author | josef <josef@FreeBSD.org> | 2004-10-24 19:39:27 +0000 |
---|---|---|
committer | josef <josef@FreeBSD.org> | 2004-10-24 19:39:27 +0000 |
commit | 7af33b3b5023332820b25dd290a1947e6fb0364c (patch) | |
tree | 9ad375ee0e38c1e2500dac8b7fa27b097ccc1aea /security | |
parent | 7488b8bd539bb733c3764ca8b64bc44a28844cfd (diff) | |
Document SSLCipherSuite bypass vulnerability in mod_ssl
and buffer overflow vulnerability in gaim.
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index e0b107c..6defc17 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -32,6 +32,77 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="1e6c4008-245f-11d9-b584-0050fc56d258"> + <topic>gaim -- buffer overflow in MSN protocol support</topic> + <affects> + <package> + <name>ja-gaim</name> + <range><ge>0.79</ge><le>1.0.1</le></range> + </package> + <package> + <name>gaim</name> + <range><ge>0.79</ge><le>1.0.1</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Due to a buffer overflow in the MSN protocol support for + gaim 0.79 to 1.0.1, it is possible for remote clients to do a + denial-of-service attack on the application. + This is caused by an unbounded copy operation, which writes + to the wrong buffer.</p> + </body> + </description> + <references> + <cvename>CAN-2004-0891</cvename> + <url>http://gaim.sourceforge.net/security/?id=9</url> + </references> + <dates> + <discovery>2004-10-19</discovery> + <entry>2004-10-24</entry> + </dates> + </vuln> + + <vuln vid="4238151d-207a-11d9-bfe2-0090962cff2a"> + <topic>mod_ssl -- SSLCipherSuite bypass</topic> + <affects> + <package> + <name>ru-apache+mod_ssl</name> + <range><le>1.3.31+30.20+2.8.18</le></range> + </package> + <package> + <name>apache+mod_ssl</name> + <range><lt>1.3.31+2.8.20</lt></range> + </package> + <package> + <name>apache+mod_ssl+ipv6</name> + <range><le>1.3.31+2.8.18_4</le></range> + </package> + <package> + <name>apache2</name> + <range><le>2.0.52_1</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>It is possible for clients to use any cipher suite configured by + the virtual host, whether or not a certain cipher suite is selected + for a specific directory. 
This might result in clients using a + weaker encryption than originally configured.</p> + </body> + </description> + <references> + <cvename>CAN-2004-0885</cvename> + <mlist msgid="20041008152510.GE8385@redhat.com">http://marc.theaimsgroup.com/?l=apache-modssl&m=109724918128044</mlist> + <url>http://issues.apache.org/bugzilla/show_bug.cgi?id=31505</url> + </references> + <dates> + <discovery>2004-10-01</discovery> + <entry>2004-10-23</entry> + </dates> + </vuln> + + <vuln vid="20d16518-2477-11d9-814e-0001020eed82"> <topic>mpg123 -- buffer overflow in URL handling</topic> <affects> |
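Review bot: In the mod_ssl entry, three of the four packages close the affected range with `<le>` on the last known-vulnerable version (`<le>1.3.31+30.20+2.8.18</le>`, `<le>1.3.31+2.8.18_4</le>`, `<le>2.0.52_1</le>`), so a later port revision bump that ships without the fix would fall outside the range and stop being flagged as vulnerable. Where the fixed version is known, `<lt>` on it is the safer bound, as already done with `<lt>1.3.31+2.8.20</lt>` for apache+mod_ssl; the same applies to `<le>1.0.1</le>` in both gaim packages. The gaim description also limits the impact to denial of service while describing an unbounded copy into the wrong buffer, so it is worth confirming against the referenced advisory that nothing worse is possible. Finally, the `<mlist>` URL shows a bare `&` before `m=`; this may only be how the page renders it, but the file needs `&amp;` there to stay well-formed.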