FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

unit -- potential security issue

Affected packages
1.11.0 <= unit < 1.34.2
1.11.0 <= unit-java < 1.34.2

Details

VuXML ID 6af5e3a3-f85a-11ef-95b9-589cfc10a551
Discovery 2025-03-03
Entry 2025-03-03

SO-AND-SO reports:

Unit 1.34.2 fixes two issues in the Java language module websocket code.

  1. It addresses a potential security issue where we could get a negative payload length that could cause the Java language module process(es) to enter an infinite loop and consume excess CPU. This was a bug carried over from the initial Java websocket code import. It has been re-issued a CVE number (CVE-2025-1695).
  2. It addresses an issue whereby decoded payload lengths would be limited to 32 bits.
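
Both length-decoding hazards named in the report, shown as an added example that is not taken from the advisory or from Unit's own code: a decoder for the RFC 6455 payload length field that keeps the value in a `long` and rejects a 64-bit length with the top bit set. The class, `decodeLength`, `BadFrame`, `maxPayload` and the sample header bytes are hypothetical names and constructed inputs.

```java
import java.nio.ByteBuffer;

public class WsPayloadLength {
    /** Thrown for a length field that RFC 6455 does not allow. */
    static class BadFrame extends Exception {
        BadFrame(String msg) { super(msg); }
    }

    /**
     * Decodes the payload length of one frame header. buf is positioned at
     * byte 1 of the frame (the MASK bit plus the 7-bit length).
     * maxPayload is a hypothetical application limit.
     */
    static long decodeLength(ByteBuffer buf, long maxPayload) throws BadFrame {
        int len7 = buf.get() & 0x7F;            // drop the MASK bit
        long len;
        if (len7 < 126) {
            len = len7;
        } else if (len7 == 126) {
            len = buf.getShort() & 0xFFFFL;     // 16-bit unsigned, never negative
        } else {
            len = buf.getLong();                // 64-bit field read into a signed long
            if (len < 0) {                      // top bit set: RFC 6455 requires it to be 0
                throw new BadFrame("negative 64-bit payload length");
            }
        }
        if (len > maxPayload) {
            throw new BadFrame("payload length " + len + " exceeds limit");
        }
        return len;                             // keep as long; an int cast would truncate
    }

    public static void main(String[] args) throws Exception {
        long limit = 1L << 33;                  // constructed limit, above 32 bits
        // Constructed headers: second header byte followed by the extended length.
        byte[] small = {0x05};
        byte[] big = {0x7F, 0, 0, 0, 1, 0, 0, 0, 0};             // 2^32 bytes
        byte[] neg = {0x7F, (byte) 0x80, 0, 0, 0, 0, 0, 0, 0};   // top bit set
        System.out.println(decodeLength(ByteBuffer.wrap(small), limit));
        long n = decodeLength(ByteBuffer.wrap(big), limit);
        System.out.println(n + " as int: " + (int) n);
        try {
            decodeLength(ByteBuffer.wrap(neg), limit);
        } catch (BadFrame e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A read loop that counts remaining bytes against a decoded length only terminates predictably when that length is known to be non-negative, which is why the check sits in the decoder rather than in the caller.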

References

CVE Name CVE-2025-1695
URL https://mailman.nginx.org/pipermail/unit/2025-March/QVYLJKLBIDWOJ7OLYGT27VUWH7RGBRQM.html