git: 5e8cd8807091 - main - security/vuxml: register security/keycloak vulnerability
Date: Mon, 16 Jan 2023 13:32:38 UTC
The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5e8cd88070910be14686cbce2f1afc4d2921d927

commit 5e8cd88070910be14686cbce2f1afc4d2921d927
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-01-16 13:26:18 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-01-16 13:28:27 +0000

    security/vuxml: register security/keycloak vulnerability

    Two XStream-related CVEs that might cause a DoS attack:

    * CVE-2022-40151
    * CVE-2022-41966

    PR:	268939
---
 security/vuxml/vuln/2023.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index abc06ec29864..7705f3e3a530 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,45 @@ + <vuln vid="9d9e9439-959e-11ed-b464-b42e991fc52e"> + <topic>security/keycloak -- Multiple possible DoS attacks</topic> + <affects> + <package> + <name>keycloak</name> + <range><lt>20.0.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>CIRCL reports:</p> + <blockquote cite="https://cve.circl.lu/cve/CVE-2022-41966"> + <ul> + <li>CVE-2022-41966: XStream serializes Java objects to XML + and back again. + Versions prior to 1.4.20 may allow a remote attacker + to terminate the application with a stack + overflow error, resulting in a denial of + service only via manipulation the + processed input stream. + </li> + <li>CVE-2022-40151: If the parser is running on user + supplied input, an attacker may supply content that + causes the parser to crash by stackoverflow. This + effect may support a denial of service attack. + </li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2022-40151</cvename> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40151</url> + <cvename>CVE-2022-41966</cvename> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-41966</url> + </references> + <dates> + <discovery>2022-09-07</discovery> + <entry>2023-01-16</entry> + </dates> + </vuln> + <vuln vid="847f16e5-9406-11ed-a925-3065ec8fd3ec"> <topic>security/tor -- SOCKS4(a) inversion bug</topic> <affects>
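Review bot: the second `<url>` in `<references>` drops the `CVE-` prefix (`cvename.cgi?name=2022-41966`), so it does not point at the MITRE entry for CVE-2022-41966; it should read `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41966`, matching the form used for CVE-2022-40151 two lines above. Secondary point: the `<blockquote cite="https://cve.circl.lu/cve/CVE-2022-41966">` attributes both quoted items to the CVE-2022-41966 page although the second `<li>` is the CVE-2022-40151 text; either cite a page covering both or split the quote into one `<blockquote>` per CVE with its own `cite`. The quoted "only via manipulation the processed input stream" is upstream wording and is fine to keep verbatim.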