FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-23 05:42:14 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
b0374722-3912-11ef-a77e-901b0e9408dc	go -- net/http: denial of service due to improper 100-continue handling The Go project reports: net/http: denial of service due to improper 100-continue handling The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. Discovery 2024-07-02 Entry 2024-07-03 go122 < 1.22.5 go121 < 1.21.12 CVE-2024-24791 https://go.dev/issue/67555
a5c64f6f-2af3-11ef-a77e-901b0e9408dc	go -- multiple vulnerabilities The Go project reports: archive/zip: mishandling of corrupt central directory record The archive/zip package's handling of certain types of invalid zip files differed from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. Discovery 2024-06-04 Entry 2024-06-15 go122 < 1.22.4 go121 < 1.21.11 CVE-2024-24789 CVE-2024-24790 https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ

VuXML ID

Description

b0374722-3912-11ef-a77e-901b0e9408dc

go -- net/http: denial of service due to improper 100-continue handling

The Go project reports:

net/http: denial of service due to improper 100-continue handling

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Discovery 2024-07-02
Entry 2024-07-03
go122

< 1.22.5

go121

< 1.21.12

CVE-2024-24791
https://go.dev/issue/67555

a5c64f6f-2af3-11ef-a77e-901b0e9408dc

go -- multiple vulnerabilities

The Go project reports:

archive/zip: mishandling of corrupt central directory record

The archive/zip package's handling of certain types of invalid zip files differed from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

Discovery 2024-06-04
Entry 2024-06-15
go122

< 1.22.4

go121

< 1.21.11

CVE-2024-24789
CVE-2024-24790
https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ