FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
ef5b4f5f-a658-11ea-80d7-001cc0382b2fGnuTLS -- flaw in TLS session ticket key construction

The GnuTLS project reports:

It was found that GnuTLS 3.6.4 introduced a regression in the TLS protocol implementation. This caused the TLS server to not securely construct a session ticket encryption key considering the application supplied secret, allowing a MitM attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2.


Discovery 2020-06-03
Entry 2020-06-04
gnutls
< 3.6.14

https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03
CVE-2020-13777
1cd0c17a-17c0-11ed-91a5-080027f5fec9gnutls -- double free vulnerability

The GnuTLS project reports:

When gnutls_pkcs7_verify cannot verify signature against given trust list, it starts creating a chain of certificates starting from identified signer up to known root. During the creation of this chain the signer certificate gets freed which results in double free when the same signer certificate is freed at the end of the algorithm.


Discovery 2022-07-07
Entry 2022-08-09
gnutls
ge 3.6.0 lt 3.7.7

CVE-2022-2509
https://www.gnutls.org/security-new.html#GNUTLS-SA-2022-07-07
fb30db8f-62af-11e9-b0de-001cc0382b2fGnuTLS -- double free, invalid pointer access

The GnuTLS project reports:

  • Tavis Ormandy from Google Project Zero found a memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.
  • It was found using the TLS fuzzer tools that decoding a malformed TLS1.3 asynchronous message can cause a server crash via an invalid pointer access. The issue affects GnuTLS server applications since 3.6.4.

Discovery 2019-03-27
Entry 2019-04-19
gnutls
< 3.6.7

https://www.gnutls.org/security-new.html#GNUTLS-SA-2019-03-27
CVE-2019-3829
CVE-2019-3836
d887b3d9-7366-11ea-b81a-001cc0382b2fGnuTLS -- flaw in DTLS protocol implementation

The GnuTLS project reports:

It was found that GnuTLS 3.6.3 introduced a regression in the DTLS protocol implementation. This caused the DTLS client to not contribute any randomness to the DTLS negotiation breaking the security guarantees of the DTLS protocol.


Discovery 2020-03-31
Entry 2020-03-31
gnutls
< 3.6.13

https://gnutls.org/security-new.html#GNUTLS-SA-2020-03-31
CVE-2020-11501
2272e6f1-f029-11ea-838a-0011d823eebdGnuTLS -- null pointer dereference

The GnuTLS project reports:

It was found by oss-fuzz that the server sending a "no_renegotiation" alert in an unexpected timing, followed by an invalid second handshake can cause a TLS 1.3 client to crash via a null-pointer dereference. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.


Discovery 2020-09-04
Entry 2020-09-06
gnutls
< 3.6.15

https://gnutls.org/security-new.html#GNUTLS-SA-2020-09-04
CVE-2020-24659