FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-16 19:33:48 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID Description

VuXML ID	Description
2c6af5c3-4d36-11ec-a539-0800270512f4	rubygem-cgi -- buffer overrun in CGI.escape_html chamal reports: A security vulnerability that causes buffer overflow when you pass a very large string (> 700 MB) to `CGI.escape_html` on a platform where `long` type takes 4 bytes, typically, Windows. Discovery 2021-11-24 Entry 2021-11-24 ruby ge 2.7.0,1 lt 2.7.5,1 ge 3.0.0,1 lt 3.0.3,1 ruby27 ge 2.7.0,1 lt 2.7.5,1 ruby30 ge 3.0.0,1 lt 3.0.3,1 rubygem-cgi < 0.3.1 CVE-2021-41816 https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/
4548ec97-4d38-11ec-a539-0800270512f4	rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse ooooooo_q reports: The old versions of `CGI::Cookie.parse` applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application. By this fix, `CGI::Cookie.parse` no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded. Discovery 2021-11-24 Entry 2021-11-24 ruby ge 2.6.0,1 lt 2.6.9,1 ge 2.7.0,1 lt 2.7.5,1 ge 3.0.0,1 lt 3.0.3,1 ruby26 ge 2.6.0,1 lt 2.6.9,1 ruby27 ge 2.7.0,1 lt 2.7.5,1 ruby30 ge 3.0.0,1 lt 3.0.3,1 rubygem-cgi < 0.3.1 CVE-2021-41819 https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
84ab03b6-6c20-11ed-b519-080027f5fec9	rubygem-cgi -- HTTP response splitting vulnerability Hiroshi Tokumaru reports: If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body. Also, the contents for a `CGI::Cookie` object were not checked properly. If an application creates a `CGI::Cookie` object based on user input, an attacker may exploit it to inject invalid attributes in `Set-Cookie` header. We think such applications are unlikely, but we have included a change to check arguments for `CGI::Cookie#initialize` preventatively. Discovery 2022-11-22 Entry 2022-11-24 rubygem-cgi < 0.3.4 ruby ge 2.7.0,1 lt 2.7.7,1 ge 3.0.0,1 lt 3.0.5,1 ge 3.1.0,1 lt 3.1.3,1 ge 3.2.0.p1,1 lt 3.2.0.r1,1 ruby27 ge 2.7.0,1 lt 2.7.7,1 ruby30 ge 3.0.0,1 lt 3.0.5,1 ruby31 ge 3.1.0,1 lt 3.1.3,1 ruby32 ge 3.2.0.p1,1 lt 3.2.0.r1,1 CVE-2021-33621 https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/

2c6af5c3-4d36-11ec-a539-0800270512f4

rubygem-cgi -- buffer overrun in CGI.escape_html

chamal reports:

A security vulnerability that causes buffer overflow when you pass a very large string (> 700 MB) to CGI.escape_html on a platform where long type takes 4 bytes, typically, Windows.

Discovery 2021-11-24
Entry 2021-11-24
ruby

ge 2.7.0,1 lt 2.7.5,1

ge 3.0.0,1 lt 3.0.3,1

ruby27

ge 2.7.0,1 lt 2.7.5,1

ruby30

ge 3.0.0,1 lt 3.0.3,1

rubygem-cgi

< 0.3.1

CVE-2021-41816
https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/

4548ec97-4d38-11ec-a539-0800270512f4

rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse

ooooooo_q reports:

The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.

By this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded.

Discovery 2021-11-24
Entry 2021-11-24
ruby

ge 2.6.0,1 lt 2.6.9,1

ge 2.7.0,1 lt 2.7.5,1

ge 3.0.0,1 lt 3.0.3,1

ruby26

ge 2.6.0,1 lt 2.6.9,1

ruby27

ge 2.7.0,1 lt 2.7.5,1

ruby30

ge 3.0.0,1 lt 3.0.3,1

rubygem-cgi

< 0.3.1

CVE-2021-41819
https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/

84ab03b6-6c20-11ed-b519-080027f5fec9

rubygem-cgi -- HTTP response splitting vulnerability

Hiroshi Tokumaru reports:

If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body.

Also, the contents for a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object based on user input, an attacker may exploit it to inject invalid attributes in Set-Cookie header. We think such applications are unlikely, but we have included a change to check arguments for CGI::Cookie#initialize preventatively.

Discovery 2022-11-22
Entry 2022-11-24
rubygem-cgi

< 0.3.4

ruby

ge 2.7.0,1 lt 2.7.7,1

ge 3.0.0,1 lt 3.0.5,1

ge 3.1.0,1 lt 3.1.3,1

ge 3.2.0.p1,1 lt 3.2.0.r1,1

ruby27

ge 2.7.0,1 lt 2.7.7,1

ruby30

ge 3.0.0,1 lt 3.0.5,1

ruby31

ge 3.1.0,1 lt 3.1.3,1

ruby32

ge 3.2.0.p1,1 lt 3.2.0.r1,1

CVE-2021-33621
https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/