FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-23 17:01:17 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
10e3ed8a-db7f-11ea-8bdf-643150d3111d	puppetdb -- Multiple vulnerabilities Puppetlabs reports: In June 2020, jackson-databind published security updates addressing several CVEs. Previous releases of PuppetDB contain a vulnerable version of jackson.core:jackson-databind. PuppetDB 5.2.18 contains an updated version of jackson-databind that has patched the vulnerabilities. Discovery 2020-07-23 Entry 2020-08-11 puppetdb5 < 5.2.18 https://puppet.com/security/cve/jackson-july-2020-security-fixes/ CVE-2020-9548 CVE-2020-14062 CVE-2020-14060 CVE-2020-14061 CVE-2020-14195
36def7ba-6d2b-11ea-b115-643150d3111d	puppetserver and puppetdb -- Puppet Server and PuppetDB may leak sensitive information via metrics API Puppetlabs reports: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. Discovery 2020-03-10 Entry 2020-03-23 puppetdb5 < 5.2.13 puppetdb6 < 6.9.1 puppetserver5 < 5.3.12 puppetserver6 < 6.9.2 CVE-2020-7943 https://puppet.com/security/cve/CVE-2020-7943/

VuXML ID

Description

10e3ed8a-db7f-11ea-8bdf-643150d3111d

puppetdb -- Multiple vulnerabilities

Puppetlabs reports:

In June 2020, jackson-databind published security updates addressing several CVEs. Previous releases of PuppetDB contain a vulnerable version of jackson.core:jackson-databind. PuppetDB 5.2.18 contains an updated version of jackson-databind that has patched the vulnerabilities.

Discovery 2020-07-23
Entry 2020-08-11
puppetdb5

< 5.2.18

https://puppet.com/security/cve/jackson-july-2020-security-fixes/
CVE-2020-9548
CVE-2020-14062
CVE-2020-14060
CVE-2020-14061
CVE-2020-14195

36def7ba-6d2b-11ea-b115-643150d3111d

puppetserver and puppetdb -- Puppet Server and PuppetDB may leak sensitive information via metrics API

Puppetlabs reports:

Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network.

PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default.

Discovery 2020-03-10
Entry 2020-03-23
puppetdb5

< 5.2.13

puppetdb6

< 6.9.1

puppetserver5

< 5.3.12

puppetserver6

< 6.9.2

CVE-2020-7943
https://puppet.com/security/cve/CVE-2020-7943/