Date: Wed, 2 Jun 2021 23:54:50 GMT From: Craig Leres <leres@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 29ff3797d89e - main - security/vuxml: Mark zeek < 4.0.2 as vulnerable as per: Message-ID: <202106022354.152Nso7F040129@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by leres: URL: https://cgit.FreeBSD.org/ports/commit/?id=29ff3797d89eb84c5d40bb59ba2b9f8998287b64 commit 29ff3797d89eb84c5d40bb59ba2b9f8998287b64 Author: Craig Leres <leres@FreeBSD.org> AuthorDate: 2021-06-02 23:53:02 +0000 Commit: Craig Leres <leres@FreeBSD.org> CommitDate: 2021-06-02 23:53:02 +0000 security/vuxml: Mark zeek < 4.0.2 as vulnerable as per: https://github.com/zeek/zeek/releases/tag/v4.0.2 - Fix potential Undefined Behavior in decode_netbios_name() and decode_netbios_name_type() BIFs. The latter has a possibility of a remote heap-buffer-overread, making this a potential DoS vulnerability. - Add some extra length checking when parsing mobile ipv6 packets. Due to the possibility of reading invalid headers from remote sources, this is a potential DoS vulnerability. --- security/vuxml/vuln.xml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 5e3fb6707996..88e53e619668 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,38 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="a550d62c-f78d-4407-97d9-93876b6741b9"> + <topic>zeek -- several potential DoS vulnerabilities</topic> + <affects> + <package> + <name>zeek</name> + <range><lt>4.0.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Tim Wojtulewicz of Corelight reports:</p> + <blockquote cite="https://github.com/zeek/zeek/releases/tag/v4.0.2">; + <p> Fix potential Undefined Behavior in decode_netbios_name() + and decode_netbios_name_type() BIFs. The latter has a + possibility of a remote heap-buffer-overread, making this + a potential DoS vulnerability.</p> + <p> Add some extra length checking when parsing mobile + ipv6 packets. Due to the possibility of reading invalid + headers from remote sources, this is a potential DoS + vulnerability. </p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/zeek/zeek/releases/tag/v4.0.2</url>; + </references> + <dates> + <discovery>2021-04-30</discovery> + <entry>2021-06-02</entry> + </dates> + </vuln> + <vuln vid="c7ec6375-c3cf-11eb-904f-14dae9d5a9d2"> <topic>PyYAML -- arbitrary code execution</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202106022354.152Nso7F040129>