FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.


These are the vulnerabilities relating to the commit you have selected:

VuXML ID    Description
c1b2b492-6999-11ec-a50c-001cc0382b2f    Mbed TLS -- Potential double-free after an out of memory error

Manuel Pégourié-Gonnard reports:

If mbedtls_ssl_set_session() or mbedtls_ssl_get_session() were to fail with MBEDTLS_ERR_SSL_ALLOC_FAILED (in an out of memory condition), then calling mbedtls_ssl_session_free() and mbedtls_ssl_free() in the usual manner would cause an internal session buffer to be freed twice, due to two structures both having valid pointers to it after a call to ssl_session_copy().

An attacker could potentially trigger the out of memory condition, and therefore use this bug to create memory corruption, which could then be further exploited or targeted.


Discovery 2021-12-14
Entry 2021-12-30
mbedtls
lt 2.16.12

ge 2.17.0 lt 2.28.0

CVE-2021-44732
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12
bf1f47c4-7f1b-11ea-bf94-001cc0382b2f    Mbed TLS -- Side channel attack on ECDSA

Manuel Pégourié-Gonnard reports:

An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can fully recover an ECDSA private key after observing a number of signature operations.


Discovery 2020-04-14
Entry 2020-04-15
mbedtls
lt 2.16.6

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04
CVE-2020-10932
293f40a0-ffa1-11e8-b258-0011d823eebd    Mbed TLS -- Local timing attack on RSA decryption

Janos Follath reports:

An attacker who can run code on the same machine that is performing an RSA decryption can potentially recover the plaintext through a Bleichenbacher-like oracle.


Discovery 2018-11-28
Entry 2018-12-14
mbedtls
lt 2.14.1

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-03
CVE-2018-19608
1c948fd3-dac0-11e9-81b2-0011d823eebd    Mbed TLS -- Side channel attack on deterministic ECDSA

Janos Follath reports:

Mbed TLS does not have a constant-time/constant-trace arithmetic library and uses blinding to protect against side channel attacks.

In the ECDSA signature routine previous Mbed TLS versions used the same RNG object for generating the ephemeral key pair and for generating the blinding values. The deterministic ECDSA function reused this by passing the RNG object created from the private key and the message to be signed as prescribed by RFC 6979. This meant that the same RNG object was used whenever the same message was signed, rendering the blinding ineffective.

If the victim can be tricked to sign the same message repeatedly, the private key may be recoverable through side channels.


Discovery 2019-09-06
Entry 2019-09-19
mbedtls
lt 2.16.3

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10
c685edd9-c045-11ea-8898-001cc0382b2f    Mbed TLS -- Side-channel attack on ECC key import and validation

Manuel Pégourié-Gonnard reports:

The scalar multiplication function in Mbed TLS accepts a random number generator (RNG) as an optional argument and, if provided, uses it to protect against some attacks.

It is the caller's responsibility to provide a RNG if protection against side-channel attacks is desired; however two groups of functions in Mbed TLS itself fail to pass a RNG:

  1. mbedtls_pk_parse_key() and mbedtls_pk_parse_keyfile()
  2. mbedtls_ecp_check_pub_priv() and mbedtls_pk_check_pair()

When those functions are called, scalar multiplication is computed without randomisation, and a number of old and new attacks apply, allowing a powerful local attacker to fully recover the private key.


Discovery 2020-07-01
Entry 2020-07-07
mbedtls
lt 2.16.7

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07
d8382a69-4728-11e8-ba83-0011d823eebd    mbed TLS (PolarSSL) -- multiple vulnerabilities

Simon Butcher reports:

  • Defend against Bellcore glitch attacks by verifying the results of RSA private key operations.
  • Fix implementation of the truncated HMAC extension. The previous implementation allowed an offline 2^80 brute force attack on the HMAC key of a single, uninterrupted connection (with no resumption of the session).
  • Reject CRLs containing unsupported critical extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
  • Fix a buffer overread in ssl_parse_server_key_exchange() that could cause a crash on invalid input.
  • Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a crash on invalid input.

Discovery 2018-03-21
Entry 2018-04-23
mbedtls
lt 2.7.2

polarssl13
ge *

https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released
056ea107-5729-11ea-a2f3-001cc0382b2f    Mbed TLS -- Cache attack against RSA key import in SGX

Janos Follath reports:

If Mbed TLS is running in an SGX enclave and the adversary has control of the main operating system, they can launch a side channel attack to recover the RSA private key when it is being imported.

The attack only requires access to fine grained measurements to cache usage. Therefore the attack might be applicable to a scenario where Mbed TLS is running in TrustZone secure world and the attacker controls the normal world or possibly when Mbed TLS is part of a hypervisor and the adversary has full control of a guest OS.


Discovery 2020-02-18
Entry 2020-02-24
mbedtls
lt 2.16.5

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02
f4876dd4-9ca8-11e8-aa17-0011d823eebd    mbed TLS -- plaintext recovery vulnerabilities

Simon Butcher reports:

  • When using a CBC based ciphersuite, a remote attacker can partially recover the plaintext.
  • When using a CBC based ciphersuite, an attacker with the ability to execute arbitrary code on the machine under attack can partially recover the plaintext by use of cache based side-channels.

Discovery 2018-07-24
Entry 2018-08-10
mbedtls
lt 2.12

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02
CVE-2018-0497
CVE-2018-0498
bcdeb6d2-f02d-11ea-838a-0011d823eebd    Mbed TLS -- Local side channel attack on RSA and static Diffie-Hellman

Manuel Pégourié-Gonnard reports:

An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can recover the private keys used in RSA or static (finite-field) Diffie-Hellman operations.


Discovery 2020-09-01
Entry 2020-09-06
mbedtls
lt 2.16.8

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
c2f107e1-2493-11e8-b3e8-001cc0382b2f    mbed TLS (PolarSSL) -- remote code execution

Simon Butcher reports:

  • When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet can be used to selectively corrupt 6 bytes on the peer's heap, potentially leading to a crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS.
  • When RSASSA-PSS signature verification is enabled, sending a maliciously constructed certificate chain can be used to cause a buffer overflow on the peer's stack, potentially leading to crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS.

Discovery 2018-02-05
Entry 2018-03-10
mbedtls
lt 2.7.0

polarssl13
lt 1.3.22

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01
CVE-2018-0487
CVE-2018-0488
4c69240f-f02c-11ea-838a-0011d823eebd    Mbed TLS -- Local side channel attack on classical CBC decryption in (D)TLS

Manuel Pégourié-Gonnard reports:

When decrypting/authenticating a (D)TLS record in a connection using a CBC ciphersuite without the Encrypt-then-Mac extension RFC 7366, Mbed TLS used dummy rounds of the compression function associated with the hash used for HMAC in order to hide the length of the padding to remote attackers, as recommended in the original Lucky Thirteen paper.

A local attacker who is able to observe the state of the cache could monitor the presence of mbedtls_md_process() in the cache in order to determine when the actual computation ends and when the dummy rounds start. This is a reliable target as it's always called at least once, in response to a previous attack. The attacker can then continue with one of many well-documented Lucky 13 variants.


Discovery 2020-09-01
Entry 2020-09-06
mbedtls
lt 2.16.8

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1
CVE-2020-16150
b70b880f-5727-11ea-a2f3-001cc0382b2f    Mbed TLS -- Side channel attack on ECDSA

Janos Follath reports:

Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it (as it is smaller than RSA keys and not guaranteed to have only large prime factors), and then, by brute force, recover the key.


Discovery 2019-10-25
Entry 2020-02-24
mbedtls
lt 2.16.4

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12
CVE-2019-18222