FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID: d1dfc4c7-8791-11e3-a371-6805ca0b3d42
Description: rt42 -- denial-of-service attack via the email gateway

The RT development team reports:

Versions of RT between 4.2.0 and 4.2.2 (inclusive) are vulnerable to a denial-of-service attack via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This vulnerability is assigned CVE-2014-1474.

This vulnerability is caused by poor parsing performance in the Email::Address::List module, which RT depends on. We recommend that affected users upgrade their version of Email::Address::List to v0.02 or above, which resolves the issue. Due to a communications mishap, the release on CPAN will temporarily appear as "unauthorized," and the command-line cpan client will hence not install it. We expect this to be resolved shortly; in the meantime, the release is also available from our server.

Discovery 2014-01-27
Entry 2014-01-27

Affected packages:
rt42: ge 4.2 lt 4.2.1_3; ge 4.2.2 lt 4.2.2_2
p5-Email-Address-List: lt 0.02

References:
CVE-2014-1474
http://blog.bestpractical.com/2014/01/security-vulnerability-in-rt-42.html

VuXML ID: 7a92e958-5207-11e7-8d7c-6805ca0b3d42
Description: rt and dependent modules -- multiple security vulnerabilities

BestPractical reports:

Please reference CVE/URL list for details

Discovery 2017-06-15
Entry 2017-06-15

Affected packages:
rt42: ge 4.2.0 lt 4.2.13_1
rt44: ge 4.4.0 lt 4.4.1_1
p5-RT-Authen-ExternalAuth: ge 0.9 lt 0.27

References:
http://lists.bestpractical.com/pipermail/rt-announce/2017-June/000297.html
CVE-2015-7686
CVE-2016-6127
CVE-2017-5361
CVE-2017-5943
CVE-2017-5944

VuXML ID: d08f6002-c588-11e4-8495-6805ca0b3d42
Description: rt -- Remote DoS, Information disclosure and Session Hijacking vulnerabilities

Best Practical reports:

RT 3.0.0 and above, if running on Perl 5.14.0 or higher, are vulnerable to a remote denial-of-service via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This denial-of-service may encompass both CPU and disk usage, depending on RT's logging configuration. This vulnerability is assigned CVE-2014-9472.

RT 3.8.8 and above are vulnerable to an information disclosure attack which may reveal RSS feeds URLs, and thus ticket data; this vulnerability is assigned CVE-2015-1165. RSS feed URLs can also be leveraged to perform session hijacking, allowing a user with the URL to log in as the user that created the feed; this vulnerability is assigned CVE-2015-1464.

Discovery 2015-02-26
Entry 2015-03-08

Affected packages:
rt42: ge 4.2.0 lt 4.2.10
rt40: ge 4.0.0 lt 4.0.23

References:
http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html
CVE-2014-9472
CVE-2015-1165
CVE-2015-1464

VuXML ID: 83b38a2c-413e-11e5-bfcf-6805ca0b3d42
Description: RT -- two XSS vulnerabilities

Best Practical reports:

RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via the user and group rights management pages. This vulnerability is assigned CVE-2015-5475. It was discovered and reported by Marcin Kopec at Data Reliance Shared Service Center.

RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS) attack via the cryptography interface. This vulnerability could allow an attacker with a carefully-crafted key to inject JavaScript into RT's user interface. Installations which use neither GnuPG nor S/MIME are unaffected.

Discovery 2015-08-12
Entry 2015-08-12
Modified 2015-08-18

Affected packages:
rt42: ge 4.2.0 lt 4.2.12
rt40: ge 4.0.0 lt 4.0.24

References:
CVE-2015-5475
CVE-2015-6506
http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html

VuXML ID: 416ca0f4-3fe0-11e9-bbdd-6805ca0b3d42
Description: rt -- XSS via jQuery

BestPractical reports:

The version of jQuery used in RT 4.2 and 4.4 has a Cross-site Scripting (XSS) vulnerability when using cross-domain Ajax requests. This vulnerability is assigned CVE-2015-9251. RT does not use this jQuery feature, so it is not directly vulnerable. jQuery version 1.12 no longer receives official updates; however, a fix was posted with recommendations for applications to patch locally, so RT will follow this recommendation and ship with a patched version.

Discovery 2019-03-05
Entry 2019-03-06

Affected packages:
rt42: ge 4.2.0 lt 4.2.16
rt44: ge 4.4.0 lt 4.4.4

References:
https://docs.bestpractical.com/release-notes/rt/4.4.4
https://docs.bestpractical.com/release-notes/rt/4.2.16
CVE-2015-9251

VuXML ID: 81e2b308-4a6c-11e4-b711-6805ca0b3d42
Description: rt42 -- vulnerabilities related to shellshock

Best Practical reports:

RT 4.2.0 and above may be vulnerable to arbitrary execution of code by way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- collectively known as "Shellshock." This vulnerability requires a privileged user with access to an RT instance running with SMIME integration enabled; it applies to both mod_perl and fastcgi deployments. If you have already taken upgrades to bash to resolve "Shellshock," you are protected from this vulnerability in RT, and there is no need to apply this patch. This vulnerability has been assigned CVE-2014-7227.

Discovery 2014-10-02
Entry 2014-10-02

Affected packages:
rt42: ge 4.2.0 lt 4.2.8

References:
http://blog.bestpractical.com/2014/10/security-vulnerability-in-rt-42x-cve-2014-7227.html
CVE-2014-7227