FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  369565
Date:      2014-09-29
Time:      23:34:30Z
Committer: bdrewery

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
2e25d38b-54d1-11d9-b612-000c6e8f12efjabberd -- denial-of-service vulnerability

José Antonio Calvo discovered a bug in the Jabber 1.x server. According to Matthias Wimmer:

Without this patch, it is possible to remotly crash jabberd14, if there is access to one of the following types of network sockets:

  • Socket accepting client connections
  • Socket accepting connections from other servers
  • Socket connecting to an other Jabber server
  • Socket accepting connections from server components
  • Socket connecting to server components

This is any socket on which the jabberd server parses XML!

The problem existed in the included expat XML parser code. This patch removes the included expat code from jabberd14 and links jabberd against an installed version of expat.


Discovery 2004-09-19
Entry 2004-12-26
Modified 2005-01-19
jabber
lt 1.4.3.1

CVE-2004-1378
http://devel.amessage.info/jabberd14/README.html
http://mail.jabber.org/pipermail/jabberd/2004-September/002004.html
4c005a5e-2541-4d95-80a0-00c76919aa66fd_set -- bitmap index overflow in multiple applications

3APA3A reports:

If programmer fails to check socket number before using select() or fd_set macros, it's possible to overwrite memory behind fd_set structure. Very few select() based application actually check FD_SETSIZE value. [...]

Depending on vulnerable application it's possible to overwrite portions of memory. Impact is close to off-by-one overflows, code execution doesn't seems exploitable.


Discovery 2004-12-12
Entry 2005-06-17
Modified 2006-09-03
gatekeeper
lt 2.2.1

citadel
lt 6.29

3proxy
lt 0.5.b

jabber
lt 1.4.3.1_1,1

eq 1.4.4

bnc
lt 2.9.3

rinetd
lt 0.62_1

dante
lt 1.1.15

bld
lt 0.3.3

http://www.gotbnc.com/changes.html#2.9.3
http://www.security.nnov.ru/advisories/sockets.asp
http://marc.theaimsgroup.com/?l=bugtraq&m=110660879328901
4c005a5e-2541-4d95-80a0-00c76919aa66fd_set -- bitmap index overflow in multiple applications

3APA3A reports:

If programmer fails to check socket number before using select() or fd_set macros, it's possible to overwrite memory behind fd_set structure. Very few select() based application actually check FD_SETSIZE value. [...]

Depending on vulnerable application it's possible to overwrite portions of memory. Impact is close to off-by-one overflows, code execution doesn't seems exploitable.


Discovery 2004-12-12
Entry 2005-06-17
Modified 2006-09-03
gatekeeper
lt 2.2.1

citadel
lt 6.29

3proxy
lt 0.5.b

jabber
lt 1.4.3.1_1,1

eq 1.4.4

bnc
lt 2.9.3

rinetd
lt 0.62_1

dante
lt 1.1.15

bld
lt 0.3.3

http://www.gotbnc.com/changes.html#2.9.3
http://www.security.nnov.ru/advisories/sockets.asp
http://marc.theaimsgroup.com/?l=bugtraq&m=110660879328901
2e25d38b-54d1-11d9-b612-000c6e8f12efjabberd -- denial-of-service vulnerability

José Antonio Calvo discovered a bug in the Jabber 1.x server. According to Matthias Wimmer:

Without this patch, it is possible to remotly crash jabberd14, if there is access to one of the following types of network sockets:

  • Socket accepting client connections
  • Socket accepting connections from other servers
  • Socket connecting to an other Jabber server
  • Socket accepting connections from server components
  • Socket connecting to server components

This is any socket on which the jabberd server parses XML!

The problem existed in the included expat XML parser code. This patch removes the included expat code from jabberd14 and links jabberd against an installed version of expat.


Discovery 2004-09-19
Entry 2004-12-26
Modified 2005-01-19
jabber
lt 1.4.3.1

CVE-2004-1378
http://devel.amessage.info/jabberd14/README.html
http://mail.jabber.org/pipermail/jabberd/2004-September/002004.html