Date: Wed, 1 Jun 2016 22:49:47 +0000 (UTC) From: Ryan Steinmetz <zi@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r416260 - head/security/vuxml Message-ID: <201606012249.u51MnlF2071721@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: zi Date: Wed Jun 1 22:49:47 2016 New Revision: 416260 URL: https://svnweb.freebsd.org/changeset/ports/416260 Log: - Document vulnerability in www/h2o PR: 209926 Submitted by: Dave Cottlehuber (maintainer) Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Jun 1 20:56:29 2016 (r416259) +++ head/security/vuxml/vuln.xml Wed Jun 1 22:49:47 2016 (r416260) @@ -58,6 +58,36 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="65bb1858-27de-11e6-b714-74d02b9a84d5"> + <topic>h2o -- use after free on premature connection close</topic> + <affects> + <package> + <name>h2o</name> + <range><lt>1.7.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Tim Newsha reports:</p> + <blockquote cite="http://h2o.examp1e.net/vulnerabilities.html">; + <p>When H2O tries to disconnect a premature HTTP/2 connection, it + calls free(3) to release memory allocated for the connection and + immediately after then touches the memory. No malloc-related + operation is performed by the same thread between the time it calls + free and the time the memory is touched. Fixed by Frederik + Deweerdt.</p> + </blockquote> + </body> + </description> + <references> + <url>https://h2o.examp1e.net/vulnerabilities.html</url>; + </references> + <dates> + <discovery>2016-05-17</discovery> + <entry>2016-06-01</entry> + </dates> + </vuln> + <vuln vid="36cf7670-2774-11e6-af29-f0def16c5c1b"> <topic>nginx -- a specially crafted request might result in worker process crash</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201606012249.u51MnlF2071721>