FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-02 10:37:19 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
dd7f29cc-3ee9-11e5-93ad-002590263bf5 | lighttpd -- Log injection vulnerability in mod_auth

MITRE reports:

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.


Discovery 2015-05-25
Entry 2015-08-10
lighttpd < 1.4.36

CVE-2015-3200
http://redmine.lighttpd.net/issues/2646
ef0033ad-5823-11e6-80cc-001517f335e2 | lighttpd - multiple vulnerabilities

Lighttpd Project reports:

Security fixes for Lighttpd:

  • security: encode quoting chars in HTML and XML

  • security: ensure gid != 0 if server.username is set, but not server.groupname

  • security: disable stat_cache if server.follow-symlink = “disable”

  • security: httpoxy defense: do not emit HTTP_PROXY to CGI env


Discovery 2016-07-31
Entry 2016-08-03
lighttpd < 1.4.41

http://www.lighttpd.net/2016/7/31/1.4.41/
ports/211495
c6521b04-314b-11e1-9cf4-5404a67eef98 | lighttpd -- remote DoS in HTTP authentication

US-CERT/NIST reports:

Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.


Discovery 2011-11-29
Entry 2011-12-28
lighttpd < 1.4.30

CVE-2011-4362
92a6efd0-e40d-11e8-ada4-408d5cf35399 | lighttpd - use-after-free vulnerabilities

Lighttpd Project reports:

Security fixes for Lighttpd:

  • security: process headers after combining folded headers


Discovery 2018-08-26
Entry 2018-11-09
lighttpd < 1.4.51

https://www.lighttpd.net/2018/10/14/1.4.51/
ports/232278
90b27045-9530-11e3-9d09-000c2980a9f3 | lighttpd -- multiple vulnerabilities

lighttpd security advisories report:

It is possible to inadvertently enable vulnerable ciphers when using ssl.cipher-list.

In certain cases setuid() and similar can fail, potentially triggering lighttpd to restart running as root.

If FAMMonitorDirectory fails, the memory intended to store the context is released; some lines below the "version" component of that context is read. Reading invalid data doesn't matter, but the memory access could trigger a segfault.


Discovery 2013-11-28
Entry 2014-02-14
lighttpd < 1.4.34

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
CVE-2013-4508
CVE-2013-4559
CVE-2013-4560