| field | value | date |
|---|---|---|
| author | niels <niels@FreeBSD.org> | 2010-04-25 05:14:57 +0800 |
| committer | niels <niels@FreeBSD.org> | 2010-04-25 05:14:57 +0800 |
| commit | e7be64081d1df627919b17e905086ff1e7ce116b (patch) | |
| tree | 411dee909b33ee1d8a99c2ae3d8fb845e6ea6c66 /security | |
| parent | f8b15566551bb1b1b94ad3e1bbaeaff647e912fa (diff) | |
Documented vulnerabilities in moodle, tomcat55, tomcat66 and cacti
PR: ports/146021
PR: ports/146022
Approved by: remko (secteam)
Security: http://seclists.org/bugtraq/2010/Apr/200
Security: http://docs.moodle.org/en/Moodle_1.9.8_release_notes
Security: http://www.bonsai-sec.com/en/research/vulnerability.php
Diffstat (limited to 'security')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | security/vuxml/vuln.xml | 94 |

1 files changed, 94 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 462127c84f42..07db7f71a818 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -34,6 +34,100 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="5198ef84-4fdc-11df-83fb-0015587e2cc1"> + <topic>cacti -- SQL injection and command execution vulnerabilities</topic> + <affects> + <package> + <name>cacti</name> + <range><le>0.8.7e4</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Bonsai information security reports:</p> + <blockquote cite="http://www.bonsai-sec.com/en/research/vulnerability.php"> + <p>A Vulnerability has been discovered in Cacti, which + can be exploited by any user to conduct SQL Injection + attacks. Input passed via the "export_item_id" parameter + to "templates_export.php" script is not properly sanitized + before being used in a SQL query.</p> + </blockquote> + <p>The same source also reported a command execution + vulnerability. This second issue can be exploited by + Cacti users who have the rights to modify device or + graph configurations.</p> + </body> + </description> + <references> + <freebsdpr>ports/146021</freebsdpr> + <url>http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php</url> + <url>http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-sql-injection-0104.php</url> + </references> + <dates> + <discovery>2010-04-21</discovery> + <entry>2010-04-24</entry> + </dates> + </vuln> + + <vuln vid="f6429c24-4fc9-11df-83fb-0015587e2cc1"> + <topic>moodle -- multiple vulnerabilities</topic> + <affects> + <package> + <name>moodle</name> + <range><lt>1.9.8</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Moodle release notes report multiple vulnerabilities + which could allow remote attackers to perform, amongst + others, cross site scripting, user enumeration and SQL + injection attacks.</p> + </body> + </description> + <references> + 
<url>http://docs.moodle.org/en/Moodle_1.9.8_release_notes</url> + </references> + <dates> + <discovery>2010-03-25</discovery> + <entry>2010-04-24</entry> + </dates> + </vuln> + + <vuln vid="3383e706-4fc3-11df-83fb-0015587e2cc1"> + <topic>tomcat -- information disclosure vulnerability</topic> + <affects> + <package> + <name>tomcat</name> + <range><gt>5.5.0</gt><le>5.5.28</le></range> + <range><gt>6.0.0</gt><le>6.0.24</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Apache software foundation reports:</p> + <blockquote cite="http://seclists.org/bugtraq/2010/Apr/200"> + <p>The "WWW-Authenticate" header for BASIC and DIGEST + authentication includes a realm name. If a <realm-name> + element is specified for the application in web.xml it + will be used. However, a <realm-name> is not + specified then Tomcat will generate one.</p> + <p>In some circumstances this can expose the local + hostname or IP address of the machine running Tomcat.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2010-1157</cvename> + <freebsdpr>ports/146022</freebsdpr> + <url>http://seclists.org/bugtraq/2010/Apr/200</url> + </references> + <dates> + <discovery>2010-04-22</discovery> + <entry>2010-04-24</entry> + </dates> + </vuln> + <vuln vid="f6b6beaa-4e0e-11df-83fb-0015587e2cc1"> <topic>emacs -- movemail symlink race condition</topic> <affects> |
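Review bot: the literal `<realm-name>` inside the tomcat entry's XHTML `<p>` (it appears twice in the quoted Apache text) has to be written as `&lt;realm-name&gt;`, otherwise vuln.xml is no longer well-formed XML and validation of the file will reject it; if the committed file already carries the entities and only this rendering decoded them, disregard. Also, the commit message names tomcat55 and tomcat66 (presumably tomcat6), but the entry has a single `<name>tomcat</name>` with 5.5.x and 6.0.x ranges; confirm that both ports really produce packages named `tomcat`, since an entry keyed on a package name that no port installs matches nothing in portaudit. Finally, `<range><gt>5.5.0</gt>` and `<gt>6.0.0</gt>` exclude the .0 releases themselves; if those are affected as well, `<ge>` is the intended lower bound.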