FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-29 07:54:42 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
7f8d5435-125a-11ed-9a69-10c37b4ac2eago -- decoding big.Float and big.Rat can panic

The Go project reports:

encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is too short.


Discovery 2022-07-14
Entry 2022-08-02
go118
< 1.18.5

go117
< 1.17.13

CVE-2022-32189
https://groups.google.com/g/golang-announce/c/YqYYG87xB10
a4f2416c-02a0-11ed-b817-10c37b4ac2eago -- multiple vulnerabilities

The Go project reports:

net/http: improper sanitization of Transfer-Encoding header

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected.

compress/gzip: stack exhaustion in Reader.Read

Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.

encoding/xml: stack exhaustion in Unmarshal

Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.

encoding/xml: stack exhaustion in Decoder.Skip

Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

path/filepath: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

io/fs: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.


Discovery 2022-07-12
Entry 2022-07-13
go118
< 1.18.4

go117
< 1.17.12

CVE-2022-1705
CVE-2022-32148
CVE-2022-30631
CVE-2022-30633
CVE-2022-28131
CVE-2022-30635
CVE-2022-30632
CVE-2022-30630
CVE-2022-1962
https://groups.google.com/g/golang-dev/c/frczlF8OFQ0
15888c7e-e659-11ec-b7fe-10c37b4ac2eago -- multiple vulnerabilities

The Go project reports:

crypto/rand: rand.Read hangs with extremely large buffers

On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes.

crypto/tls: session tickets lack random ticket_age_add

Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

os/exec: empty Cmd.Path can result in running unintended binary on Windows

If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset and, in the working directory, there are binaries named either "..com" or "..exe", they will be executed.

path/filepath: Clean(`.\c:`) returns `c:` on Windows

On Windows, the filepath.Clean function could convert an invalid path to a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.


Discovery 2022-06-01
Entry 2022-06-07
go118
< 1.18.3

go117
< 1.17.11

https://groups.google.com/g/golang-dev/c/DidEMYAH_n0
CVE-2022-30634
https://go.dev/issue/52561
CVE-2022-30629
https://go.dev/issue/52814
CVE-2022-30580
https://go.dev/issue/52574
CVE-2022-29804
https://go.dev/issue/52476