
Cloud Vulnerability DB
A community-led vulnerabilities database
In FreeBSD 12.1-STABLE before r357213, 12.1-RELEASE before 12.1-RELEASE-p2, 12.0-RELEASE before 12.0-RELEASE-p13, 11.3-STABLE before r357214, and 11.3-RELEASE before 11.3-RELEASE-p6, URL parsing in libfetch is vulnerable to a heap buffer overflow when the URL carries a username and/or password component (the user:password@ part in front of the host). The issue is tracked as CVE-2020-7450 and was disclosed in FreeBSD security advisory FreeBSD-SA-20:01.libfetch on January 28, 2020 (FreeBSD Advisory).
The vulnerability exists in libfetch(3), the multi-protocol file transfer library shipped with FreeBSD and used by the fetch(1) command-line tool, the pkg(8) package manager, and other components, so it is reached by routine operations such as package installation and not only by explicit downloads. A programming error in the library's URL parsing allows an attacker who can specify a URL with username and/or password components to overflow libfetch(3) buffers: the parsed components are stored in fixed-size fields of the URL structure that libfetch allocates on the heap, and a component longer than its field is written past it, which is what makes this a heap overflow rather than a stack overflow (FreeBSD Advisory).
An attacker in control of the URL to be fetched may trigger the heap buffer overflow, which could result in program misbehavior or execution of attacker-supplied code in the fetching process, with that process's privileges (pkg(8) is usually run as root). The victim does not need to request a malicious URL directly: libfetch follows HTTP redirects, so a server, or anyone able to tamper with an unauthenticated plain-HTTP response, that answers an ordinary request with a redirect to a URL carrying an over-long username or password reaches the same parsing code (FreeBSD Advisory).
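The pattern behind the advisory, as an added illustration that is neither FreeBSD's libfetch source nor the actual patch: a small C model that parses the user:password part of a URL into fixed-size fields of a heap-allocated structure. The field sizes (256 bytes), the structure layout and every function name are assumptions chosen for the illustration. The unbounded copy shows how a username longer than its field walks past it into the rest of the structure and the heap beyond; the bounded version measures each component first and refuses the whole URL if it does not fit, which is what a caller wants when the URL came from a redirect it did not choose.

```c
/*
 * Added example, not FreeBSD/libfetch source: a minimal model of the bug class
 * described above. The userinfo of scheme://[user[:pwd]@]host/... is copied into
 * fixed-size fields of a heap-allocated struct, once without a bound (vulnerable)
 * and once with a check that rejects oversize input (hardened). Limits, layout
 * and function names are assumptions for the illustration.
 */
#include <stdlib.h>
#include <string.h>

#define URL_USERLEN 256                 /* assumed field sizes */
#define URL_PWDLEN  256

struct url {
    char user[URL_USERLEN + 1];
    char pwd[URL_PWDLEN + 1];
    char host[256];                     /* the neighbour an overflow runs into */
};

/* Start of the userinfo (after "://") with *at set to its terminating '@', or
 * NULL if there is none. '@' is searched only up to the end of the authority,
 * so an '@' in the path or query does not count as userinfo. */
const char *find_userinfo(const char *URL, const char **at)
{
    const char *p = strstr(URL, "://");
    if (p == NULL)
        return NULL;
    p += 3;
    *at = memchr(p, '@', strcspn(p, "/?#"));
    return *at ? p : NULL;
}

/* VULNERABLE pattern, kept for contrast and never called on long input: the copy
 * stops at ':' or '@' in the input but never checks the destination, so a username
 * longer than URL_USERLEN writes past user[] into pwd[], host[] and the heap. */
void copy_userinfo_unbounded(struct url *u, const char *p, const char *at)
{
    size_t i = 0;
    while (p < at && *p != ':')
        u->user[i++] = *p++;
    u->user[i] = '\0';
    i = 0;
    if (*p == ':')
        for (p++; p < at; p++)
            u->pwd[i++] = *p;
    u->pwd[i] = '\0';
}

/* HARDENED pattern: measure each component against its field and fail the
 * whole parse if it does not fit. Silent truncation would be wrong too, since
 * it changes the credentials that are then sent to the server. */
int copy_userinfo_bounded(struct url *u, const char *p, const char *at)
{
    const char *colon = memchr(p, ':', (size_t)(at - p));
    size_t ulen = (size_t)((colon ? colon : at) - p);
    size_t plen = colon ? (size_t)(at - colon - 1) : 0;
    if (ulen > URL_USERLEN || plen > URL_PWDLEN)
        return -1;
    memcpy(u->user, p, ulen);
    memcpy(u->pwd, colon ? colon + 1 : at, plen);
    u->user[ulen] = u->pwd[plen] = '\0';
    return 0;
}

/* Parse into a calloc'd struct url (heap, hence "heap overflow" above);
 * NULL on malformed or oversize input. Host, port and path are left out. */
struct url *parse_url(const char *URL)
{
    const char *at, *p;
    struct url *u = URL && strstr(URL, "://") ? calloc(1, sizeof *u) : NULL;
    if (u != NULL && (p = find_userinfo(URL, &at)) != NULL &&
        copy_userinfo_bounded(u, p, at) != 0) {
        free(u);
        u = NULL;
    }
    return u;
}

/* 1 if URL parses and yields exactly this user and pwd. */
int parse_matches(const char *URL, const char *user, const char *pwd)
{
    struct url *u = parse_url(URL);
    int ok = u != NULL && !strcmp(u->user, user) && !strcmp(u->pwd, pwd);
    free(u);
    return ok;
}

/* Constructed input http://AAA...A:x@host/ with an n-byte username: 1 if the
 * bounded parser rejects it, 0 if it accepts it. */
int rejects_user_len(size_t n)
{
    char *URL = malloc(n + 16);
    memcpy(URL, "http://", 7);
    memset(URL + 7, 'A', n);
    strcpy(URL + 7 + n, ":x@host/");
    struct url *u = parse_url(URL);
    int rejected = (u == NULL);
    free(u);
    free(URL);
    return rejected;
}
```

Calling parse_matches() and rejects_user_len() from a small main() shows the difference: a 256-byte username is accepted, a 257-byte one makes parse_url() return NULL instead of writing outside its field. Feeding copy_userinfo_unbounded() a username longer than the whole structure under AddressSanitizer reports a heap-buffer-overflow on the allocation; a shorter oversize username only overwrites pwd[] and host[] inside the same allocation, which is the quieter form of the same bug and the reason a length check, not a sanitizer, has to be the fix.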
The fix is contained in the revisions and patch levels listed above; the correction date is January 28, 2020. Upgrade to a supported FreeBSD stable or release/security branch dated after the correction date. On i386 and amd64 the binary patch can be applied with freebsd-update ("freebsd-update fetch" followed by "freebsd-update install"); on other platforms, apply the source patch and rebuild and reinstall from source. On a release branch, "freebsd-version -u" should afterwards report 12.1-RELEASE-p2, 12.0-RELEASE-p13 or 11.3-RELEASE-p6, or later, for the corresponding release. Because libfetch is a shared library, a long-running process that already had the old library mapped keeps the vulnerable code until it is restarted; processes started after the update use the fixed library (FreeBSD Advisory).
Source: This report was generated using AI