FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  517534
Date:      2019-11-13
Time:      23:45:36Z
Committer: sunpoet

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
cf2105c6-551b-11e9-b95c-b499baebfeafApache -- Multiple vulnerabilities

The Apache httpd Project reports:

Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211) (important)

mod_auth_digest access control bypass (CVE-2019-0217) (important)

mod_ssl access control bypass (CVE-2019-0215) (important)

mod_http2, possible crash on late upgrade (CVE-2019-0197) (low)

mod_http2, read-after-free on a string compare (CVE-2019-0196) (low)

Apache httpd URL normalization inconsistincy (CVE-2019-0220) (low)


Discovery 2019-04-01
Entry 2019-04-02
apache24
lt 2.4.39

https://www.apache.org/dist/httpd/CHANGES_2.4.39
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2019-0211
CVE-2019-0217
CVE-2019-0215
CVE-2019-0196
CVE-2019-0220
e182c076-c189-11e8-a6d2-b499baebfeafApache -- Denial of service vulnerability in HTTP/2

The Apache httpd project reports:

low: DoS for HTTP/2 connections by continuous SETTINGS

By sending continous SETTINGS frames of maximum size an ongoing HTTP/2 connection could be kept busy and would never time out. This can be abused for a DoS on the server. This only affect a server that has enabled the h2 protocol.


Discovery 2018-09-25
Entry 2018-09-26
apache24
lt 2.4.35

http://httpd.apache.org/security/vulnerabilities_24.html
CVE-2018-11763
caf545f2-c0d9-11e9-9051-4c72b94353b5Apache -- Multiple vulnerabilities

SO-AND-SO reports:

SECURITY: CVE-2019-10081

mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.

SECURITY: CVE-2019-9517

mod_http2: a malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections.

SECURITY: CVE-2019-10098

rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break characters.

SECURITY: CVE-2019-10092

Remove HTML-escaped URLs from canned error responses to prevent misleading text/links being displayed via crafted links.

SECURITY: CVE-2019-10097

mod_remoteip: Fix stack buffer overflow and NULL pointer deference when reading the PROXY protocol header.

CVE-2019-10082

mod_http2: Using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.


Discovery 2019-08-14
Entry 2019-08-17
apache24
lt 2.4.41

http://www.apache.org/dist/httpd/CHANGES_2.4
CVE-2019-10081
CVE-2019-9517
CVE-2019-10098
CVE-2019-10092
CVE-2019-10082
8b1a50ab-8a8e-11e8-add2-b499baebfeafApache httpd -- multiple vulnerabilities

The Apache project reports:

  • DoS for HTTP/2 connections by crafted requests (CVE-2018-1333). By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. (low)
  • mod_md, DoS via Coredumps on specially crafted requests (CVE-2018-8011). By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. (moderate)

Discovery 2018-07-18
Entry 2018-07-18
apache24
lt 2.4.34

http://httpd.apache.org/security/vulnerabilities_24.html
CVE-2018-1333
CVE-2018-8011
eb888ce5-1f19-11e9-be05-4c72b94353b5Apache -- vulnerability

The Apache httpd Project reports:

SECURITY: CVE-2018-17199 mod_session: mod_session_cookie does not respect expiry time allowing sessions to be reused.

SECURITY: CVE-2019-0190 mod_ssl: Fix infinite loop triggered by a client-initiated renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and later. PR 63052.

SECURITY: CVE-2018-17189 mod_http2: fixes a DoS attack vector. By sending slow request bodies to resources not consuming them, httpd cleanup code occupies a server thread unnecessarily. This was changed to an immediate stream reset which discards all stream state and incoming data.


Discovery 2019-01-22
Entry 2019-01-23
apache24
lt 2.4.38

http://www.apache.org/dist/httpd/CHANGES_2.4.38
http://httpd.apache.org/security/vulnerabilities_24.html
CVE-2018-17199
CVE-2018-17189
CVE-2019-0190