FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: d4379f59-3e9b-49eb-933b-61de4d0b0fdb
Description: Ruby -- OpenSSL Hostname Verification Vulnerability

Ruby Developers report:

After reviewing RFC 6125 and RFC 5280, we found multiple violations of matching hostnames and particularly wildcard certificates.

Ruby’s OpenSSL extension will now provide a string-based matching algorithm which follows more strict behavior, as recommended by these RFCs. In particular, matching of more than one wildcard per subject/SAN is no longer allowed. As well, comparisons of these values are now case-insensitive.


Discovery: 2015-04-13
Entry: 2015-04-14
Modified: 2015-09-23

Affected packages (VuXML version ranges):
ruby, ruby20: ge 2.0,1 and lt 2.0.0.645,1
ruby, ruby21: ge 2.1,1 and lt 2.1.6,1
ruby, ruby22: ge 2.2,1 and lt 2.2.2,1

References:
https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
CVE-2015-1855
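To make the stricter rules named in the advisory concrete, here is an added example (not Ruby's own OpenSSL extension code) of a string-based hostname matcher in the spirit of RFC 6125 section 6.4.3: case-insensitive comparison, at most one wildcard, and that wildcard confined to the leftmost label. The module name StrictHostname and the sample name pairs are constructed for this illustration; it is deliberately stricter than the RFC requires in allowing the wildcard only as a whole label.

```ruby
# Added example, not Ruby's own implementation: a strict string-based
# hostname matcher after RFC 6125 section 6.4.3, showing the rules the
# advisory names (case-insensitive compare, a single wildcard only).
# Deliberately stricter than required: the wildcard must be a whole label.
module StrictHostname
  module_function

  # presented: a dNSName SAN (or CN) taken from the certificate
  # reference: the hostname the client intended to connect to
  def match?(presented, reference)
    return false if presented.nil? || reference.nil?
    p = presented.downcase.chomp(".")  # RFC 6125: compare case-insensitively
    r = reference.downcase.chomp(".")  # tolerate one trailing dot (FQDN form)
    return false if p.empty? || r.empty?

    p_labels = p.split(".", -1)
    r_labels = r.split(".", -1)
    # Empty labels ("a..b", leading dot) never match anything.
    return false if (p_labels + r_labels).any?(&:empty?)

    # Without a wildcard, only an exact (case-folded) match is accepted.
    return p_labels == r_labels unless p.include?("*")

    # More than one wildcard anywhere in the name is rejected outright.
    return false if p.count("*") > 1
    # The wildcard must be the entire leftmost label ("*.example.com") and
    # at least two labels must follow it, so a bare "*.com" is refused.
    return false unless p_labels.first == "*" && p_labels.size >= 3
    # A wildcard covers exactly one label, so the label counts must agree;
    # "*.example.com" does not match "a.b.example.com".
    return false unless p_labels.size == r_labels.size

    p_labels.drop(1) == r_labels.drop(1)
  end
end

# Constructed sample pairs (certificate name, requested host) for a quick run.
if __FILE__ == $PROGRAM_NAME
  [["*.example.com", "WWW.Example.COM"],
   ["*.*.example.com", "a.b.example.com"],
   ["*.com", "example.com"]].each do |presented, reference|
    puts "#{presented} vs #{reference}: #{StrictHostname.match?(presented, reference)}"
  end
end
```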
VuXML ID: cc9043cf-7f7a-426e-b2cc-8d1980618113
Description: ruby -- Heap Overflow in Floating Point Parsing

Ruby developers report:

Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) is vulnerable.


Discovery: 2013-11-22
Entry: 2013-11-23

Affected packages (VuXML version ranges):
ruby19: lt 1.9.3.484,1
ruby20: lt 2.0.0.353,1

References:
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/
CVE-2013-4164