FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
c82ecac5-6e3f-11e8-8777-b499baebfeafOpenSSL -- Client DoS due to large DH parameter

The OpenSSL project reports:

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack.


Discovery 2018-06-12
Entry 2018-06-12
Modified 2018-07-24
libressl
libressl-devel
< 2.6.5

ge 2.7.0 lt 2.7.4

openssl
< 1.0.2o_4,1

openssl-devel
< 1.1.0h_2

https://www.openssl.org/news/secadv/20180612.txt
CVE-2018-0732
88dfd92f-3b9c-11eb-929d-d4c9ef517024LibreSSL -- NULL pointer dereference

The LibreSSL project reports:

Malformed ASN.1 in a certificate revocation list or a timestamp response token can lead to a NULL pointer dereference.


Discovery 2020-12-08
Entry 2020-12-11
Modified 2020-12-12
libressl
gt 3.2.0 lt 3.2.3

< 3.1.5

libressl-devel
< 3.3.1

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.3-relnotes.txt
91a337d8-83ed-11e6-bf52-b499baebfeafOpenSSL -- multiple vulnerabilities

OpenSSL reports:

Critical vulnerability in OpenSSL 1.1.0a

Fix Use After Free for large message sizes (CVE-2016-6309)

Moderate vulnerability in OpenSSL 1.0.2i

Missing CRL sanity check (CVE-2016-7052)


Discovery 2016-09-26
Entry 2016-09-26
Modified 2016-10-10
openssl
< 1.0.2j,1

openssl-devel
< 1.1.0b

libressl
< 2.4.3

libressl-devel
< 2.4.3

FreeBSD
ge 11.0 lt 11.0_1

https://www.openssl.org/news/secadv/20160926.txt
CVE-2016-6309
CVE-2016-7052
SA-16:27.openssl
7caebe30-d7f1-11e6-a9a5-b499baebfeafopenssl -- timing attack vulnerability

Cesar Pereida Garcia reports:

The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion. A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in the BN_mod_inverse method and therefore resulting in a cache-timing attack vulnerability.

A malicious user with local access can recover ECDSA P-256 private keys.


Discovery 2017-01-10
Entry 2017-01-11
Modified 2017-01-11
openssl
< 1.0.2

libressl
< 2.4.4_1

libressl-devel
< 2.5.0_1

http://seclists.org/oss-sec/2017/q1/52
CVE-2016-7056