FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-12-24 11:27:39 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
3679fd10-c5d1-11e5-b85f-0018fe623f2b	openssl -- multiple vulnerabilities OpenSSL project reports: Historically OpenSSL only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe" then an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. For example this could be used to discover a TLS server's private DH exponent if it's reusing the private DH exponent or it's using a static DH ciphersuite. OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk. (CVE-2016-0701) A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2. (CVE-2015-3197) Discovery 2016-01-22 Entry 2016-01-28 Modified 2016-08-09 openssl < 1.0.2_7 mingw32-openssl >= 1.0.1 lt 1.0.2f FreeBSD >= 10.2 lt 10.2_12 >= 10.1 lt 10.1_29 >= 9.3 lt 9.3_36 SA-16:11.openssl CVE-2016-0701 CVE-2015-3197 https://www.openssl.org/news/secadv/20160128.txt
4c8d1d72-9b38-11e5-aece-d050996490d0	openssl -- multiple vulnerabilities OpenSSL project reports: BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193) Certificate verify crash with missing PSS parameter (CVE-2015-3194) X509_ATTRIBUTE memory leak (CVE-2015-3195) Race condition handling PSK identify hint (CVE-2015-3196) Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794) Discovery 2015-12-03 Entry 2015-12-05 Modified 2016-08-09 openssl < 1.0.2_5 mingw32-openssl >= 1.0.1 lt 1.0.2e linux-c6-openssl < 1.0.1e_7 FreeBSD >= 10.2 lt 10.2_8 >= 10.1 lt 10.1_25 >= 9.3 lt 9.3_31 SA-15:26.openssl CVE-2015-1794 CVE-2015-3193 CVE-2015-3194 CVE-2015-3195 CVE-2015-3196 https://www.openssl.org/news/secadv/20151203.txt

VuXML ID

Description

3679fd10-c5d1-11e5-b85f-0018fe623f2b

openssl -- multiple vulnerabilities

OpenSSL project reports:

Historically OpenSSL only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe" then an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. For example this could be used to discover a TLS server's private DH exponent if it's reusing the private DH exponent or it's using a static DH ciphersuite. OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk. (CVE-2016-0701)

A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2. (CVE-2015-3197)

Discovery 2016-01-22
Entry 2016-01-28
Modified 2016-08-09
openssl

< 1.0.2_7

mingw32-openssl

>= 1.0.1 lt 1.0.2f

FreeBSD

>= 10.2 lt 10.2_12

>= 10.1 lt 10.1_29

>= 9.3 lt 9.3_36

SA-16:11.openssl
CVE-2016-0701
CVE-2015-3197
https://www.openssl.org/news/secadv/20160128.txt

4c8d1d72-9b38-11e5-aece-d050996490d0

openssl -- multiple vulnerabilities

OpenSSL project reports:

BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)

Certificate verify crash with missing PSS parameter (CVE-2015-3194)

X509_ATTRIBUTE memory leak (CVE-2015-3195)

Race condition handling PSK identify hint (CVE-2015-3196)

Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)

Discovery 2015-12-03
Entry 2015-12-05
Modified 2016-08-09
openssl

< 1.0.2_5

mingw32-openssl

>= 1.0.1 lt 1.0.2e

linux-c6-openssl

< 1.0.1e_7

FreeBSD

>= 10.2 lt 10.2_8

>= 10.1 lt 10.1_25

>= 9.3 lt 9.3_31

SA-15:26.openssl
CVE-2015-1794
CVE-2015-3193
CVE-2015-3194
CVE-2015-3195
CVE-2015-3196
https://www.openssl.org/news/secadv/20151203.txt