diff options
| author | Craig Leres <leres@FreeBSD.org> | 2021-02-23 01:04:03 +0000 |
|---|---|---|
| committer | Craig Leres <leres@FreeBSD.org> | 2021-02-23 01:04:03 +0000 |
| commit | 662064e70ae175d013afb60a06a344069c7e5e67 (patch) | |
| tree | 0fd835ead074f46a877f1b9396d2ef9ff30198c9 | |
| parent | math/py-cvxpy: Update 1.1.7 -> 1.1.10 (diff) | |
security/vuxml: Mark zeek < 3.0.13 as vulnerable as per:
https://github.com/zeek/zeek/releases/tag/v3.0.13
Fix ASCII Input reader's treatment of input files containing
null-bytes. An input file containing null-bytes could lead to a
buffer-over-read, crash Zeek, and be exploited to cause Denial of
Service.
| -rw-r--r-- | security/vuxml/vuln.xml | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 3a7d75e58984..70a32cc4f32c 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -78,6 +78,34 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="3e9624b3-e92b-4460-8a5a-93247c52c5a1"> + <topic>zeek -- Remote crash vulnerability</topic> + <affects> + <package> + <name>zeek</name> + <range><lt>3.0.13</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Jon Siwek of Corelight reports:</p> + <blockquote cite="https://github.com/zeek/zeek/releases/tag/v3.0.13"> + <p>Fix ASCII Input reader's treatment of input files + containing null-bytes. An input file containing null-bytes + could lead to a buffer-over-read, crash Zeek, and be + exploited to cause Denial of Service. </p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/zeek/zeek/releases/tag/v3.0.13</url> + </references> + <dates> + <discovery>2021-02-10</discovery> + <entry>2021-02-22</entry> + </dates> + </vuln> + <vuln vid="9c03845c-7398-11eb-bc0e-2cf05d620ecc"> <topic>raptor2 -- malformed input file can lead to a segfault</topic> <affects> |