FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-16 19:33:48 UTC

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: c5bd8a25-99a6-11e9-a598-f079596b62f9
Description: expat2 -- Fix extraction of namespace prefixes from XML names

expat project reports:

XML names with multiple colons could end up in the wrong namespace, and take a high amount of RAM and CPU resources while processing, opening the door to use for denial-of-service attacks.

Discovery: 2019-06-19
Entry: 2019-09-16
Affected: expat < 2.2.7

References:
https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
VuXML ID: 0a0670a1-3e1a-11ed-b48b-e0d55e2a8bf9
Description: expat -- Heap use-after-free vulnerability

Debian Security Advisory reports:

Rhodri James discovered a heap use-after-free vulnerability in the doContent function in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.

Discovery: 2022-09-14
Entry: 2022-09-27
Affected: expat < 2.4.9

References:
CVE-2022-40674
https://www.debian.org/security/2022/dsa-5236
https://nvd.nist.gov/vuln/detail/CVE-2022-40674
VuXML ID: 6856d798-d950-11e9-aae4-f079596b62f9
Description: expat2 -- Fix extraction of namespace prefixes from XML names

expat project reports:

Fix heap overflow triggered by XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber), and deny internal entities closing the doctype.

Discovery: 2019-09-13
Entry: 2019-09-17
Affected: expat < 2.2.8

References:
https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes
VuXML ID: 5fa90ee6-bc9e-11eb-a287-e0d55e2a8bf9
Description: textproc/expat2 -- billion laugh attack

Kurt Seifried reports:

So here are the CVEs for the two big ones, libxml2 and expat. Both are affected by the expansion of internal entities (which can be used to consume resources) and external entities (which can cause a denial of service against other services, be used to port scan, etc.).

A billion laughs attack is a type of denial-of-service attack which is aimed at parsers of XML documents.

Discovery: 2013-02-21
Entry: 2021-05-24
Affected: expat < 2.4.1

References:
CVE-2013-0340
https://www.openwall.com/lists/oss-security/2013/02/22/3
https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/
https://nvd.nist.gov/vuln/detail/CVE-2013-0340
VuXML ID: e375ff3f-7fec-11e8-8088-28d244aee256
Description: expat -- multiple vulnerabilities

Mitre reports:

An integer overflow during the parsing of XML using the Expat library.

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.

Discovery: 2016-10-27
Entry: 2018-07-05
Affected: expat < 2.2.1
Affected: libwww < 5.4.2

References:
CVE-2016-9063
CVE-2017-9233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233
https://libexpat.github.io/doc/cve-2017-9233/