/www/py-plone.app.form/

Commit:	6c6354e4391b6f6346251ac3863368c7af0825e6
Author:	Craig Leres leres@FreeBSD.org
Date:	2019-09-17T23:13:57+00:00

Service vulnerability:

   https://raw.githubusercontent.com/zeek/zeek/3b5a9f88ece1d274edee897837e280ef751bde94/NEWS

 - The NTLM analyzer did not properly handle AV Pair sequences that
   were either empty or unterminated, resulting in invalid memory
   access or heap buffer over-read.  The NTLM analyzer is enabled
   by default and used in the analysis of SMB, DCE/RPC, and GSSAPI
   protocols.

Approved by:	ler (mentor, implicit)
MFH:		2019Q3
Security:	55571619-454e-4769-b1e5-28354659e152
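An added illustration of the failure the NTLM entry describes (example code written for this page, not Zeek's analyzer): a walker over an NTLM AV_PAIR list (AvId and AvLen as 16-bit little-endian, then AvLen value bytes, terminated by MsvAvEOL) that treats an empty or unterminated list as an error instead of reading on past the buffer. The sample byte strings are constructed, and the function and constant names are this example's own.

```c
/* Added example, not Zeek's code: a bounds-checked walk over an NTLM
 * AV_PAIR list (MS-NLMP). Each pair is AvId (uint16 LE), AvLen (uint16 LE)
 * and AvLen bytes of value; a well-formed list ends with MsvAvEOL
 * (AvId 0, AvLen 0). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MSV_AV_EOL 0x0000

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Walks the AV pairs in buf[0..len). Returns the number of pairs before
 * MsvAvEOL, or -1 when the list is empty, unterminated, or a declared
 * AvLen runs past the end of the buffer. Every read is checked against
 * the bytes still available before it happens, so no input can make the
 * loop touch memory outside buf. */
int ntlm_count_av_pairs(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    for (;;) {
        /* A full 4-byte header must be present before AvId/AvLen are read;
         * off never exceeds len, so the subtraction cannot wrap. */
        if (len - off < 4)
            return -1;                 /* empty or unterminated list */

        uint16_t av_id  = rd16le(buf + off);
        uint16_t av_len = rd16le(buf + off + 2);
        off += 4;

        if (av_id == MSV_AV_EOL)
            return av_len == 0 ? count : -1;  /* MS-NLMP: EOL carries no value */

        /* The value must fit in what is left; compare against the
         * remaining count rather than forming off + av_len. */
        if (av_len > len - off)
            return -1;
        off += av_len;
        count++;
    }
}

/* Constructed sample inputs (not captured traffic). */
/* One pair: MsvAvNbComputerName (0x0001), "HOST" as UTF-16LE, then MsvAvEOL. */
const uint8_t ntlm_sample_ok[] = {
    0x01, 0x00, 0x08, 0x00, 'H', 0, 'O', 0, 'S', 0, 'T', 0,
    0x00, 0x00, 0x00, 0x00
};
/* The same pair, but the list is never terminated. */
const uint8_t ntlm_sample_unterminated[] = {
    0x01, 0x00, 0x08, 0x00, 'H', 0, 'O', 0, 'S', 0, 'T', 0
};
/* Header claims 8 value bytes but only 4 follow. */
const uint8_t ntlm_sample_truncated[] = {
    0x01, 0x00, 0x08, 0x00, 'H', 0, 'O', 0
};
/* Passed with length 0; the array only supplies a valid address. */
const uint8_t ntlm_sample_empty[1] = { 0 };

int main(void)
{
    printf("ok: %d\n", ntlm_count_av_pairs(ntlm_sample_ok, sizeof ntlm_sample_ok));
    printf("unterminated: %d\n",
           ntlm_count_av_pairs(ntlm_sample_unterminated, sizeof ntlm_sample_unterminated));
    printf("truncated: %d\n",
           ntlm_count_av_pairs(ntlm_sample_truncated, sizeof ntlm_sample_truncated));
    printf("empty: %d\n", ntlm_count_av_pairs(ntlm_sample_empty, 0));
    return 0;
}
```

The two conditions the entry names map onto the same guard: an empty list and a list whose last pair is not followed by MsvAvEOL both leave fewer than four bytes before the next header read, and the walker returns rather than reading.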

Commit:	3cd67449f871e4742eaa03fc2d1745d8c8c6b98c
Author:	Craig Leres leres@FreeBSD.org
Date:	2019-08-09T16:59:52+00:00

security/bro: Update to 2.6.3 and address potential denial of service
vulnerabilities:

    https://raw.githubusercontent.com/zeek/zeek/1d874e5548a58b3b8fd2a342fe4aa0944e779809/NEWS

 - Null pointer dereference in the RPC analysis code. RPC analyzers
   (e.g. MOUNT or NFS) are not enabled in the default configuration.

 - Signed integer overflow in BinPAC-generated parser code.  The
   result of this is Undefined Behavior with respect to the array
   bounds checking conditions that BinPAC generates, so it's
   unpredictable what an optimizing compiler may actually do under
   the assumption that signed integer overflows should never happen.
   The specific symptom which led to finding this issue was with
   the PE analyzer causing out-of-memory crashes due to large
   allocations that were otherwise prevented when the array bounds
   checking logic was changed to prevent any possible signed integer
   overflow.

Approved by:	matthew (mentor, implicit)
MFH:		2019Q3
Security:	f56669f5-d799-4ff5-9174-64a6d571c451
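An added example (not BinPAC's generated code) of the bounds arithmetic the 2.6.3 entry is about: the check is written against the bytes remaining after the field's offset rather than as an offset-plus-length sum, so neither a signed overflow nor an unsigned wrap can make an oversized count look in-bounds. The same remaining-bytes form also depends on starting from the array field's own offset, which is the point of the 2.5.5 bounds-check fix further down. The element format, the array_fits/parse_elements names and the byte strings are constructed for this page.

```c
/* Added example, not BinPAC's generated code: the length/bounds check a
 * generated parser needs, written so the arithmetic cannot overflow.
 * Assumes a constructed record format: a uint32 LE element count
 * followed by that many 8-byte elements. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* A check of the shape  offset + len > end  on signed operands is the
 * problem case: when the sum overflows, the behaviour is undefined and
 * an optimizing compiler may assume it never happens, i.e. treat the
 * comparison as always false. This helper only reports whether that sum
 * *would* overflow a 32-bit signed int, without computing it. */
bool naive_sum_would_overflow(int32_t offset, int32_t len)
{
    return offset >= 0 && len > INT32_MAX - offset;
}

/* Overflow-free form: do `count` elements of `elem_size` bytes, starting
 * at `offset`, lie inside an input of `input_len` bytes? The comparison
 * is against the bytes remaining after `offset`, and count * elem_size
 * is never formed; both are where a wrap (or, with signed types,
 * undefined behaviour) would hide. `offset` must be that of the array
 * field itself, not of an enclosing record. */
bool array_fits(size_t input_len, size_t offset, uint64_t count, size_t elem_size)
{
    if (offset > input_len)
        return false;
    size_t remaining = input_len - offset;
    if (elem_size == 0)
        return true;
    return count <= remaining / elem_size;
}

/* Parses the constructed format: returns the element count on success,
 * -1 if the header is short or the declared count does not fit. On the
 * failure path nothing beyond the 4-byte header is read and nothing
 * proportional to the declared count is allocated. */
int64_t parse_elements(const uint8_t *buf, size_t len)
{
    if (len < 4)
        return -1;
    uint32_t count = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                     ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    if (!array_fits(len, 4, count, 8))
        return -1;
    /* Elements are in bounds; a real parser would now decode them. */
    return (int64_t)count;
}

/* Constructed inputs: two well-formed elements, and a header that
 * declares 0xFFFFFFFF elements with only one present. */
const uint8_t elems_two[] = { 2, 0, 0, 0,
                              1, 2, 3, 4, 5, 6, 7, 8,
                              9, 10, 11, 12, 13, 14, 15, 16 };
const uint8_t elems_huge_count[] = { 0xff, 0xff, 0xff, 0xff,
                                     1, 2, 3, 4, 5, 6, 7, 8 };

int main(void)
{
    printf("two: %lld\n", (long long)parse_elements(elems_two, sizeof elems_two));
    printf("huge count: %lld\n",
           (long long)parse_elements(elems_huge_count, sizeof elems_huge_count));
    printf("naive sum overflows: %d\n", naive_sum_would_overflow(100, INT32_MAX));
    return 0;
}
```

The division in array_fits is the step that matters: dividing the remaining byte count by the element size gives the largest count that can possibly fit, and any declared count above it is rejected before the parser commits to reading or allocating for it.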

Commit:	d28e16137384e3c360615771dee7aefda2e7c349
Author:	Craig Leres leres@FreeBSD.org
Date:	2019-05-31T19:23:07+00:00

security/bro: Update to 2.6.2 and address several denial of service
vulnerabilities:

   https://raw.githubusercontent.com/zeek/zeek/bb979702cf9a2fa67b8d1a1c7f88d0b56c6af104/NEWS

 - Integer type mismatches in BinPAC-generated parser code and Bro
   analyzer code may allow for crafted packet data to cause
   unintentional code paths in the analysis logic to be taken due
   to unsafe integer conversions causing the parser and analysis
   logic to each expect different fields to have been parsed.  One
   such example, reported by Maksim Shudrak, causes the Kerberos
   analyzer to dereference a null pointer.  CVE-2019-12175 was
   assigned for this issue.

 - The Kerberos parser allows for several fields to be left
   uninitialized, but they were not marked with an &optional attribute
   and several usages lacked existence checks.  Crafted packet data
   could potentially cause an attempt to access such uninitialized
   fields, generate a runtime error/exception, and leak memory.
   Existence checks and &optional attributes have been added to the
   relevant Kerberos fields.

 - BinPAC-generated protocol parsers commonly contain fields whose
   length is derived from other packet input, and for those that
   allow for incremental parsing, BinPAC did not impose a limit on
   how large such a field could grow, allowing for remotely-controlled
   packet data to cause growth of BinPAC's flowbuffer bounded only
   by the numeric limit of an unsigned 64-bit integer, leading to
   memory exhaustion.  There is now a generalized limit for how
   large flowbuffers are allowed to grow, tunable by setting
   "BinPAC::flowbuffer_capacity_max".

Approved by:	ler (mentor, implicit)
MFH:		2019Q2
Security:	177fa455-48fc-4ded-ba1b-9975caa7f62a
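An added sketch of the flowbuffer cap the third item in the 2.6.2 entry introduces. This is not BinPAC's flowbuffer; the flowbuf type and its functions are hypothetical names for this page, with cap_max playing the role of BinPAC::flowbuffer_capacity_max. What it shows is that the declared frame length is checked against the limit before any storage is obtained, so a length-derived field cannot drive allocation up to the width of its length type.

```c
/* Added example, not BinPAC's flowbuffer: a minimal incremental
 * reassembly buffer with a hard cap on the frame length a protocol may
 * declare. All names here are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint8_t *data;     /* bytes collected so far for the pending frame */
    size_t   len;      /* how many of them have been filled */
    size_t   want;     /* frame length the protocol declared */
    size_t   cap_max;  /* policy limit on any declared frame length */
} flowbuf;

void flowbuf_init(flowbuf *fb, size_t cap_max)
{
    fb->data = NULL;
    fb->len = fb->want = 0;
    fb->cap_max = cap_max;
}

void flowbuf_free(flowbuf *fb)
{
    free(fb->data);
    fb->data = NULL;
    fb->len = fb->want = 0;
}

/* Record the frame length the protocol announced. Returns 0 on success,
 * -1 when the length exceeds cap_max or storage is unavailable. The limit
 * is applied before allocation, so an absurd declared length is rejected
 * at no memory cost; without the limit, growth would be bounded only by
 * the width of the length field. */
int flowbuf_need(flowbuf *fb, uint64_t declared)
{
    if (declared > fb->cap_max)
        return -1;
    uint8_t *p = realloc(fb->data, declared ? (size_t)declared : 1);
    if (p == NULL)
        return -1;
    fb->data = p;
    fb->want = (size_t)declared;
    fb->len = 0;
    return 0;
}

/* Feed n bytes toward the pending frame. Returns 1 when the frame is
 * complete, 0 when more input is needed, -1 if no frame is pending.
 * Never takes more than the declared length; *consumed reports how many
 * bytes were taken so the caller can hand the rest to the next frame. */
int flowbuf_feed(flowbuf *fb, const uint8_t *p, size_t n, size_t *consumed)
{
    if (fb->data == NULL)
        return -1;
    size_t room = fb->want - fb->len;
    size_t take = n < room ? n : room;
    memcpy(fb->data + fb->len, p, take);
    fb->len += take;
    *consumed = take;
    return fb->len == fb->want ? 1 : 0;
}

/* Walk-through on constructed input: a 1 KiB policy limit, a frame that
 * claims 1 TiB (rejected), then a 10-byte frame delivered in two chunks.
 * Returns the reassembled length (10) or -1 if any step misbehaves. */
int flowbuf_demo(void)
{
    static const uint8_t chunk[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    flowbuf fb;
    size_t used;
    int result = -1;

    flowbuf_init(&fb, 1024);
    if (flowbuf_need(&fb, (uint64_t)1 << 40) != -1)             /* over the cap */
        goto out;
    if (flowbuf_need(&fb, 10) != 0)
        goto out;
    if (flowbuf_feed(&fb, chunk, 4, &used) != 0 || used != 4)   /* partial */
        goto out;
    if (flowbuf_feed(&fb, chunk, 8, &used) != 1 || used != 6)   /* completes; 2 left over */
        goto out;
    result = (int)fb.len;
out:
    flowbuf_free(&fb);
    return result;
}

int main(void)
{
    printf("reassembled %d bytes\n", flowbuf_demo());
    return 0;
}
```

The cap is a policy knob rather than a correctness fix: the right value depends on the largest legitimate frame the protocol in question can carry, which is why the real tunable is exposed as a setting rather than hard-coded.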

Commit:	dca411da1e668ac7cd3f865351fb8bd65621d56d
Author:	Craig Leres leres@FreeBSD.org
Date:	2018-12-20T01:25:09+00:00

Update to 2.6.1:

 - Update the embedded SQLite library from 3.18.0 to 3.26.0 to
   address a remote code execution vulnerability ("Magellan").

 - Uses a bundled version of the actor-framework (caf) library so
   we can remove the port-local build for caf.

Replace broctl-config.sh absolute symlink with a relative one.

Approved by:	ler (mentor, implicit)
MFH:		2018Q4
Security:	b80f039d-579e-4b82-95ad-b534a709f220

Commit:	9b93fbb32b19258018b826caf02f7c62c74d9040
Author:	Craig Leres leres@FreeBSD.org
Date:	2018-08-30T00:13:32+00:00

Update to 2.5.5 which addresses security issues:

    - Fix array bounds checking in BinPAC: for arrays that are
      fields within a record, the bounds check was based on a pointer
      to the start of the record rather than the start of the array
      field, potentially resulting in a buffer over-read.

    - Fix SMTP command string comparisons: the number of bytes
      compared was based on the user-supplied string length and can
      lead to incorrect matches, e.g. giving a command of "X"
      incorrectly matched "X-ANONYMOUSTLS" (and an empty command
      matches anything).

    - "Weird" events are now generally suppressed/sampled by default
      according to some tunable parameters.

    - Improved handling of empty lines in several text protocol
      analyzers that can cause performance issues when seen in long
      sequences.

    - Add `smtp_excessive_pending_cmds' weird which serves as a
      notification for when the "pending command" queue has reached
      an upper limit and been cleared to prevent one from attempting
      to slowly exhaust memory.

Approved by: ler (mentor, implicit)
MFH: 2018Q3
Security: d0be41fe-2a20-4633-b057-4e8b25c41780
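An added example, not Zeek's SMTP analyzer, of the command-comparison defect in the 2.5.5 entry: a lookup that compares only as many bytes as the client supplied, beside one that also requires the lengths to agree. The command table is a constructed subset, and the function names are this example's own.

```c
/* Added example, not Zeek's code: the SMTP command matching bug and its
 * fix, against a small constructed command table. */
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

static const char *const smtp_cmds[] = {
    "DATA", "EHLO", "HELO", "MAIL", "RCPT", "X-ANONYMOUSTLS"
};
#define N_SMTP_CMDS (sizeof smtp_cmds / sizeof smtp_cmds[0])

/* Case-insensitive comparison of up to n bytes, stopping at the first
 * difference (portable stand-in for strncasecmp). */
static bool ci_equal_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i]))
            return false;
    return true;
}

/* Buggy shape: the byte count comes from the client's input. A one-byte
 * "X" is a prefix of "X-ANONYMOUSTLS" and therefore matches it, and a
 * zero-length command compares zero bytes, so it matches the first table
 * entry. Returns the table index or -1. */
int smtp_match_by_input_len(const char *cmd, size_t cmd_len)
{
    for (size_t i = 0; i < N_SMTP_CMDS; i++)
        if (ci_equal_n(cmd, smtp_cmds[i], cmd_len))
            return (int)i;
    return -1;
}

/* Fixed shape: the lengths must be equal and every byte of the table
 * entry must match, so neither a prefix nor an empty string can match. */
int smtp_match_exact(const char *cmd, size_t cmd_len)
{
    for (size_t i = 0; i < N_SMTP_CMDS; i++) {
        size_t n = strlen(smtp_cmds[i]);
        if (n == cmd_len && ci_equal_n(cmd, smtp_cmds[i], n))
            return (int)i;
    }
    return -1;
}

int main(void)
{
    const char *probes[] = { "X", "", "ehlo", "X-ANONYMOUSTLS", "DATAX" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-16s by-input-len=%2d exact=%2d\n", probes[i],
               smtp_match_by_input_len(probes[i], strlen(probes[i])),
               smtp_match_exact(probes[i], strlen(probes[i])));
    return 0;
}
```

The general rule the fix follows is that the comparison length must come from the trusted side (the table entry) and be confirmed equal to the untrusted side's length; letting attacker-controlled input choose how much of a string gets compared turns any prefix into a match.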