FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
43eaa656-80bc-11e6-bf52-b499baebfeafOpenSSL -- multiple vulnerabilities

OpenSSL reports:

High: OCSP Status Request extension unbounded memory growth

SSL_peek() hang on empty record

SWEET32 Mitigation

OOB write in MDC2_Update()

Malformed SHA512 ticket DoS

OOB write in BN_bn2dec()

OOB read in TS_OBJ_print_bio()

Pointer arithmetic undefined behaviour

Constant time flag not preserved in DSA signing

DTLS buffered message DoS

DTLS replay protection DoS

Certificate message OOB reads

Excessive allocation of memory in tls_get_message_header()

Excessive allocation of memory in dtls1_preprocess_fragment()

NB: LibreSSL is only affected by CVE-2016-6304


Discovery 2016-09-22
Entry 2016-09-22
Modified 2016-10-11
openssl-devel
ge 1.1.0 lt 1.1.0_1

openssl
lt 1.0.2i,1

linux-c6-openssl
lt 1.0.1e_11

FreeBSD
ge 10.3 lt 10.3_8

ge 10.2 lt 10.2_21

ge 10.1 lt 10.1_38

ge 9.3 lt 9.3_46

https://www.openssl.org/news/secadv/20160922.txt
CVE-2016-6304
CVE-2016-6305
CVE-2016-2183
CVE-2016-6303
CVE-2016-6302
CVE-2016-2182
CVE-2016-2180
CVE-2016-2177
CVE-2016-2178
CVE-2016-2179
CVE-2016-2181
CVE-2016-6306
CVE-2016-6307
CVE-2016-6308
SA-16:26.openssl
4c8d1d72-9b38-11e5-aece-d050996490d0openssl -- multiple vulnerabilities

OpenSSL project reports:

  1. BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
  2. Certificate verify crash with missing PSS parameter (CVE-2015-3194)
  3. X509_ATTRIBUTE memory leak (CVE-2015-3195)
  4. Race condition handling PSK identify hint (CVE-2015-3196)
  5. Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)

Discovery 2015-12-03
Entry 2015-12-05
Modified 2016-08-09
openssl
lt 1.0.2_5

mingw32-openssl
ge 1.0.1 lt 1.0.2e

linux-c6-openssl
lt 1.0.1e_7

FreeBSD
ge 10.2 lt 10.2_8

ge 10.1 lt 10.1_25

ge 9.3 lt 9.3_31

SA-15:26.openssl
CVE-2015-1794
CVE-2015-3193
CVE-2015-3194
CVE-2015-3195
CVE-2015-3196
https://www.openssl.org/news/secadv/20151203.txt
01d729ca-1143-11e6-b55e-b499baebfeafOpenSSL -- multiple vulnerabilities

OpenSSL reports:

Memory corruption in the ASN.1 encoder

Padding oracle in AES-NI CBC MAC check

EVP_EncodeUpdate overflow

EVP_EncryptUpdate overflow

ASN.1 BIO excessive memory allocation

EBCDIC overread (OpenSSL only)


Discovery 2016-05-03
Entry 2016-05-03
Modified 2016-08-09
openssl
lt 1.0.2_11

linux-c6-openssl
lt 1.0.1e_8

libressl
ge 2.3.0 lt 2.3.4

lt 2.2.7

libressl-devel
lt 2.3.4

FreeBSD
ge 10.3 lt 10.3_2

ge 10.2 lt 10.2_16

ge 10.1 lt 10.1_33

ge 9.3 lt 9.3_41

https://www.openssl.org/news/secadv/20160503.txt
https://marc.info/?l=openbsd-tech&m=146228598730414
CVE-2016-2105
CVE-2016-2106
CVE-2016-2107
CVE-2016-2108
CVE-2016-2109
CVE-2016-2176
SA-16:17.openssl
7700061f-34f7-11e9-b95c-b499baebfeafOpenSSL -- Padding oracle vulnerability

The OpenSSL project reports:

0-byte record padding oracle (CVE-2019-1559) (Moderate)

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data.


Discovery 2019-02-19
Entry 2019-02-20
Modified 2019-03-07
openssl
lt 1.0.2r,1

linux-c6-openssl
lt 1.0.1e_16

https://www.openssl.org/news/secadv/20190226.txt
CVE-2019-1559
0fcd3af0-a0fe-11e6-b1cf-14dae9d210b8FreeBSD -- OpenSSL Remote DoS vulnerability

Problem Description:

Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.

Impact:

A remote attacker who can initiate handshakes with an OpenSSL based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack.


Discovery 2016-11-02
Entry 2016-11-02
Modified 2017-02-22
FreeBSD
ge 10.3 lt 10.3_12

ge 10.2 lt 10.2_25

ge 10.1 lt 10.1_42

ge 9.3 lt 9.3_50

openssl
lt 1.0.2i,1

openssl-devel
lt 1.1.0a

linux-c6-openssl
lt 1.0.1e_13

linux-c7-openssl-libs
lt 1.0.1e_3

CVE-2016-8610
SA-16:35.openssl
http://seclists.org/oss-sec/2016/q4/224
d455708a-e3d3-11e6-9940-b499baebfeafOpenSSL -- multiple vulnerabilities

The OpenSSL project reports:

  • Truncated packet could crash via OOB read (CVE-2017-3731)
  • Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)
  • BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
  • Montgomery multiplication may produce incorrect results (CVE-2016-7055)

Discovery 2017-01-26
Entry 2017-01-26
Modified 2017-05-26
openssl
lt 1.0.2k,1

openssl-devel
lt 1.1.0d

linux-c6-openssl
lt 1.0.1e_13

linux-c7-openssl-libs
lt 1.0.1e_3

FreeBSD
ge 11.0 lt 11.0_8

ge 10.3 lt 10.3_17

https://www.openssl.org/news/secadv/20170126.txt
CVE-2016-7055
CVE-2017-3730
CVE-2017-3731
CVE-2017-3732
SA-17:02.openssl