mirror of
https://git.FreeBSD.org/ports.git
synced 2024-12-25 04:43:33 +00:00
Document libidn2 vulnerability
parent
9c6bdac859
commit
fb17797493
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=517921
@ -58,6 +58,41 @@ Notes:
|
||||
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
|
||||
-->
|
||||
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
|
||||
<vuln vid="f04f840d-0840-11ea-8d66-75d3253ef913">
|
||||
<topic>libidn2 -- roundtrip check vulnerability</topic>
|
||||
<affects>
|
||||
<package>
|
||||
<name>libidn2</name>
|
||||
<range><lt>2.3.0</lt></range>
|
||||
</package>
|
||||
</affects>
|
||||
<description>
|
||||
<body xmlns="http://www.w3.org/1999/xhtml">
|
||||
<p>CVE list:</p>
|
||||
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12290">
|
||||
<p>.</p>
|
||||
<p>GNU libidn2 before 2.2.0 fails to perform the roundtrip checks
|
||||
specified in RFC3490 Section 4.2 when converting A-labels to U-labels.
|
||||
This makes it possible in some circumstances for one domain to
|
||||
impersonate another. By creating a malicious domain that matches a
|
||||
target domain except for the inclusion of certain punycoded Unicode
|
||||
characters (that would be discarded when converted first to a Unicode
|
||||
label and then back to an ASCII label), arbitrary domains can be
|
||||
impersonated.</p>
|
||||
</blockquote>
|
||||
</body>
|
||||
</description>
|
||||
<references>
|
||||
<url>https://gitlab.com/libidn/libidn2/blob/master/NEWS</url>
|
||||
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12290</url>
|
||||
<cvename>CVE-2019-12290</cvename>
|
||||
</references>
|
||||
<dates>
|
||||
<discovery>2019-11-14</discovery>
|
||||
<entry>2019-11-18</entry>
|
||||
</dates>
|
||||
</vuln>
|
||||
|
||||
<vuln vid="f59af308-07f3-11ea-8c56-f8b156b6dcc8">
|
||||
<topic>GNU cpio -- multiple vulnerabilities</topic>
|
||||
<affects>
|
||||
|
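Review bot: The `<range><lt>2.3.0</lt></range>` under `<affects>` does not agree with the quoted CVE text in the same entry, which says "GNU libidn2 before 2.2.0". Either tighten the range to `<lt>2.2.0</lt>`, or keep 2.3.0 and add a sentence in the `<body>` (outside the `<blockquote>`) stating why releases between 2.2.0 and 2.3.0 are still treated as affected, so that readers and audit tooling can see the basis for the wider range. Separately, the `<p>.</p>` paragraph at the start of the `<blockquote>` contains only a period and looks like leftover template text; it should be dropped. The "CVE list:" lead-in could also be reworded to name the source being quoted, since the entry cites a single CVE.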