FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-02 04:12:46 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
7d2336c2-4607-11e1-9f47-00e0815b8da8	spamdyke -- Buffer Overflow Vulnerabilities Secunia reports: Fixed a number of very serious errors in the usage of snprintf()/vsnprintf(). The return value was being used as the length of the string printed into the buffer, but the return value really indicates the length of the string that could be printed if the buffer were of infinite size. Because the returned value could be larger than the buffer's size, this meant remotely exploitable buffer overflows were possible, depending on spamdyke's configuration. Discovery 2012-01-15 Entry 2012-01-23 spamdyke < 4.3.0 CVE-2012-0802 https://secunia.com/advisories/47548/ http://www.spamdyke.org/documentation/Changelog.txt
a47af810-3a17-11e1-a1be-00e0815b8da8	spamdyke -- STARTTLS Plaintext Injection Vulnerability Secunia reports: The vulnerability is caused due to the TLS implementation not properly clearing transport layer buffers when upgrading from plaintext to ciphertext after receiving the "STARTTLS" command. This can be exploited to insert arbitrary plaintext data (e.g. SMTP commands) during the plaintext phase, which will then be executed after upgrading to the TLS ciphertext phase. Discovery 2012-01-04 Entry 2012-01-08 Modified 2012-01-23 spamdyke < 4.2.1 CVE-2012-0070 http://secunia.com/advisories/47435/ http://www.spamdyke.org/documentation/Changelog.txt
555ac165-2bee-11dd-bbdc-00e0815b8da8	spamdyke -- open relay Spamdyke Team reports: Fixed smtp_filter() to reject the DATA command if no valid recipients have been specified. Otherwise, a specific scenario could result in every spamdyke installation being used as an open relay. If the remote server connects and gives one or more recipients that are rejected (for relaying or blacklisting), then gives the DATA command, spamdyke will ignore all other commands, assuming that message data is being transmitted. However, because all of the recipients were rejected, qmail will reject the DATA command. From that point on, the remote server can give as many recipients as it likes and spamdyke will ignore them all -- they will not be filtered at all. After that, the remote server can give the DATA command and send the actual message data. Because spamdyke is controlling relaying, the RELAYCLIENT environment variable is set and qmail won't check for relaying either. Thanks to Mirko Buffoni for reporting this one. Discovery 2008-05-21 Entry 2008-05-27 Modified 2010-05-12 spamdyke < 3.1.8 CVE-2008-2784 http://www.spamdyke.org/documentation/Changelog.txt

VuXML ID

Description

7d2336c2-4607-11e1-9f47-00e0815b8da8

spamdyke -- Buffer Overflow Vulnerabilities

Secunia reports:

Fixed a number of very serious errors in the usage of snprintf()/vsnprintf().

The return value was being used as the length of the string printed into the buffer, but the return value really indicates the length of the string that *could* be printed if the buffer were of infinite size. Because the returned value could be larger than the buffer's size, this meant remotely exploitable buffer overflows were possible, depending on spamdyke's configuration.

Discovery 2012-01-15
Entry 2012-01-23
spamdyke

< 4.3.0

CVE-2012-0802
https://secunia.com/advisories/47548/
http://www.spamdyke.org/documentation/Changelog.txt

a47af810-3a17-11e1-a1be-00e0815b8da8

spamdyke -- STARTTLS Plaintext Injection Vulnerability

Secunia reports:

The vulnerability is caused due to the TLS implementation not properly clearing transport layer buffers when upgrading from plaintext to ciphertext after receiving the "STARTTLS" command. This can be exploited to insert arbitrary plaintext data (e.g. SMTP commands) during the plaintext phase, which will then be executed after upgrading to the TLS ciphertext phase.

Discovery 2012-01-04
Entry 2012-01-08
Modified 2012-01-23
spamdyke

< 4.2.1

CVE-2012-0070
http://secunia.com/advisories/47435/
http://www.spamdyke.org/documentation/Changelog.txt

555ac165-2bee-11dd-bbdc-00e0815b8da8

spamdyke -- open relay

Spamdyke Team reports:

Fixed smtp_filter() to reject the DATA command if no valid recipients have been specified. Otherwise, a specific scenario could result in every spamdyke installation being used as an open relay. If the remote server connects and gives one or more recipients that are rejected (for relaying or blacklisting), then gives the DATA command, spamdyke will ignore all other commands, assuming that message data is being transmitted. However, because all of the recipients were rejected, qmail will reject the DATA command. From that point on, the remote server can give as many recipients as it likes and spamdyke will ignore them all -- they will not be filtered at all. After that, the remote server can give the DATA command and send the actual message data. Because spamdyke is controlling relaying, the RELAYCLIENT environment variable is set and qmail won't check for relaying either. Thanks to Mirko Buffoni for reporting this one.

Discovery 2008-05-21
Entry 2008-05-27
Modified 2010-05-12
spamdyke

< 3.1.8

CVE-2008-2784
http://www.spamdyke.org/documentation/Changelog.txt