FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-29 10:45:39 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID    Description
51a59f36-3c58-11ee-b32e-080027f5fec9    clamav -- Possible denial of service vulnerability in the HFS+ file parser

Steve Smith reports:

There is a possible denial of service vulnerability in the HFS+ file parser.


Discovery 2023-08-15
Entry 2023-08-16
clamav < 1.1.1,1
clamav-lts < 1.0.2,1

CVE-2023-20197
https://blog.clamav.net/2023/07/2023-08-16-releases.html
fd792048-ad91-11ed-a879-080027f5fec9    clamav -- Multiple vulnerabilities

Simon Scannell reports:

CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.
CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser.

Discovery 2023-02-15
Entry 2023-02-16
clamav < 1.0.1,1
clamav-lts < 0.103.8,1

CVE-2023-20032
CVE-2023-20052
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
68ae70c5-c5e5-11ee-9768-08002784c58d    clamav -- Multiple vulnerabilities

The ClamAV project reports:

CVE-2024-20290: A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for end-of-string values during scanning, which may result in a heap buffer over-read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software and consuming available system resources.
CVE-2024-20328: Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. To fix this issue, we disabled the '%f' format string parameter. ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment variable, instead of '%f'. But you should do so only from within an executable, such as a Python script, and not directly in the clamd.conf "VirusEvent" command.

Discovery 2024-02-07
Entry 2024-02-07
clamav < 1.2.2,1
clamav-lts < 1.0.5,1

CVE-2024-20290
CVE-2024-20328
https://blog.clamav.net/2023/11/clamav-130-122-105-released.html