FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-02 10:37:19 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
7fe7df75-6568-11e6-a590-14dae9d210b8End of Life Ports

These packages have reached End of Life status and/or have been removed from the Ports Tree. They may contain undocumented security issues. Please take caution and find alternative software as soon as possible.


Discovery 2016-08-18
Entry 2016-08-18
Modified 2016-10-18
python32
python31
python30
python26
python25
python24
python23
python22
python21
python20
python15
ge 0

php54
php53
php52
php5
php4
ge 0

perl5
< 5.18

perl5.16
perl5.14
perl5.12
perl
ge 0

ruby
ruby_static
< 2.1,1

unifi2
unifi3
ge 0

apache21
apache20
apache13
ge 0

tomcat55
tomcat41
ge 0

mysql51-client
mysql51-server
mysql50-client
mysql50-server
mysql41-client
mysql41-server
mysql40-client
mysql40-server
ge 0

postgresql90-client
postgresql90-server
postgresql84-client
postgresql84-server
postgresql83-client
postgresql83-server
postgresql82-client
postgresql82-server
postgresql81-client
postgresql81-server
postgresql80-client
postgresql80-server
postgresql74-client
postgresql74-server
postgresql73-client
postgresql73-server
postgresql72-client
postgresql72-server
postgresql71-client
postgresql71-server
postgresql7-client
postgresql7-server
ge 0

ports/211975
d656296b-33ff-11d9-a9e7-0001020eed82ruby -- CGI DoS

The Ruby CGI.rb module contains a bug which can cause the CGI module to go into an infinite loop, thereby causing a denial-of-service situation on the web server by using all available CPU time.


Discovery 2004-11-06
Entry 2004-11-13
Modified 2004-11-25
ruby
ruby_r
gt 1.7.* lt 1.8.2.p2_2

< 1.6.8.2004.07.28_1

ruby-1.7.0
ge a2001.05.12 le a2001.05.26

CVE-2004-0983
http://www.debian.org/security/2004/dsa-586
1daea60a-4719-11da-b5c6-0004614cc33druby -- vulnerability in the safe level settings

Ruby home page reports:

The Object Oriented Scripting Language Ruby supports safely executing an untrusted code with two mechanisms: safe level and taint flag on objects.

A vulnerability has been found that allows bypassing these mechanisms.

By using the vulnerability, arbitrary code can be executed beyond the restrictions specified in each safe level. Therefore, Ruby has to be updated on all systems that use safe level to execute untrusted code.


Discovery 2005-10-02
Entry 2005-10-27
ruby
ruby_static
gt 1.6.* lt 1.6.8.2004.07.28_2

gt 1.8.* lt 1.8.2_5

CVE-2005-2337
http://www.ruby-lang.org/en/20051003.html
e811aaf1-f015-11d8-876f-00902714cc7cRuby insecure file permissions in the CGI session management

According to a Debian Security Advisory:

Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore (and presumably PStore [...]) implementations store session information insecurely. They simply create files, ignoring permission issues. This can lead an attacker who has also shell access to the webserver to take over a session.


Discovery 2004-08-16
Entry 2004-08-16
Modified 2004-08-28
ruby
< 1.6.8.2004.07.26

ge 1.7.0 lt 1.8.1.2004.07.23

CVE-2004-0755
http://xforce.iss.net/xforce/xfdb/16996
http://www.debian.org/security/2004/dsa-537
http://marc.theaimsgroup.com/?l=bugtraq&m=109267579822250&w=2
76562594-1f19-11db-b7d4-0008743bf21aruby -- multiple vulnerabilities

Secunia reports:

Two vulnerabilities have been reported in Ruby, which can be exploited by malicious people to bypass certain security restrictions.

  1. An error in the handling of the "alias" functionality can be exploited to bypass the safe level protection and replace methods called in the trusted level.
  2. An error caused due to directory operations not being properly checked can be exploited to bypass the safe level protection and close untainted directory streams.

Discovery 2006-07-12
Entry 2006-07-29
Modified 2006-07-30
ruby
ruby_static
gt 1.6.* lt 1.8.*

gt 1.8.* lt 1.8.4_9,1

18944
CVE-2006-3694
http://secunia.com/advisories/21009/
http://jvn.jp/jp/JVN%2383768862/index.html
http://jvn.jp/jp/JVN%2313947696/index.html
91be81e7-3fea-11e1-afc7-2c4138874f7dMultiple implementations -- DoS via hash algorithm collision

oCERT reports:

A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms.

The issue finds particular exposure in web server applications and/or frameworks. In particular, the lack of sufficient limits for the number of parameters in POST requests in conjunction with the predictable collision properties in the hashing functions of the underlying languages can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can lead to a 100% of CPU usage which can last up to several hours depending on the targeted application and server performance, the amplification effect is considerable and requires little bandwidth and time on the attacker side.

The condition for predictable collisions in the hashing functions has been reported for the following language implementations: Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the Ruby language, the 1.9.x branch is not affected by the predictable collision condition since this version includes a randomization of the hashing function.

The vulnerability outlined in this advisory is practically identical to the one reported in 2003 and described in the paper Denial of Service via Algorithmic Complexity Attacks which affected the Perl language.


Discovery 2011-12-28
Entry 2012-01-16
Modified 2012-01-20
jruby
< 1.6.5.1

ruby
ruby+nopthreads
ruby+nopthreads+oniguruma
ruby+oniguruma
< 1.8.7.357,1

rubygem-rack
< 1.3.6,3

v8
< 3.8.5

redis
le 2.4.6

node
< 0.6.7

CVE-2011-4838
CVE-2011-4815
CVE-2011-5036
CVE-2011-5037
http://www.ocert.org/advisories/ocert-2011-003.html
http://www.nruns.com/_downloads/advisory28122011.pdf
7ed5779c-e4c7-11eb-91d7-08002728f74cRuby -- multiple vulnerabilities

Ruby news:

This release includes security fixes. Please check the topics below for details.

CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP

CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP

CVE-2021-31799: A command injection vulnerability in RDoc


Discovery 2021-07-07
Entry 2021-07-14
ruby26
< 2.6.8,1

ruby
< 2.7.4,1

ruby30
< 3.0.2,1

CVE-2021-31799
CVE-2021-31810
CVE-2021-32066
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/