FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
96a21236-707b-11eb-96d8-d4c9ef517024	OpenSSL -- Multiple vulnerabilities The OpenSSL project reports: Null pointer deref in X509_issuer_and_serial_hash() CVE-2021-23841 (Moderate) The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. Integer overflow in CipherUpdate CVE-2021-23840 (Low) Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. Discovery 2021-02-16 Entry 2021-02-16 Modified 2021-08-25 openssl lt 1.1.1j,1 openssl-devel lt 3.0.0.a12 FreeBSD ge 12.2 lt 12.2_10 ge 11.4 lt 11.4_13 https://www.openssl.org/news/secadv/20210216.txt CVE-2021-23841 CVE-2021-23840 CVE-2021-23839 SA-21:17.openssl

VuXML ID

Description

96a21236-707b-11eb-96d8-d4c9ef517024

OpenSSL -- Multiple vulnerabilities

The OpenSSL project reports:

Null pointer deref in X509_issuer_and_serial_hash() CVE-2021-23841

(Moderate) The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.

Integer overflow in CipherUpdate CVE-2021-23840

(Low) Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

Discovery 2021-02-16
Entry 2021-02-16
Modified 2021-08-25
openssl

lt 1.1.1j,1

openssl-devel

lt 3.0.0.a12

FreeBSD

ge 12.2 lt 12.2_10

ge 11.4 lt 11.4_13

https://www.openssl.org/news/secadv/20210216.txt
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
SA-21:17.openssl