FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 121fec01-c042-11e9-a73f-b36f5969f162
Description: nghttp2 -- multiple vulnerabilities

nghttp2 GitHub releases:

This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.

CVE-2019-9511 "Data Dribble": The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9513 "Ping Flood": The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.


Discovery: 2019-08-13
Entry: 2019-08-16
Affected packages: libnghttp2, nghttp2
Affected versions: lt 1.39.2

https://github.com/nghttp2/nghttp2/releases
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
CVE-2019-9511
CVE-2019-9513
VuXML ID: 4bb56d2f-a5b0-11ea-a860-08002728f74c
Description: nghttp2 -- DoS vulnerability

nghttp2 security advisories:

The overly large HTTP/2 SETTINGS frame payload causes denial of service.

The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.


Discovery: 2020-06-02
Entry: 2020-06-03
Affected packages: nghttp2, libnghttp2
Affected versions: lt 1.41.0

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
CVE-2020-11080