FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
90b27045-9530-11e3-9d09-000c2980a9f3lighttpd -- multiple vulnerabilities

lighttpd security advisories report:

It is possible to inadvertantly enable vulnerable ciphers when using ssl.cipher-list.

In certain cases setuid() and similar can fail, potentially triggering lighttpd to restart running as root.

If FAMMonitorDirectory fails, the memory intended to store the context is released; some lines below the "version" compoment of that context is read. Reading invalid data doesn't matter, but the memory access could trigger a segfault.


Discovery 2013-11-28
Entry 2014-02-14
lighttpd
lt 1.4.34

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
CVE-2013-4508
CVE-2013-4559
CVE-2013-4560
ef0033ad-5823-11e6-80cc-001517f335e2lighttpd - multiple vulnerabilities

Lighttpd Project reports:

Security fixes for Lighttpd:

  • security: encode quoting chars in HTML and XML

  • security: ensure gid != 0 if server.username is set, but not server.groupname

  • security: disable stat_cache if server.follow-symlink = “disable”

  • security: httpoxy defense: do not emit HTTP_PROXY to CGI env


Discovery 2016-07-31
Entry 2016-08-03
lighttpd
lt 1.4.41

http://www.lighttpd.net/2016/7/31/1.4.41/
ports/211495
dd7f29cc-3ee9-11e5-93ad-002590263bf5lighttpd -- Log injection vulnerability in mod_auth

MITRE reports:

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.


Discovery 2015-05-25
Entry 2015-08-10
lighttpd
lt 1.4.36

CVE-2015-3200
http://redmine.lighttpd.net/issues/2646
92a6efd0-e40d-11e8-ada4-408d5cf35399lighttpd - use-after-free vulnerabilities

Lighttpd Project reports:

Security fixes for Lighttpd:

  • security: process headers after combining folded headers


Discovery 2018-08-26
Entry 2018-11-09
lighttpd
lt 1.4.51

https://www.lighttpd.net/2018/10/14/1.4.51/
ports/232278