FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.


These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
f0683976-5779-11ea-8a77-1c872ccb1e42 | OpenSMTPd -- LPE and RCE in OpenSMTPD's default install

OpenSMTPD developers report:

An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

An unprivileged local attacker can read the first line of an arbitrary file (for example, root's password hash in /etc/master.passwd) or the entire contents of another user's file (if this file and /var/spool/smtpd/ are on the same filesystem).


Discovery 2020-02-22
Entry 2020-02-24
Modified 2020-02-27
opensmtpd lt 6.6.4,1

CVE-2020-8793
https://www.openwall.com/lists/oss-security/2020/02/24/4
CVE-2020-8794
https://www.openwall.com/lists/oss-security/2020/02/24/5