FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  368515
Date:      2014-09-18
Time:      19:53:09Z
Committer: madpilot

These are the vulnerabilities relating to the commit you have selected:

VuXML ID  Description
92f30415-9935-11e2-ad4c-080027ef73ec  OpenVPN -- potential side-channel/timing attack when comparing HMACs

The OpenVPN project reports:

OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen ciphertext injection due to a non-constant-time HMAC comparison function.


Discovery 2013-03-19
Entry 2013-03-31
Modified 2013-06-01
openvpn
lt 2.0.9_4
ge 2.1.0 lt 2.2.2_2
ge 2.3.0 lt 2.3.1

https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
CVE-2013-2061
http://www.openwall.com/lists/oss-security/2013/05/06/6
https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee
be4ccb7b-c48b-11da-ae12-0002b3b60e4c  openvpn -- LD_PRELOAD code execution on client through malicious or compromised server

Hendrik Weimer reports:

OpenVPN clients are a bit too generous when accepting configuration options from a server. It is possible to transmit environment variables to client-side shell scripts. There are some filters in place to prevent obvious nonsense, however they don't catch the good old LD_PRELOAD trick. All we need is to put a file onto the client under a known location (e.g. by returning a specially crafted document upon web access) and we have a remote root exploit. But since the attack may only come from authenticated servers, this threat is greatly reduced.


Discovery 2006-04-03
Entry 2006-04-05
Modified 2006-04-06
openvpn
ge 2.0 lt 2.0.6

CVE-2006-1629
http://www.osreviews.net/reviews/security/openvpn-print
http://openvpn.net/changelog.html
http://sourceforge.net/mailarchive/message.php?msg_id=15298074