FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  526521
Date:      2020-02-19
Time:      18:06:45Z
Committer: kwm

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
c9075321-f483-11e5-92ce-002590263bf5bind -- denial of service vulnerability

ISC reports:

An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c.


Discovery 2016-03-09
Entry 2016-03-28
Modified 2016-08-09
bind98
le 9.8.8

bind99
ge 9.9.0 lt 9.9.8P4

bind910
ge 9.10.0 lt 9.10.3P4

bind9-devel
lt 9.11.0.a20160309

FreeBSD
ge 9.3 lt 9.3_38

CVE-2016-1285
SA-16:13.bind
https://kb.isc.org/article/AA-01352
c8d902b1-8550-11e6-81e7-d050996490d0BIND -- Remote Denial of Service vulnerability

ISC reports:

Testing by ISC has uncovered a critical error condition which can occur when a nameserver is constructing a response. A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria.


Discovery 2016-09-27
Entry 2016-09-28
Modified 2016-10-10
bind99
lt 9.9.9P3

bind910
lt 9.10.4P3

bind911
lt 9.11.0.rc3

bind9-devel
lt 9.12.0.a.2016.09.10

FreeBSD
ge 9.3 lt 9.3_48

CVE-2016-2776
SA-16:28.bind
https://kb.isc.org/article/AA-01419
58033a95-bba8-11e4-88ae-d050992ecde8bind -- denial of service vulnerability

ISC reports:

When configured to perform DNSSEC validation, named can crash when encountering a rare set of conditions in the managed trust anchors.


Discovery 2015-02-18
Entry 2015-02-23
Modified 2016-08-09
bind910
bind910-base
lt 9.10.1P2

bind99
bind99-base
lt 9.9.6P2

FreeBSD
ge 9.3 lt 9.3_10

ge 8.4 lt 8.4_24

SA-15:05.bind
CVE-2015-1349
https://kb.isc.org/article/AA-01235
b4578647-c12b-11e5-96d6-14dae9d210b8bind -- denial of service vulnerability

ISC reports:

Specific APL data could trigger an INSIST in apl_42.c


Discovery 2016-01-19
Entry 2016-01-22
Modified 2016-08-09
bind99
lt 9.9.8P3

bind910
lt 9.10.3P3

FreeBSD
ge 9.3 lt 9.3_35

https://kb.isc.org/article/AA-01335
CVE-2015-8704
SA-16:08.bind
d4c7e9a9-d893-11e6-9b4d-d050996490d0BIND -- multiple vulnerabilities

ISC reports:

A malformed query response received by a recursive server in response to a query of RTYPE ANY could trigger an assertion failure while named is attempting to add the RRs in the query response to the cache.

Depending on the type of query and the EDNS options in the query they receive, DNSSEC-enabled authoritative servers are expected to include RRSIG and other RRsets in their responses to recursive servers. DNSSEC-validating servers will also make specific queries for DS and other RRsets. Whether DNSSEC-validating or not, an error in processing malformed query responses that contain DNSSEC-related RRsets that are inconsistent with other RRsets in the same query response can trigger an assertion failure. Although the combination of properties which triggers the assertion should not occur in normal traffic, it is potentially possible for the assertion to be triggered deliberately by an attacker sending a specially-constructed answer.

An unusually-formed answer containing a DS resource record could trigger an assertion failure. While the combination of properties which triggers the assertion should not occur in normal traffic, it is potentially possible for the assertion to be triggered deliberately by an attacker sending a specially-constructed answer having the required properties.

An error in handling certain queries can cause an assertion failure when a server is using the nxdomain-redirect feature to cover a zone for which it is also providing authoritative service. A vulnerable server could be intentionally stopped by an attacker if it was using a configuration that met the criteria for the vulnerability and if the attacker could cause it to accept a query that possessed the required attributes.


Discovery 2017-01-11
Entry 2017-01-12
bind99
lt 9.9.9P5

bind910
lt 9.10.4P5

bind911
lt 9.11.0P2

bind9-devel
le 9.12.0.a.2016.12.28

FreeBSD
ge 9.3 lt 10.0

CVE-2016-9131
CVE-2016-9147
CVE-2016-9444
CVE-2016-9778
https://kb.isc.org/article/AA-01439/0
https://kb.isc.org/article/AA-01440/0
https://kb.isc.org/article/AA-01441/0
https://kb.isc.org/article/AA-01442/0
a8ec4db7-a398-11e5-85e9-14dae9d210b8bind -- multiple vulnerabilities

ISC reports:

Named is potentially vulnerable to the OpenSSL vulnerability described in CVE-2015-3193.

Incorrect reference counting could result in an INSIST failure if a socket error occurred while performing a lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]

Insufficient testing when parsing a message allowed records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. This flaw is disclosed in CVE-2015-8000. [RT #40987]


Discovery 2015-11-24
Entry 2015-12-16
Modified 2016-08-09
bind99
lt 9.9.8P2

bind910
lt 9.10.3P2

bind9-devel
lt 9.11.0.a20151215

FreeBSD
ge 9.3 lt 9.3_32

https://kb.isc.org/article/AA-01328/0/BIND-9.10.3-P2-Release-Notes.html
https://kb.isc.org/article/AA-01317/0/CVE-2015-8000%3A-Responses-with-a-malformed-class-attribute-can-trigger-an-assertion-failure-in-db.c.html
https://kb.isc.org/article/AA-01319/0/CVE-2015-8461%3A-A-race-condition-when-handling-socket-errors-can-lead-to-an-assertion-failure-in-resolver.c.html
CVE-2015-3193
CVE-2015-8000
CVE-2015-8461
SA-15:27.bind
eaf3b255-5245-11e5-9ad8-14dae9d210b8bind -- denial of service vulnerability

ISC reports:

Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key.


Discovery 2015-08-19
Entry 2015-09-03
Modified 2016-08-09
bind99
lt 9.9.7P3

bind910
ge 9.10.2 lt 9.10.2P4

bind910-base
bind99-base
gt 0

FreeBSD
ge 9.3 lt 9.3_25

https://www.isc.org/blogs/cve-2015-5722-parsing-malformed-keys-may-cause-bind-to-exit-due-to-a-failed-assertion-in-buffer-c/
CVE-2015-5722
SA-15:23.bind
c93533a3-24f1-11e5-8b74-3c970e169bc2bind -- denial of service vulnerability

ISC reports:

A very uncommon combination of zone data has been found that triggers a bug in BIND, with the result that named will exit with a "REQUIRE" failure in name.c when validating the data returned in answer to a recursive query.

A recursive resolver that is performing DNSSEC validation can be deliberately terminated by any attacker who can cause a query to be performed against a maliciously constructed zone. This will result in a denial of service to clients who rely on that resolver.


Discovery 2015-07-07
Entry 2015-07-07
Modified 2016-08-09
bind910
lt 9.10.2P2

bind99
lt 9.9.7P1

bind910-base
bind99-base
gt 0

FreeBSD
ge 9.3 lt 9.3_19

ge 8.4 lt 8.4_33

SA-15:11.bind
CVE-2015-4620
https://kb.isc.org/article/AA-01267/
0b8d01a4-a0d2-11e6-9ca2-d050996490d0BIND -- Remote Denial of Service vulnerability

ISC reports:

A defect in BIND's handling of responses containing a DNAME answer can cause a resolver to exit after encountering an assertion failure in db.c or resolver.c


Discovery 2016-11-01
Entry 2016-11-02
bind99
lt 9.9.9P4

bind910
lt 9.10.4P4

bind911
lt 9.11.0P1

bind9-devel
le 9.12.0.a.2016.10.21

FreeBSD
ge 9.3 lt 9.3_50

CVE-2016-8864
SA-16:34.bind
https://kb.isc.org/article/AA-01434/
c6861494-1ffb-11e7-934d-d05099c0ae8cBIND -- multiple vulnerabilities

ISC reports:

A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate.

An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met.

Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order.

named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc.

A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string.


Discovery 2017-04-12
Entry 2017-04-13
Modified 2017-04-13
bind99
lt 9.9.9P8

bind910
lt 9.10.4P8

bind911
lt 9.11.0P5

bind9-devel
le 9.12.0.a.2017.03.25

CVE-2017-3136
CVE-2017-3137
CVE-2017-3138
https://kb.isc.org/article/AA-01465/0
https://kb.isc.org/article/AA-01466/0
https://kb.isc.org/article/AA-01471/0
7a31e0de-5b6d-11e6-b334-002590263bf5bind -- denial of service vulnerability

ISC reports:

A query name which is too long can cause a segmentation fault in lwresd.


Discovery 2016-07-18
Entry 2016-08-06
bind99
lt 9.9.9P2

bind910
lt 9.10.4P2

bind911
lt 9.11.0.b2

bind9-devel
lt 9.12.0.a.2016.07.14

CVE-2016-2775
https://kb.isc.org/article/AA-01393
cba246d2-f483-11e5-92ce-002590263bf5bind -- denial of service vulnerability

ISC reports:

A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c


Discovery 2016-03-09
Entry 2016-03-28
Modified 2016-08-09
bind98
le 9.8.8

bind99
ge 9.9.0 lt 9.9.8P4

bind910
ge 9.10.0 lt 9.10.3P4

bind9-devel
lt 9.11.0.a20160309

FreeBSD
ge 9.3 lt 9.3_38

CVE-2016-1286
SA-16:13.bind
https://kb.isc.org/article/AA-01353
7d08e608-5e95-11e6-b334-002590263bf5BIND,Knot,NSD,PowerDNS -- denial over service via oversized zone transfers

ISC reports:

DNS protocols were designed with the assumption that a certain amount of trust could be presumed between the operators of primary and secondary servers for a given zone. However, in current practice some organizations have scenarios which require them to accept zone data from sources that are not fully trusted (for example: providers of secondary name service). A party who is allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS updates) can overwhelm the server which is accepting data by intentionally or accidentally exhausting that server's memory.


Discovery 2016-07-06
Entry 2016-08-10
Modified 2017-04-24
bind99
le 9.9.9P2

bind910
le 9.10.4P2

bind911
le 9.11.0.b2

bind9-devel
le 9.12.0.a.2016.11.02

knot
knot1
lt 1.6.8

knot2
lt 2.3.0

nsd
lt 4.1.11

powerdns
lt 4.0.1

CVE-2016-6170
CVE-2016-6171
CVE-2016-6172
CVE-2016-6173
https://kb.isc.org/article/AA-01390
http://www.openwall.com/lists/oss-security/2016/07/06/4
731cdeaa-3564-11e5-9970-14dae9d210b8bind -- denial of service vulnerability

ISC reports:

An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit.


Discovery 2015-07-21
Entry 2015-07-28
Modified 2016-08-09
bind910
lt 9.10.2P3

bind99
lt 9.9.7P2

bind910-base
bind99-base
gt 0

FreeBSD
ge 9.3 lt 9.3_21

ge 8.4 lt 8.4_35

SA-15:17.bind
CVE-2015-5477
https://kb.isc.org/article/AA-01272/