FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  517352
Date:      2019-11-12
Time:      21:38:20Z
Committer: gjb

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
caf545f2-c0d9-11e9-9051-4c72b94353b5Apache -- Multiple vulnerabilities

SO-AND-SO reports:

SECURITY: CVE-2019-10081

mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.

SECURITY: CVE-2019-9517

mod_http2: a malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections.

SECURITY: CVE-2019-10098

rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break characters.

SECURITY: CVE-2019-10092

Remove HTML-escaped URLs from canned error responses to prevent misleading text/links being displayed via crafted links.

SECURITY: CVE-2019-10097

mod_remoteip: Fix stack buffer overflow and NULL pointer deference when reading the PROXY protocol header.

CVE-2019-10082

mod_http2: Using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.


Discovery 2019-08-14
Entry 2019-08-17
apache24
lt 2.4.41

http://www.apache.org/dist/httpd/CHANGES_2.4
CVE-2019-10081
CVE-2019-9517
CVE-2019-10098
CVE-2019-10092
CVE-2019-10082
eb888ce5-1f19-11e9-be05-4c72b94353b5Apache -- vulnerability

The Apache httpd Project reports:

SECURITY: CVE-2018-17199 mod_session: mod_session_cookie does not respect expiry time allowing sessions to be reused.

SECURITY: CVE-2019-0190 mod_ssl: Fix infinite loop triggered by a client-initiated renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and later. PR 63052.

SECURITY: CVE-2018-17189 mod_http2: fixes a DoS attack vector. By sending slow request bodies to resources not consuming them, httpd cleanup code occupies a server thread unnecessarily. This was changed to an immediate stream reset which discards all stream state and incoming data.


Discovery 2019-01-22
Entry 2019-01-23
apache24
lt 2.4.38

http://www.apache.org/dist/httpd/CHANGES_2.4.38
http://httpd.apache.org/security/vulnerabilities_24.html
CVE-2018-17199
CVE-2018-17189
CVE-2019-0190
cf2105c6-551b-11e9-b95c-b499baebfeafApache -- Multiple vulnerabilities

The Apache httpd Project reports:

Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211) (important)

mod_auth_digest access control bypass (CVE-2019-0217) (important)

mod_ssl access control bypass (CVE-2019-0215) (important)

mod_http2, possible crash on late upgrade (CVE-2019-0197) (low)

mod_http2, read-after-free on a string compare (CVE-2019-0196) (low)

Apache httpd URL normalization inconsistincy (CVE-2019-0220) (low)


Discovery 2019-04-01
Entry 2019-04-02
apache24
lt 2.4.39

https://www.apache.org/dist/httpd/CHANGES_2.4.39
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2019-0211
CVE-2019-0217
CVE-2019-0215
CVE-2019-0196
CVE-2019-0220