FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
ced2d47e-8469-11ea-a283-b42e99a1b9c3malicious URLs may present credentials to wrong server

git security advisory reports:

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server for an HTTP request being made to another server, resulting in credentials for the former being sent to the latter.


Discovery 2020-04-14
Entry 2020-04-22
git
ge 2.26.0 lt 2.26.1

ge 2.25.0 lt 2.25.3

ge 2.24.0 lt 2.24.2

ge 2.23.0 lt 2.23.2

ge 2.22.0 lt 2.22.3

ge 2.21.0 lt 2.21.2

ge 2.20.0 lt 2.20.3

ge 2.19.0 lt 2.19.4

ge 2.18.0 lt 2.18.3

ge 0 lt 2.17.4

git-lite
ge 2.26.0 lt 2.26.1

ge 2.25.0 lt 2.25.3

ge 2.24.0 lt 2.24.2

ge 2.23.0 lt 2.23.2

ge 2.22.0 lt 2.22.3

ge 2.21.0 lt 2.21.2

ge 2.20.0 lt 2.20.3

ge 2.19.0 lt 2.19.4

ge 2.18.0 lt 2.18.3

ge 0 lt 2.17.4

git-gui
ge 2.26.0 lt 2.26.1

ge 2.25.0 lt 2.25.3

ge 2.24.0 lt 2.24.2

ge 2.23.0 lt 2.23.2

ge 2.22.0 lt 2.22.3

ge 2.21.0 lt 2.21.2

ge 2.20.0 lt 2.20.3

ge 2.19.0 lt 2.19.4

ge 2.18.0 lt 2.18.3

ge 0 lt 2.17.4

https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
CVE-2020-5260
67765237-8470-11ea-a283-b42e99a1b9c3malicious URLs can cause git to send a stored credential to wrong server

git security advisory reports:

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching any URL, and will return some unspecified stored password, leaking the password to an attacker's server.


Discovery 2020-04-20
Entry 2020-04-22
git
ge 2.26.0 lt 2.26.2

ge 2.25.0 lt 2.25.4

ge 2.24.0 lt 2.24.3

ge 2.23.0 lt 2.23.3

ge 2.22.0 lt 2.22.4

ge 2.21.0 lt 2.21.3

ge 2.20.0 lt 2.20.4

ge 2.19.0 lt 2.19.5

ge 2.18.0 lt 2.18.4

ge 0 lt 2.17.5

git-lite
ge 2.26.0 lt 2.26.2

ge 2.25.0 lt 2.25.4

ge 2.24.0 lt 2.24.3

ge 2.23.0 lt 2.23.3

ge 2.22.0 lt 2.22.4

ge 2.21.0 lt 2.21.3

ge 2.20.0 lt 2.20.4

ge 2.19.0 lt 2.19.5

ge 2.18.0 lt 2.18.4

ge 0 lt 2.17.5

git-gui
ge 2.26.0 lt 2.26.2

ge 2.25.0 lt 2.25.4

ge 2.24.0 lt 2.24.3

ge 2.23.0 lt 2.23.3

ge 2.22.0 lt 2.22.4

ge 2.21.0 lt 2.21.3

ge 2.20.0 lt 2.20.4

ge 2.19.0 lt 2.19.5

ge 2.18.0 lt 2.18.4

ge 0 lt 2.17.5

https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7
CVE-2020-11008
7f645ee5-7681-11e5-8519-005056ac623eGit -- Execute arbitrary code

Git release notes:

Some protocols (like git-remote-ext) can execute arbitrary code found in the URL. The URLs that submodules use may come from arbitrary sources (e.g., .gitmodules files in a remote repository), and can hurt those who blindly enable recursive fetch. Restrict the allowed protocols to well known and safe ones.


Discovery 2015-09-23
Entry 2015-10-19
Modified 2015-12-12
git
lt 2.6.1

git-gui
lt 2.6.1

git-lite
lt 2.6.1

git-subversion
lt 2.6.1

CVE-2015-7545
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.1.txt
http://www.openwall.com/lists/oss-security/2015/12/11/7
c7a135f4-66a4-11e8-9e63-3085a9a47796Git -- Fix memory out-of-bounds and remote code execution vulnerabilities (CVE-2018-11233 and CVE-2018-11235)

The Git community reports:

  • In affected versions of Git, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.
  • In affected versions of Git, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.

Discovery 2018-05-29
Entry 2018-06-02
git
git-lite
lt 2.13.7

ge 2.14 lt 2.14.4

ge 2.15 lt 2.15.2

ge 2.16 lt 2.16.4

ge 2.17 lt 2.17.1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11233
CVE-2018-11233
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235
CVE-2018-11235
d2a84feb-ebe0-11e5-92ce-002590263bf5git -- integer overflow

Debian reports:

integer overflow due to a loop which adds more to "len".


Discovery 2016-02-24
Entry 2016-03-18
git
lt 2.4.11

ge 2.5.0 lt 2.5.5

ge 2.6.0 lt 2.6.6

ge 2.7.0 lt 2.7.4

git-gui
lt 2.4.11

ge 2.5.0 lt 2.5.5

ge 2.6.0 lt 2.6.6

ge 2.7.0 lt 2.7.4

git-lite
lt 2.4.11

ge 2.5.0 lt 2.5.5

ge 2.6.0 lt 2.6.6

ge 2.7.0 lt 2.7.4

git-subversion
lt 2.4.11

ge 2.5.0 lt 2.5.5

ge 2.6.0 lt 2.6.6

ge 2.7.0 lt 2.7.4

CVE-2016-2324
https://security-tracker.debian.org/tracker/CVE-2016-2324
https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d