FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-18 11:12:36 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
23f65f58-a261-11e9-b444-002590acae31GnuPG -- denial of service

From the GnuPG 2.2.17 changelog:

gpg: Ignore all key-signatures received from keyservers. This change is required to mitigate a DoS due to keys flooded with faked key-signatures.


Discovery 2019-07-03
Entry 2019-07-09
gnupg
< 2.2.17

https://dev.gnupg.org/T4606
https://dev.gnupg.org/T4607
7da0417f-6b24-11e8-84cc-002590acae31gnupg -- unsanitized output (CVE-2018-12020)

GnuPG reports:

GnuPG did not sanitize input file names, which may then be output to the terminal. This could allow terminal control sequences or fake status messages to be injected into the output.


Discovery 2018-06-07
Entry 2018-06-08
gnupg
< 2.2.8

gnupg1
< 1.4.23

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
CVE-2018-12020
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526
CVE-2017-7526
30394651-13e1-11dd-bab7-0016179b2dd5gnupg -- memory corruption vulnerability

Secunia reports:

A vulnerability has been reported in GnuPG, which can potentially be exploited to compromise a vulnerable system.

The vulnerability is caused due to an error when importing keys with duplicated IDs. This can be exploited to cause a memory corruption when importing keys via --refresh-keys or --import.

Successful exploitation potentially allows execution of arbitrary code, but has not been proven yet.


Discovery 2008-03-19
Entry 2008-04-26
Modified 2008-04-29
gnupg
ge 1.0.0 lt 1.4.9

ge 2.0.0 lt 2.0.9

28487
CVE-2008-1530
http://www.ocert.org/advisories/ocert-2008-1.html
http://secunia.com/advisories/29568
https://bugs.g10code.com/gnupg/issue894
1c840eb9-fb32-11e3-866e-b499baab0cbegnupg -- possible DoS using garbled compressed data packets

Werner Koch reports:

This release includes a *security fix* to stop a possible DoS using garbled compressed data packets which can be used to put gpg into an infinite loop.


Discovery 2014-06-23
Entry 2014-06-23
gnupg1
< 1.4.17

gnupg
< 2.0.24

http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000344.html
http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000345.html
2e5715f8-67f7-11e3-9811-b499baab0cbegnupg -- RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack

Werner Koch reports:

CVE-2013-4576 has been assigned to this security bug.

The paper describes two attacks. The first attack allows to distinguish keys: An attacker is able to notice which key is currently used for decryption. This is in general not a problem but may be used to reveal the information that a message, encrypted to a commonly not used key, has been received by the targeted machine. We do not have a software solution to mitigate this attack.

The second attack is more serious. It is an adaptive chosen ciphertext attack to reveal the private key. A possible scenario is that the attacker places a sensor (for example a standard smartphone) in the vicinity of the targeted machine. That machine is assumed to do unattended RSA decryption of received mails, for example by using a mail client which speeds up browsing by opportunistically decrypting mails expected to be read soon. While listening to the acoustic emanations of the targeted machine, the smartphone will send new encrypted messages to that machine and re-construct the private key bit by bit. A 4096 bit RSA key used on a laptop can be revealed within an hour.


Discovery 2013-12-18
Entry 2013-12-18
Modified 2014-04-30
gnupg
< 1.4.16

gnupg1
< 1.4.16

CVE-2013-4576
http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html
80771b89-f57b-11e2-bf21-b499baab0cbegnupg -- side channel attack on RSA secret keys

A Yarom and Falkner paper reports:

Flush+Reload is a cache side-channel attack that monitors access to data in shared pages. In this paper we demonstrate how to use the attack to extract private encryption keys from GnuPG. The high resolution and low noise of the Flush+Reload attack enables a spy program to recover over 98% of the bits of the private key in a single decryption or signing round. Unlike previous attacks, the attack targets the last level L3 cache. Consequently, the spy program and the victim do not need to share the execution core of the CPU. The attack is not limited to a traditional OS and can be used in a virtualised environment, where it can attack programs executing in a different VM.


Discovery 2013-07-18
Entry 2013-07-25
Modified 2013-07-26
gnupg
< 1.4.14

http://eprint.iacr.org/2013/448
http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html
749b5587-2da1-11e3-b1a9-b499baab0cbegnupg -- possible infinite recursion in the compressed packet parser

Werner Koch reports:

Special crafted input data may be used to cause a denial of service against GPG (GnuPG's OpenPGP part) and some other OpenPGP implementations. All systems using GPG to process incoming data are affected..


Discovery 2013-10-05
Entry 2013-10-05
gnupg
< 1.4.15

ge 2.0.0 lt 2.0.22

CVE-2013-4402