FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  518141
Date:      2019-11-22
Time:      11:15:09Z
Committer: kai

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
8f353420-4197-11e8-8777-b499baebfeafOpenSSL -- Cache timing vulnerability

The OpenSSL project reports:

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key.

Discovery 2018-04-16
Entry 2018-04-16
lt 1.0.2o_2,1

lt 1.1.0h_1
b7cff5a9-31cc-11e8-8f07-b499baebfeafOpenSSL -- multiple vulnerabilities

The OpenSSL project reports:

  • Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)

    Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe.
  • rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

    There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation).

Discovery 2018-03-27
Entry 2018-03-27
lt 1.0.2o,1

lt 1.1.0h
c82ecac5-6e3f-11e8-8777-b499baebfeafOpenSSL -- Client DoS due to large DH parameter

The OpenSSL project reports:

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack.

Discovery 2018-06-12
Entry 2018-06-12
Modified 2018-07-24
lt 2.6.5

ge 2.7.0 lt 2.7.4

lt 1.0.2o_4,1

lt 1.1.0h_2
7700061f-34f7-11e9-b95c-b499baebfeafOpenSSL -- Padding oracle vulnerability

The OpenSSL project reports:

0-byte record padding oracle (CVE-2019-1559) (Moderate)

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data.

Discovery 2019-02-19
Entry 2019-02-20
Modified 2019-03-07
lt 1.0.2r,1

lt 1.0.1e_16
9e0c6f7a-d46d-11e9-a1c7-b499baebfeafOpenSSL -- Multiple vulnerabilities

The OpenSSL project reports:

ECDSA remote timing attack (CVE-2019-1547) [Low]

Fork Protection (CVE-2019-1549) [Low]

(OpenSSL 1.1.1 only)

Discovery 2019-09-10
Entry 2019-09-11
lt 1.0.2t,1

lt 1.1.1d