FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
854c2afb-4424-11ed-af97-adcabf310f9bgo -- multiple vulnerabilities

The Go project reports:

archive/tar: unbounded memory consumption when reading headers

Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB.

net/http/httputil: ReverseProxy should not forward unparseable query parameters

Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value.

ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

regexp/syntax: limit memory used by parsing regexps

The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.

Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected.


Discovery 2022-10-04
Entry 2022-10-04
go118
< 1.18.7

go119
< 1.19.2

CVE-2022-2879
CVE-2022-2880
CVE-2022-41715
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU/m/jEhlI_5WBgAJ
6fea7103-2ea4-11ed-b403-3dae8ac60d3ego -- multiple vulnerabilities

The Go project reports:

net/http: handle server errors after sending GOAWAY

A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

net/url: JoinPath does not strip relative path components in all circumstances

JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path.


Discovery 2022-09-06
Entry 2022-09-07
go118
< 1.18.6

go119
< 1.19.1

CVE-2022-27664
CVE-2022-32190
https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ
7f8d5435-125a-11ed-9a69-10c37b4ac2eago -- decoding big.Float and big.Rat can panic

The Go project reports:

encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is too short.


Discovery 2022-07-14
Entry 2022-08-02
go118
< 1.18.5

go117
< 1.17.13

CVE-2022-32189
https://groups.google.com/g/golang-announce/c/YqYYG87xB10
26b1100a-5a27-11ed-abfe-29ac76ec31b5go -- syscall, os/exec: unsanitized NUL in environment variables

The Go project reports:

syscall, os/exec: unsanitized NUL in environment variables

On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D".


Discovery 2022-10-17
Entry 2022-11-01
go118
< 1.18.8

go119
< 1.19.3

CVE-2022-41716
https://groups.google.com/g/golang-dev/c/83nKqv2W1Dk/m/gEJdD5vjDwAJ