FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
43eaa656-80bc-11e6-bf52-b499baebfeafOpenSSL -- multiple vulnerabilities

OpenSSL reports:

High: OCSP Status Request extension unbounded memory growth

SSL_peek() hang on empty record

SWEET32 Mitigation

OOB write in MDC2_Update()

Malformed SHA512 ticket DoS

OOB write in BN_bn2dec()

OOB read in TS_OBJ_print_bio()

Pointer arithmetic undefined behaviour

Constant time flag not preserved in DSA signing

DTLS buffered message DoS

DTLS replay protection DoS

Certificate message OOB reads

Excessive allocation of memory in tls_get_message_header()

Excessive allocation of memory in dtls1_preprocess_fragment()

NB: LibreSSL is only affected by CVE-2016-6304


Discovery 2016-09-22
Entry 2016-09-22
Modified 2016-10-11
openssl-devel
ge 1.1.0 lt 1.1.0_1

openssl
lt 1.0.2i,1

linux-c6-openssl
lt 1.0.1e_11

FreeBSD
ge 10.3 lt 10.3_8

ge 10.2 lt 10.2_21

ge 10.1 lt 10.1_38

ge 9.3 lt 9.3_46

https://www.openssl.org/news/secadv/20160922.txt
CVE-2016-6304
CVE-2016-6305
CVE-2016-2183
CVE-2016-6303
CVE-2016-6302
CVE-2016-2182
CVE-2016-2180
CVE-2016-2177
CVE-2016-2178
CVE-2016-2179
CVE-2016-2181
CVE-2016-6306
CVE-2016-6307
CVE-2016-6308
SA-16:26.openssl
0fcd3af0-a0fe-11e6-b1cf-14dae9d210b8FreeBSD -- OpenSSL Remote DoS vulnerability

Problem Description:

Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.

Impact:

A remote attacker who can initiate handshakes with an OpenSSL based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack.


Discovery 2016-11-02
Entry 2016-11-02
Modified 2017-02-22
FreeBSD
ge 10.3 lt 10.3_12

ge 10.2 lt 10.2_25

ge 10.1 lt 10.1_42

ge 9.3 lt 9.3_50

openssl
lt 1.0.2i,1

openssl-devel
lt 1.1.0a

linux-c6-openssl
lt 1.0.1e_13

linux-c7-openssl-libs
lt 1.0.1e_3

CVE-2016-8610
SA-16:35.openssl
http://seclists.org/oss-sec/2016/q4/224
9d15355b-ce7c-11e4-9db0-d050992ecde8OpenSSL -- multiple vulnerabilities

OpenSSL project reports:

  • Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204). OpenSSL only.
  • Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
  • ASN.1 structure reuse memory corruption (CVE-2015-0287)
  • PKCS#7 NULL pointer dereferences (CVE-2015-0289)
  • Base64 decode (CVE-2015-0292). OpenSSL only.
  • DoS via reachable assert in SSLv2 servers (CVE-2015-0293). OpenSSL only.
  • Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
  • X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)

Discovery 2015-03-19
Entry 2015-03-19
Modified 2016-08-09
openssl
ge 1.0.1 lt 1.0.1_19

mingw32-openssl
ge 1.0.1 lt 1.0.1m

linux-c6-openssl
lt 1.0.1e_4

libressl
le 2.1.5_1

FreeBSD
ge 10.1 lt 10.1_8

ge 9.3 lt 9.3_12

ge 8.4 lt 8.4_26

SA-15:06.openssl
ports/198681
CVE-2015-0204
CVE-2015-0286
CVE-2015-0287
CVE-2015-0289
CVE-2015-0292
CVE-2015-0293
CVE-2015-0209
CVE-2015-0288
https://www.openssl.org/news/secadv_20150319.txt
8305e215-1080-11e5-8ba2-000c2980a9f3openssl -- multiple vulnerabilities

The OpenSSL team reports:

  • Missing DHE man-in-the-middle protection (Logjam) (CVE-2015-4000)
  • Malformed ECParameters causes infinite loop (CVE-2015-1788)
  • Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
  • PKCS#7 crash with missing EnvelopedContent (CVE-2015-1790)
  • CMS verify infinite loop with unknown hash function (CVE-2015-1792)
  • Race condition handling NewSessionTicket (CVE-2015-1791)
  • Invalid free in DTLS (CVE-2014-8176)

Discovery 2015-06-11
Entry 2015-06-11
Modified 2016-08-09
openssl
lt 1.0.2_2

mingw32-openssl
ge 1.0.1 lt 1.0.2b

linux-c6-openssl
lt 1.0.1e_6

libressl
lt 2.1.7

FreeBSD
ge 10.1 lt 10.1_12

ge 9.3 lt 9.3_16

ge 8.4 lt 8.4_30

CVE-2014-8176
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
CVE-2015-4000
SA-15:10.openssl
https://www.openssl.org/news/secadv_20150611.txt
7700061f-34f7-11e9-b95c-b499baebfeafOpenSSL -- Padding oracle vulnerability

The OpenSSL project reports:

0-byte record padding oracle (CVE-2019-1559) (Moderate)

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data.


Discovery 2019-02-19
Entry 2019-02-20
Modified 2019-03-07
openssl
lt 1.0.2r,1

linux-c6-openssl
lt 1.0.1e_16

https://www.openssl.org/news/secadv/20190226.txt
CVE-2019-1559
4c8d1d72-9b38-11e5-aece-d050996490d0openssl -- multiple vulnerabilities

OpenSSL project reports:

  1. BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
  2. Certificate verify crash with missing PSS parameter (CVE-2015-3194)
  3. X509_ATTRIBUTE memory leak (CVE-2015-3195)
  4. Race condition handling PSK identify hint (CVE-2015-3196)
  5. Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)

Discovery 2015-12-03
Entry 2015-12-05
Modified 2016-08-09
openssl
lt 1.0.2_5

mingw32-openssl
ge 1.0.1 lt 1.0.2e

linux-c6-openssl
lt 1.0.1e_7

FreeBSD
ge 10.2 lt 10.2_8

ge 10.1 lt 10.1_25

ge 9.3 lt 9.3_31

SA-15:26.openssl
CVE-2015-1794
CVE-2015-3193
CVE-2015-3194
CVE-2015-3195
CVE-2015-3196
https://www.openssl.org/news/secadv/20151203.txt
01d729ca-1143-11e6-b55e-b499baebfeafOpenSSL -- multiple vulnerabilities

OpenSSL reports:

Memory corruption in the ASN.1 encoder

Padding oracle in AES-NI CBC MAC check

EVP_EncodeUpdate overflow

EVP_EncryptUpdate overflow

ASN.1 BIO excessive memory allocation

EBCDIC overread (OpenSSL only)


Discovery 2016-05-03
Entry 2016-05-03
Modified 2016-08-09
openssl
lt 1.0.2_11

linux-c6-openssl
lt 1.0.1e_8

libressl
ge 2.3.0 lt 2.3.4

lt 2.2.7

libressl-devel
lt 2.3.4

FreeBSD
ge 10.3 lt 10.3_2

ge 10.2 lt 10.2_16

ge 10.1 lt 10.1_33

ge 9.3 lt 9.3_41

https://www.openssl.org/news/secadv/20160503.txt
https://marc.info/?l=openbsd-tech&m=146228598730414
CVE-2016-2105
CVE-2016-2106
CVE-2016-2107
CVE-2016-2108
CVE-2016-2109
CVE-2016-2176
SA-16:17.openssl
d455708a-e3d3-11e6-9940-b499baebfeafOpenSSL -- multiple vulnerabilities

The OpenSSL project reports:

  • Truncated packet could crash via OOB read (CVE-2017-3731)
  • Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)
  • BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
  • Montgomery multiplication may produce incorrect results (CVE-2016-7055)

Discovery 2017-01-26
Entry 2017-01-26
Modified 2017-05-26
openssl
lt 1.0.2k,1

openssl-devel
lt 1.1.0d

linux-c6-openssl
lt 1.0.1e_13

linux-c7-openssl-libs
lt 1.0.1e_3

FreeBSD
ge 11.0 lt 11.0_8

ge 10.3 lt 10.3_17

https://www.openssl.org/news/secadv/20170126.txt
CVE-2016-7055
CVE-2017-3730
CVE-2017-3731
CVE-2017-3732
SA-17:02.openssl