FreshPorts - VuXML
This page displays vulnerability information about FreeBSD Ports.
The last vuln.xml file processed by FreshPorts is:
Revision: 567892
Date: 2021-03-09
Time: 06:26:48Z
Committer: bhughes
These are the vulnerabilities relating to the commit you have selected:
VuXML ID | Description
9e0c6f7a-d46d-11e9-a1c7-b499baebfeaf | OpenSSL -- Multiple vulnerabilities
The OpenSSL project reports:
ECDSA remote timing attack (CVE-2019-1547) [Low]
Fork Protection (CVE-2019-1549) [Low]
(OpenSSL 1.1.1 only)
Discovery 2019-09-10 Entry 2019-09-11
openssl lt 1.0.2t,1
openssl111 lt 1.1.1d
https://www.openssl.org/news/secadv/20190910.txt
CVE-2019-1547
CVE-2019-1549

1d56cfc5-3970-11eb-929d-d4c9ef517024 | OpenSSL -- NULL pointer de-reference
The OpenSSL project reports:
EDIPARTYNAME NULL pointer de-reference (High)
The X.509 GeneralName type is a generic type for representing
different types of names. One of those name types is known as
EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which
compares different instances of a GENERAL_NAME to see if they
are equal or not. This function behaves incorrectly when both
GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer
dereference and a crash may occur leading to a possible denial
of service attack.
Discovery 2020-12-08 Entry 2020-12-08 Modified 2020-12-15
openssl ge 1.0.2,1 lt 1.1.1i,1
FreeBSD ge 12.2 lt 12.2_2
FreeBSD ge 12.1 lt 12.1_12
FreeBSD ge 11.4 lt 11.4_6
https://www.openssl.org/news/secadv/20201208.txt
CVE-2020-1971
SA-20:33.openssl

d778ddb0-2338-11ea-a1c7-b499baebfeaf | OpenSSL -- Overflow vulnerability
The OpenSSL project reports:
rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551) (Low)
There is an overflow bug in the x86_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli. No EC algorithms are
affected. Analysis suggests that attacks against 2-prime RSA1024,
3-prime RSA1536, and DSA1024 as a result of this defect would be very
difficult to perform and are not believed likely. Attacks against
DH512 are considered just feasible. However, for an attack the target
would have to re-use the DH512 private key, which is not recommended
anyway. Also applications directly using the low level API BN_mod_exp
may be affected if they use BN_FLG_CONSTTIME.
Discovery 2019-12-06 Entry 2019-12-20
openssl lt 1.0.2u,1
https://www.openssl.org/news/secadv/20191206.txt
CVE-2019-1551