FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
6856d798-d950-11e9-aae4-f079596b62f9expat2 -- Fix extraction of namespace prefixes from XML names

expat project reports:

Fix heap overflow triggered by XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber), and deny internal entities closing the doctype


Discovery 2019-09-13
Entry 2019-09-17
expat
< 2.2.8

https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes
ff76f0e0-3f11-11e6-b3c8-14dae9d210b8expat2 -- denial of service

Adam Maris reports:

It was found that original patch for issues CVE-2015-1283 and CVE-2015-2716 used overflow checks that could be optimized out by some compilers applying certain optimization settings, which can cause the vulnerability to remain even after applying the patch.


Discovery 2016-06-09
Entry 2016-06-30
Modified 2016-11-30
expat
< 2.1.1_2

https://bugzilla.redhat.com/show_bug.cgi?id=1344251
CVE-2016-4472
5fa90ee6-bc9e-11eb-a287-e0d55e2a8bf9texproc/expat2 -- billion laugh attack

Kurt Seifried reports:

So here are the CVE's for the two big ones, libxml2 and expat. Both are affected by the expansion of internal entities (which can be used to consume resources) and external entities (which can cause a denial of service against other services, be used to port scan, etc.).

A billion laughs attack is a type of denial-of-service attack which is aimed at parsers of XML documents.


Discovery 2013-02-21
Entry 2021-05-24
expat
< 2.4.1

CVE-2013-0340
https://www.openwall.com/lists/oss-security/2013/02/22/3
https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/
https://nvd.nist.gov/vuln/detail/CVE-2013-0340
e375ff3f-7fec-11e8-8088-28d244aee256expat -- multiple vulnerabilities

Mitre reports:

An integer overflow during the parsing of XML using the Expat library.

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.


Discovery 2016-10-27
Entry 2018-07-05
expat
< 2.2.1

libwww
< 5.4.2

CVE-2016-9063
CVE-2017-9233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233
https://libexpat.github.io/doc/cve-2017-9233/
c5bd8a25-99a6-11e9-a598-f079596b62f9expat2 -- Fix extraction of namespace prefixes from XML names

expat project reports:

XML names with multiple colons could end up in the wrong namespace, and take a high amount of RAM and CPU resources while processing, opening the door to use for denial-of-service attacks


Discovery 2019-06-19
Entry 2019-09-16
expat
< 2.2.7

https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes