Date: Thu, 17 Aug 2023 06:07:57 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 273172] category/port: ldns used in this project is vulnerable Message-ID: <bug-273172-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D273172 Bug ID: 273172 Summary: category/port: ldns used in this project is vulnerable Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: Individual Port(s) Assignee: ports-bugs@FreeBSD.org Reporter: thresh416@outlook.com Branch stable/13, releng/13.0, releng/13.1, releng/13.2 What is the security issue or vulnerability? As CVE-2020-19860 described, when ldns version 1.7.1 verifies a zone file, = the ldns_rr_new_frm_str_internal function has a heap out of bounds read vulnerability. An attacker can leak information on the heap by constructing= a zone file payload. This vulnerability still exists in this project. This can be easily fixed by apply the patch of this CVE ( CVE-2020-19860 ) = , as listed in the next section. Security issue or vulnerability information CVE-2020-19860's description:https://nvd.nist.gov/vuln/detail/CVE-2020-19860 CVE-2020-19860's patch commit:NLnetLabs/ldns@15d9620 --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-273172-7788>