Date:      Thu, 29 Jan 2026 18:45:44 -0500
From:      "Dan Langille" <dan@langille.org>
To:        "Craig Leres" <leres@freebsd.org>, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Subject:   Re: git: 03bfa3969e0d - main - security/vuxml: Mark security/zeek < 8.0.6 as vulnerable as per:
Message-ID:  <94b576bc-7a45-43d2-992d-832c961bcabf@app.fastmail.com>
In-Reply-To: <697be2f6.3b917.1d527fdf@gitrepo.freebsd.org>

On Thu, Jan 29, 2026, at 5:45 PM, Craig Leres wrote:
> The branch main has been updated by leres:
>
> URL: 
> https://cgit.FreeBSD.org/ports/commit/?id=03bfa3969e0d9c35069c9c80d6c570244e5ea428
>
> commit 03bfa3969e0d9c35069c9c80d6c570244e5ea428
> Author:     Craig Leres <leres@FreeBSD.org>
> AuthorDate: 2026-01-29 22:44:39 +0000
> Commit:     Craig Leres <leres@FreeBSD.org>
> CommitDate: 2026-01-29 22:44:39 +0000
>
>     security/vuxml: Mark security/zeek < 8.0.6 as vulnerable as per:
>    
>         https://github.com/zeek/zeek/releases/tag/v8.0.6
>    
>     This release fixes the following potential DoS vulnerability:
>    
>      - Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding
>        or Content-Length headers set in MIME entities within HTTP bodies
>        and change the analyzer behavior.
>    
>     Reported by:    Tim Wojtulewicz
> ---
>  security/vuxml/vuln/2026.xml | 28 ++++++++++++++++++++++++++++
>  1 file changed, 28 insertions(+)
>
> diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml
> index c70d67182a1f..bb73ba15236f 100644
> --- a/security/vuxml/vuln/2026.xml
> +++ b/security/vuxml/vuln/2026.xml
> @@ -1,3 +1,31 @@
> +  <vuln vid="8173e68a-88f3-4862-882c-6e58779d98e7">
> +    <topic>zeek -- potential DoS vulnerability</topic>
> +    <affects>
> +<package>
> +<name></name>

Name needs a value.

> +<range><lt>8.0.6</lt></range>
> +</package>
> +    </affects>
> +    <description>
> +	<body xmlns="http://www.w3.org/1999/xhtml">;
> +	<p>Tim Wojtulewicz of Corelight reports:</p>
> +	<blockquote cite="https://github.com/zeek/zeek/releases/tag/v8.0.6">;
> +	  <p>Zeek's HTTP analyzer can be tricked into interpreting
> +	  Transfer-Encoding or Content-Length headers set in MIME
> +	  entities within HTTP bodies and change the analyzer
> +	  behavior.</p>
> +	</blockquote>
> +	</body>
> +    </description>
> +    <references>
> +      <url>https://github.com/zeek/zeek/releases/tag/v8.0.6</url>;
> +    </references>
> +    <dates>
> +      <discovery>2026-01-29</discovery>
> +      <entry>2026-01-29</entry>
> +    </dates>
> +  </vuln>
> +
>    <vuln vid="409d70ab-fc23-11f0-85c5-a8a1599412c6">
>      <topic>chromium -- security fix</topic>
>      <affects>
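Review bot: the `<name></name>` element inside `<affects>` is empty, so this entry matches no package at all; given the commit subject and the `<topic>` line it should read `<name>zeek</name>` (the package name, not the full origin security/zeek). Two smaller points in the same hunk: `<package>`, `<name>`, `<range>` and `</package>` are flush-left while the surrounding elements follow the usual nested indentation, and there is a stray `;` after `<body xmlns="http://www.w3.org/1999/xhtml">`, after the `<blockquote cite=...>` tag and after `</url>`; if those semicolons are in the committed file rather than an artifact of the archive rendering, the one after `</url>` is a text node inside `<references>` and will likely fail validation. Worth running `make validate` in security/vuxml before the follow-up commit.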

-- 
  Dan Langille
  dan@langille.org

