This page displays vulnerability information about FreeBSD Ports.
The last vuln.xml file processed by FreshPorts is:
Revision: 504357 Date: 2019-06-16 Time: 17:07:14Z Committer: marcus
List all Vulnerabilities, by package
List all Vulnerabilities, by date
These are the vulnerabilities relating to the commit you have selected:
|30e4ed7b-1ca6-11da-bc01-000e0c2e438a||bind9 -- denial of service|
A DNSSEC-related validator function in BIND 9.3.0 contains an inappropriate internal consistency test. When this test is triggered, named(8) will exit.
On systems with DNSSEC enabled, a remote attacker may be able to inject a specially crafted packet that will cause the internal consistency test to trigger, and named(8) to terminate. As a result, the name server will no longer be available to service requests.
DNSSEC is not enabled by default, and the "dnssec-enable" directive is not normally present. If DNSSEC has been enabled, disable it by changing the "dnssec-enable" directive to "dnssec-enable no;" in the named.conf(5) configuration file.
ge 5.3 lt 5.3_16
|83725c91-7c7e-11de-9672-00e0815b8da8||BIND -- Dynamic update message remote DoS|
When named(8) receives a specially crafted dynamic update message an internal assertion check is triggered which causes named(8) to exit.
To trigger the problem, the dynamic update message must contains a record of type "ANY" and at least one resource record set (RRset) for this fully qualified domain name (FQDN) must exist on the server.
An attacker which can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation.
No generally applicable workaround is available, but some firewalls may be able to prevent nsupdate DNS packets from reaching the nameserver.
NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT sufficient to protect it from this vulnerability.
ge 6.3 lt 6.3_12
ge 6.4 lt 6.4_6
ge 7.1 lt 7.1_7
ge 7.2 lt 7.2_3
|ef3306fc-8f9b-11db-ab33-000e0c2e438a||bind9 -- Denial of Service in named(8)|
For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure can occur when processing a query whose reply will contain more than one SIG(covered) RRset.
For an authoritative DNS server serving a RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response.
An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRsets can stop the functionality of the DNS service.
An attacker querying an authoritative DNS server serving a RFC 2535 DNSSEC zone may be able to crash the DNS server.
A possible workaround is to only allow trusted clients to perform recursive queries.
ge 6.1 lt 6.1_6
ge 6.0 lt 6.0_11
ge 5.5 lt 5.5_4
ge 5.4 lt 5.4_18
ge 5.0 lt 5.3_33
ge 9.0 lt 188.8.131.52