FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  567419
Date:      2021-03-05
Time:      21:18:20Z
Committer: mfechner

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
fa175f30-8c75-11e6-924a-60a44ce6887b	redis -- sensitive information leak through command history file Redis team reports: The redis-cli history file (in linenoise) is created with the default OS umask value which makes it world readable in most systems and could potentially expose authentication credentials to other users. Discovery 2013-11-30 Entry 2016-10-11 redis redis-devel lt 3.2.3 https://github.com/antirez/redis/pull/1418 https://github.com/antirez/redis/issues/3284 CVE-2013-7458
91be81e7-3fea-11e1-afc7-2c4138874f7d	Multiple implementations -- DoS via hash algorithm collision oCERT reports: A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms. The issue finds particular exposure in web server applications and/or frameworks. In particular, the lack of sufficient limits for the number of parameters in POST requests in conjunction with the predictable collision properties in the hashing functions of the underlying languages can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can lead to a 100% of CPU usage which can last up to several hours depending on the targeted application and server performance, the amplification effect is considerable and requires little bandwidth and time on the attacker side. The condition for predictable collisions in the hashing functions has been reported for the following language implementations: Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the Ruby language, the 1.9.x branch is not affected by the predictable collision condition since this version includes a randomization of the hashing function. The vulnerability outlined in this advisory is practically identical to the one reported in 2003 and described in the paper Denial of Service via Algorithmic Complexity Attacks which affected the Perl language. Discovery 2011-12-28 Entry 2012-01-16 Modified 2012-01-20 jruby lt 1.6.5.1 ruby ruby+nopthreads ruby+nopthreads+oniguruma ruby+oniguruma lt 1.8.7.357,1 rubygem-rack lt 1.3.6,3 v8 lt 3.8.5 redis le 2.4.6 node lt 0.6.7 CVE-2011-4838 CVE-2011-4815 CVE-2011-5036 CVE-2011-5037 http://www.ocert.org/advisories/ocert-2011-003.html http://www.nruns.com/_downloads/advisory28122011.pdf
91be81e7-3fea-11e1-afc7-2c4138874f7d	Multiple implementations -- DoS via hash algorithm collision oCERT reports: A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms. The issue finds particular exposure in web server applications and/or frameworks. In particular, the lack of sufficient limits for the number of parameters in POST requests in conjunction with the predictable collision properties in the hashing functions of the underlying languages can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can lead to a 100% of CPU usage which can last up to several hours depending on the targeted application and server performance, the amplification effect is considerable and requires little bandwidth and time on the attacker side. The condition for predictable collisions in the hashing functions has been reported for the following language implementations: Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the Ruby language, the 1.9.x branch is not affected by the predictable collision condition since this version includes a randomization of the hashing function. The vulnerability outlined in this advisory is practically identical to the one reported in 2003 and described in the paper Denial of Service via Algorithmic Complexity Attacks which affected the Perl language. Discovery 2011-12-28 Entry 2012-01-16 Modified 2012-01-20 jruby lt 1.6.5.1 ruby ruby+nopthreads ruby+nopthreads+oniguruma ruby+oniguruma lt 1.8.7.357,1 rubygem-rack lt 1.3.6,3 v8 lt 3.8.5 redis le 2.4.6 node lt 0.6.7 CVE-2011-4838 CVE-2011-4815 CVE-2011-5036 CVE-2011-5037 http://www.ocert.org/advisories/ocert-2011-003.html http://www.nruns.com/_downloads/advisory28122011.pdf

VuXML ID

Description

fa175f30-8c75-11e6-924a-60a44ce6887b

redis -- sensitive information leak through command history file

Redis team reports:

The redis-cli history file (in linenoise) is created with the default OS umask value which makes it world readable in most systems and could potentially expose authentication credentials to other users.

Discovery 2013-11-30
Entry 2016-10-11
redis
redis-devel

lt 3.2.3

https://github.com/antirez/redis/pull/1418
https://github.com/antirez/redis/issues/3284
CVE-2013-7458

91be81e7-3fea-11e1-afc7-2c4138874f7d

Multiple implementations -- DoS via hash algorithm collision

oCERT reports:

A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms.

The issue finds particular exposure in web server applications and/or frameworks. In particular, the lack of sufficient limits for the number of parameters in POST requests in conjunction with the predictable collision properties in the hashing functions of the underlying languages can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can lead to a 100% of CPU usage which can last up to several hours depending on the targeted application and server performance, the amplification effect is considerable and requires little bandwidth and time on the attacker side.

The condition for predictable collisions in the hashing functions has been reported for the following language implementations: Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the Ruby language, the 1.9.x branch is not affected by the predictable collision condition since this version includes a randomization of the hashing function.

The vulnerability outlined in this advisory is practically identical to the one reported in 2003 and described in the paper Denial of Service via Algorithmic Complexity Attacks which affected the Perl language.

Discovery 2011-12-28
Entry 2012-01-16
Modified 2012-01-20
jruby

lt 1.6.5.1

ruby
ruby+nopthreads
ruby+nopthreads+oniguruma
ruby+oniguruma

lt 1.8.7.357,1

rubygem-rack

lt 1.3.6,3

lt 3.8.5

redis

le 2.4.6

node

lt 0.6.7

CVE-2011-4838
CVE-2011-4815
CVE-2011-5036
CVE-2011-5037
http://www.ocert.org/advisories/ocert-2011-003.html
http://www.nruns.com/_downloads/advisory28122011.pdf