FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-18 11:12:36 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID Description

VuXML ID	Description
4548ec97-4d38-11ec-a539-0800270512f4	rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse ooooooo_q reports: The old versions of `CGI::Cookie.parse` applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application. By this fix, `CGI::Cookie.parse` no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded. Discovery 2021-11-24 Entry 2021-11-24 ruby ge 2.6.0,1 lt 2.6.9,1 ge 2.7.0,1 lt 2.7.5,1 ge 3.0.0,1 lt 3.0.3,1 ruby26 ge 2.6.0,1 lt 2.6.9,1 ruby27 ge 2.7.0,1 lt 2.7.5,1 ruby30 ge 3.0.0,1 lt 3.0.3,1 rubygem-cgi < 0.3.1 CVE-2021-41819 https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
6916ea94-4628-11ec-bbe2-0800270512f4	rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods Stanislav Valkanov reports: Date's parsing methods including `Date.parse` are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected. Discovery 2021-11-15 Entry 2021-11-15 Modified 2021-11-24 ruby ge 2.6.0,1 lt 2.6.9,1 ge 2.7.0,1 lt 2.7.5,1 ge 3.0.0,1 lt 3.0.3,1 ruby26 ge 2.6.0,1 lt 2.6.9,1 ruby27 ge 2.7.0,1 lt 2.7.5,1 ruby30 ge 3.0.0,1 lt 3.0.3,1 rubygem-date < 3.2.1 CVE-2021-41817 https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
7ed5779c-e4c7-11eb-91d7-08002728f74c	Ruby -- multiple vulnerabilities Ruby news: This release includes security fixes. Please check the topics below for details. CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP CVE-2021-31799: A command injection vulnerability in RDoc Discovery 2021-07-07 Entry 2021-07-14 ruby26 < 2.6.8,1 ruby < 2.7.4,1 ruby30 < 3.0.2,1 CVE-2021-31799 CVE-2021-31810 CVE-2021-32066 https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/ https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/ https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/ https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/ https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/ https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/

4548ec97-4d38-11ec-a539-0800270512f4

rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse

ooooooo_q reports:

The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.

By this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded.

Discovery 2021-11-24
Entry 2021-11-24
ruby

ge 2.6.0,1 lt 2.6.9,1

ge 2.7.0,1 lt 2.7.5,1

ge 3.0.0,1 lt 3.0.3,1

ruby26

ge 2.6.0,1 lt 2.6.9,1

ruby27

ge 2.7.0,1 lt 2.7.5,1

ruby30

ge 3.0.0,1 lt 3.0.3,1

rubygem-cgi

< 0.3.1

CVE-2021-41819
https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/

6916ea94-4628-11ec-bbe2-0800270512f4

rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods

Stanislav Valkanov reports:

Date's parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.

Discovery 2021-11-15
Entry 2021-11-15
Modified 2021-11-24
ruby

ge 2.6.0,1 lt 2.6.9,1

ge 2.7.0,1 lt 2.7.5,1

ge 3.0.0,1 lt 3.0.3,1

ruby26

ge 2.6.0,1 lt 2.6.9,1

ruby27

ge 2.7.0,1 lt 2.7.5,1

ruby30

ge 3.0.0,1 lt 3.0.3,1

rubygem-date

< 3.2.1

CVE-2021-41817
https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/

7ed5779c-e4c7-11eb-91d7-08002728f74c

Ruby -- multiple vulnerabilities

Ruby news:

This release includes security fixes. Please check the topics below for details.

CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP

CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP

CVE-2021-31799: A command injection vulnerability in RDoc

Discovery 2021-07-07
Entry 2021-07-14
ruby26

< 2.6.8,1

ruby

< 2.7.4,1

ruby30

< 3.0.2,1

CVE-2021-31799
CVE-2021-31810
CVE-2021-32066
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/