FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
15888c7e-e659-11ec-b7fe-10c37b4ac2eago -- multiple vulnerabilities

The Go project reports:

crypto/rand: rand.Read hangs with extremely large buffers

On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes.

crypto/tls: session tickets lack random ticket_age_add

Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

os/exec: empty Cmd.Path can result in running unintended binary on Windows

If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset and, in the working directory, there are binaries named either "..com" or "..exe", they will be executed.

path/filepath: Clean(`.\c:`) returns `c:` on Windows

On Windows, the filepath.Clean function could convert an invalid path to a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.


Discovery 2022-06-01
Entry 2022-06-07
go118
lt 1.18.3

go117
lt 1.17.11

https://groups.google.com/g/golang-dev/c/DidEMYAH_n0
CVE-2022-30634
https://go.dev/issue/52561
CVE-2022-30629
https://go.dev/issue/52814
CVE-2022-30580
https://go.dev/issue/52574
CVE-2022-29804
https://go.dev/issue/52476
6fea7103-2ea4-11ed-b403-3dae8ac60d3ego -- multiple vulnerabilities

The Go project reports:

net/http: handle server errors after sending GOAWAY

A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

net/url: JoinPath does not strip relative path components in all circumstances

JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path.


Discovery 2022-09-06
Entry 2022-09-07
go118
lt 1.18.6

go119
lt 1.19.1

CVE-2022-27664
CVE-2022-32190
https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ
7f8d5435-125a-11ed-9a69-10c37b4ac2eago -- decoding big.Float and big.Rat can panic

The Go project reports:

encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is too short.


Discovery 2022-07-14
Entry 2022-08-02
go118
lt 1.18.5

go117
lt 1.17.13

CVE-2022-32189
https://groups.google.com/g/golang-announce/c/YqYYG87xB10
a4f2416c-02a0-11ed-b817-10c37b4ac2eago -- multiple vulnerabilities

The Go project reports:

net/http: improper sanitization of Transfer-Encoding header

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected.

compress/gzip: stack exhaustion in Reader.Read

Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.

encoding/xml: stack exhaustion in Unmarshal

Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.

encoding/xml: stack exhaustion in Decoder.Skip

Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

path/filepath: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

io/fs: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.


Discovery 2022-07-12
Entry 2022-07-13
go118
lt 1.18.4

go117
lt 1.17.12

CVE-2022-1705
CVE-2022-32148
CVE-2022-30631
CVE-2022-30633
CVE-2022-28131
CVE-2022-30635
CVE-2022-30632
CVE-2022-30630
CVE-2022-1962
https://groups.google.com/g/golang-dev/c/frczlF8OFQ0