FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
4bb56d2f-a5b0-11ea-a860-08002728f74cnghttp2 -- DoS vulnerability

nghttp2 security advisories:

The overly large HTTP/2 SETTINGS frame payload causes denial of service.

The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.


Discovery 2020-06-02
Entry 2020-06-03
nghttp2
libnghttp2
lt 1.41.0

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
CVE-2020-11080
121fec01-c042-11e9-a73f-b36f5969f162nghttp2 -- multiple vulnerabilities

nghttp2 GitHub releases:

This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.

CVE-2019-9511 "Data Dribble": The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9513 "Ping Flood": The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.


Discovery 2019-08-13
Entry 2019-08-16
libnghttp2
nghttp2
lt 1.39.2

https://github.com/nghttp2/nghttp2/releases
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
CVE-2019-9511
CVE-2019-9513
1fccb25e-8451-438c-a2b9-6a021e4d7a31nghttp2 -- Denial of service due to NULL pointer dereference

nghttp2 blog:

If ALTSVC frame is received by libnghttp2 and it is larger than it can accept, the pointer field which points to ALTSVC frame payload is left NULL. Later libnghttp2 attempts to access another field through the pointer, and gets segmentation fault.

ALTSVC frame is defined by RFC 7838.

The largest frame size libnghttp2 accept is by default 16384 bytes.

Receiving ALTSVC frame is disabled by default. Application has to enable it explicitly by calling nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC).

Transmission of ALTSVC is always enabled, and it does not cause this vulnerability.

ALTSVC frame is expected to be sent by server, and received by client as defined in RFC 7838.

Client and server are both affected by this vulnerability if the reception of ALTSVC frame is enabled. As written earlier, it is useless to enable reception of ALTSVC frame on server side. So, server is generally safe unless application accidentally enabled the reception of ALTSVC frame.


Discovery 2018-04-04
Entry 2018-04-13
libnghttp2
nghttp2
ge 1.10.0 lt 1.31.1

https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/
CVE-2018-1000168