FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  556810
Date:      2020-12-02
Time:      10:03:15Z
Committer: philip

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
7700061f-34f7-11e9-b95c-b499baebfeafOpenSSL -- Padding oracle vulnerability

The OpenSSL project reports:

0-byte record padding oracle (CVE-2019-1559) (Moderate)

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data.

Discovery 2019-02-19
Entry 2019-02-20
Modified 2019-03-07
lt 1.0.2r,1

lt 1.0.1e_16
c82ecac5-6e3f-11e8-8777-b499baebfeafOpenSSL -- Client DoS due to large DH parameter

The OpenSSL project reports:

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack.

Discovery 2018-06-12
Entry 2018-06-12
Modified 2018-07-24
lt 2.6.5

ge 2.7.0 lt 2.7.4

lt 1.0.2o_4,1

lt 1.1.0h_2
9e0c6f7a-d46d-11e9-a1c7-b499baebfeafOpenSSL -- Multiple vulnerabilities

The OpenSSL project reports:

ECDSA remote timing attack (CVE-2019-1547) [Low]

Fork Protection (CVE-2019-1549) [Low]

(OpenSSL 1.1.1 only)

Discovery 2019-09-10
Entry 2019-09-11
lt 1.0.2t,1

lt 1.1.1d
8f353420-4197-11e8-8777-b499baebfeafOpenSSL -- Cache timing vulnerability

The OpenSSL project reports:

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key.

Discovery 2018-04-16
Entry 2018-04-16
lt 1.0.2o_2,1

lt 1.1.0h_1