FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-02 10:37:19 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
ef0033ad-5823-11e6-80cc-001517f335e2lighttpd - multiple vulnerabilities

Lighttpd Project reports:

Security fixes for Lighttpd:

  • security: encode quoting chars in HTML and XML

  • security: ensure gid != 0 if server.username is set, but not server.groupname

  • security: disable stat_cache if server.follow-symlink = “disable”

  • security: httpoxy defense: do not emit HTTP_PROXY to CGI env


Discovery 2016-07-31
Entry 2016-08-03
lighttpd
< 1.4.41

http://www.lighttpd.net/2016/7/31/1.4.41/
ports/211495
92a6efd0-e40d-11e8-ada4-408d5cf35399lighttpd - use-after-free vulnerabilities

Lighttpd Project reports:

Security fixes for Lighttpd:

  • security: process headers after combining folded headers


Discovery 2018-08-26
Entry 2018-11-09
lighttpd
< 1.4.51

https://www.lighttpd.net/2018/10/14/1.4.51/
ports/232278
dd7f29cc-3ee9-11e5-93ad-002590263bf5lighttpd -- Log injection vulnerability in mod_auth

MITRE reports:

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.


Discovery 2015-05-25
Entry 2015-08-10
lighttpd
< 1.4.36

CVE-2015-3200
http://redmine.lighttpd.net/issues/2646
1cd3ca42-33e6-11e2-a255-5404a67eef98lighttpd -- remote DoS in header parsing

Lighttpd security advisory reports:

Certain Connection header values will trigger an endless loop, for example: "Connection: TE,,Keep-Alive"

On receiving such value, lighttpd will enter an endless loop, detecting an empty token but not incrementing the current string position, and keep reading the ',' again and again.

This bug was introduced in 1.4.31, when we fixed an "invalid read" bug (it would try to read the byte before the string if it started with ',', although the value wasn't actually used).


Discovery 2012-11-17
Entry 2012-11-21
lighttpd
gt 1.4.30 lt 1.4.32

CVE-2012-5533
90b27045-9530-11e3-9d09-000c2980a9f3lighttpd -- multiple vulnerabilities

lighttpd security advisories report:

It is possible to inadvertantly enable vulnerable ciphers when using ssl.cipher-list.

In certain cases setuid() and similar can fail, potentially triggering lighttpd to restart running as root.

If FAMMonitorDirectory fails, the memory intended to store the context is released; some lines below the "version" compoment of that context is read. Reading invalid data doesn't matter, but the memory access could trigger a segfault.


Discovery 2013-11-28
Entry 2014-02-14
lighttpd
< 1.4.34

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
CVE-2013-4508
CVE-2013-4559
CVE-2013-4560