FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  567419
Date:      2021-03-05
Time:      21:18:20Z
Committer: mfechner

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
150d1538-23fa-11e5-a4a5-002590263bf5squid -- Improper Protection of Alternate Path with CONNECT requests

Squid security advisory 2015:2 reports:

Squid configured with cache_peer and operating on explicit proxy traffic does not correctly handle CONNECT method peer responses.

The bug is important because it allows remote clients to bypass security in an explicit gateway proxy.

However, the bug is exploitable only if you have configured cache_peer to receive CONNECT requests.


Discovery 2015-07-06
Entry 2015-07-06
Modified 2015-07-17
squid
lt 3.5.6

http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
CVE-2015-5400
d5b6d151-1887-11e8-94f7-9c5c8e75236asquid -- Vulnerable to Denial of Service attack

Louis Dion-Marcil reports:

Due to incorrect pointer handling Squid is vulnerable to denial of service attack when processing ESI responses.

This problem allows a remote server delivering certain ESI response syntax to trigger a denial of service for all clients accessing the Squid service.

Due to unrelated changes Squid-3.5 has become vulnerable to some regular ESI server responses also triggering this issue.

This problem is limited to the Squid custom ESI parser. Squid built to use libxml2 or libexpat XML parsers do not have this problem.

Due to incorrect pointer handling Squid is vulnerable to denial of service attack when processing ESI responses or downloading intermediate CA certificates.

This problem allows a remote client delivering certain HTTP requests in conjunction with certain trusted server responses to trigger a denial of service for all clients accessing the Squid service.


Discovery 2017-12-13
Entry 2018-02-23
squid
lt 3.5.27_3

squid-devel
lt 4.0.23

http://www.squid-cache.org/Advisories/SQUID-2018_1.txt
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
CVE-2018-1000024
CVE-2018-1000027
https://www.debian.org/security/2018/dsa-4122
ports/226138
57c1c2ee-7914-11ea-90bf-0800276545c1Squid -- multiple vulnerabilities

The Squid developers reports:

Improper Input Validation issues in HTTP Request processing (CVE-2020-8449, CVE-2020-8450).

Information Disclosure issue in FTP Gateway (CVE-2019-12528).

Buffer Overflow issue in ext_lm_group_acl helper (CVE-2020-8517).


Discovery 2020-02-10
Entry 2020-04-07
squid
lt 4.10

http://lists.squid-cache.org/pipermail/squid-announce/2020-February/000107.html
https://nvd.nist.gov/vuln/detail/CVE-2020-8449
https://nvd.nist.gov/vuln/detail/CVE-2020-8450
https://nvd.nist.gov/vuln/detail/CVE-2019-12528
https://nvd.nist.gov/vuln/detail/CVE-2020-8517
CVE-2020-8449
CVE-2020-8450
CVE-2019-12528
CVE-2020-8517
ports/244026
25e5205b-1447-11e6-9ead-6805ca0b3d42squid -- multiple vulnerabilities

The squid development team reports:

Please reference CVE/URL list for details


Discovery 2016-05-06
Entry 2016-05-07
Modified 2016-05-09
squid
ge 3.0.0 lt 3.5.18

squid-devel
ge 4.0.0 lt 4.0.10

CVE-2016-4553
CVE-2016-4554
CVE-2016-4555
CVE-2016-4556
http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
297117ba-f92d-11e5-92ce-002590263bf5squid -- multiple vulnerabilities

Squid security advisory 2016:3 reports:

Due to a buffer overrun Squid pinger binary is vulnerable to denial of service or information leak attack when processing ICMPv6 packets.

This bug also permits the server response to manipulate other ICMP and ICMPv6 queries processing to cause information leak.

This bug allows any remote server to perform a denial of service attack on the Squid service by crashing the pinger. This may affect Squid HTTP routing decisions. In some configurations, sub-optimal routing decisions may result in serious service degradation or even transaction failures.

If the system does not contain buffer-overrun protection leading to that crash this bug will instead allow attackers to leak arbitrary amounts of information from the heap into Squid log files. This is of higher importance than usual because the pinger process operates with root priviliges.

Squid security advisory 2016:4 reports:

Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses.

This problem allows a malicious client script and remote server delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing the Squid service.


Discovery 2016-03-28
Entry 2016-04-02
squid
lt 3.5.16

CVE-2016-3947
CVE-2016-3948
ports/208463
http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
b6da24da-23f7-11e5-a4a5-002590263bf5squid -- client-first SSL-bump does not correctly validate X509 server certificate

Squid security advisory 2015:1 reports:

Squid configured with client-first SSL-bump does not correctly validate X509 server certificate domain / hostname fields.

The bug is important because it allows remote servers to bypass client certificate validation. Some attackers may also be able to use valid certificates for one domain signed by a global Certificate Authority to abuse an unrelated domain.

However, the bug is exploitable only if you have configured Squid to perform SSL Bumping with the "client-first" or "bump" mode of operation.

Sites that do not use SSL-Bump are not vulnerable.

All Squid built without SSL support are not vulnerable to the problem.

The FreeBSD port does not use SSL by default and is not vulnerable in the default configuration.


Discovery 2015-05-01
Entry 2015-07-06
squid
ge 3.5 lt 3.5.4

ge 3.4 lt 3.4.13

squid33
ge 3.3 lt 3.3.14

squid32
ge 3.2 lt 3.2.14

CVE-2015-3455
http://www.squid-cache.org/Advisories/SQUID-2015_1.txt
660ebbf5-daeb-11e5-b2bd-002590263bf5squid -- remote DoS in HTTP response processing

Squid security advisory 2016:2 reports:

Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses.

These problems allow remote servers delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing the Squid service.

HTTP responses containing malformed headers that trigger this issue are becoming common. We are not certain at this time if that is a sign of malware or just broken server scripting.


Discovery 2016-02-24
Entry 2016-02-24
Modified 2016-02-28
squid
lt 3.5.15

CVE-2016-2569
CVE-2016-2570
CVE-2016-2571
ports/207454
http://www.squid-cache.org/Advisories/SQUID-2016_2.txt
http://www.openwall.com/lists/oss-security/2016/02/24/12
620685d6-0aa3-11ea-9673-4c72b94353b5squid -- Vulnerable to HTTP Digest Authentication

Squid Team reports:

Problem Description: Due to incorrect data management Squid is vulnerable to a information disclosure when processing HTTP Digest Authentication.

Severity: Nonce tokens contain the raw byte value of a pointer which sits within heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks.


Discovery 2019-11-05
Entry 2019-11-19
squid
lt 4.9

http://www.squid-cache.org/Advisories/SQUID-2019_11.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18679
CVE-2019-18679
e05bfc92-0763-11e6-94fa-002590263bf5squid -- multiple vulnerabilities

Squid security advisory 2016:5 reports:

Due to incorrect buffer management Squid cachemgr.cgi tool is vulnerable to a buffer overflow when processing remotely supplied inputs relayed to it from Squid.

This problem allows any client to seed the Squid manager reports with data that will cause a buffer overflow when processed by the cachemgr.cgi tool. However, this does require manual administrator actions to take place. Which greatly reduces the impact and possible uses.

Squid security advisory 2016:6 reports:

Due to buffer overflow issues Squid is vulnerable to a denial of service attack when processing ESI responses. Due to incorrect input validation Squid is vulnerable to public information disclosure of the server stack layout when processing ESI responses. Due to incorrect input validation and buffer overflow Squid is vulnerable to remote code execution when processing ESI responses.

These problems allow ESI components to be used to perform a denial of service attack on the Squid service and all other services on the same machine. Under certain build conditions these problems allow remote clients to view large sections of the server memory. However, the bugs are exploitable only if you have built and configured the ESI features to be used by a reverse-proxy and if the ESI components being processed by Squid can be controlled by an attacker.


Discovery 2016-04-20
Entry 2016-04-21
squid
lt 3.5.17

CVE-2016-4051
CVE-2016-4052
CVE-2016-4053
CVE-2016-4054
ports/208939
http://www.squid-cache.org/Advisories/SQUID-2016_5.txt
http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
41f8af15-c8b9-11e6-ae1b-002590263bf5squid -- multiple vulnerabilities

Squid security advisory 2016:10 reports:

Due to incorrect comparison of request headers Squid can deliver responses containing private data to clients it should not have reached.

This problem allows a remote attacker to discover private and sensitive information about another clients browsing session. Potentially including credentials which allow access to further sensitive resources. This problem only affects Squid configured to use the Collapsed Forwarding feature. It is of particular importance for HTTPS reverse-proxy sites with Collapsed Forwarding.

Squid security advisory 2016:11 reports:

Due to incorrect HTTP conditional request handling Squid can deliver responses containing private data to clients it should not have reached.

This problem allows a remote attacker to discover private and sensitive information about another clients browsing session. Potentially including credentials which allow access to further sensitive resources..


Discovery 2016-12-16
Entry 2016-12-23
squid
ge 3.1 lt 3.5.23

squid-devel
ge 4.0 lt 4.0.17

CVE-2016-10002
CVE-2016-10003
ports/215416
ports/215418
http://www.squid-cache.org/Advisories/SQUID-2016_10.txt
http://www.squid-cache.org/Advisories/SQUID-2016_11.txt