From rea@codelabs.ru  Mon Dec 27 21:24:45 2010
Return-Path: <rea@codelabs.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 92F58106566B
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 27 Dec 2010 21:24:45 +0000 (UTC)
	(envelope-from rea@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45])
	by mx1.freebsd.org (Postfix) with ESMTP id 1C24B8FC0A
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 27 Dec 2010 21:24:44 +0000 (UTC)
Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25])
	by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256)
	id 1PXKYR-000D03-JR for FreeBSD-gnats-submit@freebsd.org; Tue, 28 Dec 2010 00:24:44 +0300
Message-Id: <20101227212431.5554CDA81F@void.codelabs.ru>
Date: Tue, 28 Dec 2010 00:24:31 +0300 (MSK)
From: Eygene Ryabinkin <rea@freebsd.org>
Reply-To: Eygene Ryabinkin <rea@freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [VuXML] security/vuxml: document XSS in www/drupal6-views
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         153474
>Category:       ports
>Synopsis:       [VuXML] security/vuxml: document XSS in www/drupal6-views
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    secteam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 27 21:30:11 UTC 2010
>Closed-Date:    Tue Dec 28 06:43:02 UTC 2010
>Last-Modified:  Tue Dec 28 06:43:02 UTC 2010
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 9.0-CURRENT amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 9.0-CURRENT amd64

>Description:

A cross-site scripting vulnerability was found in the Drupal 6.x Views
plugin: [1].

>How-To-Repeat:

[1] http://drupal.org/node/999380

>Fix:

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="ff8b419a-0ffa-11e0-becc-0022156e8794">
    <topic>Drupal Views plugin -- cross-site scripting</topic>
    <affects>
      <package>
        <name>drupal6-views</name>
        <range><lt>2.12</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Drupal security team reports:</p>
        <blockquote
          cite="http://drupal.org/node/999380">
          <p>The Views module provides a flexible method for Drupal site
          designers to control how lists and tables of content are
          presented. Under certain circumstances, Views could display
          parts of the page path without escaping, resulting in a
          reflected Cross Site Scripting (XSS) vulnerability. An attacker
          could exploit this to gain full administrative access.</p>
          <p>Mitigating factors: This vulnerability only occurs with a
          specific combination of configuration options for a specific
          View, but this combination is used in the default Views
          provided by some additional modules. A malicious user would
          need to get an authenticated administrative user to visit a
          specially crafted URL.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2010-4521</cvename>
      <url>http://drupal.org/node/999380</url>
    </references>
    <dates>
      <discovery>2010-12-15</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---

Port upgrade to 2.12 is under way (I am the maintainer).
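The entry above is only useful once something evaluates its <affects>/<range> against the installed package, the way pkg audit does. The following is an added example, not code from this PR, from the vuxml port or from pkg: it parses the proposed entry (trimmed to the fields an auditor needs and embedded as a constructed sample) and decides whether a given package name and version fall inside the affected range. The version comparison is a simplified model assumed here (VERSION[_REVISION][,EPOCH] with dot-separated numeric components); pkg's real comparison also handles letters and pre-release markers, so treat this as an illustration of the range semantics, not a replacement for pkg audit.

```python
import xml.etree.ElementTree as ET
from itertools import zip_longest

# Constructed sample: the entry proposed in this PR, trimmed to the parts a
# range check needs. Not the real ports/security/vuxml/vuln.xml.
VULN_XML = """<vuln vid="ff8b419a-0ffa-11e0-becc-0022156e8794">
  <topic>Drupal Views plugin -- cross-site scripting</topic>
  <affects>
    <package>
      <name>drupal6-views</name>
      <range><lt>2.12</lt></range>
    </package>
  </affects>
  <references>
    <cvename>CVE-2010-4521</cvename>
  </references>
</vuln>"""


def parse_version(v):
    """Split a port version into (epoch, numeric components, revision).

    Simplified model (assumption): VERSION[_REVISION][,EPOCH], where VERSION is
    dot-separated integers. Epoch dominates, then the components, then the
    revision. pkg's real algorithm also orders letters and 'a1'/'rc2' markers.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = [int(p) for p in v.split(".")]
    return epoch, parts, rev


def cmp_version(a, b):
    """Return -1, 0 or 1 as version a is lower than, equal to or higher than b."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    # Numeric, not lexical: "2.9" sorts below "2.12".
    for x, y in zip_longest(pa, pb, fillvalue=0):
        if x != y:
            return (x > y) - (x < y)
    return (ra > rb) - (ra < rb)


# VuXML range operators; each bound in a <range> must hold for a match.
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def in_range(version, range_el):
    """True when every bound inside one <range> holds for version.

    An empty <range/> has no bounds and therefore matches every version,
    which is how VuXML expresses "all versions affected".
    """
    for bound in range_el:
        if bound.tag not in OPS:
            raise ValueError("unknown range operator: %s" % bound.tag)
        if not OPS[bound.tag](cmp_version(version, bound.text.strip())):
            return False
    return True


def affected(vuln_xml, pkgname, version):
    """Return the vid of the entry if pkgname/version is affected, else None."""
    root = ET.fromstring(vuln_xml)
    for pkg in root.findall("affects/package"):
        names = [n.text.strip() for n in pkg.findall("name")]
        if pkgname not in names:
            continue
        # A package may list several <range>s; any one matching is enough.
        for rng in pkg.findall("range"):
            if in_range(version, rng):
                return root.get("vid")
    return None


if __name__ == "__main__":
    for ver in ("2.9", "2.11_1", "2.12", "2.12_1", "2.11,1"):
        print("drupal6-views-%s: %s" % (ver, affected(VULN_XML, "drupal6-views", ver)))
```

The two cases worth noticing are "2.9" (lower than 2.12 numerically, but higher as a string, which is why a naive string comparison would miss an affected install) and "2.11,1" (an epoch of 1 outranks any epoch-0 version, so it is reported as not affected even though the base version is below 2.12).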
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->secteam 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Mon Dec 27 21:30:21 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=153474 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/153474: commit references a PR
Date: Tue, 28 Dec 2010 06:34:37 +0000 (UTC)

 remko       2010-12-28 06:34:32 UTC
 
   FreeBSD ports repository (src,doc committer)
 
   Modified files:
     security/vuxml       vuln.xml 
   Log:
   Add Drupal views plugin - Cross Site Scripting (XSS).
   
   While here, improve previously added vuln entry by
   following style a bit better.
   
   PR:             153474
   Submitted by:   rea
   
   Revision  Changes    Path
   1.2267    +39 -2     ports/security/vuxml/vuln.xml
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->closed 
State-Changed-By: remko 
State-Changed-When: Tue Dec 28 06:43:01 UTC 2010 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=153474 
>Unformatted:
