FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-24 03:12:49 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
fe93803c-883f-11e8-9f0c-001b216d295b	Several Security Defects in the Bouncy Castle Crypto APIs The Legion of the Bouncy Castle reports: Release 1.60 is now available for download. CVE-2018-1000180: issue around primality tests for RSA key pair generation if done using only the low-level API. CVE-2018-1000613: lack of class checking in deserialization of XMSS/XMSS^MT private keys with BDS state information. Discovery 2018-06-30 Entry 2018-07-15 bouncycastle < 1.60 bouncycastle15 < 1.60 puppetserver ge 0 puppetserver5 < 5.3.8 puppetserver6 < 6.2.1 CVE-2018-1000180 CVE-2018-1000613 https://www.bouncycastle.org/latest_releases.html
3bd3c9f8-41ee-11ec-9bac-589cfc007716	puppet -- Unsafe HTTP Redirect Puppet reports: A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007. Discovery 2021-11-09 Entry 2021-11-10 puppet6 < 6.25.1 puppet7 < 7.12.1 puppetserver6 < 6.17.1 puppetserver7 < 7.4.2 CVE-2021-27023 https://puppet.com/security/cve/cve-2021-27023
36def7ba-6d2b-11ea-b115-643150d3111d	puppetserver and puppetdb -- Puppet Server and PuppetDB may leak sensitive information via metrics API Puppetlabs reports: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. Discovery 2020-03-10 Entry 2020-03-23 puppetdb5 < 5.2.13 puppetdb6 < 6.9.1 puppetserver5 < 5.3.12 puppetserver6 < 6.9.2 CVE-2020-7943 https://puppet.com/security/cve/CVE-2020-7943/

VuXML ID

Description

fe93803c-883f-11e8-9f0c-001b216d295b

Several Security Defects in the Bouncy Castle Crypto APIs

The Legion of the Bouncy Castle reports:

Release 1.60 is now available for download.

CVE-2018-1000180: issue around primality tests for RSA key pair generation if done using only the low-level API.

CVE-2018-1000613: lack of class checking in deserialization of XMSS/XMSS^MT private keys with BDS state information.

Discovery 2018-06-30
Entry 2018-07-15
bouncycastle

< 1.60

bouncycastle15

< 1.60

puppetserver

ge 0

puppetserver5

< 5.3.8

puppetserver6

< 6.2.1

CVE-2018-1000180
CVE-2018-1000613
https://www.bouncycastle.org/latest_releases.html

3bd3c9f8-41ee-11ec-9bac-589cfc007716

puppet -- Unsafe HTTP Redirect

Puppet reports:

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007.

Discovery 2021-11-09
Entry 2021-11-10
puppet6

< 6.25.1

puppet7

< 7.12.1

puppetserver6

< 6.17.1

puppetserver7

< 7.4.2

CVE-2021-27023
https://puppet.com/security/cve/cve-2021-27023

36def7ba-6d2b-11ea-b115-643150d3111d

puppetserver and puppetdb -- Puppet Server and PuppetDB may leak sensitive information via metrics API

Puppetlabs reports:

Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network.

PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default.

Discovery 2020-03-10
Entry 2020-03-23
puppetdb5

< 5.2.13

puppetdb6

< 6.9.1

puppetserver5

< 5.3.12

puppetserver6

< 6.9.2

CVE-2020-7943
https://puppet.com/security/cve/CVE-2020-7943/