Get Mystery Box with random crypto!

FreeBSD VuXML

Logo of telegram channel freebsdports — FreeBSD VuXML F
Logo of telegram channel freebsdports — FreeBSD VuXML
Channel address: @freebsdports
Categories: Uncategorized
Language: English
Subscribers: 42
Description from channel

You can view and join @freebsdports right away.

Ratings & Reviews

3.00

2 reviews

Reviews can be left only by registered users. All reviews are moderated by admins.

5 stars

1

4 stars

0

3 stars

0

2 stars

0

1 stars

1


The latest Messages

2021-03-28 06:21:03 samba -- Multiple Vulnerabilities

VuXML ID: 1f6d97da-8f72-11eb-b3f1-005056a311d1
Discovery: 2021-03-24
Entry: 2021-03-28

Packages
samba411 <= 4.11.15
samba412 < 4.12.14
samba413 < 4.13.7
samba414 < 4.14.2

Description
The Samba Team reports:
CVE-2020-27840: An anonymous attacker can crash the Samba AD DC
LDAP server by sending easily crafted DNs as
part of a bind request. More serious heap corruption
is likely also possible.
CVE-2021-20277: User-controlled LDAP filter strings against
the AD DC LDAP server may crash the LDAP server.

URL
https://www.samba.org/samba/security/CVE-2020-27840.html
97 views03:21
Open / Comment
2021-03-27 14:13:02 nettle 3.7.2 -- fix serious ECDSA signature verify bug

VuXML ID: 80f9dbd3-8eec-11eb-b9e8-3525f51429a0
Discovery: 2021-03-21
Entry: 2021-03-27

Packages
nettle < 3.7.2
linux-c7-nettle < 3.7.2

Description
Niels Möller reports:
I've prepared a new bug-fix release of Nettle, a low-level
cryptographics library, to fix a serious bug in the function to
verify ECDSA signatures. Implications include an assertion failure,
which could be used for denial-of-service, when verifying signatures
on the secp_224r1 and secp521_r1 curves.
Even when no assert is triggered in ecdsa_verify, ECC point
multiplication may get invalid intermediate values as input, and
produce incorrect results. [...] It appears difficult to construct
an alleged signature that makes the function misbehave in such a way
that an invalid signature is accepted as valid, but such attacks
can't be ruled out without further analysis.

URL
https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009458.html
76 viewsedited  11:13
Open / Comment
2021-03-26 11:10:03 OpenSSL -- Multiple vulnerabilities

VuXML ID: 5a668ab3-8d86-11eb-b8d6-d4c9ef517024
Discovery: 2021-03-25
Entry: 2021-03-26

Packages
openssl < 1.1.1k,1

Description
The OpenSSL project reports:


High: CA certificate check bypass with X509_V_FLAG_X509_STRICT
(CVE-2021-3450)The X509_V_FLAG_X509_STRICT flag enables
additional security checks of the certificates present in a
certificate chain. It is not set by default.

High: NULL pointer deref in signature_algorithms processing
(CVE-2021-3449)An OpenSSL TLS server may crash if sent a
maliciously crafted renegotiation ClientHello message from a client.
If a TLSv1.2 renegotiation ClientHello omits the
signature_algorithms extension (where it was present in the initial
ClientHello), but includes a signature_algorithms_cert extension
then a NULL pointer dereference will result, leading to a crash and
a denial of service attack.

URL
https://www.openssl.org/news/secadv/20210325.txt
45 views08:10
Open / Comment
2021-03-24 23:04:03 spamassassin -- Malicious rule configuration (.cf) files can be configured to run system commands

VuXML ID: ec04f3d0-8cd9-11eb-bb9f-206a8a720317
Discovery: 2021-03-24
Entry: 2021-03-24

Packages
spamassassin < 3.4.5

Description
The Apache SpamAssassin project reports:


Apache SpamAssassin 3.4.5 was recently released [1], and fixes
an issue of security note where malicious rule configuration (.cf)
files can be configured to run system commands.

In Apache SpamAssassin before 3.4.5, exploits can be injected in
a number of scenarios. In addition to upgrading to SA 3.4.5,
users should only use update channels or 3rd party .cf files from
trusted places.

URL
https://spamassassin.apache.org/news.html
41 viewsedited  20:04
Open / Comment
2021-03-24 08:46:03 gitea -- multiple vulnerabilities

VuXML ID: c4d2f950-8c27-11eb-a3ae-0800278d94f0
Discovery: 2021-03-21
Entry: 2021-03-23

Packages
gitea < 1.13.6

Description
The Gitea Team reports for release 1.13.6:
Fix bug on avatar middleware
Fix another clusterfuzz identified issue

URL
https://github.com/go-gitea/gitea/releases/tag/v1.13.5
39 views05:46
Open / Comment
2021-03-21 21:32:03 gitea -- quoting in markdown text

VuXML ID: 1431a25c-8a70-11eb-bd16-0800278d94f0
Discovery: 2021-03-20
Entry: 2021-03-21

Packages
gitea < 1.13.5

Description
The Gitea Team reports for release 1.13.5:
Update to goldmark 1.3.3

URL
https://github.com/go-gitea/gitea/releases/tag/v1.13.5
39 views18:32
Open / Comment
2021-03-18 22:31:03 OpenSSH -- Double-free memory corruption in ssh-agent

VuXML ID: 76b5068c-8436-11eb-9469-080027f515ea
Discovery: 2021-03-03
Entry: 2021-03-13

Packages
8.2p1,1 <= openssh-portable < 8.4p1,1_4
8.2p1,1 <= openssh-portable-hpn < 8.4p1,1_4
8.2p1,1 <= openssh-portable-gssapi < 8.4p1,1_4

Description
OpenBSD Project reports:
ssh-agent(1): fixed a double-free memory corruption that was
introduced in OpenSSH 8.2 . We treat all such memory faults as
potentially exploitable. This bug could be reached by an attacker
with access to the agent socket.
On modern operating systems where the OS can provide information
about the user identity connected to a socket, OpenSSH ssh-agent
and sshd limit agent socket access only to the originating user
and root. Additional mitigation may be afforded by the system's
malloc(3)/free(3) implementation, if it detects double-free
conditions.
The most likely scenario for exploitation is a user forwarding an
agent either to an account shared with a malicious user or to a
host with an attacker holding root access.

URL
https://www.openssh.com/txt/release-8.5
44 viewsedited  19:31
Open / Comment
2021-03-18 17:06:05 Gitlab -- Multiple vulnerabilities

VuXML ID: 50e59056-87f2-11eb-b6a2-001b217b3468
Discovery: 2021-03-17
Entry: 2021-03-18

Packages
13.9.0 <= gitlab-ce < 13.9.4
13.8.0 <= gitlab-ce < 13.8.6
13.2.0 <= gitlab-ce < 13.7.9

Description
Gigtlab reports:


Remote code execution via unsafe user-controlled markdown rendering options

URL
https://about.gitlab.com/releases/2021/03/17/security-release-gitlab-13-9-4-released/
33 views14:06
Open / Comment
2021-03-18 03:10:03 dnsmasq -- cache poisoning vulnerability in certain configurations

VuXML ID: 5b72b1ff-877c-11eb-bd4f-2f1d57dafe46
Discovery: 2021-03-17
Entry: 2021-03-18

Packages
dnsmasq < 2.85.r1,1
dnsmasq-devel < 2.85.r1,3

Description
Simon Kelley reports:
[In configurations where the forwarding server address contains an @
character for specifying a sending interface or source address, the]
random source port behavior was disabled, making cache poisoning
attacks possible.


This only affects configurations of the form server=1.1.1.1@em0 or
server=1.1.1.1@192.0.2.1, i. e. those that specify an interface to
send through, or an IP address to send from, or use together with
NetworkManager.

URL
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014835.html
30 viewsedited  00:10
Open / Comment
2021-03-17 16:05:03 minio -- MITM attack

VuXML ID: b073677f-253a-41f9-bf2b-2d16072a25f6
Discovery: 2021-03-17
Entry: 2021-03-17

Packages
minio < 2021.03.17.02.33.02

Description
minio developer report:
This is a security issue because it enables MITM modification of
request bodies that are meant to have integrity guaranteed by chunk
signatures.
In a PUT request using aws-chunked encoding, MinIO ordinarily
verifies signatures at the end of a chunk. This check can be skipped
if the client sends a false chunk size that is much greater than the
actual data sent: the server accepts and completes the request
without ever reaching the end of the chunk + thereby without ever
checking the chunk signature.

URL
https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp
29 views13:05
Open / Comment