FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-16 19:33:48 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
e56f2f7c-410e-11e9-b95c-b499baebfeaf	OpenSSL -- ChaCha20-Poly1305 nonce vulnerability The OpenSSL project reports: Low: ChaCha20-Poly1305 with long nonces (CVE-2019-1543) ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. Discovery 2019-03-06 Entry 2019-03-07 openssl111 < 1.1.1b_1 https://www.openssl.org/news/secadv/20190306.txt CVE-2019-1543
9e0c6f7a-d46d-11e9-a1c7-b499baebfeaf	OpenSSL -- Multiple vulnerabilities The OpenSSL project reports: ECDSA remote timing attack (CVE-2019-1547) [Low] Fork Protection (CVE-2019-1549) [Low] (OpenSSL 1.1.1 only) Discovery 2019-09-10 Entry 2019-09-11 openssl < 1.0.2t,1 openssl111 < 1.1.1d https://www.openssl.org/news/secadv/20190910.txt CVE-2019-1547 CVE-2019-1549
238ae7de-dba2-11e8-b713-b499baebfeaf	OpenSSL -- Multiple vulnerabilities in 1.1 branch The OpenSSL project reports: Timing vulnerability in ECDSA signature generation (CVE-2018-0735): The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key (Low). Timing vulnerability in DSA signature generation (CVE-2018-0734): Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack (Low). Discovery 2018-10-29 Entry 2018-10-29 Modified 2018-11-10 openssl-devel < 1.1.0i_1 openssl111 < 1.1.1_2 libressl ge 2.8.0 lt 2.8.3 libressl-devel ge 2.8.0 lt 2.8.3 https://www.openssl.org/news/secadv/20181029.txt https://github.com/openssl/openssl/commit/8abfe72e CVE-2018-0735 CVE-2018-0734

VuXML ID

Description

e56f2f7c-410e-11e9-b95c-b499baebfeaf

OpenSSL -- ChaCha20-Poly1305 nonce vulnerability

The OpenSSL project reports:

Low: ChaCha20-Poly1305 with long nonces (CVE-2019-1543)

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored.

Discovery 2019-03-06
Entry 2019-03-07
openssl111

< 1.1.1b_1

https://www.openssl.org/news/secadv/20190306.txt
CVE-2019-1543

9e0c6f7a-d46d-11e9-a1c7-b499baebfeaf

OpenSSL -- Multiple vulnerabilities

The OpenSSL project reports:

ECDSA remote timing attack (CVE-2019-1547) [Low]

Fork Protection (CVE-2019-1549) [Low]

(OpenSSL 1.1.1 only)

Discovery 2019-09-10
Entry 2019-09-11
openssl

< 1.0.2t,1

openssl111

< 1.1.1d

https://www.openssl.org/news/secadv/20190910.txt
CVE-2019-1547
CVE-2019-1549

238ae7de-dba2-11e8-b713-b499baebfeaf

OpenSSL -- Multiple vulnerabilities in 1.1 branch

The OpenSSL project reports:

Timing vulnerability in ECDSA signature generation (CVE-2018-0735): The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key (Low).

Timing vulnerability in DSA signature generation (CVE-2018-0734): Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack (Low).

Discovery 2018-10-29
Entry 2018-10-29
Modified 2018-11-10
openssl-devel

< 1.1.0i_1

openssl111

< 1.1.1_2

libressl

ge 2.8.0 lt 2.8.3

libressl-devel

ge 2.8.0 lt 2.8.3

https://www.openssl.org/news/secadv/20181029.txt
https://github.com/openssl/openssl/commit/8abfe72e
CVE-2018-0735
CVE-2018-0734