FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  365592
Date:      2014-08-21
Time:      19:46:21Z
Committer: zi

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
207f8ff3-f697-11d8-81b0-000347a4fa7dnss -- exploitable buffer overflow in SSLv2 protocol handler

ISS X-Force reports that a remotely exploitable buffer overflow exists in the Netscape Security Services (NSS) library's implementation of SSLv2. From their advisory:

The NSS library contains a flaw in SSLv2 record parsing that may lead to remote compromise. When parsing the first record in an SSLv2 negotiation, the client hello message, the server fails to validate the length of a record field. As a result, it is possible for an attacker to trigger a heap-based overflow of arbitrary length.

Note that the vulnerable NSS library is also present in Mozilla-based browsers. However, it is not believed that browsers are affected, as the vulnerability is present only in code used by SSLv2 *servers*.


Discovery 2004-08-23
Entry 2004-08-27
nss
lt 3.9.2

http://xforce.iss.net/xforce/alerts/id/180
http://www.osvdb.org/9116
http://secunia.com/advisories/12362
11015
aa5bc971-d635-11e0-b3cf-080027ef73ecnss/ca_root_nss -- fraudulent certificates issued by DigiNotar.nl

Heather Adkins, Google's Information Security Manager, reported that Google received

[...] reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it). [...]

VASCO Data Security International Inc., owner of DigiNotar, issued a press statement confirming this incident:

On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. [...] an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. [...]

Mozilla, maintainer of the NSS package, from which FreeBSD derived ca_root_nss, stated that they:

revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.

Three central issues informed our decision:

  1. Failure to notify. [...]
  2. The scope of the breach remains unknown. [...]
  3. The attack is not theoretical.

Discovery 2011-07-19
Entry 2011-09-03
Modified 2011-09-06
nss
lt 3.12.11

ca_root_nss
lt 3.12.11

firefox
gt 3.6.*,1 lt 3.6.22,1

gt 4.0.*,1 lt 6.0.2,1

seamonkey
lt 2.3.2

linux-firefox
lt 3.6.22,1

thunderbird
gt 3.1.* lt 3.1.14

gt 5.0.* lt 6.0.2

linux-thunderbird
lt 3.1.14

linux-seamonkey
lt 2.3.2

http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx
http://www.mozilla.org/security/announce/2011/mfsa2011-34.html
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html
207f8ff3-f697-11d8-81b0-000347a4fa7dnss -- exploitable buffer overflow in SSLv2 protocol handler

ISS X-Force reports that a remotely exploitable buffer overflow exists in the Netscape Security Services (NSS) library's implementation of SSLv2. From their advisory:

The NSS library contains a flaw in SSLv2 record parsing that may lead to remote compromise. When parsing the first record in an SSLv2 negotiation, the client hello message, the server fails to validate the length of a record field. As a result, it is possible for an attacker to trigger a heap-based overflow of arbitrary length.

Note that the vulnerable NSS library is also present in Mozilla-based browsers. However, it is not believed that browsers are affected, as the vulnerability is present only in code used by SSLv2 *servers*.


Discovery 2004-08-23
Entry 2004-08-27
nss
lt 3.9.2

http://xforce.iss.net/xforce/alerts/id/180
http://www.osvdb.org/9116
http://secunia.com/advisories/12362
11015
aa5bc971-d635-11e0-b3cf-080027ef73ecnss/ca_root_nss -- fraudulent certificates issued by DigiNotar.nl

Heather Adkins, Google's Information Security Manager, reported that Google received

[...] reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it). [...]

VASCO Data Security International Inc., owner of DigiNotar, issued a press statement confirming this incident:

On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. [...] an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. [...]

Mozilla, maintainer of the NSS package, from which FreeBSD derived ca_root_nss, stated that they:

revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.

Three central issues informed our decision:

  1. Failure to notify. [...]
  2. The scope of the breach remains unknown. [...]
  3. The attack is not theoretical.

Discovery 2011-07-19
Entry 2011-09-03
Modified 2011-09-06
nss
lt 3.12.11

ca_root_nss
lt 3.12.11

firefox
gt 3.6.*,1 lt 3.6.22,1

gt 4.0.*,1 lt 6.0.2,1

seamonkey
lt 2.3.2

linux-firefox
lt 3.6.22,1

thunderbird
gt 3.1.* lt 3.1.14

gt 5.0.* lt 6.0.2

linux-thunderbird
lt 3.1.14

linux-seamonkey
lt 2.3.2

http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx
http://www.mozilla.org/security/announce/2011/mfsa2011-34.html
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html