FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  526079
Date:      2020-02-14
Time:      01:16:13Z
Committer: philip

These are the vulnerabilities relating to the commit you have selected:

VuXML ID:    3b50881d-1860-4721-aab1-503290e23f6c
Description: Ruby -- unsafe tainted string vulnerability

Ruby developer reports:

There is an unsafe tainted string vulnerability in Fiddle and DL. This issue was originally reported and fixed with CVE-2009-5147 in DL, but reappeared after DL was reimplemented using Fiddle and libffi.

And, about DL, CVE-2009-5147 was fixed in Ruby 1.9.1 but not in other branches, so Rubies that bundle DL, except Ruby 1.9.1, are still vulnerable.


Discovery 2015-12-16
Entry 2015-12-23
ruby: ge 2.0.0,1 lt 2.0.0.648,1
ruby: ge 2.1.0,1 lt 2.1.8,1
ruby: ge 2.2.0,1 lt 2.2.4,1

https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
CVE-2015-7551
VuXML ID:    d4379f59-3e9b-49eb-933b-61de4d0b0fdb
Description: Ruby -- OpenSSL Hostname Verification Vulnerability

Ruby Developers report:

After reviewing RFC 6125 and RFC 5280, we found multiple violations of matching hostnames and particularly wildcard certificates.

Ruby’s OpenSSL extension will now provide a string-based matching algorithm which follows stricter behavior, as recommended by these RFCs. In particular, matching of more than one wildcard per subject/SAN is no longer allowed. As well, comparison of these values is now case-insensitive.


Discovery 2015-04-13
Entry 2015-04-14
Modified 2015-09-23
ruby, ruby20: ge 2.0,1 lt 2.0.0.645,1
ruby, ruby21: ge 2.1,1 lt 2.1.6,1
ruby, ruby22: ge 2.2,1 lt 2.2.2,1

https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
CVE-2015-1855
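The stricter matching rules the second advisory describes, as an added Ruby example that is not the Ruby project's own OpenSSL extension code: at most one wildcard, only in the left-most label, never spanning a dot, and case-insensitive label comparison. The rule that a wildcard pattern keeps at least two literal labels (rejecting `*.com`) is an assumption taken from general RFC 6125 practice, not from this advisory; the sample name pairs are constructed.

```ruby
# Added example: an RFC 6125-style strict hostname matcher written to
# illustrate the advisory's rules. It is NOT the code of Ruby's OpenSSL
# extension. Rules applied:
#   * labels are compared case-insensitively
#   * at most one '*' in the whole pattern, and only in the left-most label
#   * a wildcard never matches across a '.' ("*.example.com" does not match
#     "a.b.example.com")
#   * a wildcard pattern keeps at least two literal labels (no "*.com");
#     this minimum is an assumption, not something the advisory states
def strict_hostname_match?(pattern, hostname)
  pat  = pattern.downcase.split('.', -1)
  host = hostname.downcase.split('.', -1)
  return false if pat.empty? || host.empty?
  return false if pat.any?(&:empty?) || host.any?(&:empty?)
  return false if pat.length != host.length   # label count must agree

  wildcards = pattern.count('*')
  return false if wildcards > 1                # more than one wildcard: reject
  if wildcards == 1
    return false unless pat.first.include?('*') # wildcard only in left-most label
    return false if pat.length < 3              # keep at least two literal labels
  end

  pat.zip(host).each_with_index.all? do |(p, h), i|
    if i.zero? && p.include?('*')
      # exactly one '*' here; it may only match within this single label
      prefix, suffix = p.split('*', -1)
      h.length >= prefix.length + suffix.length &&
        h.start_with?(prefix) && h.end_with?(suffix)
    else
      p == h
    end
  end
end

# Constructed sample pairs: [name in certificate, hostname being verified]
SAMPLE_PAIRS = [
  ['*.example.com',   'www.example.com'],   # accepted
  ['*.EXAMPLE.com',   'www.example.COM'],   # accepted: case-insensitive
  ['*.example.com',   'a.b.example.com'],   # rejected: wildcard spans two labels
  ['*.*.example.com', 'a.b.example.com'],   # rejected: two wildcards
  ['www.*.com',       'www.example.com'],   # rejected: wildcard not left-most
  ['*.com',           'example.com'],       # rejected: too few labels
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PAIRS.each do |pattern, host|
    verdict = strict_hostname_match?(pattern, host) ? 'match' : 'reject'
    puts format('%-18s %-18s %s', pattern, host, verdict)
  end
end
```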