FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-02 10:37:19 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
34e0316a-aa91-11df-8c2e-001517289bf8ruby -- UTF-7 encoding XSS vulnerability in WEBrick

The official ruby site reports:

WEBrick have had a cross-site scripting vulnerability that allows an attacker to inject arbitrary script or HTML via a crafted URI. This does not affect user agents that strictly implement HTTP/1.1, however, some user agents do not.


Discovery 2010-08-16
Entry 2010-08-17
Modified 2010-08-20
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.7.248_3,1

ge 1.9.*,1 lt 1.9.1.430,1

40895
CVE-2010-0541
http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/
53802164-3f7e-11dd-90ea-0019666436c2ruby -- multiple integer and buffer overflow vulnerabilities

The official ruby site reports:

Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code.


Discovery 2008-06-19
Entry 2008-06-21
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.6.111_3,1

ruby_static
ge 1.8.*,1

CVE-2008-2726
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/
62e0fbe5-5798-11de-bb78-001cc0377035ruby -- BigDecimal denial of service vulnerability

The official ruby site reports:

A denial of service (DoS) vulnerability was found on the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.

An attacker can cause a denial of service by causing BigDecimal to parse an insanely large number, such as:

BigDecimal("9E69999999").to_s("F")


Discovery 2009-06-09
Entry 2009-06-13
Modified 2010-05-02
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.7.160_1,1

35278
CVE-2009-1904
http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
91be81e7-3fea-11e1-afc7-2c4138874f7dMultiple implementations -- DoS via hash algorithm collision

oCERT reports:

A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms.

The issue finds particular exposure in web server applications and/or frameworks. In particular, the lack of sufficient limits for the number of parameters in POST requests in conjunction with the predictable collision properties in the hashing functions of the underlying languages can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can lead to a 100% of CPU usage which can last up to several hours depending on the targeted application and server performance, the amplification effect is considerable and requires little bandwidth and time on the attacker side.

The condition for predictable collisions in the hashing functions has been reported for the following language implementations: Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the Ruby language, the 1.9.x branch is not affected by the predictable collision condition since this version includes a randomization of the hashing function.

The vulnerability outlined in this advisory is practically identical to the one reported in 2003 and described in the paper Denial of Service via Algorithmic Complexity Attacks which affected the Perl language.


Discovery 2011-12-28
Entry 2012-01-16
Modified 2012-01-20
jruby
< 1.6.5.1

ruby
ruby+nopthreads
ruby+nopthreads+oniguruma
ruby+oniguruma
< 1.8.7.357,1

rubygem-rack
< 1.3.6,3

v8
< 3.8.5

redis
le 2.4.6

node
< 0.6.7

CVE-2011-4838
CVE-2011-4815
CVE-2011-5036
CVE-2011-5037
http://www.ocert.org/advisories/ocert-2011-003.html
http://www.nruns.com/_downloads/advisory28122011.pdf
959d384d-6b59-11dd-9d79-001fc61c2a55ruby -- DNS spoofing vulnerability

The official ruby site reports:

resolv.rb allow remote attackers to spoof DNS answers. This risk can be reduced by randomness of DNS transaction IDs and source ports.


Discovery 2008-08-08
Entry 2008-08-16
Modified 2009-02-09
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.6.111_5,1

ge 1.9.*,1 lt 1.9.1.0,1

CVE-2008-1447
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
a8674c14-83d7-11db-88d5-0012f06707f0ruby -- cgi.rb library Denial of Service

The official ruby site reports:

Another vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS).

A specific HTTP request for any web application using cgi.rb causes CPU consumption on the machine on which the web application is running. Many such requests result in a denial of service.


Discovery 2006-12-04
Entry 2006-12-04
Modified 2010-05-12
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.5_5,1

ruby_static
ge 1.8.*,1

CVE-2006-6303
http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
ab8dbe98-6be4-11db-ae91-0012f06707f0ruby -- cgi.rb library Denial of Service

Official ruby site reports:

A vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS). The problem is triggered by sending the library an HTTP request that uses multipart MIME encoding and as an invalid boundary specifier that begins with "-" instead of "--". Once triggered it will exhaust all available memory resources effectively creating a DoS condition.


Discovery 2006-10-25
Entry 2006-11-04
Modified 2006-12-15
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.5_4,1

ruby_static
ge 1.8.*,1

20777
CVE-2006-5467
http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
c329712a-6b5b-11dd-9d79-001fc61c2a55ruby -- multiple vulnerabilities in safe level

The official ruby site reports:

Several vulnerabilities in safe level have been discovereds:.

  • untrace_var is permitted at safe level 4;
  • $PROGRAM_NAME may be modified at safe level 4;
  • insecure methods may be called at safe level 1-3;
  • syslog operations are permitted at safe level 4;
  • dl doesn't check taintness, so it could allow attackers to call dangerous functions.

Discovery 2008-08-08
Entry 2008-08-16
Modified 2010-05-12
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.6.287,1

ge 1.9.*,1 lt 1.9.1.0,1

CVE-2008-3655
CVE-2008-3656
CVE-2008-3905
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
f7ba20aa-6b5a-11dd-9d79-001fc61c2a55ruby -- DoS vulnerability in WEBrick

The official ruby site reports:

WEBrick::HTTP::DefaultFileHandler is faulty of exponential time taking requests due to a backtracking regular expression in WEBrick::HTTPUtils.split_header_value.


Discovery 2008-08-08
Entry 2008-08-16
Modified 2010-05-12
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.6.111_5,1

ge 1.9.*,1 lt 1.9.1.0,1

CVE-2008-3655
CVE-2008-3656
CVE-2008-3905
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/