FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2025-10-21 17:02:33 UTC

These are the vulnerabilities relating to the commit you have selected:

VuXML ID    Description
e4403051-a667-11eb-b9c9-6cc21735f730    shibboleth-sp -- denial of service vulnerability

Shibboleth project reports:

Session recovery feature contains a null pointer dereference.

The cookie-based session recovery feature added in V3.0 contains a flaw that is exploitable on systems *not* using the feature if a specially crafted cookie is supplied.

This manifests as a crash in the shibd daemon/service process.

Because it is very simple to trigger this condition remotely, it results in a potential denial of service condition exploitable by a remote, unauthenticated attacker.


Discovery 2021-04-23
Entry 2021-04-26
shibboleth-sp
>= 3.0.0 < 3.2.1_1

https://shibboleth.net/community/advisories/secadv_20210426.txt
9f9b0b37-88fa-11f0-90a2-6cc21735f730    Shibboleth Service Provider -- SQL injection vulnerability in ODBC plugin

Internet2 reports:

The Shibboleth Service Provider includes a storage API usable for a number of different use cases such as the session cache, replay cache, and relay state management. An ODBC extension plugin is provided with some distributions of the software (notably on Windows).

A SQL injection vulnerability was identified in some of the queries issued by the plugin, and this can be creatively exploited through specially crafted inputs to exfiltrate information stored in the database used by the SP.


Discovery 2025-09-03
Entry 2025-09-03
shibboleth-sp
< 3.5.1

https://shibboleth.net/community/advisories/secadv_20250903.txt