FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 6954a2b0-bda8-11eb-a04e-641c67a117d8
Description: libzmq4 -- Stack overflow

Fang-Pen Lin reports:

A remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.


Discovery: 2019-06-27
Entry: 2021-05-25
Affected: libzmq4 < 4.3.2

CVE-2019-13132
https://github.com/zeromq/libzmq/releases/tag/v4.3.2
https://github.com/zeromq/libzmq/issues/3558
ports/255102

VuXML ID: 21ec4428-bdaa-11eb-a04e-641c67a117d8
Description: libzmq4 -- Denial of Service

Google's oss-fuzz project reports:

Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated clients. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them.


Discovery: 2020-09-07
Entry: 2021-05-25
Affected: libzmq4 < 4.3.3

CVE-2020-15166
https://github.com/zeromq/libzmq/releases/tag/v4.3.3
https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
ports/255102

VuXML ID: 8e48365a-214d-11e9-9f8a-0050562a4d7b
Description: libzmq4 -- Remote Code Execution Vulnerability

A vulnerability has been found that would allow attackers to direct a peer to jump to and execute from an address indicated by the attacker. This issue has been present since v4.2.0. Older releases are not affected. NOTE: The attacker needs to know in advance valid addresses in the peer's memory to jump to, so measures like ASLR are effective mitigations. NOTE: this attack can only take place after authentication, so peers behind CURVE/GSSAPI are not vulnerable to unauthenticated attackers.


Discovery: 2019-01-08
Entry: 2019-01-26
Affected: libzmq4 >= 4.2.0, < 4.3.1

CVE-2019-6250
https://github.com/zeromq/libzmq/issues/3351
https://github.com/zeromq/libzmq/pull/3353
https://nvd.nist.gov/vuln/detail/CVE-2019-6250
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6250