FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  318751
Date:      2013-05-22
Time:      09:14:17Z
Committer: rene

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
918f38cd-f71e-11e1-8bd8-0022156e8794	php5 -- header splitting attack via carriage-return character Rui Hirokawa reports: As of PHP 5.1.2, header() can no longer be used to send multiple response headers in a single call to prevent the HTTP Response Splitting Attack. header() only checks the linefeed (LF, 0x0A) as line-end marker, it doesn't check the carriage-return (CR, 0x0D). However, some browsers including Google Chrome, IE also recognize CR as the line-end. The current specification of header() still has the vulnerability against the HTTP header splitting attack. Discovery 2011-11-06 Entry 2012-09-05 Modified 2012-09-19 php5 ge 5.2 lt 5.3.11 ge 5.4 lt 5.4.1 php52 ge 0 php53 lt 5.3.11 CVE-2011-1398 https://bugs.php.net/bug.php?id=60227
3761df02-0f9c-11e0-becc-0022156e8794	php -- NULL byte poisoning PHP-specific version of NULL-byte poisoning was briefly described by ShAnKaR: Poison NULL byte vulnerability for perl CGI applications was described in [1]. ShAnKaR noted, that same vulnerability also affects different PHP applications. PHP developers report that branch 5.3 received a fix: Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243). Discovery 2010-12-10 Entry 2011-01-13 Modified 2012-11-25 php5 lt 5.3.4 php52 ge 0 CVE-2006-7243 http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded http://artofhacking.com/files/phrack/phrack55/P55-07.TXT
918f38cd-f71e-11e1-8bd8-0022156e8794	php5 -- header splitting attack via carriage-return character Rui Hirokawa reports: As of PHP 5.1.2, header() can no longer be used to send multiple response headers in a single call to prevent the HTTP Response Splitting Attack. header() only checks the linefeed (LF, 0x0A) as line-end marker, it doesn't check the carriage-return (CR, 0x0D). However, some browsers including Google Chrome, IE also recognize CR as the line-end. The current specification of header() still has the vulnerability against the HTTP header splitting attack. Discovery 2011-11-06 Entry 2012-09-05 Modified 2012-09-19 php5 ge 5.2 lt 5.3.11 ge 5.4 lt 5.4.1 php52 ge 0 php53 lt 5.3.11 CVE-2011-1398 https://bugs.php.net/bug.php?id=60227
3761df02-0f9c-11e0-becc-0022156e8794	php -- NULL byte poisoning PHP-specific version of NULL-byte poisoning was briefly described by ShAnKaR: Poison NULL byte vulnerability for perl CGI applications was described in [1]. ShAnKaR noted, that same vulnerability also affects different PHP applications. PHP developers report that branch 5.3 received a fix: Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243). Discovery 2010-12-10 Entry 2011-01-13 Modified 2012-11-25 php5 lt 5.3.4 php52 ge 0 CVE-2006-7243 http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded http://artofhacking.com/files/phrack/phrack55/P55-07.TXT
3761df02-0f9c-11e0-becc-0022156e8794	php -- NULL byte poisoning PHP-specific version of NULL-byte poisoning was briefly described by ShAnKaR: Poison NULL byte vulnerability for perl CGI applications was described in [1]. ShAnKaR noted, that same vulnerability also affects different PHP applications. PHP developers report that branch 5.3 received a fix: Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243). Discovery 2010-12-10 Entry 2011-01-13 Modified 2012-11-25 php5 lt 5.3.4 php52 ge 0 CVE-2006-7243 http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded http://artofhacking.com/files/phrack/phrack55/P55-07.TXT