mirror of https://git.FreeBSD.org/ports.git synced 2024-12-25 04:43:33 +00:00

Document libidn2 vulnerability

Sunpoet Po-Chuan Hsieh 2019-11-18 18:13:56 +00:00
parent 9c6bdac859
commit fb17797493
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=517921

@ -58,6 +58,41 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="f04f840d-0840-11ea-8d66-75d3253ef913">
<topic>libidn2 -- roundtrip check vulnerability</topic>
<affects>
<package>
<name>libidn2</name>
<range><lt>2.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE list:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12290">
<p>.</p>
<p>GNU libidn2 before 2.2.0 fails to perform the roundtrip checks
specified in RFC3490 Section 4.2 when converting A-labels to U-labels.
This makes it possible in some circumstances for one domain to
impersonate another. By creating a malicious domain that matches a
target domain except for the inclusion of certain punycoded Unicode
characters (that would be discarded when converted first to a Unicode
label and then back to an ASCII label), arbitrary domains can be
impersonated.</p>
</blockquote>
</body>
</description>
<references>
<url>https://gitlab.com/libidn/libidn2/blob/master/NEWS</url>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12290</url>
<cvename>CVE-2019-12290</cvename>
</references>
<dates>
<discovery>2019-11-14</discovery>
<entry>2019-11-18</entry>
</dates>
</vuln>
<vuln vid="f59af308-07f3-11ea-8c56-f8b156b6dcc8">
<topic>GNU cpio -- multiple vulnerabilities</topic>
<affects>
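Review bot: the affected range in the new libidn2 entry, `<range><lt>2.3.0</lt></range>`, does not agree with the CVE text quoted in the same entry, which reads "GNU libidn2 before 2.2.0". If 2.3.0 is the intended bound (the entry lists the upstream NEWS file as a reference), add a sentence to the description saying which release carries the fix so the range can be checked against it; otherwise change the bound to 2.2.0. The blockquote also opens with a stray `<p>.</p>` that should be dropped, and the "CVE list:" lead-in could name the source directly since only one CVE description is quoted.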