Date: Sun, 7 Jul 2024 20:53:48 GMT From: Thomas Zander <riggs@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 265464b9c02d - main - security/vuxml: Document vulnerability in net/traefik Message-ID: <202407072053.467Krmrh013248@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by riggs: URL: https://cgit.FreeBSD.org/ports/commit/?id=265464b9c02d1bc46235ace780281b69066a0eac commit 265464b9c02d1bc46235ace780281b69066a0eac Author: Thomas Zander <riggs@FreeBSD.org> AuthorDate: 2024-07-07 20:51:03 +0000 Commit: Thomas Zander <riggs@FreeBSD.org> CommitDate: 2024-07-07 20:51:03 +0000 security/vuxml: Document vulnerability in net/traefik Documenting CVE-2024-39321 in net/traefik: There is a vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. --- security/vuxml/vuln/2024.xml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 297dec1ebf75..e888468f380a 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,30 @@ + <vuln vid="767dfb2d-3c9e-11ef-a829-5404a68ad561"> + <topic>traefik -- Bypassing IP allow-lists via HTTP/3 early data requests</topic> + <affects> + <package> + <name>traefik</name> + <range><lt>2.11.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The traefik authors report:</p> + <blockquote cite="https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9">; + <p>There is a vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early + data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2024-39321</cvename> + <url>https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9</url>; + </references> + <dates> + <discovery>2024-07-02</discovery> + <entry>2024-07-07</entry> + </dates> + </vuln> + <vuln vid="5d921a8c-3a43-11ef-b611-84a93843eb75"> <topic>Apache httpd -- source code disclosure</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202407072053.467Krmrh013248>