FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
fceb2b08-cb76-11ec-a06f-d4c9ef517024OpenSSL -- Multiple vulnerabilities

The OpenSSL project reports:

  • The c_rehash script allows command injection (CVE-2022-1292) (Moderate)

    The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.
  • OCSP_basic_verify may incorrectly verify the response signing certificate (CVE-2022-1343) (Moderate)

    The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify.
  • Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434) (Low)

    The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable.
  • Resource leakage when decoding certificates and keys (CVE-2022-1473) (Low)

    The OPENSSL_LH_flush() function, which empties a hash table, containsa bug that breaks reuse of the memory occuppied by the removed hash table entries.

Discovery 2022-05-03
Entry 2022-05-04
Modified 2022-05-05
openssl
lt 1.1.1o,1

openssl-devel
lt 3.0.3

openssl-quictls
lt 3.0.3

CVE-2022-1292
CVE-2022-1343
CVE-2022-1434
CVE-2022-1473
https://www.openssl.org/news/secadv/20220503.txt