FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 2c6af5c3-4d36-11ec-a539-0800270512f4
Description: rubygem-cgi -- buffer overrun in CGI.escape_html

chamal reports:

A security vulnerability that causes buffer overflow when you pass a very large string (> 700 MB) to CGI.escape_html on a platform where long type takes 4 bytes, typically, Windows.


Discovery 2021-11-24
Entry 2021-11-24
Affected packages:
  ruby         ge 2.7.0,1 lt 2.7.5,1; ge 3.0.0,1 lt 3.0.3,1
  ruby27       ge 2.7.0,1 lt 2.7.5,1
  ruby30       ge 3.0.0,1 lt 3.0.3,1
  rubygem-cgi  < 0.3.1

References:
  CVE-2021-41816
  https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/

VuXML ID: 4548ec97-4d38-11ec-a539-0800270512f4
Description: rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse

ooooooo_q reports:

The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.

By this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded.


Discovery 2021-11-24
Entry 2021-11-24
Affected packages:
  ruby         ge 2.6.0,1 lt 2.6.9,1; ge 2.7.0,1 lt 2.7.5,1; ge 3.0.0,1 lt 3.0.3,1
  ruby26       ge 2.6.0,1 lt 2.6.9,1
  ruby27       ge 2.7.0,1 lt 2.7.5,1
  ruby30       ge 3.0.0,1 lt 3.0.3,1
  rubygem-cgi  < 0.3.1

References:
  CVE-2021-41819
  https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
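Added example for the CVE-2021-41819 entry above; it is not code from the FreshPorts page, the VuXML entry or the Ruby project. It contrasts the two parsing behaviours the advisory describes, a parser that URL-decodes cookie names (the old CGI::Cookie.parse behaviour) and one that keeps names verbatim (the fixed behaviour), and adds a check an application can run before trusting a `__Host-` or `__Secure-` name. The function names, the use of URI.decode_www_form_component as the decoder, and the sample Cookie header are all assumptions constructed for this example.

```ruby
require 'uri'

# Cookie-name prefixes that browsers only accept under strict conditions
# (secure origin, Path=/, no Domain for __Host-). Applications often treat a
# name carrying one of these prefixes as more trustworthy than other cookies.
SECURITY_PREFIXES = ['__Host-', '__Secure-'].freeze

# Decode a percent-encoded component; invalid %-sequences are left untouched
# rather than raising, so a malformed name cannot crash the request.
def safe_decode(str)
  URI.decode_www_form_component(str)
rescue ArgumentError
  str
end

# Split a Cookie request header into [name, value] pairs without altering
# either part. Value is the empty string when the pair has no '='.
def split_cookie_header(header)
  header.split(/;\s*/).filter_map do |pair|
    name, value = pair.split('=', 2)
    next if name.nil? || name.empty?
    [name, value.to_s]
  end
end

# The behaviour the advisory attributes to old CGI::Cookie.parse (assumption:
# modelled here with URI decoding): the NAME is decoded as well as the value,
# so an encoded name collapses onto a real prefixed name and, being later in
# the header, overwrites it. Kept only for comparison; do not use this.
def parse_decoding_names(header)
  split_cookie_header(header).to_h do |name, value|
    [safe_decode(name), safe_decode(value)]
  end
end

# Fixed behaviour: the name is kept verbatim and only the value is decoded.
# An encoded name stays a distinct, visibly odd key that carries no prefix.
def parse_raw_names(header)
  split_cookie_header(header).to_h do |name, value|
    [name, safe_decode(value)]
  end
end

# Defensive check: list raw names that only gain a security prefix after
# decoding. A browser never sends such a name, so a request containing one is
# worth rejecting or logging regardless of which parser is in use.
def spoofed_prefix_names(header)
  split_cookie_header(header).map(&:first).select do |raw|
    decoded = safe_decode(raw)
    raw != decoded && SECURITY_PREFIXES.any? { |p| decoded.start_with?(p) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample header: a genuine __Host- cookie followed by a second
  # cookie whose name is percent-encoded so that it decodes to the same name.
  header = '__Host-session=legit; %5F%5FHost-session=forged; theme=dark'
  puts "decoding names: #{parse_decoding_names(header).inspect}"
  puts "raw names:      #{parse_raw_names(header).inspect}"
  puts "spoof attempts: #{spoofed_prefix_names(header).inspect}"
end
```

Run with `ruby cookie_prefix.rb`: with names decoded the second cookie overwrites `__Host-session`, with raw names the genuine cookie survives and the forged one appears under its literal encoded key. The check in `spoofed_prefix_names` is independent of the parser and is the piece worth keeping in an application that still runs an affected rubygem-cgi or Ruby release.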