FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-01 20:12:40 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
1225549f-ca91-11e2-b3b8-f0def16c5c1b	passenger -- security vulnerability The Phusion reports: A denial of service and arbitrary code execution by hijacking temp files. [CVE-2013-2119] Discovery 2013-05-29 Entry 2013-06-01 rubygem-passenger < 4.0.5 CVE-2013-2119 http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/
84fdd1bb-9d37-11e5-8f5c-002590263bf5	passenger -- client controlled header overwriting Daniel Knoppel reports: It was discovered by the SUSE security team that it was possible, in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. CVE-2015-7519 has been assigned to this issue. Affected use-cases: Header overwriting may occur if all of the following conditions are met: Apache integration mode, or standalone+builtin engine without a filtering proxy Ruby or Python applications only (Passenger 5); or any application (Passenger 4) The app depends on a request header containing a dash (-) The header is supposed to be trusted (set by the server) The client correctly guesses the header name This vulnerability has been fixed by filtering out client headers that do not consist of alphanumeric/dash characters (Nginx already did this, so Passenger+Nginx was not affected). If your application depends on headers that don't conform to this, you can add a workaround in Apache specifically for those to convert them to a dash-based format. Discovery 2015-12-07 Entry 2015-12-07 rubygem-passenger ge 5.0.0 lt 5.0.22 < 4.0.60 CVE-2015-7519 https://blog.phusion.nl/2015/12/07/cve-2015-7519/
8cf25a29-e063-11e7-9b2c-001e672571bc	rubygem-passenger -- arbitrary file read vulnerability Phusion reports: The cPanel Security Team discovered a vulnerability in Passenger that allows users to list the contents of arbitrary files on the system. CVE-2017-16355 has been assigned to this issue. Discovery 2017-10-13 Entry 2017-12-18 rubygem-passenger ge 5.0.10 lt 5.1.11 https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/ CVE-2017-16355

VuXML ID

Description

1225549f-ca91-11e2-b3b8-f0def16c5c1b

passenger -- security vulnerability

The Phusion reports:

A denial of service and arbitrary code execution by hijacking temp files. [CVE-2013-2119]

Discovery 2013-05-29
Entry 2013-06-01
rubygem-passenger

< 4.0.5

CVE-2013-2119
http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/

84fdd1bb-9d37-11e5-8f5c-002590263bf5

passenger -- client controlled header overwriting

Daniel Knoppel reports:

It was discovered by the SUSE security team that it was possible, in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. CVE-2015-7519 has been assigned to this issue.

Affected use-cases:

Header overwriting may occur if all of the following conditions are met:

Apache integration mode, or standalone+builtin engine without a filtering proxy

Ruby or Python applications only (Passenger 5); or any application (Passenger 4)

The app depends on a request header containing a dash (-)

The header is supposed to be trusted (set by the server)

The client correctly guesses the header name

This vulnerability has been fixed by filtering out client headers that do not consist of alphanumeric/dash characters (Nginx already did this, so Passenger+Nginx was not affected). If your application depends on headers that don't conform to this, you can add a workaround in Apache specifically for those to convert them to a dash-based format.

Discovery 2015-12-07
Entry 2015-12-07
rubygem-passenger

ge 5.0.0 lt 5.0.22

< 4.0.60

CVE-2015-7519
https://blog.phusion.nl/2015/12/07/cve-2015-7519/

8cf25a29-e063-11e7-9b2c-001e672571bc

rubygem-passenger -- arbitrary file read vulnerability

Phusion reports:

The cPanel Security Team discovered a vulnerability in Passenger that allows users to list the contents of arbitrary files on the system. CVE-2017-16355 has been assigned to this issue.

Discovery 2017-10-13
Entry 2017-12-18
rubygem-passenger

ge 5.0.10 lt 5.1.11

https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/
CVE-2017-16355