Advisory for CVE-2024-11681

Joshua Root
2024-12-29 02:53:04 +11:00
parent 8d7237430c
commit 7b575b0de1


@@ -0,0 +1,24 @@
---
title: Security issue in MacPorts 2.10.4 and older
slug: CVE-2024-11681
date: 2024-12-28 15:32:57
---
MacPorts versions 2.10.4 and older contain a vulnerability that can
allow a compromised rsync mirror to add Portfiles to the synced ports
tree, thus allowing arbitrary code to be executed when those Portfiles
are parsed. (Note that we currently have no reason to believe that any
of our mirrors have been compromised.)
The [fix][1] for this issue is included in versions 2.10.5 and later.
We recommend that all users running an affected version upgrade as soon
as possible.
Full details are available [here][2]. Thanks to Simon Scannell of
Google's Cloud Vulnerability Research team for discovering and
analysing the issue.
The MacPorts Port Managers
[1]: <https://github.com/macports/macports-base/commit/906525fab1d57bb7b76729b83ef73b48b335656b>
[2]: <https://github.com/google/security-research/security/advisories/GHSA-2j38-pjh8-wfxw>
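Review bot: the front-matter `date: 2024-12-28 15:32:57` carries no UTC offset, while the commit itself is stamped +11:00, so readers comparing the advisory's publication time with the fix commit and the upstream GHSA advisory cannot tell which zone the timestamp is in; add the offset (for example `2024-12-28 15:32:57 +1100`) so the timeline of disclosure, fix and announcement is unambiguous. The body text is otherwise clear about the affected range (2.10.4 and older), the fixed range (2.10.5 and later) and the attacker model (a compromised rsync mirror), which is what an advisory needs.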