<pre style='margin:0'>
Joshua Root (jmroot) pushed a commit to branch master
in repository macports.github.io.
</pre>
<p><a href="https://github.com/macports/macports.github.io/commit/7b575b0de1fec321fa46454cfe49e7227ead1db3">https://github.com/macports/macports.github.io/commit/7b575b0de1fec321fa46454cfe49e7227ead1db3</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new 7b575b0 Advisory for CVE-2024-11681
</span>7b575b0 is described below
<span style='display:block; white-space:pre;color:#808000;'>commit 7b575b0de1fec321fa46454cfe49e7227ead1db3
</span>Author: Joshua Root &lt;jmr@macports.org&gt;
AuthorDate: Sun Dec 29 02:53:04 2024 +1100
<span style='display:block; white-space:pre;color:#404040;'> Advisory for CVE-2024-11681
</span>---
_posts/2024-12-28-CVE-2024-11681.md | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/_posts/2024-12-28-CVE-2024-11681.md b/_posts/2024-12-28-CVE-2024-11681.md
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..5aa6941
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/_posts/2024-12-28-CVE-2024-11681.md
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,24 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+title: Security issue in MacPorts 2.10.4 and older
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+slug: CVE-2024-11681
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+date: 2024-12-28 15:32:57
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+MacPorts versions 2.10.4 and older contain a vulnerability that can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+allow a compromised rsync mirror to add Portfiles to the synced ports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+tree, thus allowing arbitrary code to be executed when those Portfiles
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+are parsed. (Note that we currently have no reason to believe that any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+of our mirrors have been compromised.)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+The [fix][1] for this issue is included in versions 2.10.5 and later.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+We recommend that all users running an affected version upgrade as soon
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+as possible.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Full details are available [here][2]. Thanks to Simon Scannell of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Google's Cloud Vulnerability Research team for discovering and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+analysing the issue.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+The MacPorts Port Managers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[1]: <https://github.com/macports/macports-base/commit/906525fab1d57bb7b76729b83ef73b48b335656b>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[2]: <https://github.com/google/security-research/security/advisories/GHSA-2j38-pjh8-wfxw>
</span></pre><pre style='margin:0'>
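Review bot: the recommendation in the second paragraph ("We recommend
that all users running an affected version upgrade as soon as possible.")
does not say how to upgrade. Since the first paragraph describes a
compromised rsync mirror adding Portfiles to the synced ports tree,
readers will want to know which upgrade path to use and whether syncing
should be avoided until they are on 2.10.5; one sentence naming the
upgrade command or installer would close that gap. Two smaller points:
the link text "here" in "Full details are available [here][2]" could name
its target (the Google security-research advisory), and the front-matter
date has no UTC offset while the commit's AuthorDate is +1100, so an
explicit offset would make the published time unambiguous.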
</pre>