The vulnerability impacts Grafana Cloud and Grafana Enterprise instances,
and it is exploitable if a user who should not be able to access all data
sources is granted permissions to create a data source.
By default, only organization Administrators are allowed to create a data
source and have full access to all data sources. All other users need to be
explicitly granted permission to create a data source, which then means they
could exploit this vulnerability.
When a user creates a data source via the
API,
they can specify data source UID. If the UID is set to an asterisk (*),
the user gains permissions to query, update, and delete all data sources
in the organization. The exploit, however, does not stretch across
organizations â to exploit the vulnerability in several organizations, a user
would need permissions to create data sources in each organization.
The vulnerability comes from a lack of UID validation. When evaluating
permissions, we interpret an asterisk (*) as a wild card for all resources.
Therefore, we should treat it as a reserved value, and not allow the creation
of a resource with the UID set to an asterisk.
The CVSS score for this vulnerability is
6 Medium.
The phpMyFAQ Team has learned of multiple security issues that'd
been discovered in phpMyFAQ 3.2.5 and earlier. phpMyFAQ contains
cross-site scripting (XSS), SQL injection and bypass
vulnerabilities.
Emacs 29.3 is an emergency bugfix release intended to fix several security vulnerabilities.
Arbitrary Lisp code is no longer evaluated as part of turning on Org mode. This is for security reasons, to avoid evaluating malicious Lisp code.
New buffer-local variable 'untrusted-content'. When this is non-nil, Lisp programs should treat buffer contents with extra caution.
Gnus now treats inline MIME contents as untrusted. To get back previous insecure behavior, 'untrusted-content' should be reset to nil in the buffer.
LaTeX preview is now by default disabled for email attachments. To get back previous insecure behavior, set the variable 'org--latex-preview-when-risky' to a non-nil value.
Org mode now considers contents of remote files to be untrusted. Remote files are recognized by calling 'file-remote-p'.
A security vulnerability was found where a server process
running MongoDB 3.2.6 or later will allow incoming connections
to skip peer certificate validation if the server process was
started with TLS enabled (net.tls.mode set to allowTLS,
preferTLS, or requireTLS) and without a net.tls.CAFile
configured (CVE-2024-1351).
A denial of service attack can be performed on Varnish Cacher servers
that have the HTTP/2 protocol turned on. An attacker can let the
servers HTTP/2 connection control flow window run out of credits
indefinitely and prevent progress in the processing of streams,
retaining the associated resources.
Emails which consist of multiple parts (`Content-Type: multipart/*`)
incorporate boundary information stating at which point one part ends and the
next part begins.
A boundary is announced by an Content-Type header's `boundary` parameter. To
our current knowledge, RFC2046 and RFC2045 do not explicitly specify how a
parser should handle multiple boundary parameters that contain conflicting
values. As a result, there is no canonical choice which of the values should or
should not be used for mime part decomposition.
A potential security vulnerability in the bus lock regulator
mechanism for some Intel Processors may allow denial of service. Intel
is releasing firmware updates to mitigate this potential
vulnerability.
A potential security vulnerability in some Intel Processors may
allow information disclosure.
2024.1 IPU - Intel Atom Processor Advisory
A potential security vulnerability in some Intel Atom Processors
may allow information disclosure.
2024.1 IPU - Intel Xeon Processor Advisory
A potential security vulnerability in some 3rd and 4th Generation
Intel Xeon Processors when using Intel Software Guard Extensions (SGX)
or Intel Trust Domain Extensions (TDX) may allow escalation of
privilege.
2024.1 IPU OOB - Intel Xeon D Processor Advisory
A potential security vulnerability in some Intel Xeon D Processors
with Intel Software Guard Extensions (SGX) may allow information
disclosure.
Unbound 1.18.0 introduced a feature that removes EDE records from
responses with size higher than the client's advertised buffer size.
Before removing all the EDE records however, it would try to see if
trimming the extra text fields on those records would result in an
acceptable size while still retaining the EDE codes. Due to an
unchecked condition, the code that trims the text of the EDE records
could loop indefinitely. This happens when Unbound would reply with
attached EDE information on a positive reply and the client's buffer
size is smaller than the needed space to include EDE records.
The vulnerability can only be triggered when the 'ede: yes' option
is used; non default configuration.
crypto/x509: Verify panics on certificates with an
unknown public key algorithm
Verifying a certificate chain which contains a
certificate with an unknown public key algorithm will
cause Certificate.Verify to panic.
net/http: memory exhaustion in Request.ParseMultipartForm
When parsing a multipart form (either explicitly with
Request.ParseMultipartForm or implicitly with Request.FormValue,
Request.PostFormValue, or Request.FormFile), limits on the total
size of the parsed form were not applied to the memory consumed
while reading a single form line. This permitted a maliciously
crafted input containing very long lines to cause allocation of
arbitrarily large amounts of memory, potentially leading to memory
exhaustion.
net/http, net/http/cookiejar: incorrect forwarding
of sensitive headers and cookies on HTTP redirect
When following an HTTP redirect to a domain which
is not a subdomain match or exact match of the initial
domain, an http.Client does not forward sensitive headers
such as "Authorization" or "Cookie". For example, a
redirect from foo.com to www.foo.com will forward the
Authorization header, but a redirect to bar.com will not.
html/template: errors returned from MarshalJSON methods
may break template escaping
If errors returned from MarshalJSON methods contain user
controlled data, they may be used to break the contextual
auto-escaping behavior of the html/template package, allowing
for subsequent actions to inject unexpected content into
templates.
net/mail: comments in display names are incorrectly handled
The ParseAddressList function incorrectly handles comments
(text within parentheses) within display names. Since this is a
misalignment with conforming address parsers, it can result in
different trust decisions being made by programs using different
parsers.
On Linux, Node.js ignores certain environment variables if those
may have been set by an unprivileged user while the process is
running with elevated privileges with the only exception of
CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this
exception, Node.js incorrectly applies this exception even when
certain other capabilities have been set. This allows unprivileged
users to inject code that inherits the process's elevated
privileges.
curl inadvertently kept the SSL session ID for connections
in its cache even when the verify status (OCSP stapling)
test failed. A subsequent transfer to the same hostname
could then succeed if the session ID cache was still
fresh, which then skipped the verify status check.
[41495060] High CVE-2024-1669: Out of bounds memory access in Blink. Reported by Anonymous on 2024-01-26
[41481374] High CVE-2024-1670: Use after free in Mojo. Reported by Cassidy Kim(@cassidy6564) on 2023-12-06
[41487933] Medium CVE-2024-1671: Inappropriate implementation in Site Isolation. Reported by Harry Chen on 2024-01-03
[41485789] Medium CVE-2024-1672: Inappropriate implementation in Content Security Policy. Reported by Georg Felber (TU Wien) & Marco Squarcina (TU Wien) on 2023-12-19
[41490491] Medium CVE-2024-1673: Use after free in Accessibility. Reported by Weipeng Jiang (@Krace) of VRI on 2024-01-11
[40095183] Medium CVE-2024-1674: Inappropriate implementation in Navigation. Reported by David Erceg on 2019-05-27
[41486208] Medium CVE-2024-1675: Insufficient policy enforcement in Download. Reported by Bartà Âomiej Wacko on 2023-12-21
[40944847] Low CVE-2024-1676: Inappropriate implementation in Navigation. Reported by Khalil Zhani on 2023-11-21
Grafana has a
verify_email_enabled configuration option. When this option is enabled,
users are required to confirm their email addresses before the sign-up process
is complete. However, the email is only checked at the time of the sign-up.
No further verification is carried out if a userâÂÂs email address is updated
after the initial sign-up. Moreover, Grafana allows using an email address
as the userâÂÂs login name, and no verification is ever carried out for this email
address.
This means that even if the
verify_email_enabled configuration option is enabled, users can use
unverified email addresses to log into Grafana if the email address
has been changed after the sign up, or if an email address is set as the login
name.
The CVSS score for this vulnerability is [5.4 Medium] (CVSS).
CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155
when RFC 9276 guidance is skipped) allows remote attackers to cause
a denial of service (CPU consumption for SHA-1 computations) via
DNSSEC responses in a random subdomain attack, aka the "NSEC3"
issue. The RFC 5155 specification implies that an algorithm must
perform thousands of iterations of a hash function in certain
situations.
CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035,
6840, and related RFCs) allow remote attackers to cause a denial
of service (CPU consumption) via one or more DNSSEC responses, aka
the "KeyTrap" issue. One of the concerns is that, when
there is a zone with many DNSKEY and RRSIG records, the protocol
specification implies that an algorithm must evaluate all combinations
of DNSKEY and RRSIG records.
A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application
A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application
A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities
The jail(2) system call has not limited a visiblity of allocated
TTYs (the kern.ttys sysctl). This gives rise to an information
leak about processes outside the current jail.
Impact:
Attacker can get information about TTYs allocated on the host
or in other jails. Effectively, the information printed by "pstat
-t" may be leaked.
`bhyveload -h ` may be used to grant loader access
to the directory tree on the host. Affected versions
of bhyveload(8) do not make any attempt to restrict loader's access
to , allowing the loader to read any file the host user
has access to.
Impact:
In the bhyveload(8) model, the host supplies a userboot.so to
boot with, but the loader scripts generally come from the guest
image. A maliciously crafted script could be used to exfiltrate
sensitive data from the host accessible to the user running
bhyhveload(8), which is often the system root.
If DNSSEC validation is enabled, then an attacker who can force a
DNS server to validate a specially crafted signed domain can use a
lot of CPU in the validator. This only affects dnsmasq installations
with DNSSEC enabled.
Stichting NLnet Labs reports:
The KeyTrap [CVE-2023-50387] vulnerability works by using a
combination of Keys (also colliding Keys), Signatures and number of
RRSETs on a malicious zone. Answers from that zone can force a
DNSSEC validator down a very CPU intensive and time costly
validation path.
The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a
malicious zone with multiple NSEC3 RRSETs to force a DNSSEC
validator down a very CPU intensive and time costly NSEC3 hash
calculation path.
Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.
[...] it is in a routine that is predominantly used for development and
testing. It is not likely to appear in production code.
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files.
Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability
due to passing unvalidated input from a file into a string-type eval "eval".
Specifically, the issue stems from the evaluation of Number format strings
(not to be confused with printf-style format strings) within the Excel parsing logic.
phpMyFAQ doesn't implement sufficient checks to avoid XSS when
storing on attachments filenames. The 'sharing FAQ' functionality
allows any unauthenticated actor to misuse the phpMyFAQ application
to send arbitrary emails to a large range of targets. phpMyFAQ's
user removal page allows an attacker to spoof another user's
detail, and in turn make a compelling phishing case for removing
another user's account.
One step of a concurrent refresh command was run under
weak security restrictions. If a materialized view's
owner could persuade a superuser or other
high-privileged user to perform a concurrent refresh on
that view, the view's owner could control code executed
with the privileges of the user running REFRESH. The fix
for the vulnerability makes is so that all
user-determined code is run as the view's owner, as
expected.
Code execution and possible privilege escalation via
compromised InstalledVersions.php or installed.php.
Several files within the local working directory are
included during the invocation of Composer and in the
context of the executing user.
As such, under certain conditions arbitrary code
execution may lead to local privilege escalation, provide
lateral user movement or malicious code execution when
Composer is invoked within a directory with tampered
files.
All Composer CLI commands are affected, including
composer.phar's self-update.
A vulnerability in the OLE2 file format parser of ClamAV
could allow an unauthenticated, remote attacker to cause
a denial of service (DoS) condition on an affected
device. This vulnerability is due to an incorrect check
for end-of-string values during scanning, which may
result in a heap buffer over-read. An attacker could
exploit this vulnerability by submitting a crafted file
containing OLE2 content to be scanned by ClamAV on an
affected device. A successful exploit could allow the
attacker to cause the ClamAV scanning process to
terminate, resulting in a DoS condition on the affected
software and consuming available system resources.
CVE-2024-20328
Fixed a possible command injection vulnerability in the
"VirusEvent" feature of ClamAV's ClamD
service. To fix this issue, we disabled the '%f' format
string parameter. ClamD administrators may continue to
use the `CLAM_VIRUSEVENT_FILENAME` environment variable,
instead of '%f'. But you should do so only from within
an executable, such as a Python script, and not directly
in the clamd.conf "VirusEvent" command.
[1514925] Medium CVE-2024-0805: Inappropriate implementation in Downloads. Reported by Om Apip on 2024-01-01
[1515137] Medium CVE-2024-0804: Insufficient policy enforcement in iOS Security UI. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2024-01-03
[1494490] Low CVE-2024-0811: Inappropriate implementation in Extensions API. Reported by Jann Horn of Google Project Zero on 2023-10-21
[1497985] Low CVE-2024-0809: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-10-31
In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product
was renamed), there is an unchecked buffer size during a memcpy in
the Lizard_decompress_LIZv1 function (lib/lizard_decompress_liz.h).
Remote attackers can leverage this vulnerability to cause a denial
of service via a crafted input file, as well as achieve remote code
execution.
CVE-2023-45286: HTTP request body disclosure in go-resty
disclosure across requests.
CVE-2023-48795: The SSH transport protocol with certain
OpenSSH extensions, found in OpenSSH before 9.6 and
other products, allows remote attackers to bypass
integrity checks.
CVE-2023-6816: Heap buffer overflow in DeviceFocusEvent
and ProcXIQueryPointer
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit
for each logical button currently down. Buttons can be arbitrarily
mapped to any value up to 255 but the X.Org Server was only
allocating space for the device's number of buttons,
leading to a heap overflow if a bigger value was used.
CVE-2024-0229: Reattaching to different master device may lead
to out-of-bounds memory access
If a device has both a button class and a key class and
numButtons is zero, we can get an out-of-bounds write due
to event under-allocation in the DeliverStateNotifyEvent
function.
CVE-2024-21885: Heap buffer overflow in
XISendDeviceHierarchyEvent
The XISendDeviceHierarchyEvent() function allocates space to
store up to MAXDEVICES (256) xXIHierarchyInfo structures in info.
If a device with a given ID was removed and a new device with
the same ID added both in the same operation,
the single device ID will lead to two info structures being
written to info.
Since this case can occur for every device ID at once,
a total of two times MAXDEVICES info structures might be written
to the allocation, leading to a heap buffer overflow.
CVE-2024-21886: Heap buffer overflow in DisableDevice
The DisableDevice() function is called whenever an enabled device
is disabled and it moves the device from the inputInfo.devices
linked list to the inputInfo.off_devices linked list.
However, its link/unlink operation has an issue during the recursive
call to DisableDevice() due to the prev pointer pointing to a
removed device.
This issue leads to a length mismatch between the total number of
devices and the number of device in the list, leading to a heap
overflow and, possibly, to local privilege escalation.
The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications running
on PowerPC CPU based platforms if the CPU provides vector instructions.
A potential integer overflow has been discovered in Qt's HTTP2
implementation. If the HTTP2 implementation receives more than 4GiB
in total headers, or more than 2GiB for any given header pair, then
the internal buffers may overflow.
The SSH protocol executes an initial handshake between the
server and the client. This protocol handshake includes the
possibility of several extensions allowing different options to be
selected. Validation of the packets in the handshake is done through
sequence numbers.
Impact:
A man in the middle attacker can silently manipulate handshake
messages to truncate extension negotiation messages potentially
leading to less secure client authentication algorithms or deactivating
keystroke timing attack countermeasures.
CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore "--fragment" configuration in some circumstances, leading to a division by zero when "--fragment" is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash.
Reported by Niccolo Belli and WIPocket (Github #400, #417).
CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)
Slurm versions 23.11.1, 23.02.7, 22.05.11 are now available
and address a number of recently-discovered security issues.
They've been assigned CVE-2023-49933 through CVE-2023-49938.
PuTTY version 0.80 [contains] one security fix [...] for a newly discovered security issue known as the 'Terrapin'
attack, also numbered CVE-2023-48795. The issue affects widely-used
OpenSSH extensions to the SSH protocol: the ChaCha20+Poly1305
cipher system, and 'encrypt-then-MAC' mode.
In order to benefit from the fix, you must be using a fixed version
of PuTTY _and_ a server with the fix, so that they can agree to
adopt a modified version of the protocol. [...]
Design documents with matching document IDs, from databases on the
same cluster, may share a mutable Javascript environment when using
various design document functions.
As part of its stateful TCP connection tracking implementation,
pf performs sequence number validation on inbound packets. This
makes it difficult for a would-be attacker to spoof the sender and
inject packets into a TCP stream, since crafted packets must contain
sequence numbers which match the current connection state to avoid
being rejected by the firewall.
A bug in the implementation of sequence number validation means
that the sequence number is not in fact validated, allowing an
attacker who is able to impersonate the remote host and guess the
connection's port numbers to inject packets into the TCP stream.
Impact:
An attacker can, with relatively little effort, inject packets
into a TCP stream destined to a host behind a pf firewall. This
could be used to implement a denial-of-service attack for hosts
behind the firewall, for example by sending TCP RST packets to the
host.
In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve
the performance of IO_APPEND writes, that is, writes which add data
to the end of a file and so extend its size. This uncovered an old
bug in some routines which copy userspace data into the kernel.
The bug also affects the NFS client's implementation of direct I/O;
however, this implementation is disabled by default by the
vfs.nfs.nfs_directio_enable sysctl and is only used to handle
synchronous writes.
Impact:
When a program running on an affected system appends data to a
file via an NFS client mount, the bug can cause the NFS client to
fail to copy in the data to be written but proceed as though the
copy operation had succeeded. This means that the data to be written
is instead replaced with whatever data had been in the packet buffer
previously. Thus, an unprivileged user with access to an affected
system may abuse the bug to trigger disclosure of sensitive
information. In particular, the leak is limited to data previously
stored in mbufs, which are used for network transmission and
reception, and for certain types of inter-process communication.
The bug can also be triggered unintentionally by system
applications, in which case the data written by the application to an
NFS mount may be corrupted. Corrupted data is written over the
network to the NFS server, and thus also susceptible to being snooped
by other hosts on the network.
Note that the bug exists only in the NFS client; the version and
implementation of the server has no effect on whether a given system
is affected by the problem.
CVE-2023-6377/ZDI-CAN-22412/ZDI-CAN-22413: X.Org
server: Out-of-bounds memory write in XKB button actions
A device has XKB button actions for each button on the
device. When a logical device switch happens (e.g. moving
from a touchpad to a mouse), the server re-calculates the
information available on the respective master device
(typically the Virtual Core Pointer). This re-calculation
only allocated enough memory for a single XKB action
rather instead of enough for the newly active physical
device's number of button. As a result, querying or
changing the XKB button actions results in out-of-bounds
memory reads and writes.
This may lead to local privilege escalation if the server is run as root or
remote code execution (e.g. x11 over ssh).
CVE-2023-6478/ZDI-CAN-22561: X.Org server:
Out-of-bounds memory read in RRChangeOutputProperty and
RRChangeProviderProperty
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->nUnits bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.
Authorization Bypass Through User-Controlled Key vulnerability in
Apache ZooKeeper. If SASL Quorum Peer authentication is enabled
in ZooKeeper (quorum.auth.enableSasl=true), the authorization is
done by verifying that the instance part in SASL authentication ID
is listed in zoo.cfg server list. The instance part in SASL auth
ID is optional and if it's missing, like 'eve@EXAMPLE.COM',
the authorization check will be skipped.As a result an arbitrary
endpoint could join the cluster and begin propagating counterfeit
changes to the leader, essentially giving it complete read-write
access to the data tree.Quorum Peer authentication is not enabled
by default.
Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2,
which fixes the issue.
Alternately ensure the ensemble election/quorum communication is
protected by a firewall as this will mitigate the issue.
See the documentation for more details on correct cluster administration.
strongSwan before 5.9.12 has a buffer overflow and possible
unauthenticated remote code execution via a DH public value that
exceeds the internal buffer in charon-tkm's DH proxy. The
earliest affected version is 5.3.0. An attack can occur via a
crafted IKE_SA_INIT message.
A denial of service attack can be performed on Varnish Cache servers
that have the HTTP/2 protocol turned on. An attacker can create a large
volume of streams and immediately reset them without ever reaching the
maximum number of concurrent streams allowed for the session, causing
the Varnish server to consume unnecessary resources processing requests
for which the response will not be delivered.
Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server.
A vulnerability in charon-tkm related to processing
DH public values was discovered in strongSwan
that can result in a buffer overflow and potentially
remote code execution. All versions since
5.3.0 are affected.
Weak Authentication in Session Handling in typo3/cms-core:
In typo3 installations there are always
at least two different sites. Eg. first.example.org and
second.example.com. In affected versions a session cookie
generated for the first site can be reused on the second site
without requiring additional authentication. This
vulnerability has been addressed in versions 8.7.55, 9.5.44,
10.4.41, 11.5.33, and 12.4.8. Users are advised to upgrade.
There are no known workarounds for this vulnerability.
Information Disclosure in Install Tool in typo3/cms-install:
In affected versions the login screen of the standalone
install tool discloses the full path of the transient data
directory (e.g. /var/www/html/var/transient/). This applies
to composer-based scenarios only - classic non-composer
installations are not affected. This issue has been addressed
in version 12.4.8. Users are advised to upgrade. There are
no known workarounds for this vulnerability.
By-passing Cross-Site Scripting Protection in HTML Sanitizer:
In affected versions DOM processing instructions are not
handled correctly. This allows bypassing the cross-site
scripting mechanism of typo3/html-sanitizer. This
vulnerability has been addressed in versions 1.5.3 and 2.1.4.
Users are advised to upgrade. There are no known workarounds
for this vulnerability.
While modifying certain SQL array values, missing
overflow checks let authenticated database users write
arbitrary bytes to a memory area that facilitates
arbitrary code execution. Missing overflow checks also
let authenticated database users read a wide area of
server memory. The CVE-2021-32027 fix covered some
attacks of this description, but it missed others.
Certain aggregate function calls receiving "unknown"-type
arguments could disclose bytes of server memory from the end of
the "unknown"-type value to the next zero byte. One typically
gets an "unknown"-type value via a string literal having no type
designation. We have not confirmed or ruled out viability of
attacks that arrange for presence of notable, confidential
information in disclosed bytes.
Documentation says the pg_cancel_backend role cannot
signal "a backend owned by a superuser". On the
contrary, it can signal background workers, including
the logical replication launcher. It can signal
autovacuum workers and the autovacuum launcher.
Signaling autovacuum workers and those two launchers
provides no meaningful exploit, so exploiting this
vulnerability requires a non-core extension with a
less-resilient background worker. For example, a
non-core background worker that does not auto-restart
would experience a denial of service with respect to
that particular background worker.
Multiple signed integers overflow in function au_read_header in
src/au.c and in functions mat4_open and mat4_read_header in src/mat4.c
in Libsndfile, allows an attacker to cause Denial of Service or
other unspecified impacts.
For line-buffered streams the __sflush() function did not
correctly update the FILE object's write space member when the
write(2) system call returns an error.
Impact:
Depending on the nature of an application that calls libc's
stdio functions and the presence of errors returned from the write(2)
system call (or an overridden stdio write routine) a heap buffer
overfly may occur. Such overflows may lead to data corruption or
the execution of arbitrary code at the privilege level of the calling
program.
[1497859] High CVE-2023-5996: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab via Tianfu Cup 2023 on 2023-10-30
Excessive time spent in DH check / generation with large Q
parameter value (low).
Generating excessively long X9.42 DH keys or checking
excessively long X9.42 DH keys or parameters may be very slow.
Casper services allow limiting operations that a process can
perform. Each service maintains a specific list of permitted
operations. Certain operations can be further restricted, such as
specifying which domain names can be resolved. During the verification
of limits, the service must ensure that the new set of constraints
is a subset of the previous one. In the case of the cap_net service,
the currently limited set of domain names was fetched incorrectly.
Impact:
In certain scenarios, if only a list of resolvable domain names
was specified without setting any other limitations, the application
could submit a new list of domains including include entries not
previously in the list.
[1492698] High CVE-2023-5480: Inappropriate implementation in Payments. Reported by Vsevolod Kokorin (Slonser) of Solidlab on 2023-10-14
[1492381] High CVE-2023-5482: Insufficient data validation in USB. Reported by DarkNavy on 2023-10-13
[1492384] High CVE-2023-5849: Integer overflow in USB. Reported by DarkNavy on 2023-10-13
[1281972] Medium CVE-2023-5850: Incorrect security UI in Downloads. Reported by Mohit Raj (shadow2639) on 2021-12-22
[1473957] Medium CVE-2023-5851: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-08-18
[1480852] Medium CVE-2023-5852: Use after free in Printing. Reported by [pwn2car] on 2023-09-10
[1456876] Medium CVE-2023-5853: Incorrect security UI in Downloads. Reported by Hafiizh on 2023-06-22
[1488267] Medium CVE-2023-5854: Use after free in Profiles. Reported by Dohyun Lee (@l33d0hyun) of SSD-Disclosure Labs & DNSLab, Korea Univ on 2023-10-01
[1492396] Medium CVE-2023-5855: Use after free in Reading Mode. Reported by ChaobinZhang on 2023-10-13
[1493380] Medium CVE-2023-5856: Use after free in Side Panel. Reported by Weipeng Jiang (@Krace) of VRI on 2023-10-17
[1493435] Medium CVE-2023-5857: Inappropriate implementation in Downloads. Reported by Will Dormann on 2023-10-18
[1457704] Low CVE-2023-5858: Inappropriate implementation in WebApp Provider. Reported by Axel Chong on 2023-06-24
[1482045] Low CVE-2023-5859: Incorrect security UI in Picture In Picture. Reported by Junsung Lee on 2023-09-13
Running optipng with the "-zm 3 -zc 1 -zw 256 -snip -out"
configuration options enabled raises a global-buffer-overflow bug,
which could allow a remote attacker to conduct a denial-of-service
attack or other unspecified effect on a crafted file.
A specially-crafted SSL packet could cause Zeek to
leak memory and potentially crash.
A specially-crafted series of FTP packets could cause
Zeek to log entries for requests that have already been
completed, using resources unnecessarily and potentially
causing Zeek to lose other traffic.
A specially-crafted series of SSL packets could cause
Zeek to output a very large number of unnecessary alerts
for the same record.
A specially-crafted series of SSL packets could cause
Zeek to generate very long ssl_history fields in the
ssl.log, potentially using a large amount of memory due
to unbounded state growth
A specially-crafted IEEE802.11 packet could cause
Zeek to overflow memory and potentially crash
ZDI-CAN-22153/CVE-2023-5367: X.Org server: OOB write
in XIChangeDeviceProperty/RRChangeOutputProperty
When prepending values to an existing property an
invalid offset calculation causes the existing values to
be appended at the wrong offset. The resulting memcpy()
would write into memory outside the heap-allocated
array.
ZDI-CAN-21608/CVE-2023-5380: Use-after-free bug in
DestroyWindow
This vulnerability requires a legacy multi-screen setup
with multiple protocol screens ("Zaphod"). If the pointer
is warped from one screen to the root window of the other
screen, the enter/leave code may retain a reference to the
previous pointer window. Destroying this window leaves
that reference in place, other windows may then trigger a
use-after-free bug when they are destroyed.
Moderate severity: A bug has been identified in the processing
of key and initialisation vector (IV) lengths. This can lead to
potential truncation or overruns during the initialisation of
some symmetric ciphers.
This Critical Patch Update contains 37 new security patches, plus
additional third party patches noted below, for Oracle MySQL. 9 of
these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without
requiring user credentials.
The wrong order of listen(2) and chmod(2) calls creates a
race condition that can be used by another process to
bypass desired Unix socket permissions on startup.
CVE-2023-41259 SECURITY: RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface.
CVE-2023-41260 SECURITY: RT is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST interface.
CVE-2023-45024 SECURITY: RT 5.0 is vulnerable to information leakage via transaction searches made by authenticated users in the transaction query builder.
CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer
An out-of-bounds read is located in ParseComment() when reading from
a memory buffer instead of a file, as it continued to look for the
closing comment marker past the end of the buffer.
CVE-2023-43789: Out of bounds read on XPM with corrupted colormap
A corrupted colormap section may cause libXpm to read out of bounds.
CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
When libX11 is processing the reply from the X server to the XkbGetMap
request, if it detected the number of symbols in the new map was less
than the size of the buffer it had allocated, it always added room for
128 more symbols, instead of the actual size needed. While the
_XkbReadBufferCopyKeySyms() helper function returned an error if asked
to copy more keysyms into the buffer than there was space allocated for,
the caller never checked for an error and assumed the full set of keysyms
was copied into the buffer and could then try to read out of bounds when
accessing the buffer. libX11 1.8.7 has been patched to both fix the size
allocated and check for error returns from _XkbReadBufferCopyKeySyms().
CVE-2023-43786: stack exhaustion in XPutImage
When splitting a single line of pixels into chunks that fit in a single
request (not using the BIG-REQUESTS extension) to send to the X server,
the code did not take into account the number of bits per pixel, so would
just loop forever finding it needed to send more pixels than fit in the
given request size and not breaking them down into a small enough chunk to
fit. An XPM file was provided that triggered this bug when loaded via
libXpm's XpmReadFileToPixmap() function, which in turn calls XPutImage()
and hit this bug.
CVE-2023-43787: integer overflow in XCreateImage() leading to a heap overflow
When creating an image, there was no validation that the multiplication
of the caller-provided width by the visual's bits_per_pixel did not
overflow and thus result in the allocation of a buffer too small to hold
the data that would be copied into it. An XPM file was provided that
triggered this bug when loaded via libXpm's XpmReadFileToPixmap() function,
which in turn calls XCreateImage() and hit this bug.i
This flaw makes curl overflow a heap based buffer in the
SOCKS5 proxy handshake. When curl is asked to pass along
the hostname to the SOCKS5 proxy to allow that to resolve
the address instead of it getting done by curl itself, the
maximum length that hostname can be is 255 bytes. If the
hostname is detected to be longer than 255 bytes, curl
switches to local name resolving and instead passes on the
resolved address only to the proxy. Due to a bug, the
local variable that means "let the host resolve the name"
could get the wrong value during a slow SOCKS5 handshake,
and contrary to the intention, copy the too long hostname
to the target buffer instead of copying just the resolved
address there.
H2O is vulnerable to the HTTP/2 Rapid Reset attack.
An attacker might be able to consume more than adequate amount of
processing power of h2o and the backend servers by mounting the
attack.
The specific flaw exists within the parsing of SPF macros.
When parsing SPF macros, the process does not properly
validate user-supplied data, which can result in an integer
underflow before writing to memory. An attacker can leverage
this vulnerability to execute code in the context of the
service account.
The syscall checked only for the CAP_READ and CAP_WRITE
capabilities on the input and output file descriptors, respectively.
Using an offset is logically equivalent to seeking, and the syscall
must additionally require the CAP_SEEK capability.
Impact:
A sandboxed process with only read or write but no seek capability
on a file descriptor may be able to read data from or write data
to an arbitrary location within the file corresponding to that file
descriptor.
In certain cases using the truncate or ftruncate system call
to extend a file size populates the additional space in the file
with unallocated data from the underlying disk device, rather than
zero bytes.
Impact:
A user with write access to files on a msdosfs file system may
be able to read unintended data (for example, from a previously
deleted file).
Description: Users publishing a composer.phar to a
public web-accessible server where the composer.phar can
be executed as a php file may be impacted if PHP also has
register_argc_argv enabled in php.ini.
Workaround: Make sure register_argc_argv is disabled
in php.ini, and avoid publishing composer.phar to the web
as this really should not happen.
Access to the font glyphs in xrdp_painter.c is not bounds-checked.
Since some of this data is controllable by the user, this can result
in an out-of-bounds read within the xrdp executable. The vulnerability
allows an out-of-bounds read within a potentially privileged process.
On non-Debian platforms, xrdp tends to run as root. Potentially an
out-of-bounds write can follow the out-of-bounds read. There is no
denial-of-service impact, providing xrdp is running in forking mode. This
issue has been addressed in release 0.9.23.1. Users are advised to upgrade.
There are no known workarounds for this vulnerability.
In versions prior to 0.9.23 improper handling of session establishment
errors allows bypassing OS-level session restrictions. The `auth_start_session`
function can return non-zero (1) value on, e.g., PAM error which may result
in session restrictions such as max concurrent sessions per user by PAM
(ex ./etc/security/limits.conf) to be bypassed. Users (administrators) don't
use restrictions by PAM are not affected. This issue has been addressed in
release version 0.9.23. Users are advised to upgrade. There are no known
workarounds for this issue.
NLnet Labs Routinator 0.9.0 up to and including 0.12.1 contains a
possible path traversal vulnerability in the optional, off-by-default
keep-rrdp-responses feature that allows users to store the content
of responses received for RRDP requests. The location of these
stored responses is constructed from the URL of the request. Due
to insufficient sanitation of the URL, it is possible for an attacker
to craft a URL that results in the response being stored outside
of the directory specified for it.
Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187
allowed a remote attacker to perform an out of bounds memory write
via a crafted HTML page. (Chromium security severity: Critical)
The Tor browser is based on Firefox and GeckoView and uses also
libwep so it is affected by this bug.
This release fixes two issues in Routinator that can be exploited
remotely by rogue RPKI CAs and repositories. We therefore advise all
users of Routinator to upgrade to this release at their earliest
convenience.
The first issue, CVE-2022-39915, can lead to Routinator crashing
when trying to decode certain illegal RPKI objects.
The second issue, CVE-2022-39916, only affects users that have the
rrdp-keep-responses option enabled which allows storing all received
RRDP responses on disk. Because the file name for these responses is
derived from the URI and the path wasn't checked properly, a RRDP URI
could be constructed that results in the response stored outside the
directory, possibly overwriting existing files.
Visual Studio Code Remote Code Execution Vulnerability
A remote code execution vulnerability exists in VS Code 1.82.0 and earlier versions that working in a maliciously crafted package.json can result in executing commands locally. This scenario would require the attacker to get the VS Code user to open the malicious project and have get the user to open and work with malformed entries in the dependencies sections of the package.json file.
VS Code uses the locally installed npm command to fetch information on package dependencies. A package dependency can be named in such a way that the npm tool runs a script instead.
When curl retrieves an HTTP response, it stores the
incoming headers so that they can be accessed later via
the libcurl headers API.
However, curl did not have a limit in how many or how
large headers it would accept in a response, allowing a
malicious server to stream an endless series of headers
and eventually cause curl to run out of heap memory.
[1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoüs Munk School on 2023-09-06
[1430867] Medium CVE-2023-4900: Inappropriate implementation in Custom Tabs. Reported by Levit Nudi from Kenya on 2023-04-06
[1459281] Medium CVE-2023-4901: Inappropriate implementation in Prompts. Reported by Kang Ali on 2023-06-29
[1454515] Medium CVE-2023-4902: Inappropriate implementation in Input. Reported by Axel Chong on 2023-06-14
[1446709] Medium CVE-2023-4903: Inappropriate implementation in Custom Mobile Tabs. Reported by Ahmed ElMasry on 2023-05-18
[1453501] Medium CVE-2023-4904: Insufficient policy enforcement in Downloads. Reported by Tudor Enache @tudorhacks on 2023-06-09
[1441228] Medium CVE-2023-4905: Inappropriate implementation in Prompts. Reported by Hafiizh on 2023-04-29
[1449874] Low CVE-2023-4906: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2023-05-30
[1462104] Low CVE-2023-4907: Inappropriate implementation in Intents. Reported by Mohit Raj (shadow2639) on 2023-07-04
[1451543] Low CVE-2023-4908: Inappropriate implementation in Picture in Picture. Reported by Axel Chong on 2023-06-06
[1463293] Low CVE-2023-4909: Inappropriate implementation in Interstitials. Reported by Axel Chong on 2023-07-09
File extraction limits were not correctly enforced
for files containing large amounts of missing bytes.
Sessions are sometimes not cleaned up completely
within Zeek during shutdown, potentially causing a crash
when using the -B dpd flag for debug logging.
A specially-crafted HTTP packet can cause Zeek's
filename extraction code to take a long time to process
the data.
A specially-crafted series of FTP packets made up of
a CWD request followed by a large amount of ERPT requests
may cause Zeek to spend a long time logging the commands.
A specially-crafted VLAN packet can cause Zeek to
overflow memory and potentially crash.
Redis does not correctly identify keys accessed by SORT_RO
and, as a result, may grant users executing this command
access to keys that are not explicitly authorized by the
ACL configuration.
The net80211 subsystem would fallback to the multicast key for unicast
traffic in the event the unicast key was removed. This would result in
buffered unicast traffic being exposed to any stations with access to the
multicast key.
Impact:
As described in the "Framing Frames: Bypassing Wi-Fi Encryption by
Manipulating Transmit Queues" paper, an attacker can induce an access point
to buffer frames for a client, deauthenticate the client (causing the unicast
key to be removed from the access point), and subsequent flushing of the
buffered frames now encrypted with the multicast key. This would give the
attacker access to the data.
gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable
to a bypass of the TLS handshake and included protections (like certificate
verification) and treating sent unencrypted data as if it were post-handshake
TLS encrypted data.
The go.mod toolchain directive, introduced in Go 1.21,
could be leveraged to execute scripts and binaries
relative to the root of the module when the "go" command
was executed within the module. This applies to modules
downloaded using the "go" command from the module proxy,
as well as modules downloaded directly using VCS software.
html/template: improper handling of HTML-like comments
within script contexts
The html/template package did not properly handle
HMTL-like ""
comment tokens, nor hashbang "#!" comment tokens, in
crypto/tls: panic when processing post-handshake message
on QUIC connections
Processing an incomplete post-handshake message for a QUIC
connection caused a panic.
With a 'scrub fragment reassemble' rule, a packet containing multiple IPv6
fragment headers would be reassembled, and then immediately processed. That
is, a packet with multiple fragment extension headers would not be recognized
as the correct ultimate payload. Instead a packet with multiple IPv6 fragment
headers would unexpectedly be interpreted as a fragmented packet, rather than
as whatever the real payload is.
Impact:
IPv6 fragments may bypass firewall rules written on the assumption all
fragments have been reassembled and, as a result, be forwarded or processed
by the host.
This affects all versions of package Flask-Security.
When using the `get_post_logout_redirect` and `get_post_login_redirect` functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as `\\\evil.com/path`.
This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using `'autocorrect_location_header=False`.
**Note:** Flask-Security is not maintained anymore.
A stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface.
A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials.
The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled.
For page, the vulnerability is in the "Choose a parent page" ModelAdmin view, available when managing pages via ModelAdmin.
For documents, the vulnerability is in the ModelAdmin Inspect view when displaying document fields.
Treq's request methods (`treq.get`, `treq.post`, `HTTPClient.request`, `HTTPClient.get`, etc.) accept cookies as a dictionary.
Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies").
This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`.
HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage.
Before 3.1.0, HTTPie didn't distinguish between cookies and hosts they belonged.
This behavior resulted in the exposure of some cookies when there are redirects originating from the actual host to a third party website.
Users are advised to upgrade.
There are no known workarounds.
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository httpie/httpie prior to 3.1.0.
The server may cause ssh-agent to load shared libraries other than
those required for PKCS#11 support. These shared libraries may have
side effects that occur on load and unload (dlopen and dlclose).
Impact:
An attacker with access to a server that accepts a forwarded
ssh-agent connection may be able to execute code on the machine running
ssh-agent. Note that the attack relies on properties of operating
system-provided libraries. This has been demonstrated on other
operating systems; it is unknown whether this attack is possible using
the libraries provided by a FreeBSD installation.
When the built-in HTTP proxy downloader middleware processes a request with `proxy` metadata, and that `proxy` metadata includes proxy credentials, the built-in HTTP proxy downloader middleware sets the `Proxy-Authentication` header, but only if that header is not already set.
There are third-party proxy-rotation downloader middlewares that set different `proxy` metadata every time they process a request.
Because of request retries and redirects, the same request can be processed by downloader middlewares more than once, including both the built-in HTTP proxy downloader middleware and any third-party proxy-rotation downloader middleware.
These third-party proxy-rotation downloader middlewares could change the `proxy` metadata of a request to a new value, but fail to remove the `Proxy-Authentication` header from the previous value of the `proxy` metadata, causing the credentials of one proxy to be leaked to a different proxy.
If you rotate proxies from different proxy providers, and any of those proxies requires credentials, you are affected, unless you are handling proxy rotation as described under **Workarounds** below.
If you use a third-party downloader middleware for proxy rotation, the same applies to that downloader middleware, and installing a patched version of Scrapy may not be enough;
patching that downloader middlware may be necessary as well.
A memory exhaustion bug exists in Wagtail's handling of uploaded images and documents.
For both images and documents, files are loaded into memory during upload for additional processing.
A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service.
The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
It can only be exploited by admin users with permission to upload images or documents.
Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code.
Each fragment of an IPv6 packet contains a fragment header which
specifies the offset of the fragment relative to the original packet,
and each fragment specifies its length in the IPv6 header. When
reassembling the packet, the kernel calculates the complete IPv6 payload
length. The payload length must fit into a 16-bit field in the IPv6
header.
Due to a bug in the kernel, a set of carefully crafted packets can
trigger an integer overflow in the calculation of the reassembled
packet's payload length field.
Impact:
Once an IPv6 packet has been reassembled, the kernel continues
processing its contents. It does so assuming that the fragmentation
layer has validated all fields of the constructed IPv6 header. This bug
violates such assumptions and can be exploited to trigger a remote
kernel panic, resulting in a denial of service.
When GELI reads a key file from a standard input, it doesn't store it
anywhere. If the user tries to initialize multiple providers at once,
for the second and subsequent devices the standard input stream will be
already empty. In this case, GELI silently uses a NULL key as the user
key file. If the user used only a key file without a user passphrase,
the master key was encrypted with an empty key file. This might not be
noticed if the devices were also decrypted in a batch operation.
Impact:
Some GELI providers might be silently encrypted with a NULL key
file.
pam_krb5 authenticates the user by essentially running kinit(1) with
the password, getting a `ticket-granting ticket' (tgt) from the Kerberos
KDC (Key Distribution Center) over the network, as a way to verify the
password.
Normally, the system running the pam_krb5 module will also have a
keytab, a key provisioned by the KDC. The pam_krb5 module will use the
tgt to get a service ticket and validate it against the keytab, ensuring
the tgt is valid and therefore, the password is valid.
However, if a keytab is not provisioned on the system, pam_krb5 has
no way to validate the response from the KDC, and essentially trusts the
tgt provided over the network as being valid.
Impact:
In a non-default FreeBSD installation that leverages pam_krb5 for
authentication and does not have a keytab provisioned, an attacker that
is able to control both the password and the KDC responses can return a
valid tgt, allowing authentication to occur for any user on the
system.
Scrapy 1.4 allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.
The Flask-Caching extension through 2.0.2 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation.
If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code.
Multiple security vulnerabilities have been discovered in the Heimdal
implementation of the Kerberos 5 network authentication
protocols and KDC.
CVE-2022-42898 PAC parse integer overflows
CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
CVE-2019-14870 Validate client attributes in protocol-transition
CVE-2019-14870 Apply forwardable policy in protocol-transition
CVE-2019-14870 Always lookup impersonate client in DB
Impact:
A malicious actor with control of the network between a client and a
service using Kerberos for authentication can impersonate either the
client or the service, enabling a man-in-the-middle (MITM) attack
circumventing mutual authentication.
Note that, while CVE-2022-44640 is a severe vulnerability, possibly
enabling remote code execution on other platforms, the version of
Heimdal included with the FreeBSD base system cannot be exploited in
this way on FreeBSD.
ping reads raw IP packets from the network to process responses in
the pr_pack() function. As part of processing a response ping has to
reconstruct the IP header, the ICMP header and if present a "quoted
packet," which represents the packet that generated an ICMP error.
The quoted packet again has an IP header and an ICMP header.
The pr_pack() copies received IP and ICMP headers into stack buffers
for further processing. In so doing, it fails to take into account the
possible presence of IP option headers following the IP header in either
the response or the quoted packet. When IP options are present,
pr_pack() overflows the destination buffer by up to 40 bytes.
Impact:
The memory safety bugs described above can be triggered by a remote
host, causing the ping program to crash.
The ping process runs in a capability mode sandbox on all affected
versions of FreeBSD and is thus very constrained in how it can interact
with the rest of the system at the point where the bug can occur.
Responses from domain names whose public domain name suffix contains 1 or more periods (e.g. responses from `example.co.uk`, given its public domain name suffix is `co.uk`) are able to set cookies that are included in requests to any other domain sharing the same domain name suffix.
The fwctl driver implements a state machine which is executed when
the guest accesses certain x86 I/O ports. The interface lets the guest
copy a string into a buffer resident in the bhyve process' memory. A
bug in the state machine implementation can result in a buffer
overflowing when copying this string.
Impact:
A malicious, privileged software running in a guest VM can exploit
the buffer overflow to achieve code execution on the host in the bhyve
userspace process, which typically runs as root. Note that bhyve runs
in a Capsicum sandbox, so malicious code is constrained by the
capabilities available to the bhyve process.
A flaw in the cryptographic authentication scheme in Borg allowed an attacker to fake archives and potentially indirectly cause backup data loss in the repository.
The attack requires an attacker to be able to
insert files (with no additional headers) into backups
gain write access to the repository
This vulnerability does not disclose plaintext to the attacker, nor does it affect the authenticity of existing archives. Creating plausible fake archives may be feasible for empty or small archives, but is unlikely for large archives.
A vulnerability was found in django-photologue up to 3.15.1 and classified as problematic.
Affected by this issue is some unknown functionality of the file photologue/templates/photologue/photo_detail.html of the component Default Template Handler.
The manipulation of the argument object.caption leads to cross site scripting.
The attack may be launched remotely.
Upgrading to version 3.16 is able to address this issue.
The name of the patch is 960cb060ce5e2964e6d716ff787c72fc18a371e7.
It is recommended to apply a patch to fix this issue.
VDB-215906 is the identifier assigned to this vulnerability.
X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING.
Timing Oracle in RSA Decryption (CVE-2022-4304)
A timing based side channel exists in the OpenSSL RSA Decryption
implementation.
Use-after-free following BIO_new_NDEF (CVE-2023-0215)
The public API function BIO_new_NDEF is a helper function used for streaming
ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support
the SMIME, CMS and PKCS7 streaming capabilities, but may also be called
directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter
BIO onto the front of it to form a BIO chain, and then returns the new head
of the BIO chain to the caller. Under certain conditions, for example if a
CMS recipient public key is invalid, the new filter BIO is freed and the
function returns a NULL result indicating a failure. However, in this case,
the BIO chain is not properly cleaned up and the BIO passed by the caller
still retains internal pointers to the previously freed filter BIO.
Double free after calling PEM_read_bio_ex (CVE-2022-4450)
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data. In
this case PEM_read_bio_ex() will return a failure code but will populate the
header argument with a pointer to a buffer that has already been freed.
Impact:
X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.
Timing Oracle in RSA Decryption (CVE-2022-4304)
A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OEAP and RSASVE.
Use-after-free following BIO_new_NDEF (CVE-2023-0215)
A use-after-free will occur under certain conditions. This will most likely
result in a crash.
Double free after calling PEM_read_bio_ex (CVE-2022-4450)
A double free may occur. This will most likely lead to a crash. This could be
exploited by an attacker who has the ability to supply malicious PEM files
for parsing to achieve a denial of service attack.
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
Ben Caller reports:
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions.
Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS.
By crafting malicious input, an attacker can cause a denial of service.
When using ssh-add(1) to add smartcard keys to ssh-agent(1) with
per-hop destination constraints, a logic error prevented the constraints
from being sent to the agent resulting in keys being added to the agent
without constraints.
Impact:
A malicious server could leverage the keys provided by a forwarded
agent that would normally not be allowed due to the logic error.
The API should only return the real Mail of a User, if the
caller is logged in. The check do to this don't work. This PR
fixes this. This not really a security issue, but can lead to
Spam.
This Critical Patch Update contains 24 new security patches for Oracle
MySQL. 11 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring
user credentials.
When issuing a ticket for a TGS renew or validate request, copy
only the server field from the outer part of the header ticket
to the new ticket. Copying the whole structure causes the
enc_part pointer to be aliased to the header ticket until
krb5_encrypt_tkt_part() is called, resulting in a double-free
if handle_authdata() fails..
PostgreSQL 15 introduced the MERGE command, which fails to test
new rows against row security policies defined for UPDATE and
SELECT. If UPDATE and SELECT policies forbid some row that
INSERT policies do not forbid, a user could store such rows.
Subsequent consequences are application-dependent. This
affects only databases that have used CREATE POLICY to define
a row security policy.
An extension script is vulnerable if it uses @extowner@,
@extschema@, or @extschema:...@ inside a quoting construct
(dollar quoting, '', or ""). No bundled extension is
vulnerable. Vulnerable uses do appear in a documentation
example and in non-bundled extensions. Hence, the attack
prerequisite is an administrator having installed files of a
vulnerable, trusted, non-bundled extension. Subject to that
prerequisite, this enables an attacker having database-level
CREATE privilege to execute arbitrary code as the bootstrap
superuser. PostgreSQL will block this attack in the core
server, so there's no need to modify individual extensions.
CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion DoS Vulnerability
When parsing Spotlight mdssvc RPC packets, one encoded
data structure is a key-value style dictionary where
keys are character strings and values can be any of
the supported types in the mdssvc protocol. Due to a
lack of type checking in callers of the function
dalloc_value_for_key(), which returns the object
associated with a key, a caller may trigger a crash in
talloc_get_size() when talloc detects that the passed in
pointer is not a valid talloc pointer. As RPC worker
processes are shared among multiple client connections,
a malicious client can crash the worker process
affecting all other clients that are also served by this
worker.
CVE-2022-2127: Out-Of-Bounds read in winbind AUTH_CRAP
When doing NTLM authentication, the client sends replies
to cryptographic challenges back to the server. These
replies have variable length. Winbind did not properly
bounds-check the lan manager response length, which
despite the lan manager version no longer being used is
still part of the protocol. If the system is running
Samba's ntlm_auth as authentication backend for services
like Squid (or a very unusual configuration with
FreeRADIUS), the vulnarebility is remotely exploitable.
If not so configured, or to exploit this vulnerability
locally, the user must have access to the privileged
winbindd UNIX domain socket (a subdirectory with name
'winbindd_privileged' under "state directory", as set in
the smb.conf). This access is normally only given so
special system services like Squid or FreeRADIUS, use
this feature.
As part of the Spotlight protocol, the initial request
returns a path associated with the sharename targeted by
the RPC request. Samba returns the real server-side
share path at this point, as well as returning the
absolute server-side path of results in search queries
by clients. Known server side paths could be used to
mount subsequent more serious security attacks or could
disclose confidential information that is part of the
path. To mitigate the issue, Samba will replace the
real server-side path with a fake path constructed from
the sharename.
CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop DoS Vulnerability
When parsing Spotlight mdssvc RPC packets sent by the
client, the core unmarshalling function sl_unpack_loop()
did not validate a field in the network packet that
contains the count of elements in an array-like
structure. By passing 0 as the count value, the attacked
function will run in an endless loop consuming 100% CPU.
This bug only affects servers where Spotlight is
explicitly enabled globally or on individual shares with
"spotlight = yes".
CVE-2023-3347: SMB2 packet signing not enforced
SMB2 packet signing is not enforced if an admin
configured "server signing = required" or for SMB2
connections to Domain Controllers where SMB2 packet
signing is mandatory. SMB2 packet signing is a
mechanism that ensures the integrity and authenticity of
data exchanged between a client and a server using the
SMB2 protocol. It provides protection against certain
types of attacks, such as man-in-the-middle attacks,
where an attacker intercepts network traffic and
modifies the SMB2 messages. Both client and server of
an SMB2 connection can require that signing is being
used. The server-side setting in Samba to configure
signing to be required is "server signing = required".
Note that on an Samba AD DCs this is also the default
for all SMB2 connections. Unless the client requires
signing which would result in signing being used on the
SMB2 connection, sensitive data might have been modified
by an attacker. Clients connecting to IPC$ on an AD DC
will require signed connections being used, so the
integrity of these connections was not affected.
crypto/tls: restrict RSA keys in certificates to <= 8192 bits
Extremely large RSA keys in certificate chains can cause
a client/server to expend significant CPU time verifying
signatures. Limit this by restricting the size of RSA keys
transmitted during handshakes to <= 8192 bits.
net/http: insufficient sanitization of Host header
The HTTP/1 client did not fully validate the contents of
the Host header. A maliciously crafted Host header could
inject additional headers or entire requests. The HTTP/1
client now refuses to send requests containing an
invalid Request.Host or Request.URL.Host value.
cmd/go: cgo code injection
The go command may generate unexpected code at build
time when using cgo. This may result in unexpected
behavior when running a go program which uses cgo.
runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary
had the setuid/setgid bit set. On Unix platforms, if a
setuid/setgid binary was executed with standard I/O file
descriptors closed, opening any files could result in
unexpected content being read/written with elevated
prilieges. Similarly if a setuid/setgid program was
terminated, either via panic or signal, it could leak the
contents of its registers.
cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time
when using cgo. This may occur when running "go get" on a
malicious module, or when running any other command which
builds untrusted code. This is can by triggered by linker
flags, specified via a "#cgo LDFLAGS" directive.
html/template: improper sanitization of CSS values
Angle brackets (<>) were not considered dangerous
characters when inserted into CSS contexts. Templates
containing multiple actions separated by a '/' character
could result in unexpectedly closing the CSS context and
allowing for injection of unexpected HMTL, if executed
with untrusted input.
html/template: improper handling of JavaScript whitespace
Not all valid JavaScript whitespace characters were
considered to be whitespace. Templates containing
whitespace characters outside of the character set
"\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that
also contain actions may not be properly sanitized
during execution.
html/template: improper handling of empty HTML attributes
Templates containing actions in unquoted HTML attributes
(e.g. "attr={{.}}") executed with empty input could
result in output that would have unexpected results when
parsed due to HTML normalization rules. This may allow
injection of arbitrary attributes into tags.
Fix CVE-2023-38408 - a condition where specific libaries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:
* Exploitation requires the presence of specific libraries on
the victim system.
* Remote exploitation requires that the agent was forwarded
to an attacker-controlled system.
Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.
This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.
[1454086] High CVE-2023-3727: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-06-12
[1457421] High CVE-2023-3728: Use after free in WebRTC. Reported by Zhenghang Xiao (@Kipreyyy) on 2023-06-23
[1453465] High CVE-2023-3730: Use after free in Tab Groups. Reported by @ginggilBesel on 2023-06-09
[1450899] High CVE-2023-3732: Out of bounds memory access in Mojo. Reported by Mark Brand of Google Project Zero on 2023-06-02
[1450203] Medium CVE-2023-3733: Inappropriate implementation in WebApp Installs. Reported by Ahmed ElMasry on 2023-05-31
[1450376] Medium CVE-2023-3734: Inappropriate implementation in Picture In Picture. Reported by Thomas Orlita on 2023-06-01
[1394410] Medium CVE-2023-3735: Inappropriate implementation in Web API Permission Prompts. Reported by Ahmed ElMasry on 2022-11-29
[1434438] Medium CVE-2023-3736: Inappropriate implementation in Custom Tabs. Reported by Philipp Beer (TU Wien) on 2023-04-19
[1446754] Medium CVE-2023-3737: Inappropriate implementation in Notifications. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2023-05-19
[1434330] Medium CVE-2023-3738: Inappropriate implementation in Autofill. Reported by Hafiizh on 2023-04-18
[1405223] Low CVE-2023-3740: Insufficient validation of untrusted input in Themes. Reported by Fardeen Siddiqui on 2023-01-06
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). Supported versions that are
affected are Prior to 6.1.46 and Prior to 7.0.10. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via RDP to compromise Oracle VM VirtualBox. Successful
attacks of this vulnerability can result in takeover of Oracle VM
VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity
and Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). Supported versions that are
affected are Prior to 6.1.46 and Prior to 7.0.10. Easily exploitable
vulnerability allows low privileged attacker with logon to the
infrastructure where Oracle VM VirtualBox executes to compromise
Oracle VM VirtualBox. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle VM VirtualBox. Note:
This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score
5.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). Supported versions that are
affected are Prior to 6.1.46 and Prior to 7.0.10. Easily exploitable
vulnerability allows high privileged attacker with logon to the
infrastructure where Oracle VM VirtualBox executes to compromise
Oracle VM VirtualBox. Successful attacks require human interaction
from a person other than the attacker. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.
CVSS 3.1 Base Score 4.2 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H).
A specially crafted Lua script executing in Redis can
trigger a heap overflow in the cjson and cmsgpack
libraries, and result in heap corruption and potentially
remote code execution.
Extracting key names from a command and a list of
arguments may, in some cases, trigger a heap overflow and
result in reading random heap memory, heap corruption and
potentially remote code execution. Specifically: using
COMMAND GETKEYS* and validation of key names in ACL rules.
cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/.
An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2
that allows users to store malicious values that may be executed
by other users at a later time via get_request in lib/function.php.
If redirect_to parameter has set value starting with
\\example.com redirect will be created with header Location:
/\\example.com that will redirect to example.com domain.
The SoftEther VPN project received a high level code review and technical assistance from Cisco Systems, Inc. of the United States from April to June 2023 to fix several vulnerabilities in the SoftEther VPN code.
The risk of exploitation of any of the fixed vulnerabilities is low under normal usage and environment, and actual attacks are very difficult. However, SoftEther VPN is now an open source VPN software used by 7.4 million unique users worldwide, and is used daily by many users to defend against the risk of blocking attacks by national censorship firewalls and attempts to eavesdrop on communications. Therefore, as long as the slightest attack possibility exists, there is great value in preventing vulnerabilities as much as possible in anticipation of the most sophisticated cyber attackers in the world, such as malicious ISPs and man-in-the-middle attackers on national Internet communication channels. These fixes are important and useful patches for users who use SoftEther VPN and the Internet for secure communications to prevent advanced attacks that can theoretically be triggered by malicious ISPs and man-in-the-middle attackers on national Internet communication pathways.
The fixed vulnerabilities are CVE-2023-27395, CVE-2023-22325, CVE-2023-32275, CVE-2023-27516, CVE-2023-32634, and CVE-2023-31192. All of these were discovered in an outstanding code review of SoftEther VPN by Cisco Systems, Inc.
CVE-2023-27395: Heap overflow in SoftEther VPN DDNS client functionality at risk of crashing and theoretically arbitrary code execution caused by a malicious man-in-the-middle attacker such like ISP-level or on national Internet communication channels
CVE-2023-22325: Integer overflow in the SoftEther VPN DDNS client functionality could result in crashing caused by a malicious man-in-the-middle attacker such like ISP-level or on national Internet communication channels
CVE-2023-32275: Vulnerability that allows the administrator himself of a 32-bit version of VPN Client or VPN Server to see the 32-bit value heap address of each of trusted CA's certificates in the VPN process
CVE-2023-27516: If the user forget to set the administrator password of SoftEther VPN Client and enable remote administration with blank password, the administrator password of VPN Client can be changed remotely or VPN client can be used remotely by anonymouse third person
CVE-2023-32634: If an attacker succeeds in launching a TCP relay program on the same port as the VPN Client on a local computer running the SoftEther VPN Client before the VPN Client process is launched, the TCP relay program can conduct a man-in-the-middle attack on communication between the administrator and the VPN Client process
CVE-2023-31192: When SoftEther VPN Client connects to an untrusted VPN Server, an invalid redirection response for the clustering (load balancing) feature causes 20 bytes of uninitialized stack space to be read
Grafana validates Azure Active Directory accounts based on the email claim.
On Azure AD, the profile email field is not unique across Azure AD tenants.
This can enable a Grafana account takeover and authentication bypass when
Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application.
The CVSS score for this vulnerability is 9.4 Critical.
Buffer overflows in InitExt.c in libX11 prior to 1.8.6 [CVE-2023-3138]
The functions in src/InitExt.c in libX11 prior to 1.8.6 do not check
that the values provided for the Request, Event, or Error IDs are
within the bounds of the arrays that those functions write to, using
those IDs as array indexes. Instead they trusted that they were called
with values provided by an Xserver that was adhering to the bounds
specified in the X11 protocol, as all X servers provided by X.Org do.
As the protocol only specifies a single byte for these values, an
out-of-bounds value provided by a malicious server (or a malicious
proxy-in-the-middle) can only overwrite other portions of the Display
structure and not write outside the bounds of the Display structure
itself. Testing has found it is possible to at least cause the client
to crash with this memory corruption.
A information disclosure vulnerability exists in VS Code 1.79.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.
An updated version of the XMLTooling library that is part of the
OpenSAML and Shibboleth Service Provider software is now available
which corrects a server-side request forgery (SSRF) vulnerability.
Including certain legal but "malicious in intent" content in the
KeyInfo element defined by the XML Signature standard will result
in attempts by the SP's shibd process to dereference untrusted
URLs.
While the content of the URL must be supplied within the message
and does not include any SP internal state or dynamic content,
there is at minimum a risk of denial of service, and the attack
could be combined with others to create more serious vulnerabilities
in the future.
gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded
to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well
as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).
gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters
following the specification for URLs defined by WHATWG in response to CVE-2023-24329.
gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal
based on the input if no out_file was specified.
gh-104049: Do not expose the local on-disk location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with
shell=True.
gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().
gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter
argument that allows limiting tar features than may be surprising or dangerous, such as creating
files outside the destination directory.
gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to
acquire the runtime head lock.
gh-100892: Fixed a crash due to a race while iterating over thread states in clearing
threading.local.
We have discovered a vulnerability with GrafanaâÂÂs data source query
endpoints that could end up crashing a Grafana instance.
If you have public dashboards (PD) enabled, we
are scoring this as a CVSS 7.5 High.
If you have disabled PD, this vulnerability is still a risk,
but triggering the issue requires data source read privileges
and access to the Grafana API through a developer script.
Grafana can allow an attacker in the Viewer role
to send alerts by API Alert - Test. This option,
however, is not available in the user panel UI for the Viewer role.
The CVSS score for this vulnerability is 4.1 Medium
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N).
qpress before PierreLvx/qpress 20220819 and before version 11.3,
as used in Percona XtraBackup and other products, allows directory
traversal via ../ in a .qp file.
[1410191] High CVE-2023-2929: Out of bounds write in Swiftshader. Reported by Jaehun Jeong(@n3sk) of Theori on 2023-01-25
[1443401] High CVE-2023-2930: Use after free in Extensions. Reported by asnine on 2023-05-08
[1444238] High CVE-2023-2931: Use after free in PDF. Reported by Huyna at Viettel Cyber Security on 2023-05-10
[1444581] High CVE-2023-2932: Use after free in PDF. Reported by Huyna at Viettel Cyber Security on 2023-05-11
[1445426] High CVE-2023-2933: Use after free in PDF. Reported by Quang Nguyá» n (@quangnh89) of Viettel Cyber Security and Nguyen Phuong on 2023-05-15
[1429720] High CVE-2023-2934: Out of bounds memory access in Mojo. Reported by Mark Brand of Google Project Zero on 2023-04-01
[1440695] High CVE-2023-2935: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-04-27
[1443452] High CVE-2023-2936: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-05-08
[1413813] Medium CVE-2023-2937: Inappropriate implementation in Picture In Picture. Reported by NDevTK on 2023-02-08
[1416350] Medium CVE-2023-2938: Inappropriate implementation in Picture In Picture. Reported by Alesandro Ortiz on 2023-02-15
[1427431] Medium CVE-2023-2939: Insufficient data validation in Installer. Reported by ycdxsb from VARAS@IIE on 2023-03-24
[1426807] Medium CVE-2023-2940: Inappropriate implementation in Downloads. Reported by Axel Chong on 2023-03-22
[1430269] Low CVE-2023-2941: Inappropriate implementation in Extensions API. Reported by Jasper Rebane on 2023-04-04
Kanboard is project management software that focuses on the Kanban
methodology. Due to improper handling of elements under the
`contentEditable` element, maliciously crafted clipboard content
can inject arbitrary HTML tags into the DOM. A low-privileged
attacker with permission to attach a document on a vulnerable
Kanboard instance can trick the victim into pasting malicious
screenshot data and achieve cross-site scripting if CSP is improperly
configured. This issue has been patched in version 1.2.29.
A specially-crafted series of FTP packets with a CMD
command with a large path followed by a very large number
of replies could cause Zeek to spend a long time processing
the data.
A specially-crafted with a truncated header can cause
Zeek to overflow memory and potentially crash.
A specially-crafted series of SMTP packets can cause
Zeek to generate a very large number of events and take
a long time to process them.
A specially-crafted series of POP3 packets containing
MIME data can cause Zeek to spend a long time dealing
with each individual file ID.
While CVE-2016-2193 fixed most interaction between row security and
user ID changes, it missed a scenario involving function
inlining. This leads to potentially incorrect policies being
applied in cases where role-specific policies are used and a
given query is planned under one role and then executed under
other roles. This scenario can happen under security definer
functions or when a common user and query is planned
initially and then re-used across multiple SET ROLEs.
Applying an incorrect policy may permit a user to complete
otherwise-forbidden reads and modifications. This affects
only databases that have used CREATE POLICY to define a row
security policy.
This enabled an attacker having database-level CREATE
privilege to execute arbitrary code as the bootstrap
superuser. Database owners have that right by default,
and explicit grants may extend it to other users.
Visual Studio Code Information Disclosure Vulnerability
A information disclosure vulnerability exists in VS Code 1.78.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.
Malformed HTTP/1.1 requests can crash worker processes.
occasionally locking up child workers and causing denial of
service, and an outage dropping any open connections.
Sensitive data could be exposed in logs of cloud-init before version
23.1.2. An attacker could use this information to find hashed
passwords and possibly escalate their privilege.
In Artifex Ghostscript through 10.01.0, there is a buffer overflow
leading to potential corruption of data internal to the PostScript
interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode,
TBCPEncode, and TBCPDecode. If the write buffer is filled to one
byte less than full, and one then tries to write an escaped character,
two bytes are written.
An issue in how go handles backticks (`) with Javascript can lead to
an injection of arbitrary code into go templates. While Grafana Labs software
contains potentially vulnerable versions of go, we have not identified any
exploitable use cases at this time.
The CVSS score for this vulnerability is 0.0 (adjusted), 9.8 (base).
When setting up Grafana, there is an option to enable
JWT authentication. Enabling this will allow users to authenticate towards
the Grafana instance with a special header (default X-JWT-Assertion
).
In Grafana, there is an additional way to authenticate using JWT called
URL login where the token is passed as a query parameter.
When using this option, a JWT token is passed to the data source as a header,
which leads to exposure of sensitive information to an unauthorized party.
The CVSS score for this vulnerability is 4.2 Medium
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP
client into a web page. Prior to version 3.71.0, plain text messages
containing HTML tags are rendered as HTML in the search results.
To exploit this, an attacker needs to trick a user into searching
for a specific message containing an HTML injection payload. No
cross-site scripting attack is possible due to the hardcoded content
security policy. Version 3.71.0 of the SDK patches over the issue.
As a workaround, restarting the client will clear the HTML injection.
CVE-2023-25652: By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch)
CVE-2023-29007: A specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug that can be used to inject arbitrary configuration into user's git config. This can result in arbitrary execution of code, by inserting values for core.pager, core.editor and so on
Jellyfin is a free-software media system. Versions starting with
10.8.0 and prior to 10.8.10 and prior have a directory traversal
vulnerability inside the `ClientLogController`, specifically
`/ClientLog/Document`. When combined with a cross-site scripting
vulnerability (CVE-2023-30627), this can result in file write and
arbitrary code execution. Version 10.8.10 has a patch for this
issue. There are no known workarounds.
This Critical Patch Update contains 34 new security patches, plus
additional third party patches noted below, for Oracle MySQL. 11 of
these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without
requiring user credentials.
[1430644] Medium CVE-2023-2137: Heap buffer overflow in sqlite. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2023-04-05
Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Versions
from 0.9.0 to 0.12.0 (including) did not properly fail blocking
read operations on TLS connections when the transport hit timeouts.
Instead it entered an endless loop retrying the read operation,
consuming CPU resources. This could be exploited for denial of
service attacks. If trace level logging was enabled, it would also
produce an excessive amount of log output during the loop, consuming
disk space.
Receiving DNS responses from async DNS requests (via
A specially-crafted stream of FTP packets containing a
command reply with many intermediate lines can cause Zeek
to spend a large amount of time processing data.
A specially-crafted set of packets containing extremely
large file offsets cause cause the reassembler code to
allocate large amounts of memory.
The DNS manager does not correctly expire responses
that don't contain any data, such those containing NXDOMAIN
or NODATA status codes. This can lead to Zeek allocating
large amounts of memory for these responses and never
deallocating them.
A specially-crafted stream of RDP packets can cause
Zeek to spend large protocol validation.
A specially-crafted stream of SMTP packets can cause
Zeek to spend large amounts of time processing data.
The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.
pyca/cryptography's wheels include a statically linked copy of OpenSSL.
The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue.
More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and https://www.openssl.org/news/secadv/20230207.txt.
If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL.
Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory.
Any secret information in an async status file will be readable by a malicious user on that system.
This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
An issue was discovered in the FFmpeg package, where
vp3_decode_frame in libavcodec/vp3.c lacks check of the
return value of av_malloc() and will cause a null pointer
dereference, impacting availability.
A null pointer dereference issue was discovered in
'FFmpeg' in decode_main_header() function of
libavformat/nutdec.c file. The flaw occurs because the
function lacks check of the return value of
avformat_new_stream() and triggers the null pointer
dereference error, causing an application to crash.
A vulnerability classified as problematic has been found
in ffmpeg. This affects an unknown part of the file
libavcodec/rpzaenc.c of the component QuickTime RPZA Video
Encoder. The manipulation of the argument y_size leads to
out-of-bounds read. It is possible to initiate the attack
remotely. The name of the patch is
92f9b28ed84a77138105475beba16c146bdaf984. It is recommended
to apply a patch to fix this issue. The associated
identifier of this vulnerability is VDB-213543.
It by default trusts the messages and metadata stored in backends (result stores).
When reading task metadata from the backend, the data is deserialized.
Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
When using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry.
These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application.
Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.
Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.
This has been patched in version 65.5.1. The patch backported to the revision 44.1.1_1.
Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.
Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.
This has been patched in version 65.5.1. The patch backported to the revision 63.1.0_1.
Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.
Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.
This has been patched in version 65.5.1. The patch backported to the revision 58.5.3_3.
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
The reference kernel of the CONV_3D_TRANSPOSE TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result.
Instead of `data_ptr += num_channels;` it should be `data_ptr += output_num_channels;` as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels.
An attacker can craft a model with a specific number of input channels in a way similar to the attached example script.
It is then possible to write specific values through the bias of the layer outside the bounds of the buffer.
This attack only works if the reference kernel resolver is used in the interpreter (i.e. `experimental_op_resolver_type=tf.lite.experimental.OpResolverType.BUILTIN_REF` is used).
redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner.
The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but [are believed to be incomplete](https://github.com/redis/redis-py/issues/2665).
CVE-2023-28859 has been assigned the issues caused by the incomplete fixes.
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking.
The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request.
NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method.
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0.
By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.
Kang Hong Jin, Neophytos Christou, Ã¥ÂÂÃ¥ÂÂ溠and Pattarakrit Rattankul report:
Another instance of CVE-2022-35935, where `SobolSample` is vulnerable to a denial of service via assumed scalar inputs, was found and fixed.
Pattarakrit Rattankul reports:
Another instance of CVE-2022-35991, where `TensorListScatter` and `TensorListScatterV2` crash via non scalar inputs in`element_shape`, was found in eager mode and fixed.
Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution for `lxml`, and could lead to arbitrary file reads from an attacker-controlled XML payload.
Denial of service (DoS) vulnerability in Nicotine+ starting with version 3.0.3 and prior to version 3.2.1 allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character.
The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header.
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0.
When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the ``connection_info`` element in all Block Storage v3 Attachments API calls containing that element.
This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume.
Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint.
HTTP and MIME header parsing can allocate large amounts
of memory, even when parsing small inputs, potentially
leading to a denial of service. Certain unusual patterns
of input data can cause the common function used to parse
HTTP and MIME headers to allocate substantially more
memory than required to hold the parsed headers. An
attacker can exploit this behavior to cause an HTTP
server to allocate large amounts of memory from a small
request, potentially leading to memory exhaustion and a
denial of service. With fix, header parsing now correctly
allocates only the memory required to hold parsed headers.
Calling any of the Parse functions on Go source code
which contains //line directives with very large line
numbers can cause an infinite loop due to integer
overflow.
html/template: backticks not treated as string delimiters
Templates did not properly consider backticks (`) as
Javascript string delimiters, and as such did not escape
them as expected. Backticks are used, since ES6, for JS
template literals. If a template contained a Go template
action within a Javascript template literal, the contents
of the action could be used to terminate the literal,
injecting arbitrary Javascript code into the Go template.
As ES6 template literals are rather complex, and
themselves can do string interpolation, we've decided
to simply disallow Go template actions from being used
inside of them (e.g. "var a = {{.}}"), since there is no
obviously safe way to allow this behavior. This takes the
same approach as github.com/google/safehtml.
Template.Parse will now return an Error when it encounters
templates like this, with a currently unexported ErrorCode
with a value of 12. This ErrorCode will be exported in the
next major release.
net/http, net/textproto: denial of service from excessive
memory allocation
HTTP and MIME header parsing could allocate large
amounts of memory, even when parsing small inputs.
Certain unusual patterns of input data could cause the
common function used to parse HTTP and MIME headers to
allocate substantially more memory than required to hold
the parsed headers. An attacker can exploit this
behavior to cause an HTTP server to allocate large
amounts of memory from a small request, potentially
leading to memory exhaustion and a denial of service.
Header parsing now correctly allocates only the memory
required to hold parsed headers.
net/http, net/textproto, mime/multipart: denial of service
from excessive resource consumption
Multipart form parsing can consume large amounts of CPU
and memory when processing form inputs containing very
large numbers of parts. This stems from several causes:
mime/multipart.Reader.ReadForm limits the total memory a
parsed multipart form can consume. ReadForm could
undercount the amount of memory consumed, leading it to
accept larger inputs than intended. Limiting total
memory does not account for increased pressure on the
garbage collector from large numbers of small
allocations in forms with many parts. ReadForm could
allocate a large number of short-lived buffers, further
increasing pressure on the garbage collector. The
combination of these factors can permit an attacker to
cause an program that parses multipart forms to consume
large amounts of CPU and memory, potentially resulting
in a denial of service. This affects programs that use
mime/multipart.Reader.ReadForm, as well as form parsing
in the net/http package with the Request methods
FormFile, FormValue, ParseMultipartForm, and
PostFormValue. ReadForm now does a better job of
estimating the memory consumption of parsed forms, and
performs many fewer short-lived allocations. In
addition, mime/multipart.Reader now imposes the
following limits on the size of parsed forms: Forms
parsed with ReadForm may contain no more than 1000
parts. This limit may be adjusted with the environment
variable GODEBUG=multipartmaxparts=. Form parts parsed
with NextPart and NextRawPart may contain no more than
10,000 header fields. In addition, forms parsed with
ReadForm may contain no more than 10,000 header fields
across all parts. This limit may be adjusted with the
environment variable GODEBUG=multipartmaxheaders=.
An incomplete access check on dnsHostName allows
authenticated but otherwise unprivileged users to
delete this attribute from any object in the directory.
The Samba AD DC administration tool, when operating
against a remote LDAP server, will by default send
new or reset passwords over a signed-only connection.
The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for
CVE-2018-10919 Confidential attribute disclosure via
LDAP filters was insufficient and an attacker may be
able to obtain confidential BitLocker recovery keys
from a Samba AD DC.
Installations with such secrets in their Samba AD
should assume they have been obtained and need replacing.
[1414018] High CVE-2023-1810: Heap buffer overflow in Visuals. Reported by Weipeng Jiang (@Krace) of VRI on 2023-02-08
[1420510] High CVE-2023-1811: Use after free in Frames. Reported by Thomas Orlita on 2023-03-01
[1418224] Medium CVE-2023-1812: Out of bounds memory access in DOM Bindings. Reported by Shijiang Yu on 2023-02-22
[1423258] Medium CVE-2023-1813: Inappropriate implementation in Extensions. Reported by Axel Chong on 2023-03-10
[1417325] Medium CVE-2023-1814: Insufficient validation of untrusted input in Safe Browsing. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2023-02-18
[1278708] Medium CVE-2023-1815: Use after free in Networking APIs. Reported by DDV_UA on 2021-12-10
[1413919] Medium CVE-2023-1816: Incorrect security UI in Picture In Picture. Reported by NDevTK on 2023-02-08
[1418061] Medium CVE-2023-1817: Insufficient policy enforcement in Intents. Reported by Axel Chong on 2023-02-22
[1223346] Medium CVE-2023-1818: Use after free in Vulkan. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research, Eric Lawrence, Microsoft, Patrick Walker (@HomeSen), and Kirtikumar Anandrao Ramchandani on 2021-06-24
[1406588] Medium CVE-2023-1819: Out of bounds read in Accessibility. Reported by Microsoft Edge Team on 2023-01-12
[1408120] Medium CVE-2023-1820: Heap buffer overflow in Browser History. Reported by raven at KunLun lab on 2023-01-17
[1413618] Low CVE-2023-1821: Inappropriate implementation in WebShare. Reported by Axel Chong on 2023-02-07
[1066555] Low CVE-2023-1822: Incorrect security UI in Navigation. Reported by ê°Âì°짠on 2020-04-01
[1406900] Low CVE-2023-1823: Inappropriate implementation in FedCM. Reported by Jasper Rebane (popstonia) on 2023-01-13
A ReDoS issue was discovered in the URI component. The URI
parser mishandles invalid URLs that have specific
characters. It causes an increase in execution time for
parsing strings to URI objects.
Applications that use a non-default option when verifying certificates may be
vulnerable to an attack from a malicious CA to circumvent certain checks.
The function X509_VERIFY_PARAM_add0_policy() is documented to
implicitly enable the certificate policy check when doing certificate
verification. However the implementation of the function does not
enable the check which allows certificates with invalid or incorrect
policies to pass the certificate verification.
Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk
to patch a pair of High severity vulnerabilities (CVE-2023-28427 /
GHSA-mwq8-fjpf-c2gr for matrix-js-sdk and CVE-2023-28103 / GHSA-6g43-88cp-w5gv
for matrix-react-sdk).
The issues involve prototype pollution via events containing special strings
in key locations, which can temporarily disrupt normal functioning of matrix-js-sdk
and matrix-react-sdk, potentially impacting the consumer's ability to process data
safely.
When a user adds a Graphite data source, they can then use the data source
in a dashboard. This capability contains a feature to use Functions. Once
a function is selected, a small tooltip appears when hovering over the name
of the function. This tooltip allows you to delete the selected Function
from your query or show the Function Description. However, no sanitization
is done when adding this description to the DOM.
Since it is not uncommon to connect to public data sources, an attacker
could host a Graphite instance with modified Function Descriptions containing
XSS payloads. When the victim uses it in a query and accidentally hovers
over the Function Description, an attacker-controlled XSS payload
will be executed.
The severity of this vulnerability is of CVSSv3.1 5.7 Medium
(CVSS: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N (5.7)).
ZDI-CAN-19866/CVE-2023-1393: X.Org Server Overlay Window Use-After-Free
Local Privilege Escalation Vulnerability
If a client explicitly destroys the compositor overlay window (aka COW),
the Xserver would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.
Elixir 0.8.0 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database.
The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.
An issue was discovered in py-lmdb 0.97. For certain values of md_flags, mdb_node_add does not properly set up a memcpy destination, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. For certain values of mp_flags, mdb_page_touch does not properly set up mc->mc_pg[mc->top], leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. mdb_node_del does not validate a memmove in the case of an unexpected node->mn_hi, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. For certain values of mn_flags, mdb_cursor_set triggers a memcpy with an invalid write operation within mdb_xcursor_init1. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. There is a divide-by-zero error in the function mdb_env_open2 if mdb_env_read_header obtains a zero value for a certain size field. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
Carefully crafted input can cause header parsing in Rack
to take an unexpected amount of time, possibly resulting
in a denial of service attack vector. Any applications
that parse headers using Rack (virtually all Rails
applications) are impacted.
Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows
attackers to modify the personal bookmark store via a crafted
message. The attacker can change the display of group chats or
force a victim to join a group chat; the victim may then be tricked
into disclosing sensitive information.
A vulnerability identified in the implementation of Tailscale SSH in FreeBSD
allowed commands to be run with a higher privilege group ID than that specified
by Tailscale SSH access rules.
CVE-2022-46285: Infinite loop on unclosed comments
When reading XPM images from a file with libXpm 3.5.14 or older, if a
comment in the file is not closed (i.e. a C-style comment starts with
"/*" and is missing the closing "*/"), the ParseComment() function will
loop forever calling getc() to try to read the rest of the comment,
failing to notice that it has returned EOF, which may cause a denial of
service to the calling program.
This issue was found by Marco Ivaldi of the Humanativa Group's HN Security team.
The fix is provided in
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148
CVE-2022-44617: Runaway loop on width of 0 and enormous height
When reading XPM images from a file with libXpm 3.5.14 or older, if a
image has a width of 0 and a very large height, the ParsePixels() function
will loop over the entire height calling getc() and ungetc() repeatedly,
or in some circumstances, may loop seemingly forever, which may cause a denial
of service to the calling program when given a small crafted XPM file to parse.
This issue was found by Martin Ettl.
The fix is provided in
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/f80fa6ae47ad4a5beacb28
and
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/c5ab17bcc34914c0b0707d
CVE-2022-4883: compression commands depend on $PATH
By default, on all platforms except MinGW, libXpm will detect if a filename
ends in .Z or .gz, and will when reading such a file fork off an uncompress
or gunzip command to read from via a pipe, and when writing such a file will
fork off a compress or gzip command to write to via a pipe.
In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
to find the commands. If libXpm is called from a program running with
raised privileges, such as via setuid, then a malicious user could set
$PATH to include programs of their choosing to be run with those privileges.
This issue was found by Alan Coopersmith of the Oracle Solaris team.
curl supports communicating using the TELNET protocol
and as a part of this it offers users to pass on user
name and "telnet options" for the server
negotiation.
Due to lack of proper input scrubbing and without it
being the documented functionality, curl would pass on
user name and telnet options to the server as
provided. This could allow users to pass in carefully
crafted content that pass on content or do option
negotiation without the application intending to do
so. In particular if an application for example allows
users to provide the data or parts of the data.
CVE-2023-27534
curl supports SFTP transfers. curl's SFTP implementation
offers a special feature in the path component of URLs:
a tilde (~) character as the first path element in the
path to denotes a path relative to the user's home
directory. This is supported because of wording in the
once proposed to-become RFC draft that was to dictate
how SFTP URLs work.
Due to a bug, the handling of the tilde in SFTP path did
however not only replace it when it is used stand-alone
as the first path element but also wrongly when used as
a mere prefix in the first element.
Using a path like /~2/foo when accessing a server using
the user dan (with home directory /home/dan) would then
quite surprisingly access the file /home/dan2/foo.
This can be taken advantage of to circumvent filtering
or worse.
CVE-2023-27535
libcurl would reuse a previously created FTP connection
even when one or more options had been changed that
could have made the effective user a very different one,
thus leading to the doing the second transfer with wrong
credentials.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, several FTP settings
were left out from the configuration match checks,
making them match too easily. The settings in questions
are CURLOPT_FTP_ACCOUNT,
CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and
CURLOPT_USE_SSL level.
CVE-2023-27536
ibcurl would reuse a previously created connection even
when the GSS delegation (CURLOPT_GSSAPI_DELEGATION)
option had been changed that could have changed the
user's permissions in a second transfer.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, this GSS delegation
setting was left out from the configuration match
checks, making them match too easily, affecting
krb5/kerberos/negotiate/GSSAPI transfers.
CVE-2023-27537
libcurl supports sharing HSTS data between separate
"handles". This sharing was introduced without
considerations for do this sharing across separate
threads but there was no indication of this fact in the
documentation.
Due to missing mutexes or thread locks, two threads
sharing the same HSTS data could end up doing a
double-free or use-after-free.
CVE-2023-27538
libcurl would reuse a previously created connection even
when an SSH related option had been changed that should
have prohibited reuse.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, two SSH settings
were left out from the configuration match checks,
making them match too easily.
CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
HTTP response splitting (cve.mitre.org).
HTTP Response Smuggling vulnerability in Apache HTTP Server
via mod_proxy_uwsgi. This issue affects Apache HTTP Server:
from 2.4.30 through 2.4.55.
Special characters in the origin response header can
truncate/split the response forwarded to the client.
CVE-2023-25690: HTTP request splitting with mod_rewrite
and mod_proxy (cve.mitre.org).
Some mod_proxy configurations on Apache HTTP Server versions
2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along
with some form of RewriteRule or ProxyPassMatch in which a
non-specific pattern matches some portion of the user-supplied
request-target (URL) data and is then re-inserted into the
proxied request-target using variable substitution.
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice
crypto/elliptic: incorrect P-256 ScalarMult and
ScalarBaseMult results
The ScalarMult and ScalarBaseMult methods of the P256
Curve may return an incorrect result if called with some
specific unreduced scalars (a scalar larger than the
order of the curve).
The Multipart MIME parsing code in Rack limits the number
of file parts, but does not limit the total number of
parts that can be uploaded. Carefully crafted requests can
abuse this and cause multipart parsing to take longer than
expected.
A cleartext transmission of sensitive information
vulnerability exists in curl < v7.88.0 that could
cause HSTS functionality fail when multiple URLs are
requested serially. Using its HSTS support, curl can be
instructed to use HTTPS instead of using an insecure
clear-text HTTP step even when HTTP is provided in the
URL. This HSTS mechanism would however surprisingly be
ignored by subsequent transfers when done on the same
command line because the state would not be properly
carried on.
CVE-2023-23915
A cleartext transmission of sensitive information
vulnerability exists in curl < v7.88.0 that could
cause HSTS functionality to behave incorrectly when
multiple URLs are requested in parallel. Using its HSTS
support, curl can be instructed to use HTTPS instead of
using an insecure clear-text HTTP step even when HTTP is
provided in the URL. This HSTS mechanism would however
surprisingly fail when multiple transfers are done in
parallel as the HSTS cache file gets overwritten by the
most recently completed transfer. A later HTTP-only
transfer to the earlier host name would then *not* get
upgraded properly to HSTS.
CVE-2023-23916
An allocation of resources without limits or throttling
vulnerability exists in curl < v7.88.0 based on the
"chained" HTTP compression algorithms, meaning
that a server response can be compressed multiple times
and potentially with different algorithms. The number of
acceptable "links" in this "decompression
chain" was capped, but the cap was implemented on a
per-header basis allowing a malicious server to insert a
virtually unlimited number of compression steps simply
by using many headers. The use of such a decompression
chain could result in a "malloc bomb", making
curl end up spending enormous amounts of allocated heap
memory, or trying to and returning out of memory errors.
A vulnerability related to certificate verification in TLS-based EAP methods
was discovered in strongSwan that results in a denial of service
but possibly even remote code execution. Versions 5.9.8 and 5.9.9
may be affected.
During an internal audit of Grafana on January 1, a member of the security
team found a stored XSS vulnerability affecting the core text plugin.
The stored XSS vulnerability requires several user interactions in order
to be fully exploited. The vulnerability was possible due to ReactâÂÂs render
cycle that will pass through the unsanitized HTML code, but in the next cycle,
the HTML is cleaned up and saved in GrafanaâÂÂs database.
The CVSS score for this vulnerability is 6.4 Medium
(CVSS:6.4/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).
Specially crafted SRANDMEMBER, ZRANDMEMBER, and
HRANDFIELD commands can trigger an integer overflow,
resulting in a runtime assertion and termination of the
Redis server process.
CVE-2022-36021
String matching commands (like SCAN or KEYS) with a
specially crafted pattern to trigger a denial-of-service
attack on Redis, causing it to hang and consume 100% CPU
time.
During an internal audit of Grafana on January 25, a member of the security
team found a stored XSS vulnerability affecting the core geomap plugin.
The stored XSS vulnerability was possible because map attributions werenâÂÂt
properly sanitized, allowing arbitrary JavaScript to be executed in the context
of the currently authorized user of the Grafana instance.
The CVSS score for this vulnerability is 7.3 High
(CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
During an internal audit of Grafana on January 30, a member
of the engineering team found a stored XSS vulnerability affecting
the TraceView panel.
The stored XSS vulnerability was possible because the value of a spanâÂÂs
attributes/resources were not properly sanitized, and this will be rendered
when the spanâÂÂs attributes/resources are expanded.
The CVSS score for this vulnerability is 7.3 High
(CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
GNU Emacs through 28.2 allows attackers to execute
commands via shell metacharacters in the name of a
source-code file, because lib-src/etags.c uses the
system C library function in its implementation of the
etags program. For example, a victim may use the
"etags -u *" command (suggested in the etags
documentation) in a situation where the current working
directory has contents that depend on untrusted input.
CVE-2022-48338
An issue was discovered in GNU Emacs through 28.2. In
ruby-mode.el, the ruby-find-library-file function has a
local command injection vulnerability. The
ruby-find-library-file function is an interactive
function, and bound to C-c C-f. Inside the function, the
external command gem is called through
shell-command-to-string, but the feature-name parameters
are not escaped. Thus, malicious Ruby source files may
cause commands to be executed.
CVE-2022-48339
An issue was discovered in GNU Emacs through
28.2. htmlfontify.el has a command injection
vulnerability. In the hfy-istext-command function, the
parameter file and parameter srcdir come from external
input, and parameters are not escaped. If a file name or
directory name contains shell metacharacters, code may
be executed.
FreeRDP based clients on unix systems using
`/parallel` command line switch might read uninitialized
data and send it to the server the client is currently
connected to. FreeRDP based server implementations are not
affected.
All FreeRDP based clients when using the `/video`
command line switch might read uninitialized data, decode
it as audio/video and display the result. FreeRDP based
server implementations are not affected.
git log has the ability to display commits using an arbitrary
format with its --format specifiers. This functionality is also
exposed to git archive via the export-subst gitattribute.
When processing the padding operators (e.g., %<(, %<|(,
%>(, %>>(, or %><( ), an integer overflow can occur in
pretty.c::format_and_pad_commit() where a size_t is improperly
stored as an int, and then added as an offset to a subsequent
memcpy() call.
This overflow can be triggered directly by a user running a
command which invokes the commit formatting machinery (e.g., git
log --format=...). It may also be triggered indirectly through
git archive via the export-subst mechanism, which expands format
specifiers inside of files within the repository during a git
archive.
This integer overflow can result in arbitrary heap writes, which
may result in remote code execution.
Receiving DNS responses from async DNS requests (via
the lookup_addr, etc BIF methods) with the TTL set to
zero could cause the DNS manager to eventually stop being
able to make new requests.
Specially-crafted FTP packets with excessively long
usernames, passwords, or other fields could cause log
writes to use large amounts of disk space.
The find_all and find_all_ordered BIF methods could
take extremely large amounts of time to process incoming
data depending on the size of the input.
gitattributes are used to define unique attributes corresponding
to paths in your repository. These attributes are defined by
.gitattributes file(s) within your repository.
The parser used to read these files has multiple integer
overflows, which can occur when parsing either a large number
of patterns, a large number of attributes, or attributes with
overly-long names.
These overflows may be triggered via a malicious
.gitattributes file. However, Git automatically splits lines at
2KB when reading .gitattributes from a file, but not when parsing
it from the index. Successfully exploiting this vulnerability
depends on the location of the .gitattributes file in question.
This integer overflow can result in arbitrary heap reads
and writes, which may result in remote code execution.
Using a specially-crafted repository, Git can be tricked into using
its local clone optimization even when using a non-local transport.
Though Git will abort local clones whose source $GIT_DIR/objects
directory contains symbolic links (c.f., CVE-2022-39253), the objects
directory itself may still be a symbolic link.
These two may be combined to include arbitrary files based on known
paths on the victim's filesystem within the malicious repository's
working copy, allowing for data exfiltration in a similar manner as
CVE-2022-39253.
This PR refactors and improves the password hashing code within
gitea and makes it possible for server administrators to set the
password hashing parameters.
In addition it takes the opportunity to adjust the settings for
pbkdf2 in order to make the hashing a little stronger.
Add command to bulk set must-change-password
As part of administration sometimes it is appropriate to
forcibly tell users to update their passwords.
This PR creates a new command gitea admin user
must-change-password which will set the MustChangePassword flag on
the provided users.
A request smuggling attack is possible when using
MaxBytesHandler. When using MaxBytesHandler, the body of
an HTTP request is not fully consumed. When the server
attempts to read HTTP2 frames from the connection, it
will instead be reading the body of the HTTP request,
which could be attacker-manipulated to represent
arbitrary HTTP2 requests.
path/filepath: path traversal in filepath.Clean on Windows
On Windows, the filepath.Clean function could transform
an invalid path such as a/../c:/b into the valid path
c:\b. This transformation of a relative (if invalid)
path into an absolute path could enable a directory
traversal attack. The filepath.Clean function will now
transform this path into the relative (but still
invalid) path .\c:\b.
net/http, mime/multipart: denial of service from excessive
resource consumption
Multipart form parsing with
mime/multipart.Reader.ReadForm can consume largely
unlimited amounts of memory and disk files. This also
affects form parsing in the net/http package with the
Request methods FormFile, FormValue, ParseMultipartForm,
and PostFormValue.
crypto/tls: large handshake records may cause panics
Both clients and servers may send large TLS handshake
records which cause servers and clients,
respectively, to panic when attempting to construct responses.
net/http: avoid quadratic complexity in HPACK decoding
A maliciously crafted HTTP/2 stream could cause
excessive CPU consumption in the HPACK decoder,
sufficient to cause a denial of service from a small
number of small requests.
A vulnerability was found that the response times to malformed RSA
ciphertexts in ClientKeyExchange differ from response times of
ciphertexts with correct PKCS#1 v1.5 padding. Only TLS ciphertext
processing is affected.
A security issue was found where an unprivileged user is
able to create service accounts for root or other admin
users and then is able to assume their access policies
via the generated credentials.
This release contains 15 security fixes, including:
[1402270] High CVE-2023-0696: Type Confusion in V8. Reported by Haein Lee at KAIST Hacking Lab on 2022-12-18
[1341541] High CVE-2023-0697: Inappropriate implementation in Full screen mode. Reported by Ahmed ElMasry on 2022-07-03
[1403573] High CVE-2023-0698: Out of bounds read in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2022-12-25
[1371859] Medium CVE-2023-0699: Use after free in GPU. Reported by 7o8v and Cassidy Kim(@cassidy6564) on 2022-10-06
[1393732] Medium CVE-2023-0700: Inappropriate implementation in Download. Reported by Axel Chong on 2022-11-26
[1405123] Medium CVE-2023-0701: Heap buffer overflow in WebUI. Reported by Sumin Hwang of SSD Labs on 2023-01-05
[1316301] Medium CVE-2023-0702: Type Confusion in Data Transfer. Reported by Sri on 2022-04-14
[1405574] Medium CVE-2023-0703: Type Confusion in DevTools. Reported by raven at KunLun lab on 2023-01-07
[1385982] Low CVE-2023-0704: Insufficient policy enforcement in DevTools. Reported by Rhys Elsmore and Zac Sims of the Canva security team on 2022-11-18
[1238642] Low CVE-2023-0705: Integer overflow in Core. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-11
A modified, unauthenticated server can send an
unterminated string during the establishment of Kerberos
transport encryption. When a libpq client application
has a Kerberos credential cache and doesn't explicitly
disable option gssencmode, a server can cause libpq to
over-read and report an error message containing
uninitialized bytes from and following its receive
buffer. If libpq's caller somehow makes that message
accessible to the attacker, this achieves a disclosure
of the over-read bytes. We have not confirmed or ruled
out viability of attacks that arrange for a crash or for
presence of notable, confidential information in
disclosed bytes.
A third-party penetration test of Grafana found a vulnerability
in the snapshot functionality. The value of the originalUrl parameter
is automatically generated. The purpose of the presented originalUrl parameter
is to provide a user who views the snapshot with the possibility to click
on the Local Snapshot button in the Grafana web UI
and be presented with the dashboard that the snapshot captured. The value
of the originalUrl parameter can be arbitrarily chosen by a malicious user that
creates the snapshot. (Note: This can be done by editing the query thanks
to a web proxy like Burp.)
We have assessed this vulnerability as having a CVSS score of 6.7 MEDIUM
(CVSS:6.7/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L).
On 2022-12-16 during an internal audit of Grafana, a member of the security
team found a stored XSS vulnerability affecting the core plugin GeoMap.
The stored XSS vulnerability was possible due to SVG-files weren't properly
sanitized and allowed arbitrary JavaScript to be executed in the context
of the currently authorized user of the Grafana instance.
TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can potentially result code execution. This attack appear to be exploitable via network connectivity.
TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can potentially result code execution. This attack appear to be exploitable via network connectivity.
TightVNC code version 1.3.10 contains heap buffer overflow in InitialiseRFBConnection function, which can potentially result code execution. This attack appear to be exploitable via network connectivity.
TightVNC code version 1.3.10 contains null pointer dereference in HandleZlibBPP function, which results Denial of System (DoS). This attack appear to be exploitable via network connectivity.
X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) (High):
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING.
Timing Oracle in RSA Decryption (CVE-2022-4304) (Moderate):
A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OEAP and RSASVE.
X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203) (Moderate):
A read buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs
after certificate chain signature verification and requires either a
CA to have signed the malicious certificate or for the application to
continue certificate verification despite failure to construct a path
to a trusted issuer.
Use-after-free following BIO_new_NDEF (CVE-2023-0215) (Moderate):
The public API function BIO_new_NDEF is a helper function used for streaming
ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the
SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by
end user applications.
Double free after calling PEM_read_bio_ex (CVE-2022-4450) (Moderate):
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data.
If the function succeeds then the "name_out", "header" and "data" arguments are
populated with pointers to buffers containing the relevant decoded data. The
caller is responsible for freeing those buffers. It is possible to construct a
PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()
will return a failure code but will populate the header argument with a pointer
to a buffer that has already been freed. If the caller also frees this buffer
then a double free will occur. This will most likely lead to a crash. This
could be exploited by an attacker who has the ability to supply malicious PEM
files for parsing to achieve a denial of service attack.
Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216) (Moderate):
An invalid pointer dereference on read can be triggered when an
application tries to load malformed PKCS7 data with the
d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.
NULL dereference validating DSA public key (CVE-2023-0217) (Moderate):
An invalid pointer dereference on read can be triggered when an
application tries to check a malformed DSA public key by the
EVP_PKEY_public_check() function. This will most likely lead
to an application crash. This function can be called on public
keys supplied from untrusted sources which could allow an attacker
to cause a denial of service attack.
NULL dereference during PKCS7 data verification (CVE-2023-0401) (Moderate):
A NULL pointer can be dereferenced when signatures are being
verified on PKCS7 signed or signedAndEnveloped data. In case the hash
algorithm used for the signature is known to the OpenSSL library but
the implementation of the hash algorithm is not available the digest
initialization will fail. There is a missing check for the return
value from the initialization function which later leads to invalid
usage of the digest API most likely leading to a crash.
Prometheus and its exporters can be secured by a web.yml file that
specifies usernames and hashed passwords for basic authentication.
Passwords are hashed with bcrypt, which means that even if you have
access to the hash, it is very hard to find the original password
back. Passwords are hashed with bcrypt, which means that even if you
have access to the hash, it is very hard to find the original
password back. However, a flaw in the way this mechanism was
implemented in the exporter toolkit makes it possible with people
who know the hashed password to authenticate against Prometheus.
A request can be forged by an attacker to poison the internal cache
used to cache the computation of hashes and make subsequent requests
successful. This cache is used in both happy and unhappy scenarios
in order to limit side channel attacks that could tell an attacker
if a user is present in the file or not.
A missing field in the SMB FSControl script-land record could
cause a heap buffer overflow when receiving packets containing
those header types.
Receiving a series of packets that start with HTTP/1.0
and then switch to HTTP/0.9 could cause Zeek to spend a
large amount of time processing the packets.
Receiving large numbers of FTP commands sequentially
from the network with bad data in them could cause Zeek
to spend a large amount of time processing the packets,
and generate a large amount of events.
Prometheus and its exporters can be secured by a web.yml file that
specifies usernames and hashed passwords for basic authentication.
Passwords are hashed with bcrypt, which means that even if you have
access to the hash, it is very hard to find the original password
back. Passwords are hashed with bcrypt, which means that even if you
have access to the hash, it is very hard to find the original
password back. However, a flaw in the way this mechanism was
implemented in the exporter toolkit makes it possible with people
who know the hashed password to authenticate against Prometheus.
A request can be forged by an attacker to poison the internal cache
used to cache the computation of hashes and make subsequent requests
successful. This cache is used in both happy and unhappy scenarios
in order to limit side channel attacks that could tell an attacker
if a user is present in the file or not.
We have recently been made aware of a security vulnerability in Plex Media Server versions prior to 1.25.0 that could allow a local Windows user to obtain administrator privileges without authorization. To be clear, this required the user to already have local, physical access to the computer (just with a different user account on Windows). There are no indications that this exploit could be used from a remote machine.
Plex Media Server versions 1.25.0.5282 and newer are not subject to this vulnerability, and feature additional hardening to prevent similar issues from occurring in the future. Users running older server versions are encouraged to update their Plex Media Server installations.
NLnet Labs Krill supports direct access to the RRDP repository
content through its built-in web server at the "/rrdp" endpoint.
Prior to 0.12.1 a direct query for any existing directory under
"/rrdp/", rather than an RRDP file such as "/rrdp/notification.xml"
as would be expected, causes Krill to crash. If the built-in "/rrdp"
endpoint is exposed directly to the internet, then malicious remote
parties can cause the publication server to crash. The repository
content is not affected by this, but the availability of the server
and repository can cause issues if this attack is persistent and is
not mitigated. .
It seems #90 is not completely fixed in 7.8.
(that is, even after CVE-2017-1000501 and CVE-2020-29600 are fixed).
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a
partial absolute pathname (omitting the initial /etc), even
though it was intended to only read a file in the /etc/awstats/awstats.conf format.
NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
fish is a command line shell. fish version 3.1.0 through
version 3.3.1 is vulnerable to arbitrary code execution.
git repositories can contain per-repository
configuration that change the behavior of git, including
running arbitrary commands. When using the default
configuration of fish, changing to a directory
automatically runs git commands in order to display
information about the current repository in the prompt.
If an attacker can convince a user to change their
current directory into one controlled by the attacker,
such as on a shared file system or extracted archive,
fish will run arbitrary commands under the attacker's
control. This problem has been fixed in fish 3.4.0. Note
that running git in these directories, including using
the git tab completion, remains a potential trigger for
this issue. As a workaround, remove the
fish_git_prompt function from the prompt.
This Critical Patch Update contains 37 new security patches for
Oracle MySQL. 8 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network withouti
requiring user credentials.
Carefully crafted input can cause the Range header
parsing component in Rack to take an unexpected amount
of time, possibly resulting in a denial of service
attack vector. Any applications that deal with Range
requests (such as streaming applications, or
applications that serve files) may be impacted.
CVE-2022-44571
Carefully crafted input can cause Content-Disposition
header parsing in Rack to take an unexpected amount of
time, possibly resulting in a denial of service attack
vector. This header is used typically used in multipart
parsing. Any applications that parse multipart posts
using Rack (virtually all Rails applications) are
impacted.
CVE-2022-44572
Carefully crafted input can cause RFC2183 multipart
boundary parsing in Rack to take an unexpected amount of
time, possibly resulting in a denial of service attack
vector. Any applications that parse multipart posts
using Rack (virtually all Rails applications) are
impacted.
CVE-2022-41966: XStream serializes Java objects to XML
and back again.
Versions prior to 1.4.20 may allow a remote attacker
to terminate the application with a stack
overflow error, resulting in a denial of
service only via manipulation the
processed input stream.
CVE-2022-40151: If the parser is running on user
supplied input, an attacker may supply content that
causes the parser to crash by stackoverflow. This
effect may support a denial of service attack.
TROVE-2022-002: The SafeSocks option for SOCKS4(a) is inverted leading to SOCKS4 going through
This is a report from hackerone:
We have classified this as medium considering that tor was not defending in-depth for dangerous SOCKS request and so any user relying on SafeSocks 1 to make sure they don't link DNS leak and their Tor traffic wasn't safe afterall for SOCKS4(a).
Tor Browser doesn't use SafeSocks 1 and SOCKS4 so at least the likely vast majority of users are not affected.
GNU Emacs through 28.2 allows attackers to execute
commands via shell metacharacters in the name of a
source-code file, because lib-src/etags.c uses the system
C library function in its implementation of the ctags
program. For example, a victim may use the "ctags *"
command (suggested in the ctags documentation) in a
situation where the current working directory has contents
that depend on untrusted input.
CVE-2022-24823: When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory
CVE-2020-7238: Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.
CVE-2019-2684: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE
CVE-2022-25857: The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
CVE-2022-42003: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
CVE-2022-42004: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays.
When running Apache Cassandra with
the following configuration:
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
it is possible for an attacker to execute arbitrary code on
the host. The attacker would need to have enough permissions
to create user defined functions in the cluster to be able
to exploit this.
CVE-2022-46340/ZDI-CAN-19265: X.Org Server XTestSwapFakeInput stack
overflow
The swap handler for the XTestFakeInput request of the XTest extension
may corrupt the stack if GenericEvents with lengths larger than 32 bytes
are sent through a the XTestFakeInput request.
This issue does not affect systems where client and server use the same
byte order.
CVE-2022-46341/ZDI-CAN-19381: X.Org Server XIPassiveUngrab
out-of-bounds access
The handler for the XIPassiveUngrab request accesses out-of-bounds
memory when invoked with a high keycode or button code.
CVE-2022-46342/ZDI-CAN-19400: X.Org Server XvdiSelectVideoNotify
use-after-free
The handler for the XvdiSelectVideoNotify request may write to memory
after it has been freed.
CVE-2022-46343/ZDI-CAN-19404: X.Org Server ScreenSaverSetAttributes
use-after-free
The handler for the ScreenSaverSetAttributes request may write to memory
after it has been freed.
CVE-2022-46344/ZDI-CAN-19405: X.Org Server XIChangeProperty
out-of-bounds access
The handler for the XIChangeProperty request has a length-validation
issues, resulting in out-of-bounds memory reads and potential
information disclosure.
CVE-2022-4283/ZDI-CAN-19530: X.Org Server XkbGetKbdByName use-after-free
The XkbCopyNames function left a dangling pointer to freed memory,
resulting in out-of-bounds memory access on subsequent XkbGetKbdByName
requests.
A command injection vulnerability allows an
unauthenticated user to execute arbitrary code on a server
running Cacti, if a specific data source was selected for
any monitored device.
The biggest issue is resolving CVE-2022-4170, which allows command
execution inside urxvt from within the terminal (that means anything that
can output text in the terminal can start commands in the context of the
urxvt process, even remotely).
When doing HTTP(S) transfers, libcurl might erroneously
use the read callback
(CURLOPT_READFUNCTION) to ask for data to
send, even when the CURLOPT_POSTFIELDS
option has been set, if the same handle previously was
used to issue a PUT request which used that
callback. This flaw may surprise the application and
cause it to misbehave and either send off the wrong data
or use memory after free or similar in the subsequent
POST request. The problem exists in the
logic for a reused handle when it is changed from a PUT
to a POST.
curl can be told to parse a .netrc file for
credentials. If that file ends in a line with
consecutive non-white space letters and no newline, curl
could read past the end of the stack-based buffer, and
if the read works, write a zero byte possibly beyond its
boundary. This will in most cases cause a segfault or
similar, but circumstances might also cause different
outcomes. If a malicious user can provide a custom netrc
file to an application or otherwise affect its contents,
this flaw could be used as denial-of-service.
CVE-2022-42915: HTTP proxy double-free
f curl is told to use an HTTP proxy for a transfer with
a non-HTTP(S) URL, it sets up the connection to the
remote server by issuing a CONNECT request to the proxy,
and then tunnels the rest of protocol through. An HTTP
proxy might refuse this request (HTTP proxies often only
allow outgoing connections to specific port numbers,
like 443 for HTTPS) and instead return a non-200
response code to the client. Due to flaws in the
error/cleanup handling, this could trigger a double-free
in curl if one of the following schemes were used in the
URL for the transfer: dict, gopher, gophers, ldap,
ldaps, rtmp, rtmps, telnet
CVE-2022-42916: HSTS bypass via IDN
curl's HSTS check could be bypassed to trick it to keep
using HTTP. Using its HSTS support, curl can be
instructed to use HTTPS directly instead of using an
insecure clear-text HTTP step even when HTTP is provided
in the URL. This mechanism could be bypassed if the host
name in the given URL uses IDN characters that get
replaced to ASCII counterparts as part of the IDN
conversion. Like using the character UTF-8 U+3002
(IDEOGRAPHIC FULL STOP) instead of the common ASCII full
stop (U+002E) .. Like this: http://curlãÂÂseãÂÂ
This release contains 8 security fixes, including:
[1383991] High CVE-2022-4436: Use after free in Blink Media. Reported by Anonymous on 2022-11-15
[1394692] High CVE-2022-4437: Use after free in Mojo IPC. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-11-30
[1381871] High CVE-2022-4438: Use after free in Blink Frames. Reported by Anonymous on 2022-11-07
[1392661] High CVE-2022-4439: Use after free in Aura. Reported by Anonymous on 2022-11-22
[1382761] Medium CVE-2022-4440: Use after free in Profiles. Reported by Anonymous on 2022-11-09
gh-100001: python -m http.server no longer allows terminal control characters sent
within a garbage request to be printed to the stderr server log.
This is done by changing the http.server BaseHTTPRequestHandler .log_message method
to replace control characters with a \xHH hex escape before printing.
gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.
gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related
name resolution functions no longer involves a quadratic algorithm. This prevents a
potential CPU denial of service if an out-of-spec excessive length hostname involving
bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects
potentially allow for an attacker to supply such a name.
gh-98739: Update bundled libexpat to 2.5.0.
gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example
script. The script no longer uses a shell to run openssl commands. Issue reported and
initial fix by Caleb Shortt. Patch by Victor Stinner.
os, net/http: avoid escapes from os.DirFS and http.Dir on Windows
The os.DirFS function and http.Dir type provide access to a
tree of files rooted at a given directory. These functions
permitted access to Windows device files under that root. For
example, os.DirFS("C:/tmp").Open("COM1") would open the COM1 device.
Both os.DirFS and http.Dir only provide read-only filesystem access.
In addition, on Windows, an os.DirFS for the directory \(the root
of the current drive) can permit a maliciously crafted path to escape
from the drive and access any path on the system.
The behavior of os.DirFS("") has changed. Previously, an empty root
was treated equivalently to "/", so os.DirFS("").Open("tmp") would
open the path "/tmp". This now returns an error.
net/http: limit canonical header cache by bytes, not entries
An attacker can cause excessive memory growth in a Go server
accepting HTTP/2 requests. HTTP/2 server connections contain a
cache of HTTP header keys sent by the client. While the total number
of entries in this cache is capped, an attacker sending very large
keys can cause the server to allocate approximately 64 MiB per open
connection.
If an application that generates HTTP responses using the
cgi gem with untrusted user input, an attacker can exploit
it to inject a malicious HTTP response header and/or body.
Also, the contents for a CGI::Cookie object
were not checked properly. If an application creates a
CGI::Cookie object based on user input, an
attacker may exploit it to inject invalid attributes in
Set-Cookie header. We think such applications
are unlikely, but we have included a change to check
arguments for CGI::Cookie#initialize
preventatively.
A vulnerability identified in the Tailscale client allows a
malicious website to access the peer API, which can then be used
to access Tailscale environment variables.
If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
MITKRB5-SA-2022-001 Vulnerabilities in PAC parsing:
Due to an integer overflow vulnerabilities in PAC parsing
An authenticated attacker may be able to cause a KDC or kadmind
process to crash by reading beyond the bounds of allocated memory,
creating a denial of service.
On 32-bit platforms an authenticated attacker may be able to
cause heap corruption resulting in an RCE.
When using the forget password on the login page, a POST request is made
to the /api/user/password/sent-reset-email URL. When the username
or email does not exist, a JSON response contains a âÂÂuser not foundâ message.
The CVSS score for this vulnerability is 5.3 Moderate
IPython 8.0.1, 7.31.1 and 5.11 are security releases that change some
default values in order to prevent potential Execution with Unnecessary
Privileges.
On July 4th as a result of an internal security audit we have discovered
a bypass in the plugin signature verification by exploiting a versioning flaw.
We believe that this vulnerability is rated at CVSS 6.1
(CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L).
On September 7th as a result of an internal security audit we have discovered
that Grafana could leak the authentication cookie of users to plugins. After
further analysis the vulnerability impacts data source and plugin proxy
endpoints under certain conditions.
We believe that this vulnerability is rated at CVSS 6.8
(CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
Grafana admins can invite other members to the organization they are
an admin for. When admins add members to the organization, non existing users
get an email invite, existing members are added directly to the organization.
When an invite link is sent, it allows users to sign up with whatever
username/email address the user chooses and become a member of the organization.
The CVSS score for this vulnerability is 6.4 Moderate
On June 26 a security researcher contacted Grafana Labs to disclose
a vulnerability with the GitLab data source plugin that could leak the API key
to GitLab. After further analysis the vulnerability impacts data source
and plugin proxy endpoints with authentication tokens but under some conditions.
We believe that this vulnerability is rated at CVSS 4.9
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
On September 7, as a result of an internal security audit, we discovered
a security vulnerability in GrafanaâÂÂs basic authentication related to the usage
of username and email address.
n Grafana, a userâÂÂs username and email address are unique fields, which
means no other user can have the same username or email address as another user.
In addition, a user can have an email address as a username, and the Grafana
login allows users to sign in with either username or email address. This
creates an unusual behavior, where user_1 can register with one email
address and user_2 can register their username as user_1âÂÂs
email address. As a result, user_1 would be prevented from signing
in to Grafana, since user_1 password wonâÂÂt match with user_2
email address.
The CVSS score for this vulnerability is 4.3 moderate
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).
Internal security audit identified a race condition in the Grafana codebase,
which allowed an unauthenticated user to query an arbitrary endpoint in Grafana.
A race condition in the
HTTP context creation could make a HTTP request being assigned
the authentication/authorization middlewares of another call. Under heavy load
it is possible that a call protected by a privileged middleware receives instead
the middleware of a public query. As a result, an unauthenticated user can
successfully query protected endpoints.
The CVSS score for this vulnerability is 9.8 Critical
A request forgery attack can be performed on Varnish Cache servers that
have the HTTP/2 protocol turned on. An attacker may introduce
characters through the HTTP/2 pseudo-headers that are invalid in the
context of an HTTP/1 request line, causing the Varnish server to
produce invalid HTTP/1 requests to the backend. This may in turn be
used to successfully exploit vulnerabilities in a server behind the
Varnish server.
Fix an issue where a specially-crafted FTP packet can
cause Zeek to spend large amounts of time attempting to
search for valid commands in the data stream.
Fix a possible overflow in the Zeek dictionary code
that may lead to a memory leak.
Fix an issue where a specially-crafted packet can
cause Zeek to spend large amounts of time reporting
analyzer violations.
Fix a possible assert and crash in the HTTP analyzer
when receiving a specially crafted packet.
Fix an issue where a specially-crafted HTTP or SMTP
packet can cause Zeek to spend a large amount of time
attempting to search for filenames within the packet data.
Fix two separate possible crashes when converting
processed IP headers for logging via the raw_packet event
handlers.
A request smuggling attack can be performed on Varnish Cache servers by
requesting that certain headers are made hop-by-hop, preventing the
Varnish Cache servers from forwarding critical headers to the backend.
Among the headers that can be filtered this way are both Content-Length
and Host, making it possible for an attacker to both break the HTTP/1
protocol framing, and bypass request to host routing in VCL.
flaw was found in darkhttpd. Invalid error handling allows
remote attackers to cause denial-of-service by accessing a
file with a large modification date. The highest threat
from this vulnerability is to system availability.
Sudo 1.8.0 through 1.9.12, with the crypt() password backend,
contains a plugins/sudoers/auth/passwd.c array-out-of-bounds
error that can result in a heap-based buffer over-read. This
can be triggered by arbitrary local users with access to sudo
by entering a password of seven characters or fewer. The impact
could vary depending on the system libraries, compiler,
and processor architecture.
X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602) (High):
A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking.
X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)
(High): A buffer overrun can be triggered in X.509 certificate
verification, specifically in name constraint checking.
syscall, os/exec: unsanitized NUL in environment
variables
On Windows, syscall.StartProcess and os/exec.Cmd did not
properly check for invalid environment variable values. A
malicious environment variable value could exploit this
behavior to set a value for a different environment
variable. For example, the environment variable string
"A=B\x00C=D" set the variables "A=B" and "C=D".
This Critical Patch Update contains 37 new security patches for
Oracle MySQL. 11 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a
network without requiring user credentials
The DES (for Samba 4.11 and earlier) and Triple-DES decryption
routines in the Heimdal GSSAPI library allow a length-limited write
buffer overflow on malloc() allocated memory when presented with a
maliciously small packet.
This release contains 14 security fixes, including:
[1369871] High CVE-2022-3652: Type Confusion in V8. Reported by srodulv and ZNMchtss at S.S.L Team on 2022-09-30
[1354271] High CVE-2022-3653: Heap buffer overflow in Vulkan. Reported by SeongHwan Park (SeHwa) on 2022-08-19
[1365330] High CVE-2022-3654: Use after free in Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-09-19
[1343384] Medium CVE-2022-3655: Heap buffer overflow in Media Galleries. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-07-11
[1345275] Medium CVE-2022-3656: Insufficient data validation in File System. Reported by Ron Masas, Imperva on 2022-07-18
[1351177] Medium CVE-2022-3657: Use after free in Extensions. Reported by Omri Bushari, Talon Cyber Security on 2022-08-09
[1352817] Medium CVE-2022-3658: Use after free in Feedback service on Chrome OS. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-08-14
[1355560] Medium CVE-2022-3659: Use after free in Accessibility. Reported by @ginggilBesel on 2022-08-23
[1327505] Medium CVE-2022-3660: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2022-05-20
[1350111] Low CVE-2022-3661: Insufficient data validation in Extensions. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2022-08-04
gh-97616: Fix multiplying a list by an integer (list *= int): detect
the integer overflow when the new allocated length is close to the
maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner.
gh-97612: Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses
a shell to run openssl commands. Issue reported and initial fix by
Caleb Shortt. Patch by Victor Stinner.
Two security issues were identified in the ngx_http_mp4_module,
which might allow an attacker to cause a worker process crash
or worker process memory disclosure by using a specially crafted
mp4 file, or might have potential other impact (CVE-2022-41741,
CVE-2022-41742).
When relying on the `--local` clone optimization, Git dereferences
symbolic links in the source repository before creating hardlinks
(or copies) of the dereferenced link in the destination repository.
This can lead to surprising behavior where arbitrary files are
present in a repository's `$GIT_DIR` when cloning from a malicious
repository.
Git will no longer dereference symbolic links via the `--local`
clone mechanism, and will instead refuse to clone repositories that
have symbolic links present in the `$GIT_DIR/objects` directory.
Additionally, the value of `protocol.file.allow` is changed to be
"user" by default.
CVE-2022-39260
An overly-long command string given to `git shell` can result in
overflow in `split_cmdline()`, leading to arbitrary heap writes and
remote code execution when `git shell` is exposed and the directory
`$HOME/git-shell-commands` exists.
`git shell` is taught to refuse interactive commands that are
longer than 4MiB in size. `split_cmdline()` is hardened to reject
inputs larger than 2GiB.
[1364604] High CVE-2022-3445: Use after free in Skia. Reported by Nan Wang (@eternalsakura13) and Yong Liu of 360 Vulnerability Research Institute on 2022-09-16
[1368076] High CVE-2022-3446: Heap buffer overflow in WebSQL. Reported by Kaijie Xu (@kaijieguigui) on 2022-09-26
[1366582] High CVE-2022-3447: Inappropriate implementation in Custom Tabs. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2022-09-22
[1363040] High CVE-2022-3448: Use after free in Permissions API. Reported by raven at KunLun lab on 2022-09-13
[1364662] High CVE-2022-3449: Use after free in Safe Browsing. Reported by asnine on 2022-09-17
[1369882] High CVE-2022-3450: Use after free in Peer Connection. Reported by Anonymous on 2022-09-30
The KDC and the kpasswd service share a single account
and set of keys, allowing them to decrypt each other's
tickets. A user who has been requested to change their
password can exploit this to obtain and use tickets to
other services.
CVE-2022-32744
The KDC accepts kpasswd requests encrypted with any key
known to it. By encrypting forged kpasswd requests with
its own key, a user can change the passwords of other
users, enabling full domain takeover.
CVE-2022-32745
Samba AD users can cause the server to access
uninitialised data with an LDAP add or modify request,
usually resulting in a segmentation fault.
CVE-2022-32746
The AD DC database audit logging module can be made to
access LDAP message values that have been freed by a
preceding database module, resulting in a
use-after-free. This is only possible when modifying
certain privileged attributes, such as
userAccountControl.
CVE-2022-32742
SMB1 Client with write access to a share can cause
server memory contents to be written into a file or
printer.
Due to a mistake in error handling, data in RRDP snapshot and delta files
that isnâÂÂt correctly base 64 encoded is treated as a fatal error and causes
Routinator to exit.
Worst case impact of this vulnerability is denial of service for the RPKI
data that Routinator provides to routers. This may stop your network from
validating route origins based on RPKI data. This vulnerability does not
allow an attacker to manipulate RPKI data. We are not aware of exploitation
of this vulnerability at this point in time.
Starting with release 0.11.3, Routinator handles encoding errors by rejecting
the snapshot or delta file and continuing with validation. In case of an
invalid delta file, it will try using the snapshot instead. If a snapshot file
is invalid, the update of the repository will fail and an update through rsync
is attempted.
archive/tar: unbounded memory consumption when reading
headers
Reader.Read did not set a limit on the maximum size of
file headers. A maliciously crafted archive could cause
Read to allocate unbounded amounts of memory, potentially
causing resource exhaustion or panics. Reader.Read now
limits the maximum size of header blocks to 1 MiB.
net/http/httputil: ReverseProxy should not forward
unparseable query parameters
Requests forwarded by ReverseProxy included the raw
query parameters from the inbound request, including
unparseable parameters rejected by net/http. This could
permit query parameter smuggling when a Go proxy
forwards a parameter with an unparseable value.
ReverseProxy will now sanitize the query parameters in
the forwarded query when the outbound request's Form
field is set after the ReverseProxy.Director function
returns, indicating that the proxy has parsed the query
parameters. Proxies which do not parse query parameters
continue to forward the original query parameters
unchanged.
regexp/syntax: limit memory used by parsing regexps
The parsed regexp representation is linear in the size
of the input, but in some cases the constant factor can be
as high as 40,000, making relatively small regexps consume
much larger amounts of memory.
Each regexp being parsed is now limited to a 256 MB
memory footprint. Regular expressions whose
representation would use more space than that are now
rejected. Normal use of regular expressions is
unaffected.
Zydis users of versions v3.2.0 and older
that use the string functions provided in zycore in order to
append untrusted user data to the formatter buffer within
their custom formatter hooks can run into heap buffer
overflows. Older versions of Zydis failed to properly
initialize the string object within the formatter buffer,
forgetting to initialize a few fields, leaving their value
to chance. This could then in turn cause zycore functions
like ZyanStringAppend to make incorrect calculations for the
new target size, resulting in heap memory corruption.
A vulnerability named 'Non-Responsive Delegation Attack'
(NRDelegation Attack) has been discovered in various DNS
resolving software. The NRDelegation Attack works by having
a malicious delegation with a considerable number of non
responsive nameservers. The attack starts by querying a
resolver for a record that relies on those unresponsive
nameservers. The attack can cause a resolver to spend a lot
of time/resources resolving records under a malicious
delegation point where a considerable number of unresponsive
NS records reside. It can trigger high CPU usage in some
resolver implementations that continually look in the cache
for resolved NS records in that delegation.
Two critical severity vulnerabilities in end-to-end encryption were
found in the SDKs which power Element, Beeper, Cinny, SchildiChat,
Circuli, Synod.im and any other clients based on matrix-js-sdk,
matrix-ios-sdk or matrix-android-sdk2.
Rhodri James discovered a heap use-after-free vulnerability in the doContent function in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.
This release contains 20 security fixes, including:
[1358907] High CVE-2022-3304: Use after free in CSS. Reported by Anonymous on 2022-09-01
[1343104] High CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. Reported by NDevTK on 2022-07-09
[1319229] High CVE-2022-3305: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24
[1320139] High CVE-2022-3306: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27
[1323488] High CVE-2022-3307: Use after free in Media. Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08
[1342722] Medium CVE-2022-3308: Insufficient policy enforcement in Developer Tools. Reported by Andrea Cappa (zi0Black) @ Shielder on 2022-07-08
[1348415] Medium CVE-2022-3309: Use after free in Assistant. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2022-07-29
[1240065] Medium CVE-2022-3310: Insufficient policy enforcement in Custom Tabs. Reported by Ashwin Agrawal from Optus, Sydney on 2021-08-16
[1302813] Medium CVE-2022-3311: Use after free in Import. Reported by Samet Bekmezci @sametbekmezci on 2022-03-04
[1303306] Medium CVE-2022-3312: Insufficient validation of untrusted input in VPN. Reported by Andr.Ess on 2022-03-06
[1317904] Medium CVE-2022-3313: Incorrect security UI in Full Screen. Reported by Irvan Kurniawan (sourc7) on 2022-04-20
[1328708] Medium CVE-2022-3314: Use after free in Logging. Reported by Anonymous on 2022-05-24
[1322812] Medium CVE-2022-3315: Type confusion in Blink. Reported by Anonymous on 2022-05-05
[1333623] Low CVE-2022-3316: Insufficient validation of untrusted input in Safe Browsing. Reported by Sven Dysthe (@svn_dy) on 2022-06-07
[1300539] Low CVE-2022-3317: Insufficient validation of untrusted input in Intents. Reported by Hafiizh on 2022-02-24
[1318791] Low CVE-2022-3318: Use after free in ChromeOS Notifications. Reported by GraVity0 on 2022-04-22
Due to inconsistent handling of internal URIs Squid is
vulnerable to Exposure of Sensitive Information about
clients using the proxy. This problem allows a trusted
client to directly access cache manager information
bypassing the manager ACL protection. The available cache
manager information contains records of internal network
structure, client credentials, client identity and client
traffic behaviour.
On August 9 an internal security review identified a vulnerability
in the Grafana which allows an escalation from Admin privileges
to Server Admin when Auth proxy authentication is used.
Auth proxy allows to authenticate a user by only providing the username
(or email) in a X-WEBAUTH-USER HTTP header: the trust assumption
is that a front proxy will take care of authentication and that Grafana server
is publicly reachable only with this front proxy.
Executing a XAUTOCLAIM command on a stream key in a
specific state, with a specially crafted COUNT argument,
may cause an integer overflow, a subsequent heap overflow,
and potentially lead to remote code execution. The problem
affects Redis versions 7.0.0 or newer.
The org.postgresql/postgresql driver has been updated to version 42.4.1 to address CVE-2022-31197, which is an SQL injection risk that according to the CVE report, can only be exploited if an attacker controls the database to the extent that they can adjust relevant tables to have "malicious" column names.
This release includes 11 security fixes, including:
[1358381] High CVE-2022-3195: Out of bounds write in Storage. Reported by Ziling Chen and Nan Wang (@eternalsakura13) of 360 Vulnerability Research Institute on 2022-08-31
[1358090] High CVE-2022-3196: Use after free in PDF. Reported by triplepwns on 2022-08-30
[1358075] High CVE-2022-3197: Use after free in PDF. Reported by triplepwns on 2022-08-30
[1355682] High CVE-2022-3198: Use after free in PDF. Reported by MerdroidSG on 2022-08-23
[1355237] High CVE-2022-3199: Use after free in Frames. Reported by Anonymous on 2022-08-22
[1355103] High CVE-2022-3200: Heap buffer overflow in Internals. Reported by Richard Lorenz, SAP on 2022-08-22
[1343104] High CVE-2022-3201: Insufficient validation of untrusted input in DevTools. Reported by NDevTK on 2022-07-09
Events retrieved from a remote homeserver using /get_missing_events did
not have their signatures verified correctly. This could potentially allow
a remote homeserver to provide invalid/modified events to Dendrite via this
endpoint.
Note that this does not apply to events retrieved through other endpoints
(e.g. /event, /state) as they have been correctly verified.
Homeservers that have federation disabled are not vulnerable.
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal),
16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number
of digits in string form is above a limit to avoid potential denial of service attacks
due to the algorithmic complexity.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when
an URI path starts with //. Vulnerability discovered, and initial fix proposed, by
Hamza Avvan.
net/http: handle server errors after sending GOAWAY
A closing HTTP/2 server connection could hang forever
waiting for a clean shutdown that was preempted by a
subsequent fatal error. This failure mode could be
exploited to cause a denial of service.
net/url: JoinPath does not strip relative path components
in all circumstances
JoinPath and URL.JoinPath would not remove ../ path
components appended to a relative path.
On July 21, an internal security review identified an unauthorized file disclosure vulnerability in the Grafana Image Renderer plugin when HTTP remote rendering is used. The Chromium browser embedded in the Grafana Image Renderer allows for âÂÂprintingâ of unauthorized files in a PNG file. This makes it possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake data source (this applies if the user has admin permissions in Grafana).
zlib through 1.2.12 has a heap-based buffer over-read or buffer
overflow in inflate in inflate.c via a large gzip header extra
field.
Impact:
Applications that call inflateGetHeader may be vulnerable to a
buffer overflow. Note that inflateGetHeader is not used by anything
in the FreeBSD base system, but may be used by third party
software.
The vulnerabilities give an adversary who you share a
room with the ability to carry out a denial-of-service
attack against the affected clients, making it not show all
of a user's rooms or spaces and/or causing minor temporary
corruption.
This release contains 24 security fixes, including:
[1340253] Critical CVE-2022-3038: Use after free in Network Service. Reported by Sergei Glazunov of Google Project Zero on 2022-06-28
[1343348] High CVE-2022-3039: Use after free in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-07-11
[1341539] High CVE-2022-3040: Use after free in Layout. Reported by Anonymous on 2022-07-03
[1345947] High CVE-2022-3041: Use after free in WebSQL. Reported by Ziling Chen and Nan Wang(@eternalsakura13) of 360 Vulnerability Research Institute on 2022-07-20
[1338553] High CVE-2022-3042: Use after free in PhoneHub. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-06-22
[1336979] High CVE-2022-3043: Heap buffer overflow in Screen Capture. Reported by @ginggilBesel on 2022-06-16
[1051198] High CVE-2022-3044: Inappropriate implementation in Site Isolation. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-02-12
[1339648] High CVE-2022-3045: Insufficient validation of untrusted input in V8. Reported by Ben Noordhuis on 2022-06-26
[1346245] High CVE-2022-3046: Use after free in Browser Tag. Reported by Rong Jian of VRI on 2022-07-21
[1342586] Medium CVE-2022-3047: Insufficient policy enforcement in Extensions API. Reported by Maurice Dauer on 2022-07-07
[1303308] Medium CVE-2022-3048: Inappropriate implementation in Chrome OS lockscreen. Reported by Andr.Ess on 2022-03-06
[1316892] Medium CVE-2022-3049: Use after free in SplitScreen. Reported by @ginggilBesel on 2022-04-17
[1337132] Medium CVE-2022-3050: Heap buffer overflow in WebUI. Reported by Zhihua Yao of KunLun Lab on 2022-06-17
[1345245] Medium CVE-2022-3051: Heap buffer overflow in Exosphere. Reported by @ginggilBesel on 2022-07-18
[1346154] Medium CVE-2022-3052: Heap buffer overflow in Window Manager. Reported by Khalil Zhani on 2022-07-21
[1267867] Medium CVE-2022-3053: Inappropriate implementation in Pointer Lock. Reported by Jesper van den Ende (Pelican Party Studios) on 2021-11-08
[1290236] Medium CVE-2022-3054: Insufficient policy enforcement in DevTools. Reported by Kuilin Li on 2022-01-24
[1351969] Medium CVE-2022-3055: Use after free in Passwords. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-08-11
[1329460] Low CVE-2022-3056: Insufficient policy enforcement in Content Security Policy. Reported by Anonymous on 2022-05-26
[1336904] Low CVE-2022-3057: Inappropriate implementation in iframe Sandbox. Reported by Gareth Heyes on 2022-06-16
[1337676] Low CVE-2022-3058: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-06-20
Fix a possible overflow and crash in the ARP analyzer
when receiving a specially crafted packet. Due to the
possibility of this happening with packets received from
the network, this is a potential DoS vulnerability.
Fix a possible overflow and crash in the Modbus analyzer
when receiving a specially crafted packet. Due to the
possibility of this happening with packets received from
the network, this is a potential DoS vulnerability.
Fix two possible crashes when converting IP headers for
output via the raw_packet event. Due to the possibility of
this happening with packets received from the network, this
is a potential DoS vulnerability. Note that the raw_packet
event is not enabled by default so these are likely
low-severity issues.
Fix an abort related to an error related to the ordering
of record fields when processing DNS EDNS headers via events.
Due to the possibility of this happening with packets
received from the network, this is a potential DoS
vulnerability. Note that the dns_EDNS events are not
implemented by default so this is likely a low-severity
issue.
The power level parsing within gomatrixserverlib was failing to parse the "events_default"
key of the m.room.power_levels event, defaulting the event default power level to zero in all cases.
In rooms where the "events_default" power level had been changed, this could result in
events either being incorrectly authorised or rejected by Dendrite servers.
This release contains 11 security fixes, including:
[1349322] Critical CVE-2022-2852: Use after free in FedCM. Reported by Sergei Glazunov of Google Project Zero on 2022-08-02
[1337538] High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-06-18
[1345042] High CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-07-16
[1338135] High CVE-2022-2857: Use after free in Blink. Reported by Anonymous on 2022-06-21
[1341918] High CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
[1350097] High CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergei Glazunov of Google Project Zero on 2022-08-04
[1345630] High CVE-2022-2856: Insufficient validation of untrusted input in Intents. Reported by Ashley Shen and Christian Resell of Google Threat Analysis Group on 2022-07-19
[1338412] Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-22
[1345193] Medium CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on 2022-07-18
[1346236] Medium CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on 2022-07-21
A particular case of memory sharing is mishandled in the virtual
memory system. This is very similar to SA-21:08.vm, but with a
different root cause.
Impact:
An unprivileged local user process can maintain a mapping of a page
after it is freed, allowing that process to read private data
belonging to other processes or the kernel.
We have discovered a critical arbitrary file write vulnerability
in the rsync utility that allows malicious remote servers to write
arbitrary files inside the directories of connecting peers.
The server chooses which files/directories are sent to the client.
Due to the insufficient controls inside the do_server_recv function
a malicious rysnc server (or Man-in-The-Middle attacker) can
overwrite arbitrary files in the rsync client target directory and
subdirectories.
When dumping core and saving process information, proc_getargv()
might return an sbuf which have a sbuf_len() of 0 or -1, which is not
properly handled.
Impact:
An out-of-bound read can happen when user constructs a specially
crafted ps_string, which in turn can cause the kernel to crash.
The implementation of lib9p's handling of RWALK messages was
missing a bounds check needed when unpacking the message contents.
The missing check means that the receipt of a specially crafted
message will cause lib9p to overwrite unrelated memory.
Impact:
The bug can be triggered by a malicious bhyve guest kernel to
overwrite memory in the bhyve(8) process. This could potentially lead
to user-mode code execution on the host, subject to bhyve's Capsicum
sandbox.
A denial of service attack can be performed against Varnish Cache
servers by specially formatting the reason phrase of the backend response
status line. In order to execute an attack, the attacker would have to
be able to influence the HTTP/1 responses that the Varnish Server
receives from its configured backends. A successful attack would cause
the Varnish Server to assert and automatically restart.
When gnutls_pkcs7_verify cannot verify signature against
given trust list, it starts creating a chain of
certificates starting from identified signer up to known
root. During the creation of this chain the signer
certificate gets freed which results in double free when
the same signer certificate is freed at the end of the
algorithm.
In release 5.4.0 there were 3 vulnerabilities listed as
fixed in wolfSSL. Two relatively new reports, one dealing with a DTLS
1.0/1.2 denial of service attack and the other a ciphertext attack on
ECC/DH operations. The last vulnerability listed was a public
disclosure of a previous attack on AMD devices fixed since wolfSSL
version 5.1.0. Coordination of the disclosure of the attack was done
responsibly, in cooperation with the researchers, waiting for the
public release of the attack details since it affects multiple
security libraries.
novel type of the "ghost domain names" attack. The vulnerability
works by targeting an Unbound instance. Unbound is queried for a
rogue domain name when the cached delegation information is about to
expire. The rogue nameserver delays the response so that the cached
delegation information is expired. Upon receiving the delayed answer
containing the delegation information, Unbound overwrites the now
expired entries. This action can be repeated when the delegation
information is about to expire making the rogue delegation
information ever-updating.
novel type of the "ghost domain names" attack. The vulnerability
works by targeting an Unbound instance. Unbound is queried for a
subdomain of a rogue domain name. The rogue nameserver returns
delegation information for the subdomain that updates Unbound's
delegation cache. This action can be repeated before expiry of the
delegation information by querying Unbound for a second level
subdomain which the rogue nameserver provides new delegation
information.
This release contains 27 security fixes, including:
[1325699] High CVE-2022-2603: Use after free in Omnibox. Reported by Anonymous on 2022-05-16
[1335316] High CVE-2022-2604: Use after free in Safe Browsing. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-10
[1338470] High CVE-2022-2605: Out of bounds read in Dawn. Reported by Looben Yang on 2022-06-22
[1330489] High CVE-2022-2606: Use after free in Managed devices API. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-31
[1286203] High CVE-2022-2607: Use after free in Tab Strip. Reported by @ginggilBesel on 2022-01-11
[1330775] High CVE-2022-2608: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-06-01
[1338560] High CVE-2022-2609: Use after free in Nearby Share. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-06-22
[1278255] Medium CVE-2022-2610: Insufficient policy enforcement in Background Fetch. Reported by Maurice Dauer on 2021-12-09
[1320538] Medium CVE-2022-2611: Inappropriate implementation in Fullscreen API. Reported by Irvan Kurniawan (sourc7) on 2022-04-28
[1321350] Medium CVE-2022-2612: Side-channel information leakage in Keyboard input. Reported by Erik Kraft (erik.kraft5@gmx.at), Martin Schwarzl (martin.schwarzl@iaik.tugraz.at) on 2022-04-30
[1325256] Medium CVE-2022-2613: Use after free in Input. Reported by Piotr Tworek (Vewd) on 2022-05-13
[1341907] Medium CVE-2022-2614: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
[1268580] Medium CVE-2022-2615: Insufficient policy enforcement in Cookies. Reported by Maurice Dauer on 2021-11-10
[1302159] Medium CVE-2022-2616: Inappropriate implementation in Extensions API. Reported by Alesandro Ortiz on 2022-03-02
[1292451] Medium CVE-2022-2617: Use after free in Extensions API. Reported by @ginggilBesel on 2022-01-31
[1308422] Medium CVE-2022-2618: Insufficient validation of untrusted input in Internals. Reported by asnine on 2022-03-21
[1332881] Medium CVE-2022-2619: Insufficient validation of untrusted input in Settings. Reported by Oliver Dunk on 2022-06-04
[1337304] Medium CVE-2022-2620: Use after free in WebUI. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-17
[1323449] Medium CVE-2022-2621: Use after free in Extensions. Reported by Huyna at Viettel Cyber Security on 2022-05-07
[1332392] Medium CVE-2022-2622: Insufficient validation of untrusted input in Safe Browsing. Reported by Imre Rad (@ImreRad) and @j00sean on 2022-06-03
[1337798] Medium CVE-2022-2623: Use after free in Offline. Reported by raven at KunLun lab on 2022-06-20
[1339745] Medium CVE-2022-2624: Heap buffer overflow in PDF. Reported by YU-CHANG CHEN and CHIH-YEN CHANG, working with DEVCORE Internship Program on 2022-06-27
This Critical Patch Update contains 34 new security patches plus
additional third party patches noted below for Oracle MySQL. 10 of
these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without
requiring user credentials.
Easily exploitable vulnerability allows high privileged
attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox.
Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle VM VirtualBox.
It is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under some conditions.
An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. (Note: Grafana Alerting is activated by default in Grafana 9.0.)
net/http: improper sanitization of Transfer-Encoding
header
The HTTP/1 client accepted some invalid
Transfer-Encoding headers as indicating a "chunked"
encoding. This could potentially allow for request
smuggling, but only if combined with an intermediate
server that also improperly failed to reject the header
as invalid.
When httputil.ReverseProxy.ServeHTTP was called with a
Request.Header map containing a nil value for the
X-Forwarded-For header, ReverseProxy would set the client
IP as the value of the X-Forwarded-For header, contrary to
its documentation. In the more usual case where a Director
function set the X-Forwarded-For header value to nil,
ReverseProxy would leave the header unmodified as
expected.
compress/gzip: stack exhaustion in Reader.Read
Calling Reader.Read on an archive containing a large
number of concatenated 0-length compressed files can
cause a panic due to stack exhaustion.
encoding/xml: stack exhaustion in Unmarshal
Calling Unmarshal on a XML document into a Go struct
which has a nested field that uses the any field tag can
cause a panic due to stack exhaustion.
encoding/xml: stack exhaustion in Decoder.Skip
Calling Decoder.Skip when parsing a deeply nested XML
document can cause a panic due to stack exhaustion.
encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains
deeply nested structures can cause a panic due to stack
exhaustion.
path/filepath: stack exhaustion in Glob
Calling Glob on a path which contains a large number of
path separators can cause a panic due to stack
exhaustion.
io/fs: stack exhaustion in Glob
Calling Glob on a path which contains a large number of
path separators can cause a panic due to stack
exhaustion.
go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code
which contains deeply nested types or declarations can
cause a panic due to stack exhaustion.
Git is vulnerable to privilege escalation in all platforms.
An unsuspecting user could still be affected by the issue
reported in CVE-2022-24765, for example when navigating as
root into a shared tmp directory that is owned by them, but
where an attacker could create a git repository.
mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../
directory traversal during the ZIP archive cleaning process. This
primarily affects mat2 web instances, in which clients could obtain
sensitive information via a crafted archive.
HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding
(Medium)(CVE-2022-32213)
The llhttp parser in the http module does not correctly parse and
validate Transfer-Encoding headers. This can lead to HTTP Request
Smuggling (HRS).
HTTP Request Smuggling - Improper Delimiting of Header Fields
(Medium)(CVE-2022-32214)
The llhttp parser in the http module does not strictly use the CRLF
sequence to delimit HTTP requests. This can lead to HTTP Request
Smuggling (HRS).
HTTP Request Smuggling - Incorrect Parsing of Multi-line
Transfer-Encoding (Medium)(CVE-2022-32215)
The llhttp parser in the http module does not correctly handle
multi-line Transfer-Encoding headers. This can lead to HTTP Request
Smuggling (HRS).
DNS rebinding in --inspect via invalid IP addresses
(High)(CVE-2022-32212)
The IsAllowedHost check can easily be bypassed because IsIPAddress
does not properly check if an IP address is invalid or not. When an
invalid IPv4 address is provided (for instance 10.0.2.555 is
provided), browsers (such as Firefox) will make DNS requests to the
DNS server, providing a vector for an attacker-controlled DNS server
or a MITM who can spoof DNS responses to perform a rebinding attack
and hence connect to the WebSocket debugger, allowing for arbitrary
code execution. This is a bypass of CVE-2021-22884.
Attempt to read openssl.cnf from /home/iojs/build/ upon startup
(Medium)(CVE-2022-32222)
When Node.js starts on linux based systems, it attempts to read
/home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf,
which ordinarily doesn't exist. On some shared systems an attacker may
be able create this file and therefore affect the default OpenSSL
configuration for other users.
OpenSSL - AES OCB fails to encrypt some bytes
(Medium)(CVE-2022-2097)
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly
optimised implementation will not encrypt the entirety of the data
under some circumstances. This could reveal sixteen bytes of data that
was preexisting in the memory that wasn't written. In the special case
of "in place" encryption, sixteen bytes of the plaintext would be
revealed. Since OpenSSL does not support OCB based cipher suites for
TLS and DTLS, they are both unaffected.
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation will not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of data that was
preexisting in the memory that wasn't written. In the special case of
"in place" encryption, sixteen bytes of the plaintext would be revealed.
The OpenSSL 3.0.4 release introduced a serious bug in the RSA
implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
This issue makes the RSA implementation with 2048 bit private keys
incorrect on such machines and memory corruption will happen during
the computation. As a consequence of the memory corruption an attacker
may be able to trigger a remote code execution on the machine performing
the computation.
SSL/TLS servers or other servers using 2048 bit RSA private keys running
on machines supporting AVX512IFMA instructions of the X86_64 architecture
are affected by this issue.
This release fixes a vulnerability with Synapse's URL preview feature. URL previews
of some web pages can lead to unbounded recursion, causing the request to either fail,
or in some cases crash the running Synapse process.
Note that:
Homeservers with the url_preview_enabled configuration option set to false
(the default value) are unaffected.
Instances with the enable_media_repo configuration option set to false are
also unaffected, as this also disables the URL preview functionality.
In mitmproxy 7.0.4 and below, a malicious client or server is able to
perform HTTP request smuggling attacks through mitmproxy. This means
that a malicious client/server could smuggle a request/response through
mitmproxy as part of another request/response's HTTP message body. While
mitmproxy would only see one request, the target server would see
multiple requests. A smuggled request is still captured as part of
another request's body, but it does not appear in the request list and
does not go through the usual mitmproxy event hooks, where users may
have implemented custom access control checks or input sanitization.
Unless you use mitmproxy to protect an HTTP/1 service, no action is required.
CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop
mechanism. Apache HTTP Server 2.4.53 and earlier may not send the
X-Forwarded-* headers to the origin server based on client side
Connection header hop-by-hop mechanism. This may be used to bypass
IP based authentication on the origin server/application.
CVE-2022-30556: Information Disclosure in mod_lua with websockets.
Apache HTTP Server 2.4.53 and earlier may return lengths to
applications calling r:wsread() that point past the end of the
storage allocated for the buffer.
CVE-2022-30522: mod_sed denial of service. If Apache HTTP Server
2.4.53 is configured to do transformations with mod_sed in contexts
where the input to mod_sed may be very large, mod_sed may make
excessively large memory allocations and trigger an abort.
CVE-2022-29404: Denial of service in mod_lua r:parsebody. In Apache
HTTP Server 2.4.53 and earlier, a malicious request to a lua script
that calls r:parsebody(0) may cause a denial of service due to no
default limit on possible input size.
CVE-2022-28615: Read beyond bounds in ap_strcmp_match(). Apache
HTTP Server 2.4.53 and earlier may crash or disclose information due
to a read beyond bounds in ap_strcmp_match() when provided with an
extremely large input buffer. While no code distributed with the
server can be coerced into such a call, third-party modules or lua
scripts that use ap_strcmp_match() may hypothetically be affected.
CVE-2022-28614: read beyond bounds via ap_rwrite(). The ap_rwrite()
function in Apache HTTP Server 2.4.53 and earlier may read unintended
memory if an attacker can cause the server to reflect very large
input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts()
function.
CVE-2022-28330: read beyond bounds in mod_isapi. Apache HTTP Server
2.4.53 and earlier on Windows may read beyond bounds when configured
to process requests with the mod_isapi module.
CVE-2022-26377: mod_proxy_ajp: Possible request smuggling.
Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it forwards
requests to.
crypto/rand: rand.Read hangs with extremely large buffers
On Windows, rand.Read will hang indefinitely if passed a
buffer larger than 1 << 32 - 1 bytes.
crypto/tls: session tickets lack random ticket_age_add
Session tickets generated by crypto/tls did not contain
a randomly generated ticket_age_add. This allows an
attacker that can observe TLS handshakes to correlate
successive connections by comparing ticket ages during
session resumption.
os/exec: empty Cmd.Path can result in running unintended
binary on Windows
If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or
cmd.CombinedOutput are executed when Cmd.Path is unset
and, in the working directory, there are binaries named
either "..com" or "..exe", they will be executed.
path/filepath: Clean(`.\c:`) returns `c:` on Windows
On Windows, the filepath.Clean function could convert an
invalid path to a valid, absolute path. For example,
Clean(`.\c:`) returned `c:`.
Fix potential hang in the DNS analyzer when receiving
a specially-crafted packet. Due to the possibility of
this happening with packets received from the network,
this is a potential DoS vulnerability.
This release contains 32 security fixes, including:
[1324864] Critical CVE-2022-1853: Use after free in Indexed DB. Reported by Anonymous on 2022-05-12
[1320024] High CVE-2022-1854: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-04-27
[1228661] High CVE-2022-1855: Use after free in Messaging. Reported by Anonymous on 2021-07-13
[1323239] High CVE-2022-1856: Use after free in User Education. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-06
[1227995] High CVE-2022-1857: Insufficient policy enforcement in File System API. Reported by Daniel Rhea on 2021-07-11
[1314310] High CVE-2022-1858: Out of bounds read in DevTools. Reported by EllisVlad on 2022-04-07
[1322744] High CVE-2022-1859: Use after free in Performance Manager. Reported by Guannan Wang (@Keenan7310) of Tencent Security Xuanwu Lab on 2022-05-05
[1297209] High CVE-2022-1860: Use after free in UI Foundations. Reported by @ginggilBesel on 2022-02-15
[1316846] High CVE-2022-1861: Use after free in Sharing. Reported by Khalil Zhani on 2022-04-16
[1236325] Medium CVE-2022-1862: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2021-08-04
[1292870] Medium CVE-2022-1863: Use after free in Tab Groups. Reported by David Erceg on 2022-02-01
[1320624] Medium CVE-2022-1864: Use after free in WebApp Installs. Reported by Yuntao You (@GraVity0) of Bytedance Wuheng Lab on 2022-04-28
[1289192] Medium CVE-2022-1865: Use after free in Bookmarks. Reported by Rong Jian of VRI on 2022-01-20
[1292264] Medium CVE-2022-1866: Use after free in Tablet Mode. Reported by @ginggilBesel on 2022-01-29
[1315563] Medium CVE-2022-1867: Insufficient validation of untrusted input in Data Transfer. Reported by Michal Bentkowski of Securitum on 2022-04-12
[1301203] Medium CVE-2022-1868: Inappropriate implementation in Extensions API. Reported by Alesandro Ortiz on 2022-02-28
[1309467] Medium CVE-2022-1869: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2022-03-23
[1323236] Medium CVE-2022-1870: Use after free in App Service. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-06
[1308199] Low CVE-2022-1871: Insufficient policy enforcement in File System API. Reported by Thomas Orlita on 2022-03-21
[1310461] Low CVE-2022-1872: Insufficient policy enforcement in Extensions API. Reported by ChaobinZhang on 2022-03-26
[1305394] Low CVE-2022-1873: Insufficient policy enforcement in COOP. Reported by NDevTK on 2022-03-11
[1251588] Low CVE-2022-1874: Insufficient policy enforcement in Safe Browsing. Reported by hjy79425575 on 2021-09-21
[1306443] Low CVE-2022-1875: Inappropriate implementation in PDF. Reported by NDevTK on 2022-03-15
[1313600] Low CVE-2022-1876: Heap buffer overflow in DevTools. Reported by @ginggilBesel on 2022-04-06
The 2022 April Critical Patch Update contains 43 new security
patches for Oracle MySQL. 11 of these vulnerabilities may be
remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials.
Fixed a possible double-free vulnerability in the OLE2 file
parser. Issue affects versions 0.104.0 through 0.104.2. Issue
identified by OSS-Fuzz.
Fixed a possible infinite loop vulnerability in the CHM file
parser. Issue affects versions 0.104.0 through 0.104.2 and LTS
version 0.103.5 and prior versions. Thank you to Michaà  Dardas
for reporting this issue.
Fixed a possible NULL-pointer dereference crash in the scan
verdict cache check. Issue affects versions 0.103.4, 0.103.5,
0.104.1, and 0.104.2. Thank you to Alexander Patrakov and
Antoine Gatineau for reporting this issue.
Fixed a possible infinite loop vulnerability in the TIFF file
parser. Issue affects versions 0.104.0 through 0.104.2 and LTS
version 0.103.5 and prior versions. The issue only occurs if the
"--alert-broken-media" ClamScan option is enabled. For ClamD,
the affected option is "AlertBrokenMedia yes", and for libclamav
it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option. Thank
you to Michaà  Dardas for reporting this issue.
Fixed a possible memory leak in the HTML file parser /
Javascript normalizer. Issue affects versions 0.104.0 through
0.104.2 and LTS version 0.103.5 and prior versions. Thank you to
Michaà  Dardas for reporting this issue.
Fixed a possible multi-byte heap buffer overflow write
vulnerability in the signature database load module. The fix was
to update the vendored regex library to the latest version.
Issue affects versions 0.104.0 through 0.104.2 and LTS version
0.103.5 and prior versions. Thank you to Michaà  Dardas for
reporting this issue.
When called with a non-zero flags parameter, the
syscall.Faccessat function could incorrectly report that a
file is accessible. This bug only occurs on Linux systems.
Confine additional operations within "security restricted
operation" sandboxes.
Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW,
and pg_amcheck activated the "security restricted operation" protection
mechanism too late, or even not at all in some code paths.
A user having permission to create non-temporary objects within a
database could define an object that would execute arbitrary SQL
code with superuser permissions the next time that autovacuum
processed the object, or that some superuser ran one of the affected
commands against it.
This release contains 13 security fixes, including:
[1316990] High CVE-2022-1633: Use after free in Sharesheet. Reported by Khalil Zhani on 2022-04-18
[1314908] High CVE-2022-1634: Use after free in Browser UI. Reported by Khalil Zhani on 2022-04-09
[1319797] High CVE-2022-1635: Use after free in Permission Prompts. Reported by Anonymous on 2022-04-26
[1297283] High CVE-2022-1636: Use after free in Performance APIs. Reported by Seth Brenith, Microsoft on 2022-02-15
[1311820] High CVE-2022-1637: Inappropriate implementation in Web Contents. Reported by Alesandro Ortiz on 2022-03-31
[1316946] High CVE-2022-1638: Heap buffer overflow in V8 Internationalization. Reported by DoHyun Lee (@l33d0hyun) of DNSLab, Korea University on 2022-04-17
[1317650] High CVE-2022-1639: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-04-19
[1320592] High CVE-2022-1640: Use after free in Sharing. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-28
[1305068] Medium CVE-2022-1641: Use after free in Web UI Diagnostics. Reported by Rong Jian of VRI on 2022-03-10
Modules for TCP syslog reception have a heap buffer
overflow when octet-counted framing is used. The attacker
can corrupt heap values, leading to data integrity issues
and availability impact. Remote code execution is unlikely
to happen but not impossible..
The c_rehash script allows command injection (CVE-2022-1292)
(Moderate) The c_rehash script does not properly sanitise shell
metacharacters to prevent command injection. This script is distributed
by some operating systems in a manner where it is automatically
executed. On such operating systems, an attacker could execute arbitrary
commands with the privileges of the script.
OCSP_basic_verify may incorrectly verify the response signing
certificate (CVE-2022-1343) (Moderate) The function
`OCSP_basic_verify` verifies the signer certificate on an OCSP response.
In the case where the (non-default) flag OCSP_NOCHECKS is used then the
response will be positive (meaning a successful verification) even in
the case where the response signing certificate fails to verify.
Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434)
(Low) The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite
incorrectly uses the AAD data as the MAC key. This makes the MAC key
trivially predictable.
Resource leakage when decoding certificates and keys (CVE-2022-1473)
(Low) The OPENSSL_LH_flush() function, which empties a hash table,
containsa bug that breaks reuse of the memory occuppied by the removed
hash table entries.
The code vulnerability can be easily exploited by an
attacker by sending a malicious email to a victim that
uses RainLoop as a mail client. When the email is viewed
by the victim, the attacker gains full control over the
session of the victim and can steal any of their emails,
including those that contain highly sensitive information
such as passwords, documents, and password reset links.
A large (more than 5 MB) PEM input can cause a stack
overflow in Decode, leading the program to crash.
crypto/elliptic: tolerate all oversized scalars in generic
P-256.
A crafted scalar input longer than 32 bytes can
cause P256().ScalarMult or P256().ScalarBaseMult to panic.
Indirect uses through crypto/ecdsa and crypto/tls are
unaffected. amd64, arm64, ppc64le, and s390x are
unaffected.
crypto/x509: non-compliant certificates can cause a panic
in Verify on macOS in Go 1.18.
Verifying certificate chains containing certificates
which are not compliant with RFC 5280 causes
Certificate.Verify to panic on macOS. These chains can be
delivered through TLS and can cause a crypto/tls or
net/http client to crash.
This is an announcement to let you know that Rails 7.0.2.4, 6.1.5.1,
6.0.4.8, and 5.2.7.1 have been released!
These are security releases so please update as soon as you can. Once
again we've made these releases based on the last release tag, so
hopefully upgrading will go smoothly.
The releases address two vulnerabilities, CVE-2022-22577, and
CVS-2022-27777. They are both XSS vulnerabilities, so please take a look
at the forum posts to see how (or if) they might possibly impact your
application.
Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted RESP mult-bulk protocol data.
When parsing multi-bulk (array-like) replies, hiredis fails to check if count * sizeof(redisReply*) can be represented in SIZE_MAX. If it can not, and the calloc() call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow.
This release contains 30 security fixes, including:
[1313905] High CVE-2022-1477: Use after free in Vulkan. Reported by SeongHwan Park (SeHwa) on 2022-04-06
[1299261] High CVE-2022-1478: Use after free in SwiftShader. Reported by SeongHwan Park (SeHwa) on 2022-02-20
[1305190] High CVE-2022-1479: Use after free in ANGLE. Reported by Jeonghoon Shin of Theori on 2022-03-10
[1307223] High CVE-2022-1480: Use after free in Device API. Reported by @uwu7586 on 2022-03-17
[1302949] High CVE-2022-1481: Use after free in Sharing. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-03-04
[1304987] High CVE-2022-1482: Inappropriate implementation in WebGL. Reported by Christoph Diehl, Microsoft on 2022-03-10
[1314754] High CVE-2022-1483: Heap buffer overflow in WebGPU. Reported by Mark Brand of Google Project Zero on 2022-04-08
[1297429] Medium CVE-2022-1484: Heap buffer overflow in Web UI Settings. Reported by Chaoyuan Peng (@ret2happy) on 2022-02-15
[1299743] Medium CVE-2022-1485: Use after free in File System API. Reported by Anonymous on 2022-02-22
[1314616] Medium CVE-2022-1486: Type Confusion in V8. Reported by Brendon Tiszka on 2022-04-08
[1304368] Medium CVE-2022-1487: Use after free in Ozone. Reported by Sri on 2022-03-09
[1302959] Medium CVE-2022-1488: Inappropriate implementation in Extensions API. Reported by Thomas Beverley from Wavebox.io on 2022-03-04
[1300561] Medium CVE-2022-1489: Out of bounds memory access in UI Shelf. Reported by Khalil Zhani on 2022-02-25
[1301840] Medium CVE-2022-1490: Use after free in Browser Switcher. Reported by raven at KunLun lab on 2022-03-01
[1305706] Medium CVE-2022-1491: Use after free in Bookmarks. Reported by raven at KunLun lab on 2022-03-12
[1315040] Medium CVE-2022-1492: Insufficient data validation in Blink Editing. Reported by Michal Bentkowski of Securitum on 2022-04-11
[1275414] Medium CVE-2022-1493: Use after free in Dev Tools. Reported by Zhihua Yao of KunLun Lab on 2021-12-01
[1298122] Medium CVE-2022-1494: Insufficient data validation in Trusted Types. Reported by Masato Kinugawa on 2022-02-17
[1301180] Medium CVE-2022-1495: Incorrect security UI in Downloads. Reported by Umar Farooq on 2022-02-28
[1306391] Medium CVE-2022-1496: Use after free in File Manager. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2022-03-15
[1264543] Medium CVE-2022-1497: Inappropriate implementation in Input. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-10-29
[1297138] Low CVE-2022-1498: Inappropriate implementation in HTML Parser. Reported by SeungJu Oh (@real_as3617) on 2022-02-14
[1000408] Low CVE-2022-1499: Inappropriate implementation in WebAuthentication. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-09-04
[1223475] Low CVE-2022-1500: Insufficient data validation in Dev Tools. Reported by Hoang Nguyen on 2021-06-25
[1293191] Low CVE-2022-1501: Inappropriate implementation in iframe. Reported by Oriol Brufau on 2022-02-02
By exploiting weaknesses in the Lua script execution
environment, an attacker with access to Redis can inject
Lua code that will execute with the (potentially higher)
privileges of another Redis user.
CVE-2022-24736
An attacker attempting to load a specially crafted Lua
script can cause NULL pointer dereference which will
result with a crash of the redis-server process.
Fix potential unbounded state growth in the FTP
analyzer when receiving a specially-crafted stream of
commands. This may lead to a buffer overflow and cause
Zeek to crash. Due to the possibility of this happening
with packets received from the network, this is a potential
DoS vulnerabilty.
An arbitrary file write vulnerability was found in GNU
gzip's zgrep utility. When zgrep is applied on the
attacker's chosen file name (for example, a crafted
file name), this can overwrite an attacker's content
to an arbitrary attacker-selected file. This flaw
occurs due to insufficient validation when processing
filenames with two or more newlines where selected
content and the target file names are embedded in
crafted multi-line file names. This flaw allows a
remote, low privileged attacker to force zgrep to
write arbitrary files on the system.
SMTP Command Injection in Appointment Emails via Newlines: as newlines
and special characters are not sanitized in the email value in the JSON
request, a malicious attacker can inject newlines to break out of the
`RCPT TO:` SMTP command and begin injecting
arbitrary SMTP commands.
AST-2022-001 - When using STIR/SHAKEN, its possible
to download files that are not certificates. These files
could be much larger than what you would expect to
download.
AST-2022-002 - When using STIR/SHAKEN, its possible
to send arbitrary requests like GET to interfaces such
as localhost using the Identity header.
Some databases can use backslashes to escape certain
characters, such as backticks. If input is provided to
func_odbc which includes backslashes it is possible for
func_odbc to construct a broken SQL query and the SQL
query to fail.
Due to a bug in an internal function that converts a String
to a Float, some convertion methods like Kernel#Float
and String#to_f could cause buffer over-read.
A typical consequence is a process termination due to
segmentation fault, but in a limited circumstances, it may
be exploitable for illegal memory read.
The Composer method VcsDriver::getFileContent() with
user-controlled $file or $identifier arguments is susceptible
to an argument injection vulnerability. It can be leveraged
to gain arbitrary command execution if the Mercurial or
the Git driver are used.
Subversion servers reveal 'copyfrom' paths that should be hidden according
to configured path-based authorization (authz) rules. When a node has been
copied from a protected location, users with access to the copy can see the
'copyfrom' path of the original. This also reveals the fact that the node
was copied. Only the 'copyfrom' path is revealed; not its contents. Both
httpd and svnserve servers are vulnerable.
While looking up path-based authorization rules, mod_dav_svn servers
may attempt to use memory which has already been freed.
Due to a bug in the Regexp compilation process, creating
a Regexp object with a crafted source string could cause
the same memory to be freed twice. This is known as a
"double free" vulnerability. Note that, in general, it
is considered unsafe to create and use a Regexp object
generated from untrusted input. In this case, however,
following a comprehensive assessment, we treat this issue
as a vulnerability.
mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in message parts, for example fragments of other messages, passphrases or keys in replys
The total size of the user-provided nmreq to nmreq_copyin() was
first computed and then trusted during the copyin. This
time-of-check to time-of-use bug could lead to kernel memory
corruption. [CVE-2022-23084]
A user-provided integer option was passed to nmreq_copyin() without
checking if it would overflow. This insufficient bounds checking
could lead to kernel memory corruption. [CVE-2022-23085]
Impact:
On systems configured to include netmap in their devfs_ruleset, a
privileged process running in a jail can affect the host
environment.
Certain inputs can cause zlib's compression routine to overwrite an
internal buffer with compressed data. This issue may require the use
of uncommon or non-default compression parameters.
Impact:
The out-of-bounds write may result in memory corruption and an
application crash or kernel panic.
Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and
mpt drivers allocated a buffer of a caller-specified size, but
copied to it a fixed size header. Other heap content would be
overwritten if the specified size was too small.
Impact:
Users with access to the mpr, mps or mpt device node may overwrite
heap data, potentially resulting in privilege escalation. Note that
the device node is only accessible to root and members of the operator
group.
The e1000 network adapters permit a variety of modifications to an
Ethernet packet when it is being transmitted. These include the
insertion of IP and TCP checksums, insertion of an Ethernet VLAN
header, and TCP segmentation offload ("TSO"). The e1000 device model
uses an on-stack buffer to generate the modified packet header when
simulating these modifications on transmitted packets.
When checksum offload is requested for a transmitted packet, the
e1000 device model used a guest-provided value to specify the checksum
offset in the on-stack buffer. The offset was not validated for
certain packet types.
Impact:
A misbehaving bhyve guest could overwrite memory in the bhyve
process on the host, possibly leading to code execution in the host
context.
The bhyve process runs in a Capsicum sandbox, which (depending on
the FreeBSD version and bhyve configuration) limits the impact of
exploiting this issue.
The 802.11 beacon handling routine failed to validate the length of
an IEEE 802.11s Mesh ID before copying it to a heap-allocated
buffer.
Impact:
While a FreeBSD Wi-Fi client is in scanning mode (i.e., not
associated with a SSID) a malicious beacon frame may overwrite kernel
memory, leading to remote code execution.
Possible vulnerability [...] found in latest dnsmasq. It [was] found
with help of oss-fuzz Google project by me and short after that
independently also by Richard Johnson of Trellix Threat Labs.
It is affected only by DHCPv6 requests, which could be crafted to
modify already freed memory. [...] We think it might be triggered
remotely, but we do not think it could be used to execute remote
code.
When Gitea is built and configured for PAM authentication
it skips checking authorization completely. Therefore expired
accounts and accounts with expired passwords can still login.
When a location containing backslashes is presented, the existing
protections against open redirect are bypassed, because browsers
will convert adjacent forward and backslashes within the location
to double forward slashes.
A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.
On 64-bit platforms, an extremely deeply nested expression can
cause regexp.Compile to cause goroutine stack exhaustion, forcing
the program to exit. Note this applies to very large expressions, on
the order of 2MB.
OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. This issue is resolved in OpenVPN 2.4.12 and v2.5.6.
After changing the options weechat.network.gnutls_ca_system or
weechat.network.gnutls_ca_user, the TLS verification function is lost.
Consequently, any connection to a server with TLS is made without
verifying the certificate, which could lead to a man-in-the-middle
attack. Connection to IRC servers with TLS is affected, as well as any
connection a server made by a plugin or a script using the function
hook_connect.
This security and maintenance release features 1 bug fix in addition to 3 security fixes.
Because this is a security release, it is recommended that you update your sites immediately.
All versions since WordPress 3.7 have also been updated.
The security team would like to thank the following people for responsively reporting
vulnerabilities, allowing them to be fixed in this release:
-Melar Dev, for finding a Prototype Pollution Vulnerability in a jQuery dependency
-Ben Bidner of the WordPress security team, for finding a Stored Cross Site Scripting Vulnerability
-Researchers from Johns Hopkins University, for finding a Prototype Pollution Vulnerability in the block editor
The paper "Fragment and Forge: Breaking Wi-Fi Through Frame
Aggregation and Fragmentation" reported a number of security
vulnerabilities in the 802.11 specification related to frame
aggregation and fragmentation.
Additionally, FreeBSD 12.x missed length validation of SSIDs and
Information Elements (IEs).
Impact:
As reported on the FragAttacks website, the "design flaws are hard
to abuse because doing so requires user interaction or is only
possible when using uncommon network settings." Under suitable
conditions an attacker may be able to extract sensitive data or inject
data.
Infinite loop in BN_mod_sqrt() reachable when parsing certificates
(High)
The BN_mod_sqrt() function, which computes a modular square root,
contains a bug that can cause it to loop forever for non-prime
moduli.
Internally this function is used when parsing certificates that
contain elliptic curve public keys in compressed form or explicit
elliptic curve parameters with a base point encoded in compressed
form.
It is possible to trigger the infinite loop by crafting a
certificate that has invalid explicit curve parameters.
Since certificate parsing happens prior to verification of the
certificate signature, any process that parses an externally
supplied certificate may thus be subject to a denial of service
attack. The infinite loop can also be reached when parsing crafted
private keys as they can contain explicit elliptic curve
parameters.
Thus vulnerable situations include:
TLS clients consuming server certificates
TLS servers consuming client certificates
Hosting providers taking certificates or private keys from
customers
Certificate authorities parsing certification requests from
subscribers
Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the
attacker can control the parameter values are vulnerable to this DoS
issue.
httpd fails to close inbound connection when errors are
encountered discarding the request body, exposing the server to HTTP
Request Smuggling
core: Possible buffer overflow with very large or unlimited
LimitXMLRequestBody (low) (CVE-2022-22721)
If LimitXMLRequestBody
is set to allow request bodies larger than 350MB (defaults to 1M) on 32
bit systems an integer overflow happens which later causes out of
bounds writes.
This release contains 11 security fixes, including:
[1299422] Critical CVE-2022-0971: Use after free in Blink
Layout. Reported by Sergei Glazunov of Google Project Zero on
2022-02-21
[1301320] High CVE-2022-0972: Use after free in Extensions.
Reported by Sergei Glazunov of Google Project Zero on
2022-02-28
[1297498] High CVE-2022-0973: Use after free in Safe Browsing.
Reported by avaue and Buff3tts at S.S.L. on 2022-02-15
[1291986] High CVE-2022-0974: Use after free in Splitscreen.
Reported by @ginggilBesel on 2022-01-28
[1295411] High CVE-2022-0975: Use after free in ANGLE. Reported
by SeongHwan Park (SeHwa) on 2022-02-09
[1296866] High CVE-2022-0976: Heap buffer overflow in GPU.
Reported by Omair on 2022-02-13
[1299225] High CVE-2022-0977: Use after free in Browser UI.
Reported by Khalil Zhani on 2022-02-20
[1299264] High CVE-2022-0978: Use after free in ANGLE. Reported
by Cassidy Kim of Amber Security Lab, OPPO Mobile
Telecommunications Corp. Ltd. on 2022-02-20
[1302644] High CVE-2022-0979: Use after free in Safe Browsing.
Reported by anonymous on 2022-03-03
[1302157] Medium CVE-2022-0980: Use after free in New Tab Page.
Reported by Krace on 2022-03-02
Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. A map parser does not validate m_Channels value coming from a map file, leading to a buffer overflow. A malicious server may offer a specially crafted map that will overwrite client's stack causing denial of service or code execution.
AST-2022-004 - The header length on incoming STUN
messages that contain an ERROR-CODE attribute is not
properly checked. This can result in an integer underflow.
Note, this requires ICE or WebRTC support to be in use
with a malicious remote party.
AST-2022-005 - When acting as a UAC, and when placing
an outgoing call to a target that then forks Asterisk may
experience undefined behavior (crashes, hangs, etc) after
a dialog set is prematurely freed.
AST-2022-006 - If an incoming SIP message contains a
malformed multi-part body an out of bounds read access
may occur, which can result in undefined behavior. Note,
its currently uncertain if there is any externally
exploitable vector within Asterisk for this issue, but
providing this as a security issue out of caution.
This release contains 28 security fixes, including:
[1289383] High CVE-2022-0789: Heap buffer overflow in ANGLE.
Reported by SeongHwan Park (SeHwa) on 2022-01-21
[1274077] High CVE-2022-0790: Use after free in Cast UI.
Reported by Anonymous on 2021-11-26
[1278322] High CVE-2022-0791: Use after free in Omnibox.
Reported by Zhihua Yao of KunLun Lab on 2021-12-09
[1285885] High CVE-2022-0792: Out of bounds read in ANGLE.
Reported by Jaehun Jeong (@n3sk) of Theori on 2022-01-11
[1291728] High CVE-2022-0793: Use after free in Views. Reported
by Thomas Orlita on 2022-01-28
[1294097] High CVE-2022-0794: Use after free in WebShare.
Reported by Khalil Zhani on 2022-02-04
[1282782] High CVE-2022-0795: Type Confusion in Blink Layout.
Reported by 0x74960 on 2021-12-27
[1295786] High CVE-2022-0796: Use after free in Media. Reported
by Cassidy Kim of Amber Security Lab, OPPO Mobile
Telecommunications Corp. Ltd. on 2022-02-10
[1281908] High CVE-2022-0797: Out of bounds memory access in
Mojo. Reported by Sergei Glazunov of Google Project Zero on
2021-12-21
[1283402] Medium CVE-2022-0798: Use after free in MediaStream.
Reported by Samet Bekmezci @sametbekmezci on 2021-12-30
[1279188] Medium CVE-2022-0799: Insufficient policy enforcement
in Installer. Reported by Abdelhamid Naceri (halov) on
2021-12-12
[1242962] Medium CVE-2022-0800: Heap buffer overflow in Cast UI.
Reported by Khalil Zhani on 2021-08-24
[1231037] Medium CVE-2022-0801: Inappropriate implementation in
HTML parser. Reported by Michal Bentkowski of Securitum on
2021-07-20
[1270052] Medium CVE-2022-0802: Inappropriate implementation in
Full screen mode. Reported by Irvan Kurniawan (sourc7) on
2021-11-14
[1280233] Medium CVE-2022-0803: Inappropriate implementation in
Permissions. Reported by Abdulla Aldoseri on 2021-12-15
[1264561] Medium CVE-2022-0804: Inappropriate implementation in
Full screen mode. Reported by Irvan Kurniawan (sourc7) on
2021-10-29
[1290700] Medium CVE-2022-0805: Use after free in Browser
Switcher. Reported by raven at KunLun Lab on 2022-01-25
[1283434] Medium CVE-2022-0806: Data leak in Canvas. Reported by
Paril on 2021-12-31
[1287364] Medium CVE-2022-0807: Inappropriate implementation in
Autofill. Reported by Alesandro Ortiz on 2022-01-14
[1292271] Medium CVE-2022-0808: Use after free in Chrome OS
Shell. Reported by @ginggilBesel on 2022-01-29
[1293428] Medium CVE-2022-0809: Out of bounds memory access in
WebXR. Reported by @uwu7586 on 2022-02-03
The SVG sanitizer library enshrined/svg-sanitize before version
0.15.0 did not remove HTML elements wrapped in a CDATA section.
As a result, SVG content embedded in HTML (fetched as text/html)
was susceptible to cross-site scripting. Plain SVG files
(fetched as image/svg+xml) were not affected.
The ElGamal implementation in Crypto++ through 8.5 allows plaintext
recovery because, during interaction between two cryptographic
libraries, a certain dangerous combination of the prime defined by
the receiver's public key, the generator defined by the receiver's
public key, and the sender's ephemeral exponents can lead to a
cross-configuration attack against OpenPGP.
seatd-launch could use a user-specified socket path instead of the
internally generated socket path, and would unlink the socket path
before use to guard against collision with leftover sockets. This
meant that a caller could freely control what file path would be
unlinked and replaced with a user-owned seatd socket for the duration
of the session.
If seatd-launch had the SUID bit set, this could be used by a
malicious user to remove files with the privileges of the owner of
seatd-launch, which is likely root, and replace it with a user-owned
domain socket.
This does not directly allow retrieving the contents of existing
files, and the user-owned socket file is at the current time not
believed to be directly useful for further exploitation.
python-tuf is a Python reference implementation of The Update Framework (TUF). In both clients (`tuf/client` and `tuf/ngclient`), there is a path traversal vulnerability that in the worst case can overwrite files ending in `.json` anywhere on the client system on a call to `get_one_valid_targetinfo()`. It occurs because the rolename is used to form the filename, and may contain path traversal characters (ie `../../name.json`). The impact is mitigated by a few facts: It only affects implementations that allow arbitrary rolename selection for delegated targets metadata, The attack requires the ability to A) insert new metadata for the path-traversing role and B) get the role delegated by an existing targets metadata, The written file content is heavily restricted since it needs to be a valid, signed targets file. The file extension is always .json. A fix is available in version 0.19 or newer. There are no workarounds that do not require code changes. Clients can restrict the allowed character set for rolenames, or they can store metadata in files named in a way that is not vulnerable: neither of these approaches is possible without modifying python-tuf.
Recently, the Qt Project's security team was made aware of an issue regarding QProcess and determined it to be a security issue on Unix-based platforms only. We do not believe this to be a considerable risk for applications as the likelihood of it being triggered is minimal.
Specifically, the problem is around using QProcess to start an application without having an absolute path, and as a result, it depends on it finding it in the PATH environment variable. As a result, it may be possible for an attacker to place their copy of the executable in question inside the working/current directory for the QProcess and have it invoked that instead.
crypto/elliptic: fix IsOnCurve for big.Int values that are not
valid coordinates
Some big.Int values that are not valid field elements (negative or
overflowing) might cause Curve.IsOnCurve to incorrectly return true.
Operating on those values may cause a panic or an invalid curve
operation. Note that Unmarshal will never return such values.
math/big: prevent large memory consumption in Rat.SetString
An attacker can cause unbounded memory growth in a program using
(*Rat).SetString due to an unhandled overflow.
cmd/go: prevent branches from materializing into versions
A branch whose name resembles a version tag (such as "v1.0.0" or
"subdir/v2.0.0-dev") can be considered a valid version by the go
command. Materializing versions from branches might be unexpected
and bypass ACLs that limit the creation of tags but not branches.
This release contains 11 security fixes, including:
[1290008] High CVE-2022-0603: Use after free in File Manager.
Reported by Chaoyuan Peng (@ret2happy) on 2022-01-22
[1273397] High CVE-2022-0604: Heap buffer overflow in Tab
Groups. Reported by Krace on 2021-11-24
[1286940] High CVE-2022-0605: Use after free in Webstore API.
Reported by Thomas Orlita on 2022-01-13
[1288020] High CVE-2022-0606: Use after free in ANGLE. Reported
by Cassidy Kim of Amber Security Lab, OPPO Mobile
Telecommunications Corp. Ltd. on 2022-01-17
[1250655] High CVE-2022-0607: Use after free in GPU. Reported by
0x74960 on 2021-09-17
[1270333] High CVE-2022-0608: Integer overflow in Mojo. Reported
by Sergei Glazunov of Google Project Zero on 2021-11-16
An integer underflow leading to a heap overflow in the sesman server allows any unauthenticated attacker which is accessible to a sesman server (listens by default on localhost when installing xrdp, but can be remote if configured otherwise) to execute code as root.
Cookie and Authorization headers are leaked when following cross-origin redirects in twited.web.client.RedirectAgent and twisted.web.client.BrowserLikeRedirectAgent.
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.
Prototype pollution via console.table properties (Low)(CVE-2022-21824)
Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.
On Jan. 16, an external security researcher, Jasu Viding contacted Grafana to disclose an XSS vulnerability in the way that Grafana handles data sources. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).
On Jan. 18, security researchers @jub0bs and @abrahack contacted Grafana to disclose a CSRF vulnerability which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).
On Jan. 18, an external security researcher, Kürà Âad ALSAN from NSPECT.IO (@nspectio on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. This vulnerability only impacts the following API endpoints:
/teams/:teamId - an authenticated attacker can view unintended data by querying for the specific team ID.
/teams/:search - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.
/teams/:teamId/members - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.
We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
Some prompt expansion sequences, such as %F, support 'arguments'
which are themselves expanded in case they contain colour values,
etc. This additional expansion would trigger PROMPT_SUBST evaluation,
if enabled. This could be abused to execute code the user didn't
expect. e.g., given a certain prompt configuration, an attacker
could trick a user into executing arbitrary code by having them
check out a Git branch with a specially crafted name.
XLookupColor() and other X libraries function lack proper validation
of the length of their string parameters. If those parameters can be
controlled by an external application (for instance a color name that
can be emitted via a terminal control sequence) it can lead to the
emission of extra X protocol requests to the X server.
The Rust Security Response WG was notified that the
std::fs::remove_dir_all standard library function is vulnerable to a
race condition enabling symlink following (CWE-363). An attacker could
use this security issue to trick a privileged program into deleting
files and directories the attacker couldn't otherwise access or
delete.
When receiving QUIC frames in certain order, HTTP/3 server-side
implementation of h2o can be misguided to treat uninitialized
memory as HTTP/3 frames that have been received. When h2o is
used as a reverse proxy, an attacker can abuse this vulnerability
to send internal state of h2o to backend servers controlled by
the attacker or third party. Also, if there is an HTTP endpoint
that reflects the traffic sent from the client, an attacker can
use that reflector to obtain internal state of h2o.
This internal state includes traffic of other connections in
unencrypted form and TLS session tickets.
This vulnerability exists in h2o server with HTTP/3
support, between commit 93af138 and d1f0f65. None of the
released versions of h2o are affected by this vulnerability.
Under certain conditions involving use of the highlight buffer
while text is scrolling on the console, console data may overwrite
data structures associated with the system console or other kernel
memory.
Impact:
Users with access to the system console may be able to cause system
misbehaviour.
CVE-2021-43566: Malicious client using an SMB1 or NFS race to allow
a directory to be created in an area of the server file system not
exported under the share definition.
CVE-2021-44141: Information leak via symlinks of existance of files
or directories outside of the exported share.
A request smuggling attack can be performed on HTTP/1 connections on
Varnish Cache servers. The smuggled request would be treated as an additional
request by the Varnish server, go through normal VCL processing, and injected
as a spurious response on the client connection.
BN_mod_exp may produce incorrect results on MIPS (Moderate)
There is a carry propagation bug in the MIPS32 and MIPS64 squaring
procedure. Many EC algorithms are affected, including some of the
TLS 1.3 default curves. Impact was not analyzed in detail, because the
pre-requisites for attack are considered unlikely and include reusing
private keys. Analysis suggests that attacks against RSA and DSA as a
result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible
(although very difficult) because most of the work necessary to deduce
information about a private key may be performed offline. The amount
of resources required for such an attack would be significant.
However, for an attack on TLS to be meaningful, the server would have
to share the DH private key among multiple clients, which is no longer
an option since CVE-2016-0701.
[OpenEXR Version 3.1.4 is a] patch release that [...]
addresses one public security vulnerability:
CVE-2021-45942 Heap-buffer-overflow in
Imf_3_1::LineCompositeTask::execute [and several]
specific OSS-fuzz issues [...].
In Mustache.php v2.0.0 through v2.14.0, Sections tag can
lead to arbitrary php code execution even if
strict_callables is true when section value is
controllable.
We discovered a Local Privilege Escalation (from any user to root) in
polkit's pkexec, a SUID-root program that is installed by default on
every major Linux distribution.
Fixed a denial-of-service vulnerability in the gmp plugin that
was caused by an integer overflow when processing RSASSA-PSS
signatures with very large salt lengths. This vulnerability has
been registered as CVE-2021-41990.
Fixed a denial-of-service vulnerability in the in-memory
certificate cache if certificates are replaced and a very large
random value caused an integer overflow. This vulnerability has
been registered as CVE-2021-41991.
Fixed a vulnerability in the EAP client implementation
that was caused by incorrectly handling early EAP-Success
messages. It may allow to bypass the client and in some
scenarios even the server authentication, or could lead to
a denial-of-service attack. This vulnerability has been
registered as CVE-2021-45079.
AIDE before 0.17.4 allows local users to obtain root privileges
via crafted file metadata (such as XFS extended attributes or
tmpfs ACLs), because of a heap-based buffer overflow.
Aide uses a fixed size (16k bytes) for the return buffer in
encode_base64/decode_base64 functions. This results in a segfault
if aide processes a file with too large extended attribute value
or ACL.
This release contains 26 security fixes, including:
[1284367] Critical CVE-2022-0289: Use after free in Safe
browsing. Reported by Sergei Glazunov of Google Project Zero on
2022-01-05
[1260134][1260007] High CVE-2022-0290: Use after free in Site
isolation. Reported by Brendon Tiszka and Sergei Glazunov of
Google Project Zero on 2021-10-15
[1281084] High CVE-2022-0291: Inappropriate implementation in
Storage. Reported by Anonymous on 2021-12-19
[1270358] High CVE-2022-0292: Inappropriate implementation in
Fenced Frames. Reported by Brendon Tiszka on 2021-11-16
[1283371] High CVE-2022-0293: Use after free in Web packaging.
Reported by Rong Jian and Guang Gong of 360 Alpha Lab on
2021-12-30
[1273017] High CVE-2022-0294: Inappropriate implementation in
Push messaging. Reported by Rong Jian and Guang Gong of 360 Alpha
Lab on 2021-11-23
[1278180] High CVE-2022-0295: Use after free in Omnibox.
Reported by Weipeng Jiang (@Krace) and Guang Gong of 360
Vulnerability Research Institute on 2021-12-09
[1283375] High CVE-2022-0296: Use after free in Printing.
Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability
Research Institute on 2021-12-30
[1274316] High CVE-2022-0297: Use after free in Vulkan. Reported
by Cassidy Kim of Amber Security Lab, OPPO Mobile
Telecommunications Corp. Ltd. on 2021-11-28
[1212957] High CVE-2022-0298: Use after free in Scheduling.
Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-25
[1275438] High CVE-2022-0300: Use after free in Text Input
Method Editor. Reported by Rong Jian and Guang Gong of 360 Alpha
Lab on 2021-12-01
[1276331] High CVE-2022-0301: Heap buffer overflow in DevTools.
Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability
Research on 2021-12-03
[1278613] High CVE-2022-0302: Use after free in Omnibox.
Reported by Weipeng Jiang (@Krace) and Guang Gong of 360
Vulnerability Research Institute on 2021-12-10
[1281979] High CVE-2022-0303: Race in GPU Watchdog. Reported by
Yigit Can YILMAZ (@yilmazcanyigit) on 2021-12-22
[1282118] High CVE-2022-0304: Use after free in Bookmarks.
Reported by Rong Jian and Guang Gong of 360 Alpha Lab on
2021-12-22
[1282354] High CVE-2022-0305: Inappropriate implementation in
Service Worker API. Reported by @uwu7586 on 2021-12-23
[1283198] High CVE-2022-0306: Heap buffer overflow in PDFium.
Reported by Sergei Glazunov of Google Project Zero on
2021-12-29
[1281881] Medium CVE-2022-0307: Use after free in Optimization
Guide. Reported by Samet Bekmezci @sametbekmezci on
2021-12-21
[1282480] Medium CVE-2022-0308: Use after free in Data Transfer.
Reported by @ginggilBesel on 2021-12-24
[1240472] Medium CVE-2022-0309: Inappropriate implementation in
Autofill. Reported by Alesandro Ortiz on 2021-08-17
[1283805] Medium CVE-2022-0310: Heap buffer overflow in Task
Manager. Reported by Samet Bekmezci @sametbekmezci on
2022-01-03
[1283807] Medium CVE-2022-0311: Heap buffer overflow in Task
Manager. Reported by Samet Bekmezci @sametbekmezci on
2022-01-03
This Critical Patch Update contains 78 new security patches for
Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle
MySQL is 7.4
It was discovered that an internal Prosody library to load XML based on
does not properly restrict the XML features allowed in parsed
XML data. Given suitable attacker input, this results in expansion of
recursive entity references from DTDs (CWE-776). In addition,
depending on the libexpat version used, it may also allow injections
using XML External Entity References (CWE-611).
Fix for invalid pointer read that may cause a crash. This issue affects
0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the
CL_SCAN_GENERAL_COLLECT_METADATA scan option
(the clamscan --gen-json option) is enabled.
Fix a bug affecting both uriNormalizeSyntax* and uriMakeOwner*
functions where the text range in .hostText would not be duped using
malloc but remain unchanged (and hence "not owned") for URIs with
an IPv4 or IPv6 address hostname; depending on how an application
uses uriparser, this could lead the application into a use-after-free
situation.
As the second half, fix uriFreeUriMembers* functions that would not
free .hostText memory for URIs with an IPv4 or IPv6 address host;
also, calling uriFreeUriMembers* multiple times on a URI of this
very nature would result in trying to free pointers to stack
(rather than heap) memory.
Fix functions uriNormalizeSyntax* for out-of-memory situations
(i.e. malloc returning NULL) for URIs containing empty segments
(any of user info, host text, query, or fragment) where previously
pointers to stack (rather than heap) memory were freed.
This release contains 37 security fixes, including:
[$TBD][1275020] Critical CVE-2022-0096: Use after free in
Storage. Reported by Yangkang (@dnpushme) of 360 ATA on
2021-11-30
[1117173] High CVE-2022-0097: Inappropriate implementation in
DevTools. Reported by David Erceg on 2020-08-17
[1273609] High CVE-2022-0098: Use after free in Screen Capture.
Reported by @ginggilBesel on 2021-11-24
[1245629] High CVE-2022-0099: Use after free in Sign-in.
Reported by Rox on 2021-09-01
[1238209] High CVE-2022-0100: Heap buffer overflow in Media
streams API. Reported by Cassidy Kim of Amber Security Lab, OPPO
Mobile Telecommunications Corp. Ltd. on 2021-08-10
[1249426] High CVE-2022-0101: Heap buffer overflow in Bookmarks.
Reported by raven (@raid_akame) on 2021-09-14
[1260129] High CVE-2022-0102: Type Confusion in V8 . Reported by
Brendon Tiszka on 2021-10-14
[1272266] High CVE-2022-0103: Use after free in SwiftShader.
Reported by Abraruddin Khan and Omair on 2021-11-21
[1273661] High CVE-2022-0104: Heap buffer overflow in ANGLE.
Reported by Abraruddin Khan and Omair on 2021-11-25
[1274376] High CVE-2022-0105: Use after free in PDF. Reported by
Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications
Corp. Ltd. on 2021-11-28
[1278960] High CVE-2022-0106: Use after free in Autofill.
Reported by Khalil Zhani on 2021-12-10
[1248438] Medium CVE-2022-0107: Use after free in File Manager
API. Reported by raven (@raid_akame) on 2021-09-10
[1248444] Medium CVE-2022-0108: Inappropriate implementation in
Navigation. Reported by Luan Herrera (@lbherrera_) on
2021-09-10
[1261689] Medium CVE-2022-0109: Inappropriate implementation in
Autofill. Reported by Young Min Kim (@ylemkimon), CompSec Lab at
Seoul National University on 2021-10-20
[1237310] Medium CVE-2022-0110: Incorrect security UI in
Autofill. Reported by Alesandro Ortiz on 2021-08-06
[1241188] Medium CVE-2022-0111: Inappropriate implementation in
Navigation. Reported by garygreen on 2021-08-18
[1255713] Medium CVE-2022-0112: Incorrect security UI in Browser
UI. Reported by Thomas Orlita on 2021-10-04
[1039885] Medium CVE-2022-0113: Inappropriate implementation in
Blink. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
[1267627] Medium CVE-2022-0114: Out of bounds memory access in
Web Serial. Reported by Looben Yang on 2021-11-06
[1268903] Medium CVE-2022-0115: Uninitialized Use in File API.
Reported by Mark Brand of Google Project Zero on 2021-11-10
[1272250] Medium CVE-2022-0116: Inappropriate implementation in
Compositing. Reported by Irvan Kurniawan (sourc7) on
2021-11-20
[1115847] Low CVE-2022-0117: Policy bypass in Service Workers.
Reported by Dongsung Kim (@kid1ng) on 2020-08-13
[1238631] Low CVE-2022-0118: Inappropriate implementation in
WebShare. Reported by Alesandro Ortiz on 2021-08-11
[1262953] Low CVE-2022-0120: Inappropriate implementation in
Passwords. Reported by CHAKRAVARTHI (Ruler96) on 2021-10-25
OpenDMARC releases prior to 1.4.1 are susceptible to the following
vulnerabilities:
(CVE-2019-16378) OpenDMARC through 1.3.2 and 1.4.x through
1.4.0-Beta1 is prone to a signature-bypass vulnerability with
multiple From: addresses, which might affect applications that
consider a domain name to be relevant to the origin of an e-mail
message.
(CVE-2019-20790) OpenDMARC through 1.3.2 and 1.4.x, when used
with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC
authentication in situations where the HELO field is inconsistent
with the MAIL FROM field.
(CVE-2020-12272) OpenDMARC through 1.3.2 and 1.4.x allows
attacks that inject authentication results to provide false
information about the domain that originated an e-mail
message.
(CVE-2020-12460) OpenDMARC through 1.3.2 and 1.4.x through
1.4.0-Beta1 has improper null termination in the function
opendmarc_xml_parse that can result in a one-byte heap overflow in
opendmarc_xml when parsing a specially crafted DMARC aggregate
report. This can cause remote memory corruption.
If mbedtls_ssl_set_session() or mbedtls_ssl_get_session() were to
fail with MBEDTLS_ERR_SSL_ALLOC_FAILED (in an out of memory
condition), then calling mbedtls_ssl_session_free() and
mbedtls_ssl_free() in the usual manner would cause an internal
session buffer to be freed twice, due to two structures both having
valid pointers to it after a call to ssl_session_copy().
An attacker could potentially trigger the out of memory condition,
and therefore use this bug to create memory corruption, which could
then be further exploited or targetted.
OpenDMARC 1.4.1 and 1.4.1.1 will dereference a NULL pointer when
encountering a multi-value From: header field. A remote attacker can
send a specially crafted message resulting in a denial of service.
CVE-2021-45046 was issued shortly following the release of OpenSearch 1.2.1. This new CVE advises upgrading from Log4j 2.15.0 (used in OpenSearch 1.2.1) to Log4j 2.16.0. Out of an abundance of caution, the team is releasing OpenSearch 1.2.2 which includes Log4j 2.16.0. While there has been no observed reproduction of the issue described in CVE-2021-45046, Log4j 2.16.0 takes much more extensive JNDI mitigation measures.
CVE-2021-45105 for Log4j was issued after the release of OpenSearch 1.2.2. This CVE advises upgrading to Log4j 2.17.0. While there has been no observed reproduction of the issue described in CVE-2021-45105 in OpenSearch, we have released OpenSearch 1.2.3 which updates Log4j to version 2.17.0.
I ended up finding OpenGrok, and after careful testing, discovered that OpenGrok insecurely deserializes XML input, which can lead to Remote Code Execution. This vulnerability was found in all versions of OpenGrok <1.6.8 and was reported to Oracle. The vulnerability has now been patched in OpenGrok 1.6.9, and has been issued a CVE. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2322)
moderate: Possible NULL dereference or SSRF in forward proxy
configurations in Apache HTTP Server 2.4.51 and earlier (CVE-2021-44224)
A crafted URI sent to httpd configured as a forward proxy
(ProxyRequests on) can cause a crash (NULL pointer dereference) or, for
configurations mixing forward and reverse proxy declarations, can allow
for requests to be directed to a declared Unix Domain Socket endpoint
(Server Side Request Forgery).
high: Possible buffer overflow when parsing multipart content in
mod_lua of Apache HTTP Server 2.4.51 and earlier (CVE-2021-44790) A
carefully crafted request body can cause a buffer overflow in the
mod_lua multipart parser (r:parsebody() called from Lua scripts).
It was found that the fix to address CVE-2021-44228 in Apache
Log4j 2.15.0 was incomplete in certain non-default
configurations. This could allows attackers with control over
Thread Context Map (MDC) input data when the logging
configuration uses a non-default Pattern Layout with either a
Context Lookup (for example, $${ctx:loginId}) or a Thread
Context Map pattern (%X, %mdc, or %MDC) to craft malicious input
data using a JNDI Lookup pattern resulting in a denial of
service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt
to restrict JNDI LDAP lookups to localhost by default. Log4j
2.16.0 fixes this issue by removing support for message lookup
patterns and disabling JNDI functionality by default.
get_url_spec_param(): Free memory of compiled pattern spec
before bailing.
Reported by Joshua Rogers (Opera) who also provided the fix.
Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540.
process_encrypted_request_headers(): Free header memory when
failing to get the request destination.
Reported by Joshua Rogers (Opera) who also provided the fix.
Commit 0509c58045. OVE-20211201-0002. CVE-2021-44541.
send_http_request(): Prevent memory leaks when handling errors
Reported by Joshua Rogers (Opera) who also provided the fix.
Commit c48d1d6d08. OVE-20211201-0001. CVE-2021-44542.
Invalid handling of X509_verify_cert() internal errors in libssl
(Moderate)
Internally libssl in OpenSSL calls X509_verify_cert() on the client
side to verify a certificate supplied by a server. That function may
return a negative return value to indicate an internal error (for
example out of memory). Such a negative return value is mishandled by
OpenSSL and will cause an IO function (such as SSL_connect() or
SSL_do_handshake()) to not indicate success and a subsequent call to
SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY.
This return value is only supposed to be returned by OpenSSL if the
application has previously called SSL_CTX_set_cert_verify_callback().
Since most applications do not do this the
SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be
totally unexpected and applications may not behave correctly as a
result. The exact behaviour will depend on the application but it
could result in crashes, infinite loops or other similar incorrect
responses.
Today we are releasing security updates to libolm, matrix-js-sdk,
and several clients including Element Web / Desktop. Users are
encouraged to upgrade as soon as possible.
These releases mitigate a buffer overflow in olm_session_describe,
a libolm debugging function used by matrix-js-sdk in its end-to-end
encryption (E2EE) implementation. If you rely on matrix-js-sdk for
E2EE, you are affected.
A recently published security issue (CVE-2021-44228) affects several versions of the broadly-used Apache Log4j library. Some software in the OpenSearch project includes versions of Log4j referenced in this CVE. While, at time of writing, the team has not found a reproduceable example in OpenSearch of remote code execution (RCE) described in this issue, its severity is such that all users should take mitigation measures. As recommended by the advisory, the team has released OpenSearch 1.2.1, which updates Log4j to version 2.15.0. For those who cannot upgrade to 1.2.1, the Log4j website outlines additional measures to mitigate the issue. This patch release also addresses CVE-2021-4352 in the OpenSearch Docker distributions..
A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.
The vulnerable URL path is:/api/plugins/.*/markdown/.* for .md files
A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.
Apache Log4j2 JNDI features do not protect against attacker
controlled LDAP and other JNDI related endpoints. An attacker
who can control log messages or paramters can execute arbitrary
code from attacker-controller LDAP servers when message lookup
substitution is enabled.
If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victimâÂÂs browser.
The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.
There are two ways an unauthenticated user can open a page in Grafana that contains the login button:
Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.
The link is to an unauthenticated page. The following pages are vulnerable:
/dashboard-solo/snapshot/*
/dashboard/snapshot/*
/invite/:code
The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }}
An example of an expression would be: {{constructor.constructor(âÂÂalert(1)âÂÂ)()}}. This can be included in the link URL like this:
When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.
Incorrect initialization logic of RAR decoder objects in
7-Zip 18.03 and before can lead to usage of
uninitialized memory, allowing remote attackers to cause
a denial of service (segmentation fault) or execute
arbitrary code via a crafted RAR archive.
When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update usersâ roles in other organizations in which they are not an admin.
Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.
The vulnerable URL path is:/public/plugins/<âÂÂplugin-idâÂÂ> where <âÂÂplugin-idâÂÂ> is the plugin ID for any installed plugin.
Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:
net/http: limit growth of header canonicalization cache. An
attacker can cause unbounded memory growth in a Go server accepting
HTTP/2 requests.
syscall: donâÂÂt close fd 0 on ForkExec error. When a Go program
running on a Unix system is out of file descriptors and calls
syscall.ForkExec (including indirectly by using the os/exec
package), syscall.ForkExec can close file descriptor 0 as it fails.
If this happens (or can be provoked) repeatedly, it can result in
misdirected I/O such as writing network traffic intended for one
connection to a different connection, or content intended for one
file to a different one.
This release contains 22 security fixes, including:
[1267661] High CVE-2021-4052: Use after free in web apps.
Reported by Wei Yuan of MoyunSec VLab on 2021-11-07
[1267791] High CVE-2021-4053: Use after free in UI. Reported by
Rox on 2021-11-08
[1265806] High CVE-2021-4079: Out of bounds write in WebRTC.
Reported by Brendon Tiszka on 2021-11-01
[1239760] High CVE-2021-4054: Incorrect security UI in autofill.
Reported by Alesandro Ortiz on 2021-08-13
[1268738] High CVE-2021-4078: Type confusion in V8. Reported by
Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on
2021-11-09
[1266510] High CVE-2021-4055: Heap buffer overflow in
extensions. Reported by Chen Rong on 2021-11-03
[1260939] High CVE-2021-4056: Type Confusion in loader. Reported
by @__R0ng of 360 Alpha Lab on 2021-10-18
[1262183] High CVE-2021-4057: Use after free in file API.
Reported by Sergei Glazunov of Google Project Zero on
2021-10-21
[1267496] High CVE-2021-4058: Heap buffer overflow in ANGLE.
Reported by Abraruddin Khan and Omair on 2021-11-06
[1270990] High CVE-2021-4059: Insufficient data validation in
loader. Reported by Luan Herrera (@lbherrera_) on 2021-11-17
[1271456] High CVE-2021-4061: Type Confusion in V8. Reported by
Paolo Severini on 2021-11-18
[1272403] High CVE-2021-4062: Heap buffer overflow in BFCache.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2021-11-22
[1273176] High CVE-2021-4063: Use after free in developer tools.
Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability
Research on 2021-11-23
[1273197] High CVE-2021-4064: Use after free in screen capture.
Reported by @ginggilBesel on 2021-11-23
[1273674] High CVE-2021-4065: Use after free in autofill.
Reported by 5n1p3r0010 on 2021-11-25
[1274499] High CVE-2021-4066: Integer underflow in ANGLE.
Reported by Jaehun Jeong(@n3sk) of Theori on 2021-11-29
[1274641] High CVE-2021-4067: Use after free in window manager.
Reported by @ginggilBesel on 2021-11-29
[1265197] Low CVE-2021-4068: Insufficient validation of
untrusted input in new tab page. Reported by NDevTK on
2021-10-31
Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures (Critical)
NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR
are vulnerable to a heap overflow when handling DER-encoded DSA or
RSA-PSS signatures. Applications using NSS for handling signatures
encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be
impacted. Applications using NSS for certificate validation or other
TLS, X.509, OCSP or CRL functionality may be impacted, depending on
how they configure NSS.
A security vulnerability that causes buffer overflow when
you pass a very large string (> 700 MB) to
CGI.escape_html on a platform where
long type takes 4 bytes, typically, Windows.
The old versions of CGI::Cookie.parse applied
URL decoding to cookie names. An attacker could exploit
this vulnerability to spoof security prefixes in cookie
names, which may be able to trick a vulnerable
application.
By this fix, CGI::Cookie.parse no longer
decodes cookie names. Note that this is an incompatibility
if cookie names that you are using include
non-alphanumeric characters that are URL-encoded.
Date's parsing methods including Date.parse
are using Regexps internally, some of which are vulnerable
against regular expression denial of service. Applications
and libraries that apply such methods to untrusted input
may be affected.
This release patches one high severity issue affecting
Synapse installations 1.47.0 and earlier using the media repository.
An attacker could cause these Synapses to download a remote file
and store it in a directory outside the media repository.
Note that:
This only affects homeservers using Synapse's built-in media
repository, as opposed to synapse-s3-storage-provider or
matrix-media-repo.
Attackers cannot control the exact name or destination of the
stored file.
heap buffer overflow running advzip with "-l poc" option
Running 'advzip -l poc' with the attached file raises heap buffer overflow
which may allow a remote attacker to cause unspecified impact including denial-of-service attack.
I expected the program to terminate without segfault, but the program crashes as follow. [...]
A potential XSS attack via the user options page has been reported by
Harsh Jaiswal. This is fixed. CVE-2021-43331 (LP: #1949401).
A potential for for a list moderator to carry out an off-line brute force
attack to obtain the list admin password has been reported by Andre
Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed.
CVE-2021-43332 (LP: #1949403)
CVE-2021-23214: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
CVE-2021-23222: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007.
A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first pluginsync.
This Critical Patch Update contains 66 new security patches for
Oracle MySQL. 8 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle
MySQL is 9.8.
Note: MariaDB only vulnerable against CVE-2021-35604
packet.py in pyrad before 2.1 uses weak random numbers to generate RADIUS authenticators and hash passwords, which makes it easier for remote attackers to obtain sensitive information via a brute force attack.
The CreateID function in packet.py in pyrad before 2.1 uses sequential packet IDs, which makes it easier for remote attackers to spoof packets by predicting the next ID, a different vulnerability than CVE-2013-0294.
debug/macho fails out when loading a file that contains a dynamic
symbol table command that indicates a larger number of symbols than
exist in the loaded symbol table.
Previously, opening a zip with (*Reader).Open could result in a
panic if the zip contained a file whose name was exclusively made up
of slash characters or ".." path elements. Open could also panic if
passed the empty string directly as an argument.
This release contains 8 security fixes, including:
[1259864] High CVE-2021-37997 : Use after free in Sign-In.
Reported by Wei Yuan of MoyunSec VLab on 2021-10-14
[1259587] High CVE-2021-37998 : Use after free in Garbage
Collection. Reported by Cassidy Kim of Amber Security Lab, OPPO
Mobile Telecommunications Corp. Ltd. on 2021-10-13
[1251541] High CVE-2021-37999 : Insufficient data validation in
New Tab Page. Reported by Ashish Arun Dhone on 2021-09-21
[1249962] High CVE-2021-38000 : Insufficient validation of
untrusted input in Intents. Reported by Clement Lecigne, Neel
Mehta, and Maddie Stone of Google Threat Analysis Group on
2021-09-15
[1260577] High CVE-2021-38001 : Type Confusion in V8. Reported
by @s0rrymybad of Kunlun Lab via Tianfu Cup on 2021-10-16
[1260940] High CVE-2021-38002 : Use after free in Web Transport.
Reported by @__R0ng of 360 Alpha Lab, ? via Tianfu Cup on
2021-10-16
Command mail from mailutils package used in mail actions
like mail-whois can execute command if unescaped sequences
(\n~) are available in "foreign" input (for instance in
whois output).
A potential for for a list member to carry out an off-line brute
force attack to obtain the list admin password has been reported by
Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is
fixed.
A CSRF attack via the user options page could allow takeover of a
users account. This is fixed.
This release contains 19 security fixes, including:
[1246631] High CVE-2021-37981: Heap buffer overflow in Skia.
Reported by Yangkang (@dnpushme) of 360 ATA on 2021-09-04
[1248661] High CVE-2021-37982: Use after free in Incognito.
Reported by Weipeng Jiang (@Krace) from Codesafe Team of
Legendsec at Qi'anxin Group on 2021-09-11
[1249810] High CVE-2021-37983: Use after free in Dev Tools.
Reported by Zhihua Yao of KunLun Lab on 2021-09-15
[1253399] High CVE-2021-37984: Heap buffer overflow in PDFium.
Reported by Antti Levomäki, Joonas Pihlaja andChristian Jali
from Forcepoint on 2021-09-27
[1241860] High CVE-2021-37985: Use after free in V8. Reported
by Yangkang (@dnpushme) of 360 ATA on 2021-08-20
[1242404] Medium CVE-2021-37986: Heap buffer overflow in
Settings. Reported by raven (@raid_akame) on 2021-08-23
[1206928] Medium CVE-2021-37987: Use after free in Network APIs.
Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-08
[1228248] Medium CVE-2021-37988: Use after free in Profiles.
Reported by raven (@raid_akame) on 2021-07-12
[1233067] Medium CVE-2021-37989: Inappropriate implementation
in Blink. Reported by Matt Dyas, Ankur Sundara on 2021-07-26
[1247395] Medium CVE-2021-37990: Inappropriate implementation
in WebView. Reported by Kareem Selim of CyShield on
2021-09-07
[1250660] Medium CVE-2021-37991: Race in V8. Reported by Samuel
Gross of Google Project Zero on 2021-09-17
[1253746] Medium CVE-2021-37992: Out of bounds read in WebAudio.
Reported by sunburst@Ant Security Light-Year Lab on
2021-09-28
[1255332] Medium CVE-2021-37993: Use after free in PDF
Accessibility. Reported by Cassidy Kim of Amber Security Lab,
OPPO Mobile Telecommunications Corp. Ltd. on 2021-10-02
[1243020] Medium CVE-2021-37996: Insufficient validation of
untrusted input in Downloads. Reported by Anonymous on
2021-08-24
[1100761] Low CVE-2021-37994: Inappropriate implementation in
iFrame Sandbox. Reported by David Erceg on 2020-06-30
[1242315] Low CVE-2021-37995: Inappropriate implementation in
WebApp Installer. Reported by Terence Eden on 2021-08-23
sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.
Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.
Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd_config(5).
A malicious user with permission to create documents in a
database is able to attach a HTML attachment to a document.
If a CouchDB admin opens that attachment in a browser, e.g.
via the CouchDB admin interface Fauxton, any JavaScript code
embedded in that HTML attachment will be executed within the
security context of that admin. A similar route is available
with the already deprecated _show and _list functionality.
A flaw was found in Ansible Engine's ansible-connection
module, where sensitive information such as the Ansible
user credentials is disclosed by default in the traceback
error message. The highest threat from this vulnerability
is to confidentiality.
Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets. DBF are database files with data organized in fields. When reading DBF data the size of certain fields is not checked: the data is just copied into local variables. A carefully crafted document could overflow the allocated space, leading to the execution of arbitrary code by altering the contents of the program stack. This issue affects Apache OpenOffice up to and including version 4.1.10
It is possible for an attacker to manipulate signed documents and macros to appear to come from a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25633 for the LibreOffice advisory
It is possible for an attacker to manipulate the timestamp of signed documents. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25634 for the LibreOffice advisory.
It is possible for an attacker to manipulate documents to appear to be signed by a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25635 for the LibreOffice advisory.
When invoking functions from WASM modules, built using GOARCH=wasm
GOOS=js, passing very large arguments can cause portions of the module
to be overwritten with data from the arguments.
If using wasm_exec.js to execute WASM modules, users will need to
replace their copy after rebuilding any modules.
critical: Path Traversal and Remote Code Execution in Apache HTTP
Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
(CVE-2021-42013).
It was found that the fix for CVE-2021-41773 in Apache HTTP
Server 2.4.50 was insufficient. An attacker could use a path
traversal attack to map URLs to files outside the directories
configured by Alias-like directives.
If files outside of these directories are not protected by the
usual default configuration "require all denied", these requests
can succeed. If CGI scripts are also enabled for these aliased
pathes, this could allow for remote code execution.
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
earlier versions.
Acknowledgements: Reported by Juan Escobar from Dreamlab
Technologies, Fernando Munoz from NULL Life CTF Team, and
Shungo Kumasaka
Unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths:
/dashboard/snapshot/:key, or
/api/snapshots/:key
If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path:
/api/snapshots-delete/:deleteKey
Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths:
/api/snapshots/:key, or
/api/snapshots-delete/:deleteKey
The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.
Integer to heap buffer overflow handling certain string commands
and network payloads, when proto-max-bulk-len is manually configured.
CVE-2021-32762
Integer to heap buffer overflow issue in redis-cli and redis-sentinel
parsing large multi-bulk replies on some older and less common platforms.
CVE-2021-32687
Integer to heap buffer overflow with intsets, when set-max-intset-entries
is manually configured to a non-default, very large value.
CVE-2021-32675
Denial Of Service when processing RESP request payloads with a large
number of elements on many connections.
CVE-2021-32672
Random heap reading issue with Lua Debugger.
CVE-2021-32628
Integer to heap buffer overflow handling ziplist-encoded data types,
when configuring a large, non-default value for hash-max-ziplist-entries,
hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value.
CVE-2021-32627
Integer to heap buffer overflow issue with streams, when configuring
a non-default, large value for proto-max-bulk-len and
client-query-buffer-limit.
CVE-2021-32626
Specially crafted Lua scripts may result with Heap buffer overflow.
(T285515, CVE-2021-41798) SECURITY: XSS vulnerability in Special:Search.
(T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full
table scan.
(T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of
Special:Contributions.
(T279090, CVE-2021-41801) SECURITY: ReplaceText continues performing
actions if the user no longer has the correct permission (such as by being
blocked).
This release contains 4 security fixes, including:
[1245578] High CVE-2021-37974: Use after free in Safe Browsing.
Reported by Weipeng Jiang (@Krace) from Codesafe Team of
Legendsec at Qi'anxin Group on 2021-09-01
[1252918] High CVE-2021-37975: Use after free in V8. Reported by
Anonymous on 2021-09-24
[1251787] Medium CVE-2021-37976: Information leak in core.
Reported by Clement Lecigne from Google TAG, with technical
assistance from Sergei Glazunov and Mark Brand from Google
Project Zero on 2021-09-21
Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976
exist in the wild.
][1251727] High CVE-2021-37973 : Use after free in Portals.
Reported by Clement Lecigne from Google TAG, with technical
assistance from Sergei Glazunov and Mark Brand from Google Project
Zero on 2021-09-21
Google is aware that an exploit for CVE-2021-37973 exists in the wild.
Version 0.17.0 and older of mod_auth_mellon allows the redirect URL
validation to be bypassed by specifying an URL formatted as
///fishing-site.example.com/logout.html
Paths from log stream make it into system() unchecked,
potentially leading to commands being run on the system
unintentionally. This requires either bad scripting or a
malicious package to be installed, and is considered low
severity.
Fix potential unbounded state growth in the PIA
analyzer when receiving a connection with either a large
number of zero-length packets, or one which continues
ack-ing unseen segments. It is possible to run Zeek out
of memory in these instances and cause it to crash. Due
to the possibility of this happening with packets received
from the network, this is a potential DoS vulnerability.
This update contains 19 security fixes, including:
[1243117] High CVE-2021-37956: Use after free in Offline use.
Reported by Huyna at Viettel Cyber Security on 2021-08-24
[1242269] High CVE-2021-37957: Use after free in WebGPU.
Reported by Looben Yang on 2021-08-23
[1223290] High CVE-2021-37958: Inappropriate implementation in
Navigation. Reported by James Lee (@Windowsrcer) on
2021-06-24
[1229625] High CVE-2021-37959: Use after free in Task Manager.
Reported by raven (@raid_akame) on 2021-07-15
[1247196] High CVE-2021-37960: Inappropriate implementation in
Blink graphics. Reported by Atte Kettunen of OUSPG on
2021-09-07
[1228557] Medium CVE-2021-37961: Use after free in Tab Strip.
Reported by Khalil Zhani on 2021-07-13
[1231933] Medium CVE-2021-37962: Use after free in Performance
Manager. Reported by Sri on 2021-07-22
[1199865] Medium CVE-2021-37963: Side-channel information
leakage in DevTools. Reported by Daniel Genkin and Ayush Agarwal,
University of Michigan, Eyal Ronen and Shaked Yehezkel, Tel Aviv
University, Sioli O'Connell, University of Adelaide, and Jason
Kim, Georgia Institute of Technology on 2021-04-16
[1203612] Medium CVE-2021-37964: Inappropriate implementation in
ChromeOS Networking. Reported by Hugo Hue and Sze Yiu Chau of the
Chinese University of Hong Kong on 2021-04-28
[1239709] Medium CVE-2021-37965: Inappropriate implementation in
Background Fetch API. Reported by Maurice Dauer on 2021-08-13
[1238944] Medium CVE-2021-37966: Inappropriate implementation in
Compositing. Reported by Mohit Raj (shadow2639) on 2021-08-11
[1243622] Medium CVE-2021-37967: Inappropriate implementation in
Background Fetch API. Reported by SorryMybad (@S0rryMybad) of
Kunlun Lab on 2021-08-26
[1245053] Medium CVE-2021-37968: Inappropriate implementation in
Background Fetch API. Reported by Maurice Dauer on 2021-08-30
[1245879] Medium CVE-2021-37969: Inappropriate implementation in
Google Updater. Reported by Abdelhamid Naceri (halov) on
2021-09-02
[1248030] Medium CVE-2021-37970: Use after free in File System
API. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on
2021-09-09
[1219354] Low CVE-2021-37971: Incorrect security UI in Web
Browser UI. Reported by Rayyan Bijoora on 2021-06-13
[1234259] Low CVE-2021-37972: Out of bounds read in
libjpeg-turbo. Reported by Xu Hanyu and Lu Yutao from
Panguite-Forensics-Lab of Qianxin on 2021-07-29
The SSH protocol keeps track of two shared secrets during the lifetime
of the session. One of them is called `secret_hash` and and the other
`session_id`. Initially, both of them are the same, but after key
re-exchange, previous `session_id` is kept and used as an input to new
`secret_hash`.
Historically, both of these buffers had shared length variable, which
worked as long as these buffers were same. But the key re-exchange
operation can also change the key exchange method, which can be based on
hash of different size, eventually creating `secret_hash` of different
size than the `session_id` has.
This becomes an issue when the `session_id` memory is zeroized or when
it is used again during second key re-exchange.
These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVE being remediated in core npm CLI dependencies including node-tar, and npm arborist.
cares upgrade - Improper handling of untypical characters in domain names (High) (CVE-2021-22931)
Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js DNS library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
Use after free on close http2 on stream canceling (High) (CVE-2021-22940)
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930.
Incomplete validation of rejectUnauthorized parameter (Low) (CVE-2021-22939)
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
libuv upgrade - Out of bounds read (Medium) (CVE-2021-22918)
Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes.
Windows installer - Node Installer Local Privilege Escalation (Medium) (CVE-2021-22921)
Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.
npm upgrade - ssri Regular Expression Denial of Service (ReDoS) (High) (CVE-2021-27290)
This is a vulnerability in the ssri npm module which may be vulnerable to denial of service attacks.
npm upgrade - hosted-git-info Regular Expression Denial of Service (ReDoS) (Medium) (CVE-2021-23362)
This is a vulnerability in the hosted-git-info npm module which may be vulnerable to denial of service attacks.
seatd-launch used execlp, which reads the PATH environment variable to
search for the requested executable, to execute seatd. This meant that
the caller could freely control what executable was loaded by adding a
user-writable directory to PATH.
If seatd-launch had the SUID bit set, this could be used by a
malicious user with the ability to execute seatd-launch to mount a
privilege escalation attack to the owner of seatd-launch, which is
likely root.
This release includes 11 security fixes, including:
[1237533] High CVE-2021-30625: Use after free in Selection API.
Reported by Marcin Towalski of Cisco Talos on 2021-08-06
[1241036] High CVE-2021-30626: Out of bounds memory access in
ANGLE. Reported by Jeonghoon Shin of Theori on 2021-08-18
[1245786] High CVE-2021-30627: Type Confusion in Blink layout.
Reported by Aki Helin of OUSPG on 2021-09-01
[1241123] High CVE-2021-30628: Stack buffer overflow in ANGLE.
Reported by Jaehun Jeong(@n3sk) of Theori on 2021-08-18
[1243646] High CVE-2021-30629: Use after free in Permissions.
Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec
at Qi'anxin Group on 2021-08-26
[1244568] High CVE-2021-30630: Inappropriate implementation in
Blink. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on
2021-08-30
[1246932] High CVE-2021-30631: Type Confusion in Blink layout.
Reported by Atte Kettunen of OUSPG on 2021-09-06
[1247763] High CVE-2021-30632: Out of bounds write in V8.
Reported by Anonymous on 2021-09-08
[1247766] High CVE-2021-30633: Use after free in Indexed DB API.
Reported by Anonymous on 2021-09-08
Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633
exist in the wild.
Today we are disclosing a critical security issue affecting
multiple Matrix clients and libraries including Element
(Web/Desktop/Android), FluffyChat, Nheko, Cinny, and SchildiChat.
Specifically, in certain circumstances it may be possible to
trick vulnerable clients into disclosing encryption keys for
messages previously sent by that client to user accounts later
compromised by an attacker.
Exploiting this vulnerability to read encrypted messages requires
gaining control over the recipientâÂÂs account. This requires either
compromising their credentials directly or compromising their homeserver.
HashiCorp Consul Raft RPC layer allows non-server agents with a
valid certificate signed by the same CA to access server-only
functionality, enabling privilege escalation.
An oversight in the previous fix still allows for an OOM
panic when the indicated directory size in the archive
header is so large that subtracting it from the archive
size overflows a uint64, effectively bypassing the check
that the number of files in the archive is reasonable.
bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid
a potential race condition.
bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the
fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used
on Windows and macOS.
bpo-43124: Made the internal putcmd function in smtplib sanitize input for
presence of \r and \n characters to avoid (unlikely) command injection.
bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address
strings. Leading zeros are ambiguous and interpreted as octal notation by some
libraries. For example the legacy function socket.inet_aton() treats leading
zeros as octal notation. glibc implementation of modern inet_pton() does not
accept any leading zeros. For a while the ipaddress module used to accept ambiguous
leading zeros.
Version 5.9_2 contains security fix for PPPoE servers.
Insufficient validation of incoming PPPoE Discovery request
specially crafted by unauthenticated user might lead to unexpected
termination of the process. The problem affects mpd versions
since 5.0. Installations not using PPPoE server configuration
were not affected.
bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the
fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used
on Windows and macOS.
bpo-43124: Made the internal putcmd function in smtplib sanitize input for
presence of \r and \n characters to avoid (unlikely) command injection.
bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid
a potential race condition.
bpo-41180: Add auditing events to the marshal module, and stop raising
code.__init__ events for every unmarshalled code object. Directly instantiated
code objects will continue to raise an event, and audit event handlers should
inspect or collect the raw marshal data. This reduces a significant performance
overhead when loading from .pyc files.
bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the
fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used
on Windows and macOS.
bpo-43124: Made the internal putcmd function in smtplib sanitize input for
presence of \r and \n characters to avoid (unlikely) command injection.
Fixed CVE-2021-33582: Certain user inputs are used as hash table keys during processing. A poorly chosen string hashing algorithm meant that the user could control which bucket their data was stored in, allowing a malicious user to direct many inputs to a single bucket. Each subsequent insertion to the same bucket requires a strcmp of every other entry in it. At tens of thousands of entries, each new insertion could keep the CPU busy in a strcmp loop for minutes.
The string hashing algorithm has been replaced with a better one, and now also uses a random seed per hash table, so malicious inputs cannot be precomputed.
This release contains 27 security fixes, including:
[1233975] High CVE-2021-30606: Use after free in Blink. Reported
by Nan Wang (@eternalsakura13) and koocola (@alo_cook) of 360
Alpha Lab on 2021-07-28
[1235949] High CVE-2021-30607: Use after free in Permissions.
Reported by Weipeng Jiang (@Krace) from Codesafe Team of
Legendsec at Qi'anxin Group on 2021-08-03
[1219870] High CVE-2021-30608: Use after free in Web Share.
Reported by Huyna at Viettel Cyber Security on 2021-06-15
[1239595] High CVE-2021-30609: Use after free in Sign-In.
Reported by raven (@raid_akame) on 2021-08-13
[1200440] High CVE-2021-30610: Use after free in Extensions API.
Reported by Igor Bukanov from Vivaldi on 2021-04-19
[1233942] Medium CVE-2021-30611: Use after free in WebRTC.
Reported by Nan Wang (@eternalsakura13) and koocola (@alo_cook) of
360 Alpha Lab on 2021-07-28
[1234284] Medium CVE-2021-30612: Use after free in WebRTC.
Reported by Nan Wang (@eternalsakura13) and koocola (@alo_cook) of
360 Alpha Lab on 2021-07-29
[1209622] Medium CVE-2021-30613: Use after free in Base
internals. Reported by Yangkang (@dnpushme) of 360 ATA on
2021-05-16
[1207315] Medium CVE-2021-30614: Heap buffer overflow in
TabStrip. Reported by Huinian Yang (@vmth6) of Amber Security Lab,
OPPO Mobile Telecommunications Corp. Ltd. on 2021-05-10
[1208614] Medium CVE-2021-30615: Cross-origin data leak in
Navigation. Reported by NDevTK on 2021-05-12
[1231432] Medium CVE-2021-30616: Use after free in Media.
Reported by Anonymous on 2021-07-21
[1226909] Medium CVE-2021-30617: Policy bypass in Blink.
Reported by NDevTK on 2021-07-07
[1232279] Medium CVE-2021-30618: Inappropriate implementation in
DevTools. Reported by @DanAmodio and @mattaustin from Contrast
Security on 2021-07-23
[1235222] Medium CVE-2021-30619: UI Spoofing in Autofill.
Reported by Alesandro Ortiz on 2021-08-02
[1063518] Medium CVE-2021-30620: Insufficient policy enforcement
in Blink. Reported by Jun Kokatsu, Microsoft Browser Vulnerability
Research on 2020-03-20
[1204722] Medium CVE-2021-30621: UI Spoofing in Autofill.
Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability
Research on 2021-04-30
[1224419] Medium CVE-2021-30622: Use after free in WebApp
Installs. Reported by Jun Kokatsu, Microsoft Browser Vulnerability
Research on 2021-06-28
[1223667] Low CVE-2021-30623: Use after free in Bookmarks.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2021-06-25
[1230513] Low CVE-2021-30624: Use after free in Autofill.
Reported by Wei Yuan of MoyunSec VLab on 2021-07-19
In certain circumstances, fetchmail 6.4.21 and older would
not encrypt the session using STARTTLS/STLS, and might not have
cleared session state across the TLS negotiation.
The ggatec(8) daemon does not validate the size of a response before writing
it to a fixed-sized buffer. This allows to overwrite the stack of ggatec(8).
Impact:
A malicious ggated(8) or an attacker in a priviledged network position can
overwrite the stack with crafted content and potentially execute arbitrary
code.
Null pointer deref in X509_issuer_and_serial_hash()
CVE-2021-23841 (Moderate) The OpenSSL public API function
X509_issuer_and_serial_hash() attempts to create a unique hash
value based on the issuer and serial number data contained within
an X509 certificate. However it fails to correctly handle any errors
that may occur while parsing the issuer field (which might occur if
the issuer field is maliciously constructed). This may subsequently
result in a NULL pointer deref and a crash leading to a potential
denial of service attack.
Integer overflow in CipherUpdate CVE-2021-23840 (Low)
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
may overflow the output length argument in some cases where the
input length is close to the maximum permissable length for an
integer on the platform. In such cases the return value from the
function call will be 1 (indicating success), but the output length
value will be negative. This could cause applications to behave
incorrectly or crash.
Certain VirtIO-based device models failed to handle errors when fetching
I/O descriptors. Such errors could be triggered by a malicious guest.
As a result, the device model code could be tricked into operating on
uninitialized I/O vectors, leading to memory corruption.
Impact:
A malicious guest may be able to crash the bhyve process. It may be
possible to exploit the memory corruption bugs to achieve arbitrary code
execution in the bhyve process.
The passive mode in FTP communication allows an out of boundary read while
libfetch uses strtol to parse the relevant numbers into address bytes. It
does not check if the line ends prematurely. If it does, the for-loop
condition checks for *p == '\0' one byte too late because p++ was already
performed.
Impact:
The connection buffer size can be controlled by a malicious FTP server
because the size is increased until a newline is encountered (or no more
characters are read). This also allows to move the buffer into more
interesting areas within the address space, potentially parsing relevant
numbers for the attacker. Since these bytes become available to the server
in form of a new TCP connection to a constructed port number or even part of
the IPv6 address this is a potential information leak.
The OpenBSDBCrypt.checkPassword utility method compared incorrect
data when checking the password, allowing incorrect passwords to
indicate they were matching with previously hashed ones that were
different.
Bouncy Castle BC Java before 1.66 has a timing issue within the EC
math library that can expose information about the private key when
an attacker is able to observe timing information for the generation
of multiple deterministic ECDSA signatures.
This release contains 9 security fixes, including:
[1234764] High CVE-2021-30598: Type Confusion in V8. Reported by
Manfred Paul on 2021-07-30
[1234770] High CVE-2021-30599: Type Confusion in V8. Reported by
Manfred Paul on 2021-07-30
[1231134] High CVE-2021-30600: Use after free in Printing.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2021-07-20
[1234009] High CVE-2021-30601: Use after free in Extensions API.
Reported by koocola(@alo_cook) and Nan Wang(@eternalsakura13) of
360 Alpha Lab on 2021-07-28
[1230767] High CVE-2021-30602: Use after free in WebRTC.
Reported by Marcin Towalski of Cisco Talos on 2021-07-19
[1233564] High CVE-2021-30603: Race in WebAudio. Reported by
Sergei Glazunov of Google Project Zero on 2021-07-27
[1234829] High CVE-2021-30604: Use after free in ANGLE. Reported
by Seong-Hwan Park (SeHwa) of SecunologyLab on 2021-07-30
There's a flaw in the BFD library of binutils in versions before 2.36.
An attacker who supplies a crafted file to an application linked with BFD,
and using the DWARF functionality, could cause an impact to system
availability by way of excessive memory consumption.
A purpose-crafted query can read arbitrary bytes of
server memory. In the default configuration, any
authenticated database user can complete this attack at
will. The attack does not require the ability to create
objects. If server settings include
max_worker_processes=0, the known versions of this
attack are infeasible. However, undiscovered variants of
the attack may be independent of that setting.
Marco Ivaldi (marco.ivaldi () mediaservice net) reports:
A buffer overflow in the CheckMonitor() function in the Common
Desktop Environment 2.3.1 and earlier and 1.6 and earlier,
as distributed with Oracle Solaris 10 1/13 (Update 11) and
earlier, allows local users to gain root privileges via a long
palette name passed to dtsession in a malicious .Xdefaults
file.
xtrlock did not block multitouch events so an attacker could still
input and thus control various programs such as Chromium, etc. via
so-called "multitouch" events including pan scrolling, "pinch and
zoom" or even being able to provide regular mouse clicks by
depressing the touchpad once and then clicking with a secondary
finger.
A net/http/httputil ReverseProxy can panic due to a race
condition if its Handler aborts with ErrAbortHandler, for
example due to an error in copying the response body. An
attacker might be able to force the conditions leading to
the race condition.
This Critical Patch Update contains 41 new security patches for
Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle
MySQL is 8.8.
MariaDB is affected by CVE-2021-2372 and CVE-2021-2389 only.
It was discovered that Prosody allows any entity to access the list of
admins, members, owners and banned entities of any federated XMPP group chat
of which they know the address.
When a log message exceeds c. 2 kByte in size, for instance, with very long
header contents, and depending on verbosity option, fetchmail can crash or
misreport each first log message that requires a buffer reallocation.
Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (eg user names) as well as configuration data provided by an administrator.
In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.
A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS.
Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.
Bahruz Jabiyev, Steven Sprecher and Kaan Onarlioglu of NEU seclab reports:
Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; Tomcat honoured the identify encoding; and Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
On 32-bit versions, Redis BITFIELD command is vulnerable to integer
overflow that can potentially be exploited to corrupt the heap,
leak arbitrary heap contents or trigger remote code execution.
The vulnerability involves constructing specially crafted bit
commands which overflow the bit offset.
This problem only affects 32-bit versions of Redis.
If an authenticated client connected with MQTT v5 sent
a malformed CONNACK message to the broker a NULL pointer
dereference occurred, most likely resulting in a
segfault.
(Note: a CVE is referenced in the github commit but it
appears to be for a python-bleach vulnerability so it is
not included here.)
Depending on the timing, it's possible for Asterisk to
crash when using a TLS connection if the underlying socket
parent/listener gets destroyed during the handshake.
When Asterisk receives a re-INVITE without SDP after
having sent a BYE request a crash will occur. This occurs
due to the Asterisk channel no longer being present while
code assumes it is.
This release contains 35 security fixes, including:
][1210985] High CVE-2021-30565: Out of bounds write in Tab
Groups. Reported by David Erceg on 2021-05-19
[1202661] High CVE-2021-30566: Stack buffer overflow in
Printing. Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2021-04-26
[1211326] High CVE-2021-30567: Use after free in DevTools.
Reported by DDV_UA on 2021-05-20
[1219886] High CVE-2021-30568: Heap buffer overflow in WebGL.
Reported by Yangkang (@dnpushme) of 360 ATA on 2021-06-15
[1218707] High CVE-2021-30569: Use after free in sqlite.
Reported by Chris Salls (@salls) of Makai Security on
2021-06-11
[1101897] High CVE-2021-30571: Insufficient policy enforcement
in DevTools. Reported by David Erceg on 2020-07-03
[1214234] High CVE-2021-30572: Use after free in Autofill.
Reported by Weipeng Jiang (@Krace) from Codesafe Team of
Legendsec at Qi'anxin Group on 2021-05-28
[1216822] High CVE-2021-30573: Use after free in GPU. Reported
by Security For Everyone Team - https://securityforeveryone.com on
2021-06-06
[1227315] High CVE-2021-30574: Use after free in protocol
handling. Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2021-07-08
[1213313] Medium CVE-2021-30575: Out of bounds read in Autofill.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2021-05-26
[1194896] Medium CVE-2021-30576: Use after free in DevTools.
Reported by David Erceg on 2021-04-01
[1204811] Medium CVE-2021-30577: Insufficient policy enforcement
in Installer. Reported by Jan van der Put (REQON B.V) on
2021-05-01
[1201074] Medium CVE-2021-30578: Uninitialized Use in Media.
Reported by Chaoyuan Peng on 2021-04-21
[1207277] Medium CVE-2021-30579: Use after free in UI framework.
Reported by Weipeng Jiang (@Krace) from Codesafe Team of
Legendsec at Qi'anxin Group on 2021-05-10
[1189092] Medium CVE-2021-30580: Insufficient policy enforcement
in Android intents. Reported by @retsew0x01 on 2021-03-17
[1194431] Medium CVE-2021-30581: Use after free in DevTools.
Reported by David Erceg on 2021-03-31
[1205981] Medium CVE-2021-30582: Inappropriate implementation in
Animation. Reported by George Liu on 2021-05-05
[1179290] Medium CVE-2021-30583: Insufficient policy enforcement
in image handling on Windows. Reported by Muneaki Nishimura
(nishimunea) on 2021-02-17
[1213350] Medium CVE-2021-30584: Incorrect security UI in
Downloads. Reported by @retsew0x01 on 2021-05-26
[1023503] Medium CVE-2021-30585: Use after free in sensor
handling. Reported by niarci on 2019-11-11
[1201032] Medium CVE-2021-30586: Use after free in dialog box
handling on Windows. Reported by kkomdal with kkwon and neodal on
2021-04-21
[1204347] Medium CVE-2021-30587: Inappropriate implementation in
Compositing on Windows. Reported by Abdulrahman Alqabandi,
Microsoft Browser Vulnerability Research on 2021-04-30
[1195650] Low CVE-2021-30588: Type Confusion in V8. Reported by
Jose Martinez (tr0y4) from VerSprite Inc. on 2021-04-04
[1180510] Low CVE-2021-30589: Insufficient validation of
untrusted input in Sharing. Reported by Kirtikumar Anandrao
Ramchandani (@Kirtikumar_A_R) and Patrick Walker (@homesen) on
2021-02-20
crypto/tls clients can panic when provided a certificate of
the wrong type for the negotiated parameters. net/http clients
performing HTTPS requests are also affected. The panic can be
triggered by an attacker in a privileged network position
without access to the server certificate's private key, as
long as a trusted ECDSA or Ed25519 certificate for the server
exists (or can be issued), or the client is configured with
Config.InsecureSkipVerify. Clients that disable all TLS_RSA
cipher suites (that is, TLS 1.0âÂÂ1.2 cipher suites without
ECDHE), as well as TLS 1.3-only clients, are unaffected.
Multiple vulnerabilities covering buffer overflows, out-of-bounds,
read of uninitialized memory and denial of serivce. The heap
overflow is triggered when Exiv2 is used to read the metadata of
a crafted image file. An attacker could potentially exploit the
vulnerability to gain code execution, if they can trick the victim
into running Exiv2 on a crafted image file. The out-of-bounds read
is triggered when Exiv2 is used to write metadata into a crafted
image file. An attacker could potentially exploit the vulnerability
to cause a denial of service by crashing Exiv2, if they can trick
the victim into running Exiv2 on a crafted image file. The read of
uninitialized memory is triggered when Exiv2 is used to read the
metadata of a crafted image file. An attacker could potentially
exploit the vulnerability to leak a few bytes of stack memory, if
they can trick the victim into running Exiv2 on a crafted image
file.
Jonathon Knudsen of Synopsys Cybersecurity Research Center reports:
All versions prior to 3.8.16 are prone to a denial of service
vulnerability due to improper input validation in AMQP 1.0 client
connection endpoint. A malicious client can exploit the vulnerability
by sending malicious AMQP messages to the target RabbitMQ instance
having the AMQP 1.0 plugin enabled.
When parsing a frame header, validate that the frame_size is less than
or equal to INT32_MAX. Given frame_max is limited between 0 and
INT32_MAX in amqp_login and friends, this does not change the API.
This prevents a potential buffer overflow when a malicious client sends
a frame_size that is close to UINT32_MAX, in which causes an overflow
when computing state->target_size resulting in a small value there. A
buffer is then allocated with the small amount, then memcopy copies the
frame_size writing to memory beyond the end of the buffer.
CVE-2021-29157: Dovecot does not correctly escape kid and azp
fields in JWT tokens.
This may be used to supply attacker controlled keys to validate
tokens in some configurations. This requires attacker
to be able to write files to
local disk.
CVE-2021-33515: On-path attacker could inject plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client. Only the SMTP submission service is
affected.
Sieve interpreter is not protected against abusive
scripts that claim excessive resource usage. Fixed by limiting the
user CPU time per single script execution and cumulatively over
several script runs within a configurable timeout period. Sufficiently
large CPU time usage is summed in the Sieve script binary and execution
is blocked when the sum exceeds the limit within that time. The block
is lifted when the script is updated after the resource usage times out.
An argument injection vulnerability in the Dragonfly
gem before 1.4.0 for Ruby allows remote attackers to read
and write to arbitrary files via a crafted URL when the
verify_url option is disabled. This may lead to code
execution. The problem occurs because the generate and
process features mishandle use of the ImageMagick convert
utility.
It was discovered that when a user receives and downloads
a file in Dino, URI-encoded path separators in the file name
will be decoded, allowing an attacker to traverse
directories and create arbitrary files in the context of the
user.
Drupal core's sanitization API fails to properly filter
cross-site scripting under certain circumstances.
Not all sites and users are affected, but configuration
changes to prevent the exploit might be impractical
and will vary between sites. Therefore, we recommend
all sites update to this release as soon as
possible.
The function polkit_system_bus_name_get_creds_sync is used to get the
uid and pid of the process requesting the action. It does this by
sending the unique bus name of the requesting process, which is
typically something like ":1.96", to dbus-daemon. These unique names
are assigned and managed by dbus-daemon and cannot be forged, so this
is a good way to check the privileges of the requesting process.
The vulnerability happens when the requesting process disconnects from
dbus-daemon just before the call to
polkit_system_bus_name_get_creds_sync starts. In this scenario, the
unique bus name is no longer valid, so dbus-daemon sends back an error
reply. This error case is handled in
polkit_system_bus_name_get_creds_sync by setting the value of the
error parameter, but it still returns TRUE, rather than FALSE.
This behavior means that all callers of
polkit_system_bus_name_get_creds_sync need to carefully check whether
an error was set. If the calling function forgets to check for errors
then it will think that the uid of the requesting process is 0 (because
the AsyncGetBusNameCredsData struct is zero initialized). In other
words, it will think that the action was requested by a root process,
and will therefore allow it.
The :class:`~urllib.request.AbstractBasicAuthHandler` class
of the :mod:`urllib.request` module uses an inefficient
regular expression which can be exploited by an
attacker to cause a denial of service
The SetString and UnmarshalText methods of math/big.Rat may cause a
panic or an unrecoverable fatal error if passed inputs with very
large exponents.
ReverseProxy in net/http/httputil could be made to forward certain
hop-by-hop headers, including Connection. In case the target of the
ReverseProxy was itself a reverse proxy, this would let an attacker
drop arbitrary headers, including those set by the
ReverseProxy.Director.
The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr
functions in net, and their respective methods on the Resolver type
may return arbitrary values retrieved from DNS which do not follow
the established RFC 1035 rules for domain names. If these names are
used without further sanitization, for instance unsafely included in
HTML, they may allow for injection of unexpected content. Note that
LookupTXT may still return arbitrary values that could require
sanitization before further use.
The NewReader and OpenReader functions in archive/zip can cause a
panic or an unrecoverable fatal error when reading an archive that
claims to contain a large number of files, regardless of its actual
size.
Fix potential Undefined Behavior in decode_netbios_name()
and decode_netbios_name_type() BIFs. The latter has a
possibility of a remote heap-buffer-overread, making this
a potential DoS vulnerability.
Add some extra length checking when parsing mobile
ipv6 packets. Due to the possibility of reading invalid
headers from remote sources, this is a potential DoS
vulnerability.
A vulnerability was discovered in the PyYAML library
in versions before 5.4, where it is susceptible to arbitrary
code execution when it processes untrusted YAML files
through the full_load method or with the FullLoader loader.
Applications that use the library to process untrusted
input may be vulnerable to this flaw. This flaw allows
an attacker to execute arbitrary code on the system by
abusing the python/object/new constructor. This flaw is
due to an incomplete fix for CVE-2020-1747.
When AuthnResponse messages are not signed (which is
permitted by the specifiation), all assertion's signatures should be
checked, but currently after the first signed assertion is checked all
following assertions are accepted without checking their signature, and
the last one is considered the main assertion.
Prometheus is an open-source monitoring system and time series
database. In 2.23.0, Prometheus changed its default UI to the New
ui. To ensure a seamless transition, the URL's prefixed by /new
redirect to /. Due to a bug in the code, it is possible for an
attacker to craft an URL that can redirect to any other URL, in the
/new endpoint. If a user visits a prometheus server with a
specially crafted address, they can be redirected to an arbitrary
URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In
2.28.0, the /new endpoint will be removed completely. The
workaround is to disable access to /new via a reverse proxy in
front of Prometheus.
An integer overflow bug in Redis version 6.0 or newer can be
exploited using the STRALGO LCS command to corrupt the heap and
potentially result with remote code execution. This is a result
of an incomplete fix by CVE-2021-29477.
libradius did not perform sufficient validation of received messages.
rad_get_attr(3) did not verify that the attribute length is valid before
subtracting the length of the Type and Length fields. As a result, it
could return success while also providing a bogus length of SIZE_T_MAX -
2 for the Value field.
When processing attributes to find an optional authenticator,
is_valid_response() failed to verify that each attribute length is
non-zero and could thus enter an infinite loop.
Impact:
A server may use libradius(3) to process messages from RADIUS clients.
In this case, a malicious client could trigger a denial-of-service in
the server. A client using libradius(3) to process messages from a
server is susceptible to the same problem.
The impact of the rad_get_attr(3) bug depends on how the returned length
is validated and used by the consumer. It is possible that libradius(3)
applications will crash or enter an infinite loop when calling
rad_get_attr(3) on untrusted RADIUS messages.
The FreeBSD kernel enables SMAP during boot when the CPU reports that
the SMAP capability is present. Subroutines such as copyin() and
copyout() are responsible for disabling SMAP around the sections of code
that perform user memory accesses.
Such subroutines must handle page faults triggered when user memory is
not mapped. The kernel's page fault handler checks the validity of the
fault, and if it is indeed valid it will map a page and resume copying.
If the fault is invalid, the fault handler returns control to a
trampoline which aborts the operation and causes an error to be
returned. In this second scenario, a bug in the implementation of SMAP
support meant that SMAP would remain disabled until the thread returns
to user mode.
Impact:
This bug may be used to bypass the protections provided by SMAP for the
duration of a system call. It could thus be combined with other kernel
bugs to craft an exploit.
This release contains 32 security fixes, including:
[1208721] High CVE-2021-30521: Heap buffer overflow in Autofill.
Reported by ZhanJia Song on 2021-05-13
[1176218] High CVE-2021-30522: Use after free in WebAudio.
Reported by Piotr Bania of Cisco Talos on 2021-02-09
[1187797] High CVE-2021-30523: Use after free in WebRTC.
Reported by Tolyan Korniltsev on 2021-03-13
[1197146] High CVE-2021-30524: Use after free in TabStrip.
Reported by David Erceg on 2021-04-08
[1197888] High CVE-2021-30525: Use after free in TabGroups.
Reported by David Erceg on 2021-04-11
[1198717] High CVE-2021-30526: Out of bounds write in
TabStrip. Reported by David Erceg on 2021-04-13
[1199198] High CVE-2021-30527: Use after free in WebUI.
Reported by David Erceg on 2021-04-15
[1206329] High CVE-2021-30528: Use after free in
WebAuthentication. Reported by Man Yue Mo of GitHub Security Lab on
2021-05-06
[1195278] Medium CVE-2021-30529: Use after free in Bookmarks.
Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of
360 Alpha Lab on 2021-04-02
[1201033] Medium CVE-2021-30530: Out of bounds memory access
in WebAudio. Reported by kkwon on 2021-04-21
[1115628] Medium CVE-2021-30531: Insufficient policy
enforcement in Content Security Policy. Reported by Philip Papurt on
2020-08-12
[1117687] Medium CVE-2021-30532: Insufficient policy
enforcement in Content Security Policy. Reported by Philip Papurt on
2020-08-18
[1145553] Medium CVE-2021-30533: Insufficient policy
enforcement in PopupBlocker. Reported by Eliya Stein on
2020-11-04
[1151507] Medium CVE-2021-30534: Insufficient policy
enforcement in iFrameSandbox. Reported by Alesandro Ortiz on
2020-11-20
[1194899] Medium CVE-2021-30535: Double free in ICU. Reported
by nocma, leogan, cheneyxu of WeChat Open Platform Security Team on
2021-04-01
[1145024] Medium CVE-2021-21212: Insufficient data validation
in networking. Reported by Hugo Hue and Sze Yiu Chau of the Chinese
University of Hong Kong on 2020-11-03
[1194358] Low CVE-2021-30536: Out of bounds read in V8.
Reported by Chris Salls (@salls) on 2021-03-31
[830101] Low CVE-2021-30537: Insufficient policy enforcement
in cookies. Reported by Jun Kokatsu (@shhnjk) on 2018-04-06
[1115045] Low CVE-2021-30538: Insufficient policy enforcement
in content security policy. Reported by Tianze Ding (@D1iv3) of
Tencent Security Xuanwu Lab on 2020-08-11
[971231] Low CVE-2021-30539: Insufficient policy enforcement
in content security policy. Reported by unnamed researcher on
2019-06-05
[1184147] Low CVE-2021-30540: Incorrect security UI in
payments. Reported by @retsew0x01 on 2021-03-03
1-byte memory overwrite might occur during DNS server response
processing if the "resolver" directive was used, allowing an
attacker who is able to forge UDP packets from the DNS server
to cause worker process crash or, potentially, arbitrary code
execution.
Denial-of-Service on CURVE/ZAP-protected servers by
unauthenticated clients.
If a raw TCP socket is opened and connected to an endpoint that is fully
configured with CURVE/ZAP, legitimate clients will not be able to exchange
any message. Handshakes complete successfully, and messages are delivered to
the library, but the server application never receives them.
A remote, unauthenticated client connecting to a
libzmq application, running with a socket listening with CURVE
encryption/authentication enabled, may cause a stack overflow and
overwrite the stack with arbitrary data, due to a buffer overflow in
the library. Users running public servers with the above configuration
are highly encouraged to upgrade as soon as possible, as there are no
known mitigations.
In the pg_partman (aka PG Partition Manager) extension before 4.5.1
for PostgreSQL, arbitrary code execution can be achieved via
SECURITY DEFINER functions because an explicit search_path is not
set.
So here are the CVE's for the two big ones, libxml2 and expat.
Both are affected by the expansion of internal entities
(which can be used to consume resources) and external entities
(which can cause a denial of service against other services, be
used to port scan, etc.).
A billion laughs attack is a type of denial-of-service attack
which is aimed at parsers of XML documents.
A flaw was found in libxml2. Exponential entity expansion attack
its possible bypassing all existing protection mechanisms and
leading to denial of service.
Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE
Using an INSERT ... ON CONFLICT ... DO UPDATE command on a
purpose-crafted table, an attacker can read arbitrary bytes of
server memory. In the default configuration, any authenticated
database user can create prerequisite objects and complete this
attack at will. A user lacking the CREATE and TEMPORARY privileges
on all databases and the CREATE privilege on all schemas cannot use
this attack at will..
Buffer overrun from integer overflow in array subscripting
calculations
While modifying certain SQL array values, missing bounds checks let
authenticated database users write arbitrary bytes to a wide area of
server memory.
Using an UPDATE ... RETURNING on a purpose-crafted partitioned
table, an attacker can read arbitrary bytes of server memory. In the
default configuration, any authenticated database user can create
prerequisite objects and complete this attack at will. A user
lacking the CREATE and TEMPORARY privileges on all databases and the
CREATE privilege on all schemas typically cannot use this attack at
will.
Several vulnerabilities have been discovered in ImageMagick:
CVE-2021-20309: A flaw was found in ImageMagick in versions before 6.9.12,
where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger
undefined behavior via a crafted image file submitted to an application using ImageMagick.
CVE-2021-20176: A divide-by-zero flaw was found in ImageMagick 6.9.11-57 in gem.c.
This flaw allows an attacker who submits a crafted file that is processed by ImageMagick
to trigger undefined behavior through a division by zero.
CVE-2020-29599: ImageMagick before 6.9.11-40 mishandles the -authenticate option,
which allows setting a password for password-protected PDF files.
Several vulnerabilities have been discovered in ImageMagick:
CVE-2021-20313: A flaw was found in ImageMagick in versions before 7.0.11.
A potential cipher leak when the calculate signatures in TransformSignature is possible.
CVE-2021-20312: A flaw was found in ImageMagick in versions 7.0.11,
where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger
undefined behavior via a crafted image file that is submitted by an attacker and
processed by an application using ImageMagick.
CVE-2021-20311: A flaw was found in ImageMagick in versions before 7.0.11,
where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c
may trigger undefined behavior via a crafted image file that is submitted by an
attacker processed by an application using ImageMagick.
CVE-2021-20310: A flaw was found in ImageMagick in versions before 7.0.11,
where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger
undefined behavior via a crafted image file that is submitted by an attacker
and processed by an application using ImageMagick.
CVE-2021-20309: A flaw was found in ImageMagick in versions before 7.0.11,
where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger
undefined behavior via a crafted image file submitted to an application using ImageMagick.
This advisory details 5 new security vulnerabilities discovered in the
Prosody.im XMPP server software. All issues are fixed in the 0.11.9
release default configuration.
CVE-2021-32918: DoS via insufficient memory consumption controls
CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU consumption
CVE-2021-32921: Use of timing-dependent string comparison with sensitive values
CVE-2021-32917: Use of mod_proxy65 is unrestricted in default configuration
"Push rules" can specify conditions under which they will match,
including event_match, which matches event content against a
pattern including wildcards.
Certain patterns can cause very poor performance in the matching
engine, leading to a denial-of-service when processing moderate
length events.
This release contains 19 security fixes, including:
[1180126] High CVE-2021-30506: Incorrect security UI in Web App
Installs. Reported by @retsew0x01 on 2021-02-19
[1178202] High CVE-2021-30507: Inappropriate implementation in
Offline. Reported by Alison Huffman, Microsoft Browser
Vulnerability Research on 2021-02-14
[1195340] High CVE-2021-30508: Heap buffer overflow in Media
Feeds. Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2021-04-02
[1196309] High CVE-2021-30509: Out of bounds write in Tab Strip.
Reported by David Erceg on 2021-04-06
[1197436] High CVE-2021-30510: Race in Aura. Reported by Weipeng
Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group
on 2021-04-09
[1197875] High CVE-2021-30511: Out of bounds read in Tab Groups.
Reported by David Erceg on 2021-04-10
[1200019] High CVE-2021-30512: Use after free in Notifications.
Reported by ZhanJia Song on 2021-04-17
[1200490] High CVE-2021-30513: Type Confusion in V8. Reported by
Man Yue Mo of GitHub Security Lab on 2021-04-19
[1200766] High CVE-2021-30514: Use after free in Autofill.
Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of
360 Alpha Lab on 2021-04-20
[1201073] High CVE-2021-30515: Use after free in File API.
Reported by Rong Jian and Guang Gong of 360 Alpha Lab on
2021-04-21
[1201446] High CVE-2021-30516: Heap buffer overflow in History.
Reported by ZhanJia Song on 2021-04-22
[1203122] High CVE-2021-30517: Type Confusion in V8. Reported by
laural on 2021-04-27
[1203590] High CVE-2021-30518: Heap buffer overflow in Reader
Mode. Reported by Jun Kokatsu, Microsoft Browser Vulnerability
Research on 2021-04-28
[1194058] Medium CVE-2021-30519: Use after free in Payments.
Reported by asnine on 2021-03-30
[1193362] Medium CVE-2021-30520: Use after free in Tab Strip.
Reported by Khalil Zhani on 2021-04-03
Fixed CVE-2021-32056: Remote authenticated users could bypass intended access restrictions on certain server annotations. Additionally, a long-standing bug in replication did not allow server annotations to be replicated. Combining these two bugs, a remote authenticated user could stall replication, requiring administrator intervention.
http.ReadRequest can stack overflow due to recursion when given a
request with a very large header (~8-10MB depending on the
architecture). A http.Server which overrides the default max header
of 1MB by setting Server.MaxHeaderBytes to a much larger value could
also be vulnerable in the same way.
An incomplete fix was found for the fix of the flaw CVE-2020-1733
ansible: insecure temporary directory when running become_user from
become directive. The provided fix is insufficient to prevent the
race condition on systems using ACLs and FUSE filesystems..
bpo-43434: Creating a sqlite3.Connection object now also produces a
sqlite3.connect auditing event. Previously this event was only produced
by sqlite3.connect() calls. Patch by Erlend E. Aasland.
bpo-43882: The presence of newline or tab characters in parts of a URL
could allow some forms of attacks.Following the controlling specification
for URLs defined by WHATWG urllib.parse() now removes A SCII newlines
and tabs from URLs, preventing such attacks.
bpo-43472: Ensures interpreter-level audit hooks receive the cpython.
PyInterpreterState_New event when called through the _xxsubinterpreters
module.
bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4
address strings. Leading zeros are ambiguous and interpreted as octal
notation by some libraries. For example the legacy function socket.inet_aton()
treats leading zeros as octal notatation. glibc implementation of modern
inet_pton() does not accept any leading zeros. For a while the ipaddress
module used to accept ambiguous leading zeros.
bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability
in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has
quadratic worst-case complexity and it allows cause a denial of service
when identifying crafted invalid RFCs. This ReDoS issue is on the client
side and needs remote attackers to control the HTTP server.
bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame,
and generator code/frame attribute access.
This Critical Patch Update contains 49 new security patches for
Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle
MySQL is 9.8.
MariaDB is affected by CVE-2021-2166 and CVE-2021-2154 only
An integer overflow bug in Redis version 6.0 or newer could be
exploited using the STRALGO LCS command to corrupt the heap and
potentially result with remote code execution.
Vulnerability in the COPY command for large intsets
An integer overflow bug in Redis 6.2 could be exploited to corrupt
the heap and potentially result with remote code execution.
The vulnerability involves changing the default set-max-intset-entries
configuration value, creating a large set key that consists of
integer values and using the COPY command to duplicate it.
The integer overflow bug exists in all versions of Redis starting
with 2.6, where it could result with a corrupted RDB or DUMP payload,
but not exploited through COPY (which did not exist before 6.2).
RDoc used to call Kernel#open to open a local file. If a Ruby project
has a file whose name starts with | and ends with tags, the command
following the pipe character is executed. A malicious Ruby project
could exploit it to run an arbitrary command execution against a user
who attempts to run rdoc command.
Earlier versions of Sympa require a parameter named cookie in sympa.conf
configuration file.
This parameter was used to make some identifiers generated by the system
unpredictable. For example, it was used as following:
To be used as a salt to encrypt passwords stored in the database by
the RC4 symmetric key algorithm.
Note that RC4 is no longer considered secure enough and is not supported
in the current version of Sympa.
To prevent attackers from sending crafted messages to achieve XSS and
so on in message archives.
There were the following problems with the use of this parameter.
This parameter, for its purpose, should be different for each
installation, and once set, it cannot be changed. As a result, some sites
have been operating without setting this parameter. This completely
invalidates the security measures described above.
Even if this parameter is properly set, it may be considered not being
strong enough against brute force attacks.
Session recovery feature contains a null pointer deference.
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.
This manifests as a crash in the shibd daemon/service process.
Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.
Fix null-pointer dereference when encountering an
invalid enum name in a config/input file that tries to
read it into a set[enum]. For those that have such an
input feed whose contents may come from external/remote
sources, this is a potential DoS vulnerability.
OpenVPN 2.5.1 and earlier versions allows a remote attackers to
bypass authentication and access control channel data on servers
configured with deferred authentication, which can be used to
potentially trigger further information leaks.
ssh-agent(1): fixed a double-free memory corruption that was
introduced in OpenSSH 8.2 . We treat all such memory faults as
potentially exploitable. This bug could be reached by an attacker
with access to the agent socket.
On modern operating systems where the OS can provide information
about the user identity connected to a socket, OpenSSH ssh-agent
and sshd limit agent socket access only to the originating user
and root. Additional mitigation may be afforded by the system's
malloc(3)/free(3) implementation, if it detects double-free
conditions.
The most likely scenario for exploitation is a user forwarding an
agent either to an account shared with a malicious user or to a
host with an attacker holding root access.
The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink.
We received a report from Jonathan Leitschuh about a vulnerability
of custom repositories in dependency POMs. We've split this up
into three separate issues:
Possible Man-In-The-Middle-Attack due to custom repositories
using HTTP.
More and more repositories use HTTPS nowadays, but this
hasn't always been the case. This means that Maven Central contains
POMs with custom repositories that refer to a URL over HTTP. This
makes downloads via such repository a target for a MITM attack. At
the same time, developers are probably not aware that for some
downloads an insecure URL is being used. Because uploaded POMs to
Maven Central are immutable, a change for Maven was required. To
solve this, we extended the mirror configuration with blocked
parameter, and we added a new external:http:* mirror selector (like
existing external:*), meaning "any external URL using HTTP".
The decision was made to block such external HTTP repositories by default:
this is done by providing a mirror in the conf/settings.xml blocking
insecure HTTP external URLs.
Possible Domain Hijacking due to custom repositories using abandoned
domains
Sonatype has analyzed which domains were abandoned and has claimed these
domains.
Possible hijacking of downloads by redirecting to custom repositories
This one was the hardest to analyze and explain. The short story is:
you're safe, dependencies are only downloaded from repositories within
their context. So there are two main questions: what is the context and
what is the order? The order is described on the Repository Order page.
The first group of repositories are defined in the settings.xml (both user
and global). The second group of repositories are based on inheritence,
with ultimately the super POM containing the URL to Maven Central. The
third group is the most complex one but is important to understand the
term context: repositories from the effective POMs from the dependency
path to the artifact. So if a dependency was defined by another dependency
or by a Maven project, it will also include their repositories. In the end
this is not a bug, but a design feature.
Add content-type headers to raw KV responses to prevent XSS attacks
(CVE-2020-25864). audit-logging: Parse endpoint URL to prevent
requests from bypassing the audit log (CVE-2021-28156).
The search feature of mdBook (introduced in version 0.1.4) was
affected by a cross site scripting vulnerability that allowed an
attacker to execute arbitrary JavaScript code on an user's browser
by tricking the user into typing a malicious search query, or
tricking the user into clicking a link to the search page with the
malicious search query prefilled.
mdBook 0.4.5 fixes the vulnerability by properly escaping the search
query.
Directory Traversal with ../ sequences occurs in AccountsService
before 0.6.50 because of an insufficient path check in
user_change_icon_file_authorized_cb() in user.c.
This release contains 37 security fixes, including:
[1025683] High CVE-2021-21201: Use after free in permissions.
Reported by Gengming Liu, Jianyu Chen at Tencent Keen Security
Lab on 2019-11-18
[1188889] High CVE-2021-21202: Use after free in extensions.
Reported by David Erceg on 2021-03-16
[1192054] High CVE-2021-21203: Use after free in Blink.
Reported by asnine on 2021-03-24
[1189926] High CVE-2021-21204: Use after free in Blink.
Reported by Chelse Tsai-Simek, Jeanette Ulloa, and Emily
Voigtlander of Seesaw on 2021-03-19
[1165654] High CVE-2021-21205: Insufficient policy enforcement
in navigation. Reported by Alison Huffman, Microsoft Browser
Vulnerability Research on 2021-01-12
[1195333] High CVE-2021-21221: Insufficient validation of
untrusted input in Mojo. Reported by Guang Gong of Alpha Lab,
Qihoo 360 on 2021-04-02
[1185732] Medium CVE-2021-21207: Use after free in IndexedDB.
Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13)
of 360 Alpha Lab on 2021-03-08
[1039539] Medium CVE-2021-21208: Insufficient data validation
in QR scanner. Reported by Ahmed Elsobky (@0xsobky) on
2020-01-07
[1143526] Medium CVE-2021-21209: Inappropriate implementation
in storage. Reported by Tom Van Goethem (@tomvangoethem) on
2020-10-29
[1184562] Medium CVE-2021-21210: Inappropriate implementation
in Network. Reported by @bananabr on 2021-03-04
[1103119] Medium CVE-2021-21211: Inappropriate implementation
in Navigation. Reported by Akash Labade (m0ns7er) on
2020-07-08
[1145024] Medium CVE-2021-21212: Incorrect security UI in
Network Config UI. Reported by Hugo Hue and Sze Yiu Chau of the
Chinese University of Hong Kong on 2020-11-03
[1161806] Medium CVE-2021-21213: Use after free in WebMIDI.
Reported by raven (@raid_akame) on 2020-12-25
[1170148] Medium CVE-2021-21214: Use after free in Network API.
Reported by Anonymous on 2021-01-24
[1172533] Medium CVE-2021-21215: Inappropriate implementation
in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser
Vulnerability Research on 2021-01-30
[1173297] Medium CVE-2021-21216: Inappropriate implementation
in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser
Vulnerability Research on 2021-02-02
[1166462] Low CVE-2021-21217: Uninitialized Use in PDFium.
Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on
2021-01-14
[1166478] Low CVE-2021-21218: Uninitialized Use in PDFium.
Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on
2021-01-14
[1166972] Low CVE-2021-21219: Uninitialized Use in PDFium.
Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on
2021-01-15
[1196781] High CVE-2021-21206: Use after free in Blink. Reported
by Anonymous on 2021-04-07
[1196683] High CVE-2021-21220: Insufficient validation of
untrusted input in V8 for x86_64. Reported by Bruno Keith (@bkth_)
and Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it)
via ZDI (ZDI-CAN-13569) on 2021-04-07>
libcurl does not strip off user credentials from the URL when
automatically populating the Referer: HTTP request header field
in outgoing HTTP requests, and therefore risks leaking sensitive
data to the server that is the target of the second HTTP request.
libcurl automatically sets the Referer: HTTP request header field
in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set.
With the curl tool, it is enabled with --referer ";auto".
Enabled by default, libcurl supports the use of TLS 1.3 session
tickets to resume previous TLS sessions to speed up subsequent
TLS handshakes.
When using a HTTPS proxy and TLS 1.3, libcurl can confuse session
tickets arriving from the HTTPS proxy but work as if they arrived
from the remote server and then wrongly "short-cut" the host
handshake. The reason for this confusion is the modified sequence
from TLS 1.2 when the session ids would provided only during the
TLS handshake, while in TLS 1.3 it happens post hand-shake and
the code was not updated to take that changed behavior into account.
When confusing the tickets, a HTTPS proxy can trick libcurl to use
the wrong session ticket resume for the host and thereby circumvent
the server TLS certificate check and make a MITM attack to be
possible to perform unnoticed.
This flaw can allow a malicious HTTPS proxy to MITM the traffic.
Such a malicious HTTPS proxy needs to provide a certificate that
curl will accept for the MITMed server for an attack to work -
unless curl has been told to ignore the server certificate check.
Remove the getfile feature of the pydoc module which could be
abused to read arbitrary files on the disk (directory traversal
vulnerability). Moreover, even source code of Python modules
can contain sensitive data like passwords.
A particular case of memory sharing is mishandled in the virtual memory
system. It is possible and legal to establish a relationship where
multiple descendant processes share a mapping which shadows memory of an
ancestor process. In this scenario, when one process modifies memory
through such a mapping, the copy-on-write logic fails to invalidate
other mappings of the source page. These stale mappings may remain even
after the mapped pages have been reused for another purpose.
Impact:
An unprivileged local user process can maintain a mapping of a page
after it is freed, allowing that process to read private data belonging
to other processes or the kernel.
High: CA certificate check bypass with X509_V_FLAG_X509_STRICT
(CVE-2021-3450) The X509_V_FLAG_X509_STRICT flag enables
additional security checks of the certificates present in a
certificate chain. It is not set by default.
High: NULL pointer deref in signature_algorithms processing
(CVE-2021-3449) An OpenSSL TLS server may crash if sent a
maliciously crafted renegotiation ClientHello message from a client.
If a TLSv1.2 renegotiation ClientHello omits the
signature_algorithms extension (where it was present in the initial
ClientHello), but includes a signature_algorithms_cert extension
then a NULL pointer dereference will result, leading to a crash and
a denial of service attack.
Due to a race condition between lookup of ".." and remounting a filesystem,
a process running inside a jail might access filesystem hierarchy outside
of jail.
Impact:
A process with superuser privileges running inside a jail configured
with the allow.mount permission (not enabled by default) could change the root
directory outside of the jail, and thus gain full read and write access
to all files and directories in the system.
OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) (CVE-2021-3450)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
OpenSSL - NULL pointer deref in signature_algorithms processing (High) (CVE-2021-3449)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
npm upgrade - Update y18n to fix Prototype-Pollution (High) (CVE-2020-7774)
This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
An unprivileged process can configure an accept filter on a listening
socket. This is done using the setsockopt(2) system call. The process
supplies the name of the accept filter which is to be attached to the
socket, as well as a string containing filter-specific information.
If the filter implements the accf_create callback, the socket option
handler attempts to preserve the process-supplied argument string. A
bug in the socket option handler caused this string to be freed
prematurely, leaving a dangling pointer. Additional operations on the
socket can turn this into a double free or a use-after-free.
Impact:
The bug may be exploited to trigger local privilege escalation or
kernel memory disclosure.
A stack overflow in pupnp 1.16.1 can cause the denial of service through the
Parser_parseDocument() function. ixmlNode_free() will release a child node
recursively, which will consume stack space and lead to a crash.
When parsing and serializing a crafted XML document, REXML gem
(including the one bundled with Ruby) can create a wrong XML
document whose structure is different from the original one.
The impact of this issue highly depends on context, but it may
lead to a vulnerability in some programs that are using REXML.
[1181228] High CVE-2021-21194: Use after free in screen capture.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2021-02-23
[1182647] High CVE-2021-21195: Use after free in V8.
Reported by Bohan Liu (@P4nda20371774) and Moon Liang of Tencent
Security Xuanwu Lab on 2021-02-26
[1175992] High CVE-2021-21196: Heap buffer overflow in
TabStrip. Reported by Khalil Zhani on 2021-02-08
[1173903] High CVE-2021-21197: Heap buffer overflow in
TabStrip. Reported by Abdulrahman Alqabandi, Microsoft Browser
Vulnerability Research on 2021-02-03
[1184399] High CVE-2021-21198: Out of bounds read in IPC.
Reported by Mark Brand of Google Project Zero on 2021-03-03
[1179635] High CVE-2021-21199: Use Use after free in Aura.
Reported by Weipeng Jiang (@Krace) from Codesafe Team of
Legendsec at Qi'anxin Group and Evangelos Foutras
CVE-2020-27840: An anonymous attacker can crash the Samba AD DC
LDAP server by sending easily crafted DNs as
part of a bind request. More serious heap corruption
is likely also possible.
CVE-2021-20277: User-controlled LDAP filter strings against
the AD DC LDAP server may crash the LDAP server.
I've prepared a new bug-fix release of Nettle, a low-level
cryptographics library, to fix a serious bug in the function to
verify ECDSA signatures. Implications include an assertion failure,
which could be used for denial-of-service, when verifying signatures
on the secp_224r1 and secp521_r1 curves.
Even when no assert is triggered in ecdsa_verify, ECC point
multiplication may get invalid intermediate values as input, and
produce incorrect results. [...] It appears difficult to construct
an alleged signature that makes the function misbehave in such a way
that an invalid signature is accepted as valid, but such attacks
can't be ruled out without further analysis.
Apache SpamAssassin 3.4.5 was recently released [1], and fixes
an issue of security note where malicious rule configuration (.cf)
files can be configured to run system commands.
In Apache SpamAssassin before 3.4.5, exploits can be injected in
a number of scenarios. In addition to upgrading to SA 3.4.5,
users should only use update channels or 3rd party .cf files from
trusted places.
[In configurations where the forwarding server address contains an @
character for specifying a sending interface or source address, the]
random source port behavior was disabled, making cache poisoning
attacks possible.
This only affects configurations of the form server=1.1.1.1@em0 or
server=1.1.1.1@192.0.2.1, i. e. those that specify an interface to
send through, or an IP address to send from, or use together with
NetworkManager.
This is a security issue because it enables MITM modification of
request bodies that are meant to have integrity guaranteed by chunk
signatures.
In a PUT request using aws-chunked encoding, MinIO ordinarily
verifies signatures at the end of a chunk. This check can be skipped
if the client sends a false chunk size that is much greater than the
actual data sent: the server accepts and completes the request
without ever reaching the end of the chunk + thereby without ever
checking the chunk signature.
This release includes 5 security fixes, including:
[1167357] High CVE-2021-21191: Use after free in WebRTC.
Reported by raven (@raid_akame) on 2021-01-15
[1181387] High CVE-2021-21192: Heap buffer overflow in tab
groups. Reported by Abdulrahman Alqabandi, Microsoft Browser
Vulnerability Research on 2021-02-23
[1186287] High CVE-2021-21193: Use after free in Blink.
Reported by Anonymous on 2021-03-09
Integer overflow in the read_fragment_table_4 function in unsquash-4.c in Squashfs and sasquatch allows remote attackers to cause a denial of service (application crash) via a crafted input, which triggers a stack-based buffer overflow.
The Decode, DecodeElement, and Skip methods of an xml.Decoder
provided by xml.NewTokenDecoder may enter an infinite loop when
operating on a custom xml.TokenReader which returns an EOF in the
middle of an open XML element.
The Reader.Open API, new in Go 1.16, will panic when used on a ZIP
archive containing files that start with "../".
HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (Critical) (CVE-2021-22883)
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
DNS rebinding in --inspect (CVE-2021-22884)
Affected Node.js versions are vulnerable to a DNS rebinding attack when the whitelist includes "localhost6". When "localhost6" is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the "localhost6" domain. As long as the attacker uses the "localhost6" domain, they can still apply the attack described in CVE-2018-7160.
OpenSSL - Integer overflow in CipherUpdate (CVE-2021-23840)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
When Asterisk sends a re-invite initiating T.38 faxing
and the endpoint responds with a m=image line and zero
port, a crash will occur in Asterisk. This is a reoccurrence
of AST-2019-004.
This release includes 47 security fixes, including the below.
Google is aware of reports that an exploit for CVE-2021-21166 exists
in the wild. Please see URL for details.
SaltStack reports multiple security vulnerabilities in Salt
CVE-2021-3197: The Salt-API.s SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
CVE-2021-25281: The Salt-API does not have eAuth credentials for the wheel_async client.
CVE-2021-25282: The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
CVE-2021-25283: The jinja renderer does not protect against server-side template injection attacks.
CVE-2021-25284: webutils write passwords in cleartext to /var/log/salt/minion
CVE-2021-3148: command injection in salt.utils.thin.gen_thin()
CVE-2020-35662: Several places where Salt was not verifying the SSL cert by default.
CVE-2021-3144: eauth Token can be used once after expiration.
CVE-2020-28972: Code base not validating SSL/TLS certificate of the server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack
CVE-2020-28243: Local Privilege Escalation in the Minion.
Limited Unauthenticated License Read: We addressed a security vulnerability that allowed for the unauthenticated reading of Vault licenses from DR Secondaries.
Due to a race condition in the jail_remove(2) implementation, it
may fail to kill some of the processes.
Impact:
A process running inside a jail can avoid being killed during jail
termination. If a jail is subsequently started with the same root
path, a lingering jailed process may be able to exploit the window
during which a devfs filesystem is mounted but the jail's devfs
ruleset has not been applied, to access device nodes which are
ordinarily inaccessible. If the process is privileged, it may be able
to escape the jail and gain full access to the system.
Grant mapping operations often occur in batch hypercalls, where a
number of operations are done in a single hypercall, the success or
failure of each one reported to the backend driver, and the backend
driver then loops over the results, performing follow-up actions
based on the success or failure of each operation.
Unfortunately, when running in HVM/PVH mode, the FreeBSD backend
drivers mishandle this: Some errors are ignored, effectively implying
their success from the success of related batch elements. In other
cases, errors resulting from one batch element lead to further batch
elements not being inspected, and hence successful ones to not be
possible to properly unmap upon error recovery.
Impact:
A malicious or buggy frontend driver may be able to cause resource
leaks in the domain running the corresponding backend driver.
A regression in the login.access(5) rule processor has the effect
of causing rules to fail to match even when they should not. This
means that rules denying access may be ignored.
Impact:
The configuration in login.access(5) may not be applied, permitting
login access to users even when the system is configured to deny it.
When a process, such as jexec(8) or killall(1), calls jail_attach(2)
to enter a jail, the jailed root can attach to it using ptrace(2) before
the current working directory is changed.
Impact:
A process with superuser privileges running inside a jail could change
the root directory outside of the jail, thereby gaining full read and
writing access to all files and directories in the system.
Redis 4.0 or newer uses a configurable limit for
the maximum supported bulk input size. By default,
it is 512MB which is a safe value for all platforms.
If the limit is significantly increased, receiving a
large request from a client may trigger several
integer overflow scenarios, which would result with
buffer overflow and heap corruption.
Fix ASCII Input reader's treatment of input files
containing null-bytes. An input file containing null-bytes
could lead to a buffer-over-read, crash Zeek, and be
exploited to cause Denial of Service.
An unauthenticated remote attacker could replay SRTP
packets which could cause an Asterisk instance configured
without strict RTP validation to tear down calls
prematurely.
If a registered user is tricked into dialing a malicious
number that sends lots of 181 responses to Asterisk, each
one will cause a 181 to be sent back to the original
caller with an increasing number of entries in the
"Supported" header. Eventually the number of entries in
the header exceeds the size of the entry array and causes
a crash.
Due to a signedness comparison mismatch, an authenticated
WebRTC client could cause a stack overflow and Asterisk
crash by sending multiple hold/unhold requests in quick
succession.
When re-negotiating for T.38 if the initial remote
response was delayed just enough Asterisk would send both
audio and T.38 in the SDP. If this happened, and the
remote responded with a declined T.38 stream then Asterisk
would crash.
This release contains 10 security fixes, including:
[1138143] High CVE-2021-21149: Stack overflow in Data Transfer.
Reported by Ryoya Tsukasaki on 2020-10-14
[1172192] High CVE-2021-21150: Use after free in Downloads.
Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2021-01-29
[1165624] High CVE-2021-21151: Use after free in Payments.
Reported by Khalil Zhani on 2021-01-12
[1166504] High CVE-2021-21152: Heap buffer overflow in Media.
Reported by Anonymous on 2021-01-14
[1155974] High CVE-2021-21153: Stack overflow in GPU Process.
Reported by Jan Ruge of ERNW GmbH on 2020-12-06
[1173269] High CVE-2021-21154: Heap buffer overflow in Tab
Strip. Reported by Abdulrahman Alqabandi, Microsoft Browser
Vulnerability Research on 2021-02-01
[1175500] High CVE-2021-21155: Heap buffer overflow in Tab
Strip. Reported by Khalil Zhani on 2021-02-07
[1177341] High CVE-2021-21156: Heap buffer overflow in V8.
Reported by Sergei Glazunov of Google Project Zero on
2021-02-11
[1170657] Medium CVE-2021-21157: Use after free in Web
Sockets. Reported by Anonymous on 2021-01-26
In OAuth2 Proxy before version 7.0.0, for users that use the
whitelist domain feature, a domain that ended in a similar way to
the intended domain could have been allowed as a redirect.
Subversion's mod_authz_svn module will crash if the server is using
in-repository authz rules with the AuthzSVNReposRelativeAccessFile
option and a client sends a request for a non-existing repository URL.
[1170176] High CVE-2021-21148: Heap buffer overflow in V8.
Reported by Mattias Buelens on 2021-01-24. Google is aware of
reports that an exploit for CVE-2021-21148 exists in the wild.
1169317] Critical CVE-2021-21142: Use after free in Payments.
Reported by Khalil Zhani on 2021-01-21
[1163504] High CVE-2021-21143: Heap buffer overflow in
Extensions. Reported by Allen Parker and Alex Morgan of MU on
2021-01-06
[1163845] High CVE-2021-21144: Heap buffer overflow in Tab
Groups. Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2021-01-07
[1154965] High CVE-2021-21145: Use after free in Fonts. Reported
by Anonymous on 2020-12-03
[1161705] High CVE-2021-21146: Use after free in Navigation.
Reported by Alison Huffman and Choongwoo Han of Microsoft Browser
Vulnerability Research on 2020-12-24
[1162942] Medium CVE-2021-21147: Inappropriate implementation in
Skia. Reported by Roman Starkov on 2021-01-04
Thanks to @phith0n from our community upon a code review, discovered an SSRF (Server Side Request Forgery) in our Browser API implementation. We have not observed this report/attack in the wild or reported elsewhere in the community at large.
All users are advised to upgrade ASAP.
The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.).
In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed.
Some OSes (including Linux, FreeBSD, and NetBSD) are processing watch
events using a single thread. If the events are received faster than
the thread is able to handle, they will get queued.
As the queue is unbound, a guest may be able to trigger a OOM in
the backend.
Several file systems were not properly initializing the d_off field
of the dirent structures returned by VOP_READDIR. In particular,
tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so.
As a result, eight uninitialized kernel stack bytes may be leaked to
userspace by these file systems. This problem is not present in
FreeBSD 11.
Additionally, msdosfs(5) was failing to zero-fill a pair of padding
fields in the dirent structure, resulting in a leak of three
uninitialized bytes.
Impact:
Kernel stack disclosures may leak sensitive information which could
be used to compromise the security of the system.
pngcheck versions 3.0.0 and earlier have a pair of buffer-overrun
bugs related to the sPLT and PPLT chunks (the latter is a MNG-only
chunk, but it gets noticed even in PNG files if the -s option is used).
Both bugs are fixed in version 3.0.1, released on 24 January 2021.
Again, while all known vulnerabilities are fixed in this version,
the code is quite crufty, so it would be safest to assume there are
still some problems hidden in there. As always, use at your own risk.
When invoked as sudoedit, the same set of command line options
are now accepted as for sudo -e. The -H and -P options are now
rejected for sudoedit and sudo -e which matches the sudo 1.7
behavior. This is part of the fix for CVE-2021-3156.
Fixed a potential buffer overflow when unescaping backslashes in
the command's arguments. Normally, sudo escapes special characters
when running a command via a shell (sudo -s or sudo -i). However,
it was also possible to run sudoedit with the -s or -i flags in
which case no escaping had actually been done, making a buffer
overflow possible. This fixes CVE-2021-3156.
rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a
denial of service (mailbox unavailability) by sending email messages
with sequences of semicolon characters in RFC822 address fields
(aka terminators of empty groups). A small email message from the
attacker can cause large memory consumption, and the victim
may then be unable to see email messages from other persons.
In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema were trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.
The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't validate
the user-controlled num_players value, leading to a buffer overflow. A
malicious user can overwrite the server's stack.
This release contains 36 security fixes, including:
[1137179] Critical CVE-2021-21117: Insufficient policy
enforcement in Cryptohome. Reported by Rory McNamara on
2020-10-10
[1161357] High CVE-2021-21118: Insufficient data validation in
V8. Reported by Tyler Nighswander (@tylerni7) of Theori on
2020-12-23
[1160534] High CVE-2021-21119: Use after free in Media. Reported
by Anonymous on 2020-12-20
[1160602] High CVE-2021-21120: Use after free in WebSQL.
Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha
Lab on 2020-12-21
[1161143] High CVE-2021-21121: Use after free in Omnibox.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2020-12-22
[1162131] High CVE-2021-21122: Use after free in Blink. Reported
by Renata Hodovan on 2020-12-28
[1137247] High CVE-2021-21123: Insufficient data validation in
File System API. Reported by Maciej Pulikowski on 2020-10-11
[1131346] High CVE-2021-21124: Potential user after free in
Speech Recognizer. Reported by Chaoyang Ding(@V4kst1z) from
Codesafe Team of Legendsec at Qi'anxin Group on 2020-09-23
[1152327] High CVE-2021-21125: Insufficient policy enforcement
in File System API. Reported by Ron Masas (Imperva) on
2020-11-24
[1163228] High CVE-2020-16044: Use after free in WebRTC.
Reported by Ned Williamson of Project Zero on 2021-01-05
[1108126] Medium CVE-2021-21126: Insufficient policy enforcement
in extensions. Reported by David Erceg on 2020-07-22
[1115590] Medium CVE-2021-21127: Insufficient policy enforcement
in extensions. Reported by Jasminder Pal Singh, Web Services Point
WSP, Kotkapura on 2020-08-12
[1138877] Medium CVE-2021-21128: Heap buffer overflow in Blink.
Reported by Liang Dong on 2020-10-15
[1140403] Medium CVE-2021-21129: Insufficient policy enforcement
in File System API. Reported by Maciej Pulikowski on
2020-10-20
[1140410] Medium CVE-2021-21130: Insufficient policy enforcement
in File System API. Reported by Maciej Pulikowski on
2020-10-20
[1140417] Medium CVE-2021-21131: Insufficient policy enforcement
in File System API. Reported by Maciej Pulikowski on
2020-10-20
[1128206] Medium CVE-2021-21132: Inappropriate implementation in
DevTools. Reported by David Erceg on 2020-09-15
[1157743] Medium CVE-2021-21133: Insufficient policy enforcement
in Downloads. Reported by wester0x01
(https://twitter.com/wester0x01) on 2020-12-11
[1157800] Medium CVE-2021-21134: Incorrect security UI in Page
Info. Reported by wester0x01 (https://twitter.com/wester0x01) on
2020-12-11
[1157818] Medium CVE-2021-21135: Inappropriate implementation in
Performance API. Reported by ndevtk on 2020-12-11
[1038002] Low CVE-2021-21136: Insufficient policy enforcement in
WebView. Reported by Shiv Sahni, Movnavinothan V and Imdad
Mohammed on 2019-12-27
[1093791] Low CVE-2021-21137: Inappropriate implementation in
DevTools. Reported by bobblybear on 2020-06-11
[1122487] Low CVE-2021-21138: Use after free in DevTools.
Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec
at Qi'anxin Group on 2020-08-27
[1136327] Low CVE-2021-21140: Uninitialized Use in USB. Reported
by David Manouchehri on 2020-10-08
[1140435] Low CVE-2021-21141: Insufficient policy enforcement in
File System API. Reported by Maciej Pulikowski on 2020-10-20
There are broadly two sets of problems. The first is subtle errors
in dnsmasq's protections against the chronic weakness of the DNS
protocol to cache-poisoning attacks; the Birthday attack, Kaminsky,
etc.[...]
the second set of errors is a good old fashioned buffer overflow in
dnsmasq's DNSSEC code. If DNSSEC validation is enabled, an
installation is at risk.
The go command may execute arbitrary code at build time when cgo is
in use on Windows. This may occur when running "go get", or
any other command that builds code. Only users who build untrusted
code (and don't execute it) are affected. In addition to Windows
users, this can also affect Unix users who have "." listed
explicitly in their PATH and are running "go get" or build
commands outside of a module or with module mode disabled.
The P224() Curve implementation can in rare circumstances generate
incorrect outputs, including returning invalid points from
ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not
crypto/tls) packages support P-224 ECDSA keys, but they are not
supported by publicly trusted certificate authorities. No other
standard library or golang.org/x/crypto package supports or uses the
P-224 curve.
cloud-init release 20.4.1 is now available. This is a hotfix
release, that contains a single patch to address a security issue in
cloud-init 20.4.
Briefly, for users who provide more than one unique SSH key to
cloud-init and have a shared AuthorizedKeysFile configured in
sshd_config, cloud-init 20.4 started writing all of these keys to such a
file, granting all such keys SSH access as root.
It's worth restating this implication: if you are using the default
AuthorizedKeysFile setting in /etc/ssh/sshd_config, as most will be,
then you are _not_ affected by this issue.
A memory corruption issue was found in Artifex
Ghostscript 9.50 and 9.52. Use of a non-standard
PostScript operator can allow overriding of file access
controls. The 'rsearch' calculation for the 'post' size
resulted in a size that was too large, and could underflow
to max uint32_t. This was fixed in commit
5d499272b95a6b890a1397e11d20937de000d31b.
Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287)
Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.
iThis is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt.
A potential information leak in sudoedit that could be used to
test for the existence of directories not normally accessible to
the user in certain circumstances. When creating a new file,
sudoedit checks to make sure the parent directory of the new file
exists before running the editor. However, a race condition exists
if the invoking user can replace (or create) the parent directory.
If a symbolic link is created in place of the parent directory,
sudoedit will run the editor as long as the target of the link
exists.If the target of the link does not exist, an error message
will be displayed. The race condition can be used to test for the
existence of an arbitrary directory. However, it _cannot_ be used
to write to an arbitrary location.
When processing SVG files, the python package CairoSVG uses two regular
expressions which are vulnerable to Regular Expression Denial of Service
(REDoS).
If an attacker provides a malicious SVG, it can make cairosvg get stuck
processing the file for a very long time.
This release includes 16 security fixes, including:
[1148749] High CVE-2021-21106: Use after free in autofill.
Reported by Weipeng Jiang (@Krace) from Codesafe Team of
Legendsec at Qi'anxin Group on 2020-11-13
[1153595] High CVE-2021-21107: Use after free in drag and
drop. Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2020-11-30
[1155426] High CVE-2021-21108: Use after free in media.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2020-12-04
[1152334] High CVE-2021-21109: Use after free in payments.
Reported by Rong Jian and Guang Gong of 360 Alpha Lab on
2020-11-24
[1152451] High CVE-2021-21110: Use after free in safe
browsing. Reported by Anonymous on 2020-11-24
[1149125] High CVE-2021-21111: Insufficient policy enforcement
in WebUI. Reported by Alesandro Ortiz on 2020-11-15
[1151298] High CVE-2021-21112: Use after free in Blink.
Reported by YoungJoo Lee(@ashuu_lee) of Raon Whitehat on
2020-11-20
[1155178] High CVE-2021-21113: Heap buffer overflow in Skia.
Reported by tsubmunu on 2020-12-03
[1148309] High CVE-2020-16043: Insufficient data validation in
networking. Reported by Samy Kamkar, Ben Seri at Armis, Gregory
Vishnepolsky at Armis on 2020-11-12
[1150065] High CVE-2021-21114: Use after free in audio.
Reported by Man Yue Mo of GitHub Security Lab on 2020-11-17
[1157790] High CVE-2020-15995: Out of bounds write in V8.
Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu
Lab on 2020-12-11
[1157814] High CVE-2021-21115: Use after free in safe browsing.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2020-12-11
[1151069] Medium CVE-2021-21116: Heap buffer overflow in audio.
Reported by Alison Huffman, Microsoft Browser Vulnerability
Research on 2020-11-19
When imap hibernation is active, an attacker can cause Dovecot to
discover file system directory structure and access other users'
emails using specially crafted command.
The attacker must have valid credentials to access the
mail server.
Mail delivery / parsing crashed when the 10 000th MIME part was
message/rfc822 (or if parent was multipart/digest). This happened
due to earlier MIME parsing changes for CVE-2020-12100.
The websocket module before v3.8.1 contains a double free
vulnerability. When combined with a HTTP reverse proxy this
vulnerability can be used by any user who is [GKZ]-lined to remotely
crash an InspIRCd server.
A remote, unauthenticated attacker can trigger a race condition
leading to a crash, or possibly arbitrary code execution, by sending crafted queries with a GSS-TSIG signature.
A remote, unauthenticated attacker can cause a denial of service by
sending crafted queries with a GSS-TSIG signature.
A remote, unauthenticated attacker might be able to cause a double-free,
leading to a crash or possibly arbitrary code execution by sending crafted queries with a GSS-TSIG signature.
The X.509 GeneralName type is a generic type for representing
different types of names. One of those name types is known as
EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which
compares different instances of a GENERAL_NAME to see if they
are equal or not. This function behaves incorrectly when both
GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer
dereference and a crash may occur leading to a possible denial
of service attack.
A malicious or poorly-implemented homeserver can inject malformed events
into a room by specifying a different room id in the path of a /send_join,
/send_leave, /invite or /exchange_third_party_invite request.
This can lead to a denial of service in which future events will not be
correctly sent to other servers over federation.
This affects any server which accepts federation requests from untrusted
servers.
Unbound and NSD when writing the PID file would not check if an
existing file was a symlink. This could allow for a local symlink \
attack if an attacker has access to the user Unbound/NSD runs as.
CVE-2020-29363: Out-of-bounds write in
p11_rpc_buffer_get_byte_array_value function A heap-based buffer
overflow has been discovered in the RPC protocol used by p11-kit
server/remote commands and the client library. When the remote
entity supplies a serialized byte array in a CK_ATTRIBUTE, the
receiving entity may not allocate sufficient length for the buffer
to store the deserialized value.
CVE-2020-29362: Out-of-bounds read in p11_rpc_buffer_get_byte_array
function A heap-based buffer over-read has been discovered in
the RPC protocol used by thep11-kit server/remote commands and the
client library. When the remote entity supplies a byte array through
a serialized PKCS#11 function call, the receiving entity may allow
the reading of up to 4 bytes of memory past the heap
allocation.
CVE-2020-29361: Integer overflow when allocating memory for arrays
of attributes and object identifiers Multiple integer overflows
have been discovered in the array allocations in the p11-kit library
and the p11-kit list command, where overflow checks are missing
before calling realloc or calloc.
Increase the permissions to read from the
/connect/ca/configuration endpoint to operator:write.
Previously Connect CA configuration, including the private
key, set via this endpoint could be read back by an operator
with operator:read privileges.
When an ICMPv6 error message is received, the FreeBSD ICMPv6 stack
may extract information from the message to hand to upper-layer
protocols. As a part of this operation, it may parse IPv6 header
options from a packet embedded in the ICMPv6 message.
The handler for a routing option caches a pointer into the packet
buffer holding the ICMPv6 message. However, when processing
subsequent options the packet buffer may be freed, rendering the
cached pointer invalid. The network stack may later dereference the
pointer, potentially triggering a use-after-free.
Impact:
A remote host may be able to trigger a read of freed kernel memory.
This may trigger a kernel panic if the address had been unmapped.
Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling.
First, rtsold(8) failed to perform sufficient bounds checking on the
extent of the option. In particular, it does not verify that the
option does not extend past the end of the received packet before
processing its contents. The kernel currently ignores such
malformed packets but still passes them to userspace programs.
Second, when processing a DNSSL option, rtsold(8) decodes domain
name labels per an encoding specified in RFC 1035 in which the first
octet of each label contains the label's length. rtsold(8) did not
validate label lengths correctly and could overflow the destination
buffer.
Impact:
It is believed that these bugs could be exploited to gain remote
code execution within the rtsold(8) daemon, which runs as root.
Note that rtsold(8) only processes messages received from hosts
attached to the same physical link as the interface(s) on which
rtsold(8) is listening.
In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the
scope of a compromised rtsold(8) process.
artifact: Fixed a bug where interpolation can be used in the
artifact destination field to write artifact payloads outside
the allocation directory.
template: Fixed a bug where interpolation can be used in the
template source and destination fields to read or write files
outside the allocation directory even when disable_file_sandbox
was set to false (the default).
template: Fixed a bug where the disable_file_sandbox
configuration was only respected for the template file function
and not the template source and destination fields.
Updates are now available for v12.x, v14.x and v15.x Node.js release lines for the following issues.
Denial of Service through DNS request (CVE-2020-8277)
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of service by getting the application to resolve a DNS record with a larger number of responses.
There is an integer overflow and a double free vulnerability in
the way LibX11 handles locales. The integer overflow is a necessary
precursor to the double free.
SaltStack reports multiple security vulnerabilities in Salt 3002:
CVE-2020-16846: Prevent shell injections in netapi ssh client.
CVE-2020-17490: Prevent creating world readable private keys with the tls execution module.
CVE-2020-25592: Properly validate eauth credentials and tokens along with their ACLs.
Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api.
Any value for 'eauth' or 'token' would allow a user to bypass authentication and make calls
to Salt ssh.
A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem,
QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic
when provided crafted large inputs. For the panic to happen,
the divisor or modulo argument must be larger than 3168 bits
(on 32-bit architectures) or 6336 bits (on 64-bit architectures).
Multiple math/big.Rat methods are similarly affected.
The go command may execute arbitrary code at build time when
cgo is in use. This may occur when running go get on a malicious
package, or any other command that builds untrusted code. This
can be caused by a malicious gcc flags specified via a #cgo
directive.
The go command may execute arbitrary code at build time when
cgo is in use. This may occur when running go get on a malicious
package, or any other command that builds untrusted code. This
can be caused by malicious unquoted symbol names.
CVE-2020-13958 Unrestricted actions leads to arbitrary code execution in crafted documents
Description
A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target users file system. These hyperlinks can be triggered unconditionally. In fixed versions no internal protocol may be called from the document event handler and other hyperlinks require a control-click.
Severity: Low
There are no known exploits of this vulnerability. A proof-of-concept demonstration exists.
Thanks to the reporter for discovering this issue.
Acknowledgments
The Apache OpenOffice Security Team would like to thank Imre Rad for discovering and reporting this attack vector.
raptor_xml_writer_start_element_common in raptor_xml_writer.c in Raptor RDF Syntax Library 2.0.15 miscalculates the maximum nspace declarations for the XML writer, leading to heap-based buffer overflows (sometimes seen in raptor_qname_format_as_xml).
If Asterisk is challenged on an outbound INVITE and
the nonce is changed in each response, Asterisk will
continually send INVITEs in a loop. This causes Asterisk
to consume more and more memory since the transaction
will never terminate (even if the call is hung up),
ultimately leading to a restart or shutdown of Asterisk.
Outbound authentication must be configured on the endpoint
for this to occur.
Upon receiving a new SIP Invite, Asterisk did not
return the created dialog locked or referenced. This
caused a gap between the creation of the dialog object,
and its next use by the thread that created it. Depending
upon some off nominal circumstances, and timing it was
possible for another thread to free said dialog in this
gap. Asterisk could then crash when the dialog object,
or any of its dependent objects were de-referenced, or
accessed next by the initial creation thread.
This release contains 10 security fixes, including:
[1138911] High CVE-2020-16004: Use after free in user interface.
Reported by Leecraso and Guang Gong of 360 Alpha Lab working with
360 BugCloud on 2020-10-15
[1139398] High CVE-2020-16005: Insufficient policy enforcement
in ANGLE. Reported by Jaehun Jeong (@n3sk) of Theori on
2020-10-16
[1133527] High CVE-2020-16006: Inappropriate implementation in
V8. Reported by Bill Parks on 2020-09-29
[1125018] High CVE-2020-16007: Insufficient data validation in
installer. Reported by Abdelhamid Naceri (halov) on
2020-09-04
[1134107] High CVE-2020-16008: Stack buffer overflow in WebRTC.
Reported by Tolya Korniltsev on 2020-10-01
[1143772] High CVE-2020-16009: Inappropriate implementation in
V8. Reported by Clement Lecigne of Google's Threat Analysis Group
and Samuel Groà of Google Project Zero on 2020-10-29
[1144489] High CVE-2020-16011: Heap buffer overflow in UI on
Windows. Reported by Sergei Glazunov of Google Project Zero on
2020-11-01
There are reports that an exploit for CVE-2020-16009 exists in the
wild.
Ten security issues affect WordPress versions 5.5.1 and earlier. If you havent yet updated to 5.5,
all WordPress versions since 3.7 have also been updated to fix the following security issues:
-Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
-Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
-Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
-Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC.
-Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
-Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
-Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.
A Denial of Service condition in Motion-Project Motion 3.2 through
4.3.1 allows remote unauthenticated users to cause a webu.c
segmentation fault and kill the main process via a crafted HTTP
request
In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).
In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).
[1125337] High CVE-2020-16000: Inappropriate implementation in
Blink. Reported by amaebi_jp on 2020-09-06
[1135018] High CVE-2020-16001: Use after free in media.
Reported by Khalil Zhani on 2020-10-05
[1137630] High CVE-2020-16002: Use after free in PDFium.
Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec
at Qi'anxin Group on 2020-10-13
[1139963] High CVE-2020-15999: Heap buffer overflow in
Freetype. Reported by Sergei Glazunov of Google Project Zero on
2020-10-19
[1134960] Medium CVE-2020-16003: Use after free in printing.
Reported by Khalil Zhani on 2020-10-04
The fallback authentication endpoint served via Synapse were vulnerable
to cross-site scripting (XSS) attacks. The impact depends on the
configuration of the domain that Synapse is deployed on, but may allow
access to cookies and other browser data, CSRF vulnerabilities, and
access to other resources served on the same domain or parent domains.
CVE-2020-25829: An issue has been found in PowerDNS Recursor where a
remote attacker can cause the cached records for a given name to be
updated to the âBogusâ DNSSEC validation state, instead of their actual
DNSSEC âSecureâ state, via a DNS ANY query. This results in a denial
of service for installations that always validate (dnssec=validate)
and for clients requesting validation when on-demand validation is
enabled (dnssec=process).
This release contains 35 security fixes, including:
[1127322] Critical CVE-2020-15967: Use after free in payments.
Reported by Man Yue Mo of GitHub Security Lab on 2020-09-11
[1126424] High CVE-2020-15968: Use after free in Blink.
Reported by Anonymous on 2020-09-09
[1124659] High CVE-2020-15969: Use after free in WebRTC.
Reported by Anonymous on 2020-09-03
[1108299] High CVE-2020-15970: Use after free in NFC. Reported
by Man Yue Mo of GitHub Security Lab on 2020-07-22
[1114062] High CVE-2020-15971: Use after free in printing.
Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on
2020-08-07
[1115901] High CVE-2020-15972: Use after free in audio.
Reported by Anonymous on 2020-08-13
[1133671] High CVE-2020-15990: Use after free in autofill.
Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on
2020-09-30
[1133688] High CVE-2020-15991: Use after free in password
manager. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo
360 on 2020-09-30
[1106890] Medium CVE-2020-15973: Insufficient policy
enforcement in extensions. Reported by David Erceg on
2020-07-17
[1104103] Medium CVE-2020-15974: Integer overflow in Blink.
Reported by Juno Im (junorouse) of Theori on 2020-07-10
[1110800] Medium CVE-2020-15975: Integer overflow in
SwiftShader. Reported by Anonymous on 2020-07-29
[1123522] Medium CVE-2020-15976: Use after free in WebXR.
Reported by YoungJoo Lee (@ashuu_lee) of Raon Whitehat on
2020-08-31
[1083278] Medium CVE-2020-6557: Inappropriate implementation
in networking. Reported by Matthias Gierlings and Marcus Brinkmann
(NDS Ruhr-University Bochum) on 2020-05-15
[1097724] Medium CVE-2020-15977: Insufficient data validation
in dialogs. Reported by Narendra Bhati (@imnarendrabhati) on
2020-06-22
[1116280] Medium CVE-2020-15978: Insufficient data validation
in navigation. Reported by Luan Herrera (@lbherrera_) on
2020-08-14
[1127319] Medium CVE-2020-15979: Inappropriate implementation
in V8. Reported by Avihay Cohen (@SeraphicAlgorithms) on
2020-09-11
[1092453] Medium CVE-2020-15980: Insufficient policy
enforcement in Intents. Reported by Yongke Wang (@Rudykewang) and
Aryb1n (@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-08
[1123023] Medium CVE-2020-15981: Out of bounds read in audio.
Reported by Christoph Guttandin on 2020-08-28
[1039882] Medium CVE-2020-15982: Side-channel information
leakage in cache. Reported by Luan Herrera (@lbherrera_) on
2020-01-07
[1076786] Medium CVE-2020-15983: Insufficient data validation
in webUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability
Research on 2020-04-30
[1080395] Medium CVE-2020-15984: Insufficient policy
enforcement in Omnibox. Reported by Rayyan Bijoora on
2020-05-07
[1099276] Medium CVE-2020-15985: Inappropriate implementation
in Blink. Reported by Abdulrahman Alqabandi, Microsoft Browser
Vulnerability Research on 2020-06-25
[1100247] Medium CVE-2020-15986: Integer overflow in media.
Reported by Mark Brand of Google Project Zero on 2020-06-29
[1127774] Medium CVE-2020-15987: Use after free in WebRTC.
Reported by Philipp Hancke on 2020-09-14
[1110195] Medium CVE-2020-15992: Insufficient policy
enforcement in networking. Reported by Alison Huffman, Microsoft
Browser Vulnerability Research on 2020-07-28
[1092518] Low CVE-2020-15988: Insufficient policy enforcement
in downloads. Reported by Samuel Attard on 2020-06-08
[1108351] Low CVE-2020-15989: Uninitialized Use in PDFium.
Reported by Gareth Evans (Microsoft) on 2020-07-22
The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:
CVE-2018-14721 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks
CVE-2018-14720 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct external XML entity (XXE) attacks
CVE-2018-14719 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code
CVE-2018-14718 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code
CVE-2018-14371 Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter
The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:
CVE-2020-6950 Eclipse Mojarra vulnerable to path trasversal flaw via either loc/con parameters
The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:
CVE-2019-12086 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9
KDE Connect: packet manipulation can be exploited in a Denial of Service attack
Risk Rating
Important
CVE
CVE-2020-26164
Versions
kdeconnect <= 20.08.1
Author
Albert Vaca Cintora
Date
2 October 2020
Overview
An attacker on your local network could send maliciously crafted
packets to other hosts running kdeconnect on the network, causing
them to use large amounts of CPU, memory or network connections,
which could be used in a Denial of Service attack within the
network.
Impact
Computers that run kdeconnect are susceptible to DoS attacks from
the local network.
Workaround
We advise you to stop KDE Connect when on untrusted networks like
those on airports or conferences.
Since kdeconnect is dbus activated it is relatively hard to make
sure it stays stopped so the brute force approach is to uninstall
the kdeconnect package from your system and then run
kquitapp5 kdeconnectd
Just install the package again once you're back in a trusted
network.
Solution
KDE Connect 20.08.2 patches several code paths that could result
in a DoS.
Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. This issue is fixed in version 9.5.3. As a workaround, one can remove the caldav.php file to block access to CalDAV server.
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the
default temporary directory identified by the Java
system property java.io.tmpdir for several tasks and
may thus leak sensitive information. The fixcrlf and
replaceregexp tasks also copy files from the temporary
directory back into the build tree allowing an attacker
to inject modified source files into the build
process.
Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is:
The heap based buffer overflow can be used to get code execution. The component is:
function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop
condition. The attack vector is: Bug can be used when application pass invalid utf-8
strings to functions like pango_itemize.
CVE-2020-17482: An issue has been found in PowerDNS Authoritative
Server before 4.3.1 where an authorized user with the
ability to insert crafted records into a zone might
be able to leak the content of uninitialized memory.
Such a user could be a customer inserting data via a
control panel, or somebody with access to the REST
API. Crafted records cannot be inserted via AXFR.
[1100136] High CVE-2020-15960: Out of bounds read in storage.
Reported by Anonymous on 2020-06-28
[1114636] High CVE-2020-15961: Insufficient policy
enforcement in extensions. Reported by David Erceg on
2020-08-10
[1121836] High CVE-2020-15962: Insufficient policy
enforcement in serial. Reported by Leecraso and Guang Gong of 360
Alpha Lab working with 360 BugCloud on 2020-08-26
[1113558] High CVE-2020-15963: Insufficient policy
enforcement in extensions. Reported by David Erceg on
2020-08-06
[1126249] High CVE-2020-15965: Out of bounds write in V8.
Reported by Lucas Pinheiro, Microsoft Browser Vulnerability
Research on 2020-09-08
[1113565] Medium CVE-2020-15966: Insufficient policy
enforcement in extensions. Reported by David Erceg on
2020-08-06
[1121414] Low CVE-2020-15964: Insufficient data validation in
media. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on
2020-08-25
Affected Synapse versions assume that all events have an "origin" field set. If an event
without the "origin" field is sent into a federated room, servers not already joined to
the room will be unable to do so due to failing to fetch the malformed event.
Impact:
An attacker could cause a denial of service by deliberately sending a malformed event
into a room, thus preventing new servers (and thus their users) from joining the
room.
bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(â¦).
bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523).
bpo-41004: CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
bpo-39073: Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
bpo-38576: Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.
bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.
bpo-38945: Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process.
bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar. Patch by Ben Caller.
bpo-39017: Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
bpo-41183: Use 3072 RSA keys and SHA-256 signature for test certs and keys.
bpo-39503: AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge.
NC-SA-2020-026 (low): Password of share by mail is not hashed when
given on the create share call
A logic error in Nextcloud Server 19.0.0 caused a plaintext storage
of the share password when it was given on the initial create API
call.
AMD and Intel CPUs support hardware virtualization using specialized data
structures that control various aspects of guest operation. These are the
Virtual Machine Control Structure (VMCS) on Intel CPUs, and the Virtual
Machine Control Block (VMCB) on AMD CPUs. Insufficient access controls allow
root users, including those running in a jail, to change these data
structures.
Impact:
An attacker with host root access (including to a jailed bhyve instance) can
use this vulnerability to achieve kernel code execution.
Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues.
HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201)
Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.
Impacts:
All versions of the 14.x and 12.x releases line
Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251)
Node.js is vulnerable to HTTP denial of service (DOS) attacks based on delayed requests submission which can make the server unable to accept new connections. The fix a new http.Server option called requestTimeout with a default value of 0 which means it is disabled by default. This should be set when Node.js is used as an edge server, for more details refer to the documentation.
Impacts:
All versions of the 14.x release line
fs.realpath.native on may cause buffer overflow (Medium) (CVE-2020-8252)
libuv's realpath implementation incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
Impacts:
All versions of the 10.x release line
All versions of the 12.x release line
All versions of the 14.x release line before 14.9.0
A ftpd(8) bug in the implementation of the file system sandbox, combined
with capabilities available to an authenticated FTP user, can be used to
escape the file system restriction configured in ftpchroot(5).
Moreover, the bug allows a malicious client to gain root privileges.
Impact:
A malicious FTP user can gain privileged access to an affected system.
A programming error in the ure(4) device driver caused some Realtek USB
Ethernet interfaces to incorrectly report packets with more than 2048 bytes
in a single USB transfer as having a length of only 2048 bytes.
An adversary can exploit this to cause the driver to misinterpret part of the
payload of a large packet as a separate packet, and thereby inject packets
across security boundaries such as VLANs.
Impact:
An attacker that can send large frames (larger than 2048 bytes in size) to be
received by the host (be it VLAN, or non-VLAN tagged packet), can inject
arbitrary packets to be received and processed by the host. This includes
spoofing packets from other hosts, or injecting packets to other VLANs than
the host is on.
A number of AMD virtualization instructions operate on host physical
addresses, are not subject to nested page table translation, and guest use of
these instructions was not trapped.
Impact:
From kernel mode a malicious guest can write to arbitrary host memory (with
some constraints), affording the guest full control of the host.
The AYIYA and GTPv1 parsing/decapsulation logic may
leak memory -- These leaks have potential for remote
exploitation to cause Denial of Service via resource
exhaustion.
Chen Nan of Chaitin Security Research Lab reports:
Fix buffer overflow introduced in version 5.8: processing of
template %aX in a RADIUS authentication response might lead
to unexpected termination of the mpd5 process.
Installations not using RADIUS or not using %aX templates
in RADIUS attributes were not affected.
Fix buffer overflow in parsing of L2TP control packets
introduced in version 4.0 that initially brought in L2TP
support: a specially crafted incoming L2TP control packet
might lead to unexpected termination of the process.
Installations with neither L2TP clients nor L2TP server
configured are not affected.
Version 5.9 contains security fix for L2TP clients and servers.
Insufficient validation of incoming L2TP control packet
specially crafted by unauthenticated user might lead to unexpected
termination of the process. The problem affects mpd versions
since 4.0 that brought in initial support for L2TP.
Installations not using L2TP clients nor L2TP server configuration were not affected.
It was found by oss-fuzz that the server sending a
"no_renegotiation" alert in an unexpected timing, followed by an
invalid second handshake can cause a TLS 1.3 client to crash via a
null-pointer dereference. The crash happens in the application's
error handling path, where the gnutls_deinit function is called
after detecting a handshake failure.
When decrypting/authenticating (D)TLS record in a connection using
a CBC ciphersuite without the Encrypt-then-Mac extension RFC 7366,
Mbed TLS used dummy rounds of the compression function associated
with the hash used for HMAC in order to hide the length of the
padding to remote attackers, as recommended in the original Lucky
Thirteen paper.
A local attacker who is able to observe the state of the cache
could monitor the presence of mbedtls_md_process() in the cache in
order to determine when the actual computation ends and when the
dummy rounds start. This is a reliable target as it's always called
at least once, in response to a previous attack. The attacker can
then continue with one of many well-documented Lucky 13
variants.
An attacker with access to precise enough timing and memory access
information (typically an untrusted operating system attacking a
secure enclave such as SGX or the TrustZone secure world) can
recover the private keys used in RSA or static (finite-field)
Diffie-Hellman operations.
CVE-2020-24583: Incorrect permissions on intermediate-level directories
on Python 3.7+
On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied
to intermediate-level directories created in the process of uploading
files and to intermediate-level collected static directories when using
the collectstatic management command.
CVE-2020-24584: Permission escalation in intermediate-level directories
of the file system cache on Python 3.7+
On Python 3.7+, the intermediate-level directories of the file system
cache had the system's standard umask rather than 0o077 (no group or
others permissions).
Importing an OpenPGP key having a preference list for AEAD algorithms
will lead to an array overflow and thus often to a crash or other
undefined behaviour.
Importing an arbitrary key can often easily be triggered by an attacker
and thus triggering this bug. Exploiting the bug aside from crashes is
not trivial but likely possible for a dedicated attacker. The major
hurdle for an attacker is that only every second byte is under their
control with every first byte having a fixed value of 0x04.
When parsing option 119 data, dhclient(8) computes the uncompressed domain
list length so that it can allocate an appropriately sized buffer to store
the uncompressed list. The code to compute the length failed to handle
certain malformed input, resulting in a heap overflow when the uncompressed
list is copied into in inadequately sized buffer.
Impact:
The heap overflow could in principle be exploited to achieve remote code
execution. The affected process runs with reduced privileges in a Capsicum
sandbox, limiting the immediate impact of an exploit. However, it is
possible the bug could be combined with other vulnerabilities to escape the
sandbox.
When a Handler does not explicitly set the Content-Type header, both
CGI implementations default to âtext/htmlâ. If an attacker can make
a server generate content under their control (e.g. a JSON
containing user data or an uploaded image file) this might be
mistakenly returned by the server as âtext/htmlâ. If a victim visits
such a page they could get the attacker's code executed in the
context of the server origin. If an attacker can make a server
generate content under their control (e.g. a JSON containing user
data or an uploaded image file) this might be mistakenly returned by
the server as âtext/htmlâ. If a victim visits such a page they could
get the attacker's code executed in the context of the server
origin.
A maliciously crafted TAR archive containing symlink entries
would install files anywhere in the user's home directory upon extraction.
Proof of concept
For testing, an example of malicious archive can be found at
dirsymlink.tar
Impact
Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart.
Workaround
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain symlink entries pointing outside the extraction folder.
The 'Extract' context menu from the Dolphin file manager shouldn't be used.
Solution
Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.
This update includes 20 security fixes, including:
[1109120] High CVE-2020-6558: Insufficient policy
enforcement in iOS. Reported by Alison Huffman, Microsoft Browser
Vulnerability Research on 2020-07-24
[1116706] High CVE-2020-6559: Use after free in presentation
API. Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu
Lab on 2020-08-15
[1108181] Medium CVE-2020-6560: Insufficient policy
enforcement in autofill. Reported by Nadja Ungethuem from
www.unnex.de on 2020-07-22
[932892] Medium CVE-2020-6561: Inappropriate implementation
in Content Security Policy. Reported by Rob Wu on 2019-02-16
[1086845] Medium CVE-2020-6562: Insufficient policy
enforcement in Blink. Reported by Masato Kinugawa on
2020-05-27
[1104628] Medium CVE-2020-6563: Insufficient policy
enforcement in intent handling. Reported by Pedro Oliveira on
2020-07-12
[841622] Medium CVE-2020-6564: Incorrect security UI in
permissions. Reported by Khalil Zhani on 2018-05-10
[1029907] Medium CVE-2020-6565: Incorrect security UI in
Omnibox. Reported by Khalil Zhani on 2019-12-02
[1065264] Medium CVE-2020-6566: Insufficient policy
enforcement in media. Reported by Jun Kokatsu, Microsoft Browser
Vulnerability Research on 2020-03-27
[937179] Low CVE-2020-6567: Insufficient validation of
untrusted input in command line handling. Reported by Joshua
Graham of TSS on 2019-03-01
[1092451] Low CVE-2020-6568: Insufficient policy enforcement
in intent handling. Reported by Yongke Wang(@Rudykewang) and
Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-08
[995732] Low CVE-2020-6569: Integer overflow in WebUSB.
Reported by guaixiaomei on 2019-08-20
[1084699] Low CVE-2020-6570: Side-channel information leakage
in WebRTC. Reported by Signal/Tenable on 2020-05-19
[1085315] Low CVE-2020-6571: Incorrect security UI in Omnibox.
Reported by Rayyan Bijoora on 2020-05-21
chrony-3.5.1 [...] fixes a security issue in writing of the pidfile.
When chronyd is configured to save the pidfile in a directory where the
chrony user has write permissions (e.g. /var/run/chrony - the default
since chrony-3.4), an attacker that compromised the chrony user account
could create a symbolic link at the location of the pidfile to make
chronyd starting with root privileges follow the symlink and write its
process ID to a file for which the chrony user doesn't have write
permissions, causing a denial of service, or data loss.
This issue was reported by Matthias Gerstner of SUSE.
Vulnerable applications: all adns callers.
Exploitable by: the local recursive resolver.
Likely worst case: Remote code execution.
Vulnerable applications: those that make SOA queries.
Exploitable by: upstream DNS data sources.
Likely worst case: DoS (crash of the adns-using application)
Vulnerable applications: those that use adns_qf_quoteok_query.
Exploitable by: sources of query domain names.
Likely worst case: DoS (crash of the adns-using application)
Vulnerable applications: adnshost.
Exploitable by: code responsible for framing the input.
Likely worst case: DoS (adnshost crashes at EOF).
Users are always granted permissions to cd into a directory. The
check for whether execute is present on directories is a de-facto
no-op. This cannot be mitigated without upgrading. Even setting
an explicit "deny - execute" NFSv4 ACE will be bypassed.
Issue 2:
All ACEs for the owner_group (group@) and regular groups
(group:) are granted the current user. This means that
POSIX mode 770 is de-facto 777, and the below ACL is also de-facto
777 because the groupmember check for builtin_administrators
returns True.
A field disclosure flaw was found in Elasticsearch when running
a scrolling search with Field Level Security. If a user runs
the same query another more privileged user recently ran,
the scrolling search can leak fields that should be hidden.
This could result in an attacker gaining additional permissions
against a restricted index.
bpo-29778: Ensure python3.dll is loaded from correct locations when
Python is embedded (CVE-2020-15523).
bpo-41004: CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface
and ipaddress.IPv6Interface incorrectly generated constant hash values
of 32 and 128 respectively. This resulted in always causing hash collisions.
The fix uses hash() to generate hash values for the tuple of (address, mask
length, network address).
bpo-39603: Prevent http header injection by rejecting control characters
in http.client.putrequest(...).
An application that performs multiple requests with libcurl's multi API
and sets the CURLOPT_CONNECT_ONLY option, might in rare circumstances
experience that when subsequently using the setup connect-only transfer,
libcurl will pick and use the wrong connection - and instead pick
another one the application has created since then.
CURLOPT_CONNECT_ONLY is the option to tell libcurl to not perform an
actual transfer, only connect. When that operation is completed, libcurl
remembers which connection it used for that transfer and "easy handle".
It remembers the connection using a pointer to the internal connectdata
struct in memory.
If more transfers are then done with the same multi handle before the
connect-only connection is used, leading to the initial connect-only
connection to get closed (for example due to idle time-out) while also
new transfers (and connections) are setup, such a new connection might
end up getting the exact same memory address as the now closed
connect-only connection.
If after those operations, the application then wants to use the
original transfer's connect-only setup to for example use
curl_easy_send() to send raw data over that connection, libcurl could
erroneously find an existing connection still being alive at the address
it remembered since before even though this is now a new and different
connection.
The application could then accidentally send data over that connection
which wasn't at all intended for that recipient, entirely unknowingly.
Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a
Directory Traversal vulnerability which allows an attacker to access
arbitrary files that are readable by the process running Icinga Web
2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2.
A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway).
The vulnerability is related to the injection of HTTP headers via a CORS
ExposeHeader tag. The newline character in the ExposeHeader tag in the
CORS configuration file generates a header injection in the response
when the CORS request is made.
In June 2020, jackson-databind published security updates addressing several CVEs. Previous releases of PuppetDB contain a vulnerable version of jackson.core:jackson-databind. PuppetDB 5.2.18 contains an updated version of jackson-databind that has patched the vulnerabilities.
mod_http2: Important: Push Diary Crash on Specifically
Crafted HTTP/2 Header (CVE-2020-9490)
A specially crafted value for the 'Cache-Digest' header in a HTTP/2
request would result in a crash when the server actually tries to
HTTP/2 PUSH a resource afterwards.
mod_proxy_uwsgi: Moderate: mod_proxy_uwsgi buffer overflow
(CVE-2020-11984)
info disclosure and possible RCE
mod_http2: Moderate: Push Diary Crash on Specifically Crafted
HTTP/2 Header (CVE-2020-11993)
When trace/debug was enabled for the HTTP/2 module and on certain
traffic edge patterns, logging statements were made on the wrong
connection, causing concurrent use of memory pools.
When handling a 32-bit sendmsg(2) call, the compat32 subsystem copies the
control message to be transmitted (if any) into kernel memory, and adjusts
alignment of control message headers. The code which performs this work
contained a time-of-check to time-of-use (TOCTOU) vulnerability which allows a
malicious userspace program to modify control message headers after they were
validated by the kernel.
Impact:
The TOCTOU bug can be exploited by an unprivileged malicious userspace program
to trigger privilege escalation.
A missing length validation code common to these three drivers means that a
malicious USB device could write beyond the end of an allocated network
packet buffer.
Impact:
An attacker with physical access to a USB port and the ability to bring a
network interface up may be able to use a specially crafted USB device to
gain kernel or user-space code execution.
Certain invalid inputs to ReadUvarint or ReadVarint could cause
those functions to read an unlimited number of bytes from the
ByteReader argument before returning an error. This could lead to
processing more input than expected when the caller is reading
directly from the network and depends on ReadUvarint and ReadVarint
only consuming a small, bounded number of bytes, even from invalid
inputs.
Various security issues could be used by an attacker to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVE-2020-11655: SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.
CVE-2020-13434: SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.
CVE-2020-13435: SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.
CVE-2020-13630: ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.
CVE-2020-13631: SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.
CVE-2020-13632: ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.
In case an attacker manages to generate a valid cryptographic message authentication
code (HMAC-SHA1) - either by using a different existing vulnerability or in case the
internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a
TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php
which again contains the encryptionKey as well as credentials of the database management
system being used.
In case a database server is directly accessible either via internet or in a shared hosting
network, this allows to completely retrieve, manipulate or delete database contents.
This includes creating an administration user account - which can be used to trigger remote
code execution by injecting custom extensions.
It has been discovered that an internal verification mechanism can be used to generate
arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic
message authentication code (HMAC-SHA1) and can lead to various attack chains as described
below.
Allocation for pixmap data in AllocatePixmap() does not initialize
the memory in xserver, it leads to leak uninitialize heap memory to
clients. When the X server runs with elevated privileges.
This flaw can lead to ASLR bypass, which when combined with other
flaws (known/unknown) could lead to lead to privilege elevation in
the client.
The X Input Method (XIM) client implementation in libX11 has some
integer overflows and signed/unsigned comparison issues that can
lead to heap corruption when handling malformed messages from an
input method.
Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating:
Important
CVE:
CVE-2020-16116
Versions:
ark <= 20.04.3
Author:
Elvis Angelaccio
Date:
30 July 2020
Overview
A maliciously crafted archive with "../" in the file paths
would install files anywhere in the user's home directory upon extraction.
Proof of concept
For testing, an example of malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip
Impact
Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart
Workaround
Users should not use the 'Extract' context menu from the Dolphin file manager.
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain entries with "../" in the file path.
Solution
Ark 20.08.0 prevents loading of malicious archives and shows a warning message
to the users.
Alternatively,
https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
can be applied to previous releases.
Credits
Thanks to Dominik Penner for finding and reporting this issue and thanks to
Elvis Angelaccio and Albert Astals Cid for fixing it.
It was discovered the fix for CVE-2018-19758 was not complete and
still allows a read beyond the limits of a buffer in
wav_write_header() function in wav.c. A local attacker may use
this flaw to make the application crash.
[1105318] High CVE-2020-6537: Type Confusion in V8. Reported by
Alphalaab on 2020-07-14
[1096677] High CVE-2020-6538: Inappropriate implementation in
WebView. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n)
of Tencent Security Xuanwu Lab on 2020-06-18
[1104061] High CVE-2020-6532: Use after free in SCTP. Reported
by Anonymous on 2020-07-09
[1105635] High CVE-2020-6539: Use after free in CSS. Reported
by Oriol Brufau on 2020-07-14
[1105720] High CVE-2020-6540: Heap buffer overflow in Skia.
Reported by Zhen Zhou of NSFOCUS Security Team on 2020-07-15
[1106773] High CVE-2020-6541: Use after free in WebUSB. Reported
by Sergei Glazunov of Google Project Zero on 2020-07-17
Integer overflow due to missing input sanitation in rdpegfx channel
All FreeRDP clients are affected
The input rectangles from the server are not checked against local
surface coordinates and blindly accepted. A malicious server can send
data that will crash the client later on (invalid length arguments to
a memcpy)
When a form page type is made available to Wagtail editors through the
wagtail.contrib.forms app, and the page template is built using
Django's standard form rendering helpers such as form.as_p (as directed
in the documentation), any HTML tags used within a form field's help
text will be rendered unescaped in the page. Allowing HTML within help
text is an intentional design decision by Django; however, as a matter
of policy Wagtail does not allow editors to insert arbitrary HTML by
default, as this could potentially be used to carry out cross-site
scripting attacks, including privilege escalation. This functionality
should therefore not have been made available to editor-level users.
The vulnerability is not exploitable by an ordinary site visitor
without access to the Wagtail admin.
An h2c direct connection did not release the HTTP/1.1 processor after
the upgrade to HTTP/2. If a sufficient number of such requests were
made, an OutOfMemoryException could occur leading to a denial of service.
The payload length in a WebSocket frame was not correctly validated.
Invalid payload lengths could trigger an infinite loop. Multiple
requests with invalid payload lengths could lead to a denial of service.
A specially crafted sequence of HTTP/2 requests could trigger high CPU
usage for several seconds. If a sufficient number of such requests were
made on concurrent HTTP/2 connections, the server could become unresponsive.
Vulnerabilities in VirtualBox core can allow users
with logon access to the infrastructure where Oracle VM
VirtualBox executes to compromise Oracle VM VirtualBox.
Successful attacks of these vulnerabilities can result
in unauthorized access to critical data, access to all
Oracle VM VirtualBox accessible data, unauthorized ability
to cause a hang or frequently repeatable crash (complete
DOS) or takeover of Oracle VM VirtualBox.
Fixed a vulnerability a malicious user could exploit to replace
a scan target's directory with a symlink to another path to trick
clamscan, clamdscan, or clamonacc into removing or moving a different
file (such as a critical system file). The issue would affect users
that use the --move or --remove options for clamscan, clamdscan and
clamonacc.
CVE-2020-3327
Fixed a vulnerability in the ARJ archive-parsing module in ClamAV
0.102.3 that could cause a denial-of-service (DoS) condition.
Improper bounds checking resulted in an out-of-bounds read that could
cause a crash. The previous fix for this CVE in version 0.102.3 was
incomplete. This fix correctly resolves the issue.
CVE-2020-3481
Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0
- 0.102.3 that could cause a denial-of-service (DoS) condition.
Improper error handling could cause a crash due to a NULL pointer
dereference. This vulnerability is mitigated for those using the
official ClamAV signature databases because the file type signatures
in daily.cvd will not enable the EGG archive parser in affected
versions.
This update contains 38 security fixes, including:
[1103195] Critical CVE-2020-6510: Heap buffer overflow in
background fetch. Reported by Leecraso and Guang Gong of 360
Alpha Lab working with 360 BugCloud on 2020-07-08
[1074317] High CVE-2020-6511: Side-channel information leakage
in content security policy. Reported by Mikhail Oblozhikhin on
2020-04-24
[1084820] High CVE-2020-6512: Type Confusion in V8. Reported by
nocma, leogan, cheneyxu of WeChat Open Platform Security Team on
2020-05-20
[1091404] High CVE-2020-6513: Heap buffer overflow in PDFium.
Reported by Aleksandar Nikolic of Cisco Talos on 2020-06-04
[1076703] High CVE-2020-6514: Inappropriate implementation in
WebRTC. Reported by Natalie Silvanovich of Google Project Zero on
2020-04-30
[1082755] High CVE-2020-6515: Use after free in tab strip.
Reported by DDV_UA on 2020-05-14
[1092449] High CVE-2020-6516: Policy bypass in CORS. Reported by
Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security
Xuanwu Lab on 2020-06-08
[1095560] High CVE-2020-6517: Heap buffer overflow in history.
Reported by ZeKai Wu (@hellowuzekai) of Tencent Security Xuanwu
Lab on 2020-06-16
[986051] Medium CVE-2020-6518: Use after free in developer
tools. Reported by David Erceg on 2019-07-20
[1064676] Medium CVE-2020-6519: Policy bypass in CSP. Reported
by Gal Weizman (@WeizmanGal) of PerimeterX on 2020-03-25
[1092274] Medium CVE-2020-6520: Heap buffer overflow in Skia.
Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-08
[1075734] Medium CVE-2020-6521: Side-channel information leakage
in autofill. Reported by Xu Lin (University of Illinois at
Chicago), Panagiotis Ilia (University of Illinois at Chicago),
Jason Polakis (University of Illinois at Chicago) on
2020-04-27
[1052093] Medium CVE-2020-6522: Inappropriate implementation in
external protocol handlers. Reported by Eric Lawrence of Microsoft
on 2020-02-13
[1080481] Medium CVE-2020-6523: Out of bounds write in Skia.
Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu Lab on
2020-05-08
[1081722] Medium CVE-2020-6524: Heap buffer overflow in
WebAudio. Reported by Sung Ta (@Mipu94) of SEFCOM Lab, Arizona
State University on 2020-05-12
[1091670] Medium CVE-2020-6525: Heap buffer overflow in Skia.
Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-05
[1074340] Low CVE-2020-6526: Inappropriate implementation in
iframe sandbox. Reported by Jonathan Kingston on 2020-04-24
[992698] Low CVE-2020-6527: Insufficient policy enforcement in
CSP. Reported by Zhong Zhaochen of andsecurity.cn on
2019-08-10
[1063690] Low CVE-2020-6528: Incorrect security UI in basic
auth. Reported by Rayyan Bijoora on 2020-03-22
[978779] Low CVE-2020-6529: Inappropriate implementation in
WebRTC. Reported by kaustubhvats7 on 2019-06-26
[1016278] Low CVE-2020-6530: Out of bounds memory access in
developer tools. Reported by myvyang on 2019-10-21
[1042986] Low CVE-2020-6531: Side-channel information leakage in
scroll to text. Reported by Jun Kokatsu, Microsoft Browser
Vulnerability Research on 2020-01-17
[1069964] Low CVE-2020-6533: Type Confusion in V8. Reported by
Avihay Cohen @ SeraphicAlgorithms on 2020-04-11
[1072412] Low CVE-2020-6534: Heap buffer overflow in WebRTC.
Reported by Anonymous on 2020-04-20
[1073409] Low CVE-2020-6535: Insufficient data validation in
WebUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability
Research on 2020-04-22
[1080934] Low CVE-2020-6536: Incorrect security UI in PWAs.
Reported by Zhiyang Zeng of Tencent security platform department
on 2020-05-09
This Critical Patch Update contains 40 new security patches for
Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle
MySQL is 9.8.
This Pre-Release Announcement provides advance information about the
Oracle Critical Patch Update for July 2020, which will be released on
Tuesday, July 14, 2020.
CVE-2020-9802: Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2020-9803: Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2020-9805: Processing maliciously crafted web content may lead to universal cross site scripting.
CVE-2020-9806: Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2020-9807: Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2020-9843: Processing maliciously crafted web content may lead to a cross site scripting attack.
CVE-2020-9850: A remote attacker may be able to cause arbitrary code execution.
CVE-2020-13753: CLONE_NEWUSER could potentially be used to confuse xdg- desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminalâs input buffer.
posix_spawnp spawns a new thread with a limited stack allocated on the heap
before delegating to execvp for the final execution within that thread.
execvp would previously make unbounded allocations on the stack, directly
proportional to the length of the user-controlled PATH environment variable.
Impact:
Long values in the user-controlled PATH environment variable cause
posix_spawnp to write beyond the end of stack that was allocated, ultimately
overflowing the heap-allocated stack with a direct copy of the value stored
in PATH.
The scalar multiplication function in Mbed TLS accepts a random
number generator (RNG) as an optional argument and, if provided,
uses it to protect against some attacks.
It is the caller's responsibility to provide a RNG if protection
against side-channel attacks is desired; however two groups of
functions in Mbed TLS itself fail to pass a RNG:
mbedtls_pk_parse_key() and mbedtls_pk_parse_keyfile()
mbedtls_ecp_check_pub_priv() and mbedtls_pk_check_pair()
When those functions are called, scalar multiplication is computed
without randomisation, a number of old and new attacks apply,
allowing a powerful local attacker to fully recover the private
key.
The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient
regular expression which can be exploited by an attacker to cause a denial of service.
Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben
Caller and Matt Schwager.
Disallow control characters in hostnames in http.client, addressing CVE-2019-18348.
Such potentially malicious header injection URLs now cause a InvalidURL to be raised.
Disallow CR or LF in email.headerregistry.Address arguments to guard against header
injection attacks.
D-Bus has a file descriptor leak, which can lead to denial of service when the dbus-daemon runs out of file descriptors.
An unprivileged local attacker can use this to attack the system dbus-daemon, leading to denial of service for all users of the machine.
Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.
A malicious homeserver could force Synapse to reset the state in a room to a small subset of the correct state. This affects all Synapse deployments which federate with untrusted servers.
HTML pages served via Synapse were vulnerable to clickjacking attacks. This predominantly affects homeservers with single-sign-on enabled, but all server administrators are encouraged to upgrade.
CVE-2020-14196: An issue has been found in PowerDNS Recursor where the ACL applied to the internal
web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send
HTTP queries to the internal web server, bypassing the restriction.
In the default configuration the API webserver is not enabled. Only installations using a
non-default value for webserver and webserver-address are affected.
The issue is that STUN/TURN response buffer is not initialized properly. (CWE 665)
This is a leak of information between different client connections. One client (an attacker)
could use their connection to intelligently query coturn to get interesting bytes in the
padding bytes from the connection of another client.
The xrdp-sesman service can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350.
Improper serialization of MongoDB Server's internal authorization state permits a user with valid credentials to bypass IP source address protection mechanisms following administrative action.
Two vulnerabilities were fixed in the upstream repository:
The bark_noise_hybridmp function allows remote attackers
to cause a denial of service (out-of-bounds access and
application crash) or possibly have unspecified other
impact via a crafted file.
mapping0_forward does not validate the number of
channels, which allows remote attackers to cause a denial
of service (heap-based buffer overflow or over-read) or
possibly have unspecified other impact via a crafted
file.
[Release 0.74] fixes the following security issues:
New configuration option to disable PuTTY's default policy of
changing its host key algorithm preferences to prefer keys it
already knows. (There is a theoretical information leak in this
policy.) [CVE-2020-14002]
In some situations an SSH server could cause PuTTY to access freed
mdmory by pretending to accept an SSH key and then refusing the
actual signature. It can only happen if you're using an SSH agent.
In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection Since authentication is not required to perform these changes,anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.
In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory.
In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.
In GLPI before version 9.5.2, the pluginimage.send.php endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in /files/. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2.
In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2
CVE-2019-8842: The ippReadIO function may under-read an
extension.
CVE-2020-3898: The ppdOpen function did not handle invalid UI
constraint. ppdcSource::get_resolution function did not handle
invalid resolution strings. An application may be able to gain
elevated privileges.
CVE-2020-8169: Partial password leak over DNS on HTTP redirect
libcurl can be tricked to prepend a part of the password to the
host name before it resolves it, potentially leaking the partial
password over the network and to the DNS server(s).
libcurl can be given a username and password for HTTP
authentication when requesting an HTTP resource - used for HTTP
Authentication such as Basic, Digest, NTLM and similar. The
credentials are set, either together with CURLOPT_USERPWD or
separately with CURLOPT_USERNAME and CURLOPT_PASSWORD. Important
detail: these strings are given to libcurl as plain C strings and
they are not supposed to be URL encoded.
In addition, libcurl also allows the credentials to be set in the
URL, using the standard RFC 3986 format:
http://user:password@host/path. In this case, the name and password
are URL encoded as that's how they appear in URLs.
If the options are set, they override the credentials set in the
URL.
Internally, this is handled by storing the credentials in the "URL
object" so that there is only a single set of credentials stored
associated with this single URL.
When libcurl handles a relative redirect (as opposed to an
absolute URL redirect) for an HTTP transfer, the server is only
sending a new path to the client and that path is applied on to the
existing URL. That "applying" of the relative path on top of an
absolute URL is done by libcurl first generating a full absolute
URL out of all the components it has, then it applies the redirect
and finally it deconstructs the URL again into its separate
components.
This security vulnerability originates in the fact that curl did
not correctly URL encode the credential data when set using one of
the curl_easy_setopt options described above. This made curl
generate a badly formatted full URL when it would do a redirect and
the final re-parsing of the URL would then go bad and wrongly
consider a part of the password field to belong to the host name.
The wrong host name would then be used in a name resolve lookup,
potentially leaking the host name + partial password in clear text
over the network (if plain DNS was used) and in particular to the
used DNS server(s).
CVE-2020-8177: curl overwrite local file with -J
curl can be tricked by a malicious server to overwrite a local
file when using -J (--remote-header-name) and -i (--include) in the
same command line.
The command line tool offers the -J option that saves a remote
file using the file name present in the Content-Disposition:
response header. curl then refuses to overwrite an existing local
file using the same name, if one already exists in the current
directory.
The -J flag is designed to save a response body, and so it doesn't
work together with -i and there's logic that forbids it. However,
the check is flawed and doesn't properly check for when the options
are used in the reversed order: first using -J and then -i were
mistakenly accepted.
The result of this mistake was that incoming HTTP headers could
overwrite a local file if one existed, as the check to avoid the
local file was done first when body data was received, and due to
the mistake mentioned above, it could already have received and
saved headers by that time.
The saved file would only get response headers added to it, as it
would abort the saving when the first body byte arrives. A
malicious server could however still be made to send back virtually
anything as headers and curl would save them like this, until the
first CRLF-CRLF sequence appears.
(Also note that -J needs to be used in combination with -O to have
any effect.)
Vulnerability in ClamAV's MEW unpacking feature that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
Reported by Secunia Research at Flexera.
Fix for a 2-byte buffer over-read bug in ClamAV&s PDF parsing code.
Reported by Alex Gaynor.
CVE-2018-14680:
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames.
CVE-2018-14681:
An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite.
CVE-2018-14682:
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM decompression. Additionally, 0.100.2 reverted 0.100.1's patch for CVE-2018-14679, and applied libmspack's version of the fix in its place.
CVE-2019-8842: The ippReadIO function may under-read an
extension.
CVE-2020-3898: The ppdOpen function did not handle invalid UI
constraint. ppdcSource::get_resolution function did not handle
invalid resolution strings. An application may be able to gain
elevated privileges.
GNU libidn2 before 2.2.0 fails to perform the roundtrip checks
specified in RFC3490 Section 4.2 when converting A-labels to U-labels.
This makes it possible in some circumstances for one domain to
impersonate another. By creating a malicious domain that matches a
target domain except for the inclusion of certain punycoded Unicode
characters (that would be discarded when converted first to a Unicode
label and then back to an ASCII label), arbitrary domains can be
impersonated.
Rails 6.0.3.2 has been released! This version of Rails contains an
important security patch, and you should upgrade! The release contains
only one patch that addresses CVE-2020-8185.
An assertion check in BIND (that is meant to prevent going beyond
the end of a buffer when processing incoming data) can be
incorrectly triggered by a large response during zone transfer.
The asterisk character ("*") is allowed in DNS zone files, where
it is most commonly present as a wildcard at a terminal node of
the Domain Name System graph. However, the RFCs do not require
and BIND does not enforce that an asterisk character be present
only at a terminal node.
A problem can occur when an asterisk is present in an empty
non-terminal location within the DNS graph. If such a node exists,
after a series of queries, named can reach an inconsistent state
that results in the failure of an assertion check in rbtdb.c,
followed by the program exiting due to the assertion failure.
A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11
allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file.
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7
through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct
Regular Expression Denial of Service (ReDoS) attacks against a client
because of urllib.request.AbstractBasicAuthHandler catastrophic
backtracking.
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x
through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as
demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in
the host component of a URL) followed by an HTTP header.
Updates are now available for all supported Node.js release lines for the following issues.
TLS session reuse can lead to host certificate verification bypass (High) (CVE-2020-8172)
The 'session' event could be emitted before the 'secureConnect' event. It should not be, because the
connection may fail to be authorized. If it was saved an authorized connection could be established
later with the session ticket. Note that the https agent caches sessions, so is vulnerable to this.
The 'session' event will now only be emitted after the 'secureConnect' event, and only for authorized
connections.
HTTP/2 Large Settings Frame DoS (Low) (CVE-2020-11080)
Receiving unreasonably large HTTP/2 SETTINGS frames can consume 100% CPU to process all the settings,
blocking all other activities until complete.
The HTTP/2 session frame is limited to 32 settings by default. This can be configured if necessary
using the maxSettings option.
napi_get_value_string_*() allows various kinds of memory corruption (High) (CVE-2020-8174)
Calling napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16()
with a non-NULL buf, and a bufsize of 0 will cause the entire string value to be written to buf,
probably overrunning the length of the buffer.
A exploit has not been reported and it may be difficult but the following is suggested:
All users of LTS Node.js versions should update to the versions announced in this security post.
This will address the issue for any non pre-built add-on.
Maintainers who support EOL Node.js versions and/or build against a version of Node.js that did not
support N-API internally should update to use the new versions of node-addon-api 1.x and 2.x that
will be released soon after this announcement.
ICU-20958 Prevent SEGV_MAPERR in append (High) (CVE-2020-10531)
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An
integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend()
function in common/unistr.cpp.
Fix was applied to 10.x in an abundance of caution, even though there is no known way to trigger the
overflow in 10.x.
ZNC 1.8.0 up to 1.8.1-rc1 allows attackers to trigger an application
crash (with a NULL pointer dereference) if echo-message is not enabled
and there is no network.
If the push/pop level of the USB HID state is not restored within
the processing of the same HID item, an invalid memory location may be
used for subsequent HID item processing.
Impact:
An attacker with physical access to a USB port may be able to use a
specially crafted USB device to gain kernel or user-space code execution.
CVE-2020-13254: Potential data leakage via malformed memcached keys
In cases where a memcached backend does not perform key validation, passing
malformed cache keys could result in a key collision, and potential data leakage.
In order to avoid this vulnerability, key validation is added to the memcached
cache backends.
CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget
Query parameters for the admin ForeignKeyRawIdWidget were not properly URL
encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query
parameters are correctly URL encoded.
It was found that GnuTLS 3.6.4 introduced a regression in the TLS
protocol implementation. This caused the TLS server to not securely
construct a session ticket encryption key considering the
application supplied secret, allowing a MitM attacker to bypass
authentication in TLS 1.3 and recover previous conversations in TLS
1.2.
The overly large HTTP/2 SETTINGS frame payload causes denial of service.
The proof of concept attack involves a malicious client constructing a
SETTINGS frame with a length of 14,400 bytes (2400 individual settings
entries) over and over again. The attack causes the CPU to spike at 100%.
CVE-2020-10995: An issue in the DNS protocol has been found that allow malicious parties to use
recursive DNS services to attack third party authoritative name servers. The attack uses a crafted
reply by an authoritative name server to amplify the resulting traffic between the recursive and
other authoritative name servers. Both types of service can suffer degraded performance as an effect.
CVE-2020-12244: An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in
the answer section of a NXDOMAIN response lacking an SOA were not properly validated in
SyncRes::processAnswer. This would allow an attacker in position of man-in-the-middle to send a
NXDOMAIN answer for a name that does exist, bypassing DNSSEC validation.
CVE-2020-10030: An issue has been found in PowerDNS Authoritative Server allowing an attacker
with enough privileges to change the system's hostname to cause disclosure of uninitialized memory
content via a stack-based out-of-bounds read. It only occurs on systems where gethostname() does
not null-terminate the returned string if the hostname is larger than the supplied buffer. Linux
systems are not affected because the buffer is always large enough. OpenBSD systems are not affected
because the returned hostname is always null-terminated. Under some conditions this issue can lead
to the writing of one null-byte out-of-bounds on the stack, causing a denial of service or possibly
arbitrary code execution.
epson2: fixes CVE-2020-12867 (GHSL-2020-075) and several memory management issues found while addressing that CVE
epsonds: addresses out-of-bound memory access issues to fix CVE-2020-12862 (GHSL-2020-082) and CVE-2020-12863 (GHSL-2020-083), addresses a buffer overflow fixing CVE-2020-12865 (GHSL-2020-084) and disables network autodiscovery to mitigate CVE-2020-12866 (GHSL-2020-079), CVE-2020-12861 (GHSL-2020-080) and CVE-2020-12864 (GHSL-2020-081). Note that this backend does not support network scanners to begin with.
magicolor: fixes a floating point exception and uninitialized data read
A vulnerability has been discovered in Sympa web interface
by which attacker can execute arbitrary code with root privileges.
Sympa uses two sorts of setuid wrappers:
FastCGI wrappers
newaliases wrapper
The FastCGI wrappers wwsympa-wrapper.fcgi and
sympa_soap_server-wrapper.fcgi were used to make the web
interface running under privileges of a dedicated user.
The newaliases wrapper (sympa_newaliases-wrapper) allows
Sympa to update the alias database with root privileges.
Since these setuid wrappers did not clear environment variables,
if environment variables like PERL5LIB were injected,
forged code might be loaded and executed under privileges of setuid-ed
users.
Javier Moreno discovered a vulnerability in Sympa web
interface that can cause denial of service (DoS) attack.
By submitting requests with malformed parameters, this
flaw allows to create junk files in Sympa's directory
for temporary files. And particularly by tampering token
to prevent CSRF, it allows to originate exessive
notification messages to listmasters.
The jQuery project released version 3.5.0, and as part of that,
disclosed two security vulnerabilities that affect all prior versions.
As mentioned in the jQuery blog, both are: ... Security issues in
jQuerys DOM manipulation methods, as in .html(), .append(), and the others.
Security advisories for both of these issues have been published on GitHub.
Drupal 7 has an Open Redirect vulnerability.
For example, a user could be tricked into visiting a specially crafted link
which would redirect them to an arbitrary external URL. The vulnerability is
caused by insufficient validation of the destination query parameter in the
drupal_goto() function.
Vulnerability Details:
Sending malformed NOOP command causes crash in submission, submission-login or
lmtp service.
Risk:
Remote attacker can keep submission-login service down, causing denial of
service attack. For lmtp the risk is neglible, as lmtp is usually behind a
trusted MTA.
Steps to reproduce:
Send ``NOOP EE"FY`` to submission port, or similarly malformed command.
Vulnerability Details:
Sending command followed by sufficient number of newlines triggers a
use-after-free bug that might crash submission-login, submission or
lmtp service.
Risk:
Remote attacker can keep submission-login service down, causing denial
of service attack. For lmtp the risk is neglible, as lmtp is usually
behind a trusted MTA.
Steps to reproduce:
This can be currently reproduced with ASAN or Valgrind. Reliable way to
crash has not yet been discovered.
Vulnerability Details:
Sending mail with empty quoted localpart causes submission or lmtp component
to crash.
Risk:
Malicious actor can cause denial of service to mail delivery by repeatedly
sending mails with bad sender or recipient address.
Steps to reproduce:
Send mail with envelope sender or recipient as <""@example.org>.
Workaround:
For submission there is no workaround, but triggering the bug requires valid
credentials.
For lmtp, one can implement sufficient filtering on MTA level to prevent mails
with such addresses from ending up in LMTP delivery.
I have discovered a way to trigger an out of boundary write while
parsing a huge json file through a malicious input source. It can be
triggered if an attacker has control over the input stream or if a
huge load during filesystem operations can be triggered.
This Critical Patch Update contains 45 new security patches for
Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.
MariaDB reports 4 of these vulnerabilities exist in their software
The ClearFuncs class processes unauthenticated requests and
unintentionally exposes the _send_pub() method, which can be used to
queue messages directly on the master publish server. Such messages
can be used to trigger minions to run arbitrary commands as root.
The ClearFuncs class also exposes the method _prep_auth_info(),
which returns the "root key" used to authenticate commands from the
local root user on the master server. This "root key" can then be
used to remotely call administrative commands on the master server.
This unintentional exposure provides a remote un-authenticated
attacker with root-equivalent access to the salt master.
The wheel module contains commands used to read and write files
under specific directory paths. The inputs to these functions are
concatenated with the target directory and the resulting path is not
canonicalized, leading to an escape of the intended path restriction.
The get_token() method of the salt.tokens.localfs class (which is
exposed to unauthenticated requests by the ClearFuncs class) fails
to sanitize the token input parameter which is then used as a
filename, allowing insertion of ".." path elements and thus reading
of files outside of the intended directory. The only restriction is
that the file has to be deserializable by salt.payload.Serial.loads().
CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module
in ClamAV 0.102.2 that could cause a denial-of-service condition.
Improper bounds checking of an unsigned variable results in an
out-of-bounds read which causes a crash. Special thanks to Daehui Chang
and Fady Othman for helping identify the ARJ parsing vulnerability.
CVE-2020-3341: Fixed a vulnerability in the PDF-parsing module in ClamAV
0.101 - 0.102.2 that could cause a denial-of-service condition. Improper
size checking of a buffer used to initialize AES decryption routines
results in an out-of-bounds read, which may cause a crash. OSS-Fuzz
discovered this vulnerability.
CVE-2020-11063: TYPO3-CORE-SA-2020-001: Information Disclosure in
Password Reset
It has been discovered that time-based attacks can be used with the
password reset functionality for backend users. This allows an attacker
to verify whether a backend user account with a given email address
exists or not.
CVE-2020-11064: TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form
Engine
It has been discovered that HTML placeholder attributes containing
data of other database records are vulnerable to cross-site scripting. A
valid backend user account is needed to exploit this vulnerability.
CVE-2020-11065: TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link
Handling
It has been discovered that link tags generated by typolink
functionality are vulnerable to cross-site scripting - properties being
assigned as HTML attributes have not been parsed correctly.
CVE-2020-11066: TYPO3-CORE-SA-2020-004: Class destructors causing
side-effects when being unserialized
Calling unserialize() on malicious user-submitted content can result
in the following scenarios:
- trigger deletion of arbitrary directory in file system (if writable
for web server)
- trigger message submission via email using identity of web site
(mail relay)
Another insecure deserialization vulnerability is required to actually
exploit mentioned aspects.
CVE-2020-11067: TYPO3-CORE-SA-2020-005: Insecure Deserialization in
Backend User Settings
It has been discovered that backend user settings (in $BE_USER->uc) are
vulnerable to insecure deserialization. In combination with
vulnerabilities of 3rd party components this can lead to remote code
execution. A valid backend user account is needed to exploit this
vulnerability.
CVE-2020-11069: TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to
Backend User Interface
It has been discovered that the backend user interface and install tool
are vulnerable to same-site request forgery. A backend user can be
tricked into interacting with a malicious resource an attacker
previously managed to upload to the web server - scripts are then
executed with the privileges of the victimsâ user session.
In a worst case scenario new admin users can be created which can
directly be used by an attacker. The vulnerability is basically a
cross-site request forgery (CSRF) triggered by a cross-site scripting
vulnerability (XSS) - but happens on the same target host - thus, itâ
actually a same-site request forgery (SSRF).
Malicious payload such as HTML containing JavaScript might be provided
by either an authenticated backend user or by a non-authenticated user
using a 3rd party extension - e.g. file upload in a contact form with
knowing the target location.
The attacked victim requires an active and valid backend or install
tool user session at the time of the attack to be successful.
Requests to create cryptography sessions using a MAC did not validate the
user-supplied MAC key length. The cryptodev module allocates a buffer whose
size is this user-suppled length.
Impact:
An unprivileged process can trigger a kernel panic.
The SCTP layer does improper checking when an application tries to update
a shared key. Therefore an unprivileged local user can trigger a use-after-
free situation, for example by specific sequences of updating shared keys and
closing the SCTP association.
Impact:
Triggering the use-after-free situation may result in unintended kernel
behaviour including a kernel panic.
libalias(3) packet handlers do not properly validate the packet length before
accessing the protocol headers. As a result, if a libalias(3) module does
not properly validate the packet length before accessing the protocol header,
it is possible for an out of bound read or write condition to occur.
Impact:
A malicious attacker could send specially constructed packets that exploit
the lack of validation allowing the attacker to read or write memory either
from the kernel (for the in-kernel NAT implementation) or from the process
space for natd (for the userspace implementation).
The FTP packet handler in libalias incorrectly calculates some packet
lengths. This may result in disclosing small amounts of memory from the
kernel (for the in-kernel NAT implementation) or from the process space for
natd (for the userspace implementation).
Impact:
A malicious attacker could send specially constructed packets that exploit the
erroneous calculation allowing the attacker to disclose small amount of memory
either from the kernel (for the in-kernel NAT implementation) or from the
process space for natd (for the userspace implementation).
After a certificate error was overridden by the user,
qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg).
However, when the affected website was subsequently loaded again,
the URL was mistakenly displayed as green (colors.statusbar.url.success_https).
While the user already has seen a certificate error prompt at this point
(or set content.ssl_strict to false which is not recommended),
this could still provide a false sense of security.
A content injection vulnerability via the options login page has
been discovered and reported by Vishal Singh.
An issue similar to CVE-2018-13796 exists at different endpoint & param. It can lead to a phishing attack.
(added 2020-05-07) This is essentially the same as
https://bugs.launchpad.net/mailman/+bug/1873722 except the vector is
the private archive login page and the attack only succeeds if the
list's roster visibility (private_roster) setting is 'Anyone'.
CVE-2020-11037: Potential timing attack on password-protected private pages
This release addresses a potential timing attack on pages or documents
that have been protected with a shared password through Wagtail's
"Privacy" controls. This password check is performed through a
character-by-character string comparison, and so an attacker who is
able to measure the time taken by this check to a high degree of
accuracy could potentially use timing differences to gain knowledge of
the password. (This is understood to be feasible on a local network, but
not on the public internet.)
The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file.
Create a specifically crafted image file that could trigger an out of bounds read
Send a specifically crafter request to the microdns service discovery, potentially triggering various memory management issues
Impact
If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.
While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed.
We have not seen exploits performing code execution through these vulnerabilities
CVE-2019-19721 affects VLC 3.0.8 and earlier, and only reads 1 byte out of bound
In FullLoader python/object/new constructor, implemented by
construct_python_object_apply, has support for setting the
state of a deserialized instance through the set_python_instance_state
method. After setting the state, some operations are performed
on the instance to complete its initialization, however it is
possible for an attacker to set the instance' state in such a way
that arbitrary code is executed by the FullLoader.
This patch tries to block such attacks in FullLoader by
preventing set_python_instance_state from setting arbitrar
properties. It implements a blacklist that includes extend method
(called by construct_python_object_apply) and all special
methods (e.g. __set__, __setitem__, etc.).
Users who need special attributes being set in the state of a
deserialized object can still do it through the UnsafeLoader, which
however should not be used on untrusted input. Additionally, they can
subclass FullLoader and redefine state_blacklist_regexp to include the
additional attributes they need, passing the subclassed loader to
yaml.load.
bleach.clean behavior parsing style attributes could result in a
regular expression denial of service (ReDoS).
Calls to bleach.clean with an allowed tag with an allowed style
attribute are vulnerable to ReDoS. For example, bleach.clean(...,
attributes={'a': ['style']}).
This Critical Patch Update contains 45 new security patches for
Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.
Server or client applications that call the SSL_check_chain()
function during or after a TLS 1.3 handshake may crash due to a NULL
pointer dereference as a result of incorrect handling of the
"signature_algorithms_cert" TLS extension. The crash occurs if an
invalid or unrecognized signature algorithm is received from the
peer.
Impact:
A malicious peer could exploit the NULL pointer dereference crash,
causing a denial of service attack.
Git uses external "credential helper" programs to store and retrieve passwords or
other credentials from secure storage provided by the operating system. Specially-crafted
URLs that are considered illegal as of the recently published Git versions can cause Git
to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers
will interpret this as matching any URL, and will return some unspecified stored password,
leaking the password to an attacker's server.
CVE-2020-11001: Possible XSS attack via page revision comparison view
This release addresses a cross-site scripting (XSS) vulnerability on
the page revision comparison view within the Wagtail admin interface. A
user with a limited-permission editor account for the Wagtail admin
could potentially craft a page revision history that, when viewed by a
user with higher privileges, could perform actions with that user
credentials. The vulnerability is not exploitable by an ordinary site
visitor without access to the Wagtail admin.
Git uses external "credential helper" programs to store and retrieve passwords or
other credentials from secure storage provided by the operating system.
Specially-crafted URLs that contain an encoded newline can inject unintended values
into the credential helper protocol stream, causing the credential helper to retrieve
the password for one server for an HTTP request being made to another
server, resulting in credentials for the former being sent to the
latter.
Libntlm through 1.5 relies on a fixed buffer size for
tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse
read and write operations, as demonstrated by a stack-based buffer
over-read in buildSmbNtlmAuthRequest in smbutil.c for a crafted NTLM
request.
Incomplete packet data validation may result in accessing
out-of-bounds memory (CVE-2019-5614) or may access memory after it has
been freed (CVE-2019-15874).
Impact:
Access to out of bounds or freed mbuf data can lead to a kernel panic or
other unpredictable results.
All HTTP clients in twisted.web.client now raise a ValueError when
called with a method and/or URL that contain invalid characters. This
mitigates CVE-2019-12387. Thanks to Alex Brasetvik for reporting this
vulnerability.
The HTTP/2 server implementation now enforces TCP flow control on
control frame messages and times out clients that send invalid data
without reading responses. This closes CVE-2019-9512 (Ping Flood),
CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood). Thanks
to Jonathan Looney and Piotr Sikora.
twisted.web.http was subject to several request smuggling attacks.
Requests with multiple Content-Length headers were allowed
(CVE-2020-10108, thanks to Jake Miller from Bishop Fox and ZeddYu Lu
for reporting this) and now fail with a 400; requests with a
Content-Length header and a Transfer-Encoding header honored the first
header (CVE-2020-10109, thanks to Jake Miller from Bishop Fox for
reporting this) and now fail with a 400; requests whose
Transfer-Encoding header had a value other than "chunked" and
"identity" (thanks to ZeddYu Lu) were allowed and now fail with a 400.
The libssh team reports (originally reported by Yasheng Yang from
Google):
A malicious client or server could crash the counterpart implemented
with libssh AES-CTR ciphers are used and don't get fully initialized. It
will crash when it tries to cleanup the AES-CTR ciphers when closing the
connection.
The WebKitGTK project reports the following vulnerability.
Processing maliciously crafted web content may lead to arbitrary code execution or application crash (denial of service). Description: A memory corruption issue (use-after-free) was addressed with improved memory handling.
A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and
prior when using the Extract-Zip function from the win_unzip module as the
extracted file(s) are not checked if they belong to the destination folder. An
attacker could take advantage of this flaw by crafting an archive anywhere in
the file system, using a path traversal. This issue is fixed in 2.10.
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5
and prior when a password is set with the argument "password" of svn module,
it is used on svn command line, disclosing to other users within the same
node. An attacker could take advantage by reading the cmdline file from that
particular PID on the procfs.
A flaw was found in Ansible Engine when using Ansible Vault for editing
encrypted files. When a user executes "ansible-vault edit", another user
on the same computer can read the old and new secret, as it is created in
a temporary file with mkstemp and the returned file descriptor is closed
and the method write_data is called to write the existing secret in the
file. This method will delete the file before recreating it insecurely.
All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
The Drupal project uses the third-party library CKEditor, which has
released a security improvement that is needed to protect some
Drupal configurations.
Vulnerabilities are possible if Drupal is configured to use the
WYSIWYG CKEditor for your site's users. An attacker that can createor
edit content may be able to exploit this Cross Site Scripting (XSS)
vulnerability to target users with access to the WYSIWYG CKEditor,
and this may include site admins with privileged access.
The latest versions of Drupal update CKEditor to 4.14 to mitigate
the vulnerabilities.
There is a time frame between allocating peer-id and initializing data
channel key (which is performed on receiving push request or on async
push-reply) in which the existing peer-id float checks do not work right.
If a "rogue" data channel packet arrives during that time frame from
another address and with same peer-id, this would cause client to float
to that new address.
The net effect of this behaviour is that the VPN session for the
"victim client" is broken. Since the "attacker client" does not have
suitable keys, it can not inject or steal VPN traffic from the other
session. The time window is small and it can not be used to attack
a specific client's session, unless some other way is found to make it
disconnect and reconnect first.
An attacker with access to precise enough timing and memory access
information (typically an untrusted operating system attacking a
secure enclave such as SGX or the TrustZone secure world) can fully
recover an ECDSA private key after observing a number of signature
operations.
This updates includes 32 security fixes, including:
[1019161] High CVE-2020-6454: Use after free in extensions.
Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on
2019-10-29
[1043446] High CVE-2020-6423: Use after free in audio.
Reported by Anonymous on 2020-01-18
[1059669] High CVE-2020-6455: Out of bounds read in WebSQL.
Reported by Nan Wang(@eternalsakura13) and Guang Gong of Alpha Lab,
Qihoo 360 on 2020-03-09
[1031479] Medium CVE-2020-6430: Type Confusion in V8.
Reported by Avihay Cohen @ SeraphicAlgorithms on 2019-12-06
[1040755] Medium CVE-2020-6456: Insufficient validation of
untrusted input in clipboard. Reported by MichaÅ Bentkowski of
Securitum on 2020-01-10
[852645] Medium CVE-2020-6431: Insufficient policy
enforcement in full screen. Reported by Luan Herrera (@lbherrera_)
on 2018-06-14
[965611] Medium CVE-2020-6432: Insufficient policy
enforcement in navigations. Reported by David Erceg on
2019-05-21
[1043965] Medium CVE-2020-6433: Insufficient policy
enforcement in extensions. Reported by David Erceg on
2020-01-21
[1048555] Medium CVE-2020-6434: Use after free in devtools.
Reported by HyungSeok Han (DaramG) of Theori on 2020-02-04
[1032158] Medium CVE-2020-6435: Insufficient policy
enforcement in extensions. Reported by Sergei Glazunov of Google
Project Zero on 2019-12-09
[1034519] Medium CVE-2020-6436: Use after free in window
management. Reported by Igor Bukanov from Vivaldi on 2019-12-16
[639173] Low CVE-2020-6437: Inappropriate implementation in
WebView. Reported by Jann Horn on 2016-08-19
[714617] Low CVE-2020-6438: Insufficient policy enforcement in
extensions. Reported by Ng Yik Phang on 2017-04-24
[868145] Low CVE-2020-6439: Insufficient policy enforcement in
navigations. Reported by remkoboonstra on 2018-07-26
[894477] Low CVE-2020-6440: Inappropriate implementation in
extensions. Reported by David Erceg on 2018-10-11
[959571] Low CVE-2020-6441: Insufficient policy enforcement in
omnibox. Reported by David Erceg on 2019-05-04
[1013906] Low CVE-2020-6442: Inappropriate implementation in
cache. Reported by B@rMey on 2019-10-12
[1040080] Low CVE-2020-6443: Insufficient data validation in
developer tools. Reported by @lovasoa (Ophir LOJKINE) on
2020-01-08
[922882] Low CVE-2020-6444: Uninitialized Use in WebRTC.
Reported by mlfbrown on 2019-01-17
[933171] Low CVE-2020-6445: Insufficient policy enforcement in
trusted types. Reported by Jun Kokatsu, Microsoft Browser
Vulnerability Research on 2019-02-18
[933172] Low CVE-2020-6446: Insufficient policy enforcement in
trusted types. Reported by Jun Kokatsu, Microsoft Browser
Vulnerability Research on 2019-02-18
[991217] Low CVE-2020-6447: Inappropriate implementation in
developer tools. Reported by David Erceg on 2019-08-06
[1037872] Low CVE-2020-6448: Use after free in V8. Reported by
Guang Gong of Alpha Lab, Qihoo 360 on 2019-12-26
When parsing certain JSON documents, the json gem (including the
one bundled with Ruby) can be coerced into creating arbitrary objects
in the target system.
This is the same issue as CVE-2013-0269. The previous fix was incomplete,
which addressed JSON.parse(user_input), but didnât address some other
styles of JSON parsing including JSON(user_input) and
JSON.parse(user_input, nil).
See CVE-2013-0269 in detail. Note that the issue was exploitable to
cause a Denial of Service by creating many garbage-uncollectable
Symbol objects, but this kind of attack is no longer valid because
Symbol objects are now garbage-collectable. However, creating arbitrary
bjects may cause severe security consequences depending upon the
application code.
Please update the json gem to version 2.3.0 or later. You can use
gem update json to update it. If you are using bundler, please add
gem "json", ">= 2.3.0" to your Gemfile.
The main driver for this release is that it contains a fix for a serious
vulnerability that was responsibly reported last week by Felix Wilhelm
from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
CVE-2020-11100 was assigned to this issue.
mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
server.
SECURITY: CVE-2020-1927
rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
matches and substitutions with encoded line break characters.
The fix for CVE-2019-10098 was not effective.
It was found that GnuTLS 3.6.3 introduced a regression in the DTLS
protocol implementation. This caused the DTLS client to not
contribute any randomness to the DTLS negotiation breaking the
security guarantees of the DTLS protocol.
In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium.
In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.
In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "alert(1)" reproduces the attack. This can be exploited by a user with administrator privileges in the User-Agent field. It can also be exploited by an outside party through the following steps: 1. Create a user with the surname `" onmouseover="alert(document.cookie)` and an empty first name. 2. With this user, create a ticket 3. As an administrator (or other privileged user) open the created ticket 4. On the "last update" field, put your mouse on the name of the user 5. The XSS fires This is fixed in version 9.4.6.
In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.
In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled, a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6.
In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. Exploiting this vulnerability requires a technician account. This is fixed in version 9.4.6.
In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.
The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform
authorization checks, which can allow an unprivileged user to drop
any function, procedure, materialized view, index, or trigger under
certain conditions. This attack is possible if an administrator has
installed an extension and an unprivileged user can CREATE, or an
extension owner either executes DROP EXTENSION predictably or can be
convinced to execute DROP EXTENSION.
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network.
PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default.
Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master.
Puppet 6.13.0 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior.
Incorrect use of a potentially user-controlled pointer in the kernel
allowed vnet jailed users to panic the system and potentially execute
aribitrary code in the kernel.
Impact:
Users with root level access (or the PRIV_NET_IFCREATE privilege)
can panic the system, or potentially escape the jail or execute
arbitrary code with kernel priviliges.
When a TCP server transmits or retransmits a TCP SYN-ACK segment
over IPv6, the Traffic Class field is not initialized. This also
applies to challenge ACK segments, which are sent in response to
received RST segments during the TCP connection setup phase.
Impact:
For each TCP SYN-ACK (or challenge TCP-ACK) segment sent over IPv6,
one byte of kernel memory is transmitted over the network.
The driver-specific ioctl(2) command handlers in oce(4) failed to
check whether the caller has sufficient privileges to perform the
corresponding operation.
Impact:
The oce(4) handler permits unprivileged users to send passthrough
commands to device firmware.
A missing NUL-termination check for the jail_set(2) configration
option "osrelease" may return more bytes when reading the jail
configuration back with jail_get(2) than were originally set.
Impact:
For jails with a non-default setting of children.max > 0 ("nested
jails") a superuser inside a jail can create a jail and may be able to
read and take advantage of exposed kernel memory.
The driver-specific ioctl(2) command handlers in ixl(4) failed to
check whether the caller has sufficient privileges to perform the
corresponding operation.
Impact:
The ixl(4) handler permits unprivileged users to trigger updates to
the device's non-volatile memory (NVM).
* ``bleach.clean`` behavior parsing embedded MathML and SVG content
with RCDATA tags did not match browser behavior and could result in
a mutation XSS.
Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or
``svg`` tags and one or more of the RCDATA tags ``script``,
``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or
``xmp`` in the allowed tags whitelist were vulnerable to a mutation
XSS.
* ``bleach.clean`` behavior parsing ``noscript`` tags did not match
browser behavior.
Calls to ``bleach.clean`` allowing ``noscript`` and one or more of
the raw text tags (``title``, ``textarea``, ``script``, ``style``,
``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable
to a mutation XSS.
This release addresses the following security issues:
Potential Denial of Service due to memory leak in DNS
TSIG message parsing.
Potential Denial of Service due to memory leak (or assertion
when compiling with assertions enabled) when receiving a
second SSH KEX message after a first.
Potential Denial of Service due to buffer read overflow
and/or memory leaks in Kerberos analyzer. The buffer
read overflow could occur when the Kerberos message
indicates it contains an IPv6 address, but does not send
enough data to parse out a full IPv6 address. A memory
leak could occur when processing KRB_KDC_REQ KRB_KDC_REP
messages for message types that do not match a known/expected
type.
Potential Denial of Service when sending many zero-length
SSL/TLS certificate data. Such messages underwent the
full Zeek file analysis treatment which is expensive (and
meaninguless here) compared to how cheaply one can "create"
or otherwise indicate many zero-length contained in an
SSL message.
Potential Denial of Service due to buffer read overflow
in SMB transaction data string handling. The length of
strings being parsed from SMB messages was trusted to be
whatever the message claimed instead of the actual length
of data found in the message.
Potential Denial of Service due to null pointer dereference
in FTP ADAT Base64 decoding.
Potential Denial of Service due buffer read overflow in
FTP analyzer word/whitespace handling. This typically
won't be a problem in most default deployments of Zeek
since the FTP analyzer receives data from a ContentLine
(NVT) support analyzer which first null-terminates the
buffer used for further FTP parsing.
Okular can be tricked into executing local binaries via specially crafted
PDF files.
This binary execution can require almost no user interaction.
No parameters can be passed to those local binaries.
We have not been able to identify any binary that will cause actual damage,
be it in the hardware or software level, when run without parameters.
We remain relatively confident that for this issue to do any actual damage,
it has to run a binary specially crafted. That binary must have been deployed
to the user system via another method, be it the user downloading it directly
as an email attachment, webpage download, etc. or by the system being already
compromised.
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4
allows SQL Injection if untrusted data is used as a tolerance parameter
in GIS functions and aggregates on Oracle. By passing a suitably crafted
tolerance to GIS functions and aggregates on Oracle, it was possible to
break escaping and inject malicious SQL.
[The 1.11.1] release includes a security fix impacting installations using Single Sign-On (i.e. SAML2 or CAS) for authentication. Administrators of such installations are encouraged to upgrade as soon as possible.
Updates are now available for all active Node.js release lines for the following issues.
HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)
Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system.
HTTP header values do not have trailing OWS trimmed (High) (CVE-2019-15606)
Optional whitespace should be trimmed from HTTP header values. Its presence may allow attackers to bypass security checks based on HTTP header values.
Remotely trigger an assertion on a TLS server with a malformed certificate string (High) (CVE-2019-15604)
Connecting to a NodeJS TLS server with a client certificate that has a type 19 string in its subjectAltName will crash the TLS server if it tries to read the peer certificate.
Strict HTTP header parsing (None)
Increase the strictness of HTTP header parsing. There are no known vulnerabilities addressed, but lax HTTP parsing has historically been a source of problems. Some commonly used sites are known to generate invalid HTTP headers, a --insecure-http-parser CLI option or insecureHTTPParser http option can be used if necessary for interoperability, but is not recommended.
Three ntp vulnerabilities, Depending on configuration, may have
little impact up to termination of the ntpd process.
NTP Bug 3610: Process_control() should exit earlier on short
packets. On systems that override the default and enable ntpdc
(mode 7) fuzz testing detected that a short packet will cause
ntpd to read uninitialized data.
NTP Bug 3596: An unauthenticated unmonitored ntpd is vulnerable
to attack on IPv4 with highly predictable transmit timestamps. An
off-path attacker who can query time from the victim's ntp which
receives time from an unauthenticated time source must be able to
send from a spoofed IPv4 address of upstream ntp server and and
the victim must be able to process a large number of packets with
the spoofed IPv4 address of the upstream server. After eight or
more successful attacks in a row the attacker can either modify
the victim's clock by a small amount or cause ntpd to terminate.
The attack is especially effective when unusually short poll
intervals have been configured.
NTP Bug 3592: The fix for https://bugs.ntp.org/3445 introduced
a bug such that a ntp can be prevented from initiating a time
volley to its peer resulting in a DoS.
All three NTP bugs may result in DoS or terimation of the ntp
daemon.
Librsvg now has limits on the number of loaded XML elements,
and the number of referenced elements within an SVG document. This
is to mitigate malicious SVGs which try to consume all memory, and
those which try to consume an exponential amount of CPU time.
Fix stack exhaustion with circular references in
Fix a denial-of-service condition from exponential explosion
of rendered elements, through nested use of SVG
Ihe insert_note_steps function in readmidi.c in TiMidity++ 2.14.0
can cause a denial of service(divide-by-zero error and application
crash) via a crafted mid file.
The resample_gauss function in resample.c in TiMidity++ 2.14.0
can cause a denial of service(heap-buffer-overflow) via a crafted
mid file.
The play_midi function in playmidi.c in TiMidity++ 2.14.0 can
cause a denial of service(large loop and CPU consumption) via
a crafted mid file.
An out of bounds read in smtpd allows an attacker to inject arbitrary
commands into the envelope file which are then executed as root.
Separately, missing privilege revocation in smtpctl allows arbitrary
commands to be run with the _smtpq group.
An unprivileged local attacker can read the first line of an arbitrary
file (for example, root's password hash in /etc/master.passwd) or the
entire contents of another user's file (if this file and
/var/spool/smtpd/ are on the same filesystem).
If Mbed TLS is running in an SGX enclave and the adversary has
control of the main operating system, they can launch a side
channel attack to recover the RSA private key when it is being
imported.
The attack only requires access to fine grained measurements to
cache usage. Therefore the attack might be applicable to a scenario
where Mbed TLS is running in TrustZone secure world and the
attacker controls the normal world or possibly when Mbed TLS is
part of a hypervisor and the adversary has full control of a guest
OS.
We discovered a minor vulnerability in OpenSMTPD, OpenBSD's mail server:
an unprivileged local attacker can read the first line of an arbitrary
file (for example, root's password hash in /etc/master.passwd) or the
entire contents of another user's file (if this file and
/var/spool/smtpd/ are on the same filesystem).
Our bignum implementation is not constant time/constant trace, so
side channel attacks can retrieve the blinded value, factor it (as
it is smaller than RSA keys and not guaranteed to have only large
prime factors), and then, by brute force, recover the key.
lib-smtp doesn't handle truncated command parameters properly, resulting
in infinite loop taking 100% CPU for the process. This happens for LMTP
(where it doesn't matter so much) and also for submission-login where
unauthenticated users can trigger it.
Aki also reports:
Snippet generation crashes if:
message is large enough that message-parser returns multiple body
blocks
The first block(s) don't contain the full snippet (e.g. full of
whitespace)
input ends with '>'
FreeBSD uses a two-process model for running a VM. For booting non-FreeBSD
guests, a modified grub-emu is used (grub-bhyve). Grub-bhyve executes command
from guest grub.cfg file. This is a security problem because grub was never
written to handle inputs from OS as untrusted. In the current design, grub
and guest OS works across trust boundaries. This exposes a grub to untrusted
inputs from guest.
grub-bhyve (emu) is built without SDL graphics support which reduces lot of
gfx attack surface, however font loading code is still accessible. Guest can
provide arbitrary font file, which is parsed by grub-bhyve running as root.
In grub-core/font/font.c, read_section_as_string() allocates
section->length + 1 bytes of memory. However, untrusted
section->length is an unsigned 32-bit number, and the result can
overflow to malloc(0). This can result in a controlled buffer
overflow via the 'loadfont' command in a guest VM grub2.cfg, eventually leading
to privilege escalation from guest to host.
Reno Robert also reports:
GRUB supports commands to read and write addresses of choice. In
grub-bhyve, these commands provide a way to write to arbitrary virtual
addresses within the grub-bhyve process. This is another way for a guest
grub2.cfg, run by the host, to eventually escalate privileges.
These vulnerabilities are mitigated by disabling the 'loadfont', 'write_dword',
'read_dword', 'inl', 'outl', and other width variants of the same functionality in
grub2-bhyve.
There is also work in progress to sandbox the grub-bhyve utility such that
an escaped guest ends up with nobody:nobody in a Capsium sandbox. It is not
included in 0.40_8.
In libexif, there is a possible out of bounds write due to an integer overflow.
This could lead to remote escalation of privilege in the media content provider
with no additional execution privileges needed. User interaction is needed for
exploitation.
NGINX before 1.17.7, with certain error_page configurations, allows HTTP
request smuggling, as demonstrated by the ability of an attacker to read
unauthorized web pages in environments where NGINX is being fronted by a
load balancer.
A flaw was found in the way ksh evaluates certain environment
variables. An attacker could use this flaw to override or bypass
environment restrictions to execute shell commands. Services and
applications that allow remote unauthenticated attackers to
provide one of those environment variables could allow them to
exploit this issue remotely.
A denial-of-service (DoS) condition may occur when using the optional
credit card data-loss-prevention (DLP) feature. Improper bounds checking of
an unsigned variable resulted in an out-of-bounds read, which causes a crash.
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3
allows SQL Injection if untrusted data is used as a StringAgg delimiter
(e.g., in Django applications that offer downloads of data as a series
of rows with a user-specified column delimiter). By passing a suitably
crafted delimiter to a contrib.postgres.aggregates.StringAgg instance,
it was possible to break escaping and inject malicious SQL.
In an environment where a user is only allowed to copy files and
not to execute applications, it would be possible to pass a location
which contains commands to be executed in additon.
When the libssh SCP client connects to a server, the scp
command, which includes a user-provided path, is executed
on the server-side. In case the library is used in a way
where users can influence the third parameter of
ssh_scp_new(), it would become possible for an attacker to
inject arbitrary commands, leading to a compromise of the
remote target.
This Critical Patch Update contains 17 new security fixes for
Oracle MySQL. 5 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.
A nefarious rule configuration (.cf) files can be configured to
run system commands. This issue is less stealthy and attempts to
exploit the issue will throw warnings.
Thanks to Damian Lukowski at credativ for reporting the issue
ethically. With this bug unpatched, exploits can be injected in a
number of scenarios though doing so remotely is difficult. In
addition to upgrading to SA 3.4.4, we again recommend that users
should only use update channels or 3rd party .cf files from trusted
places.
Sudo's pwfeedback option can be used to provide visual feedback
when the user is inputting their password. For each key press,
an asterisk is printed. This option was added in response to
user confusion over how the standard Password: prompt disables
the echoing of key presses. While pwfeedback is not enabled by
default in the upstream version of sudo, some systems, such as
Linux Mint and Elementary OS, do enable it in their default
sudoers files.
Due to a bug, when the pwfeedback option is enabled in the
sudoers file, a user may be able to trigger a stack-based buffer
overflow. This bug can be triggered even by users not listed in
the sudoers file. There is no impact unless pwfeedback has been
enabled.
nefarious rule configuration (.cf) files can be configured to
run system commands similar to CVE-2018-11805. This issue
is less stealthy and attempts to exploit the issue will throw
warnings.
An incorrect check allows an attacker to trick mbox delivery
into executing arbitrary commands as root and lmtp delivery
into executing arbitrary commands as an unprivileged user
A programming error allows an attacker who can specify a URL with a
username and/or password components to overflow libfetch(3) buffers.
Impact:
An attacker in control of the URL to be fetched (possibly via HTTP
redirect) may cause a heap buffer overflow, resulting in program
misbehavior or malicious code execution.
A missing check means that an attacker can reinject an old packet and
it will be accepted and processed by the IPsec endpoint.
Impact:
The impact depends on the higher-level protocols in use over IPsec.
For example, an attacker who can capture and inject packets could
cause an action that was intentionally performed once to be repeated.
Due to incorrect initialization of a stack data structure, up to 20
bytes of kernel data stored previously stored on the stack will be
exposed to a crashing user process.
The implementation of ACL inheritance in the Samba AD DC was not complete,
and so absent a 'full-sync' replication, ACLs could get out of sync between
domain controllers.
CVE-2019-14907
When processing untrusted string input Samba can read past the end of the
allocated buffer when printing a "Conversion error" message to the logs.
CVE-2019-19344
During DNS zone scavenging (of expired dynamic entries) there is a read of
memory after it has been freed.
This release addresses several security problems, as well as
addressing CVE-2019-19911.
CVE-2019-19911 is regarding FPX images. If an image reports that it
has a large number of bands, a large amount of resources will be
used when trying to process the image. This is fixed by limiting the
number of bands to those usable by Pillow.
Buffer overruns were found when processing an SGI, PCX or FLI image.
Checks have been added to prevent this.
Overflow checks have been added when calculating the size of a
memory block to be reallocated in the processing of a TIFF image.
.A potential security vulnerability in Intel(R) Processor Graphics
may allow information disclosure. Intel is releasing software
updates to mitigate this potential vulnerability.
Description: Insufficient control flow in certain data
structures for some Intel(R) Processors with Intel(R) Processor
Graphics may allow an unauthenticated user to potentially enable
information disclosure via local access.
This patch provides mitigation for Gen9 hardware only. Patches
for Gen7 and Gen7.5 will be provided later. Note that Gen8 is not
impacted due to a previously implemented workaround. The mitigation
involves using an existing hardware feature to forcibly clear down
all EU state at each context switch.
By using an older and less-secure form of open(), it is
possible for untrusted template files to cause reads/writes
outside of the template directories. This vulnerability is
a component of the recent Citrix exploit.
A code execution vulnerability exists in the directory rehashing
functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4
directory can cause an out-of-bounds write on the stack, resulting
in code execution. An attacker can corrupt a partition to trigger
this vulnerability.
Theodore Y. Ts'o reports:
E2fsprogs 1.45.5 [...:] Fix a potential out of bounds write when
checking a maliciously corrupted file system. This is probably not
exploitable on 64-bit platforms, but may be exploitable on 32-bit
binaries depending on how the compiler lays out the stack variables.
(Addresses CVE-2019-5188)
When viewing graphs, some input variables are not properly checked
(SQL injection possible).
Multiple instances of lib/functions.php are affected by unsafe
deserialization of user-controlled data to populate arrays. An
authenticated attacker could use this to influence object data
values and control actions taken by Cacti or potentially cause
memory corruption in the PHP module.
GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. Problem is we can not know which columns or rows in the database are using that; espcially from plugins. Changing the key without updating data would lend in bad password sent from glpi; but storing them again from the UI will work.
There's a possible information leak / session hijack vulnerability in
Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12
and 2.0.8. Attackers may be able to find and hijack sessions by using
timing attacks targeting the session id. Session ids are usually stored
and indexed in a database that uses some kind of scheme for speeding up
lookups of that session id. By carefully measuring the amount of time
it takes to look up a session, an attacker may be able to find a valid
session id and hijack the session. The session id itself may be
generated randomly, but the way the session is indexed by the backing
store does not use a secure comparison.
Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so youll want to upgrade.
If you havent yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues.
-Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
-Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS)
could be stored in well-crafted links.
-Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named
colon attribute.
-Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.
It has been discovered that the output of field validation errors in the Form Framework is vulnerable
to cross-site scripting.
It has been discovered that t3:// URL handling and typolink functionality are vulnerable to cross-site
scripting. Not only regular backend forms are affected but also frontend extensions which use the rendering
with typolink.
It has been discovered that the output table listing in the Files backend module is vulnerable to cross-site
scripting when a file extension contains malicious sequences. Access to the file system of the server - either
directly or through synchronization - is required to exploit the vulnerability.
It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable
to directory traversal. Admin privileges are required in order to exploit this vulnerability. Since TYPO3 v9 LTS,
System Maintainer privileges are required as well.
Failing to properly escape user submitted content, class QueryGenerator is vulnerable to SQL injection.
Having system extension ext:lowlevel installed and a valid backend user having administrator privileges are
required to exploit this vulnerability.
It has been discovered that classes QueryGenerator and QueryView are vulnerable to insecure deserialization.
Requirements for successfully exploiting this vulnerability (one of the following):
- having system extension ext:lowlevel (Backend Module: DB Check) installed and valid backend user having
administrator privileges
- having system extension ext:sys_action installed and valid backend user having limited privileges
TYPO3 allows to upload files either in the backend user interface as well as in custom developed extensions.
To reduce the possibility to upload potential malicious code TYPO3 uses the fileDenyPattern to deny e.g. user
submitted PHP scripts from being persisted. Besides that it is possible for any editor to upload file assets
using the file module (fileadmin) or changing their avatar image shown in the TYPO3 backend.
Per default TYPO3 allows to upload and store HTML and SVG files as well using the mentioned functionalities.
Custom extension implementations probably would also accept those files when only the fileDenyPattern is evaluated.
Since HTML and SVG files - which might contain executable JavaScript code per W3C standard - could be directly
displayed in web clients, the whole web application is exposed to be vulnerable concerning Cross-Site Scripting.
Currently the following scenarios are known - given an authenticated regular editor is able to upload files using
the TYPO3 backend:
- directly target a potential victim to a known public resource in a URL, e.g. /fileadmin/malicious.svg or
/fileadmin/malicious.html
- using the TypoScript content object âSVGâ (implemented in class ScalableVectorGraphicsContentObject)
having renderMode set to inline for SVG files (available since TYPO3 v9.0)
- custom implementations that directly output and render markup of HTML and SVG files
SVG files that are embedded using an img src=âmalicious.svgâ tag are not vulnerable since potential
scripts are not executed in these scenarios (see https://www.w3.org/wiki/SVG_Security). The icon API of TYPO3
is not scope of this announcement since SVG icons need to be registered using an individual implementation,
which is not considered as user submitted content.
It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization.
User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey
as secret - invalid or unsigned payload is not deserialized.
However, since sensitive information could have been leaked by accident (e.g. in repositories or in commonly
known and unprotected backup files), there is the possibility that attackers know the private encryptionKey
and are able to calculate the required HMAC-SHA1 to allow a malicious payload to be deserialized.
Requirements for successfully exploiting this vulnerability (all of the following):
- rendering at least one Extbase plugin in the frontend
- encryptionKey has been leaked (from LocalConfiguration.php or corresponding .env file).
A visit to install.php can cause cached data to become corrupted.
This could cause a site to be impaired until caches are rebuilt.
Drupal 8 core's file_save_upload() function does not strip the
leading and trailing dot ('.') from filenames, like Drupal 7 did.
Users with the ability to upload files with any extension in
conjunction with contributed modules may be able to use this to
upload system files such as .htaccess in order to bypass protections
afforded by Drupal's default .htaccess file. After this fix,
file_save_upload() now trims leading and trailing dots from filenames.
The Media Library module has a security vulnerability whereby it
doesn't sufficiently restrict access to media items in certain
configurations.
The Drupal project uses the third-party library Archive_Tar, which
has released a security-related feature that impacts some Drupal
configurations. Multiple vulnerabilities are possible if Drupal is
configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and
processes them. The latest versions of Drupal update Archive_Tar to
1.4.9 to mitigate the file processing vulnerabilities.
rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551) (Low)
There is an overflow bug in the x64_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli. No EC algorithms are
affected. Analysis suggests that attacks against 2-prime RSA1024,
3-prime RSA1536, and DSA1024 as a result of this defect would be very
difficult to perform and are not believed likely. Attacks against
DH512 are considered just feasible. However, for an attack the target
would have to re-use the DH512 private key, which is not recommended
anyway. Also applications directly using the low level API BN_mod_exp
may be affected if they use BN_FLG_CONSTTIME.
The [synapse 1.7.1] release includes several security fixes as well
as a fix to a bug exposed by the security fixes. All previous releases
of Synapse are affected. Administrators are encouraged to upgrade as
soon as possible.
Fix a bug which could cause room events to be incorrectly authorized
using events from a different room.
Fix a bug causing responses to the /context client endpoint to not
use the pruned version of the event.
Fix a cause of state resets in room versions 2 onwards.
Mail with group address as sender will cause a signal 11 crash in push
notification drivers. Group address as recipient can cause crash in some
drivers.
A flaw was found in, ghostscript versions prior to 9.50, in the
.pdf_hook_DSC_Creator procedure where it did not properly secure
its privileged calls, enabling scripts to bypass `-dSAFER`
restrictions. A specially crafted PostScript file could disable
security protection and then have access to the file system, or
execute arbitrary commands.
A flaw was found in all ghostscript versions 9.x before 9.50, in
the .setuserparams2 procedure where it did not properly secure its
privileged calls, enabling scripts to bypass `-dSAFER`
restrictions. A specially crafted PostScript file could disable
security protection and then have access to the file system, or
execute arbitrary commands.
A flaw was found in ghostscript, versions 9.x before 9.50, in the
setsystemparams procedure where it did not properly secure its
privileged calls, enabling scripts to bypass `-dSAFER`
restrictions. A specially crafted PostScript file could disable
security protection and then have access to the file system, or
execute arbitrary commands.
A flaw was found in, ghostscript versions prior to 9.50, in the
.pdfexectoken and other procedures where it did not properly secure
its privileged calls, enabling scripts to bypass `-dSAFER`
restrictions. A specially crafted PostScript file could disable
security protection and then have access to the file system, or
execute arbitrary commands.
This security fix is part of an ongoing effort to improve the security of the Designer feature
and is designated PMASA-2019-5. There is also an improvement for how we sanitize git version
information shown on the home page.
As part of IPU 2019.2, INTEL-SA-00242 advises that insufficient
access control may allow an authenticated user to potentially
enable escalation of privilege via local access.
INTEL-SA-00260 advises that insufficient access control may
allow an authenticated user to potentially enable denial of
service via local access.
CVE-2019-19118: Privilege escalation in the Django admin.
Since Django 2.1, a Django model admin displaying a parent model with related
model inlines, where the user has view-only permissions to a parent model but
edit permissions to the inline model, would display a read-only view of the parent
model but editable forms for the inline.
Submitting these forms would not allow direct edits to the parent model, but would
trigger the parent model's save() method, and cause pre and post-save signal handlers
to be invoked. This is a privilege escalation as a user who lacks permission to edit
a model should not be able to trigger its save-related signals.
NIST reports: (by search in the range 2018/01/01 - 2019/11/10):
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email
file as a result of excessively long scan times. The issue is resolved by implementing
several maximums in parsing MIME messages and by optimizing use of memory allocation.
Intel discovered a previously published erratum on some Intel
platforms can be exploited by malicious software to potentially cause
a denial of service by triggering a machine check that will crash or
hang the system.
Malicious guest operating systems may be able to crash the host.
Starting with version 1.26, the devcpu-data port/package includes
updates and mitigations for the following technical and security
advisories (depending on CPU model).
Updated microcode includes mitigations for
CPU issues, but may also cause a performance regression due
to the JCC erratum mitigation. Please visit
http://www.intel.com/benchmarks for further information.
Please visit http://www.intel.com/security for
detailed information on these advisories as well as a list of
CPUs that are affected.
Operating a CPU without the latest microcode may result in erratic or
unpredictable behavior, including system crashes and lock ups.
Certain issues listed in this advisory may result in the leakage of
privileged system information to unprivileged users. Please refer to
the security advisories listed above for detailed information.
Recent versions of Unbound contain a vulnerability that can cause shell
code execution after receiving a specially crafted answer. This issue
can only be triggered if unbound was compiled with --enable-ipsecmod
support, and ipsecmod is enabled and used in the configuration.
A remote authenticated Asterisk Manager Interface (AMI)
user without system authorization could use a specially
crafted Originate AMI request to execute arbitrary system
commands.
A SIP request can be sent to Asterisk that can change
a SIP peers IP address. A REGISTER does not need to occur,
and calls can be hijacked as a result. The only thing
that needs to be known is the peers name; authentication
details such as passwords do not need to be known. This
vulnerability is only exploitable when the nat option is
set to the default, or auto_force_rport.
Problem Description: Due to incorrect data management Squid is
vulnerable to a information disclosure when processing HTTP Digest
Authentication.
Severity: Nonce tokens contain the raw byte value of a pointer which sits
within heap memory allocation. This information reduces ASLR protections
and may aid attackers isolating memory areas to target for remote code
execution attacks.
This stable release fixes several potential vulnerabilities
CVE-2015-1197: cpio, when using the --no-absolute-filenames
option, allows local users to write to arbitrary files
via a symlink attack on a file in an archive.
CVE-2016-2037: The cpio_safer_name_suffix function in
util.c allows remote attackers to cause a denial of service
(out-of-bounds write) via a crafted cpio file.
CVE-2019-14866: Improper input validation when writing
tar header fields leads to unexpected tar generation.
CVE-2017-8372: The mad_layer_III function in layer3.c in Underbit MAD
libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to cause a
denial of service (assertion failure and application exit) via a crafted
audio file.
CVE-2017-8373: The mad_layer_III function in layer3.c in Underbit MAD
libmad 0.15.1b allows remote attackers to cause a denial of service
(heap-based buffer overflow and application crash) or possibly have
unspecified other impact via a crafted audio file.
CVE-2017-8374: The mad_bit_skip function in bit.c in Underbit MAD
libmad 0.15.1b allows remote attackers to cause a denial of service
(heap-based buffer over-read and application crash) via a crafted audio
file.
Several RCE vulnerabilities have been found and corrected in 2.14.15:
CVE-2019-16530: An attacker with elevated privileges can upload a
specially crafted file. That file can contain commands that will
be executed on the system, with the same privileges as the user
running the server.
CVE-2019-15893: A Remote Code Execution vulnerability has been
discovered in Nexus Repository Manager requiring immediate
action. The vulnerability allows for an attacker with
administrative access to NXRM to create repostories that can
grant access to read/execute system data outside the scope of
NXRM.
CVE-2019-5475: A vulnerability has been found that can allow
user's with administrative privileges to run processes on the
target server, that the nxrm os user has access to.
cdf_read_property_info in cdf.c in file through 5.37 does not
restrict the number of CDF_VECTOR elements, which allows a heap-based
buffer overflow (4-byte out-of-bounds write).
This Critical Patch Update contains 31 new security fixes for
Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.
When a comment in an issue or PR mentions a user using
@username, the mentioned user receives a mail notification even if
they don't have permission to see the originating repository.
A bug has been discovered in Varnish Cache where we fail to
clear a pointer between the handling of one client requests and the next
on the same connection. This can under specific circumstances lead to
information being leaked from the connection workspace.
When sudo is configured to allow a user to run commands as an
arbitrary user via the ALL keyword in a Runas specification, it
is possible to run commands as root by specifying the user ID -1
or 4294967295.
This can be used by a user with sufficient sudo privileges to
run commands as root even if the Runas specification explicitly
disallows root access as long as the ALL keyword is listed first
in the Runas specification.
Log entries for commands run this way will list the target user
as 4294967295 instead of root. In addition, PAM session modules
will not be run for the command.
The decompressor used in bzip2 contains a bug which can
lead to an out-of-bounds write when processing a specially
crafted bzip2(1) file.
bzip2recover contains a heap use-after-free bug which
can be triggered when processing a specially crafted bzip2(1)
file.
Impact:
An attacker who can cause maliciously crafted input to
be processed may trigger either of these bugs. The bzip2recover
bug may cause a crash, permitting a denial-of-service. The
bzip2 decompressor bug could potentially be exploited to
execute arbitrary code.
Note that some utilities, including the tar(1) archiver
and the bspatch(1) binary patching utility (used in portsnap(8)
and freebsd-update(8)) decompress bzip2(1)-compressed data
internally; system administrators should assume that their
systems will at some point decompress bzip2(1)-compressed
data even if they never explicitly invoke the bunzip2(1)
utility.
The ICMPv6 input path incorrectly handles cases where
an MLDv2 listener query packet is internally fragmented
across multiple mbufs.
Impact:
A remote attacker may be able to cause an out-of-bounds
read or write that may cause the kernel to attempt to access
an unmapped page and subsequently panic.
A function extracting the length from type-length-value
encoding is not properly validating the submitted length.
Impact:
A remote user could cause, for example, an out-of-bounds
read, decoding of unrelated data, or trigger a crash of the
software such as bsnmpd resulting in a denial of service.
The e1000 network adapters permit a variety of modifications
to an Ethernet packet when it is being transmitted. These
include the insertion of IP and TCP checksums, insertion
of an Ethernet VLAN header, and TCP segmentation offload
("TSO"). The e1000 device model uses an on-stack buffer to
generate the modified packet header when simulating these
modifications on transmitted packets.
When TCP segmentation offload is requested for a transmitted
packet, the e1000 device model used a guest-provided value
to determine the size of the on-stack buffer without
validation. The subsequent header generation could overflow
an incorrectly sized buffer or indirect a pointer composed
of stack garbage.
Impact:
A misbehaving bhyve guest could overwrite memory in the
bhyve process on the host.
Due do a missing check in the code of m_pulldown(9) data
returned may not be contiguous as requested by the caller.
Impact:
Extra checks in the IPv6 code catch the error condition
and trigger a kernel panic leading to a remote DoS
(denial-of-service) attack with certain Ethernet interfaces.
At this point it is unknown if any other than the IPv6 code
paths can trigger a similar condition.
The kernel driver for /dev/midistat implements a handler
for read(2). This handler is not thread-safe, and a
multi-threaded program can exploit races in the handler to
cause it to copy out kernel memory outside the boundaries
of midistat's data buffer.
Impact:
The races allow a program to read kernel memory within
a 4GB window centered at midistat's data buffer. The buffer
is allocated each time the device is opened, so an attacker
is not limited to a static 4GB region of memory.
On 32-bit platforms, an attempt to trigger the race may
cause a page fault in kernel mode, leading to a panic.
System calls operating on file descriptors obtain a
reference to relevant struct file which due to a programming
error was not always put back, which in turn could be used
to overflow the counter of affected struct file.
Impact:
A local user can use this flaw to obtain access to files,
directories, sockets, etc., opened by processes owned by
other users. If obtained struct file represents a directory
from outside of user's jail, it can be used to access files
outside of the jail. If the user in question is a jailed
root they can obtain root privileges on the host system.
bpo-38243: Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering
the document page as HTML.
bpo-38174: Update vendorized expat library version to 2.2.8, which resolves
CVE-2019-15903.
bpo-37764: Fixes email._header_value_parser.get_unstructured going into an infinite
loop for a specific case in which the email header does not have trailing whitespace,
and the case in which it contains an invalid encoded word.
bpo-37461: Fix an infinite loop when parsing specially crafted email headers.
bpo-34155: Fix parsing of invalid email addresses with more than one @
(e.g. a@b@c.com.) to not return the part before 2nd @ as valid email address.
An issue was discovered in Pillow before 6.2.0. When reading specially
crafted invalid image files, the library can either allocate very large
amounts of memory or take an extremely long period of time to process
the image.
mod_perl2 2.0.11 fixes Arbitrary Perl code execution in the context
of the user account via a user-owned .htaccess.
mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary
Perl code by placing it in a user-owned .htaccess file, because
(contrary to the documentation) there is no configuration option
that permits Perl code for the administrator's control of HTTP
request processing without also permitting unprivileged users
to run Perl code in the context of the user account that runs
Apache HTTP Server processes.
Due to an error in parsing NOTIFY queries, it is possible for Unbound
to continue processing malformed queries and may ultimately result in a
pointer dereference in uninitialized memory. This results in a crash of
the Unbound daemon.
In Cacti through 1.2.6, authenticated users may bypass authorization checks
(for viewing a graph) via a direct graph_json.php request with a modified
local_graph_id parameter.
This release includes security fixes. Please check the topics below for
details.
CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
File.fnmatch?
A NUL injection vulnerability of Ruby built-in methods (File.fnmatch
and File.fnmatch?) was found. An attacker who has the control of the
path pattern parameter could exploit this vulnerability to make path
matching pass despite the intention of the program author.
CVE-2019-16201: Regular Expression Denial of Service vulnerability of
WEBrick's Digest access authentication
Regular expression denial of service vulnerability of WEBrick's Digest
authentication module was found. An attacker can exploit this
vulnerability to cause an effective denial of service against a WEBrick
service.
CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
There is an HTTP response splitting vulnerability in WEBrick bundled
with Ruby.
CVE-2019-16255: A code injection vulnerability of Shell#[] and
Shell#test
A code injection vulnerability of Shell#[] and Shell#test in a standard
library (lib/shell.rb) was found.
Sicheng Liu of Beijing DBSEC Technology Co., Ltd reports:
Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init.
An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server versions less than 4.0.11, 3.6.14, and 3.4.22 to run attacker defined code as the user running the utility.
Mitch Wasson of Cisco's Advanced Malware Protection Group reports:
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones.
net/http (through net/textproto) used to accept and normalize invalid
HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.
If a Go server is used behind a reverse proxy that accepts and forwards
but doesn't normalize such invalid headers, the reverse proxy and the
server can interpret the headers differently. This can lead to filter
bypasses or request smuggling, the latter if requests from separate clients
are multiplexed onto the same connection by the proxy. Such invalid headers
are now rejected by Go servers, and passed without normalization to Go
client applications.
A packet containing a malformed DUID can cause the kea-dhcp6 server to terminate (CVE-2019-6472) [Medium]
An invalid hostname option can cause the kea-dhcp4 server to terminate (CVE-2019-6473) [Medium]
An oversight when validating incoming client requests can lead to a situation where the Kea server
will exit when trying to restart (CVE-2019-6474) [Medium]
Mbed TLS does not have a constant-time/constant-trace arithmetic
library and uses blinding to protect against side channel
attacks.
In the ECDSA signature routine previous Mbed TLS versions used the
same RNG object for generating the ephemeral key pair and for
generating the blinding values. The deterministic ECDSA function
reused this by passing the RNG object created from the private key
and the message to be signed as prescribed by RFC 6979. This meant
that the same RNG object was used whenever the same message was
signed, rendering the blinding ineffective.
If the victim can be tricked to sign the same message repeatedly,
the private key may be recoverable through side channels.
This is a security patch release to address a potential
Denial of Service vulnerability:
The NTLM analyzer did not properly handle AV Pair sequences
that were either empty or unterminated, resulting in
invalid memory access or heap buffer over-read. The NTLM
analyzer is enabled by default and used in the analysis
of SMB, DCE/RPC, and GSSAPI protocols.
XML names with multiple colons could end up in the
wrong namespace, and take a high amount of RAM and CPU
resources while processing, opening the door to
use for denial-of-service attacks
libcurl can be told to use kerberos over FTP to a server, as set with
the CURLOPT_KRBLEVEL option.
During such kerberos FTP data transfer, the server sends data to curl
in blocks with the 32 bit size of each block first and then that amount
of data immediately following.
A malicious or just broken server can claim to send a very large block
and if by doing that it makes curl's subsequent call to realloc() to
fail, curl would then misbehave in the exit path and double-free the
memory.
In practical terms, an up to 4 GB memory area may very well be fine to
allocate on a modern 64 bit system but on 32 bit systems it will fail.
Kerberos FTP is a rarely used protocol with curl. Also, Kerberos
authentication is usually only attempted and used with servers that the
client has a previous association with.
CVE-2019-5482: TFTP small blocksize heap buffer overflow
libcurl contains a heap buffer overflow in the function
(tftp_receive_packet()) that receives data from a TFTP server. It can
call recvfrom() with the default size for the buffer rather than with
the size that was used to allocate it. Thus, the content that might
overwrite the heap memory is controlled by the server.
This flaw is only triggered if the TFTP server sends an OACK without
the BLKSIZE option, when a BLKSIZE smaller than 512 bytes was requested
by the TFTP client. OACK is a TFTP extension and is not used by all
TFTP servers.
Users choosing a smaller block size than default should be rare as the
primary use case for changing the size is to make it larger.
It is rare for users to use TFTP across the Internet. It is most
commonly used within local networks. TFTP as a protocol is always
inherently insecure.
This issue was introduced by the add of the TFTP BLKSIZE option
handling. It was previously incompletely fixed by an almost identical
issue called CVE-2019-5436.
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe().
A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression.
Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
If your Exim server accepts TLS connections, it is vulnerable. This does
not depend on the TLS libray, so both, GnuTLS and OpenSSL are affected.
The vulnerability is exploitable by sending a SNI ending in a
backslash-null sequence during the initial TLS handshake. The exploit
exists as a POC. For more details see the document qualys.mbx
When audio frames are given to the audio transcoding
support in Asterisk the number of samples are examined
and as part of this a message is output to indicate that
no samples are present. A change was done to suppress
this message for a particular scenario in which the message
was not relevant. This change assumed that information
about the origin of a frame will always exist when in
reality it may not.
This issue presented itself when an RTP packet containing
no audio (and thus no samples) was received. In a particular
transcoding scenario this audio frame would get turned
into a frame with no origin information. If this new frame
was then given to the audio transcoding support a crash
would occur as no samples and no origin information would
be present. The transcoding scenario requires the genericplc
option to be set to enabled (the default) and a transcoding
path from the source format into signed linear and then
from signed linear into another format.
Note that there may be other scenarios that have not
been found which can cause an audio frame with no origin
to be given to the audio transcoding support and thus
cause a crash.
Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues.
The first, a cross-site scripting (XSS) vulnerability found in post previews by contributors.
The second was a cross-site scripting vulnerability in stored comments.
Props to Tim Coen for disclosing an issue where validation and sanitization
of a URL could lead to an open redirect.
Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
Props to Zhouyuan Yang of Fortinets FortiGuard Labs who disclosed a vulnerability
for cross-site scripting (XSS) in shortcode previews.
Props to Ian Dunn of the Core Security Team for finding and disclosing a case where
reflected cross-site scripting could be found in the dashboard.
Props to Soroush Dalilifrom NCC Group for disclosing an issue with URL
sanitization that can lead to cross-site scripting (XSS) attacks.
In addition to the above changes, we are also updating jQuery on older versions of WordPress.
This change was added in 5.2.1 and is now being brought to older versions.
On a Samba SMB server for all versions of Samba from 4.9.0 clients are
able to escape outside the share root directory if certain
configuration parameters set in the smb.conf file.
There are multiple vulnerabilities about Cross-Site Scripting (XSS) in
jQuery shipped with RDoc which bundled in Ruby. All Ruby users are
recommended to update Ruby to the latest release which includes the
fixed version of RDoc.
CVE-2019-11733: Stored passwords in 'Saved Logins' can
be copied without master password entry
When a master password is set, it is required to be
entered again before stored passwords can be accessed in the 'Saved
Logins' dialog. It was found that locally stored passwords can be
copied to the clipboard thorough the 'copy password' context menu item
without re-entering the master password if the master password had
been previously entered in the same session, allowing for potential
theft of stored passwords.
Vulnerability Details:
IMAP and ManageSieve protocol parsers do not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap
memory writes.
Risk:
This vulnerability allows for out-of-bounds writes to objects stored on
the heap up to 8096 bytes in pre-login phase, and 65536 bytes post-login
phase, allowing sufficiently skilled attacker to perform complicated
attacks that can lead to leaking private information or remote code
execution. Abuse of this bug is very difficult to observe, as it does
not necessarily cause a crash. Attempts to abuse this bug are not
directly evident from logs.
HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion
Recently, a series of DoS attack vulnerabilities have been reported on a broad range of HTTP/2 stacks. Among the vulnerabilities, H2O is exposed to the following:
CVE-2019-9512 "Ping Flood": The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9514 "Reset Flood": The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVE-2019-9515 "Settings Flood": The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion
Recently, a series of DoS attack vulnerabilities have been reported on a broad range of HTTP/2 stacks. Among the vulnerabilities, H2O is exposed to the following:
CVE-2019-9512 "Ping Flood": The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9514 "Reset Flood": The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVE-2019-9515 "Settings Flood": The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.
Updates are now available for all active Node.js release lines, including Linux ARMv6 builds for Node.js 8.x (which had been delayed).
We recommend that all Node.js users upgrade to a version listed below as soon as possible.
Vulnerabilities Fixed
Impact: All versions of Node.js 8 (LTS "Carbon"), Node.js 10 (LTS "Dubnium"), and Node.js 12 (Current) are vulnerable to the following:
CVE-2019-9511 "Data Dribble": The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9512 "Ping Flood": The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9513 "Resource Loop": The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
CVE-2019-9514 "Reset Flood": The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVE-2019-9515 "Settings Flood": The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9516 "0-Length Headers Leak": The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
CVE-2019-9517 "Internal Data Buffering": The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVE-2019-9518 "Empty Frames Flood": The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)
An out of bounds write was possible within ClamAV&s NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library (CVE-2019-12900). The issue has been resolved by respecting that limit.
The zip bomb vulnerability mitigated in 0.101.3 has been assigned the CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb mitigation was immediately identified. To remediate the zip-bomb scan time issue, a scan time limit has been introduced in 0.101.4. This limit now resolves ClamAV's vulnerability to CVE-2019-12625.
Security:
* Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
* Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
* Fix a read buffer overflow in the FAAD decoder
* Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)
* Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
* Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
* Fix a use after free in the ASF demuxer (CVE-2019-14533)
* Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
* Fix a null dereference in the dvdnav demuxer
* Fix a null dereference in the ASF demuxer (CVE-2019-14534)
* Fix a null dereference in the AVI demuxer
* Fix a division by zero in the CAF demuxer (CVE-2019-14498)
* Fix a division by zero in the ASF demuxer (CVE-2019-14535)
A carefully constructed commit object with a very large number
of parents may lead to potential out-of-bounds writes or
potential denial of service.
The ProgramData configuration file is always read for compatibility
with Git for Windows and Portable Git installations. The ProgramData
location is not necessarily writable only by administrators, so we
now ensure that the configuration file is owned by the administrator
or the current user.
X.Org xdm 1.1.10, 1.1.11, and possibly other versions,
when performing authentication using certain implementations of
the crypt API function that can return NULL, allows remote
attackers to cause a denial of service (NULL pointer dereference
and crash) by attempting to log into an account whose password
field contains invalid characters, as demonstrated using the crypt
function from glibc 2.17 and later with (1) the "!" character in
the salt portion of a password field or (2) a password that has
been encrypted using DES or MD5 in FIPS-140 mode.
mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
could lead to an overwrite of memory in the pushing request's pool,
leading to crashes. The memory copied is that of the configured push
link header values, not data supplied by the client.
SECURITY: CVE-2019-9517
mod_http2: a malicious client could perform a DoS attack by flooding
a connection with requests and basically never reading responses
on the TCP connection. Depending on h2 worker dimensioning, it was
possible to block those with relatively few connections.
SECURITY: CVE-2019-10098
rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
matches and substitutions with encoded line break characters.
SECURITY: CVE-2019-10092
Remove HTML-escaped URLs from canned error responses to prevent misleading
text/links being displayed via crafted links.
SECURITY: CVE-2019-10097
mod_remoteip: Fix stack buffer overflow and NULL pointer deference
when reading the PROXY protocol header.
CVE-2019-10082
mod_http2: Using fuzzed network input, the http/2 session
handling could be made to read memory after being freed,
during connection shutdown.
I've rolled out Webmin version 1.930 and Usermin version 1.780
for all repositories. This release includes several security
fixes, including one potentially serious one caused by malicious
code inserted into Webmin and Usermin at some point on our build
infrastructure. We're still investigating how and when, but the
exploitable code has never existed in our github repositories, so
we've rebuilt from git source on new infrastructure (and checked
to be sure the result does not contain the malicious code).
I don't have a changelog for these releases yet, but I wanted
to announce them immediately due to the severity of this issue.
To exploit the malicious code, your Webmin installation must have
Webmin -> Webmin Configuration -> Authentication -> Password
expiry policy set to Prompt users with expired passwords to enter
a new one. This option is not set by default, but if it is set,
it allows remote code execution.
This release addresses CVE-2019-15107, which was disclosed
earlier today. It also addresses a handful of XSS issues that we
were notified about, and a bounty was awarded to the researcher
(a different one) who found them.
This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513
"Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted
HTTP/2 frames cause Denial of Service by consuming CPU time. Check out
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for details. For nghttpx, additionally limiting inbound traffic by
--read-rate and --read-burst options is quite effective against this
kind of attack.
CVE-2019-9511 "Data Dribble": The attacker requests a large amount of
data from a specified resource over multiple streams. They manipulate
window size and stream priority to force the server to queue the data in
1-byte chunks. Depending on how efficiently this data is queued, this
can consume excess CPU, memory, or both, potentially leading to a
denial of service.
CVE-2019-9513 "Ping Flood": The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume
excess CPU, memory, or both, potentially leading to a denial of service.
Jesse Smith (upstream author of the doas program) reported:
Previous versions of "doas" transferred most environment variables, such
as USER, HOME, and PATH from the original user to the target user.
Passing these variables could cause files in the wrong path or
home directory to be read (or written to), which resulted in potential
security problems.
Many thanks to Sander Bos for reporting this issue and explaining
how it can be exploited.
Several security issues were identified in nginx HTTP/2
implementation which might cause excessive memory consumption
and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
The issues affect nginx compiled with the ngx_http_v2_module (not
compiled by default) if the http2 option of the listen directive
is used in a configuration file.
A command injection vulnerability in Nokogiri v1.10.3 and earlier
allows commands to be executed in a subprocess by Ruby's Kernel.open
method. Processes are vulnerable only if the undocumented method
Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.
This vulnerability appears in code generated by the Rexical gem
versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate
lexical scanner code for parsing CSS queries. The underlying
vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to
this version of Rexical in Nokogiri v1.10.4.
This is a security patch release to address potential
Denial of Service vulnerabilities:
Null pointer dereference in the RPC analysis code. RPC
analyzers (e.g. MOUNT or NFS) are not enabled in the
default configuration.
Signed integer overflow in BinPAC-generated parser code.
The result of this is Undefined Behavior with respect to
the array bounds checking conditions that BinPAC generates,
so it's unpredictable what an optimizing compiler may
actually do under the assumption that signed integer
overlows should never happen. The specific symptom which
lead to finding this issue was with the PE analyzer causing
out-of-memory crashes due to large allocations that were
otherwise prevented when the array bounds checking logic
was changed to prevent any possible signed integer overlow.
The KDE Community has released a security announcement:
The syntax Key[$e]=$(shell command) in *.desktop files, .directory files, and configuration files
(typically found in ~/.config) was an intentional feature of KConfig, to allow flexible configuration.
This could however be abused by malicious people to make the users install such files and get code
executed even without intentional action by the user.
Given a suitable `SECURITY DEFINER` function, an attacker can execute arbitrary
SQL under the identity of the function owner. An attack requires `EXECUTE`
permission on the function, which must itself contain a function call having
inexact argument type match. For example, `length('foo'::varchar)` and
`length('foo')` are inexact, while `length('foo'::text)` is exact.
As part of exploiting this vulnerability, the attacker uses `CREATE DOMAIN`
to create a type in a `pg_temp` schema. The attack pattern and fix are similar
to that for CVE-2007-2138.
Writing `SECURITY DEFINER` functions continues to require following
the considerations noted in the documentation:
In a database containing hypothetical, user-defined hash equality operators,
an attacker could read arbitrary bytes of server memory. For an attack to
become possible, a superuser would need to create unusual operators.
It is possible for operators not purpose-crafted for attack to have
the properties that enable an attack, but we are not aware of specific examples.
GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of admin account. This vulnerability could be also abused to obtain other sensitive fields like API keys or password hashes.
CVE-2019-14232: Denial-of-service possibility in
django.utils.text.Truncator
If django.utils.text.Truncator's chars() and words() methods were
passed the html=True argument, they were extremely slow to evaluate
certain inputs due to a catastrophic backtracking vulnerability in a
regular expression. The chars() and words() methods are used to
implement the truncatechars_html and truncatewords_html template
filters, which were thus vulnerable
The regular expressions used by Truncator have been simplified in
order to avoid potential backtracking issues. As a consequence, trailing
punctuation may now at times be included in the truncated output.
CVE-2019-14233: Denial-of-service possibility in strip_tags()
Due to the behavior of the underlying HTMLParser,
django.utils.html.strip_tags() would be extremely slow to evaluate
certain inputs containing large sequences of nested incomplete HTML
entities. The strip_tags() method is used to implement the corresponding
striptags template filter, which was thus also vulnerable.
strip_tags() now avoids recursive calls to HTMLParser when progress
removing tags, but necessarily incomplete HTML entities, stops being
made.
Remember that absolutely NO guarantee is provided about the results of
strip_tags() being HTML safe. So NEVER mark safe the result of a
strip_tags() call without escaping it first, for example with
django.utils.html.escape().
CVE-2019-14234: SQL injection possibility in key and index lookups for
JSONField/HStoreField
Key and index lookups for JSONField and key lookups for HStoreField
were subject to SQL injection, using a suitably crafted dictionary,
with dictionary expansion, as the **kwargs passed to QuerySet.filter().
CVE-2019-14235: Potential memory exhaustion in
django.utils.encoding.uri_to_iri()
If passed certain inputs, django.utils.encoding.uri_to_iri() could lead
to significant memory usage due to excessive recursion when
re-percent-encoding invalid UTF-8 octet sequences.
uri_to_iri() now avoids recursion when re-percent-encoding invalid
UTF-8 octet sequences.
CVE-2018-14618: NTLM password overflow via integer overflow
The internal function Curl_ntlm_core_mk_nt_hash multiplies the length
of the password by two (SUM) to figure out how large temporary storage
area to allocate from the heap.
The length value is then subsequently used to iterate over the
password and generate output into the allocated storage buffer. On
systems with a 32 bit size_t, the math to calculate SUM triggers an
integer overflow when the password length exceeds 2GB (2^31 bytes).
This integer overflow usually causes a very small buffer to actually
get allocated instead of the intended very huge one, making the use of
that buffer end up in a heap buffer overflow.
If a process attempts to transmit rights over a UNIX-domain
socket and an error causes the attempt to fail, references
acquired on the rights are not released and are leaked.
This bug can be used to cause the reference counter to wrap
around and free the corresponding file structure.
Impact:
A local user can exploit the bug to gain root privileges
or escape from a jail.
To implement one particular ioctl, the Linux emulation
code used a special interface present in the cd(4) driver
which allows it to copy subchannel information directly to
a kernel address. This interface was erroneously made
accessible to userland, allowing users with read access to
a cd(4) device to arbitrarily overwrite kernel memory when
some media is present in the device.
Impact:
A user in the operator group can make use of this interface
to gain root privileges on a system with a cd(4) device
when some media is present in the device.
EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant
(EAP peer) does not to validate the received scalar and element values
in EAP-pwd-Commit messages properly. This could result in attacks that
would be able to complete EAP-pwd authentication exchange without the
attacker having to know the used password.
See
https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt
for a detailed description of the bug.
Impact:
All wpa_supplicant and hostapd versions with EAP-pwd support.
Insufficient validation of environment variables in the
telnet client supplied in FreeBSD can lead to stack-based
buffer overflows. A stack- based overflow is present in the
handling of environment variables when connecting via the
telnet client to remote telnet servers.
This issue only affects the telnet client. Inbound telnet
sessions to telnetd(8) are not affected by this issue.
Impact:
These buffer overflows may be triggered when connecting
to a malicious server, or by an active attacker in the
network path between the client and server. Specially crafted
TELNET command sequences may cause the execution of arbitrary
code with the privileges of the user invoking telnet(1).
A bug in the pf(4) IPv6 fragment reassembly logic
incorrectly uses the last extension header offset from the
last received packet instead of from the first packet.
Impact:
Malicious IPv6 packets with different IPv6 extensions
could cause a kernel panic or potentially a filtering rule
bypass.
The code which handles a close(2) of a descriptor created
by posix_openpt(2) fails to undo the configuration which
causes SIGIO to be raised. This bug can lead to a
write-after-free of kernel memory.
Impact:
The bug permits malicious code to trigger a write-after-free,
which may be used to gain root privileges or escape a
jail.
States in pf(4) let ICMP and ICMP6 packets pass if they
have a packet in their payload matching an existing condition.
pf(4) does not check if the outer ICMP or ICMP6 packet has
the same destination IP as the source IP of the inner
protocol packet.
Impact:
A maliciously crafted ICMP/ICMP6 packet could bypass the
packet filter rules and be passed to a host that would
otherwise be unavailable.
Due to insufficient initialization of memory copied to
userland in the components listed above small amounts of
kernel memory may be disclosed to userland processes.
Impact:
A user who can invoke 32-bit FreeBSD ioctls may be able
to read the contents of small portions of kernel memory.
Such memory might contain sensitive information, such
as portions of the file cache or terminal buffers. This
information might be directly useful, or it might be leveraged
to obtain elevated privileges in some way; for example, a
terminal buffer might include a user-entered password.
On some Intel processors utilizing speculative execution
a local process may be able to infer stale information from
microarchitectural buffers to obtain a memory disclosure.
Impact:
An attacker may be able to read secret data from the
kernel or from a process when executing untrusted code (for
example, in a web browser).
A crafted malicious authenticated mode 6 (ntpq) packet from a
permitted network address can trigger a NULL pointer dereference,
crashing ntpd.
Note that for this attack to work, the sending
system must be on an address that the target's ntpd accepts mode 6
packets from, and must use a private key that is specifically
listed as being used for mode 6 authorization.
Impact: The ntpd daemon can crash due to the NULL pointer
dereference, causing a denial of service.
Mitigation:
Use restrict noquery to limit addresses that can send mode 6
queries.
Limit access to the private controlkey in ntp.keys.
While processing acknowledgements, the RACK code uses
several linked lists to maintain state entries. A malicious
attacker can cause the lists to grow unbounded. This can
cause an expensive list traversal on every packet being
processed, leading to resource exhaustion and a denial of
service.
Impact:
An attacker with the ability to send specially crafted
TCP traffic to a victim system can degrade network performance
and/or consume excessive CPU by exploiting the inefficiency
of traversing the potentially very large RACK linked lists
with relatively small bandwidth cost.
System calls operating on file descriptors obtain a
reference to relevant struct file which due to a programming
error was not always put back, which in turn could be used
to overflow the counter of affected struct file.
Impact:
A local user can use this flaw to obtain access to files,
directories, sockets etc. opened by processes owned by other
users. If obtained struct file represents a directory from
outside of user's jail, it can be used to access files
outside of the jail. If the user in question is a jailed
root they can obtain root privileges on the host system.
With certain inputs, iconv may write beyond the end of
the output buffer.
Impact:
Depending on the way in which iconv is used, an attacker
may be able to create a denial of service, provoke incorrect
program behavior, or induce a remote code execution. iconv
is a libc library function and the nature of possible attacks
will depend on the way in which iconv is used by applications
or daemons.
A bug causes up to three bytes of kernel stack memory
to be written to disk as uninitialized directory entry
padding. This data can be viewed by any user with read
access to the directory. Additionally, a malicious user
with write access to a directory can cause up to 254 bytes
of kernel stack memory to be exposed.
Impact:
Some amount of the kernel stack is disclosed and written
out to the filesystem.
A local or remote attacker can execute programs with root privileges - if you've an unusual configuration.
If your configuration uses the ${sort } expansion for items that can be controlled by an attacker (e.g. $local_part, $domain). The default config, as shipped by the Exim developers, does not contain ${sort }.
The vulnerability is exploitable either remotely or locally and could
be used to execute other programs with root privilege. The ${sort }
expansion re-evaluates its items.
A vulnerability in register allocation in JavaScript can
lead to type confusion, allowing for an arbitrary read and
write. This leads to remote code execution inside the
sandboxed content process when triggered.
CVE-2018-12387:
A vulnerability where the JavaScript JIT compiler inlines
Array.prototype.push with multiple arguments that results
in the stack pointer being off by 8 bytes after a
bailout. This leaks a memory address to the calling
function which can be used as part of an exploit inside
the sandboxed content process.
This Critical Patch Update contains 45 new security fixes for
Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.
A malicious SSH-1 server could trigger a buffer overrun by sending
extremely short RSA keys, or certain bad packet length fields.
Either of these could happen before host key verification, so even
if you trust the server you *intended* to connect to, you would
still be at risk.
(However, the SSH-1 protocol is obsolete, and recent versions of
PuTTY do not try it by default, so you are only at risk if you work
with old servers and have explicitly configured SSH-1.)
If a malicious process found a way to impersonate Pageant, then it
could cause an integer overflow in any of the SSH client tools
(PuTTY, Plink, PSCP, PSFTP) which accessed the malicious Pageant.
Other security-related bug fixes include:
The 'trust sigil' system introduced in PuTTY 0.71 to protect
against server spoofing attacks had multiple bugs. Trust sigils
were not turned off after login in the SSH-1 and Rlogin protocols,
and not turned back on if you used the Restart Session command.
Both are now fixed.
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with additional text
after the address and only quad-dotted notation without trailing whitespaces. Some
inet_aton() implementations ignore whitespace and all data after whitespace, e.g.'127.0.0.1
whatever'.
bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file:// and
local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of
urllib.request.
bpo-36742: Fixes mishandling of pre-normalization characters in urlsplit().
bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded whitespace
or control characters through into the underlying http client request. Such potentially
malicious header injection URLs now cause an http.client.InvalidURL exception to be
raised.
bpo-33529: Prevent fold function used in email header encoding from entering infinite
loop when there are too many non-ASCII characters in a header.
bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and if the PATH
environment variable is not set. Remove also the current directory from posixpath.defpath.
On Unix, shutil.which() and the subprocess module no longer search the executable in the
current directory if the PATH environment variable is not set.
When T.38 faxing is done in Asterisk a T.38 reinvite
may be sent to an endpoint to switch it to T.38. If the
endpoint responds with an improperly formatted SDP answer
including both a T.38 UDPTL stream and an audio or video
stream containing only codecs not allowed on the SIP peer
or user a crash will occur. The code incorrectly assumes
that there will be at least one common codec when T.38
is also in the SDP answer.
Insufficient vetting of parameters passed with the
Prompt:Open IPC message between child and parent processes
can result in the non-sandboxed parent process opening web
content chosen by a compromised child process. When combined
with additional vulnerabilities this could result in executing
arbitrary code on the user's computer.
bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file://
and local_file:// URL schemes in URLopener().open() and URLopener().retrieve()
of urllib.request.
bpo-36742: Fixes mishandling of pre-normalization characters in urlsplit().
bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded
whitespace or control characters through into the underlying http client
request. Such potentially malicious header injection URLs now cause an
http.client.InvalidURL exception to be raised.
bpo-36216: Changes urlsplit() to raise ValueError when the URL contains
characters that decompose under IDNA encoding (NFKC-normalization) into
characters that affect how the URL is parsed.
bpo-33529: Prevent fold function used in email header encoding from
entering infinite loop when there are too many non-ASCII characters in
a header.
bpo-35121: Don't send cookies of domain A without Domain attribute to
domain B when domain A is a suffix match of domain B while using a cookiejar
with http.cookiejar.DefaultCookiePolicy policy. Patch by Karthikeyan
Singaravelan.
Security fixes:
T197279, CVE-2019-12468: Directly POSTing to Special:ChangeEmail would allow
for bypassing reauthentication, allowing for potential account takeover.
T204729, CVE-2019-12473: Passing invalid titles to the API could cause a DoS
by querying the entire `watchlist` table.
T207603, CVE-2019-12471: Loading user JavaScript from a non-existent account
allows anyone to create the account, and XSS the users' loading that script.
T208881: blacklist CSS var().
T199540, CVE-2019-12472: It is possible to bypass the limits on IP range
blocks (`$wgBlockCIDRLimit`) by using the API.
T212118, CVE-2019-12474: Privileged API responses that include whether a
recent change has been patrolled may be cached publicly.
T209794, CVE-2019-12467: A spammer can use Special:ChangeEmail to send out
spam with no rate limiting or ability to block them.
T25227, CVE-2019-12466: An account can be logged out without using a token(CRRF)
T222036, CVE-2019-12469: Exposed suppressed username or log in Special:EditTags.
T222038, CVE-2019-12470: Exposed suppressed log in RevisionDelete page.
T221739, CVE-2019-11358: Fix potential XSS in jQuery.
When deployed behind a reverse-proxy connecting to Django via HTTPS,
django.http.HttpRequest.scheme would incorrectly detect client requests
made via HTTP as using HTTPS. This entails incorrect results for is_secure(),
and build_absolute_uri(), and that HTTP requests would not be redirected to
HTTPS in accordance with SECURE_SSL_REDIRECT.
An authenticated user could create a stack-based buffer overflow
by changing their own password to a purpose-crafted value. In addition
to the ability to crash the PostgreSQL server, this could be further
exploited to execute arbitrary code as the PostgreSQL operating system account.
Additionally, a rogue server could send a specifically crafted
message during the SCRAM authentication process and cause a libpq-enabled client
to either crash or execute arbitrary code as the client's operating system account.
This issue is fixed by upgrading and restarting your PostgreSQL
server as well as your libpq installations. All users running
PostgreSQL 10, 11, and 12 beta are encouraged to upgrade as soon as possible.
Modules.cpp in ZNC before 1.7.4-rc1 allows remote authenticated
non-admin users to escalate privileges and execute arbitrary
code by loading a module with a crafted name.
CVE-2019-10162: An issue has been found in PowerDNS Authoritative Server allowing an authorized user to
cause the server to exit by inserting a crafted record in a MASTER type zone under their control. The
issue is due to the fact that the Authoritative Server will exit when it runs into a parsing error while
looking up the NS/A/AAAA records it is about to use for an outgoing notify.
CVE-2019-10163: An issue has been found in PowerDNS Authoritative Server allowing a remote, authorized
master server to cause a high CPU load or even prevent any further updates to any slave zone by sending
a large number of NOTIFY messages. Note that only servers configured as slaves are affected by this issue.
A type confusion vulnerability can occur when manipulating
JavaScript objects due to issues in Array.pop. This can allow
for an exploitable crash. We are aware of targeted attacks in
the wild abusing this flaw.
CVE-2019-11708: sandbox escape using Prompt:Open
Insufficient vetting of parameters passed with the
Prompt:Open IPC message between child and parent processes can
result in the non-sandboxed parent process opening web content
chosen by a compromised child process. When combined with
additional vulnerabilities this could result in executing
arbitrary code on the user's computer.
CVE-2019-11703: Heap buffer overflow in icalparser.c
A flaw in Thunderbird's implementation of iCal causes a heap
buffer overflow in parser_get_next_char when processing certain
email messages, resulting in a potentially exploitable crash.
CVE-2019-11704: Heap buffer overflow in icalvalue.c
A flaw in Thunderbird's implementation of iCal causes a heap
buffer overflow in icalmemory_strdup_and_dequote when processing
certain email messages, resulting in a potentially exploitable
crash.
CVE-2019-11705: Stack buffer overflow in icalrecur.c
A flaw in Thunderbird's implementation of iCal causes a stack
buffer overflow in icalrecur_add_bydayrules when processing
certain email messages, resulting in a potentially exploitable
crash.
CVE-2019-11706: Type confusion in icalproperty.c
A flaw in Thunderbird's implementation of iCal causes a type
confusion in icaltimezone_get_vtimezone_properties when
processing certain email messages, resulting in a crash.
A type confusion vulnerability can occur when
manipulating JavaScript objects due to issues in
Array.pop. This can allow for an exploitable crash. We are
aware of targeted attacks in the wild abusing this flaw.
The ReadFrame function in the avi.c file uses a variable i_width_bytes,
which is obtained directly from the file. It is a signed integer.
It does not do a strict check before the memory operation(memmove, memcpy),
which may cause a buffer overflow.
CVE-2019-7175: In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c.
CVE-2019-7395: In ImageMagick before 7.0.8-25, a memory leak exists in WritePSDChannel in coders/psd.c.
CVE-2019-7396: In ImageMagick before 7.0.8-25, a memory leak exists in ReadSIXELImage in coders/sixel.c.
CVE-2019-7397: In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c.
CVE-2019-7398: In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c.
CVE-2019-9956: In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file.
CVE-2019-10131: An off-by-one read vulnerability was discovered in ImageMagick before version 7.0.7-28 in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program.
CVE-2019-10649: In ImageMagick 7.0.8-36 Q16, there is a memory leak in the function SVGKeyValuePairs of coders/svg.c, which allows an attacker to cause a denial of service via a crafted image file.
CVE-2019-10650: In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file.
CVE-2019-10714: LocaleLowercase in MagickCore/locale.c in ImageMagick before 7.0.8-32 allows out-of-bounds access, leading to a SIGSEGV.
CVE-2019-11470: The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.
CVE-2019-11472: ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.
CVE-2019-11597: In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file.
CVE-2019-11598: In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c.
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
A vulnerability was found that allows an attacker to
trigger a CSRF attack against a phpMyAdmin user. The
attacker can trick the user, for instance through a broken
tag pointing at the victim's
phpMyAdmin database, and the attacker can potentially
deliver a payload (such as a specific INSERT or DELETE
statement) through the victim.
Severity
We consider this vulnerability to be severe.
Mitigation factor
Only the 'cookie'
auth_type is affected; users can temporary use
phpMyAdmin's http authentication as a workaround.
CVE-2019-11831: By-passing protection of Phar Stream Wrapper Interceptor.
In order to intercept file invocations like file_exists or stat on compromised Phar archives
the base name has to be determined and checked before allowing to be handled by PHP
Phar stream handling.
The current implementation is vulnerable to path traversal leading to scenarios where the
Phar archive to be assessed is not the actual (compromised) file.
We received a report of a possible remote exploit. Currently there is no evidence of an active use of this exploit.
A patch exists already, is being tested, and backported to all
versions we released since (and including) 4.87.
The severity depends on your configuration. It depends on how close to
the standard configuration your Exim runtime configuration is. The
closer the better.
The clickable "Current URL" link generated by AdminURLFieldWidget displayed the
provided value without validating it as a safe URL. Thus, an unvalidated value stored
in the database, or a value provided as a URL query parameter payload, could result
in an clickable JavaScript link..
jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution. If an unsanitized source object contained an enumerable __proto__ property,
it could extend the native Object.prototype.
Buildbot accepted user-submitted authorization token from OAuth and used
it to authenticate user.
The vulnerability can lead to malicious attackers to authenticate as legitimate users
of a Buildbot instance without knowledge of the victim's login credentials on certain
scenarios.
If an attacker has an application authorized to access data of another user at the
same Identity Provider as the used by the Buildbot instance, then he can acquire a token
to access the data of that user, supply the token to the Buildbot instance and successfully
login as the victim.
The following Denial of Service vulnerabilities are addressed:
Integer type mismatches in BinPAC-generated parser code
and Bro analyzer code may allow for crafted packet data
to cause unintentional code paths in the analysis logic
to be taken due to unsafe integer conversions causing the
parser and analysis logic to each expect different fields
to have been parsed. One such example, reported by Maksim
Shudrak, causes the Kerberos analyzer to dereference a
null pointer. CVE-2019-12175 was assigned for this issue.
The Kerberos parser allows for several fields to be left
uninitialized, but they were not marked with an &optional
attribute and several usages lacked existence checks.
Crafted packet data could potentially cause an attempt
to access such uninitialized fields, generate a runtime
error/exception, and leak memory. Existence checks and
&optional attributes have been added to the relevent
Kerberos fields.
BinPAC-generated protocol parsers commonly contain fields
whose length is derived from other packet input, and for
those that allow for incremental parsing, BinPAC did not
impose a limit on how large such a field could grow,
allowing for remotely-controlled packet data to cause
growth of BinPAC's flowbuffer bounded only by the numeric
limit of an unsigned 64-bit integer, leading to memory
exhaustion. There is now a generalized limit for how
large flowbuffers are allowed to grow, tunable by setting
"BinPAC::flowbuffer_capacity_max".
An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.
An issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the function SSHParseBanner is composed only of a \n character, then the program runs into a heap-based buffer over-read. This occurs because the erroneous search for \r results in an integer underflow.
Serendipity before 2.1.5 has XSS via EXIF data that is mishandled in the templates/2k11/admin/media_choose.tpl Editor Preview feature or the templates/2k11/admin/media_items.tpl Media Library feature.
OCaml before 4.03.0 does not properly handle sign extensions, which allows remote attackers to conduct buffer overflow attacks or obtain sensitive information as demonstrated by a long string to the String.copy function.
* CVE-2019-10691: Trying to login with 8bit username containing
invalid UTF8 input causes auth process to crash if auth policy is
enabled. This could be used rather easily to cause a DoS. Similar
crash also happens during mail delivery when using invalid UTF8 in
From or Subject header when OX push notification driver is used.
CVE-2019-5435: Integer overflows in curl_url_set()
libcurl contains two integer overflows in the curl_url_set()
function that if triggered, can lead to a too small buffer
allocation and a subsequent heap buffer overflow.
The flaws only exist on 32 bit architectures and require
excessive string input lengths.
CVE-2019-5436: TFTP receive buffer overflow
libcurl contains a heap buffer overflow in the function
(tftp_receive_packet()) that recevives data from a TFTP server. It
calls recvfrom() with the default size for the buffer rather than
with the size that was used to allocate it. Thus, the content that
might overwrite the heap memory is entirely controlled by the server.
The flaw exists if the user selects to use a "blksize" of 504 or
smaller (default is 512). The smaller size that is used, the larger
the possible overflow becomes.
Users chosing a smaller size than default should be rare as the
primary use case for changing the size is to make it larger.
It is rare for users to use TFTP across the Internet. It is most
commonly used within local networks.
The Rust Programming Language Standard Library 1.34.x
before 1.34.2 contains a stabilized method which, if
overridden, can violate Rust's safety guarantees and
cause memory unsafety. If the Error::type_id method
is overridden then any type can be safely cast to any
other type, causing memory safety vulnerabilities in
safe code (e.g., out-of-bounds write or read). Code
that does not manually implement Error::type_id is
unaffected.
The checksum validation in the S4U2Self handler in the embedded Heimdal KDC
did not first confirm that the checksum was keyed, allowing replacement of the
requested target (client) principal
Authenticated users with write permission can trigger a symlink traversal to write
or detect files outside the Samba share.
PostgreSQL maintains statistics for tables by sampling
data available in columns; this data is consulted during
the query planning process. Prior to this release, a user
able to execute SQL queries with permissions to read a
given column could craft a leaky operator that could
read whatever data had been sampled from that column.
If this happened to include values from rows that the user
is forbidden to see by a row security policy, the user
could effectively bypass the policy. This is fixed by only
allowing a non-leakproof operator to use this data if
there are no relevant row security policies for the table.
Prior to this release, a user running PostgreSQL 11 can read
arbitrary bytes of server memory by executing a purpose-crafted
INSERT statement to a partitioned table.
Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting. This can lead to denial-of-service attack by persistent attacker(s).
Aki Tuomi reports:
Submission-login crashes when authentication is started over TLS secured channel and invalid authentication message is sent. This can lead to denial-of-service attack by persistent attacker(s).
A CRLF can be injected in Location header of /auth/login and /auth/logout
This is due to lack of input validation in the buildbot redirection code.
It was not found a way to impact Buildbot product own security through
this vulnerability, but it could be used to compromise other sites
hosted on the same domain as Buildbot.
- cookie injection a master domain (ie if your buildbot is on
buildbot.buildbot.net, one can inject a cookie on *.buildbot.net,
which could impact another website hosted in your domain)
- HTTP response splitting and cache poisoning (browser or proxy) are
also typical impact of this vulnerability class, but might be impractical
to exploit.
CVE-2019-10909: Escape validation messages in the PHP templating engine.
CVE-2019-10910: Check service IDs are valid.
CVE-2019-10911: Add a separator in the remember me cookie hash.
jQuery 3.4.0 includes a fix for some unintended behavior when using
jQuery.extend(true, {}, ...). If an unsanitized source object contained
an enumerable __proto__ property, it could extend the native Object.prototype.
This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous
jQuery versions.
It's possible that this vulnerability is exploitable with some Drupal modules.
As a precaution, this Drupal security release backports the fix to jQuery.extend(),
without making any other changes to the jQuery version that is included in
Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site
via some other module such as jQuery Update.
Potential side channel attacks in the SAE implementations used
by both hostapd and wpa_supplicant (see CVE-2019-9494 and VU#871675).
EAP-pwd uses a similar design for deriving PWE from the password and
while a specific attack against EAP-pwd is not yet known to be tested,
there is no reason to believe that the EAP-pwd implementation would
be immune against the type of cache attack that was identified for the
SAE implementation. Since the EAP-pwd implementation in hostapd (EAP
server) and wpa_supplicant (EAP peer) does not support MODP groups,
the timing attack described against SAE is not applicable for the
EAP-pwd implementation.
See
https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt
for a detailed description of the bug.
Impact:
All wpa_supplicant and hostapd versions with EAP-pwd support
(CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
in the runtime configuration).
Side channel attacks in the SAE implementations used by both
hostapd (AP) and wpa_supplicant (infrastructure BSS station/mesh
station). SAE (Simultaneous Authentication of Equals) is also known
as WPA3-Personal. The discovered side channel attacks may be able to
leak information about the used password based on observable timing
differences and cache access patterns. This might result in full
password recovery when combined with an offline dictionary attack and
if the password is not strong enough to protect against dictionary
attacks.
See
https://w1.fi/security/2019-1/sae-side-channel-attacks.txt
for a detailed description of the bug.
Impact:
All wpa_supplicant and hostapd versions with SAE support
(CONFIG_SAE=y in the build configuration and SAE being enabled in
the runtime configuration).
When hostapd is used to operate an access point with SAE
(Simultaneous Authentication of Equals; also known as WPA3-Personal),
an invalid authentication sequence could result in the hostapd process
terminating due to a NULL pointer dereference when processing SAE
confirm message. This was caused by missing state validation steps
when processing the SAE confirm message in hostapd/AP mode.
See
https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
for a detailed description of the bug.
Impact:
All hostapd versions with SAE support (CONFIG_SAE=y in the build
configuration and SAE being enabled in the runtime configuration).
EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant
(EAP peer) does not to validate fragmentation reassembly state
properly for a case where an unexpected fragment could be received.
This could result in process termination due to NULL pointer
dereference.
See
https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt
for a detailed description of the bug.
Impact:
All wpa_supplicant and hostapd versions with EAP-pwd support could
suffer a denial of service attack through process termination.
Two security vulnerabilities have recently been identified in the Envoy proxy.
The vulnerabilities are centered on the fact that Envoy did not normalize
HTTP URI paths and did not fully validate HTTP/1.1 header values. These
vulnerabilities impact Istio features that rely on Envoy to enforce any of
authorization, routing, or rate limiting.
It was found that the superexec operator was available in the
internal dictionary in ghostscript before 9.27. A specially crafted
PostScript file could use this flaw in order to, for example, have
access to the file system outside of the constrains imposed by
-dSAFER.
It was found that the forceput operator could be extracted from
the DefineResource method in ghostscript before 9.27. A specially
crafted PostScript file could use this flaw in order to, for
example, have access to the file system outside of the constrains
imposed by -dSAFER.
Tavis Ormandy from Google Project Zero found a memory
corruption (double free) vulnerability in the certificate
verification API. Any client or server application that verifies
X.509 certificates with GnuTLS 3.5.8 or later is affected.
It was found using the TLS fuzzer tools that decoding a
malformed TLS1.3 asynchronous message can cause a server crash
via an invalid pointer access. The issue affects GnuTLS server
applications since 3.6.4.
Critical Patch Update Oracle MySQL Executive Summary
This Critical Patch Update contains 44 new security fixes for
Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.
The Oracle MySQL products and versions affected by vulnerabilities
that are fixed in this Critical Patch Update are: MySQL Server, versions
5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
Further details will be published by Oracle on 2019-04-16
set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a
file's origin URL in the user.xdg.origin.url metadata attribute
of the extended attributes of the downloaded file, which allows
local users to obtain sensitive information (e.g., credentials
contained in the URL) by reading this attribute, as demonstrated
by getfattr. This also applies to Referer information in the
user.xdg.referrer.url metadata attribute.
Login pages tend to take a parameter for redirecting back to a page
after successful login, e.g. /login?next=/notebooks/mynotebook.ipynb, so
that you aren't disrupted too much if you try to visit a page, but have
to authenticate first. An Open Redirect Vulnerability is when a
malicious person crafts a link pointing to the login page of a trusted
site, but setting the "redirect after successful login" parameter to
send the user to their own site, instead of a page on the authenticated
site (the notebook or JupyterHub server), e.g.
/login?next=http://badwebsite.biz. This doesn't necessarily compromise
anything immediately, but it enables phishing if users don't notice
that the domain has changed, e.g. by showing a fake "re-enter your
password" page. Servers generally have to validate the redirect URL to
avoid this. Both JupyterHub and Notebook already do this, but the
validation didn't take into account all possible ways to redirect to
other sites, so some malicious URLs could still be crafted to redirect
away from the server (the above example does not work in any recent
version of either package). Only certain browsers (Chrome and Firefox,
not Safari) could be redirected from the JupyterHub login page, but all
browsers could be redirected away from a standalone notebook server.
A security issue was discovered with the Kubernetes kubectl cp
command that could enable a directory traversal replacing or
deleting files on a userâs workstation.
In OpenJPEG 2.3.0, there is an integer overflow vulnerability in the
opj_t1_encode_cblks function (openjp2/t1.c). Remote attackers could
leverage this vulnerability to cause a denial of service via a crafted
bmp file.
Vulnerability Details:
When reading FTS or POP3-UIDL header from dovecot index, the input
buffer size is not bound, and data is copied to target structure causing
stack overflow.
Risk:
This can be used for local root privilege escalation or executing
arbitrary code in dovecot process context. This requires ability to
directly modify dovecot indexes.
Steps to reproduce:
Produce dovecot.index.log entry that creates an FTS header which has
more than 12 bytes of data.
Trigger dovecot indexer-worker or run doveadm index.
Dovecot will crash.
Mitigations:
Since 2.3.0 dovecot has been compiled with stack smash protection, ASLR,
read-only GOT tables and other techniques that make exploiting this bug
much harder.
Under certain circumstances the File module/subsystem allows a malicious
user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
bpo-35746: [CVE-2019-5010] Fix a NULL pointer deref in ssl module. The
cert parser did not handle CRL distribution points with empty DP or URI
correctly. A malicious or buggy certificate can result into segfault.
Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet
of Cisco.
It was discovered that libXdmcp before 1.1.3 used weak
entropy to generate session keys on platforms without
arc4random_buf() but with getentropy(). On a multi-user system using
xdmcp, a local attacker could potentially use information available
from the process list to brute force the key, allowing them to
hijack other users' sessions.
Please note, that since FreeBSD provides arc4random_buf(), it is
unknown if FreeBSD is affected by this vulnerability
An issue has been found in PowerDNS Authoritative Server when the HTTP remote backend is used in RESTful mode (without post=1 set), allowing a remote user to cause the HTTP backend to connect to an attacker-specified host instead of the configured one, via a crafted DNS query. This can be used to cause a denial of service by preventing the remote backend from getting a response, content spoofing if the attacker can time its own query so that subsequent queries will use an attacker-controlled HTTP server instead of the configured one, and possibly information disclosure if the Authoritative Server has access to internal servers.
Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 have been released! These contain the following important security fixes. It is recommended that users upgrade as soon as possible:
CVE-2019-5418 File Content Disclosure in Action View
CVE-2019-5419 Denial of Service Vulnerability in Action View
5.7.6 contains a security fix for a cross-site inclusion (XSSI)
vulnerability, where files at a known URL could be included in a page
from an unauthorized website if the user is logged into a Jupyter
server. The fix involves setting the X-Content-Type-Options: nosniff
header, and applying CSRF checks previously on all non-GET API requests
to GET requests to API endpoints and the /files/ endpoint.
The attacking page is able to access some contents of files when using
Internet Explorer through script errors, but this has not been
demonstrated with other browsers. A CVE has been requested for this
vulnerability.
0-byte record padding oracle (CVE-2019-1559) (Moderate)
If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive
one) then OpenSSL can respond differently to the calling application if
a 0 byte record is received with invalid padding compared to if a 0 byte
record is received with an invalid MAC. If the application then behaves
differently based on that in a way that is detectable to the remote peer,
then this amounts to a padding oracle that could be used to decrypt data.
Low: ChaCha20-Poly1305 with long nonces (CVE-2019-1543)
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce
input for every encryption operation. RFC 7539 specifies that the nonce
value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce
length and front pads the nonce with 0 bytes if it is less than 12 bytes.
However it also incorrectly allows a nonce to be set of up to 16 bytes.
In this case only the last 12 bytes are significant and any additional
leading bytes are ignored.
The version of jQuery used in RT 4.2 and 4.4 has a
Cross-site Scripting (XSS) vulnerability when using
cross-domain Ajax requests. This vulnerability is assigned
CVE-2015-9251. RT
does not use this jQuery feature so it is not directly
vulnerable. jQuery version 1.12 no longer receives official
updates, however a fix was posted with recommendations for
applications to patch locally, so RT will follow this
recommendation and ship with a patched version.
rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in allowscp permission that can result in Local command execution. This attack appear to be exploitable via An authorized SSH user with the allowscp permission.
Insufficient sanitization of arguments passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands.
slixmpp version before commit 7cd73b594e8122dddf847953fcfc85ab4d316416
contains an incorrect Access Control vulnerability in XEP-0223 plugin
(Persistent Storage of Private Data via PubSub) options profile, used
for the configuration of default access model that can result in
all of the contacts of the victim can see private data having been
published to a PEP node. This attack appears to be exploitable
if the user of this library publishes any private data on PEP,
the node isn't configured to be private. This vulnerability appears
to have been fixed in commit 7cd73b594e8122dddf847953fcfc85ab4d316416
which is included in slixmpp 1.4.2.
gunicorn version 19.4.5 contains a CWE-113: Improper
Neutralization of CRLF Sequences in HTTP Headers vulnerability
in process_headers function in gunicorn/http/wsgi.py
that can result in an attacker causing the server to
return arbitrary HTTP headers.
Updates are now available for all active Node.js release lines. In addition to fixes for security flaws in Node.js, they also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2r which contains a fix for a moderate severity security vulnerability.
For these releases, we have decided to withhold the fix for the Misinterpretation of Input (CWE-115) flaw mentioned in the original announcement. This flaw is very low severity and we are not satisfied that we had a complete and stable fix ready for release. We will be seeking to address this flaw via alternate mechanisms in the near future. In addition, we have introduced an additional CVE for a change in Node.js 6 that we have decided to classify as a Denial of Service (CWE-400) flaw.
We recommend that all Node.js users upgrade to a version listed below as soon as possible.
OpenSSL: 0-byte record padding oracle (CVE-2019-1559)
OpenSSL 1.0.2r contains a fix for CVE-2019-1559 and is included in the releases for Node.js versions 6 and 8 only. Node.js 10 and 11 are not impacted by this vulnerability as they use newer versions of OpenSSL which do not contain the flaw.
Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data.
Only TLS connections using certain ciphersuites executing under certain conditions are exploitable. We are currently unable to determine whether the use of OpenSSL in Node.js exposes this vulnerability. We are taking a cautionary approach and recommend the same for users. For more information, see the advisory and a detailed write-up by the reporters of the vulnerability.
CVE-2019-6212 - Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2019-6215 - Processing maliciously crafted web content may lead to arbitrary code execution. A type confusion issue was addressed with improved memory handling.
CVE-2019-6216 - Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2019-6217 - Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2019-6226 - Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2019-6227 - Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling.
CVE-2019-6229 - Processing maliciously crafted web content may lead to universal cross site scripting. A logic issue was addressed with improved validation.
CVE-2019-6233 - Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling.
CVE-2019-6234 - Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling.
The callee-save registers are used by kernel and for
some of them (%r8, %r10, and for non-PTI configurations,
%r9) the content is not sanitized before return from syscalls,
potentially leaking sensitive information.
Impact:
Typically an address of some kernel data structure used
in the syscall implementation, is exposed.
FreeBSD 12.0 attempts to handle the case where the
receiving process does not provide a sufficiently large
buffer for an incoming control message containing rights.
In particular, to avoid leaking the corresponding descriptors
into the receiving process' descriptor table, the kernel
handles the truncation case by closing descriptors referenced
by the discarded message.
The code which performs this operation failed to release
a reference obtained on the file corresponding to a received
right. This bug can be used to cause the reference counter
to wrap around and free the file structure.
Impact:
A local user can exploit the bug to gain root privileges
or escape from a jail.
libcurl contains a heap buffer out-of-bounds read flaw.
The function handling incoming NTLM type-2 messages
(lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming
data correctly and is subject to an integer overflow vulnerability.
Using that overflow, a malicious or broken NTLM server could trick
libcurl to accept a bad length + offset combination that would lead to a
buffer read out-of-bounds.
libcurl contains a stack based buffer overflow vulnerability.
The function creating an outgoing NTLM type-3 header
(lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()), generates the
request HTTP header contents based on previously received data. The
check that exists to prevent the local buffer from getting overflowed is
implemented wrongly (using unsigned math) and as such it does not
prevent the overflow from happening.
This output data can grow larger than the local buffer if very large
"nt response" data is extracted from a previous NTLMv2 header provided
by the malicious or broken HTTP server.
Such a "large value" needs to be around 1000 bytes or more. The actual
payload data copied to the target buffer comes from the NTLMv2 type-2
response header.
libcurl contains a heap out-of-bounds read in the code handling the
end-of-response for SMTP.
If the buffer passed to smtp_endofresp() isn't NUL terminated and
contains no character ending the parsed number, and len is set to 5,
then the strtol() call reads beyond the allocated buffer. The read
contents will not be returned to the caller.
Normally Dovecot is configured to authenticate
imap/pop3/managesieve/submission clients using regular username/password
combination. Some installations have also required clients to present a
trusted SSL certificate on top of that. It's also possible to configure
Dovecot to take the username from the certificate instead of from the
user provided authentication. It's also possible to avoid having a
password at all, only trusting the SSL certificate.
If the provided trusted SSL certificate is missing the username field,
Dovecot should be failing the authentication. However, the earlier
versions will take the username from the user provided authentication
fields (e.g. LOGIN command). If there is no additional password
verification, this allows the attacker to login as anyone else in the
system.
This affects only installations using:
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
Attacker must also have access to a valid trusted certificate without
the ssl_cert_username_field in it. The default is commonName, which
almost certainly exists in all certificates. This could happen for
example if ssl_cert_username_field is a field that normally doesn't
exist, and attacker has access to a web server's certificate (and key),
which is signed with the same CA.
Attack can be migitated by having the certificates with proper Extended
Key Usage, such as 'TLS Web Server' and 'TLS Web Server Client'.
Also, ssl_cert_username_field setting was ignored with external SMTP
AUTH, because none of the MTAs (Postfix, Exim) currently send the
cert_username field. This may have allowed users with trusted
certificate to specify any username in the authentication. This does not
apply to Dovecot Submission service.
0.06 2019-01-02
- Changes to address CVE-2018-18898 which could allow DDoS-type attacks.
Thanks to Lukas Kramer for reporting the issue and Alex Vandiver for
contributing fixes.
- Fix pathological backtracking for unkown regex
- Fix pathological backtracking in obs-phrase(i.e. obs-display-name)
- Fix pathological backtracking in cfws, quoted strings
When AllowArbitraryServer configuration set
to true, with the use of a rogue MySQL server,
an attacker can read any file on the server that the web
server's user can access.
phpMyadmin attempts to block the use of LOAD DATA
INFILE, but due to a bug in PHP,
this check is not honored. Additionally, when using the
'mysql' extension, mysql.allow_local_infile
is enabled by default. Both of these conditions allow the
attack to occur.
Severity
We consider this vulnerability to be critical.
Mitigation factor
This attack can be mitigated by setting the
`AllowArbitraryServer` configuration directive to false
(which is the default value).
Affected Versions
phpMyAdmin versions from at least 4.0 through 4.8.4 are
affected
Summary
SQL injection in Designer feature
Description
A vulnerability was reported where a specially crafted
username can be used to trigger an SQL injection attack
through the designer feature.
Severity
We consider this vulnerability to be serious.
Affected Versions
phpMyAdmin versions from 4.5.0 through 4.8.4 are affected
The Requests package before 2.20.0 for Python sends an HTTP Authorization header
to an http URI upon receiving a same-hostname https-to-http redirect, which makes
it easier for remote attackers to discover credentials by sniffing the network.
A timing side channel during ECC key generation could leak information about the
high bits of the secret scalar. Such information allows an attacker to perform a
brute force attack on the key somewhat more efficiently than they would otherwise.
Found by Ján JanÄár using ECTester.
A vulnerability has been found that would allow attackers to direct a peer to
jump to and execute from an address indicated by the attacker.
This issue has been present since v4.2.0. Older releases are not affected.
NOTE: The attacker needs to know in advance valid addresses in the peer's
memory to jump to, so measures like ASLR are effective mitigations.
NOTE: this attack can only take place after authentication, so peers behind
CURVE/GSSAPI are not vulnerable to unauthenticated attackers.
SECURITY: CVE-2018-17199
mod_session: mod_session_cookie does not respect expiry time allowing
sessions to be reused.
SECURITY: CVE-2019-0190
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later. PR 63052.
SECURITY: CVE-2018-17189
mod_http2: fixes a DoS attack vector. By sending slow request bodies
to resources not consuming them, httpd cleanup code occupies a server
thread unnecessarily. This was changed to an immediate stream reset
which discards all stream state and incoming data.
CVE-2019-3806: An issue has been found in PowerDNS Recursor where Lua hooks are
not properly applied to queries received over TCP in some specific combination of
settings, possibly bypassing security policies enforced using Lua.
When the recursor is configured to run with more than one thread (threads=X) and to
do the distribution of incoming queries to the worker threads itself
(pdns-distributes-queries=yes), the Lua script is not properly loaded in the thread
handling incoming TCP queries, causing the Lua hooks to not be properly applied.
CVE-2019-3807: An issue has been found in PowerDNS Recursor where records in the
answer section of responses received from authoritative servers with the AA flag not
set were not properly validated, allowing an attacker to bypass DNSSEC validation.
A remote code execution vulnerability exists in PHP's built-in
phar stream wrapper when performing file operations on an untrusted phar:// URI.
Some Drupal code (core, contrib, and custom) may be performing file operations on
insufficiently validated user input, thereby being exposed to this vulnerability.
This vulnerability is mitigated by the fact that such code paths typically require
access to an administrative permission or an atypical configuration.
A specially crafted chart may be able to unpack content into locations on
the filesystem outside of the chart's path, potentially
overwriting existing files.
Out-of-bounds read in uriParse*Ex* for incomplete URIs with IPv6
addresses with embedded IPv4 address, e.g. "//[::44.1";
mitigated if passed parameter afterLast points to readable memory
containing a '\0' byte.
An attacker could craft a malicious URL that could make spoofed content
appear on the default page generated by the django.views.defaults.page_not_found()
view.
Note that this update can not automatically fix possible damage
done by using -setperms, -setugids or -restore with rpm 4.14.2, it
merely fixes the functionlity itself. Any damage needs to be
investigated and fixed manually, such as using -verify and -restore
or reinstalling packages.
SAML messages, assertions, and metadata all commonly contain
date/time information in a standard XML format.
Invalid formatted data in such fields cause an exception of a type
that was not handled properly in the V3 software and causes a crash
(usually to the shibd daemon process, but possibly to Apache in rare
cases). Note that the crash occurs prior to evaluation of a message's
authenticity, so can be exploited by an untrusted attacker.
The problem is believed to be specific to the V3 software and would
not cause a crash in the older, now unsupported, V2 software.
Bro 2.6.1 updates the embedded SQLite to version 3.26.0
to address the "Magellan" remote code execution vulnerability.
The stock Bro configuration/scripts don't use SQLite by
default, but custom user scripts/packages may.
Due to insufficient validation of network-provided data
it may be possible for a malicious attacker to craft a bootp
packet which could cause a stack buffer overflow.
Impact:
It is possible that the buffer overflow could lead to a
Denial of Service or remote code execution.
WordPress versions 5.0 and earlier are affected by the following bugs, which are
fixed in version 5.0.1. Updated versions of WordPress 4.9 and older releases are
also available, for users who have not yet updated to 5.0.
Karim El Ouerghemmi discovered that authors could alter meta data to delete files
that they werenât authorized to.
Simon Scannell of RIPS Technologies discovered that authors could create posts of
unauthorized post types with specially crafted input.
Sam Thomas discovered that contributors could craft meta data in a way that resulted
in PHP object injection.
Tim Coen discovered that contributors could edit new comments from higher-privileged
users, potentially leading to a cross-site scripting vulnerability.
Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site
scripting vulnerability in some circumstances. WordPress itself was not affected,
but plugins could be in some situations.
Team Yoast discovered that the user activation screen could be indexed by search
engines in some uncommon configurations, leading to exposure of email addresses,
and in some rare cases, default generated passwords.
Tim Coen and Slavco discovered that authors on Apache-hosted sites could upload
specifically crafted files that bypass MIME verification, leading to a cross-site
scripting vulnerability.
An attacker who can run code on the same machine that is
performing an RSA decryption can potentially recover the plaintext
through a Bleichenbacher-like oracle.
CKEditor 4.11 fixes an XSS vulnerability in the HTML parser reported by maxarr.
The vulnerability stemmed from the fact that it was possible to execute XSS inside
the CKEditor source area after persuading the victim to: (i) switch CKEditor to
source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker,
into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode.
Although this is an unlikely scenario, we recommend to upgrade to the latest editor version.
Failing to properly encode user input, online media asset rendering
(*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user
account or write access on the server system (e.g. SFTP) is needed in order to exploit this
vulnerability.
Failing to properly encode user input, notifications shown in modal windows in the TYPO3
backend are vulnerable to cross-site scripting. A valid backend user account is needed in
order to exploit this vulnerability.
Failing to properly encode user input, login status display is vulnerable to cross-site
scripting in the website frontend. A valid user account is needed in order to exploit this
vulnerability - either a backend user or a frontend user having the possibility to modify
their user profile.
Template patterns that are affected are:
###FEUSER_[fieldName]### using system extension felogin
for regular frontend rendering
(pattern can be defined individually using TypoScript setting
config.USERNAME_substToken)
It has been discovered that cookies created in the Install Tool are not hardened to be
submitted only via HTTP. In combination with other vulnerabilities such as cross-site
scripting it can lead to hijacking an active and valid session in the Install Tool.
The Install Tool exposes the current TYPO3 version number to non-authenticated users.
Online Media Asset Handling (*.youtube and *.vimeo files) in the TYPO3 backend is vulnerable
to denial of service. Putting large files with according file extensions results in high
consumption of system resources. This can lead to exceeding limits of the current PHP process
which results in a dysfunctional backend component. A valid backend user account or write
access on the server system (e.g. SFTP) is needed in order to exploit this vulnerability.
TYPO3âs built-in record registration functionality (aka âbasic shopping cartâ) using recs
URL parameters is vulnerable to denial of service. Failing to properly ensure that anonymous
user sessions are valid, attackers can use this vulnerability in order to create an arbitrary
amount of individual session-data records in the database.
Database Administrator could achieve privilege escalation to
the account that CouchDB runs under, by abusing insufficient validation
in the HTTP API, escaping security controls implemented in previous
releases.
Local file inclusion through transformation feature
Description
A flaw has been found where an attacker can exploit
phpMyAdmin to leak the contents of a local file. The
attacker must have access to the phpMyAdmin Configuration
Storage tables, although these can easily be created in any
database to which the attacker has access. An attacker must
have valid credentials to log in to phpMyAdmin; this
vulnerability does not allow an attacker to circumvent the
login system.
Severity
We consider this vulnerability to be severe.
Summary
XSRF/CSRF vulnerability in phpMyAdmin
Description
By deceiving a user to click on a crafted URL, it is
possible to perform harmful SQL operations such as renaming
databases, creating new tables/routines, deleting designer
pages, adding/deleting users, updating user passwords,
killing SQL processes, etc.
Severity
We consider this vulnerability to be of moderate severity.
Summary
XSS vulnerability in navigation tree
Description
A Cross-Site Scripting vulnerability was found in the
navigation tree, where an attacker can deliver a payload to
a user through a specially-crafted database/table name.
Severity
We consider this attack to be of moderate severity.
Mitigation factor
The stored XSS vulnerabilities can be triggered only by
someone who logged in to phpMyAdmin, as the usual token
protection prevents non-logged-in users from accessing the
required forms.
Insufficient and improper checking in the NFS server
code could cause a denial of service or possibly remote
code execution via a specially crafted network packet.
Impact:
A remote attacker could cause the NFS server to crash,
resulting in a denial of service, or possibly execute
arbitrary code on the server.
Updates are now available for all active Node.js release lines. These include fixes for the vulnerabilities identified in the initial announcement. They also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2q, and upgrades of Node.js 10 and 11 to OpenSSL 1.1.0j.
We recommend that all Node.js users upgrade to a version listed below as soon as possible.
Debugger port 5858 listens on any interface by default (CVE-2018-12120)
All versions of Node.js 6 are vulnerable and the severity is HIGH. When the debugger is enabled with node --debug or node debug, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as node --debug=localhost. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.
Denial of Service with large HTTP headers (CVE-2018-12121)
All versions of 6 and later are vulnerable and the severity is HIGH. By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.
The total size of HTTP headers received by Node.js now must not exceed 8192 bytes.
"Slowloris" HTTP Denial of Service (CVE-2018-12122)
All versions of Node.js 6 and later are vulnerable and the severity is LOW. An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer.
A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service.
Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
All versions of Node.js 6 and later are vulnerable and the severity is LOW. If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
HTTP request splitting (CVE-2018-12116)
Node.js 6 and 8 are vulnerable and the severity is MEDIUM. If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.
OpenSSL Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side-channel attack. An attacker could use variations in the signing algorithm to recover the private key.
OpenSSL Timing vulnerability in DSA signature generation (CVE-2018-0734)
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side-channel attack. An attacker could use variations in the signing algorithm to recover the private key.
OpenSSL Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side-channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key.
Insufficient bounds checking in one of the device models
provided by bhyve(8) can permit a guest operating system
to overwrite memory in the bhyve(8) processing possibly
permitting arbitary code execution.
Impact:
A guest OS using a firmware image can cause the bhyve
process to crash, or possibly execute arbitrary code on the
host as root.
CVE-2018-16855: An issue has been found in PowerDNS Recursor where a remote attacker sending a DNS query can trigger an out-of-bounds memory read while computing the hash of the query for a packet cache lookup, possibly leading to a crash. When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, a crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.
The SSH server implementation of AsyncSSH before 1.12.1 does not properly check
whether authentication is completed before processing other requests
A customized SSH client can simply skip the authentication step.
* Fixed: Out-of-bounds write in uriComposeQuery* and uriComposeQueryEx*
Commit 864f5d4c127def386dd5cc926ad96934b297f04e
Thanks to Google Autofuzz team for the report!
* Fixed: Detect integer overflow in uriComposeQuery* and uriComposeQueryEx*
Commit f76275d4a91b28d687250525d3a0c5509bbd666f
Thanks to Google Autofuzz team for the report!
* Fixed: Protect uriResetUri* against acting on NULL input
Commit f58c25069cf4a986fe17a80c5b38687e31feb539
Rails 4.2.11, 5.0.7.1, 5.1.6.1 and 5.2.1.1 have been released! These
contain the following important security fixes, and it is recommended
that users upgrade as soon as possible
CVE-2018-16476 Broken Access Control vulnerability in Active Job:
Carefully crafted user input can cause Active Job to deserialize it
using GlobalId and allow an attacker to have access to information that
they should not have.
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP
PUTs enabled (e.g. via setting the readonly initialisation
parameter of the Default to false) it was possible to upload a
JSP file to the server via a specially crafted request. This
JSP could then be requested and any code it contained would be
executed by the server.
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before
2.9.5 allows unauthenticated remote code execution because of
an incomplete fix for the CVE-2017-7525 deserialization flaw.
This is exploitable by sending maliciously crafted JSON input
to the readValue method of the ObjectMapper, bypassing a
blacklist that is ineffective if the c3p0 libraries are
available in the classpath.
messagelib is the library used by KMail to display emails.
messagelib by default displays emails as plain text, but gives the user
an option to "Prefer HTML to plain text" in the settings and if that option
is not enabled there is way to enable HTML display when an email contains HTML.
Some HTML emails can trick messagelib into opening a new browser window when
displaying said email as HTML.
This happens even if the option to allow the HTML emails to access
remote servers is disabled in KMail settings.
This means that the owners of the servers referred in the email can see
in their access logs your IP address.
Vulnerability in the Oracle GlassFish Server component of
Oracle Fusion Middleware (subcomponent: Administration).
Supported versions that are affected are 3.0.1 and 3.1.2.
Easily exploitable vulnerability allows low privileged attacker
with logon to the infrastructure where Oracle GlassFish Server
executes to compromise Oracle GlassFish Server. Successful
attacks of this vulnerability can result in unauthorized read
access to a subset of Oracle GlassFish Server accessible data.
CVSS v3.0 Base Score 3.3 (Confidentiality impacts).
Vulnerability in the Oracle GlassFish Server component of Oracle
Fusion Middleware (subcomponent: Core). Supported versions that
are affected are 2.1.1, 3.0.1 and 3.1.2. Easily exploitable
vulnerability allows unauthenticated attacker with network access
via SMTP to compromise Oracle GlassFish Server. Successful
attacks require human interaction from a person other than the
attacker. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of Oracle
GlassFish Server accessible data. CVSS v3.0 Base Score 4.3
(Integrity impacts).
Vulnerability in the Oracle GlassFish Server component of
Oracle Fusion Middleware (subcomponent: Security). Supported
versions that are affected are 2.1.1, 3.0.1 and 3.1.2.
Easily exploitable vulnerability allows unauthenticated attacker
with network access via LDAP to compromise Oracle GlassFish Server.
Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle GlassFish Server
accessible data as well as unauthorized read access to a subset of
Oracle GlassFish Server accessible data and unauthorized ability
to cause a partial denial of service (partial DOS) of Oracle
GlassFish Server. CVSS v3.0 Base Score 7.3 (Confidentiality,
Integrity and Availability impacts).
Vulnerability in the Oracle GlassFish Server component of Oracle
Fusion Middleware (subcomponent: Security). Supported versions that
are affected are 2.1.1, 3.0.1 and 3.1.2. Easily exploitable
vulnerability allows unauthenticated attacker with network access
via HTTP to compromise Oracle GlassFish Server. Successful attacks
of this vulnerability can result in unauthorized update, insert or
delete access to some of Oracle GlassFish Server accessible data as
well as unauthorized read access to a subset of Oracle GlassFish
Server accessible data and unauthorized ability to cause a partial
denial of service (partial DOS) of Oracle GlassFish Server.
CVSS v3.0 Base Score 7.3 (Confidentiality, Integrity and
Availability impacts).
Vulnerability in the Oracle GlassFish Server component of Oracle
Fusion Middleware (subcomponent: Security). Supported versions that
are affected are 2.1.1, 3.0.1 and 3.1.2. Difficult to exploit
vulnerability allows unauthenticated attacker with network access
via multiple protocols to compromise Oracle GlassFish Server. While
the vulnerability is in Oracle GlassFish Server, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in takeover of Oracle GlassFish Server.
CVSS v3.0 Base Score 9.0 (Confidentiality, Integrity and
Availability impacts).
CVE-2018-10851: An issue has been found in PowerDNS Authoritative Server allowing
an authorized user to cause a memory leak by inserting a specially crafted record
in a zone under their control, then sending a DNS query for that record. The issue
is due to the fact that some memory is allocated before the parsing and is not
always properly released if the record is malformed. When the PowerDNS
Authoritative Server is run inside the guardian (--guardian), or inside a
supervisor like supervisord or systemd, an out-of-memory crash will lead to an
automatic restart, limiting the impact to a somewhat degraded service.
CVE-2018-14626: An issue has been found in PowerDNS Authoritative Server allowing
a remote user to craft a DNS query that will cause an answer without DNSSEC
records to be inserted into the packet cache and be returned to clients asking for
DNSSEC records, thus hiding the presence of DNSSEC signatures for a specific qname
and qtype. For a DNSSEC-signed domain, this means that DNSSEC validating clients
will consider the answer to be bogus until it expires from the packet cache,
leading to a denial of service.
CVE-2018-10851: An issue has been found in PowerDNS Recursor allowing
a malicious authoritative server to cause a memory leak by sending specially
crafted records. The issue is due to the fact that some memory is allocated
before the parsing and is not always properly released if the record is malformed.
When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd,
an out-of-memory crash will lead to an automatic restart, limiting the impact to
a somewhat degraded service.
CVE-2018-14626: An issue has been found in PowerDNS Recursor allowing a remote
user to craft a DNS query that will cause an answer without DNSSEC records to be
inserted into the packet cache and be returned to clients asking for DNSSEC
records, thus hiding the presence of DNSSEC signatures for a specific qname and
qtype. For a DNSSEC-signed domain, this means that clients performing DNSSEC
validation by themselves might consider the answer to be bogus until it expires
from the packet cache, leading to a denial of service.
CVE-2018-14644: An issue has been found in PowerDNS Recursor where a remote attacker
sending a DNS query for a meta-type like OPT can lead to a zone being wrongly cached
as failing DNSSEC validation. It only arises if the parent zone is signed, and all
the authoritative servers for that parent zone answer with FORMERR to a query for at
least one of the meta-types. As a result, subsequent queries from clients requesting
DNSSEC validation will be answered with a ServFail.
There is a buffer overflow vulnerability in dns_srv
and dns_naptr functions of Asterisk that allows an attacker
to crash Asterisk via a specially crafted DNS SRV or NAPTR
response. The attackers request causes Asterisk to segfault
and crash.
Various KDE applications share a plugin system to create thumbnails
of various file types for displaying in file managers, file dialogs, etc.
kio-extras contains a thumbnailer plugin for HTML files.
The HTML thumbnailer was incorrectly accessing some content of
remote URLs listed in HTML files. This meant that the owners of the servers
referred in HTML files in your system could have seen in their access logs
your IP address every time the thumbnailer tried to create the thumbnail.
The HTML thumbnailer has been removed in upcoming KDE Applications 18.12.0
because it was actually not creating thumbnails for files at all.
Microarchitecture timing vulnerability in ECC scalar
multiplication. Severity: Low
OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has
been shown to be vulnerable to a microarchitecture timing side channel
attack. An attacker with sufficient access to mount local timing
attacks during ECDSA signature generation could recover the private
key.
An issue was discovered in GNU patch through 2.7.6. There is a segmentation fault, associated with a NULL pointer dereference, leading to a denial of service in the intuit_diff_type function in pch.c, aka a "mangled rename" issue.
A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.
GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appear to be exploitable via a patch file processed via the patch utility. This is similar to FreeBSD's CVE-2015-1418 however although they share a common ancestry the code bases have diverged over time.
Timing vulnerability in ECDSA signature generation
(CVE-2018-0735): The OpenSSL ECDSA signature algorithm has been
shown to be vulnerable to a timing side channel attack. An
attacker could use variations in the signing algorithm to
recover the private key (Low).
Timing vulnerability in DSA signature generation (CVE-2018-0734):
Avoid a timing attack that leaks information via a side channel
that triggers when a BN is resized. Increasing the size of the
BNs prior to doing anything with them suppresses the attack (Low).
CVE-2018-16850: SQL injection in pg_upgrade and pg_dump,
via CREATE TRIGGER ... REFERENCING.
Using a purpose-crafted trigger definition, an attacker can run
arbitrary SQL statements with superuser privileges when a superuser
runs pg_upgrade on the database or during a pg_dump dump/restore
cycle. This attack requires a CREATE privilege on some non-temporary
schema or a TRIGGER privilege on a table. This is exploitable in the
default PostgreSQL configuration, where all users have CREATE
privilege on public schema.
Two security issues were identified in nginx HTTP/2 implementation,
which might cause excessive memory consumption (CVE-2018-16843)
and CPU usage (CVE-2018-16844).
The issues affect nginx compiled with the ngx_http_v2_module (not
compiled by default) if the "http2" option of the "listen" directive is
used in a configuration file.
A security issue was identified in the ngx_http_mp4_module, which might
allow an attacker to cause infinite loop in a worker process, cause a
worker process crash, or might result in worker process memory
isclosure by using a specially crafted mp4 file (CVE-2018-16845).
The issue only affects nginx if it is built with the ngx_http_mp4_module
(the module is not built by default) and the "mp4" directive is used in
the configuration file. Further, the attack is only possible if an
attacker is able to trigger processing of a specially crafted mp4 file
with the ngx_http_mp4_module.
he path module allows users with the 'administer paths' to create pretty URLs
for content. In certain circumstances the user can enter a particular path that
triggers an open redirect to a malicious url.The issue is mitigated by the fact
that the user needs the administer paths permission to exploit.
When sending email some variables were not being sanitized for shell arguments,
which could lead to remote code execution.
This issue has been created for public disclosure of an XSS
vulnerability that was responsibly reported (independently) by Shubham
Pathak and @yasinS (Yasin Soliman).
In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in
sanitized output when a crafted SVG element is republished.
CVE-2018-16839: SASL password overflow via integer overflow
libcurl contains a buffer overrun in the SASL authentication code.
The internal function Curl_auth_create_plain_message fails to
correctly verify that the passed in lengths for name and password
aren't too long, then calculates a buffer size to allocate.
On systems with a 32 bit size_t, the math to calculate the buffer size
triggers an integer overflow when the user name length exceeds 2GB
(2^31 bytes). This integer overflow usually causes a very small buffer
to actually get allocated instead of the intended very huge one, making
the use of that buffer end up in a heap buffer overflow.
This bug is very similar to CVE-2017-14618.
It affects curl 7.33.0 to 7.61.1.
CVE-2018-16840: use-after-free in handle close
libcurl contains a heap use-after-free flaw in code related to closing
an easy handle.
When closing and cleaning up an "easy" handle in the Curl_close()
function, the library code first frees a struct (without nulling the
pointer) and might then subsequently erroneously write to a struct
field within that already freed struct.
curl contains a heap out of buffer read vulnerability.
The command line tool has a generic function for displaying warning
and informational messages to stderr for various situations. For
example if an unknown command line argument is used, or passed to it in
a "config" file.
This display function formats the output to wrap at 80 columns. The
wrap logic is however flawed, so if a single word in the message is
itself longer than 80 bytes the buffer arithmetic calculates the
remainder wrong and will end up reading behind the end of the buffer.
This could lead to information disclosure or crash.
This vulnerability could lead to a security issue if used in this or
similar situations:
1. a server somewhere uses the curl command line to run something
2. if it fails, it shows stderr to the user
3. the server takes user input for parts of its command line input
4. user provides something overly long that triggers this crash
5. the stderr output may now contain user memory contents that wasn't
meant to be available
An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality
of the LIVE555 RTSP server library. A specially crafted packet can cause a stack-based buffer
overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability.
CVE-2018-16395: OpenSSL::X509::Name equality check does not work
correctly
An instance of OpenSSL::X509::Name contains entities such as CN, C and
so on. Some two instances of OpenSSL::X509::Name are equal only when
all entities are exactly equal. However, there is a bug that the
equality check is not correct if the value of an entity of the
argument (right-hand side) starts with the value of the receiver
(left-hand side). So, if a malicious X.509 certificate is passed to
compare with an existing certificate, there is a possibility to be
judged incorrectly that they are equal.
CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives
Array#pack method converts the receiver's contents into a string with
specified format. If the receiver contains some tainted objects, the
returned string also should be tainted. String#unpack method which
converts the receiver into an array also should propagate its tainted
flag to the objects contained in the returned array. But, with B, b, H
and h directives, the tainted flags are not propagated. So, if a script
processes unreliable inputs by Array#pack and/or String#unpack with
these directives and checks the reliability with tainted flags, the
check might be wrong.
libssh versions 0.6 and above have an authentication bypass
vulnerability in the server code. By presenting the server an
SSH2_MSG_USERAUTH_SUCCESS message in place of the
SSH2_MSG_USERAUTH_REQUEST message which the server would expect to
initiate authentication, the attacker could successfully authentciate
without any credentials.
A memory leak bug was discovered in Toxcore that can be triggered remotely to
exhaust oneâs system memory, resulting in a denial of service attack.
The bug is present in the TCP Server module of Toxcore and therefore it
affects mostly bootstrap nodes. Regular Tox clients generally have the
TCP Server functionality disabled by default, leaving them unaffected.
The authentication protocol allows an oracle attack that could
potentially be exploited.
If a man-in-the-middle has intercepted the TCP connection it
might be able to force plaintext UDP packets between two nodes for up to
a PingInterval period.
CVE-2018-16984: Password hash disclosure to "view only" admin users
If an admin user has the change permission to the user model, only part
of the password hash is displayed in the change form. Admin users with the
view (but not change) permission to the user model were displayed the entire
hash. While it's typically infeasible to reverse a strong password hash, if
your site uses weaker password hashing algorithms such as MD5 or SHA1, it
could be a problem.
libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.
CVE-2018-17144, a fix for which was released on September 18th in Bitcoin Core versions 0.16.3 and 0.17.0rc4, includes both a Denial of Service component and a critical inflation vulnerability. It was originally reported to several developers working on Bitcoin Core, as well as projects supporting other cryptocurrencies, including ABC and Unlimited on September 17th as a Denial of Service bug only, however we quickly determined that the issue was also an inflation vulnerability with the same root cause and fix.
In Apache SpamAssassin, using HTML::Parser, we setup an object and
hook into the begin and end tag event handlers In both cases, the
"open" event is immediately followed by a "close" event - even if
the tag *does not* close in the HTML being parsed.
Because of this, we are missing the "text" event to deal with
the object normally. This can cause carefully crafted emails that
might take more scan time than expected leading to a Denial of
Service.
Fix a reliance on "." in @INC in one configuration script. Whether
this can be exploited in any way is uncertain.
Fix a potential Remote Code Execution bug with the PDFInfo plugin.
Thanks to cPanel Security Team for their report of this issue.
Fourth, this release fixes a local user code injection in the
meta rule syntax. Thanks again to cPanel Security Team for their
report of this issue.
A severe bug was found in the game client which could allow a malicious user to execute arbitrary code through the Lua engine by using specially-crafted code in add-ons, saves, replays, or networked games. This issue affects all platforms and all existing releases since Wesnoth version 1.7.0.
Users of all previous version should upgrade immediately.
low: DoS for HTTP/2 connections by continuous SETTINGS
By sending continous SETTINGS frames of maximum size an ongoing
HTTP/2 connection could be kept busy and would never time out. This
can be abused for a DoS on the server. This only affect a server
that has enabled the h2 protocol.
An authentication bypass flaw was found in the smart_proxy_dynflow
component used by Foreman. A malicious attacker can use this flaw to
remotely execute arbitrary commands on machines managed by vulnerable
Foreman instances, in a highly privileged context.
A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerability allowing an attacker to write data into the local cache or from locally installed malware. This issue also triggers a non-exploitable startup crash for users switching between the Nightly and Release versions of Firefox if the same profile is used.
There is a stack overflow vulnerability in the
res_http_websocket.so module of Asterisk that allows an
attacker to crash Asterisk via a specially crafted HTTP
request to upgrade the connection to a websocket. The
attackers request causes Asterisk to run out of stack
space and crash.
As a workaround disable HTTP websocket access by not
loading the res_http_websocket.so module.
The XML parsing engine for Plex Media Server's SSDP/UPNP
functionality is vulnerable to an XML External Entity
Processing (XXE) attack. Unauthenticated attackers on the same LAN can
use this vulnerability to:
Access arbitrary files from the filesystem with the same permission as
the user account running Plex.
Initiate SMB connections to capture NetNTLM challenge/response and
crack to clear-text password.
Initiate SMB connections to relay NetNTLM challenge/response and
achieve Remote Command Execution in Windows domains.
An issue was discovered in SDDM through 0.17.0. If configured with ReuseSession=true, the password is not checked for users with an already existing session. Any user with access to the system D-Bus can therefore unlock any graphical session.
The default configuration of SDDM on FreeBSD is not affected, since it has ReuseSession=false.
Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the
configuration and secret if authentication is missing and the API's port
is publicly reachable.
Ghostscript contains an optional -dSAFER option, which is supposed
to prevent unsafe PostScript operations. Multiple PostScript
operations bypass the protections provided by -dSAFER, which can
allow an attacker to execute arbitrary commands with arbitrary
arguments. This vulnerability can also be exploited in applications
that leverage Ghostscript, such as ImageMagick, GraphicsMagick,
evince, Okular, Nautilus, and others.
Exploit code for this vulnerability is publicly available.
On the 20th of August at 1800 CEST we were contacted about a
potential security issue with the âremember meâ cookie Grafana
sets upon login. The issue targeted users without a local Grafana
password (LDAP & OAuth users) and enabled a potential attacker
to generate a valid cookie knowing only a username.
All installations which use the Grafana LDAP or OAuth
authentication features must be upgraded as soon as possible. If
you cannot upgrade, you should switch authentication mechanisms
or put additional protections in front of Grafana such as a
reverse proxy.
Fix array bounds checking in BinPAC: for arrays
that are fields within a record, the bounds check
was based on a pointer to the start of the record
rather than the start of the array field, potentially
resulting in a buffer over-read.
Fix SMTP command string comparisons: the number
of bytes compared was based on the user-supplied
string length and can lead to incorrect matches.
e.g. giving a command of "X" incorrectly matched
"X-ANONYMOUSTLS" (and an empty commands match
anything).
Address potential vectors for Denial of Service:
"Weird" events are now generally suppressed/sampled
by default according to some tunable parameters.
Improved handling of empty lines in several text
protocol analyzers that can cause performance issues
when seen in long sequences.
Add `smtp_excessive_pending_cmds' weird which
serves as a notification for when the "pending
command" queue has reached an upper limit and been
cleared to prevent one from attempting to slowly
exhaust memory.
This fixes a potential denial of service (DoS) attack
against client connections by a malicious server. During a TLS
communication handshake, where both client and server agree to
use a cipher-suite using DH or DHE (Diffie-Hellman, in both
ephemeral and non-ephemeral modes), a malicious server can
send a very large prime value to the client. Because this has
been unbounded in OpenSSL, the client can be forced to spend
an unreasonably long period of time to generate a key,
potentially causing a denial of service.
OpenSSL: ECDSA key extraction via local side-channel
Attackers with access to observe cache-timing may be able
to extract DSA or ECDSA private keys by causing the victim to
create several signatures and watching responses. This flaw
does not have a CVE due to OpenSSL policy to not assign itself
CVEs for local-only vulnerabilities that are more academic
than practical. This vulnerability was discovered by Keegan
Ryan at NCC Group and impacts many cryptographic libraries
including OpenSSL.
Unintentional exposure of uninitialized memory
Only Node.js 10 is impacted by this flaw.
Node.js TSC member Nikita Skovoroda discovered an argument
processing flaw that causes Buffer.alloc() to return
uninitialized memory. This method is intended to be safe and
only return initialized, or cleared, memory. The third
argument specifying encoding can be passed as a number, this
is misinterpreted by Buffer's internal "fill" method as the
start to a fill operation. This flaw may be abused where
Buffer.alloc() arguments are derived from user input to return
uncleared memory blocks that may contain sensitive
information.
Out of bounds (OOB) write
Node.js TSC member Nikita Skovoroda discovered an OOB write
in Buffer that can be used to write to memory outside of a
Buffer's memory space. This can corrupt unrelated Buffer
objects or cause the Node.js process to crash.
When used with UCS-2 encoding (recognized by Node.js under
the names 'ucs2', 'ucs-2', 'utf16le' and 'utf-16le'),
Buffer#write() can be abused to write outside of the bounds of
a single Buffer. Writes that start from the second-to-last
position of a buffer cause a miscalculation of the maximum
length of the input bytes to be written.
Teun Beijers reported a cross-site scripting (XSS) vulnerability in
the Edit Filter page which allows execution of arbitrary code
(if CSP settings permit it) when displaying a filter with a crafted
name. Prevent the attack by sanitizing the filter name before display.
Ãmer Cıtak, Security Researcher at Netsparker, reported this
vulnerability, allowing remote attackers to inject arbitrary code
(if CSP settings permit it) through a crafted PATH_INFO on
view_filters_page.php. Prevent the attack by sanitizing the output
of $_SERVER['PHP_SELF'] before display.
The put_chars function in html_r.c in Twibright Links 2.14 allows
remote attackers to cause a denial of service (buffer over-read)
via a crafted HTML file.
On certain Intel 64-bit x86 systems there is a period
of time during terminal fault handling where the CPU may
use speculative execution to try to load data. The CPU may
speculatively access the level 1 data cache (L1D). Data
which would otherwise be protected may then be determined
by using side channel methods.
This issue affects bhyve on FreeBSD/amd64 systems.
Impact:
An attacker executing user code, or kernel code inside
of a virtual machine, may be able to read secret data from
the kernel or from another virtual machine.
A researcher has notified us of a DoS attack applicable
to another operating system. While FreeBSD may not be
vulnerable to that exact attack, we have identified several
places where inadequate DoS protection could allow an
attacker to consume system resources.
It is not necessary that the attacker be able to establish
two-way communication to carry out these attacks. These
attacks impact both IPv4 and IPv6 fragment reassembly.
Impact:
In the worst case, an attacker could send a stream of
crafted fragments with a low packet rate which would consume
a substantial amount of CPU.
Other attack vectors allow an attacker to send a stream
of crafted fragments which could consume a large amount of
CPU or all available mbuf clusters on the system.
These attacks could temporarily render a system unreachable
through network interfaces or temporarily render a system
unresponsive. The effects of the attack should clear within
60 seconds after the attack stops.
When using WPA2, EAPOL-Key frames with the Encrypted
flag and without the MIC flag set, the data field was
decrypted first without verifying the MIC. When the dta
field was encrypted using RC4, for example, when negotiating
TKIP as a pairwise cipher, the unauthenticated but decrypted
data was subsequently processed. This opened wpa_supplicant(8)
to abuse by decryption and recovery of sensitive information
contained in EAPOL-Key messages.
See
https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
for a detailed description of the bug.
Impact:
All users of the WPA2 TKIP pairwise cipher are vulnerable
to information, for example, the group key.
A Cross-Site Scripting vulnerability was found in the
file import feature, where an attacker can deliver a payload
to a user through importing a specially-crafted file.
Severity
We consider this attack to be of moderate severity.
The functions XGetFontPath, XListExtensions, and XListFonts are
vulnerable to an off-by-one override on malicious server responses.
The server replies consist of chunks consisting of a length byte
followed by actual string, which is not NUL-terminated.
While parsing the response, the length byte is overridden with '\0',
thus the memory area can be used as storage of C strings later on.
To be able to NUL-terminate the last string, the buffer is reserved
with an additional byte of space. For a boundary check, the variable
chend (end of ch) was introduced, pointing at the end of the buffer
which ch initially points to. Unfortunately there is a difference
in handling "the end of ch". While chend points at the first byte
that must not be written to, the for-loop uses chend as the last
byte that can be written to. Therefore, an off-by-one can occur.
The length value is interpreted as signed char on many systems
(depending on default signedness of char), which can lead to an out
of boundary write up to 128 bytes in front of the allocated storage,
but limited to NUL byte(s).
If the server sends a reply in which even the first string would
overflow the transmitted bytes, list[0] (or flist[0]) will be set to
NULL and a count of 0 is returned. If the resulting list is freed
with XFreeExtensionList or XFreeFontPath later on, the first Xfree
call is turned into Xfree (NULL-1) which will most likely trigger a
segmentation fault. Casting the length value to unsigned char fixes
the problem and allows string values with up to 255 characters.
All versions of Samba from 4.0.0 onwards are vulnerable to infinite
query recursion caused by CNAME loops. Any dns record can be added via
ldap by an unprivileged user using the ldbadd tool, so this is a
security issue.
When configured to accept smart-card authentication, Samba's KDC will call
talloc_free() twice on the same memory if the principal in a validly signed
certificate does not match the principal in the AS-REQ.
During the processing of an LDAP search before Samba's AD DC returns
the LDAP entries to the client, the entries are cached in a single
memory object with a maximum size of 256MB. When this size is
reached, the Samba process providing the LDAP service will follow the
NULL pointer, terminating the process.
During the processing of an DNS zone in the DNS management DCE/RPC server,
the internal DNS server or the Samba DLZ plugin for BIND9, if the
DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS
property is set, the server will follow a NULL pointer and terminate
A user in a Samba AD domain can crash the KDC when Samba is built in the
non-default MIT Kerberos configuration.
AD DC Configurations watching for bad passwords (to restrict brute forcing
of passwords) in a window of more than 3 minutes may not watch for bad
passwords at all.
A vulnerability was found in how wpa_supplicant processes
EAPOL-Key frames. It is possible for an attacker to modify
the frame in a way that makes wpa_supplicant decrypt the Key
Data field without requiring a valid MIC value in the frame,
i.e., without the frame being authenticated. This has a
potential issue in the case where WPA2/RSN style of EAPOL-Key
construction is used with TKIP negotiated as the pairwise
cipher. It should be noted that WPA2 is not supposed to be
used with TKIP as the pairwise cipher. Instead, CCMP is
expected to be used and with that pairwise cipher, this
vulnerability is not applicable in practice.
When TKIP is negotiated as the pairwise cipher, the EAPOL-Key
Key Data field is encrypted using RC4. This vulnerability
allows unauthenticated EAPOL-Key frames to be processed and
due to the RC4 design, this makes it possible for an attacker
to modify the plaintext version of the Key Data field with
bitwise XOR operations without knowing the contents. This can
be used to cause a denial of service attack by modifying
GTK/IGTK on the station (without the attacker learning any of
the keys) which would prevent the station from accepting
received group-addressed frames. Furthermore, this might be
abused by making wpa_supplicant act as a decryption oracle to
try to recover some of the Key Data payload (GTK/IGTK) to get
knowledge of the group encryption keys.
Full recovery of the group encryption keys requires multiple
attempts (128 connection attempts per octet) and each attempt
results in disconnection due to a failure to complete the 4-way
handshake. These failures can result in the AP/network getting
disabled temporarily or even permanently (requiring user action
to re-enable) which may make it impractical to perform the
attack to recover the keys before the AP has already changes
the group keys. By default, wpa_supplicant is enforcing at
minimum a ten second wait time between each failed connection
attempt, i.e., over 20 minutes waiting to recover each octet
while hostapd AP implementation uses 10 minute default for GTK
rekeying when using TKIP. With such timing behavior, practical
attack would need large number of impacted stations to be
trying to connect to the same AP to be able to recover
sufficient information from the GTK to be able to determine
the key before it gets changed.
Samba releases 4.7.0 to 4.8.3 (inclusive) contain an error which
allows authentication using NTLMv1 over an SMB1 transport (either
directory or via NETLOGON SamLogon calls from a member server), even
when NTLMv1 is explicitly disabled on the server.
Missing input sanitization checks on some of the input parameters to
LDB database layer cause the LDAP server and DNS server to crash when
following a NULL pointer.
Samba releases 3.2.0 to 4.8.3 (inclusive) contain an error in
libsmbclient that could allow a malicious server to overwrite
client heap memory by returning an extra long filename in a directory
listing.
Missing database output checks on the returned directory attributes
from the LDB database layer cause the DsCrackNames call in the DRSUAPI
server to crash when following a NULL pointer.
All versions of the Samba Active Directory LDAP server from 4.0.0
onwards are vulnerable to the disclosure of confidential attribute
values, both of attributes where the schema SEARCH_FLAG_CONFIDENTIAL
(0x80) searchFlags bit and where an explicit Access Control Entry has
been specified on the ntSecurityDescriptor.
CVE-2017-6949: Unchecked malloc() call in SRFI-4
constructors when allocating in non-GC memory, resulting
in potential 1-word buffer overrun and/or segfault
CVE-2017-9334: "length" crashes on improper lists
CVE-2017-11343: The randomization factor of the symbol
table was set before the random seed was set, causing it
to have a fixed value on many platforms
Fix heap write overflow of PrimitiveInfo and PointInfo arrays. This is
another manefestation of CVE-2016-2317, which should finally be fixed
correctly due to active detection/correction of pending overflow rather
than using estimation.
CVE-2018-10915: Certain host connection parameters defeat
client-side security defenses
libpq, the client connection API for PostgreSQL that is also used
by other connection libraries, had an internal issue where it did not
reset all of its connection state variables when attempting to
reconnect. In particular, the state variable that determined whether
or not a password is needed for a connection would not be reset, which
could allow users of features requiring libpq, such as the "dblink" or
"postgres_fdw" extensions, to login to servers they should not be able
to access.
CVE-2018-10925: Memory disclosure and missing authorization in
`INSERT ... ON CONFLICT DO UPDATE`
An attacker able to issue CREATE TABLE can read arbitrary bytes of
server memory using an upsert (`INSERT ... ON CONFLICT DO UPDATE`)
query. By default, any user can exploit that. A user that has
specific INSERT privileges and an UPDATE privilege on at least one
column in a given table can also update other columns using a view and
an upsert query.
When using a CBC based ciphersuite, a remote attacker can
partially recover the plaintext.
When using a CBC based ciphersuite, an attacker with the
ability to execute arbitrary code on the machine under attack
can partially recover the plaintext by use of cache based
side-channels.
Database Administrator could achieve privilege escalation to
the account that CouchDB runs under, by abusing insufficient validation
in the HTTP API, escaping security controls implemented in previous
releases.
SAML messages, assertions, and metadata all commonly make use of the
XML Signature KeyInfo construct, which expresses information about
keys and certificates used in signing or encrypting XML.
The Apache Santuario XML Security for C++ library contained code
paths at risk of dereferencing null pointers when processing various
kinds of malformed KeyInfo hints typically found in signed or
encrypted XML. The usual effect is a crash, and in the case of the
Shibboleth SP software, a crash in the shibd daemon, which prevents
access to protected resources until the daemon is restarted.
One of the data structures that holds TCP segments uses
an inefficient algorithm to reassemble the data. This causes
the CPU time spent on segment processing to grow linearly
with the number of segments in the reassembly queue.
Impact:
An attacker who has the ability to send TCP traffic to
a victim system can degrade the victim system's network
performance and/or consume excessive CPU by exploiting the
inefficiency of TCP reassembly handling, with relatively
small bandwidth cost.
The Python Cryptographic Authority (PyCA) project reports:
finalize_with_tag() allowed tag truncation by default which can allow tag forgery in some cases. The method now enforces the min_tag_length provided to the GCM constructor
cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
Doorkeeper version 4.2.0 and later contains a Incorrect Access Control
vulnerability in Token revocation API's authorized method that can
result in Access tokens are not revoked for public OAuth apps, leaking
access until expiry.
will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.
Multiple vulnerabilities have been found in FFmpeg. Please refer
to CVE list for details.
Note: CVE-2017-15186 and CVE-2017-15672 affect only the 3.3 branch
before 3.3.5, CVE-2017-16840 and CVE-2017-17081 have been fixed
in 3.4.1. They're listed here for completeness of the record.
[850350] High CVE-2018-6153: Stack buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-06-07
[848914] High CVE-2018-6154: Heap buffer overflow in WebGL. Reported by Omair on 2018-06-01
[842265] High CVE-2018-6155: Use after free in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-11
[841962] High CVE-2018-6156: Heap buffer overflow in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-10
[840536] High CVE-2018-6157: Type confusion in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-07
[812667] Medium CVE-2018-6150: Cross origin information disclosure in Service Workers. Reported by Rob Wu on 2018-02-15
[805905] Medium CVE-2018-6151: Bad cast in DevTools. Reported by Rob Wu on 2018-01-25
[805445] Medium CVE-2018-6152: Local file write in DevTools. Reported by Rob Wu on 2018-01-24
[841280] Medium CVE-2018-6158: Use after free in Blink. Reported by Zhe Jin, Luyao Liu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-05-09
[837275] Medium CVE-2018-6159: Same origin policy bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-04-26
[839822] Medium CVE-2018-6160: URL spoof in Chrome on iOS. Reported by evi1m0 of Bilibili Security Team on 2018-05-04
[826552] Medium CVE-2018-6161: Same origin policy bypass in WebAudio. Reported by Jun Kokatsu (@shhnjk) on 2018-03-27
[804123] Medium CVE-2018-6162: Heap buffer overflow in WebGL. Reported by Omair on 2018-01-21
[849398] Medium CVE-2018-6163: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-06-04
[848786] Medium CVE-2018-6164: Same origin policy bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-06-01
[847718] Medium CVE-2018-6165: URL spoof in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-05-30
[835554] Medium CVE-2018-6166: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-04-21
[833143] Medium CVE-2018-6167: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-04-15
[828265] Medium CVE-2018-6168: CORS bypass in Blink. Reported by Gunes Acar and Danny Y. Huang of Princeton University, Frank Li of UC Berkeley on 2018-04-03
[394518] Medium CVE-2018-6169: Permissions bypass in extension installation. Reported by Sam P on 2014-07-16
[862059] Medium CVE-2018-6170: Type confusion in PDFium. Reported by Anonymous on 2018-07-10
[851799] Medium CVE-2018-6171: Use after free in WebBluetooth. Reported by amazon@mimetics.ca on 2018-06-12
[847242] Medium CVE-2018-6172: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-05-28
[836885] Medium CVE-2018-6173: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-04-25
[835299] Medium CVE-2018-6174: Integer overflow in SwiftShader. Reported by Mark Brand of Google Project Zero on 2018-04-20
[826019] Medium CVE-2018-6175: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-03-26
[666824] Medium CVE-2018-6176: Local user privilege escalation in Extensions. Reported by Jann Horn of Google Project Zero on 2016-11-18
[826187] Low CVE-2018-6177: Cross origin information leak in Blink. Reported by Ron Masas (Imperva) on 2018-03-27
[823194] Low CVE-2018-6178: UI spoof in Extensions. Reported by Khalil Zhani on 2018-03-19
[816685] Low CVE-2018-6179: Local file information leak in Extensions. Reported by Anonymous on 2018-02-26
[797461] Low CVE-2018-6044: Request privilege escalation in Extensions. Reported by Wob Wu on 2017-12-23
[791324] Low CVE-2018-4117: Cross origin information leak in Blink. Reported by AhsanEjaz - @AhsanEjazA on 2017-12-03
[866821] Various fixes from internal audits, fuzzing and other initiatives
Attributes that have URI values weren't properly sanitized if the
values contained character entities. Using character entities, it
was possible to construct a URI value with a scheme that was not
allowed that would slide through unsanitized.
This security issue was introduced in Bleach 2.1. Anyone using
Bleach 2.1 is highly encouraged to upgrade.
During key agreement in a TLS handshake using a DH(E) based
ciphersuite a malicious server can send a very large prime value
to the client. This will cause the client to spend an unreasonably
long period of time generating a key for this prime resulting in a
hang until the client has finished. This could be exploited in a
Denial Of Service attack.
bsixel 1.8.1 has a memory leak in sixel_decoder_decode in
decoder.c, image_buffer_resize in fromsixel.c, sixel_decode_raw in
fromsixel.c and sixel_allocator_new in allocator.c
VideoLAN VLC media player 2.2.x is prone to a use after free
vulnerability which an attacker can leverage to execute arbitrary
code via crafted MKV files. Failed exploit attempts will likely
result in denial of service conditions.
DoS for HTTP/2 connections by crafted requests
(CVE-2018-1333). By specially crafting HTTP/2 requests, workers
would be allocated 60 seconds longer than necessary, leading to
worker exhaustion and a denial of service. (low)
mod_md, DoS via Coredumps on specially crafted requests
(CVE-2018-8011). By specially crafting HTTP requests, the mod_md
challenge handler would dereference a NULL pointer and cause the
child process to segfault. This could be used to DoS the server.
(moderate)
ZNC before 1.7.1-rc1 does not properly validate untrusted lines
coming from the network, allowing a non-admin user to escalate his
privilege and inject rogue values into znc.conf.
ZNC before 1.7.1-rc1 is prone to a path traversal flaw via ../ in
a web skin name to access files outside of the intended skins
directories.
Fixes a remote code injection vulnerability when "subscribing"
to an IMAP mailbox, either via $imap_check_subscribed, or via the
function in the browser menu. Mutt was generating a
"mailboxes" command and sending that along to the muttrc parser.
However, it was not escaping "`", which executes code and inserts
the result. This would allow a malicious IMAP server to execute
arbitrary code (for $imap_check_subscribed).
Fixes POP body caching path traversal vulnerability.
It has been discovered that TYPO3âs Salted Password system extension (which is a mandatory system component)
is vulnerable to Authentication Bypass when using hashing methods which are related by PHP class inheritance.
In standard TYPO3 core distributions stored passwords using the blowfish hashing algorithm can be overridden
when using MD5 as the default hashing algorithm by just knowing a valid username.
Per default the Portable PHP hashing algorithm (PHPass) is used which is not vulnerable.
Phar files (formerly known as "PHP archives") can act als self extracting archives which leads to the fact
that source code is executed when Phar files are invoked. The Phar file format is not limited to be stored
with a dedicated file extension - "bundle.phar" would be valid as well as "bundle.txt" would be. This way,
Phar files can be obfuscated as image or text file which would not be denied from being uploaded and persisted
to a TYPO3 installation. Due to a missing sanitization of user input, those Phar files can be invoked by
manipulated URLs in TYPO3 backend forms. A valid backend user account is needed to exploit this vulnerability.
In theory the attack vector would be possible in the TYPO3 frontend as well, however no functional exploit
has been identified so far.
Failing to properly dissociate system related configuration from user generated configuration,
the Form Framework (system extension "form") is vulnerable to SQL injection and Privilege Escalation.
Basically instructions can be persisted to a form definition file that were not configured to be modified -
this applies to definitions managed using the form editor module as well as direct file upload using the regular
file list module. A valid backend user account as well as having system extension form activated are needed
in order to exploit this vulnerability.
It has been discovered that the Form Framework (system extension "form") is vulnerable to Insecure Deserialization
when being used with the additional PHP PECL package âyamlâ, which is capable of unserializing YAML contents
to PHP objects. A valid backend user account as well as having PHP setting "yaml.decode_php" enabled is needed
to exploit this vulnerability.
Due to a CSRF vulnerability affecting the qute://settings page,
it was possible for websites to modify qutebrowser settings.
Via settings like editor.command, this possibly allowed websites
to execute arbitrary code.
Database Administrator could achieve privilege escalation to
the account that CouchDB runs under, by abusing insufficient validation
in the HTTP API, escaping security controls implemented in previous
releases.
NIST reports (by search in the range 2017/01/01 - 2018/07/06):
17 security fixes in this release:
Heap-based buffer overflow in the __zzip_get32 function in fetch.c.
Heap-based buffer overflow in the __zzip_get64 function in fetch.c.
Heap-based buffer overflow in the zzip_mem_entry_extra_block function
in memdisk.c.
The zzip_mem_entry_new function in memdisk.c allows remote attackers
to cause a denial of service (out-of-bounds read and crash) via a
crafted ZIP file.
The prescan_entry function in fseeko.c allows remote attackers to cause
a denial of service (NULL pointer dereference and crash) via crafted
ZIP file.
The zzip_mem_entry_new function in memdisk.c cause a NULL pointer
dereference and crash via a crafted ZIP file.
seeko.c cause a denial of service (assertion failure and crash) via a
crafted ZIP file.
A segmentation fault caused by invalid memory access in the
zzip_disk_fread function because the size variable is not validated
against the amount of file->stored data.
A memory alignment error and bus error in the __zzip_fetch_disk_trailer
function of zzip/zip.c.
A bus error caused by loading of a misaligned address in the
zzip_disk_findfirst function.
An uncontrolled memory allocation and a crash in the __zzip_parse_root_directory
function.
An invalid memory address dereference was discovered in zzip_disk_fread
in mmapped.c.
A memory leak triggered in the function zzip_mem_disk_new in
memdisk.c.
An integer overflow during the parsing of XML using the Expat library.
XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat
XML Parser Library) allows attackers to put the parser in an infinite
loop using a malformed external entity definition from an external DTD.
Fix heap buffer overflow while trying to emit access log
- see references for full details.
CVE-2018-0608: Buffer overflow in H2O version 2.2.4 and
earlier allows remote attackers to execute arbitrary code or
cause a denial of service (DoS) via unspecified vectors.
A Cross-Site Scripting vulnerability was found in the
Designer feature, where an attacker can deliver a
payload to a user through a specially-crafted database
name.
Severity
We consider this attack to be of moderate severity.
Summary
File inclusion and remote code execution attack
Description
A flaw has been discovered where an attacker can include
(view and potentially execute) files on the server.
The vulnerability comes from a portion of code where
pages are redirected and loaded within phpMyAdmin, and an
improper test for whitelisted pages.
An attacker must be authenticated, except in these
situations:
$cfg['AllowArbitraryServer'] = true: attacker can
specify any host he/she is already in control of, and
execute arbitrary code on phpMyAdmin
$cfg['ServerDefault'] = 0: this bypasses the login and
runs the vulnerable code without any authentication
Severity
We consider this to be severe.
Mitigation
factor
Configuring PHP with a restrictive
`open_basedir` can greatly restrict an attacker's ability to
view files on the server. Vulnerable systems should not be
run with the phpMyAdmin directives
$cfg['AllowArbitraryServer'] = true or $cfg['ServerDefault']
= 0
A subset of Intel processors can allow a local thread
to infer data from another thread through a speculative
execution side channel when Lazy FPU state restore is
used.
Impact:
Any local thread can potentially read FPU state information
from other threads running on the host. This could include
cryptographic keys when the AES-NI CPU feature is present.
Insecure handling of user_name and gid fields (CVE-2018-10995)
While fixes are only available for the supported 17.02 and 17.11
releases, it is believed that similar vulnerabilities do affect past
versions as well. The only resolution is to upgrade Slurm to a fixed
release.
Denial of Service Vulnerability in HTTP/2 (CVE-2018-7161)
All versions of 8.x and later are vulnerable and the severity is
HIGH. An attacker can cause a denial of service (DoS) by causing a
node server providing an http2 server to crash. This can be
accomplished by interacting with the http2 server in a manner that
triggers a cleanup bug where objects are used in native code after
they are no longer available. This has been addressed by updating
the http2 implementation. Thanks to Jordan Zebor at F5 Networks for
reporting this issue.
Denial of Service, nghttp2 dependency (CVE-2018-1000168)
All versions of 9.x and later are vulnerable and the severity is
HIGH. Under certain conditions, a malicious client can trigger an
uninitialized read (and a subsequent segfault) by sending a
malformed ALTSVC frame. This has been addressed through an by
updating nghttp2.
Denial of Service Vulnerability in TLS (CVE-2018-7162)
All versions of 9.x and later are vulnerable and the severity is
HIGH. An attacker can cause a denial of service (DoS) by causing a
node process which provides an http server supporting TLS server to
crash. This can be accomplished by sending duplicate/unexpected
messages during the handshake. This vulnerability has been addressed
by updating the TLS implementation. Thanks to Jordan Zebor at F5
Networks all of his help investigating this issue with the Node.js
team.
Memory exhaustion DoS on v9.x (CVE-2018-7164)
Versions 9.7.0 and later are vulnerable and the severity is MEDIUM.
A bug introduced in 9.7.0 increases the memory consumed when reading
from the network into JavaScript using the net.Socket object
directly as a stream. An attacker could use this cause a denial of
service by sending tiny chunks of data in short succession. This
vulnerability was restored by reverting to the prior behaviour.
Calls to Buffer.fill() and/or Buffer.alloc() may hang (CVE-2018-7167)
Calling Buffer.fill() or Buffer.alloc() with some parameters can
lead to a hang which could result in a Denial of Service. In order
to address this vulnerability, the implementations of Buffer.alloc()
and Buffer.fill() were updated so that they zero fill instead of
hanging in these cases.
Markus Brinkmann discovered that [the] parsing of gpg command line
output with regexes isn't anchored to the beginning of the line,
which means an attacker can generate a malicious key that simply has
the verification string as part of its username.
This has a number of nasty consequences:
an attacker who manages to write into your ~/.password-store
and also inject a malicious key into your keyring can replace
your .gpg-id key and have your passwords encrypted under
additional keys;
if you have extensions enabled (disabled by default), an
attacker who manages to write into your ~/.password-store and
also inject a malicious key into your keyring can replace your
extensions and hence execute code.
AST-2018-004 - When processing a SUBSCRIBE request the
res_pjsip_pubsub module stores the accepted formats present
in the Accept headers of the request. This code did not
limit the number of headers it processed despite having
a fixed limit of 32. If more than 32 Accept headers were
present the code would write outside of its memory and
cause a crash.
AST-2018-005 - A crash occurs when a number of
authenticated INVITE messages are sent over TCP or TLS
and then the connection is suddenly closed. This issue
leads to a segmentation fault.
When endpoint specific ACL rules block a SIP request
they respond with a 403 forbidden. However, if an endpoint
is not identified then a 401 unauthorized response is
sent. This vulnerability just discloses which requests
hit a defined endpoint. The ACL rules cannot be bypassed
to gain access to the disclosed endpoints.
When connected to Asterisk via TCP/TLS if the client
abruptly disconnects, or sends a specially crafted message
then Asterisk gets caught in an infinite loop while trying
to read the data stream. Thus rendering the system as
unusable.
GnuPG did not sanitize input file names, which may then be output to
the terminal. This could allow terminal control sequences or fake
status messages to be injected into the output.
A heap buffer overflow can occur in the Skia library when
rasterizing paths using a maliciously crafted SVG file
with anti-aliasing turned off. This results in a
potentially exploitable crash.
Multiple fixes and improvements to BinPAC generated code related to array parsing, with potential impact to all Bro's BinPAC-generated analyzers in the form of buffer over-reads or other invalid memory accesses depending on whether a particular analyzer incorrectly assumed that the evaulated-array-length expression is actually the number of elements that were parsed out from the input.
The NCP analyzer (not enabled by default and also updated to actually work with newer Bro APIs in the release) performed a memory allocation based directly on a field in the input packet and using signed integer storage. This could result in a signed integer overflow and memory allocations of negative or very large size, leading to a crash or memory exhaustion. The new NCP::max_frame_size tuning option now limits the maximum amount of memory that can be allocated.
In affected versions of Git, code to sanity-check pathnames on
NTFS can result in reading out-of-bounds memory.
In affected versions of Git, remote code execution can
occur. With a crafted .gitmodules file, a malicious project can
execute an arbitrary script on a machine that runs "git clone
--recurse-submodules" because submodule "names" are obtained from
this file, and then appended to $GIT_DIR/modules, leading to
directory traversal with "../" in a name. Finally, post-checkout
hooks from a submodule are executed, bypassing the intended design
in which hooks are not obtained from a remote server.
A denial-of-service vulnerability in the IKEv2 key derivation was fixed
if the openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated as
PRF (which is not FIPS-compliant). So this should only affect very specific setups,
but in such configurations all strongSwan versions since 5.0.1 may be affected.
A denial-of-service vulnerability in the stroke plugin was fixed.
When reading a message from the socket the plugin did not check the received length.
Unless a group is configured, root privileges are required to access that socket,
so in the default configuration this shouldn't be an issue, but all strongSwan versions may be affected.
An error in zone database reference counting can
lead to an assertion failure if a server which is
running an affected version of BIND attempts
several transfers of a slave zone in quick
succession.
A problem with the implementation of the new
serve-stale feature in BIND 9.12 can lead to
an assertion failure in rbtdb.c, even when
stale-answer-enable is off. Additionally,
problematic interaction between the serve-stale
feature and NSEC aggressive negative caching can
in some cases cause undesirable behavior from named,
such as a recursion loop or excessive logging.
In the X.Org X server before 2017-06-19, a user authenticated to
an X Session could crash or execute code in the context of the X
Server by exploiting a stack overflow in the endianness conversion
of X Events.
Uninitialized data in endianness conversion in the XEvent handling
of the X.Org X Server before 2017-06-19 allowed authenticated
malicious users to access potentially privileged data from the X
server.
curl might overflow a heap based memory buffer when closing down an
FTP connection with very long server command replies.
When doing FTP transfers, curl keeps a spare "closure handle" around
internally that will be used when an FTP connection gets shut down
since the original curl easy handle is then already removed.
FTP server response data that gets cached from the original transfer
might then be larger than the default buffer size (16 KB) allocated in
the "closure handle", which can lead to a buffer overwrite. The
contents and size of that overwrite is controllable by the server.
This situation was detected by an assert() in the code, but that was
of course only preventing bad stuff in debug builds. This bug is very
unlikely to trigger with non-malicious servers.
We are not aware of any exploit of this flaw.
CVE-2018-1000301: RTSP bad headers buffer over-read
curl can be tricked into reading data beyond the end of a heap based
buffer used to store downloaded content.
When servers send RTSP responses back to curl, the data starts out
with a set of headers. curl parses that data to separate it into a
number of headers to deal with those appropriately and to find the end
of the headers that signal the start of the "body" part.
The function that splits up the response into headers is called
Curl_http_readwrite_headers() and in situations where it can't find a
single header in the buffer, it might end up leaving a pointer pointing
into the buffer instead of to the start of the buffer which then later
on may lead to an out of buffer read when code assumes that pointer
points to a full buffer size worth of memory to use.
This could potentially lead to information leakage but most likely a
crash/denial of service for applications if a server triggers this flaw.
A stack-based buffer over-read in the ParseRiffHeaderConfig function of cli/riff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service attack or possibly have unspecified other impact via a maliciously crafted RF64 file.
The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (heap-based buffer over-read) or possibly overwrite the heap via a maliciously crafted DSDIFF file.
The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (global buffer over-read), or possibly trigger a buffer overflow or incorrect memory allocation, via a maliciously crafted CAF file.
Thuan Pham reports:
An issue was discovered in WavPack 5.1.0 and earlier. The WAV parser component contains a vulnerability that allows writing to memory because ParseRiffHeaderConfig in riff.c does not reject multiple format chunks.
An issue was discovered in WavPack 5.1.0 and earlier. The W64 parser component contains a vulnerability that allows writing to memory because ParseWave64HeaderConfig in wave64.c does not reject multiple format chunks.
An issue was discovered in WavPack 5.1.0 and earlier for WAV input. Out-of-bounds writes can occur because ParseRiffHeaderConfig in riff.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.
An issue was discovered in WavPack 5.1.0 and earlier for DSDiff input. Out-of-bounds writes can occur because ParseDsdiffHeaderConfig in dsdiff.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.
An issue was discovered in WavPack 5.1.0 and earlier for W64 input. Out-of-bounds writes can occur because ParseWave64HeaderConfig in wave64.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.
The agent to master security subsystem ensures that the Jenkins
master is protected from maliciously configured agents. A path
traversal vulnerability allowed agents to escape whitelisted
directories to read and write to files they should not be able to
access.
Black Duck Hub Plugin's API endpoint was affected by an XML
External Entity (XXE) processing vulnerability. This allowed an
attacker with Overall/Read access to have Jenkins parse a maliciously
crafted file that uses external entities for extraction of secrets
from the Jenkins master, server-side request forgery, or
denial-of-service attacks.
Several other lower severity issues were reported, see reference
url for details.
The MOV SS and POP SS instructions inhibit debug exceptions
until the instruction boundary following the next instruction.
If that instruction is a system call or similar instruction
that transfers control to the operating system, the debug
exception will be handled in the kernel context instead of
the user context.
Impact:
An authenticated local attacker may be able to read
sensitive data in kernel memory, control low-level operating
system functions, or may panic the system.
A specially crafted REGISTER message with a malformed branch or
From tag triggers an off-by-one heap-based buffer overflow in the
tmx_check_pretran function in modules/tmx/tmx_pretran.c
kwallet-pam was doing file writing and permission changing
as root that with correct timing and use of carefully
crafted symbolic links could allow a non privileged user
to become the owner of any file on the system.
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x.
This potentially allows attackers to exploit multiple attack vectors on a Drupal site,
which could result in the site being compromised. This vulnerability is related to
Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002.
Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
[826626] Critical CVE-2018-6085: Use after free in Disk Cache. Reported by Ned Williamson on 2018-03-28
[827492] Critical CVE-2018-6086: Use after free in Disk Cache. Reported by Ned Williamson on 2018-03-30
[813876] High CVE-2018-6087: Use after free in WebAssembly. Reported by Anonymous on 2018-02-20
[822091] High CVE-2018-6088: Use after free in PDFium. Reported by Anonymous on 2018-03-15
[808838] High CVE-2018-6089: Same origin policy bypass in Service Worker. Reported by Rob Wu on 2018-02-04
[820913] High CVE-2018-6090: Heap buffer overflow in Skia. Reported by ZhanJia Song on 2018-03-12
[771933] High CVE-2018-6091: Incorrect handling of plug-ins by Service Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-10-05
[819869] High CVE-2018-6092: Integer overflow in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-08
[780435] Medium CVE-2018-6093: Same origin bypass in Service Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-01
[633030] Medium CVE-2018-6094: Exploit hardening regression in Oilpan. Reported by Chris Rohlf on 2016-08-01
[637098] Medium CVE-2018-6095: Lack of meaningful user interaction requirement before file upload. Reported by Abdulrahman Alqabandi (@qab) on 2016-08-11
[776418] Medium CVE-2018-6096: Fullscreen UI spoof. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-19
[806162] Medium CVE-2018-6097: Fullscreen UI spoof. Reported by xisigr of Tencent's Xuanwu Lab on 2018-01-26
[798892] Medium CVE-2018-6098: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-01-03
[808825] Medium CVE-2018-6099: CORS bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-02-03
[811117] Medium CVE-2018-6100: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-02-11
[813540] Medium CVE-2018-6101: Insufficient protection of remote debugging prototol in DevTools . Reported by Rob Wu on 2018-02-19
[813814] Medium CVE-2018-6102: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-20
[816033] Medium CVE-2018-6103: UI spoof in Permissions. Reported by Khalil Zhani on 2018-02-24
[820068] Medium CVE-2018-6104: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-03-08
[803571] Medium CVE-2018-6105: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-01-18
[805729] Medium CVE-2018-6106: Incorrect handling of promises in V8. Reported by lokihardt of Google Project Zero on 2018-01-25
[808316] Medium CVE-2018-6107: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-02
[816769] Medium CVE-2018-6108: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-27
[710190] Low CVE-2018-6109: Incorrect handling of files by FileAPI. Reported by Dominik Weber (@DoWeb_) on 2017-04-10
[777737] Low CVE-2018-6110: Incorrect handling of plaintext files via file:// . Reported by Wenxiang Qian (aka blastxiang) on 2017-10-24
[780694] Low CVE-2018-6111: Heap-use-after-free in DevTools. Reported by Khalil Zhani on 2017-11-02
[798096] Low CVE-2018-6112: Incorrect URL handling in DevTools. Reported by Rob Wu on 2017-12-29
[805900] Low CVE-2018-6113: URL spoof in Navigation. Reported by Khalil Zhani on 2018-01-25
[811691] Low CVE-2018-6114: CSP bypass. Reported by Lnyas Zhang on 2018-02-13
[819809] Low CVE-2018-6115: SmartScreen bypass in downloads. Reported by James Feher on 2018-03-07
[822266] Low CVE-2018-6116: Incorrect low memory handling in WebAssembly. Reported by Jin from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. on 2018-03-15
[822465] Low CVE-2018-6117: Confusing autofill settings. Reported by Spencer Dailey on 2018-03-15
[822424] Low CVE-2018-6084: Incorrect use of Distributed Objects in Google Software Updater on MacOS. Reported by Ian Beer of Google Project Zero on 2018-03-15
Defend against Bellcore glitch attacks by verifying the results
of RSA private key operations.
Fix implementation of the truncated HMAC extension. The
previous implementation allowed an offline 2^80 brute force
attack on the HMAC key of a single, uninterrupted connection
(with no resumption of the session).
Reject CRLs containing unsupported critical extensions. Found
by Falko Strenzke and Evangelos Karatsiolis.
Fix a buffer overread in ssl_parse_server_key_exchange() that
could cause a crash on invalid input.
Fix a buffer overread in ssl_parse_server_psk_hint() that could
cause a crash on invalid input.
MySQL Multiple Flaws Let Remote Authenticated Users Access and
Modify Data, Remote and Local Users Deny Service, and Local Users
Access Data and Gain Elevated Privileges
A local user can exploit a flaw in the Replication component
to gain elevated privileges [CVE-2018-2755].
A remote authenticated user can exploit a flaw in the GIS
Extension component to cause denial of service conditions
[CVE-2018-2805].
A remote authenticated user can exploit a flaw in the InnoDB
component to cause denial of service conditions [CVE-2018-2782,
CVE-2018-2784, CVE-2018-2819].
A remote authenticated user can exploit a flaw in the Security
Privileges component to cause denial of service conditions
[CVE-2018-2758, CVE-2018-2818].
A remote authenticated user can exploit a flaw in the DDL
component to cause denial of service conditions
[CVE-2018-2817].
A remote authenticated user can exploit a flaw in the Optimizer
component to cause denial of service conditions [CVE-2018-2775,
CVE-2018-2778, CVE-2018-2779, CVE-2018-2780, CVE-2018-2781,
CVE-2018-2816].
A remote user can exploit a flaw in the Client programs
component to cause denial of service conditions [CVE-2018-2761,
CVE-2018-2773].
A remote authenticated user can exploit a flaw in the InnoDB
component to partially modify data and cause denial of service
conditions [CVE-2018-2786, CVE-2018-2787].
A remote authenticated user can exploit a flaw in the Optimizer
component to partially modify data and cause denial of service
conditions [CVE-2018-2812].
A local user can exploit a flaw in the Cluster ndbcluster/plugin
component to cause denial of service conditions [CVE-2018-2877].
A remote authenticated user can exploit a flaw in the InnoDB
component to cause denial of service conditions [CVE-2018-2759,
CVE-2018-2766, CVE-2018-2777, CVE-2018-2810].
A remote authenticated user can exploit a flaw in the DML
component to cause denial of service conditions [CVE-2018-2839].
A remote authenticated user can exploit a flaw in the
Performance Schema component to cause denial of service conditions
[CVE-2018-2846].
A remote authenticated user can exploit a flaw in the Pluggable
Auth component to cause denial of service conditions
[CVE-2018-2769].
A remote authenticated user can exploit a flaw in the Group
Replication GCS component to cause denial of service conditions
[CVE-2018-2776].
A local user can exploit a flaw in the Connection component to
cause denial of service conditions [CVE-2018-2762].
A remote authenticated user can exploit a flaw in the Locking
component to cause denial of service conditions [CVE-2018-2771].
A remote authenticated user can exploit a flaw in the DDL
component to partially access data [CVE-2018-2813].
CKEditor, a third-party JavaScript library included in Drupal
core, has fixed a cross-site scripting (XSS) vulnerability. The
vulnerability stemmed from the fact that it was possible to execute
XSS inside CKEditor when using the image2 plugin (which Drupal 8
core also uses).
The OpenSSL RSA Key generation algorithm has been shown to be
vulnerable to a cache timing side channel attack. An attacker
with sufficient access to mount cache timing attacks during the
RSA key generation process could recover the private key.
CVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6,
and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because
of an issue affecting multiple subsystems with default or common module configurations.
The ipsec-tools racoon daemon contains a remotely exploitable computational
complexity attack when parsing and storing isakmp fragments. The implementation
permits a remote attacker to exhaust computational resources on the remote endpoint
by repeatedly sending isakmp fragment packets in a particular order such that
the worst-case computational complexity is realized in the algorithm utilized
to determine if reassembly of the fragments can take place.
If ALTSVC frame is received by libnghttp2 and it is larger than it can
accept, the pointer field which points to ALTSVC frame payload is left
NULL. Later libnghttp2 attempts to access another field through the
pointer, and gets segmentation fault.
ALTSVC frame is defined by RFC 7838.
The largest frame size libnghttp2 accept is by default 16384 bytes.
Receiving ALTSVC frame is disabled by default. Application has to
enable it explicitly by calling
nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC).
Transmission of ALTSVC is always enabled, and it does not cause this
vulnerability.
ALTSVC frame is expected to be sent by server, and received by client
as defined in RFC 7838.
Client and server are both affected by this vulnerability if the
reception of ALTSVC frame is enabled. As written earlier, it is useless
to enable reception of ALTSVC frame on server side. So, server is
generally safe unless application accidentally enabled the reception of
ALTSVC frame.
This update primarily fixes a recently discovered IMAP-cmd-injection
vulnerability caused by insufficient input validation within
the archive plugin.
Details about the vulnerability are published under CVE-2018-9846.
The Jenkins CLI sent different error responses for commands with
view and agent arguments depending on the existence of the specified
views or agents to unauthorized users. This allowed attackers to
determine whether views or agents with specified names exist.
The Jenkins CLI now returns the same error messages to unauthorized
users independent of the existence of specified view or agent
names
Some JavaScript confirmation dialogs included the item name in an
unsafe manner, resulting in a possible cross-site scripting
vulnerability exploitable by users with permission to create or
configure items.
JavaScript confirmation dialogs that include the item name now
properly escape it, so it can be safely displayed.
There were multiple server-side request forgery issues in the Services feature.
An attacker could make requests to servers within the same network of the GitLab
instance. This could lead to information disclosure, authentication bypass, or
potentially code execution. This issue has been assigned
CVE-2018-8801.
Gitlab Auth0 integration issue
There was an issue with the GitLab omniauth-auth0 configuration
which resulted in the Auth0 integration signing in the wrong users.
Insufficient validation of user-provided font parameters
can result in an integer overflow, leading to the use of
arbitrary kernel memory as glyph data. Characters that
reference this data can be displayed on the screen, effectively
disclosing kernel memory.
Impact:
Unprivileged users may be able to access privileged
kernel data.
Such memory might contain sensitive information, such
as portions of the file cache or terminal buffers. This
information might be directly useful, or it might be leveraged
to obtain elevated privileges in some way; for example, a
terminal buffer might include a user-entered password.
The length field of the option header does not count the
size of the option header itself. This causes a problem
when the length is zero, the count is then incremented by
zero, which causes an infinite loop.
In addition there are pointer/offset mistakes in the
handling of IPv4 options.
Impact:
A remote attacker who is able to send an arbitrary packet,
could cause the remote target machine to crash.
A use-after-free vulnerability can occur in the
compositor during certain graphics operations when a raw
pointer is used instead of a reference counted one. This
results in a potentially exploitable crash.
CVE-2017-17742: HTTP response splitting in WEBrick
If a script accepts an external input and outputs it without
modification as a part of HTTP responses, an attacker can use newline
characters to deceive the clients that the HTTP response header is
stopped at there, and can inject fake HTTP responses after the newline
characters to show malicious contents to the clients.
CVE-2018-6914: Unintentional file and directory creation with
directory traversal in tempfile and tmpdir
Dir.mktmpdir method introduced by tmpdir library accepts the prefix
and the suffix of the directory which is created as the first parameter.
The prefix can contain relative directory specifiers "../", so this
method can be used to target any directory. So, if a script accepts an
external input as the prefix, and the targeted directory has
inappropriate permissions or the ruby process has inappropriate
privileges, the attacker can create a directory or a file at any
directory.
CVE-2018-8777: DoS by large request in WEBrick
If an attacker sends a large request which contains huge HTTP headers,
WEBrick try to process it on memory, so the request causes the
out-of-memory DoS attack.
CVE-2018-8778: Buffer under-read in String#unpack
String#unpack receives format specifiers as its parameter, and can
be specified the position of parsing the data by the specifier @. If a
big number is passed with @, the number is treated as the negative
value, and out-of-buffer read is occurred. So, if a script accepts an
external input as the argument of String#unpack, the attacker can read
data on heaps.
CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
UNIXServer.open accepts the path of the socket to be created at the
first parameter. If the path contains NUL (\0) bytes, this method
recognize that the path is completed before the NUL bytes. So, if a
script accepts an external input as the argument of this method, the
attacker can make the socket file in the unintentional path. And,
UNIXSocket.open also accepts the path of the socket to be created at
the first parameter without checking NUL bytes like UNIXServer.open.
So, if a script accepts an external input as the argument of this
method, the attacker can accepts the socket file in the unintentional
path.
CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte
in Dir
Dir.open, Dir.new, Dir.entries and Dir.empty? accept the path of the
target directory as their parameter. If the parameter contains NUL (\0)
bytes, these methods recognize that the path is completed before the
NUL bytes. So, if a script accepts an external input as the argument of
these methods, the attacker can make the unintentional directory
traversal.
Node.js Inspector DNS rebinding vulnerability (CVE-2018-7160)
Node.js 6.x and later include a debugger protocol (also known as "inspector") that can be activated by the --inspect and related command line flags. This debugger service was vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution.
'path' module regular expression denial of service (CVE-2018-7158)
The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x.
Spaces in HTTP Content-Length header values are ignored (CVE-2018-7159)
The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12. The HTTP specification does not allow for spaces in the Content-Length value and the Node.js HTTP parser has been brought into line on this particular difference.
Constructed ASN.1 types with a recursive definition could
exceed the stack (CVE-2018-0739)
Constructed ASN.1 types with a recursive definition (such as can be
found in PKCS7) could eventually exceed the stack given malicious input
with excessive recursion. This could result in a Denial Of Service
attack. There are no such structures used within SSL/TLS that come from
untrusted sources so this is considered safe.
rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
There is an overflow bug in the AVX2 Montgomery multiplication
procedure used in exponentiation with 1024-bit moduli. This only
affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig
enabled (CVE-2017-15710)
mod_session: CGI-like applications that intend to read from
mod_session's 'SessionEnv ON' could be fooled into reading
user-supplied data instead. (CVE-2018-1283)
mod_cache_socache: Fix request headers parsing to avoid a possible
crash with specially crafted input data. (CVE-2018-1303)
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production
LogLevel. (CVE-2018-1301)
core: Configure the regular expression engine to match '$' to the
end of the input string only, excluding matching the end of any
embedded newline characters. Behavior can be changed with new
directive 'RegexDefaultOptions'. (CVE-2017-15715)
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
may cause problems if used with round robin load balancers.
(CVE-2018-1312)
The decode_ihdr_chunk function in libavcodec/pngdec.c in
FFmpeg before 2.7.2 does not enforce uniqueness of the IHDR
(aka image header) chunk in a PNG image, which allows remote
attackers to cause a denial of service (out-of-bounds array
access) or possibly have unspecified other impact via a
crafted image with two or more of these chunks.
Multiple integer underflows in the ff_mjpeg_decode_frame
function in libavcodec/mjpegdec.c in FFmpeg before 2.7.2
allow remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified
other impact via crafted MJPEG data.
The ff_sbr_apply function in libavcodec/aacsbr.c in
FFmpeg before 2.7.2 does not check for a matching AAC frame
syntax element before proceeding with Spectral Band
Replication calculations, which allows remote attackers to
cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via crafted AAC
data.
The ff_mpv_common_init function in libavcodec/mpegvideo.c
in FFmpeg before 2.7.2 does not properly maintain the
encoding context, which allows remote attackers to cause a
denial of service (invalid pointer access) or possibly have
unspecified other impact via crafted MPEG data.
The destroy_buffers function in libavcodec/sanm.c in
FFmpeg before 2.7.2 does not properly maintain height and
width values in the video context, which allows remote
attackers to cause a denial of service (segmentation
violation and application crash) or possibly have
unspecified other impact via crafted LucasArts Smush video
data.
The allocate_buffers function in libavcodec/alac.c in
FFmpeg before 2.7.2 does not initialize certain context
data, which allows remote attackers to cause a denial of
service (segmentation violation) or possibly have
unspecified other impact via crafted Apple Lossless Audio
Codec (ALAC) data.
The sws_init_context function in libswscale/utils.c in
FFmpeg before 2.7.2 does not initialize certain pixbuf data
structures, which allows remote attackers to cause a denial
of service (segmentation violation) or possibly have
unspecified other impact via crafted video data.
The ff_frame_thread_init function in
libavcodec/pthread_frame.c in FFmpeg before 2.7.2 mishandles
certain memory-allocation failures, which allows remote
attackers to cause a denial of service (invalid pointer
access) or possibly have unspecified other impact via a
crafted file, as demonstrated by an AVI file.
The ff_rv34_decode_init_thread_copy function in
libavcodec/rv34.c in FFmpeg before 2.7.2 does not initialize
certain structure members, which allows remote attackers to
cause a denial of service (invalid pointer access) or
possibly have unspecified other impact via crafted (1) RV30
or (2) RV40 RealVideo data.
The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in
FFmpeg before 2.8.4 does not validate the number of
decomposition levels before proceeding with Discrete Wavelet
Transform decoding, which allows remote attackers to cause a
denial of service (out-of-bounds array access) or possibly
have unspecified other impact via crafted JPEG 2000
data.
The ff_get_buffer function in libavcodec/utils.c in
FFmpeg before 2.8.4 preserves width and height values after
a failure, which allows remote attackers to cause a denial
of service (out-of-bounds array access) or possibly have
unspecified other impact via a crafted .mov file.
The msrle_decode_pal4 function in msrledec.c in Libav
before 10.7 and 11.x before 11.4 and FFmpeg before 2.0.7,
2.2.x before 2.2.15, 2.4.x before 2.4.8, 2.5.x before 2.5.6,
and 2.6.x before 2.6.2 allows remote attackers to have
unspecified impact via a crafted image, related to a pixel
pointer, which triggers an out-of-bounds array access.
The update_dimensions function in libavcodec/vp8.c in
FFmpeg through 2.8.1, as used in Google Chrome before
46.0.2490.71 and other products, relies on a
coefficient-partition count during multi-threaded operation,
which allows remote attackers to cause a denial of service
(race condition and memory corruption) or possibly have
unspecified other impact via a crafted WebM file.
The ljpeg_decode_yuv_scan function in
libavcodec/mjpegdec.c in FFmpeg before 2.8.2 omits certain
width and height checks, which allows remote attackers to
cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via crafted MJPEG
data.
The ff_hevc_parse_sps function in libavcodec/hevc_ps.c in
FFmpeg before 2.8.2 does not validate the Chroma Format
Indicator, which allows remote attackers to cause a denial
of service (out-of-bounds array access) or possibly have
unspecified other impact via crafted High Efficiency Video
Coding (HEVC) data.
The decode_uncompressed function in libavcodec/faxcompr.c
in FFmpeg before 2.8.2 does not validate uncompressed runs,
which allows remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified
other impact via crafted CCITT FAX data.
The init_tile function in libavcodec/jpeg2000dec.c in
FFmpeg before 2.8.2 does not enforce minimum-value and
maximum-value constraints on tile coordinates, which allows
remote attackers to cause a denial of service (out-of-bounds
array access) or possibly have unspecified other impact via
crafted JPEG 2000 data.
The jpeg2000_read_main_headers function in
libavcodec/jpeg2000dec.c in FFmpeg before 2.6.5, 2.7.x
before 2.7.3, and 2.8.x through 2.8.2 does not enforce
uniqueness of the SIZ marker in a JPEG 2000 image, which
allows remote attackers to cause a denial of service
(out-of-bounds heap-memory access) or possibly have
unspecified other impact via a crafted image with two or
more of these markers.
Integer overflow in the ff_ivi_init_planes function in
libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3,
and 2.8.x through 2.8.2 allows remote attackers to cause a
denial of service (out-of-bounds heap-memory access) or
possibly have unspecified other impact via crafted image
dimensions in Indeo Video Interactive data.
The smka_decode_frame function in libavcodec/smacker.c in
FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through
2.8.2 does not verify that the data size is consistent with
the number of channels, which allows remote attackers to
cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via crafted Smacker
data.
Use-after-free vulnerability in the ff_h264_free_tables
function in libavcodec/h264.c in FFmpeg before 2.3.6 allows
remote attackers to cause a denial of service or possibly
have unspecified other impact via crafted H.264 data in an
MP4 file, as demonstrated by an HTML VIDEO element that
references H.264 data.
There is a possible XSS vulnerability in rails-html-sanitizer. The gem
allows non-whitelisted attributes to be present in sanitized output
when input with specially-crafted HTML fragments, and these attributes
can lead to an XSS attack on target applications.
Fixed an HTML injection vulnerability that could allow XSS.
When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2,
a specially crafted HTML fragment can cause libxml2 to generate
improperly escaped output, allowing non-whitelisted attributes to be
used on whitelisted elements.
Sanitize now performs additional escaping on affected attributes to
prevent this.
This issue has been created for public disclosure of an XSS / code
injection vulnerability that was responsibly reported by the Shopify
Application Security Team.
Loofah allows non-whitelisted attributes to be present in sanitized
output when input with specially-crafted HTML fragments.
In Jupyter Notebook before 5.4.1, a maliciously forged notebook file
can bypass sanitization to execute JavaScript in the notebook context.
Specifically, invalid HTML is 'fixed' by jQuery after sanitization,
making it dangerous.
An attacker able to exploit this vulnerability can extract files
of the server the application is running on. This may include
configuration files, log files and additionally all files that are
readable for all users on the system. This issue is
post-authentication. That means an attacker would need valid
credentials for the application to log in or needs to exploit an
additional vulnerability of which we are not aware of at this point
of time.
An attacker would also be able to delete files on the system, if
the user running the application has the rights to do so.
Does this issue affect me?
Likely yes, if you are using Squirrelmail. We checked the latest
development version, which is 1.5.2-svn and the latest version
available for download at this point of time, 1.4.22. Both contain
the vulnerable code.
Several issues were discovered with incomplete sanitization of
user-provided text strings, which could potentially lead to SQL
injection attacks against SlurmDBD itself. Such exploits could lead to a
loss of accounting data, or escalation of user privileges on the cluster.
Xiph.Org libvorbis 1.3.5 allows Remote Code Execution
upon freeing uninitialized memory in the function
vorbis_analysis_headerout() in info.c when
vi->channels<=0, a similar issue to Mozilla bug
550184.
In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read
vulnerability exists in the function mapping0_forward() in
mapping0.c, which may lead to DoS when operating on a
crafted audio file with vorbis_analysis().
A number of issues relating to speculative execution
were found last year and publicly announced January 3rd.
Two of these, known as Meltdown and Spectre V2, are addressed
here.
This issue relies on an affected CPU speculatively
executing instructions beyond a faulting instruction. When
this happens, changes to architectural state are not
committed, but observable changes may be left in micro-
architectural state (for example, cache). This may be used
to infer privileged data.
Missing null pointer checks may crash the external
print server process.
On a Samba 4 AD DC any authenticated user can change
other user's passwords over LDAP, including the
passwords of administrative users and service accounts.
When the truncated HMAC extension is enabled and CBC is used,
sending a malicious application packet can be used to selectively
corrupt 6 bytes on the peer's heap, potentially leading to a
crash or remote code execution. This can be triggered remotely
from either side in both TLS and DTLS.
When RSASSA-PSS signature verification is enabled, sending a
maliciously constructed certificate chain can be used to cause a
buffer overflow on the peer's stack, potentially leading to crash
or remote code execution. This can be triggered remotely from
either side in both TLS and DTLS.
Failure to properly bounds check a buffer used for processing
DHCP options allows a malicious server (or an entity
masquerading as a server) to cause a buffer overflow (and
resulting crash) in dhclient by sending a response containing a
specially constructed options section.
A malicious client which is allowed to send very large amounts
of traffic (billions of packets) to a DHCP server can eventually
overflow a 32-bit reference counter, potentially causing dhcpd
to crash.
Laurent Delosieres, Secunia Research at Flexera Software reports:
Secunia Research has discovered a vulnerability in libsndfile, which can be
exploited by malicious people to disclose potentially sensitive information.
The vulnerability is caused due to an error in the "aiff_read_chanmap()" function
(src/aiff.c), which can be exploited to cause an out-of-bounds read memory access
via a specially crafted AIFF file. The vulnerability is confirmed in version 1.0.28.
Other versions may also be affected.
CVE-2017-8361 (Medium): The flac_buffer_copy function in flac.c in
libsndfile 1.0.28 allows remote attackers to cause a denial of service
(buffer overflow and application crash) or possibly have unspecified
other impact via a crafted audio file.
CVE-2017-8362 (Medium): The flac_buffer_copy function in flac.c in
libsndfile 1.0.28 allows remote attackers to cause a denial of service
(invalid read and application crash) via a crafted audio file.
CVE-2017-8363 (Medium): The flac_buffer_copy function in flac.c in
libsndfile 1.0.28 allows remote attackers to cause a denial of service
(heap-based buffer over-read and application crash) via a crafted audio
file.
CVE-2017-8365 (Medium): The i2les_array function in pcm.c in libsndfile
1.0.28 allows remote attackers to cause a denial of service (buffer
over-read and application crash) via a crafted audio file.
manxorist on Github reports:
CVE-2017-12562 (High): Heap-based Buffer Overflow in the
psf_binheader_writef function in common.c in libsndfile through
1.0.28 allows remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact.
Xin-Jiang on Github reports:
CVE-2017-14634 (Medium): In libsndfile 1.0.28, a divide-by-zero
error exists in the function double64_init() in double64.c, which
may lead to DoS when playing a crafted audio file.
CVE-2017-14245 (Medium): An out of bounds read in the function
d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote
DoS attack or information disclosure, related to mishandling of
the NAN and INFINITY floating-point values.
CVE-2017-14246 (Medium): An out of bounds read in the function
d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote
DoS attack or information disclosure, related to mishandling of the
NAN and INFINITY floating-point values.
my123px on Github reports:
CVE-2017-17456 (Medium): The function d2alaw_array() in alaw.c of
libsndfile 1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown
address 0x000000000000), a different vulnerability than CVE-2017-14245.
CVE-2017-17457 (Medium): The function d2ulaw_array() in ulaw.c of
libsndfile 1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown
address 0x000000000000), a different vulnerability than CVE-2017-14246.
Shibboleth SP software vulnerable to additional data forgery flaws
The XML processing performed by the Service Provider software has
been found to be vulnerable to new flaws similar in nature to the
one addressed in an advisory last month.
These bugs involve the use of other XML constructs rather than
entity references, and therefore required additional mitigation once
discovered. As with the previous issue, this flaw allows for
changes to an XML document that do not break a digital signature but
can alter the user data passed through to applications behind the SP
and result in impersonation attacks and exposure of protected
information.
As before, the use of XML Encryption is a significant mitigation,
but we have not dismissed the possibility that attacks on the
Response "envelope" may be possible, in both the original and this
new case. No actual attacks of this nature are known, so deployers
should prioritize patching systems that expect to handle unencrypted
SAML assertions.
An updated version of XMLTooling-C (V1.6.4) is available that
protects against these new attacks, and should help prevent similar
vulnerabilities in the future.
Unlike the previous case, these bugs are NOT prevented by any
existing Xerces-C parser version on any platform and cannot be
addressed by any means other than the updated XMLTooling-C library.
The Service Provider software relies on a generic XML parser to
process SAML responses and there are limitations in older versions
of the parser that make it impossible to fully disable Document Type
Definition (DTD) processing.
Through addition/manipulation of a DTD, it's possible to make
changes to an XML document that do not break a digital signature but
are mishandled by the SP and its libraries. These manipulations can
alter the user data passed through to applications behind the SP and
result in impersonation attacks and exposure of protected
information.
While newer versions of the xerces-c3 parser are configured by the
SP into disallowing the use of a DTD via an environment variable,
this feature is not present in the xerces-c3 parser before version
3.1.4, so an additional fix is being provided now that an actual DTD
exploit has been identified. Xerces-c3-3.1.4 was committed to the
ports tree already on 2016-07-26.
Several security fixes in this release, including:
[780450] High CVE-2018-6031: Use after free in PDFium. Reported by Anonymous on 2017-11-01
[787103] High CVE-2018-6032: Same origin bypass in Shared Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-20
[793620] High CVE-2018-6033: Race when opening downloaded files. Reported by Juho Nurminen on 2017-12-09
[784183] Medium CVE-2018-6034: Integer overflow in Blink. Reported by Tobias Klein (www.trapkit.de) on 2017-11-12
[797500] Medium CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
[797500] Medium CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
[753645] Medium CVE-2018-6037: Insufficient user gesture requirements in autofill. Reported by Paul Stone of Context Information Security on
2017-08-09
[774174] Medium CVE-2018-6038: Heap buffer overflow in WebGL. Reported by cloudfuzzer on 2017-10-12
[775527] Medium CVE-2018-6039: XSS in DevTools. Reported by Juho Nurminen on 2017-10-17
[778658] Medium CVE-2018-6040: Content security policy bypass. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-26
[760342] Medium CVE-2018-6041: URL spoof in Navigation. Reported by Luan Herrera on 2017-08-29
[773930] Medium CVE-2018-6042: URL spoof in OmniBox. Reported by Khalil Zhani on 2017-10-12
[785809] Medium CVE-2018-6043: Insufficient escaping with external URL handlers. Reported by 0x09AL on 2017-11-16
[797497] Medium CVE-2018-6045: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
[798163] Medium CVE-2018-6046: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-31
[799847] Medium CVE-2018-6047: Cross origin URL leak in WebGL. Reported by Masato Kinugawa on 2018-01-08
[763194] Low CVE-2018-6048: Referrer policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-09-08
[771848] Low CVE-2017-15420: URL spoofing in Omnibox. Reported by Drew Springall (@_aaspring_) on 2017-10-05
[774438] Low CVE-2018-6049: UI spoof in Permissions. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-13
[774842] Low CVE-2018-6050: URL spoof in OmniBox. Reported by Jonathan Kew on 2017-10-15
[441275] Low CVE-2018-6051: Referrer leak in XSS Auditor. Reported by Antonio Sanso (@asanso) on 2014-12-11
[615608] Low CVE-2018-6052: Incomplete no-referrer policy implementation. Reported by Tanner Emek on 2016-05-28
[758169] Low CVE-2018-6053: Leak of page thumbnails in New Tab Page. Reported by Asset Kabdenov on 2017-08-23
[797511] Low CVE-2018-6054: Use after free in WebUI. Reported by Rob Wu on 2017-12-24
Bugs in Git, Subversion, and Mercurial were just announced and patched
which allowed arbitrary local command execution if a malicious name was
used for the remote server, such as starting with - to pass options to
the ssh client:
git clone ssh://-oProxyCommand=some-command...
CVS has a similar problem with the -d option:
Tested vanilla CVS 1.12.13, and Gentoo CVS 1.12.12-r11.
LibreOffice Calc supports a WEBSERVICE function to obtain data by URL.
Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file
URL (e.g file://) which can be used to inject local files into the
spreadsheet without warning the user. Subsequent formulas can operate on
that inserted data and construct a remote URL whose path leaks the local
data to a remote attacker.
In later versions of LibreOffice without this flaw, WEBSERVICE has now
been limited to accessing http and https URLs along with bringing
WEBSERVICE URLs under LibreOffice Calc's link management infrastructure.
Note: This vulnerability has been identified upstream
as CVE-2018-1055, but NVD/Mitre are advising it's a reservation
duplicate of CVE-2018-6871 which should be used instead.
Security constraints defined by annotations of Servlets were only
applied once a Servlet had been loaded. Because security constraints
defined in this way apply to the URL pattern and any URLs below that
point, it was possible - depending on the order Servlets were loaded -
for some security constraints not to be applied. This could have exposed
resources to users who were not authorised to access them.
The URL pattern of "" (the empty string) which exactly maps to the
context root was not correctly handled when used as part of a security
constraint definition. This caused the constraint to be ignored. It was,
therefore, possible for unauthorised users to gain access to web
application resources that should have been protected. Only security
constraints with a URL pattern of the empty string were affected.
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.
This problem allows a remote server delivering certain ESI
response syntax to trigger a denial of service for all clients
accessing the Squid service.
Due to unrelated changes Squid-3.5 has become vulnerable to some
regular ESI server responses also triggering this issue.
This problem is limited to the Squid custom ESI parser.
Squid built to use libxml2 or libexpat XML parsers do not have
this problem.
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses or downloading
intermediate CA certificates.
This problem allows a remote client delivering certain HTTP
requests in conjunction with certain trusted server responses to
trigger a denial of service for all clients accessing the Squid
service.
AST-2018-002 - By crafting an SDP message with an
invalid media format description Asterisk crashes when
using the pjsip channel driver because pjproject's sdp
parsing algorithm fails to catch the invalid media format
description.
AST-2018-003 - By crafting an SDP message body with
an invalid fmtp attribute Asterisk crashes when using the
pjsip channel driver because pjproject's fmtp retrieval
function fails to check if fmtp value is empty (set empty
if previously parsed as invalid).
The GitLab SnippetFinder component contained an information disclosure
which allowed access to snippets restricted to Only team members or
configured as disabled. The issue is now resolved in the latest version.
LDAP API authorization issue
An LDAP API endpoint contained an authorization vulnerability which
unintentionally disclosed bulk LDAP groups data. This issue is now fixed in
the latest release.
Persistent XSS mermaid markdown
The mermaid markdown feature contained a persistent XSS issue that is now
resolved in the latest release.
Insecure direct object reference Todo API
The Todo API was vulnerable to an insecure direct object reference issue
which resulted in an information disclosure of confidential data.
GitHub import access control issue
An improper access control weakness issue was discovered in the GitHub
import feature. The issue allowed an attacker to create projects under other
accounts which they shouldn't have access to. The issue is now resolved in
the latest version.
Protected variables information disclosure
The CI jobs protected tag feature contained a vulnerability which
resulted in an information disclosure of protected variables. The issue is
now resolved in the latest release.
Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that
was caused by insufficient input validation. One of the configurable
parameters in algorithm identifier structures for RSASSA-PSS signatures is the
mask generation function (MGF). Only MGF1 is currently specified for this
purpose. However, this in turn takes itself a parameter that specifies the
underlying hash function. strongSwan's parser did not correctly handle the
case of this parameter being absent, causing an undefined data read.
his vulnerability has been registered as CVE-2018-6459.
This is a security release that fixes an integer overflow in code generated by binpac. This issue can be used by remote attackers to crash Bro (i.e. a DoS attack). There also is a possibility this can be exploited in other ways. (CVE pending.)
Bro before Bro v2.5.2 is vulnerable to an out of bounds write in the ContentLine analyzer allowing remote attackers to cause a denial of service (crash) and possibly other exploitation.
A flaw was found in the embedded DNS library used in consul which
may allow a denial of service attack. Consul was updated to include
the fixed version.
CVE-2018-5800: An off-by-one error within the "LibRaw::kodak_ycbcr_load_raw()"
function (internal/dcraw_common.cpp) can be exploited to cause a heap-based
buffer overflow and subsequently cause a crash.
CVE-2017-5801: An error within the "LibRaw::unpack()" function
(src/libraw_cxx.cpp) can be exploited to trigger a NULL pointer dereference.
CVE-2017-5802: An error within the "kodak_radc_load_raw()" function
(internal/dcraw_common.cpp) related to the "buf" variable can be exploited
to cause an out-of-bounds read memory access and subsequently cause a crash.
CVE-2017-16909: An error related to the "LibRaw::panasonic_load_raw()"
function (dcraw_common.cpp) can be exploited to cause a heap-based buffer
overflow and subsequently cause a crash via a specially crafted TIFF image.
CVE-2017-16910: An error within the "LibRaw::xtrans_interpolate()" function
(internal/dcraw_common.cpp) can be exploited to cause an invalid read
memory access.
The Quagga BGP daemon, bgpd, does not properly bounds
check the data sent with a NOTIFY to a peer, if an attribute
length is invalid. Arbitrary data from the bgpd process
may be sent over the network to a peer and/or it may crash.
The Quagga BGP daemon, bgpd, can double-free memory
when processing certain forms of UPDATE message, containing
cluster-list and/or unknown attributes.
The Quagga BGP daemon, bgpd, can overrun internal BGP
code-to-string conversion tables used for debug by 1
pointer value, based on input.
The Quagga BGP daemon, bgpd, can enter an infinite
loop if sent an invalid OPEN message by a configured peer.
A remote code execution vulnerability has been spotted in use
against some users running PyBitmessage v0.6.2. The cause was
identified and a fix has been added and released as 0.6.3.2. (Will be
updated if/when CVE will be available.)
Jenkins did not properly prevent specifying relative paths that
escape a base directory for URLs accessing plugin resource files. This
allowed users with Overall/Read permission to download files from the
Jenkins master they should not have access to.
bchunk 1.2.0 and 1.2.1 is vulnerable to a heap-based buffer
overflow (with a resultant invalid free) and crash when processing a
malformed CUE (.cue) file.
It was discovered that the uwsgi_expand_path function in utils.c in
Unbit uWSGI, an application container server, has a stack-based buffer
overflow via a large directory length that can cause a
denial-of-service (application crash) or stack corruption.
There is a possible integer overflow in PyString_DecodeEscape
function of the file stringobject.c, which can be abused to gain
a heap overflow, possibly leading to arbitrary code execution.
mpv through 0.28.0 allows remote attackers to execute arbitrary code
via a crafted web site, because it reads HTML documents containing
VIDEO elements, and accepts arbitrary URLs in a src attribute without
a protocol whitelist in player/lua/ytdl_hook.lua. For example, an
av://lavfi:ladspa=file= URL signifies that the product should call
dlopen on a shared object file located at an arbitrary local pathname.
The issue exists because the product does not consider that youtube-dl
can provide a potentially unsafe URL.
Heap-based buffer overflow in the
NCompress::NShrink::CDecoder::CodeReal method in 7-Zip before
18.00 and p7zip allows remote attackers to cause a denial of
service (out-of-bounds write) or potentially execute arbitrary
code via a crafted ZIP archive.
Insufficient exception handling in the method
NCompress::NRar3::CDecoder::Code of 7-Zip before 18.00 and p7zip
can lead to multiple memory corruptions within the PPMd code,
alows remote attackers to cause a denial of service (segmentation
fault) or execute arbitrary code via a crafted RAR archive.
Calls into build_benocde that use %zu could crash on 64 bit
machines due to the size change of size_t. Someone can force
READ_ENC_IA to fail allowing an internal_error to be thrown
and bring down the client.
An XSS vulnerability in the user options CGI could allow a crafted URL
to execute arbitrary javascript in a user's browser. A related issue
could expose information on a user's options page without requiring
login.
CVE-2018-6188: Information leakage in AuthenticationForm
A regression in Django 1.11.8 made AuthenticationForm run its
confirm_login_allowed() method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
confirm_login_allowed() raises. If confirm_login_allowed() isn't
overridden, an attacker enter an arbitrary username and see if that user
has been set to is_active=False. If confirm_login_allowed() is
overridden, more sensitive details could be leaked.
This issue is fixed with the caveat that AuthenticationForm can no
longer raise the "This account is inactive." error if the authentication
backend rejects inactive users (the default authentication backend,
ModelBackend, has done that since Django 1.10). This issue will be
revisited for Django 2.1 as a fix to address the caveat will likely be too
invasive for inclusion in older versions.
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. A abort of
SASL authentication results in a memory leak in Dovecot auth client
used by login processes. The leak has impact in high performance
configuration where same login processes are reused and can cause the
process to crash due to memory exhaustion.
Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code.
During TLS 1.2 exchanges, handshake hashes are generated which
point to a message buffer. This saved data is used for later
messages but in some cases, the handshake transcript can
exceed the space available in the current buffer, causing the
allocation of a new buffer. This leaves a pointer pointing to
the old, freed buffer, resulting in a use-after-free when
handshake hashes are then calculated afterwards. This can
result in a potentially exploitable crash.
A stack-based buffer overflow within GNOME gcab through
0.7.4 can be exploited by malicious attackers to cause a
crash or, potentially, execute arbitrary code via a
crafted .cab file.
libcurl 7.1 through 7.57.0 might accidentally leak authentication
data to third parties. When asked to send custom headers in its HTTP
requests, libcurl will send that set of headers first to the host in
the initial URL but also, if asked to follow redirects and a 30X HTTP
response code is returned, to the host mentioned in URL in the
`Location:` response header value. Sending the same set of headers to
subsequest hosts is in particular a problem for applications that pass
on custom `Authorization:` headers, as this header often contains
privacy sensitive information or data that could allow others to
impersonate the libcurl-using client's request.
[778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by
Ned Williamson on 2017-10-26
[762374] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by
Ke Liu of Tencent's Xuanwu LAB on 2017-09-06
[763972] High CVE-2017-15409: Out of bounds write in Skia. Reported by
Anonymous on 2017-09-11
[765921] High CVE-2017-15410: Use after free in PDFium. Reported by
Luat Nguyen of KeenLab, Tencent on 2017-09-16
[770148] High CVE-2017-15411: Use after free in PDFium. Reported by
Luat Nguyen of KeenLab, Tencent on 2017-09-29
[727039] High CVE-2017-15412: Use after free in libXML. Reported by
Nick Wellnhofer on 2017-05-27
[766666] High CVE-2017-15413: Type confusion in WebAssembly. Reported by
Gaurav Dewan of Adobe Systems India Pvt. Ltd. on 2017-09-19
[765512] Medium CVE-2017-15415: Pointer information disclosure in IPC call.
Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15
[779314] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by
Ned Williamson on 2017-10-28
[699028] Medium CVE-2017-15417: Cross origin information disclosure in Skia.
Reported by Max May on 2017-03-07
[765858] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by
Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-09-15
[780312] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink.
Reported by Jun Kokatsu on 2017-10-31
[777419] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by
WenXu Wu of Tencent's Xuanwu Lab on 2017-10-23
[774382] Medium CVE-2017-15422: Integer overflow in ICU. Reported by
Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13
[780484] Medium CVE-2017-15430: Unsafe navigation in Chromecast Plugin.
Reported by jinmo123 on 2017-01-11
[778101] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL.
Reported by Greg Hudson on 2017-10-25
[756226] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by
Khalil Zhani on 2017-08-16
[756456] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by
xisigr of Tencent's Xuanwu Lab on 2017-08-17
[757735] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by
WenXu Wu of Tencent's Xuanwu Lab on 2017-08-18
[768910] Low CVE-2017-15427: Insufficient blocking of Javascript in Omnibox.
Reported by Junaid Farhan on 2017-09-26
[792099] Various fixes from internal audits, fuzzing and other initiatives
An issue has been found in the DNSSEC validation component of
PowerDNS Recursor, allowing an ancestor delegation NSEC or NSEC3
record to be used to wrongfully prove the non-existence of a RR
below the owner name of that record. This would allow an attacker in
position of man-in-the-middle to send a NXDOMAIN answer for a name
that does exist.
We discovered a vulnerability in the processing of wildcard synthesized
NSEC records. While synthesis of NSEC records is allowed by RFC4592,
these synthesized owner names should not be used in the NSEC processing.
This does, however, happen in Unbound 1.6.7 and earlier versions.
Password updater working with PostgreSQL - The cron for updating legacy password hashes was running invalid queries on PostgreSQL.
Deleting orphaned attachments w/ large number of orphaned attachments - Orphaned attachment deletion was improved to be able to delete them when a large number of orphaned attachments exist.
Multiple bugfixes for retrieving image size - Multiple issues with retrieving the image size of JPEGs and temporary files were resolved.
Issues with updating from phpBB 3.0.6 - Inconsistencies in the way parent modules were treated caused issues with updating from older phpBB 3.0 versions.
Forum / topic icon blurriness - Fixed issues with forum and topic icons looking blurry on some browsers.
Not all vulnerabilities are relevant for all flavors/versions of the
servers and clients
Vulnerability allows low privileged attacker with network access
via multiple protocols to compromise MySQL Server. Successful attacks
of this vulnerability can result in unauthorized ability to cause a
hang or frequently repeatable crash (complete DOS) of MySQL Server.
GIS: CVE-2018-2573, DDL CVE-2018-2622, Optimizer: CVE-2018-2640,
CVE-2018-2665, CVE-2018-2668, Security:Privileges: CVE-2018-2703,
Partition: CVE-2018-2562.
Vulnerability allows high privileged attacker with network access
via multiple protocols to compromise MySQL Server. Successful attacks
of this vulnerability can result in unauthorized ability to cause a
hang or frequently repeatable crash (complete DOS) of MySQL Server.
InnoDB: CVE-2018-2565, CVE-2018-2612 DML: CVE-2018-2576,
CVE-2018-2646, Stored Procedure: CVE-2018-2583, Performance Schema:
CVE-2018-2590, Partition: CVE-2018-2591, Optimizer: CVE-2018-2600,
CVE-2018-2667, Security:Privileges: CVE-2018-2696, Replication:
CVE-2018-2647.
Vulnerability allows a low or high privileged attacker with network
access via multiple protocols to compromise MySQL Server with
unauthorized creation, deletion, modification or access to data/
critical data. InnoDB: CVE-2018-2612, Performance Schema:
CVE-2018-2645, Replication: CVE-2018-2647, Partition: CVE-2018-2562.
Today we are releasing versions 10.3.4, 10.2.6, and 10.1.6 for
GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain a number of important security fixes,
including two that prevent remote code execution, and we strongly
recommend that all GitLab installations be upgraded to one of these
versions immediately.
The transmission bittorrent client uses a client/server
architecture, the user interface is the client which communicates
to the worker daemon using JSON RPC requests.
As with all HTTP RPC schemes like this, any website can send
requests to the daemon listening on localhost with XMLHttpRequest(),
but the theory is they will be ignored because clients must prove
they can read and set a specific header, X-Transmission-Session-Id.
Unfortunately, this design doesn't work because of an attack called
"DNS rebinding". Any website can simply create a dns name that they
are authorized to communicate with, and then make it resolve to
localhost.
Exploitation is simple, you could set script-torrent-done-enabled
and run any command, or set download-dir to /home/user/ and then
upload a torrent for .bashrc.
Shibboleth SP software vulnerable to forged user attribute data
The Service Provider software relies on a generic XML parser to
process SAML responses and there are limitations in older versions
of the parser that make it impossible to fully disable Document Type
Definition (DTD) processing.
Through addition/manipulation of a DTD, it's possible to make
changes to an XML document that do not break a digital signature but
are mishandled by the SP and its libraries. These manipulations can
alter the user data passed through to applications behind the SP and
result in impersonation attacks and exposure of protected
information.
While newer versions of the xerces-c3 parser are configured by the
SP into disallowing the use of a DTD via an environment variable,
this feature is not present in the xerces-c3 parser before version
3.1.4, so an additional fix is being provided now that an actual DTD
exploit has been identified. Xerces-c3-3.1.4 was committed to the
ports tree already on 2016-07-26.
Awstats version 7.6 and earlier is vulnerable to a path traversal
flaw in the handling of the "config" and "migrate" parameters resulting
in unauthenticated remote code execution.
Jann Horn of Google Project Zero
Security reported that speculative execution performed
by modern CPUs could leak information through a timing
side-channel attack. Microsoft Vulnerability Research
extended this attack to browser JavaScript engines and
demonstrated that code on a malicious web page could
read data from other web sites (violating the
same-origin policy) or private data from the browser
itself.
Since this new class of attacks involves measuring
precise time intervals, as a parti al, short-term,
mitigation we are disabling or reducing the precision of
several time sources in Firefox. The precision of
performance.now() has been reduced from 5μs
to 20μs, and the SharedArrayBuffer feature
has been disabled because it can be used to construct a
high-resolution timer.
A stack out-of-bounds read occurs in match_at() during regular
expression searching. A logical error involving order of validation
and access in match_at() could result in an out-of-bounds read from
a stack buffer (CVE-2017-9224).
A heap out-of-bounds write or read occurs in next_state_val()
during regular expression compilation. Octal numbers larger than 0xff
are not handled correctly in fetch_token() and fetch_token_in_cc().
A malformed regular expression containing an octal number in the form
of '\700' would produce an invalid code point value larger than 0xff
in next_state_val(), resulting in an out-of-bounds write memory
corruption (CVE-2017-9226).
A stack out-of-bounds read occurs in mbc_enc_len() during regular
expression searching. Invalid handling of reg->dmin in
forward_search_range() could result in an invalid pointer dereference,
as an out-of-bounds read from a stack buffer (CVE-2017-9227).
A heap out-of-bounds write occurs in bitset_set_range() during
regular expression compilation due to an uninitialized variable from
an incorrect state transition. An incorrect state transition in
parse_char_class() could create an execution path that leaves a
critical local variable uninitialized until it's used as an index,
resulting in an out-of-bounds write memory corruption (CVE-2017-9228).
A SIGSEGV occurs in left_adjust_char_head() during regular expression
compilation. Invalid handling of reg->dmax in forward_search_range() could
result in an invalid pointer dereference, normally as an immediate
denial-of-service condition (CVE-2017-9228).
The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon.
The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.
The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.
When installing themes with unterminated colour formatting
sequences, Irssi may access data beyond the end of the string.
While waiting for the channel synchronisation, Irssi may
incorrectly fail to remove destroyed channels from the query list,
resulting in use after free conditions when updating the state later
on.
Certain incorrectly formatted DCC CTCP messages could cause NULL
pointer dereference.
Overlong nicks or targets may result in a NULL pointer dereference
while splitting the message.
In certain cases Irssi may fail to verify that a Safe channel ID
is long enough, causing reads beyond the end of the string.
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before
1.3.3 allows unauthorized access to arbitrary files on the host's filesystem,
including configuration files, as exploited in the wild in November 2017.
The attacker must be able to authenticate at the target system with a valid
username/password as the attack requires an active session.
An attacker who is logged into OTRS as an agent can request special URLs
from OTRS which can lead to the execution of shell commands with the
permissions of the web server user.
An attacker who is logged into OTRS as a customer can use the ticket search
form to disclose internal article information of their customer tickets.
An attacker who is logged into OTRS as an agent can manipulate form
parameters and execute arbitrary shell commands with the permissions of the
OTRS or web server user.
An attacker can send a specially prepared email to an OTRS system. If this
system has cookie support disabled, and a logged in agent clicks a link in this
email, the session information could be leaked to external systems, allowing the
attacker to take over the agentâs session.
CVE-2017-13098 ("ROBOT"), a Bleichenbacher oracle in TLS
when RSA key exchange is negotiated. This potentially affected
BCJSSE servers and any other TLS servers configured to use JCE
for the underlying crypto - note the two TLS implementations
using the BC lightweight APIs are not affected by this.
A select set of SIP messages create a dialog in Asterisk.
Those SIP messages must contain a contact header. For
those messages, if the header was not present and using
the PJSIP channel driver, it would cause Asterisk to
crash. The severity of this vulnerability is somewhat
mitigated if authentication is enabled. If authentication
is enabled a user would have to first be authorized before
reaching the crash point.
By deceiving a user to click on a crafted URL, it is
possible to perform harmful database operations such as
deleting records, dropping/truncating tables etc.
The cPanel Security Team discovered a vulnerability in Passenger
that allows users to list the contents of arbitrary files on the
system. CVE-2017-16355 has been assigned to this issue.
A non-privileged X client can instruct X server running under root
to open any file by creating own directory with "fonts.dir",
"fonts.alias" or any font file being a symbolic link to any other
file in the system. X server will then open it. This can be issue
with special files such as /dev/watchdog.
If a pattern contains '?' character, any character in the string
is skipped, even if it is '\0'. The rest of the matching then reads
invalid memory.
Without the checks a malformed PCF file can cause the library to
make atom from random heap memory that was behind the `strings`
buffer. This may crash the process or leak information.
It is possible to trigger heap overflows due to an integer
overflow while parsing images and a signedness issue while
parsing comments.
The integer overflow occurs because the chosen limit 0x10000
for dimensions is too large for 32 bit systems, because each pixel
takes 4 bytes. Properly chosen values allow an overflow which in
turn will lead to less allocated memory than needed for subsequent
reads.
The signedness bug is triggered by reading the length of a comment
as unsigned int, but casting it to int when calling the function
XcursorCommentCreate. Turning length into a negative value allows
the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
addition of sizeof (XcursorComment) + 1 makes it possible to
allocate less memory than needed for subsequent reads.
gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching
the program specified by the BROWSER environment variable, which might
allow remote attackers to conduct argument-injection attacks via a crafted
URL.
A race condition during Jenkins startup could result in the wrong
order of execution of commands during initialization.
On Jenkins 2.81 and newer, including LTS 2.89.1, this could in
rare cases (we estimate less than 20% of new instances) result in
failure to initialize the setup wizard on the first startup.
There is a very short window of time after startup during which
Jenkins may no longer show the "Please wait while Jenkins is
getting ready to work" message, but Cross-Site Request Forgery
(CSRF) protection may not yet be effective.
Data Confidentiality/Integrity Vulnerability - CVE-2017-15896
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.
Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.
Also included in OpenSSL update - CVE 2017-3738
Note that CVE 2017-3738 of OpenSSL-1.0.2 affected Node but it was low severity.
Etienne Stalmans from the Heroku product security team reports:
There is a command injection vulnerability in Net::FTP bundled with Ruby.
Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pipe character "|", the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
User without access to private Wiki can see it on the project page
Matthias Burtscher reported that it was possible for a user to see a
private Wiki on the project page without having the corresponding
permission.
E-mail address disclosure through member search fields
Hugo Geoffroy reported via HackerOne that it was possible to find out the
full e-mail address of any user by brute-forcing the member search
field.
Groups API leaks private projects
An internal code review discovered that users were able to list private
projects they had no access to by using the Groups API.
Cross-Site Scripting (XSS) possible by editing a comment
Sylvain Heiniger reported via HackerOne that it was possible for
arbitrary JavaScript code to be executed when editing a comment.
Issue API allows any user to create a new issue even when issues are
restricted or disabled
Mohammad Hasbini reported that any user could create a new issues in a
project even when issues were disabled or restricted to team members in the
project settings.
If a compound RTCP packet is received containing more
than one report (for example a Receiver Report and a
Sender Report) the RTCP stack will incorrectly store
report information outside of allocated memory potentially
causing a crash.
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.
No size checking is done when setting the user field
for Party B on a CDR. Thus, it is possible for someone
to use an arbitrarily large string and write past the end
of the user field storage buffer. The earlier AST-2017-001
advisory for the CDR user field overflow was for the Party
A buffer.
A memory leak occurs when an Asterisk pjsip session
object is created and that call gets rejected before the
session itself is fully established. When this happens
the session object never gets destroyed. This then leads
to file descriptors and RTP ports being leaked as well.
If the chan_skinny (AKA SCCP protocol) channel driver
is flooded with certain requests it can cause the asterisk
process to use excessive amounts of virtual memory
eventually causing asterisk to stop processing requests
of any kind.
NTLM buffer overflow via integer overflow
(CVE-2017-8816) libcurl contains a buffer overrun flaw
in the NTLM authentication code.
The internal function Curl_ntlm_core_mk_ntlmv2_hash sums up
the lengths of the user name + password (= SUM) and multiplies
the sum by two (= SIZE) to figure out how large storage to
allocate from the heap.
FTP wildcard out of bounds read (CVE-2017-8817)
libcurl contains a read out of bounds flaw in the FTP wildcard
function.
libcurl's FTP wildcard matching feature, which is enabled with
the CURLOPT_WILDCARDMATCH option can use a built-in wildcard
function or a user provided one. The built-in wildcard function
has a flaw that makes it not detect the end of the pattern
string if it ends with an open bracket ([) but instead it will
continue reading the heap beyond the end of the URL buffer that
holds the wildcard.
SSL out of buffer access (CVE-2017-8818)
libcurl contains an out boundary access flaw in SSL related code.
When allocating memory for a connection (the internal struct
called connectdata), a certain amount of memory is allocated at
the end of the struct to be used for SSL related structs. Those
structs are used by the particular SSL library libcurl is built
to use. The application can also tell libcurl which specific SSL
library to use if it was built to support more than one.
Invoking SSL_read()/SSL_write() while in an error state
causes data to be passed without being decrypted/encrypted
directly from the SSL/TLS record layer.
In order to exploit this issue an application bug would
have to be present that resulted in a call to
SSL_read()/SSL_write() being issued after having already
received a fatal error. [CVE-2017-3737]
There is an overflow bug in the x86_64 Montgomery
multiplication procedure used in exponentiation with 1024-bit
moduli. This only affects processors that support the AVX2
but not ADX extensions like Intel Haswell (4th generation).
[CVE-2017-3738] This bug only affects FreeBSD 11.x.
Impact:
Applications with incorrect error handling may inappropriately
pass unencrypted data. [CVE-2017-3737]
Mishandling of carry propagation will produce incorrect
output, and make it easier for a remote attacker to obtain
sensitive private-key information. No EC algorithms are
affected and analysis suggests that attacks against RSA and
DSA as a result of this defect would be very difficult to
perform and are not believed likely.
Attacks against DH1024 are considered just feasible
(although very difficult) because most of the work necessary
to deduce information about a private key may be performed
offline. The amount of resources required for such an attack
would be very significant and likely only accessible to a
limited number of attackers. However, for an attack on TLS
to be meaningful, the server would have to share the DH1024
private key among multiple clients, which is no longer an
option since CVE-2016-0701. [CVE-2017-3738]
Read/write after SSL object in error state (CVE-2017-3737)
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error
state" mechanism. The intent was that if a fatal error occurred
during a handshake then OpenSSL would move into the error state and
would immediately fail if you attempted to continue the handshake.
This works as designed for the explicit handshake functions
(SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to
a bug it does not work correctly if SSL_read() or SSL_write() is
called directly. In that scenario, if the handshake fails then a
fatal error will be returned in the initial function call. If
SSL_read()/SSL_write() is subsequently called by the application for
the same SSL object then it will succeed and the data is passed
without being decrypted/encrypted directly from the SSL/TLS record
layer.
rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
There is an overflow bug in the AVX2 Montgomery multiplication
procedure used in exponentiation with 1024-bit moduli. No EC
algorithms are affected. Analysis suggests that attacks against
RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH1024 are
considered just feasible, because most of the work necessary to
deduce information about a private key may be performed offline.
The amount of resources required for such an attack would be
significant. However, for an attack on TLS to be meaningful, the
server would have to share the DH1024 private key among multiple
clients, which is no longer an option since CVE-2016-0701.
A vulnerability was found in how a number of implementations
can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK,
or IGTK) by replaying a specific frame that is used to
manage the keys.
Impact:
Such reinstallation of the encryption key can result in
two different types of vulnerabilities: disabling replay
protection and significantly reducing the security of
encryption to the point of allowing frames to be decrypted
or some parts of the keys to be determined by an attacker
depending on which cipher is used.
Not all information in the struct ptrace_lwpinfo is
relevant for the state of any thread, and the kernel does
not fill the irrelevant bytes or short strings. Since the
structure filled by the kernel is allocated on the kernel
stack and copied to userspace, a leak of information of the
kernel stack of the thread is possible from the debugger.
Impact:
Some bytes from the kernel stack of the thread using
ptrace(PT_LWPINFO) call can be observed in userspace.
Named paths are globally scoped, meaning a process located
in one jail can read and modify the content of POSIX shared
memory objects created by a process in another jail or the
host system.
Impact:
A malicious user that has access to a jailed system is
able to abuse shared memory by injecting malicious content
in the shared memory region. This memory region might be
executed by applications trusting the shared memory, like
Squid.
This issue could lead to a Denial of Service or local
privilege escalation.
The kernel does not properly clear the memory of the
kld_file_stat structure before filling the data. Since the
structure filled by the kernel is allocated on the kernel
stack and copied to userspace, a leak of information from
the kernel stack is possible.
Impact:
Some bytes from the kernel stack can be observed in
userspace.
If an X.509 certificate has a malformed IPAddressFamily
extension, OpenSSL could do a one-byte buffer overread.
[CVE-2017-3735]
There is a carry propagating bug in the x86_64 Montgomery
squaring procedure. This only affects processors that support
the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th
generation) and later or AMD Ryzen. [CVE-2017-3736] This
bug only affects FreeBSD 11.x.
Impact:
Application using OpenSSL may display erroneous certificate
in text format. [CVE-2017-3735]
Mishandling of carry propagation will produce incorrect
output, and make it easier for a remote attacker to obtain
sensitive private-key information. No EC algorithms are
affected, analysis suggests that attacks against RSA and
DSA as a result of this defect would be very difficult to
perform and are not believed likely.
Attacks against DH are considered just feasible (although
very difficult) because most of the work necessary to deduce
information about a private key may be performed offline.
The amount of resources required for such an attack would
be very significant and likely only accessible to a limited
number of attackers. An attacker would additionally need
online access to an unpatched system using the target private
key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. [CVE-2017-3736]
A wrong if statement in the varnishd source code means that
synthetic objects in stevedores which over-allocate, may leak up to page
size of data from a malloc(3) memory allocation.
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.
Incorrect implementation of access controls allows remote users to
override repository restrictions in Borg servers. A user able to
access a remote Borg SSH server is able to circumvent access controls
post-authentication. Affected releases: 1.1.0, 1.1.1, 1.1.2. Releases
1.0.x are NOT affected.
The scp_v0s_accept function in the session manager uses an untrusted integer as a write length,
which allows local users to cause a denial of service (buffer overflow and application crash)
or possibly have unspecified other impact via a crafted input stream.
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
Directory traversal vulnerability in minion id validation in SaltStack.
Allows remote minions with incorrect credentials to authenticate to a
master via a crafted minion ID. Credit for discovering the security flaw
goes to: Julian Brost (julian@0x4a42.net). NOTE: this vulnerability exists
because of an incomplete fix for CVE-2017-12791.
Remote Denial of Service with a specially crafted authentication request.
Credit for discovering the security flaw goes to: Julian Brost
(julian@0x4a42.net)
A vulnerability exists in the BGP daemon of FRR where a malformed BGP UPDATE
packet can leak information from the BGP daemon and cause a denial of
service by crashing the daemon.
By carefully crafting invalid values in the Cseq and
the Via header port, pjprojects packet parsing code can
create strings larger than the buffer allocated to hold
them. This will usually cause Asterisk to crash immediately.
The packets do not have to be authenticated.
The Shibboleth Service Provider software includes a MetadataProvider
plugin with the plugin type "Dynamic" to obtain metadata on demand
from a query server, in place of the more typical mode of
downloading aggregates separately containing all of the metadata to
load.
All the plugin types rely on MetadataFilter plugins to perform
critical security checks such as signature verification, enforcement
of validity periods, and other checks specific to deployments.
Due to a coding error, the "Dynamic" plugin fails to configure
itself with the filters provided to it and thus omits whatever
checks they are intended to perform, which will typically leave
deployments vulnerable to active attacks involving the substitution
of metadata if the network path to the query service is
compromised.
The PHP development team announces the immediate availability of PHP
5.6.32. This is a security release. Several security bugs were fixed in this
release. All PHP 5.6 users are encouraged to upgrade to this version.
The PHP development team announces the immediate availability of PHP
7.0.25. This is a security release. Several security bugs were fixed in this
release. All PHP 7.0 users are encouraged to upgrade to this version.
The PHP development team announces the immediate availability of PHP
7.1.11. This is a bugfix release, with several bug fixes included. All PHP
7.1 users are encouraged to upgrade to this version.
Stored cross-site scripting (XSS) vulnerability in "geminabox"
(Gem in a Box) before 0.13.10 allows attackers to inject arbitrary
web script via the "homepage" value of a ".gemspec" file, related
to views/gem.erb and views/index.erb.
Konversation has support for colors in IRC messages. Any malicious user connected to the same IRC network can send a carefully crafted message that will crash the Konversation user client.
Jenkins stores metadata related to people, which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping. This potentially resulted in a number of problems.
Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.
bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
Severity: Moderate
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that
attacks against RSA and DSA as a result of this defect would be
very difficult to perform and are not believed likely. Attacks
against DH are considered just feasible (although very difficult)
because most of the work necessary to deduce information about a
private key may be performed offline.
Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
Severity: Low
This issue was previously announced in security advisory
https://www.openssl.org/news/secadv/20170828.txt, but the fix has
not previously been included in a release due to its low severity.
WordPress versions 4.8.2 and earlier are affected by an issue
where $wpdb->prepare() can create unexpected and unsafe queries
leading to potential SQL injection (SQLi). WordPress core is not
directly vulnerable to this issue, but we've added hardening to
prevent plugins and themes from accidentally causing a vulnerability.
In Wireshark 2.4.0 to 2.4.1, the DOCSIS dissector could go into an infinite loop. This was addressed in plugins/docsis/packet-docsis.c by adding decrements.
In Wireshark 2.4.0 to 2.4.1, the RTSP dissector could crash. This was addressed in epan/dissectors/packet-rtsp.c by correcting the scope of a variable.
In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 2.0.15, the DMP dissector could crash. This was addressed in epan/dissectors/packet-dmp.c by validating a string length.
In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the BT ATT dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by considering a case where not all of the BTATT packets have the same encapsulation level.
In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the MBIM dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-mbim.c by changing the memory-allocation approach.
Wget contains two vulnerabilities, a stack overflow and a heap
overflow, in the handling of HTTP chunked encoding. By convincing
a user to download a specific link over HTTP, an attacker may be
able to execute arbitrary code with the privileges of the user.
Wget contains two vulnerabilities, a stack overflow and a heap
overflow, in the handling of HTTP chunked encoding. By convincing
a user to download a specific link over HTTP, an attacker may be
able to execute arbitrary code with the privileges of the user.
CVE-2017-3157: Arbitrary file disclosure in Calc and Writer
By exploiting the way OpenOffice renders embedded objects, an attacker could craft a document that allows reading in a file from the user's filesystem. Information could be retrieved by the attacker by, e.g., using hidden sections to store the information, tricking the user into saving the document and convincing the user to sent the document back to the attacker.
The vulnerability is mitigated by the need for the attacker to know the precise file path in the target system, and the need to trick the user into saving the document and sending it back.
CVE-2017-9806: Out-of-Bounds Write in Writer's WW8Fonts Constructor
A vulnerability in the OpenOffice Writer DOC file parser, and specifically in the WW8Fonts Constructor, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.
CVE-2017-12607: Out-of-Bounds Write in Impress' PPT Filter
A vulnerability in OpenOffice's PPT file parser, and specifically in PPTStyleSheet, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.
CVE-2017-12608: Out-of-Bounds Write in Writer's ImportOldFormatStyles
A vulnerability in OpenOffice Writer DOC file parser, and specifically in ImportOldFormatStyles, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.
Cross-Site Scripting (XSS) vulnerability in the Markdown sanitization
filter
Yasin Soliman via HackerOne reported a Cross-Site Scripting (XSS)
vulnerability in the GitLab markdown sanitization filter. The sanitization
filter was not properly stripping invalid characters from URL schemes and
was therefore vulnerable to persistent XSS attacks anywhere Markdown was
supported.
Cross-Site Scripting (XSS) vulnerability in search bar
Josh Unger reported a Cross-Site Scripting (XSS) vulnerability in the
issue search bar. Usernames were not being properly HTML escaped inside the
author filter would could allow arbitrary script execution.
Open redirect in repository git redirects
Eric Rafaloff via HackerOne reported that GitLab was vulnerable to an
open redirect vulnerability when redirecting requests for repository names
that include the git extension. GitLab was not properly removing dangerous
parameters from the params field before redirecting which could allow an
attacker to redirect users to arbitrary hosts.
Username changes could leave repositories behind
An internal code review discovered that a bug in the code that moves
repositories during a username change could potentially leave behind
projects, allowing an attacker who knows the previous username to
potentially steal the contents of repositories on instances that are not
configured with hashed namespaces.
Node.js was susceptible to a remote DoS attack due to a change that came in as part of zlib v1.2.9. In zlib v1.2.9 8 became an invalid value for the windowBits parameter and Node's zlib module will crash or throw an exception (depending on the version)
libcurl contains a buffer overrun flaw in the IMAP handler.
An IMAP FETCH response line indicates the size of the returned data,
in number of bytes. When that response says the data is zero bytes,
libcurl would pass on that (non-existing) data with a pointer and
the size (zero) to the deliver-data function.
libcurl's deliver-data function treats zero as a magic number and
invokes strlen() on the data to figure out the length. The strlen()
is called on a heap based buffer that might not be zero terminated
so libcurl might read beyond the end of it into whatever memory lies
after (or just crash) and then deliver that to the application as if
it was actually downloaded.
In MIT krb5 1.7 and later, an authenticated attacker can cause an
assertion failure in krb5kdc by sending an invalid S4U2Self or
S4U2Proxy request.
CVE-2017-11462:
RFC 2744 permits a GSS-API implementation to delete an existing
security context on a second or subsequent call to gss_init_sec_context()
or gss_accept_sec_context() if the call results in an error.
This API behavior has been found to be dangerous, leading to the
possibility of memory errors in some callers. For safety, GSS-API
implementations should instead preserve existing security contexts
on error until the caller deletes them.
All versions of MIT krb5 prior to this change may delete acceptor
contexts on error. Versions 1.13.4 through 1.13.7, 1.14.1 through
1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts
on error.
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.
Lucene XML parser does not explicitly prohibit doctype declaration and expansion of external entities which leads to arbitrary HTTP requests to the local SOLR instance and to bypass all firewall restrictions.
Solr "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such listener can be enabled with any parameters just by using Config API with add-listener command.
An exploitable heap based buffer overflow vulnerability exists in the read_biff_next_record function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability.
An exploitable heap-based buffer overflow vulnerability exists in the read_legacy_biff function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability.
In libosip2 in GNU oSIP 4.1.0 and 5.0.0, a malformed SIP message can lead to a heap buffer overflow in the msg_osip_body_parse() function defined in osipparser2/osip_message_parse.c, resulting in a remote DoS.
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.
There is a possible unsafe object desrialization vulnerability in
RubyGems. It is possible for YAML deserialization of gem specifications
to bypass class white lists. Specially crafted serialized objects can
possibly be used to escalate to remote code execution.
There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.
There is a reachable assertion abort in the function TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.
Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.
X.Org thanks Michal Srb of SuSE for finding these issues
and bringing them to our attention, Julien Cristau of
Debian for getting the fixes integrated, and Adam Jackson
of Red Hat for publishing the release.
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
libcurl may read outside of a heap allocated buffer when doing FTP.
When libcurl connects to an FTP server and successfully logs in
(anonymous or not), it asks the server for the current directory with
the PWD command. The server then responds with a 257 response containing
the path, inside double quotes. The returned path name is then kept by
libcurl for subsequent uses.
Due to a flaw in the string parser for this directory name, a directory
name passed like this but without a closing double quote would lead to
libcurl not adding a trailing NUL byte to the buffer holding the name.
When libcurl would then later access the string, it could read beyond
the allocated heap buffer and crash or wrongly access data beyond the
buffer, thinking it was part of the path.
A malicious server could abuse this fact and effectively prevent
libcurl-based clients to work with it - the PWD command is always issued
on new FTP connections and the mistake has a high chance of causing a
segfault.
There is a programming error in the Heimdal implementation
that used an unauthenticated, plain-text version of the
KDC-REP service name found in a ticket.
Impact:
An attacker who has control of the network between a
client and the service it talks to will be able to impersonate
the service, allowing a successful man-in-the-middle (MITM)
attack that circumvents the mutual authentication.
A remote attacker may be able to cause an affected SSH
server to use excessive amount of CPU by sending very long
passwords, when PasswordAuthentication is enabled by the
system administrator.
Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the Questions field in an "Add New FAQ" action.
Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the "Title of your FAQ" field in the Configuration Module.
In LibRaw through 0.18.4, an out of bounds read flaw related to kodak_65000_load_raw has been reported in dcraw/dcraw.c and internal/dcraw_common.cpp. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash.
In sam2p 0.49.3, a heap-based buffer overflow exists in the pcxLoadImage24 function of the file in_pcx.cpp.
In sam2p 0.49.3, the in_xpm_reader function in in_xpm.cpp has an integer signedness error, leading to a crash when writing to an out-of-bounds array element.
In sam2p 0.49.3, an integer overflow exists in the pcxLoadImage24 function of the file in_pcx.cpp, leading to an invalid write operation.
In sam2p 0.49.3, the pcxLoadRaster function in in_pcx.cpp has an integer signedness error leading to a heap-based buffer overflow.
Because of an integer overflow in sam2p 0.49.3, a loop executes 0xffffffff times, ending with an invalid read of size 1 in the Image::Indexed::sortPal function in image.cpp. However, this also causes memory corruption because of an attempted write to the invalid d[0xfffffffe] array element.
In sam2p 0.49.3, there is an invalid read of size 2 in the parse_rgb function in in_xpm.cpp. However, this can also cause a write to an illegal address.
Malicious attacker create GEM file with crafted homepage value
(gem.homepage in .gemspec file) includes XSS payload.
The attacker access geminabox system and uploads the gem file
(or uses CSRF/SSRF attack to do so).
From now on, any user access Geminabox web server, executes the
malicious XSS payload, that will delete any gems on the server,
and won't let users use the geminabox anymore. (make victim's
browser crash or redirect them to other hosts).
The bounds check in read_key() was performed after using the value,
instead of before. If 'key-method 1' is used, this allowed an
attacker to send a malformed packet to trigger a stack buffer
overflow. [...]
Note that 'key-method 1' has been replaced by 'key method 2' as the
default in OpenVPN 2.0 (released on 2005-04-17), and explicitly
deprecated in 2.4 and marked for removal in 2.5. This should limit
the amount of users impacted by this issue.
An exploitable buffer overflow vulnerability exists in the tag parsing functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write out of bounds resulting in a buffer overflow on the stack. An attacker can construct a malicious OFX file to trigger this vulnerability.
The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mishandles EOCD records, which allows remote attackers to cause a denial of service (memory allocation failure in _zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive.
In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c.
The ReadCAPTIONImage function in coders/caption.c in ImageMagick allows remote attackers to cause a denial of service (infinite loop) via a crafted font file.
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker to modify the SQL database. Proper SQL escaping has been added to prevent such exploits.
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a query string. Proper input validation has been added to mitigate this issue.
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by proper validating the redirect URL values being passed along.
A Stack-based Buffer Overflow was discovered in xtrans_interpolate in internal/dcraw_common.cpp in LibRaw before 0.18.3. It could allow a remote denial of service or code execution attack.
The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information.
Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.
An exploitable buffer overflow vulnerability exists in the tag parsing functionality of Ledger-CLI 3.1.1. A specially crafted journal file can cause an integer underflow resulting in code execution. An attacker can construct a malicious journal file to trigger this vulnerability.
An exploitable use-after-free vulnerability exists in the account parsing component of the Ledger-CLI 3.1.1. A specially crafted ledger file can cause a use-after-free vulnerability resulting in arbitrary code execution. An attacker can convince a user to load a journal file to trigger this vulnerability.
Ansible versions 2.2.3 and earlier are vulnerable to an information disclosure flaw due to the interaction of call back plugins and the no_log directive where the information may not be sanitized properly.
DeleteBitBuffer in libbitbuf/bitbuffer.c in mp4tools aacplusenc 0.17.5 allows remote attackers to cause a denial of service (invalid memory write, SEGV on unknown address 0x000000000030, and application crash) or possibly have unspecified other impact via a crafted .wav file, aka a NULL pointer dereference.
CVE-2017-12814: $ENV{$key} stack buffer overflow on Windows
A possible stack buffer overflow in the %ENV code on Windows has been
fixed by removing the buffer completely since it was superfluous anyway.
CVE-2017-12837: Heap buffer overflow in regular expression compiler
Compiling certain regular expression patterns with the case-insensitive
modifier could cause a heap buffer overflow and crash perl. This has now
been fixed.
CVE-2017-12883: Buffer over-read in regular expression parser
For certain types of syntax error in a regular expression pattern, the
error message could either contain the contents of a random, possibly
large, chunk of memory, or could crash perl. This has now been fixed.
[765433] High CVE-2017-5121: Out-of-bounds access in V8. Reported by
Jordan Rabet, Microsoft Offensive Security Research and Microsoft
ChakraCore team on 2017-09-14
[752423] High CVE-2017-5122: Out-of-bounds access in V8. Reported by
Choongwoo Han of Naver Corporation on 2017-08-04
[767508] Various fixes from internal audits, fuzzing and other initiatives
Apache httpd allows remote attackers to read secret data from
process memory if the Limit directive can be set in a user's
.htaccess file, or if httpd.conf has certain misconfigurations,
aka Optionsbleed. This affects the Apache HTTP Server through
2.2.34 and 2.4.x through 2.4.27. The attacker sends an
unauthenticated OPTIONS HTTP request when attempting to read
secret data. This is a use-after-free issue and thus secret data
is not always sent, and the specific data depends on many factors
including configuration. Exploitation with .htaccess can be
blocked with a patch to the ap_limit_section function in
server/core.c.
CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
If a malicious format string which contains a precious specifier (*)
is passed and a huge minus value is also passed to the specifier,
buffer underrun may be caused. In such situation, the result may
contains heap, or the Ruby interpreter may crash.
CVE-2017-10784: Escape sequence injection vulnerability in the Basic
authentication of WEBrick
When using the Basic authentication of WEBrick, clients can pass an
arbitrary string as the user name. WEBrick outputs the passed user name
intact to its log, then an attacker can inject malicious escape
sequences to the log and dangerous control characters may be executed
on a victimâs terminal emulator.
This vulnerability is similar to a vulnerability already fixed, but
it had not been fixed in the Basic authentication.
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
If a malicious string is passed to the decode method of OpenSSL::ASN1,
buffer underrun may be caused and the Ruby interpreter may crash.
CVE-2017-14064: Heap exposure vulnerability in generating JSON
The generate method of JSON module optionally accepts an instance of
JSON::Ext::Generator::State class. If a malicious instance is passed,
the result may include contents of heap.
Insufficient RTCP packet validation could allow reading
stale buffer contents and when combined with the "nat"
and "symmetric_rtp" options allow redirecting where
Asterisk sends the next RTCP report.
The RTP stream qualification to learn the source address
of media always accepted the first RTP packet as the new
source and allowed what AST-2017-005 was mitigating. The
intent was to qualify a series of packets before accepting
the new source address.
The RTP/RTCP stack will now validate RTCP packets before processing them.
Charles A. Roelli has found a security flaw in the enriched mode in GNU Emacs.
When Emacs renders MIME text/enriched data (Internet RFC 1896), it
is vulnerable to arbitrary code execution. Since Emacs-based mail
clients decode "Content-Type: text/enriched", this code is exploitable
remotely. This bug affects GNU Emacs versions 19.29 through 25.2.
In older versions, HTML autoescaping was disabled in a portion of the template
for the technical 500 debug page. Given the right circumstances, this allowed a
cross-site scripting attack. This vulnerability shouldn't affect most production
sites since you shouldn't run with DEBUG = True (which makes this page accessible)
in your production settings.
AST-2017-005 - A change was made to the strict RTP
support in the RTP stack to better tolerate late media
when a reinvite occurs. When combined with the symmetric
RTP support this introduced an avenue where media could
be hijacked. Instead of only learning a new address when
expected the new code allowed a new source address to be
learned at all times.
AST-2017-006 - The app_minivm module has an "externnotify"
program configuration option that is executed by the
MinivmNotify dialplan application. The application uses
the caller-id name and number as part of a built string
passed to the OS shell for interpretation and execution.
Since the caller-id name and number can come from an
untrusted source, a crafted caller-id name or number
allows an arbitrary shell command injection.
There is an Integer overflow in the hash_int function of the libpspp library
in GNU PSPP 0.10.5-pre2 (CVE-2017-10791).
There is a NULL Pointer Dereference in the function ll_insert() of the libpspp
library in GNU PSPP 0.10.5-pre2 (CVE-2017-10792).
There is an illegal address access in the function output_hex() in data/data-out.c
of the libpspp library in GNU PSPP 0.11.0 that will lead to remote denial of service (CVE-2017-12958).
There is a reachable assertion abort in the function dict_add_mrset() in data/dictionary.c
of the libpspp library in GNU PSPP 0.11.0 that will lead to a remote denial of service attack (CVE-2017-12959).
There is a reachable assertion abort in the function dict_rename_var() in data/dictionary.c
of the libpspp library in GNU PSPP 0.11.0 that will lead to remote denial of service (CVE-2017-12960).
There is an assertion abort in the function parse_attributes() in data/sys-file-reader.c
of the libpspp library in GNU PSPP 0.11.0 that will lead to remote denial of service (CVE-2017-12961).
The following vulnerabilities have been reported: a DNS request
hijacking vulnerability, an ANSI escape sequence vulnerability, a DoS
vulnerability in the query command, and a vulnerability in the gem
installer that allowed a malicious gem to overwrite arbitrary
files.
Poppler is prone to a stack-based buffer-overflow
vulnerability.
Successful exploits may allow attackers to crash the affected
application, resulting in denial-of-service condition. Due to the
nature of this issue, arbitrary code execution may be possible but
this has not been confirmed.
Fix XSS vulnerability in one of the code examples, CVE-2017-11503. The
code_generator.phps example did not filter user input prior to output. This
file is distributed with a .phps extension, so it it not normally executable
unless it is explicitly renamed, so it is safe by default. There was also an
undisclosed potential XSS vulnerability in the default exception handler
(unused by default). Patches for both issues kindly provided by Patrick
Monnerat of the Fedora Project.
The first issue can lead to a denial of service on 32-bit if a backend
sends crafted answers, and the second to an alteration of dnsdist's ACL
if the API is enabled, writable and an authenticated user is tricked
into visiting a crafted website.
Correct a flaw in minion id validation which could allow certain
minions to authenticate to a master despite not having the correct
credentials. To exploit the vulnerability, an attacker must create a
salt-minion with an ID containing characters that will cause a
directory traversal.
Credit for discovering the security flaw goes to: Vernhk@qq.com
SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN)
allows post-authentication remote code execution via a sendmail.cf
file that is mishandled in a popen call. It's possible to exploit this
vulnerability to execute arbitrary shell commands on the remote
server.
An exploitable code execution vulnerability exists in the trapper command
functionality of Zabbix Server 2.4.X. A specially crafted set of packets
can cause a command injection resulting in remote code execution. An attacker
can make requests from an active Zabbix Proxy to trigger this vulnerability.
supervisord can be configured to run an HTTP server on a TCP socket and/or a Unix domain socket.
The HTTP server is how supervisorctl communicates with supervisord. If an HTTP server has been
enabled, it will always serve both HTML pages and an XML-RPC interface. A vulnerability has been
found where an authenticated client can send a malicious XML-RPC request to supervisord that
will run arbitrary shell commands on the server. The commands will be run as the same user as
supervisord. Depending on how supervisord has been configured, this may be root.
This vulnerability can only be exploited by an authenticated client or if supervisord has been
configured to run an HTTP server without authentication. If authentication has not been enabled,
supervisord will log a message at the critical level every time it starts.
Mercurial's symlink auditing was incomplete prior to 4.3, and could be
abused to write to files outside the repository.
CVE-2017-1000116
Mercurial was not sanitizing hostnames passed to ssh, allowing shell
injection attacks on clients by specifying a hostname starting with
-oProxyCommand. This is also present in Git (CVE-2017-1000117) and
Subversion (CVE-2017-9800), so please patch those tools as well if you
have them installed.
A Subversion client sometimes connects to URLs provided by the repository.
This happens in two primary cases: during 'checkout', 'export', 'update', and
'switch', when the tree being downloaded contains svn:externals properties;
and when using 'svnsync sync' with one URL argument.
A maliciously constructed svn+ssh:// URL would cause Subversion clients to
run an arbitrary shell command. Such a URL could be generated by a malicious
server, by a malicious user committing to a honest server (to attack another
user of that server's repositories), or by a proxy server.
The vulnerability affects all clients, including those that use file://,
http://, and plain (untunneled) svn://.
An external code review performed by Recurity-Labs identified a remote
command execution vulnerability in git that could be exploited via the "Repo
by URL" import option in GitLab. The command line git client was not
properly escaping command line arguments in URLs using the SSH protocol
before invoking the SSH client. A specially crafted URL could be used to
execute arbitrary shell commands on the GitLab server.
To fully patch this vulnerability two fixes were needed. The Omnibus
versions of GitLab contain a patched git client. For source users who may
still be running an older version of git, GitLab now also blocks import URLs
containing invalid host and usernames.
This issue has been assigned CVE-2017-12426.
Improper sanitization of GitLab export files on import
GitLab versions 8.13.3, 8.12.8, 8.11.10, 8.10.13, and 8.9.12 contained a
patch for a critical directory traversal vulnerability in the GitLab export
feature that could be exploited by including symlinks in the export file and
then re-importing it to a GitLab instance. This vulnerability was patched by
checking for and removing symlinks in these files on import.
Recurity-Labs also determined that this fix did not properly remove symlinks for
hidden files. Though not as dangerous as the original vulnerability hidden file
symlinks could still be used to steal copies of git repositories belonging to
other users if the path to the git repository was known by the attacker. An
updated fix has been included in these releases that properly removes all
symlinks.
This import option was not made available to non-admin users until GitLab
8.13.0.
CVE-2016-3092 is a denial of service vulnerability that has been
corrected in the Apache Commons FileUpload component. It occurred
when the length of the multipart boundary was just below the size of
the buffer (4096 bytes) used to read the uploaded file. This caused
the file upload process to take several orders of magnitude longer
than if the boundary length was the typical tens of bytes.
Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti
1.1.13 allows remote authenticated users to inject arbitrary web script
or HTML via specially crafted HTTP Referer headers.
ProFTPD ... controls whether the home directory of a user could
contain a symbolic link through the AllowChrootSymlinks
configuration option, but checks only the last path component when
enforcing AllowChrootSymlinks. Attackers with local access could
bypass the AllowChrootSymlinks control by replacing a path
component (other than the last one) with a symbolic link.
JabberD is prone to an authentication-bypass vulnerability.
An attacker can exploit this issue to bypass the authentication
mechanism and perform unauthorized actions. This may lead to
further attacks.
Genivia gSOAP is prone to a stack-based buffer-overflow
vulnerability because it fails to properly bounds check user-supplied
data before copying it into an insufficiently sized buffer.
A remote attacker may exploit this issue to execute arbitrary code
in the context of the affected device. Failed attempts will likely
cause a denial-of-service condition.
After sending this payload, collectd seems to be entering endless while()
loop in packet_parse consuming high CPU resources, possibly crash/gets killed after a while.
RSA public keys passed to the gmp plugin aren't validated sufficiently
before attempting signature verification, so that invalid input might
lead to a floating point exception. [CVE-2017-9022]
ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when
parsing X.509 certificates with extensions that use such types. This
could lead to infinite looping of the thread parsing a specifically crafted certificate.
Cross-site scripting (XSS) vulnerability in link.php in Cacti
1.1.12 allows remote anonymous users to inject arbitrary web
script or HTML via the id parameter.
The comic book backend in evince 3.24.0 (and earlier) is vulnerable to a command injection bug that can be used to execute arbitrary commands when a CBT file is opened.
The same vulnerability affects atril, the Evince fork.
important: Read after free in mod_http2 (CVE-2017-9789)
When under stress, closing many connections, the HTTP/2 handling
code would sometimes access memory after it has been freed,
resulting in potentially erratic behaviour.
important: Uninitialized memory reflection in mod_auth_digest
(CVE-2017-9788) The value placeholder in [Proxy-]Authorization
headers of type 'Digest' was not initialized or reset before or
between successive key=value assignments. by mod_auth_digest.
Providing an initial key with no '=' assignment could reflect
the stale value of uninitialized pool memory used by the prior
request, leading to leakage of potentially confidential
information, and a segfault.
Updates are now available for all active Node.js release lines as
well as the 7.x line. These include the fix for the high severity
vulnerability identified in the initial announcement, one additional
lower priority Node.js vulnerability in the 4.x release line, as well
as some lower priority fixes for Node.js dependencies across the
current release lines.
Constant Hashtable Seeds (CVE pending)
Node.js was susceptible to hash flooding remote DoS attacks as the
HashTable seed was constant across a given released version of
Node.js. This was a result of building with V8 snapshots enabled by
default which caused the initially randomized seed to be overwritten
on startup. Thanks to Jann Horn of Google Project Zero for reporting
this vulnerability.
This is a high severity vulnerability and applies to all active
release lines (4.x, 6.x, 8.x) as well as the 7.x line.
http.get with numeric authorization options creates uninitialized
buffers
Application code that allows the auth field of the options object
used with http.get() to be set to a number can result in an
uninitialized buffer being created/used as the authentication
string.
This is a low severity defect and only applies to the 4.x release
line.
A security issue was identified in nginx range filter. A specially
crafted request might result in an integer overflow and incorrect
processing of ranges, potentially resulting in sensitive information
leak (CVE-2017-7529).
When receiving messages with invalid time stamps, Irssi
would try to dereference a NULL pointer.
While updating the internal nick list, Irssi may
incorrectly use the GHashTable interface and free the nick while
updating it. This will then result in use-after-free conditions on each
access of the hash table.
Fix double-free in server TCP listener cleanup A double-free in
the server could be triggered by an authenticated user if dropbear
is running with -a (Allow connections to forwarded ports from any
host) This could potentially allow arbitrary code execution as root
by an authenticated user.
Fix information disclosure with ~/.ssh/authorized_keys symlink.
Dropbear parsed authorized_keys as root, even if it were a symlink.
The fix is to switch to user permissions when opening authorized_keys.
Tor 0.3.0.9 fixes a path selection bug that would allow a client
to use a guard that was in the same network family as a chosen exit
relay. This is a security regression; all clients running earlier
versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or
0.3.1.4-alpha.
The second vulnerability (CVE-2017-9773) is a DOS vulnerability.
This only affects Horde installations that do not have a configured image
handling backend, and thus use the "Null" image driver. It is exploitable by
a logged in user clicking on a maliciously crafted URL.
Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.
In May/June 2017 Guido Vranken threw a fuzzer at OpenVPN 2.4.2. In
the process he found several vulnerabilities and reported them to
the OpenVPN project. [...] The first releases to have these fixes are OpenVPN 2.4.3 and 2.3.17.
This is a list of fixed important vulnerabilities:
Remotely-triggerable ASSERT() on malformed IPv6 packet
Pre-authentication remote crash/information disclosure for clients
Potential double-free in --x509-alt-username
Remote-triggerable memory leaks
Post-authentication remote DoS when using the --x509-track option
Null-pointer dereference in establish_http_proxy_passthru()
The fist vulnerability (CVE-2017-9774) is a Remote Code Execution
vulnerability and is exploitable by a logged in user sending a
maliciously crafted GET request to the Horde server.
ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167):
Use of the ap_get_basic_auth_pw() by third-party modules outside
of the authentication phase may lead to authentication requirements
being bypassed.
mod_ssl Null Pointer Dereference (CVE-2017-3169): mod_ssl may
dereference a NULL pointer when third-party modules
call ap_hook_process_connection() during an HTTP request to an HTTPS
port.
mod_http2 Null Pointer Dereference (CVE-2017-7659): A maliciously
constructed HTTP/2 request could cause mod_http2 to dereference a NULL
pointer and crash the server process.
ap_find_token() Buffer Overread (CVE-2017-7668): The HTTP strict
parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token
list parsing, which allows ap_find_token() to search past the end of its
input string. By maliciously crafting a sequence of request headers, an
attacker may be able to cause a segmentation fault, or to force
ap_find_token() to return an incorrect value.
mod_mime Buffer Overread (CVE-2017-7679): mod_mime can read one
byte past the end of a buffer when sending a malicious Content-Type
response header.
1. a file: URL that doesn't use two slashes following the colon, or
2. is told that file is the default scheme to use for URLs without scheme
... and the given path starts with a drive letter and libcurl is built for
Windows or DOS, then libcurl would copy the path with a wrong offset, so that
the end of the given path would write beyond the malloc buffer. Up to seven
bytes too much.
These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2017-3075, CVE-2017-3081,
CVE-2017-3083, CVE-2017-3084).
These updates resolve memory corruption vulnerabilities that
could lead to code execution (CVE-2017-3076, CVE-2017-3077,
CVE-2017-3078, CVE-2017-3079, CVE-2017-3082).
Roundcube Webmail allows arbitrary password resets by
authenticated users. The problem is caused by an improperly restricted
exec call in the virtualmin and sasl drivers of the password plugin.
It was found using the TLS fuzzer tools that decoding a status
response TLS extension with valid contents could lead to a crash
due to a null pointer dereference. The issue affects GnuTLS server
applications.
An input validation flaw was found in Ansible, where it fails to
properly mark lookup-plugin results as unsafe. If an attacker could
control the results of lookup() calls, they could inject Unicode
strings to be parsed by the jinja2 templating system, result in
code execution.
The TLS session cache in FreeRADIUS before 3.0.14 fails to
reliably prevent resumption of an unauthenticated session, which
allows remote attackers (such as malicious 802.1X supplicants) to
bypass authentication via PEAP or TTLS.
An untrusted user may be able to set the http_proxy variable to
an invalid address. If this happens, this will trigger the
configured 'failmode' behavior, which defaults to safe. Safe
mode causes the authentication to report a success.
Commit f469fc6 (2010-10-02) inadvertently caused the
previous hop realm to not be added to the transit path of issued
tickets. This may, in some cases, enable bypass of capath policy in
Heimdal versions 1.5 through 7.2. Note, this may break sites that rely
on the bug. With the bug some incomplete [capaths] worked, that should
not have. These may now break authentication in some cross-realm
configurations. (CVE-2017-6594)
Information Disclosure in Issue and Merge Request Trackers
During an internal code review a critical vulnerability in the GitLab
Issue and Merge Request trackers was discovered. This vulnerability could
allow a user with access to assign ownership of an issue or merge request to
another user to disclose that user's private token, email token, email
address, and encrypted OTP secret. Reporter-level access to a GitLab project
is required to exploit this flaw.
SSRF when importing a project from a Repo by URL
GitLab instances that have enabled project imports using "Repo by URL"
were vulnerable to Server-Side Request Forgery attacks. By specifying a
project import URL of localhost an attacker could target services that are
bound to the local interface of the server. These services often do not
require authentication. Depending on the service an attacker might be able
craft an attack using the project import request URL.
Links in Environments tab vulnerable to tabnabbing
edio via HackerOne reported that user-configured Environment links
include target=_blank but do not also include rel: noopener
noreferrer. Anyone clicking on these links may therefore be subjected to
tabnabbing attacks where a link back to the requesting page is maintained
and can be manipulated by the target server.
Accounts with email set to "Do not show on profile" have addresses
exposed in public atom feed
Several GitLab users reported that even with "Do not show on profile"
configured for their email addresses those addresses were still being leaked
in Atom feeds if they commented on a public project.
A vulnerability was discovered in the NTP server's parsing
of configuration directives. [CVE-2017-6464]
A vulnerability was found in NTP, in the parsing of
packets from the DPTS Clock. [CVE-2017-6462]
A vulnerability was discovered in the NTP server's parsing
of configuration directives. [CVE-2017-6463]
A vulnerability was found in NTP, affecting the origin
timestamp check function. [CVE-2016-9042]
Impact:
A remote, authenticated attacker could cause ntpd to
crash by sending a crafted message. [CVE-2017-6463,
CVE-2017-6464]
A malicious device could send crafted messages, causing
ntpd to crash. [CVE-2017-6462]
An attacker able to spoof messages from all of the
configured peers could send crafted packets to ntpd, causing
later replies from those peers to be discarded, resulting
in denial of service. [CVE-2016-9042]
ipfilter(4), capable of stateful packet inspection, using
the "keep state" or "keep frags" rule options, will not
only maintain the state of connections, such as TCP streams
or UDP communication, it also maintains the state of
fragmented packets. When a packet fragments are received
they are cached in a hash table (and linked list). When a
fragment is received it is compared with fragments already
cached in the hash table for a match. If it does not match
the new entry is used to create a new entry in the hash
table. If on the other hand it does match, unfortunately
the wrong entry is freed, the entry in the hash table. This
results in use after free panic (and for a brief moment
prior to the panic a memory leak due to the wrong entry
being freed).
Impact:
Carefully feeding fragments that are allowed to pass by
an ipfilter(4) firewall can be used to cause a panic followed
by reboot loop denial of service attack.
[There] is a zip file of EXR images that cause segmentation faults in the OpenEXR library (tested against 2.2.0).
CVE-2017-9110
In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash.
CVE-2017-9111
In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code.
CVE-2017-9112
In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash.
CVE-2017-9113
In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code.
CVE-2017-9114
In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash.
CVE-2017-9115
In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code.
CVE-2017-9116
In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash.
All versions of Samba from 3.5.0 onwards are vulnerable to a remote
code execution vulnerability, allowing a malicious client to upload
a shared library to a writable share, and then cause the server to
load and execute it.
NVIDIA GPU Display Driver contains vulnerabilities in the
kernel mode layer handler where not correctly validated user
input, NULL pointer dereference, and incorrect access control
may lead to denial of service or potential escalation of
privileges.
An integer signedness error was found in miniupnp's miniwget
allowing an unauthenticated remote entity typically located on the
local network segment to trigger a heap corruption or an access
violation in miniupnp's http response parser when processing a
specially crafted chunked-encoded response to a request for the
xml root description url.
A remote crash can be triggered by sending a SIP packet
to Asterisk with a specially crafted CSeq header and a
Via header with no branch parameter. The issue is that
the PJSIP RFC 2543 transaction key generation algorithm
does not allocate a large enough buffer. By overrunning
the buffer, the memory allocation table becomes corrupted,
leading to an eventual crash.
The multi-part body parser in PJSIP contains a logical
error that can make certain multi-part body parts attempt
to read memory from outside the allowed boundaries. A
specially-crafted packet can trigger these invalid reads
and potentially induce a crash.
This issues is in PJSIP, and so the issue can be fixed
without performing an upgrade of Asterisk at all. However,
we are releasing a new version of Asterisk with the bundled
PJProject updated to include the fix.
If you are running Asterisk with chan_sip, this issue
does not affect you.
A remote memory exhaustion can be triggered by sending
an SCCP packet to Asterisk system with "chan_skinny"
enabled that is larger than the length of the SCCP header
but smaller than the packet length specified in the header.
The loop that reads the rest of the packet doesn't detect
that the call to read() returned end-of-file before the
expected number of bytes and continues infinitely. The
"partial data" message logging in that tight loop causes
Asterisk to exhaust all available memory.
The import/export feature did not properly check for symbolic links
in user-provided archives and therefore it was possible for an
authenticated user to retrieve the contents of any file
accessible to the GitLab service account. This included
sensitive files such as those that contain secret tokens used
by the GitLab service to authenticate users.
OpenVPN v2.4.0 was audited for security vulnerabilities independently by
Quarkslabs (funded by OSTIF) and Cryptography Engineering (funded by
Private Internet Access) between December 2016 and April 2017. The
primary findings were two remote denial-of-service vulnerabilities.
Fixes to them have been backported to v2.3.15.
An authenticated client can do the 'three way handshake'
(P_HARD_RESET, P_HARD_RESET, P_CONTROL), where the P_CONTROL packet
is the first that is allowed to carry payload. If that payload is
too big, the OpenVPN server process will stop running due to an
ASSERT() exception. That is also the reason why servers using
tls-auth/tls-crypt are protected against this attack - the P_CONTROL
packet is only accepted if it contains the session ID we specified,
with a valid HMAC (challenge-response). (CVE-2017-7478)
An authenticated client can cause the server's the packet-id
counter to roll over, which would lead the server process to hit an
ASSERT() and stop running. To make the server hit the ASSERT(), the
client must first cause the server to send it 2^32 packets (at least
196 GB).
CVE-2017-7486: pg_user_mappings view discloses foreign server
passwords. This applies to new databases, see the release notes for
the procedure to apply the fix to an existing database.
KAuth contains a logic flaw in which the service invoking dbus
is not properly checked.
This allows spoofing the identity of the caller and with some
carefully crafted calls can lead to gaining root from an
unprivileged account.
I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the
mime-parse test program. Is fixing these crashes something you're
interested in? The input files can be found here:
https://github.com/rwhitworth/libetpan-fuzz/.
The files can be executed as ./mime-parse id_filename to cause
seg faults.
International Components for Unicode (ICU) for C/C++
before 2017-02-13 has an out-of-bounds write caused by a
heap-based buffer overflow related to the utf8TextAccess
function in common/utext.cpp and the utext_setNativeIndex*
function.
International Components for Unicode (ICU) for C/C++
before 2017-02-13 has an out-of-bounds write caused by a
heap-based buffer overflow related to the utf8TextAccess
function in common/utext.cpp and the utext_moveIndex32*
function.
passdb/userdb dict: Don't double-expand %variables in keys. If dict
was used as the authentication passdb, using specially crafted
%variables in the username could be used to cause DoS.
LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if
SSL_get_verify_result is relied upon for a later check of a
verification result, in a use case where a user-provided verification
callback returns 1, as demonstrated by acceptance of invalid
certificates by nginx.
DNS protocols were designed with the assumption that a certain
amount of trust could be presumed between the operators of primary
and secondary servers for a given zone. However, in current
practice some organizations have scenarios which require them to
accept zone data from sources that are not fully trusted (for
example: providers of secondary name service). A party who is
allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS
updates) can overwhelm the server which is accepting data by
intentionally or accidentally exhausting that server's memory.
WeeChat before 1.7.1 allows a remote crash by sending a filename via DCC to
the IRC plugin. This occurs in the irc_ctcp_dcc_filename_without_quotes
function during quote removal, with a buffer overflow.
[695826] High CVE-2017-5057: Type confusion in PDFium. Credit to
Guang Gong of Alpha Team, Qihoo 360
[694382] High CVE-2017-5058: Heap use after free in Print Preview.
Credit to Khalil Zhani
[684684] High CVE-2017-5059: Type confusion in Blink. Credit to
SkyLined working with Trend Micro's Zero Day Initiative
[683314] Medium CVE-2017-5060: URL spoofing in Omnibox. Credit to
Xudong Zheng
[672847] Medium CVE-2017-5061: URL spoofing in Omnibox. Credit to
Haosheng Wang (@gnehsoah)
[702896] Medium CVE-2017-5062: Use after free in Chrome Apps.
Credit to anonymous
[700836] Medium CVE-2017-5063: Heap overflow in Skia. Credit to
Sweetchip
[693974] Medium CVE-2017-5064: Use after free in Blink. Credit to
Wadih Matar
[704560] Medium CVE-2017-5065: Incorrect UI in Blink. Credit to
Khalil Zhani
[690821] Medium CVE-2017-5066: Incorrect signature handing in Networking.
Credit to Prof. Zhenhua Duan, Prof. Cong Tian, and Ph.D candidate Chu Chen
(ICTT, Xidian University)
[648117] Medium CVE-2017-5067: URL spoofing in Omnibox. Credit to
Khalil Zhani
[691726] Low CVE-2017-5069: Cross-origin bypass in Blink. Credit to
Michael Reizelman
[713205] Various fixes from internal audits, fuzzing and other initiatives
libcurl would attempt to resume a TLS session even if the client
certificate had changed. That is unacceptable since a server by
specification is allowed to skip the client certificate check on
resume, and may instead use the old identity which was established
by the previous certificate (or no certificate).
libcurl supports by default the use of TLS session id/ticket to
resume previous TLS sessions to speed up subsequent TLS handshakes.
They are used when for any reason an existing TLS connection
couldn't be kept alive to make the next handshake faster.
This flaw is a regression and identical to CVE-2016-5419 reported
on August 3rd 2016, but affecting a different version range.
In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to
cause a stack-based buffer overflow via a specially crafted
FLAC file.
In libsndfile before 1.0.28, an error in the
"header_read()" function (common.c) when handling ID3 tags
can be exploited to cause a stack-based buffer overflow
via a specially crafted FLAC file.
In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to
cause a segmentation violation (with write memory access)
via a specially crafted FLAC file during a resample
attempt, a similar issue to CVE-2017-7585.
In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to
cause a segmentation violation (with read memory access)
via a specially crafted FLAC file during a resample
attempt, a similar issue to CVE-2017-7585.
An out-of-bounds write in the Graphite 2 library
triggered with a maliciously crafted Graphite font. This
results in a potentially exploitable crash. This issue was
fixed in the Graphite 2 library as well as Mozilla
products.
An out-of-bounds write during Base64 decoding operation
in the Network Security Services (NSS) library due to
insufficient memory being allocated to the buffer. This
results in a potentially exploitable crash. The NSS library
has been updated to fix this issue to address this issue and
Firefox 53 has been updated with NSS version 3.29.5.
A flaw in DRBG number generation within the Network
Security Services (NSS) library where the internal state V
does not correctly carry bits over. The NSS library has been
updated to fix this issue to address this issue and Firefox
53 has been updated with NSS version 3.29.5.
CVE-2016-10195: The name_parse function in evdns.c in
libevent before 2.1.6-beta allows remote attackers to have
unspecified impact via vectors involving the label_len
variable, which triggers an out-of-bounds stack read.
CVE-2016-10196: Stack-based buffer overflow in the
evutil_parse_sockaddr_port function in evutil.c in libevent
before 2.1.6-beta allows attackers to cause a denial of
service (segmentation fault) via vectors involving a long
string in brackets in the ip_as_string argument.
CVE-2016-10197: The search_make_new function in evdns.c
in libevent before 2.1.6-beta allows attackers to cause a
denial of service (out-of-bounds read) via an empty
hostname.
This Critical Patch Update contains 39 new security fixes for
Oracle MySQL. 11 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a
network without requiring user credentials.
A query with a specific set of characteristics could
cause a server using DNS64 to encounter an assertion
failure and terminate.
An attacker could deliberately construct a query,
enabling denial-of-service against a server if it
was configured to use the DNS64 feature and other
preconditions were met.
Mistaken assumptions about the ordering of records in
the answer section of a response containing CNAME or
DNAME resource records could lead to a situation in
which named would exit with an assertion failure when
processing a response in which records occurred in an
unusual order.
named contains a feature which allows operators to
issue commands to a running server by communicating
with the server process over a control channel,
using a utility program such as rndc.
A regression introduced in a recent feature change
has created a situation under which some versions of
named can be caused to exit with a REQUIRE assertion
failure if they are sent a null command string.
The content auto-download of id Tech 3 can be used to deliver
maliciously crafted content, that triggers downloading of
further content and loading and executing it as native code
with user credentials. This affects ioquake3, ioUrbanTerror,
OpenArena, the original Quake 3 Arena and other forks.
There were two bugs in curl's parser for the command line option
--write-out (or -w for short) that would skip the end of string
zero byte if the string ended in a % (percent) or \ (backslash),
and it would read beyond that buffer in the heap memory and it
could then potentially output pieces of that memory to the
terminal or the target file etc..
The XSA-29 fix introduced an insufficient check on XENMEM_exchange
input, allowing the caller to drive hypervisor memory accesses
outside of the guest provided input/output arrays.
A malicious or buggy 64-bit PV guest may be able to access all of
system memory, allowing for all of privilege escalation, host
crashes, and information leaks.
NVIDIA GPU Display Driver contains vulnerabilities in the
kernel mode layer handler where multiple integer overflows,
improper access control, and improper validation of a user
input may cause a denial of service or potential escalation
of privileges.
No size checking is done when setting the user field
on a CDR. Thus, it is possible for someone to use an
arbitrarily large string and write past the end of the
user field storage buffer. This allows the possibility
of remote code injection.
Unprivileged guests may be able to stall progress of the control
domain or driver domain, possibly leading to a Denial of Service
(DoS) of the entire host.
A vulnerability was discovered where the restrictions
caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are
bypassed under certain PHP versions. This can allow the
login of users who have no password set even if the
administrator has set $cfg['Servers'][$i]['AllowNoPassword']
to false (which is also the default).
This behavior depends on the PHP version used (it seems
PHP 5 is affected, while PHP 7.0 is not).
Severity
We consider this vulnerability to be of moderate severity.
A privileged user within the guest VM can cause a heap overflow in
the device model process, potentially escalating their privileges to
that of the device model process.
Use after free while producing list of netjoins (CWE-416).
This issue was found and reported to us by APic.
This issue usually leads to segmentation faults.
Targeted code execution should be difficult.
When using the NIO connector with sendfile and HTTPS enabled, if a
client breaks the connection while reading the response an infinite loop
is entered leading to a denial of service.
When a response for a request with a request body is
returned to the user agent before the request body is
fully read, by default Tomcat swallows the remaining
request body so that the next request on the connection
may be processed. There was no limit to the size of
request body that Tomcat would swallow. This permitted
a limited Denial of Service as Tomcat would never close
the connection and a processing thread would remain
allocated to the connection.
Moderate: Security Manager bypass CVE-2014-7810
Malicious web applications could use expression
language to bypass the protections of a Security
Manager as expressions were evaluated within a
privileged code section.
An integer overflow in createImageBitmap() was reported
through the Pwn2Own contest. The fix for this vulnerability
disables the experimental extensions to the
createImageBitmap API. This function runs in the content
sandbox, requiring a second vulnerability to compromise a
user's computer.
Tomcat does not properly restrict XSLT stylesheets, which allows
remote attackers to bypass security-manager restrictions and read
arbitrary files via a crafted web application that provides an XML
external entity declaration in conjunction with an entity
reference, related to an XML External Entity (XXE) issue.
An integer overflow, when operated behind a reverse proxy, allows
remote attackers to conduct HTTP request smuggling attacks via a
crafted Content-Length HTTP header.
An integer overflow in parseChunkHeader allows remote attackers
to cause a denial of service (resource consumption) via a malformed
chunk size in chunked transfer coding of a request during the
streaming of data.
In addition to a number of bug fixes and small improvements,
security vulnerabilities have been discovered and fixed. We highly
recommend that you upgrade your sites as soon as possible.
Upgrading should be very straightforward. As per our usual policy,
admins of all registered Moodle sites will be notified of security
issue details directly via email and we'll publish details more
widely in a week.
When using FORM authentication it was possible to bypass the security
constraint checks in the FORM authenticator by appending
"/j_security_check" to the end of the URL if some other component
(such as the Single-Sign-On valve) had called request.setUserPrincipal()
before the call to FormAuthenticator#authenticate().
Many versions of PuTTY prior to 0.68 have a heap-corrupting integer
overflow bug in the ssh_agent_channel_data function which processes
messages sent by remote SSH clients to a forwarded agent connection. [...]
This bug is only exploitable at all if you have enabled SSH
agent forwarding, which is turned off by default. Moreover, an
attacker able to exploit this bug would have to have already be able
to connect to the Unix-domain socket representing the forwarded
agent connection. Since any attacker with that capability would
necessarily already be able to generate signatures with your agent's
stored private keys, you should in normal circumstances be defended
against this vulnerability by the same precautions you and your
operating system were already taking to prevent untrusted people
from accessing your SSH agent.
If a malicious peer supplies a certificate with a specially
crafted secp224k1 public key, then an attacker can cause the
server or client to attempt to free block of memory held on
stack. Depending on the platform, this could result in a Denial
of Service (client crash) or potentially could be exploited to
allow remote code execution with the same privileges as the host
application.
If the client and the server both support MD5 and the client
can be tricked to authenticate to a malicious server, then the
malicious server can impersonate the client. To launch this man
in the middle attack, the adversary has to compute a
chosen-prefix MD5 collision in real time. This is very expensive
computationally, but can be practical. Depending on the
platform, this could result in a Denial of Service (client crash)
or potentially could be exploited to allow remote code execution
with the same privileges as the host application.
A bug in the logic of the parsing of a PEM encoded Certificate
Revocation List in mbedtls_x509_crl_parse() can result in an
infinite loop. In versions before 1.3.10 the same bug results in
an infinite recursion stack overflow that usually crashes the
application. Methods and means of acquiring the CRLs is not part
of the TLS handshake and in the strict TLS setting this
vulnerability cannot be triggered remotely. The vulnerability
cannot be triggered unless the application explicitly calls
mbedtls_x509_crl_parse() or mbedtls_x509_crl_parse_file()on a PEM
formatted CRL of untrusted origin. In which case the
vulnerability can be exploited to launch a denial of service
attack against the application.
A directory traversal issue was found in KTNEF which can be
exploited by tricking a user into opening a malicious winmail.dat
file. The issue allows to write files with the permission of the user
opening the winmail.dat file during extraction.
Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.
This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).
This attack can be carried out remotely (over the LAN) since proxy settings
allow "Detect Proxy Configuration Automatically".
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim's LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.
ikiwiki 3.20161219 does not properly check if a revision changes
the access permissions for a page on sites with the git and
recentchanges plugins and the CGI interface enabled, which allows
remote attackers to revert certain changes by leveraging permissions
to change the page before the revision was made.
When CGI::FormBuilder->field("foo") is called in list context
(and in particular in the arguments to a subroutine that takes named
arguments), it can return zero or more values for foo from the CGI
request, rather than the expected single value. This breaks the
usual Perl parsing convention for named arguments, similar to
CVE-2014-1572 in Bugzilla (which was caused by a similar API design
issue in CGI.pm).
Fixed an XSS vulnerability in Security Library method xss_clean().
Fixed a possible file inclusion vulnerability in Loader Library
method vars().
Fixed a possible remote code execution vulnerability in the Email
Library when âmailâ or âsendmailâ are used (thanks to Paul Buonopane
from NamePros).
Added protection against timing side-channel attacks in Security
Library method csrf_verify().
Added protection against BREACH attacks targeting the CSRF token
field generated by Form Helper function form_open().
The ikiwiki maintainers discovered further flaws similar to
CVE-2016-9646 in the passwordauth plugin's use of
CGI::FormBuilder, with a more serious impact:
An attacker who can log in to a site with a password can log in as
a different and potentially more privileged user.
An attacker who can create a new account can set arbitrary fields
in the user database for that account
A buffer overflow error was found in the POSIX unit's procedures
process-execute and process-spawn.
Additionally, a memory leak existed in this code, which would be
triggered when an error is raised during argument and environment
processing.
Irregex versions before 0.9.6 contain a resource exhaustion
vulnerability: when compiling deeply nested regexes containing the
"+" operator due to exponential expansion behaviour.
Due to improper handling of alert packets, OpenSSL would
consume an excessive amount of CPU time processing undefined
alert messages.
Impact:
A remote attacker who can initiate handshakes with an
OpenSSL based server can cause the server to consume a lot
of computation power with very little bandwidth usage, and
may be able to use this technique in a leveraged Denial of
Service attack.
SSL_VERIFYSTATUS ignored
curl and libcurl support "OCSP stapling", also known as the TLS
Certificate Status Request extension (using the
CURLOPT_SSL_VERIFYSTATUS option). When telling curl to use this
feature, it uses that TLS extension to ask for a fresh proof of
the server's certificate's validity. If the server doesn't support
the extension, or fails to provide said proof, curl is expected to
return an error.
Due to a coding mistake, the code that checks for a test success or
failure, ends up always thinking there's valid proof, even when
there is none or if the server doesn't support the TLS extension in
question. Contrary to how it used to function and contrary to how
this feature is documented to work.
This could lead to users not detecting when a server's certificate
goes invalid or otherwise be mislead that the server is in a better
shape than it is in reality.
In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
cirrus_bitblt_cputovideo fails to check whether the specified
memory region is safe. A malicious guest administrator can cause
an out of bounds memory write, very likely exploitable as a
privilege escalation.
The web site used by this port, http://fbsdmon.org, has been taken over by cybersquatters. That means that users are sending their system info to an unknown party.
Andrew Bartlett of Catalyst reported a defect affecting certain
applications using the Libevent evbuffer API. This defect leaves
applications which pass insanely large inputs to evbuffers open
to a possible heap overflow or infinite loop. In order to exploit
this flaw, an attacker needs to be able to find a way to provoke
the program into trying to make a buffer chunk larger than what
will fit into a single size_t or off_t.
Severity: High
During a renegotiation handshake if the Encrypt-Then-Mac
extension is negotiated where it was not in the original
handshake (or vice-versa) then this can cause OpenSSL to
crash (dependent on ciphersuite). Both clients and servers
are affected.
This issue does not affect OpenSSL version 1.0.2.
ifread.c in gif2png, as used in OptiPNG before 0.7.6, allows remote attackers to cause a denial of service (uninitialized memory read) via a crafted GIF file.
The bmp_read_rows function in pngxtern/pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (invalid memory write and crash) via a series of delta escapes in a crafted BMP image.
Heap-based buffer overflow in the bmp_read_rows function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file.
Off-by-one error in the bmp_rle4_fread function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file, which triggers a heap-based buffer overflow.
libcurl will reuse NTLM-authenticated proxy connections
without properly making sure that the connection was
authenticated with the same credentials as set for this
transfer.
The REPL server is vulnerable to
the HTTP inter-protocol attack
The âmkdirâ procedure of GNU Guile, an implementation of
the Scheme programming language, temporarily changed the processâ umask
to zero. During that time window, in a multithreaded application, other
threads could end up creating files with insecure permissions.
I have just released Shotwell 0.24.5 and 0.25.4 which turn
on HTTPS encryption all over the publishing plugins.
Users using Tumblr and Yandex.Fotki publishing are strongly
advised to change their passwords and reauthenticate Shotwell
to those services after upgrade.
Users of Picasa and Youtube publishing are strongly advised
to reauthenticate (Log out and back in) Shotwell to those
services after upgrade.
WordPress versions 4.7.1 and earlier are affected by three security
issues:
The user interface for assigning taxonomy terms in Press This is
shown to users who do not have permissions to use it.
WP_Query is vulnerable to a SQL injection (SQLi) when passing
unsafe data. WordPress core is not directly vulnerable to this
issue, but weâve added hardening to prevent plugins and
themes from accidentally causing a vulnerability.
A cross-site scripting (XSS) vulnerability was discovered in the
posts list table.
An unauthenticated privilege escalation vulnerability was
discovered in a REST API endpoint.
A security vulnerability in the Intel(R) Ethernet Controller X710
and Intel(R) Ethernet Controller XL710 family of products
(Fortville) has been found in the Non-Volatile Flash Memory (NVM)
image.
The PHP development team announces the immediate availability of
PHP 7.0.15. This is a security release. Several security bugs were
fixed in this release.
The PHP development team announces the immediate availability of
PHP 5.6.30. This is a security release. Several security bugs were
fixed in this release.
When an application with Groovy on classpath uses standard Java
serialization mechanisms, e.g. to communicate between servers or to
store local data, it is possible for an attacker to bake a special
serialized object that will execute code directly when deserialized.
All applications which rely on serialization and do not isolate the
code which deserializes objects are subject to this vulnerability.
This is similar to CVE-2015-3253 but this exploit involves extra
wrapping of objects and catching of exceptions which are now safe
guarded against.
MQTT (MQ Telemetry Transport) connection authentication with a
username/password pair succeeds if an existing username is
provided but the password is omitted from the connection
request. Connections that use TLS with a client-provided
certificate are not affected.
CVE-2016-3492: Remote security vulnerability in 'Server: Optimizer'
sub component.
CVE-2016-5616, CVE-2016-6663: Race condition allows local users with
certain permissions to gain privileges by leveraging use of my_copystat
by REPAIR TABLE to repair a MyISAM table.
CVE-2016-5617, CVE-2016-6664: mysqld_safe, when using file-based
logging, allows local users with access to the mysql account to gain
root privileges via a symlink attack on error logs and possibly other
files.
CVE-2016-5624: Remote security vulnerability in 'Server: DML' sub
component.
CVE-2016-5626: Remote security vulnerability in 'Server: GIS' sub
component.
CVE-2016-5629: Remote security vulnerability in 'Server: Federated'
sub component.
CVE-2016-8283: Remote security vulnerability in 'Server: Types' sub
component.
The ssh-agent(1) agent supports loading a PKCS#11 module
from outside a trusted whitelist. An attacker can request
loading of a PKCS#11 module across forwarded agent-socket.
[CVE-2016-10009]
When privilege separation is disabled, forwarded Unix
domain sockets would be created by sshd(8) with the privileges
of 'root' instead of the authenticated user. [CVE-2016-10010]
Impact:
A remote attacker who have control of a forwarded
agent-socket on a remote system and have the ability to
write files on the system running ssh-agent(1) agent can
run arbitrary code under the same user credential. Because
the attacker must already have some control on both systems,
it is relatively hard to exploit this vulnerability in a
practical attack. [CVE-2016-10009]
When privilege separation is disabled (on FreeBSD,
privilege separation is enabled by default and has to be
explicitly disabled), an authenticated attacker can potentially
gain root privileges on systems running OpenSSH server.
[CVE-2016-10010]
PHPMailer is prone to an local information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information
that may aid in launching further attacks.
Computest found and exploited several issues
that allow a compromised host to execute commands
on the Ansible controller and thus gain access
to other hosts controlled by that controller.
A malformed query response received by a recursive
server in response to a query of RTYPE ANY could
trigger an assertion failure while named is attempting
to add the RRs in the query response to the cache.
Depending on the type of query and the EDNS options
in the query they receive, DNSSEC-enabled authoritative
servers are expected to include RRSIG and other RRsets
in their responses to recursive servers.
DNSSEC-validating servers will also make specific queries
for DS and other RRsets.
Whether DNSSEC-validating or not, an error in processing
malformed query responses that contain DNSSEC-related
RRsets that are inconsistent with other RRsets in the
same query response can trigger an assertion failure.
Although the combination of properties which triggers
the assertion should not occur in normal traffic, it
is potentially possible for the assertion to be triggered
deliberately by an attacker sending a specially-constructed
answer.
An unusually-formed answer containing a DS resource
record could trigger an assertion failure. While the
combination of properties which triggers the assertion
should not occur in normal traffic, it is potentially
possible for the assertion to be triggered deliberately
by an attacker sending a specially-constructed answer
having the required properties.
An error in handling certain queries can cause an
assertion failure when a server is using the
nxdomain-redirect feature to cover a zone for which
it is also providing authoritative service.
A vulnerable server could be intentionally stopped
by an attacker if it was using a configuration that
met the criteria for the vulnerability and if the
attacker could cause it to accept a query that
possessed the required attributes.
These updates resolve a security bypass vulnerability that could
lead to information disclosure (CVE-2017-2938).
These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2017-2932, CVE-2017-2936,
CVE-2017-2937).
These updates resolve heap buffer overflow vulnerabilities that
could lead to code execution (CVE-2017-2927, CVE-2017-2933,
CVE-2017-2934, CVE-2017-2935).
These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2017-2925, CVE-2017-2926, CVE-2017-2928,
CVE-2017-2930, CVE-2017-2931).
The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL
versions and forks is vulnerable to timing attacks when signing with the
standardized elliptic curve P-256 despite featuring constant-time curve
operations and modular inversion. A software defect omits setting the
BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in
the BN_mod_inverse method and therefore resulting in a cache-timing attack
vulnerability.
A malicious user with local access can recover ECDSA P-256 private keys.
The issue allows a local attacker to cause a Denial of Service,
but can potentially result in Privilege Escalation since
the daemon is running as root. while any local user can
connect to the Unix socket.
Fixed by patch which is released with hpcsc-lite 1.8.20.
Lynx is vulnerable to POODLE by still supporting vulnerable
version of SSL. Lynx is also vulnerable to URL attacks by incorrectly
parsing hostnames ending with an '?'.
It was found using the OSS-FUZZ fuzzer infrastructure that
decoding a specially crafted OpenPGP certificate could lead
to heap and stack overflows. (GNUTLS-SA-2017-2)
It was found using the OSS-FUZZ fuzzer infrastructure that
decoding a specially crafted X.509 certificate with Proxy
Certificate Information extension present could lead to a
double free. (GNUTLS-SA-2017-1)
Two unrelated buffer overflows can be used by a malicious server to overwrite parts of the heap and crash the client (or possibly execute arbitrary code).
These packages have reached End of Life status and/or have
been removed from the Ports Tree. They may contain undocumented
security issues. Please take caution and find alternative
software as soon as possible.
... discovered 3 fresh and previously unknown vulnerabilities
(CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7
unserialize mechanism.
The first two vulnerabilities allow attackers to take full control
over servers, allowing them to do anything they want with the
website, from spreading malware to defacing it or stealing customer
data.
The last vulnerability generates a Denial of Service attack which
basically hangs the website, exhausts its memory consumption, and
shuts it down.
The PHP security team issued fixes for two of the vulnerabilities
on the 13th of October and 1st of December.
A use-after-free vulnerability exists in H2O up to and including
version 2.0.4 / 2.1.0-beta3 that can be used by a remote attacker to
mount DoS attacks and / or information theft.
An independent research uncovered a critical vulnerability in
PHPMailer that could potentially be used by (unauthenticated)
remote attackers to achieve remote arbitrary code execution in
the context of the web server user and remotely compromise the
target web application.
To exploit the vulnerability an attacker could target common
website components such as contact/feedback forms, registration
forms, password email resets and others that send out emails with
the help of a vulnerable version of the PHPMailer class.
The first patch of the vulnerability CVE-2016-10033 was incomplete.
This advisory demonstrates the bypass of the patch. The bypass allows
to carry out Remote Code Execution on all current versions (including
5.2.19).
Reported this to upstream 8 months ago without response,
so: libupnp's default behaviour allows anyone to write to your
filesystem. Seriously. Find a device running a libupnp based server
(Shodan says there's rather a lot), and POST a file to /testfile.
Then GET /testfile ... and yeah if the server is running as root
(it is) and is using / as the web root (probably not, but maybe)
this gives full host fs access.
Scott Tenaglia reports:
There is a heap buffer overflow vulnerability in the
create_url_list function in upnp/src/gena/gena_device.c.
An independent research uncovered a critical vulnerability in
PHPMailer that could potentially be used by (unauthenticated)
remote attackers to achieve remote arbitrary code execution in
the context of the web server user and remotely compromise the
target web application.
To exploit the vulnerability an attacker could target common
website components such as contact/feedback forms, registration
forms, password email resets and others that send out emails with
the help of a vulnerable version of the PHPMailer class.
[CVE-2016-2123] Authenticated users can supply malicious dnsRecord attributes
on DNS objects and trigger a controlled memory corruption.
[CVE-2016-2125] Samba client code always requests a forwardable ticket
when using Kerberos authentication. This means the target server, which must be in the current or trusted
domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to
fully impersonate the authenticated user or service.
[CVE-2016-2126] A remote, authenticated, attacker can cause the winbindd process
to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum.
A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.
Exim leaks the private DKIM signing key to the log files.
Additionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used,
the key material is included in the bounce message.
libcurl's (new) internal function that returns a good 32bit
random value was implemented poorly and overwrote the pointer
instead of writing the value into the buffer the pointer
pointed to.
This random value is used to generate nonces for Digest and
NTLM authentication, for generating boundary strings in HTTP
formposts and more. Having a weak or virtually non-existent
random there makes these operations vulnerable.
This function is brand new in 7.52.0 and is the result of an
overhaul to make sure libcurl uses strong random as much as
possible - provided by the backend TLS crypto libraries when
present. The faulty function was introduced in this commit.
Due to incorrect comparison of request headers Squid can deliver
responses containing private data to clients it should not have
reached.
This problem allows a remote attacker to discover private and
sensitive information about another clients browsing session.
Potentially including credentials which allow access to further
sensitive resources. This problem only affects Squid configured
to use the Collapsed Forwarding feature. It is of particular
importance for HTTPS reverse-proxy sites with Collapsed
Forwarding.
Squid security advisory 2016:11 reports:
Due to incorrect HTTP conditional request handling Squid can
deliver responses containing private data to clients it should not
have reached.
This problem allows a remote attacker to discover private and
sensitive information about another clients browsing session.
Potentially including credentials which allow access to further
sensitive resources..
vim before patch 8.0.0056 does not properly validate values for the
'filetype', 'syntax' and 'keymap' options, which may result in the
execution of arbitrary code if a file with a specially crafted
modeline is opened.
Certain PV guest kernel operations (page table writes in
particular) need emulation, and use Xen's general x86 instruction
emulator. This allows a malicious guest kernel which asynchronously
modifies its instruction stream to effect the clearing of EFLAGS.IF
from the state used to return to guest context.
A malicious guest kernel administrator can cause a host hang or
crash, resulting in a Denial of Service.
libcurl's implementation of the printf() functions triggers a
buffer overflow when doing a large floating point output. The bug
occurs when the conversion outputs more than 255 bytes.
Incorrect use of unfiltered data stored to the session on a form
validation failure allows for existing user accounts to be modified;
to include resetting their username, password, and user group
assignments.
[20161202] - Core - Shell Upload
Inadequate filesystem checks allowed files with alternative PHP
file extensions to be uploaded.
[20161203] - Core - Information Disclosure
Inadequate ACL checks in the Beez3 com_content article layout
override enables a user to view restricted content.
Inadequate checks allows for users to register on a site when
registration has been disabled.
[20161002] - Core - Elevated Privilege
Incorrect use of unfiltered data allows for users to register on a
site with elevated privileges.
[20161003] - Core - Account Modifications
Incorrect use of unfiltered data allows for existing user accounts
to be modified; to include resetting their username, password, and
user group assignments.
The Joomla Security Strike team has been following up on the
critical security vulnerability patched last week. Since the recent
update it has become clear that the root cause is a bug in PHP
itself. This was fixed by PHP in September of 2015 with the releases
of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all
versions of PHP 7 and has been back-ported in some specific Linux
LTS versions of PHP 5.3). This fixes the bug across all supported
PHP versions.
[20151207] - Core - SQL Injection
Inadequate filtering of request data leads to a SQL Injection
vulnerability.
Multiple vulnerabilities have been discovered in the NTP
suite:
CVE-2016-9311: Trap crash, Reported by Matthew Van Gundy
of Cisco ASIG.
CVE-2016-9310: Mode 6 unauthenticated trap information
disclosure and DDoS vector. Reported by Matthew Van Gundy
of Cisco ASIG.
CVE-2016-7427: Broadcast Mode Replay Prevention DoS.
Reported by Matthew Van Gundy of Cisco ASIG.
CVE-2016-7428: Broadcast Mode Poll Interval Enforcement
DoS. Reported by Matthew Van Gundy of Cisco ASIG.
CVE-2016-7431: Regression: 010-origin: Zero Origin
Timestamp Bypass. Reported by Sharon Goldberg and Aanchal
Malhotra of Boston University.
CVE-2016-7434: Null pointer dereference in
_IO_str_init_static_internal(). Reported by Magnus Stubman.
CVE-2016-7426: Client rate limiting and server responses.
Reported by Miroslav Lichvar of Red Hat.
CVE-2016-7433: Reboot sync calculation problem. Reported
independently by Brian Utterback of Oracle, and by Sharon
Goldberg and Aanchal Malhotra of Boston University.
Impact:
A remote attacker who can send a specially crafted packet
to cause a NULL pointer dereference that will crash ntpd,
resulting in a Denial of Service. [CVE-2016-9311]
An exploitable configuration modification vulnerability
exists in the control mode (mode 6) functionality of ntpd.
If, against long-standing BCP recommendations, "restrict
default noquery ..." is not specified, a specially crafted
control mode packet can set ntpd traps, providing information
disclosure and DDoS amplification, and unset ntpd traps,
disabling legitimate monitoring by an attacker from remote.
[CVE-2016-9310]
An attacker with access to the NTP broadcast domain can
periodically inject specially crafted broadcast mode NTP
packets into the broadcast domain which, while being logged
by ntpd, can cause ntpd to reject broadcast mode packets
from legitimate NTP broadcast servers. [CVE-2016-7427]
An attacker with access to the NTP broadcast domain can
send specially crafted broadcast mode NTP packets to the
broadcast domain which, while being logged by ntpd, will
cause ntpd to reject broadcast mode packets from legitimate
NTP broadcast servers. [CVE-2016-7428]
Origin timestamp problems were fixed in ntp 4.2.8p6.
However, subsequent timestamp validation checks introduced
a regression in the handling of some Zero origin timestamp
checks. [CVE-2016-7431]
If ntpd is configured to allow mrulist query requests
from a server that sends a crafted malicious packet, ntpd
will crash on receipt of that crafted malicious mrulist
query packet. [CVE-2016-7434]
An attacker who knows the sources (e.g., from an IPv4
refid in server response) and knows the system is (mis)configured
in this way can periodically send packets with spoofed
source address to keep the rate limiting activated and
prevent ntpd from accepting valid responses from its sources.
[CVE-2016-7426]
Ntp Bug 2085 described a condition where the root delay
was included twice, causing the jitter value to be higher
than expected. Due to a misinterpretation of a small-print
variable in The Book, the fix for this problem was incorrect,
resulting in a root distance that did not include the peer
dispersion. The calculations and formulas have been reviewed
and reconciled, and the code has been updated accordingly.
[CVE-2016-7433]
Operations in the DSA signing algorithm should run in constant time
in order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.
The typical behaviour of singlestepping exceptions is determined at
the start of the instruction, with a #DB trap being raised at the
end of the instruction. SYSCALL (and SYSRET, although we don't
implement it) behave differently because the typical behaviour
allows userspace to escalate its privilege. (This difference in
behaviour seems to be undocumented.) Xen wrongly raised the
exception based on the flags at the start of the instruction.
Guest userspace which can invoke the instruction emulator can use
this flaw to escalate its privilege to that of the guest kernel.
A use-after-free vulnerability in SVG Animation has been
discovered. An exploit built on this vulnerability has been
discovered in the wild targeting Firefox and Tor Browser
users on Windows.
modules/chanserv/flags.c in Atheme before 7.2.7 allows remote
attackers to modify the Anope FLAGS behavior by registering and
dropping the (1) LIST, (2) CLEAR, or (3) MODIFY keyword nicks.
Buffer overflow in the xmlrpc_char_encode function in
modules/transport/xmlrpc/xmlrpclib.c in Atheme before 7.2.7 allows
remote attackers to cause a denial of service via vectors related
to XMLRPC response encoding.
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before
1.2.3, when no SMTP server is configured and the sendmail program is
enabled, does not properly restrict the use of custom envelope-from
addresses on the sendmail command line, which allows remote
authenticated users to execute arbitrary code via a modified HTTP
request that sends a crafted e-mail message.
WordPress versions 4.6 and earlier are affected by two security
issues: a cross-site scripting vulnerability via image filename,
reported by SumOfPwn researcher Cengiz Han Sahin; and a path
traversal vulnerability in the upgrade package uploader, reported
by Dominik Schilling from the WordPress security team.
The x86 instruction CMPXCHG8B is supposed to ignore legacy operand
size overrides; it only honors the REX.W override (making it
CMPXCHG16B). So, the operand size is always 8 or 16. When support
for CMPXCHG16B emulation was added to the instruction emulator,
this restriction on the set of possible operand sizes was relied on
in some parts of the emulation; but a wrong, fully general, operand
size value was used for other parts of the emulation. As a result,
if a guest uses a supposedly-ignored operand size prefix, a small
amount of hypervisor stack data is leaked to the guests: a 96 bit
leak to guests running in 64-bit mode; or, a 32 bit leak to other
guests.
A malicious unprivileged guest may be able to obtain sensitive
information from the host.
If an SDP offer or answer is received with the Opus
codec and with the format parameters separated using a
space the code responsible for parsing will recursively
call itself until it crashes. This occurs as the code
does not properly handle spaces separating the parameters.
This does NOT require the endpoint to have Opus configured
in Asterisk. This also does not require the endpoint to
be authenticated. If guest is enabled for chan_sip or
anonymous in chan_pjsip an SDP offer or answer is still
processed and the crash occurs.
The chan_sip channel driver has a liberal definition
for whitespace when attempting to strip the content between
a SIP header name and a colon character. Rather than
following RFC 3261 and stripping only spaces and horizontal
tabs, Asterisk treats any non-printable ASCII character
as if it were whitespace.
This mostly does not pose a problem until Asterisk is
placed in tandem with an authenticating SIP proxy. In
such a case, a crafty combination of valid and invalid
To headers can cause a proxy to allow an INVITE request
into Asterisk without authentication since it believes
the request is an in-dialog request. However, because of
the bug described above, the request will look like an
out-of-dialog request to Asterisk. Asterisk will then
process the request as a new call. The result is that
Asterisk can process calls from unvetted sources without
any authentication.
If you do not use a proxy for authentication, then
this issue does not affect you.
If your proxy is dialog-aware (meaning that the proxy
keeps track of what dialogs are currently valid), then
this issue does not affect you.
If you use chan_pjsip instead of chan_sip, then this
issue does not affect you.
A specially crafted argument can trigger a static buffer
overflow in the library, with possibility to rewrite following
static buffers that belong to other library functions.
Impact:
Due to very limited use of the function in the existing
applications, and limited length of the overflow, exploitation
of the vulnerability does not seem feasible. None of the
utilities and daemons in the base system are known to be
vulnerable. However, careful review of third party software
that may use the function was not performed.
The VNC server websockets decoder will read and buffer data
from websockets clients until it sees the end of the HTTP headers,
as indicated by \r\n\r\n. In theory this allows a malicious to
trick QEMU into consuming an arbitrary amount of RAM.
The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply
limitations on request headers correctly when experimental module
for the HTTP/2 protocol is used to access a resource.
The net result is that a the server allocates too much memory
instead of denying the request. This can lead to memory exhaustion
of the server by a properly crafted request.
An unexpected sequence of memory allocation failures
combined with insufficient error checking could result in
the construction and execution of an argument sequence that
was not intended.
Impact:
An attacker who controls the sequence of memory allocation
failures and success may cause login(1) to run without
authentication and may be able to cause misbehavior of
login(1) replacements.
No practical way of controlling these memory allocation
failures is known at this time.
The bounds checking of accesses to guest memory greater
than 4GB by device emulations is subject to integer
overflow.
Impact:
For a bhyve virtual machine with more than 3GB of guest
memory configured, a malicious guest could craft device
descriptors that could give it access to the heap of the
bhyve process. Since the bhyve process is running as root,
this may allow guests to obtain full control of the hosts
they're running on.
CVE-2015-2141: The InvertibleRWFunction::CalculateInverse function
in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key
operations for the Rabin-Williams digital signature algorithm, which
allows remote attackers to obtain private keys via a timing attack.
Fixed in 5.6.3.
CVE-2016-3995: Incorrect implementation of Rijndael timing attack
countermeasure. Fixed in 5.6.4.
CVE-2016-7420: Library built without -DNDEBUG could egress sensitive
information to the filesystem via a core dump if an assert was triggered.
Fixed in 5.6.5.
Imagemagick before 3cbfb163cff9e5b8cdeace8312e9bfee810ed02b
suffer from a heap overflow in WaveletDenoiseImage(). This problem is
easily trigerrable from a Perl script.
On real hardware, a 32-bit PAE guest must leave the USER and RW bit
clear in L3 pagetable entries, but the pagetable walk behaves as if
they were set. (The L3 entries are cached in processor registers,
and don't actually form part of the pagewalk.)
When running a 32-bit PV guest on a 64-bit Xen, Xen must always OR
in the USER and RW bits for L3 updates for the guest to observe
architectural behaviour. This is unsafe in combination with
recursive pagetables.
As there is no way to construct an L3 recursive pagetable in native
32-bit PAE mode, disallow this option in 32-bit PV guests.
A malicious 32-bit PV guest administrator can escalate their
privilege to that of the host.
When emulating HVM instructions, Xen uses a small i-cache for
fetches from guest memory. The code that handles cache misses does
not check if the address from which it fetched lies within the cache
before blindly writing to it. As such it is possible for the guest
to overwrite hypervisor memory.
It is currently believed that the only way to trigger this bug is
to use the way that Xen currently incorrectly wraps CS:IP in 16 bit
modes. The included patch prevents such wrapping.
A malicious HVM guest administrator can escalate their privilege to
that of the host.
x86 HVM guests running with shadow paging use a subset of the x86
emulator to handle the guest writing to its own pagetables. There
are situations a guest can provoke which result in exceeding the
space allocated for internal state.
A malicious HVM guest administrator can cause Xen to fail a bug
check, causing a denial of service to the host.
When the EVTCHNOP_init_control operation is called with a bad guest
frame number, it takes an error path which frees a control structure
without also clearing the corresponding pointer. Certain subsequent
operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control),
upon finding the non-NULL pointer, continue operation assuming it
points to allocated memory.
A malicious guest administrator can crash the host, leading to a
DoS. Arbitrary code execution (and therefore privilege escalation),
and information leaks, cannot be excluded.
Instructions touching FPU, MMX, or XMM registers are required to
raise a Device Not Available Exception (#NM) when either CR0.EM or
CR0.TS are set. (Their AVX or AVX-512 extensions would consider only
CR0.TS.) While during normal operation this is ensured by the
hardware, if a guest modifies instructions while the hypervisor is
preparing to emulate them, the #NM delivery could be missed.
Guest code in one task may thus (unintentionally or maliciously)
read or modify register state belonging to another task in the same
VM.
A malicious unprivileged guest user may be able to obtain or
corrupt sensitive information (including cryptographic material) in
other programs in the same guest.
The Xen x86 emulator erroneously failed to consider the unusability
of segments when performing memory accesses.
The intended behaviour is as follows: The user data segment (%ds,
%es, %fs and %gs) selectors may be NULL in 32-bit to prevent access.
In 64-bit, NULL has a special meaning for user segments, and there
is no way of preventing access. However, in both 32-bit and 64-bit,
a NULL LDT system segment is intended to prevent access.
On Intel hardware, loading a NULL selector zeros the base as well
as most attributes, but sets the limit field to its largest possible
value. On AMD hardware, loading a NULL selector zeros the attributes,
leaving the stale base and limit intact.
Xen may erroneously permit the access using unexpected base/limit
values.
Ability to exploit this vulnerability on Intel is easy, but on AMD
depends in a complicated way on how the guest kernel manages LDTs.
An unprivileged guest user program may be able to elevate its
privilege to that of the guest operating system.
LDTR, just like TR, is purely a protected mode facility. Hence even
when switching to a VM86 mode task, LDTR loading needs to follow
protected mode semantics. This was violated by the code.
On SVM (AMD hardware): a malicious unprivileged guest process can
escalate its privilege to that of the guest operating system.
On both SVM and VMX (Intel hardware): a malicious unprivileged
guest process can crash the guest.
Both writes to the FS and GS register base MSRs as well as the
WRFSBASE and WRGSBASE instructions require their input values to be
canonical, or a #GP fault will be raised. When the use of those
instructions by the hypervisor was enabled, the previous guard
against #GP faults (having recovery code attached) was accidentally
removed.
A malicious guest administrator can crash the host, leading to a
DoS.
Along with their main kernel binary, unprivileged guests may
arrange to have their Xen environment load (kernel) symbol tables
for their use. The ELF image metadata created for this purpose has a
few unused bytes when the symbol table binary is in 32-bit ELF
format. These unused bytes were not properly cleared during symbol
table loading.
A malicious unprivileged guest may be able to obtain sensitive
information from the host.
The information leak is small and not under the control of the
guest, so effectively exploiting this vulnerability is probably
difficult.
The x86 instructions BT, BTC, BTR, and BTS, when used with a
destination memory operand and a source register rather than an
immediate operand, access a memory location offset from that
specified by the memory operand as specified by the high bits of
the register source.
A malicious guest can modify arbitrary memory, allowing for
arbitrary code execution (and therefore privilege escalation
affecting the whole host), a crash of the host (leading to a DoS),
or information leaks. The vulnerability is sometimes exploitable
by unprivileged guest user processes.
The compiler can emit optimizations in qemu which can lead to
double fetch vulnerabilities. Specifically data on the rings shared
between qemu and the hypervisor (which the guest under control can
obtain mappings of) can be fetched twice (during which time the
guest can alter the contents) possibly leading to arbitrary code
execution in qemu.
Malicious administrators can exploit this vulnerability to take
over the qemu process, elevating its privilege to that of the qemu
process.
In a system not using a device model stub domain (or other
techniques for deprivileging qemu), malicious guest administrators
can thus elevate their privilege to that of the host.
pygrub, the boot loader emulator, fails to quote (or sanity check)
its results when reporting them to its caller.
A malicious guest administrator can obtain the contents of
sensitive host files (an information leak). Additionally, a
malicious guest administrator can cause files on the host to be
removed, causing a denial of service. In some unusual host
configurations, ability to remove certain files may be usable for
privilege escalation.
Pillow prior to 3.3.2 may experience integer overflow
errors in map.c when reading specially crafted image files. This may
lead to memory disclosure or corruption.
Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check
for negative image sizes in ImagingNew in Storage.c. A negative image
size can lead to a smaller allocation than expected, leading to arbi
trary writes.
CVE-2016-9298: heap overflow in WaveletDenoiseImage(), fixed in ImageMagick7-7.0.3.6, discovered 2016-10-31
CVE-2016-8866: memory allocation failure in AcquireMagickMemory (incomplete previous fix for CVE-2016-8862), not fixed yet with the release of this announcement, re-discovered 2016-10-13.
CVE-2016-8862: memory allocation failure in AcquireMagickMemory, initially partially fixed in ImageMagick7-7.0.3.3, discovered 2016-09-14.
GNU wget in version 1.17 and earlier, when used in
mirroring/recursive mode, is affected by a Race Condition
vulnerability that might allow remote attackers to bypass intended
wget access list restrictions specified with -A parameter.
A null pointer dereference bug affects the 16.02 and many old
versions of p7zip. A lack of null pointer check for the variable
folders.PackPositions in function
CInArchive::ReadAndDecodePackedStreams, as used in
the 7z.so library and in 7z applications, will cause a crash and a
denial of service when decoding malformed 7z files.
The Expat XML parser mishandles certain kinds of malformed input
documents, resulting in buffer overflows during processing and error
reporting. The overflows can manifest as a segmentation fault or as
memory corruption during a parse operation. The bugs allow for a
denial of service attack in many applications by an unauthenticated
attacker, and could conceivably result in remote code execution.
There was a bug in the mixing functions of Libgcrypt's random
number generator: An attacker who obtains 4640 bits from the RNG can
trivially predict the next 160 bits of output. This bug exists since
1998 in all GnuPG and Libgcrypt versions.
It was found that original patch for issues CVE-2015-1283
and CVE-2015-2716 used overflow checks that could be optimized out by
some compilers applying certain optimization settings, which can cause
the vulnerability to remain even after applying the patch.
The HTBoundary_put_block function in HTBound.c for W3C libwww
(w3c-libwww) allows remote servers to cause a denial of service
(segmentation fault) via a crafted multipart/byteranges MIME message
that triggers an out-of-bounds read.
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
as used in the XML-Twig module for Perl, allows context-dependent
attackers to cause a denial of service (application crash) via an XML
document with malformed UTF-8 sequences that trigger a buffer
over-read, related to the doProlog function in lib/xmlparse.c, a
different vulnerability than CVE-2009-2625 and CVE-2009-3720.
The updatePosition function in lib/xmltok_impl.c in libexpat in
Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other
software, allows context-dependent attackers to cause a denial of
service (application crash) via an XML document with crafted UTF-8
sequences that trigger a buffer over-read, a different vulnerability
than CVE-2009-2625.
The mod_dontdothat module of subversion and subversion clients using
http(s):// are vulnerable to a denial-of-service attack, caused by
exponential XML entity expansion. The attack targets XML parsers
causing targeted process to consume excessive amounts of resources.
The attack is also known as the "billions of laughs attack."
Redirection from an HTTP connection to a data: URL
assigns the referring site's origin to the data: URL in some
circumstances. This can result in same-origin violations
against a domain if it loads resources from malicious
sites. Cross-origin setting of cookies has been demonstrated
without the ability to read them.
Inconsistent name for term access query (Less critical - Drupal
7 and Drupal 8)
Drupal provides a mechanism to alter database SELECT queries before
they are executed. Contributed and custom modules may use this
mechanism to restrict access to certain entities by implementing
hook_query_alter() or hook_query_TAG_alter() in order to add
additional conditions. Queries can be distinguished by means of
query tags. As the documentation on EntityFieldQuery::addTag()
suggests, access-tags on entity queries normally follow the form
ENTITY_TYPE_access (e.g. node_access). However, the taxonomy
module's access query tag predated this system and used term_access
as the query tag instead of taxonomy_term_access.
As a result, before this security release modules wishing to
restrict access to taxonomy terms may have implemented an
unsupported tag, or needed to look for both tags (term_access and
taxonomy_term_access) in order to be compatible with queries
generated both by Drupal core as well as those generated by
contributed modules like Entity Reference. Otherwise information
on taxonomy terms might have been disclosed to unprivileged users.
The user password reset form does not specify a proper cache
context, which can lead to cache poisoning and unwanted content on
the page.
Confirmation forms allow external URLs to be injected (Moderately
critical - Drupal 7)
Under certain circumstances, malicious users could construct a URL
to a confirmation form that would trick users into being redirected
to a 3rd party website after interacting with the form, thereby
exposing the users to potential social engineering attacks.
Denial of service via transliterate mechanism (Moderately critical
- Drupal 8)
A specially crafted URL can cause a denial of service via the
transliterate mechanism.
RCE Bugs discovered in MySQL and its variants like MariaDB.
It works by manipulating my.cnf files and using --malloc-lib.
The bug seems fixed in MySQL 5.7.15 by Oracle
Mozilla has updated the version of Network Security
Services (NSS) library used in Firefox to NSS 3.23. This
addresses four moderate rated networking security issues
reported by Mozilla engineers Tyson Smith and Jed Davis.
An unauthenticated remote code execution vulnerability allowed
attackers to transfer a serialized Java object to the Jenkins CLI,
making Jenkins connect to an attacker-controlled LDAP server, which
in turn can send a serialized payload leading to code execution,
bypassing existing protection mechanisms.
ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
Severity: High
TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS
attack by corrupting larger payloads. This can result in an OpenSSL crash. This
issue is not considered to be exploitable beyond a DoS.
CMS Null dereference (CVE-2016-7053)
Severity: Medium
Applications parsing invalid CMS structures can crash with a NULL pointer
dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type
in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure
callback if an attempt is made to free certain invalid encodings. Only CHOICE
structures using a callback which do not handle NULL value are affected.
Montgomery multiplication may produce incorrect results (CVE-2016-7055)i
Severity: Low
There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure that handles input lengths divisible by, but
longer than 256 bits.
These updates resolve type confusion vulnerabilities that
could lead to code execution (CVE-2016-7860, CVE-2016-7861,
CVE-2016-7865).
These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2016-7857, CVE-2016-7858,
CVE-2016-7859, CVE-2016-7862, CVE-2016-7863, CVE-2016-7864).
A defect in BIND's handling of responses containing
a DNAME answer can cause a resolver to exit after
encountering an assertion failure in db.c or
resolver.c
When processing the SSH_MSG_KEXINIT message, the server
could allocate up to a few hundreds of megabytes of memory
per each connection, before any authentication take place.
Impact:
A remote attacker may be able to cause a SSH server to
allocate an excessive amount of memory. Note that the default
MaxStartups setting on FreeBSD will limit the effectiveness
of this attack.
Today the Django team released Django 1.10.3, Django 1.9.11,
and 1.8.16. These releases addresses two security issues
detailed below. We encourage all users of Django to upgrade
as soon as possible.
User with hardcoded password created when running tests on Oracle
Multiple integer overflow vulnerabilities exist within Memcached
that could be exploited to achieve remote code execution on the
targeted system. These vulnerabilities manifest in various Memcached
functions that are used in inserting, appending, prepending, or
modifying key-value data pairs. Systems which also have Memcached
compiled with support for SASL authentication are also vulnerable to
a third flaw due to how Memcached handles SASL authentication
commands.
An attacker could exploit these vulnerabilities by sending a
specifically crafted Memcached command to the targeted server.
Additionally, these vulnerabilities could also be exploited to leak
sensitive process information which an attacker could use to bypass
common exploitation mitigations, such as ASLR, and can be triggered
multiple times. This enables reliable exploitation which makes these
vulnerabilities severe.
Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x:
Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL
configuration file, from the OPENSSL_CONF environment variable or from the default
location for the current platform. Always triggering a configuration file load attempt
may allow an attacker to load compromised OpenSSL configuration into a Node.js process
if they are able to place a file in a default location.
Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser mishandled scopes,
potentially allowing an attacker to obtain sensitive information from arbitrary memory
locations via crafted JavaScript code. This vulnerability would require an attacker to
be able to execute arbitrary JavaScript code in a Node.js process.
Create a unique v8_inspector WebSocket address: Generate a UUID for each execution of
the inspector. This provides additional security to prevent unauthorized clients from
connecting to the Node.js process via the v8_inspector port when running with --inspect.
Since the debugging protocol allows extensive access to the internals of a running process,
and the execution of arbitrary code, it is important to limit connections to authorized
tools only. Note that the v8_inspector protocol in Node.js is still considered an
experimental feature. Vulnerability originally reported by Jann Horn.
All of these vulnerabilities are considered low-severity for Node.js users, however,
users of Node.js v6.x should upgrade at their earliest convenience.
A flaw exists in sudo's noexec functionality that may allow
a user with sudo privileges to run additional commands even when the
NOEXEC tag has been applied to a command that uses the wordexp()
function.
Apache Axis2 1.7.4 is a maintenance release that includes fixes for
several issues, including the following security issues:
Session fixation (AXIS2-4739) and XSS (AXIS2-5683) vulnerabilities
affecting the admin console.
A dependency on an Apache HttpClient version affected by known security
vulnerabilities (CVE-2012-6153 and CVE-2014-3577); see AXIS2-5757.
Adobe has released security updates for Adobe Flash Player for
Windows, Macintosh, Linux and Chrome OS. These updates address a
critical vulnerability that could potentially allow an attacker to
take control of the affected system.
Adobe is aware of a report that an exploit for CVE-2016-7855
exists in the wild, and is being used in limited, targeted attacks
against users running Windows versions 7, 8.1 and 10.
Node.js has released new versions containing the following security fix:
The following releases all contain fixes for CVE-2016-5180 "ares_create_query single
byte out of buffer write": Node.js v0.10.48 (Maintenance), Node.js v0.12.17 (Maintenance),
Node.js v4.6.1 (LTS "Argon")
While this is not a critical update, all users of these release lines should upgrade at
their earliest convenience.
A special combination of sysarch(2) arguments, specify
a request to uninstall a set of descriptors from the LDT.
The start descriptor is cleared and the number of descriptors
are provided. Due to lack of sufficient bounds checking
during argument validity verification, unbound zero'ing of
the process LDT and adjacent memory can be initiated from
usermode.
Impact:
This vulnerability could cause the kernel to panic. In
addition it is possible to perform a local Denial of Service
against the system by unprivileged processes.
An unchecked array reference in the VGA device emulation
code could potentially allow guests access to the heap of
the bhyve process. Since the bhyve process is running as
root, this may allow guests to obtain full control of the
hosts they are running on.
Impact:
For bhyve virtual machines with the "fbuf" framebuffer
device configured, if exploited, a malicious guest could
obtain full access to not just the host system, but to other
virtual machines running on the system.
Adobe has released security updates for Adobe Flash Player for
Windows, Macintosh, Linux and ChromeOS. These updates address
critical vulnerabilities that could potentially allow an attacker
to take control of the affected system.
These updates resolve a type confusion vulnerability that could
lead to code execution (CVE-2016-6992).
These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-6981, CVE-2016-6987).
These updates resolve a security bypass vulnerability
(CVE-2016-4286).
These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-4273, CVE-2016-6982,
CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986,
CVE-2016-6989, CVE-2016-6990).
Apache Axis2 1.7.3 is a security release that contains a fix
for CVE-2010-3981. That security vulnerability affects the admin console
that is part of the Axis2 Web application and was originally reported
for SAP BusinessObjects (which includes a version of Axis2). That report
didnât mention Axis2 at all and the Axis2 project only recently became
aware (thanks to Devesh Bhatt and Nishant Agarwala) that the issue
affects Apache Axis2 as well.
Various memory handling problems and cases of missing or
incomplete input sanitizing may result in denial of service or the
execution of arbitrary code if malformed SIXEL, PDB, MAP, SGI, TIFF and
CALS files are processed.
Heap-based buffer overflow in the pdf_load_mesh_params
function in pdf/pdf-shade.c in MuPDF allows remote attackers to cause a
denial of service (crash) or execute arbitrary code via a large decode
array.
Use-after-free vulnerability in the pdf_load_xref function in
pdf/pdf-xref.c in MuPDF allows remote attackers to cause a denial of
service (crash) via a crafted PDF file.
Unspecified vulnerability in the Oracle VM VirtualBox
component in Oracle Virtualization VirtualBox prior to 4.0.34, 4.1.42,
4.2.34, 4.3.32, and 5.0.8, when using a Windows guest, allows local
users to affect availability via unknown vectors related to Core.
Unspecified vulnerability in the Oracle VM VirtualBox
component in Oracle Virtualization VirtualBox before 4.0.34, 4.1.42,
4.2.34, 4.3.32, and 5.0.8, when a VM has the Remote Display feature
(RDP) enabled, allows remote attackers to affect availability via
unknown vectors related to Core.
These packages have reached End of Life status and/or have
been removed from the Ports Tree. They may contain undocumented
security issues. Please take caution and find alternative
software as soon as possible.
The exposure exploits the way OLE previews are generated to
embed arbitrary file data into a specially crafted document when it is
opened. Data exposure is possible if the updated document is distributed
to other parties.
File Roller 3.5.4 through 3.20.2 was affected by a path
traversal bug that could result in deleted files if a user
were tricked into opening a malicious archive.
Prevent a class of security bugs caused by treating the contents
of a buffer chunk as if they were a NUL-terminated string. At least
one such bug seems to be present in all currently used versions of
Tor, and would allow an attacker to remotely crash most Tor
instances, especially those compiled with extra compiler hardening.
With this defense in place, such bugs can't crash Tor, though we
should still fix them as they occur. Closes ticket 20384
(TROVE-2016-10-001).
A Heap Buffer Overflow (Out-of-Bounds Write) issue was found in
function opj_dwt_interleave_v of dwt.c. This vulnerability allows
remote attackers to execute arbitrary code on vulnerable installations
of OpenJPEG.
An integer overflow issue exists in function opj_pi_create_decode of
pi.c. It can lead to Out-Of-Bounds Read and Out-Of-Bounds Write in
function opj_pi_next_cprl of pi.c (function opj_pi_next_lrcp,
opj_pi_next_rlcp, opj_pi_next_rpcl, opj_pi_next_pcrl may also be
vulnerable). This vulnerability allows remote attackers to execute
arbitrary code on vulnerable installations of OpenJPEG.
The redis-cli history file (in linenoise) is created with the
default OS umask value which makes it world readable in most systems
and could potentially expose authentication credentials to other
users.
Flaws in libarchive's handling of symlinks and hard links
allow overwriting files outside the extraction directory,
or permission changes to a directory outside the extraction
directory.
Impact:
An attacker who can control freebsd-update's or portsnap's
input to tar(1) can change file content or permissions on
files outside of the update tool's working sandbox.
Tobias Stoeckmann from the OpenBSD project has discovered a
number of issues in the way various X client libraries handle
the responses they receive from servers, and has worked with
X.Org's security team to analyze, confirm, and fix these issues.
These issue come in addition to the ones discovered by Ilja van
Sprundel in 2013.
Most of these issues stem from the client libraries trusting
the server to send correct protocol data, and not verifying
that the values will not overflow or cause other damage. Most
of the time X clients and servers are run by the same user, with
the server more privileged than the clients, so this is not a
problem, but there are scenarios in which a privileged client
can be connected to an unprivileged server, for instance,
connecting a setuid X client (such as a screen lock program)
to a virtual X server (such as Xvfb or Xephyr) which the user
has modified to return invalid data, potentially allowing the
user to escalate their privileges.
Testing by ISC has uncovered a critical error condition
which can occur when a nameserver is constructing a
response. A defect in the rendering of messages into
packets can cause named to exit with an assertion
failure in buffer.c while constructing a response
to a query that meets certain criteria.
The implementation of bspatch is susceptible to integer
overflows with carefully crafted input, potentially allowing
an attacker who can control the patch file to write at
arbitrary locations in the heap. This issue was partially
addressed in FreeBSD-SA-16:25.bspatch, but some possible
integer overflows remained.
Impact:
An attacker who can control the patch file can cause a
crash or run arbitrary code under the credentials of the
user who runs bspatch, in many cases, root.
Flaws in portsnap's verification of downloaded tar files
allows additional files to be included without causing the
verification to fail. Portsnap may then use or execute these
files.
Impact:
An attacker who can conduct man in the middle attack on
the network at the time when portsnap is run can cause
portsnap to execute arbitrary commands under the credentials
of the user who runs portsnap, typically root.
most of the bugs fixed on 2016-09-06 and 2016-09-07 for
issue #1780 are potentially exploitable. The scenario is arbitrary
code execution with specially-crafted files.
An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.
If specific usernames including "%" symbols can be created on a system
(validated by getpwnam()) then an attacker could run arbitrary code as root
when connecting to Dropbear server.
A dbclient user who can control username or host arguments could potentially
run arbitrary code as the dbclient user. This could be a problem if scripts
or webpages pass untrusted input to the dbclient program.
dropbearconvert import of OpenSSH keys could run arbitrary code as
the local dropbearconvert user when parsing malicious key files.
dbclient could run arbitrary code as the local dbclient user if
particular -m or -c arguments are provided. This could be an issue where
dbclient is used in scripts.
dbclient or dropbear server could expose process memory to the
running user if compiled with DEBUG_TRACE and running with -v
The four libcurl functions curl_escape(), curl_easy_escape(),
curl_unescape and curl_easy_unescape perform string URL percent
escaping and unescaping. They accept custom string length inputs
in signed integer arguments.
The provided string length arguments were not properly checked
and due to arithmetic in the functions, passing in the length
0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up
causing an allocation of zero bytes of heap memory that curl
would attempt to write gigabytes of data into.
RCE Bugs discovered in MySQL and its variants like MariaDB.
It works by manipulating my.cnf files and using --malloc-lib.
The bug seems fixed in MySQL 5.7.15 by Oracle
An independent research has revealed multiple severe MySQL
vulnerabilities. This advisory focuses on a critical
vulnerability with a CVEID of CVE-2016-6662 which can allow
attackers to (remotely) inject malicious settings into MySQL
configuration files (my.cnf) leading to critical
consequences.
Stefan Bühler discovered an issue that affects validation
of certificates using OCSP responses, which can falsely report a
certificate as valid under certain circumstances.
The overlap dialing feature in chan_sip allows chan_sip
to report to a device that the number that has been dialed
is incomplete and more digits are required. If this
functionality is used with a device that has performed
username/password authentication RTP resources are leaked.
This occurs because the code fails to release the old RTP
resources before allocating new ones in this scenario.
If all resources are used then RTP port exhaustion will
occur and no RTP sessions are able to be set up.
If overlap dialing support is not needed the "allowoverlap"
option can be set to no. This will stop any usage of the
scenario which causes the resource exhaustion.
Asterisk can be crashed remotely by sending an ACK to
it from an endpoint username that Asterisk does not
recognize. Most SIP request types result in an "artificial"
endpoint being looked up, but ACKs bypass this lookup.
The resulting NULL pointer results in a crash when
attempting to determine if ACLs should be applied.
This issue was introduced in the Asterisk 13.10 release
and only affects that release.
This issue only affects users using the PJSIP stack
with Asterisk. Those users that use chan_sip are
unaffected.
A serious vulnerability exists in when using m_sasl in
combination with any services that support SASL EXTERNAL.
To be vulnerable you must have m_sasl loaded, and have services which
support SASL EXTERNAL authentication.
We may have to set lifetime for input forms because of recent
activities on cross-site request forgery (CSRF). The form lifetime
is successfully deployed in frameworks like web.py or plone etc.
Proposed branch lp:~tkikuchi/mailman/form-lifetime implement
lifetime in admin, admindb, options and edithtml interfaces.
[...]
The web admin interface has been hardened against CSRF attacks by
adding a hidden, encrypted token with a time stamp to form submissions
and not accepting authentication by cookie if the token is missing,
invalid or older than the new mm_cfg.py setting FORM_LIFETIME which
defaults to one hour. Posthumous thanks go to Tokio Kikuchi for this implementation [...].
zzf of Alibaba discovered an out-of-bounds vulnerability in the code
processing the LogLUV and CIE Lab image format files. An attacker
could create a specially-crafted TIFF file that could cause libtiff
to crash.
LMX of Qihoo 360 Codesafe Team discovered an out-of-bounds read in
tif_getimage.c. An attacker could create a specially-crafted TIFF
file that could cause libtiff to crash.
Security researcher Francis Gabriel reported a heap-based
buffer overflow in the way the Network Security Services
(NSS) libraries parsed certain ASN.1 structures. An attacker
could create a specially-crafted certificate which, when
parsed by NSS, would cause it to crash or execute arbitrary
code with the permissions of the user.
Mozilla developer Tim Taubert used the Address Sanitizer
tool and software fuzzing to discover a use-after-free
vulnerability while processing DER encoded keys in the
Network Security Services (NSS) libraries. The vulnerability
overwrites the freed memory with zeroes.
* sshd(8): Mitigate timing differences in password authentication
that could be used to discern valid from invalid account names
when long passwords were sent and particular password hashing
algorithms are in use on the server. CVE-2016-6210, reported by
EddieEzra.Harari at verint.com
* sshd(8): (portable only) Ignore PAM environment vars when
UseLogin=yes. If PAM is configured to read user-specified
environment variables and UseLogin=yes in sshd_config, then a
hostile local user may attack /bin/login via LD_PRELOAD or
similar environment variables set via PAM. CVE-2015-8325,
found by Shayan Sadigh.
CSRF protection has been extended to the user options page. This
was actually fixed by Tokio Kikuchi as part of the fix for LP:
#775294 and intended for Mailman 2.1.15, but that fix wasn't
completely merged at the time. The full fix also addresses the
admindb, and edithtml pages as well as the user options page and the
previously fixed admin pages. Thanks to Nishant Agarwala for reporting the issue.
A maliciously crafted archive (.zip or .tar.bz2) with "../" in the
file paths could be offered for download via the KNewStuff
framework (e.g. on www.kde-look.org), and upon extraction would
install files anywhere in the user's home directory.
Beginning in PathTools 3.47 and/or perl 5.20.0, the
File::Spec::canonpath() routine returned untained strings even if
passed tainted input. This defect undermines the guarantee of taint
propagation, which is sometimes used to ensure that unvalidated
user input does not reach sensitive code.
This defect was found and reported by David Golden of MongoDB.
In order to prevent an algorithmic complexity attack
against its hashing mechanism, perl will sometimes
recalculate keys and redistribute the contents of a hash.
This mechanism has made perl robust against attacks that
have been demonstrated against other systems.
Research by Yves Orton has recently uncovered a flaw in
the rehashing code which can result in pathological
behavior. This flaw could be exploited to carry out a
denial of service attack against code that uses arbitrary
user input as hash keys.
Because using user-provided strings as hash keys is a
very common operation, we urge users of perl to update their
perl executable as soon as possible.
Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do
not properly remove . (period) characters from the end of the includes
directory array, which might allow local users to gain privileges via a
Trojan horse module under the current working directory.
Tobias Stoeckmann discovered that cache files are insufficiently
validated in fontconfig, a generic font configuration library. An
attacker can trigger arbitrary free() calls, which in turn allows
double free attacks and therefore arbitrary code execution. In
combination with setuid binaries using crafted cache files, this
could allow privilege escalation.
There is a possible XSS vulnerability in Action View. Text declared as "HTML
safe" will not have quotes escaped when used as attribute values in tag
helpers. This vulnerability has been assigned the CVE identifier
CVE-2016-6316.
There is a vulnerability when Active Record is used in conjunction with JSON
parameter parsing. This vulnerability has been assigned the CVE identifier
CVE-2016-6317. This vulnerability is similar to CVE-2012-2660, CVE-2012-2694
and CVE-2013-0155.
Puppet Enterprise previously included a puppet-agent MCollective plugin that allowed you to pass the `--server` argument to MCollective. This insecure argument enabled remote code execution via connection to an untrusted host. The puppet-agent MCollective version included in PE 2016.2.1, this option is disabled by default.
I found 10 vulnerabilities. Some of these are critical and allow remote code
execution. For the average user, that means that these vulnerabilities can be
exploited by a malicious attacker in order to take over any Teamspeak server,
not only becoming serveradmin, but getting a shell on the affected machine.
Due to insufficient validation of the SCTP stream ID,
which serves as an array index, a local unprivileged attacker
can read or write 16-bits of kernel memory.
Impact:
An unprivileged process can read or modify 16-bits of
memory which belongs to the kernel. This may lead to
exposure of sensitive information or allow privilege
escalation.
The input validation of received SCTP RE_CONFIG chunks
is insufficient, and can result in a NULL pointer deference
later.
Impact:
A remote attacker who can send a malformed SCTP packet
to a FreeBSD system that serves SCTP can cause a kernel
panic, resulting in a Denial of Service.
The Neighbor Discover Protocol allows a local router to
advertise a suggested Current Hop Limit value of a link,
which will replace Current Hop Limit on an interface connected
to the link on the FreeBSD system.
Impact:
When the Current Hop Limit (similar to IPv4's TTL) is
small, IPv6 packets may get dropped before they reached
their destinations.
By sending specifically crafted Router Advertisement
packets, an attacker on the local network can cause the
FreeBSD system to lose the ability to communicate with
another IPv6 node on a different network.
TCP connections transitioning to the LAST_ACK state can
become permanently stuck due to mishandling of protocol
state in certain situations, which in turn can lead to
accumulated consumption and eventual exhaustion of system
resources, such as mbufs and sockets.
Impact:
An attacker who can repeatedly establish TCP connections
to a victim system (for instance, a Web server) could create
many TCP connections that are stuck in LAST_ACK state and
cause resource exhaustion, resulting in a denial of service
condition. This may also happen in normal operation where
no intentional attack is conducted, but an attacker who can
send specifically crafted packets can trigger this more
reliably.
Due to insufficient sanitization of the input patch
stream, it is possible for a patch file to cause patch(1)
to run commands in addition to the desired SCCS or RCS
commands.
Impact:
This issue could be exploited to execute arbitrary
commands as the user invoking patch(1) against a specially
crafted patch file, which could be leveraged to obtain
elevated privileges.
There is a mistake with the introduction of VNET, which
converted the global limit on the number of segments that
could belong to reassembly queues into a per-VNET limit.
Because mbufs are allocated from a global pool, in the
presence of a sufficient number of VNETs, the total number
of mbufs attached to reassembly queues can grow to the total
number of mbufs in the system, at which point all network
traffic would cease.
Impact:
An attacker who can establish concurrent TCP connections
across a sufficient number of VNETs and manipulate the
inbound packet streams such that the maximum number of mbufs
are enqueued on each reassembly queue can cause mbuf cluster
exhaustion on the target system, resulting in a Denial of
Service condition.
As the default per-VNET limit on the number of segments
that can belong to reassembly queues is 1/16 of the total
number of mbuf clusters in the system, only systems that
have 16 or more VNET instances are vulnerable.
Due to insufficient sanitization of the input patch
stream, it is possible for a patch file to cause patch(1)
to pass certain ed(1) scripts to the ed(1) editor, which
would run commands.
Impact:
This issue could be exploited to execute arbitrary
commands as the user invoking patch(1) against a specially
crafted patch file, which could be leveraged to obtain
elevated privileges.
The input path in routed(8) will accept queries from any
source and attempt to answer them. However, the output path
assumes that the destination address for the response is
on a directly connected network.
Impact:
Upon receipt of a query from a source which is not on a
directly connected network, routed(8) will trigger an
assertion and terminate. The affected system's routing table
will no longer be updated. If the affected system is a
router, its routes will eventually expire from other routers'
routing tables, and its networks will no longer be reachable
unless they are also connected to another router.
Multiple integer overflows have been discovered in the
XML_GetBuffer() function in the expat library.
Impact:
The integer overflows may be exploited by using specifically
crafted XML data and lead to infinite loop, or a heap buffer
overflow, which results in a Denial of Service condition,
or enables remote attackers to execute arbitrary code.
If the kernel-mode IRET instruction generates an #SS or
#NP exception, but the exception handler does not properly
ensure that the right GS register base for kernel is reloaded,
the userland GS segment may be used in the context of the
kernel exception handler.
Impact:
By causing an IRET with #SS or #NP exceptions, a local
attacker can cause the kernel to use an arbitrary GS base,
which may allow escalated privileges or panic the system.
In rpcbind(8), netbuf structures are copied directly,
which would result in two netbuf structures that reference
to one shared address buffer. When one of the two netbuf
structures is freed, access to the other netbuf structure
would result in an undefined result that may crash the
rpcbind(8) daemon.
Impact:
A remote attacker who can send specifically crafted
packets to the rpcbind(8) daemon can cause it to crash,
resulting in a denial of service condition.
The bsnmpd(8) daemon is prone to a stack-based
buffer-overflow when it has received a specifically crafted
GETBULK PDU request.
Impact:
This issue could be exploited to execute arbitrary code in
the context of the service daemon, or crash the service daemon, causing
a denial-of-service.
The kernel holds a lock over the source directory vnode
while trying to convert the target directory file handle
to a vnode, which needs to be returned with the lock held,
too. This order may be in violation of normal lock order,
which in conjunction with other threads that grab locks in
the right order, constitutes a deadlock condition because
no thread can proceed.
Impact:
An attacker on a trusted client could cause the NFS
server become deadlocked, resulting in a denial of service.
The default devfs rulesets are not loaded on boot, even
when jails are used. Device nodes will be created in the
jail with their normal default access permissions, while
most of them should be hidden and inaccessible.
Impact:
Jailed processes can get access to restricted resources
on the host system. For jailed processes running with
superuser privileges this implies access to all devices on
the system. This level of access could lead to information
leakage and privilege escalation.
FreeBSD may add a reassemble queue entry on the stack
into the segment list when the reassembly queue reaches its
limit. The memory from the stack is undefined after the
function returns. Subsequent iterations of the reassembly
function will attempt to access this entry.
Impact:
An attacker who can send a series of specifically crafted
packets with a connection could cause a denial of service
situation by causing the kernel to crash.
Additionally, because the undefined on stack memory may
be overwritten by other kernel threads, while extremely
difficult, it may be possible for an attacker to construct
a carefully crafted attack to obtain portion of kernel
memory via a connected socket. This may result in the
disclosure of sensitive information such as login credentials,
etc. before or even without crashing the system.
There is a programming error in sendmail(8) that prevented
open file descriptors have close-on-exec properly set.
Consequently a subprocess will be able to access all open
files that the parent process have open.
Impact:
A local user who can execute their own program for mail
delivery will be able to interfere with an open SMTP
connection.
Due to an overlooked merge to -STABLE branches, the size
for page fault kernel trace entries was set incorrectly.
Impact:
A user who can enable kernel process tracing could end
up reading the contents of kernel memory.
Such memory might contain sensitive information, such
as portions of the file cache or terminal buffers. This
information might be directly useful, or it might be leveraged
to obtain elevated privileges in some way; for example, a
terminal buffer might include a user-entered password.
The OpenPAM library searches for policy definitions in
several locations. While doing so, the absence of a policy
file is a soft failure (handled by searching in the next
location) while the presence of an invalid file is a hard
failure (handled by returning an error to the caller).
The policy parser returns the same error code (ENOENT)
when a syntactically valid policy references a non-existent
module as when the requested policy file does not exist.
The search loop regards this as a soft failure and looks
for the next similarly-named policy, without discarding the
partially-loaded configuration.
A similar issue can arise if a policy contains an include
directive that refers to a non-existent policy.
Impact:
If a module is removed, or the name of a module is
misspelled in the policy file, the PAM library will proceed
with a partially loaded configuration. Depending on the
exact circumstances, this may result in a fail-open scenario
where users are allowed to log in without a password, or
with an incorrect password.
In particular, if a policy references a module installed
by a package or port, and that package or port is being
reinstalled or upgraded, there is a brief window of time
during which the module is absent and policies that use it
may fail open. This can be especially damaging to Internet-facing
SSH servers, which are regularly subjected to brute-force
scans.
A NULL pointer dereference in the initialization code
of the HZ module and an out of bounds array access in the
initialization code of the VIQR module make iconv_open(3)
calls involving HZ or VIQR result in an application crash.
Impact:
Services where an attacker can control the arguments of
an iconv_open(3) call can be caused to crash resulting in
a denial-of-service. For example, an email encoded in HZ
may cause an email delivery service to crash if it converts
emails to a more generic encoding like UTF-8 before applying
filtering rules.
A specifically crafted Composite Document File (CDF)
file can trigger an out-of-bounds read or an invalid pointer
dereference. [CVE-2012-1571]
A flaw in regular expression in the awk script detector
makes use of multiple wildcards with unlimited repetitions.
[CVE-2013-7345]
A malicious input file could trigger infinite recursion
in libmagic(3). [CVE-2014-1943]
A specifically crafted Portable Executable (PE) can
trigger out-of-bounds read. [CVE-2014-2270]
Impact:
An attacker who can cause file(1) or any other applications
using the libmagic(3) library to be run on a maliciously
constructed input can the application to crash or consume
excessive CPU resources, resulting in a denial-of-service.
Buffer between control message header and data may not
be completely initialized before being copied to userland.
[CVE-2014-3952]
Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO,
have implicit padding that may not be completely initialized
before being copied to userland. In addition, three SCTP
notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and
SCTP_AUTHENTICATION_EVENT, have padding in the returning
data structure that may not be completely initialized before
being copied to userland. [CVE-2014-3953]
Impact:
An unprivileged local process may be able to retrieve
portion of kernel memory.
For the generic control message, the process may be able
to retrieve a maximum of 4 bytes of kernel memory.
For SCTP, the process may be able to retrieve 2 bytes
of kernel memory for all three control messages, plus 92
bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the
local process is permitted to receive SCTP notification, a
maximum of 112 bytes of kernel memory may be returned to
userland.
This information might be directly useful, or it might
be leveraged to obtain elevated privileges in some way. For
example, a terminal buffer might include a user-entered
password.
When a segment with the SYN flag for an already existing
connection arrives, the TCP stack tears down the connection,
bypassing a check that the sequence number in the segment
is in the expected window.
Impact:
An attacker who has the ability to spoof IP traffic can
tear down a TCP connection by sending only 2 packets, if
they know both TCP port numbers. In case one of the two
port numbers is unknown, a successful attack requires less
than 2**17 packets spoofed, which can be generated within
less than a second on a decent connection to the Internet.
Due to a missing length check in the code that handles
DNS parameters, a malformed router advertisement message
can result in a stack buffer overflow in rtsold(8).
Impact:
Receipt of a router advertisement message with a malformed
DNSSL option, for instance from a compromised host on the
same network, can cause rtsold(8) to crash.
While it is theoretically possible to inject code into
rtsold(8) through malformed router advertisement messages,
it is normally compiled with stack protection enabled,
rendering such an attack extremely difficult.
When rtsold(8) crashes, the existing DNS configuration
will remain in force, and the kernel will continue to receive
and process periodic router advertisements.
The input path in routed(8) will accept queries from any
source and attempt to answer them. However, the output path
assumes that the destination address for the response is
on a directly connected network.
Impact:
Upon receipt of a query from a source which is not on a
directly connected network, routed(8) will trigger an
assertion and terminate. The affected system's routing table
will no longer be updated. If the affected system is a
router, its routes will eventually expire from other routers'
routing tables, and its networks will no longer be reachable
unless they are also connected to another router.
The namei facility will leak a small amount of kernel
memory every time a sandboxed process looks up a nonexistent
path name.
Impact:
A remote attacker that can cause a sandboxed process
(for instance, a web server) to look up a large number of
nonexistent path names can cause memory exhaustion.
Although OpenSSH is not multithreaded, when OpenSSH is
compiled with Kerberos support, the Heimdal libraries bring
in the POSIX thread library as a dependency. Due to incorrect
library ordering while linking sshd(8), symbols in the C
library which are shadowed by the POSIX thread library may
not be resolved correctly at run time.
Note that this problem is specific to the FreeBSD build
system and does not affect other operating systems or the
version of OpenSSH available from the FreeBSD ports tree.
Impact:
An incorrectly linked sshd(8) child process may deadlock
while handling an incoming connection. The connection may
then time out or be interrupted by the client, leaving the
deadlocked sshd(8) child process behind. Eventually, the
sshd(8) parent process stops accepting new connections.
An attacker may take advantage of this by repeatedly
connecting and then dropping the connection after having
begun, but not completed, the authentication process.
When setlogin(2) is called while setting up a new login
session, the login name is copied into an uninitialized
stack buffer, which is then copied into a buffer of the
same size in the session structure. The getlogin(2) system
call returns the entire buffer rather than just the portion
occupied by the login name associated with the session.
Impact:
An unprivileged user can access this memory by calling
getlogin(2) and reading beyond the terminating NUL character
of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD
9 and 10) bytes of kernel memory may be leaked in this
manner for each invocation of setlogin(2).
This memory may contain sensitive information, such as
portions of the file cache or terminal buffers, which an
attacker might leverage to obtain elevated privileges.
A malicious HTTP server could cause ftp(1) to execute
arbitrary commands.
Impact:
When operating on HTTP URIs, the ftp(1) client follows
HTTP redirects, and uses the part of the path after the
last '/' from the last resource it accesses as the output
filename if '-o' is not specified.
If the output file name provided by the server begins
with a pipe ('|'), the output is passed to popen(3), which
might be used to execute arbitrary commands on the ftp(1)
client machine.
A programming error in the standard I/O library's
__sflush() function could erroneously adjust the buffered
stream's internal state even when no write actually occurred
in the case when write(2) system call returns an error.
Impact:
The accounting mismatch would accumulate, if the caller
does not check for stream status and will eventually lead
to a heap buffer overflow.
Such overflows may lead to data corruption or the execution
of arbitrary code at the privilege level of the calling
program.
A lack of proper input checks in the ICMPv6 processing
in the SCTP stack can lead to either a failed kernel assertion
or to a NULL pointer dereference. In either case, a kernel
panic will follow.
Impact:
A remote, unauthenticated attacker can reliably trigger
a kernel panic in a vulnerable system running IPv6. Any
kernel compiled with both IPv6 and SCTP support is vulnerable.
There is no requirement to have an SCTP socket open.
IPv4 ICMP processing is not impacted by this vulnerability.
A programming error in the Linux compatibility layer
setgroups(2) system call can lead to an unexpected results,
such as overwriting random kernel memory contents.
Impact:
It is possible for a local attacker to overwrite portions
of kernel memory, which may result in a privilege escalation
or cause a system panic.
A programming error in processing a TCP connection with
both TCP_MD5SIG and TCP_NOOPT socket options may lead to
kernel crash.
Impact:
A local attacker can crash the kernel, resulting in a
denial-of-service.
A remote attack is theoretically possible, if server has
a listening socket with TCP_NOOPT set, and server is either
out of SYN cache entries, or SYN cache is disabled by
configuration.
The SNMP protocol supports an authentication model called
USM, which relies on a shared secret. The default permission
of the snmpd configuration file, /etc/snmpd.config, is
weak and does not provide adequate protection against local
unprivileged users.
Impact:
A local user may be able to read the shared secret, if
configured and used by the system administrator.
A cross-protocol attack was discovered that could lead
to decryption of TLS sessions by using a server supporting
SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA
padding oracle. Note that traffic between clients and
non-vulnerable servers can be decrypted provided another
server supporting SSLv2 and EXPORT ciphers (even with a
different protocol such as SMTP, IMAP or POP3) shares the
RSA keys of the non-vulnerable server. This vulnerability
is known as DROWN. [CVE-2016-0800]
A double free bug was discovered when OpenSSL parses
malformed DSA private keys and could lead to a DoS attack
or memory corruption for applications that receive DSA
private keys from untrusted sources. This scenario is
considered rare. [CVE-2016-0705]
The SRP user database lookup method SRP_VBASE_get_by_user
had confusing memory management semantics; the returned
pointer was sometimes newly allocated, and sometimes owned
by the callee. The calling code has no way of distinguishing
these two cases. [CVE-2016-0798]
In the BN_hex2bn function, the number of hex digits is
calculated using an int value |i|. Later |bn_expand| is
called with a value of |i * 4|. For large values of |i|
this can result in |bn_expand| not allocating any memory
because |i * 4| is negative. This can leave the internal
BIGNUM data field as NULL leading to a subsequent NULL
pointer dereference. For very large values of |i|, the
calculation |i * 4| could be a positive value smaller than
|i|. In this case memory is allocated to the internal BIGNUM
data field, but it is insufficiently sized leading to heap
corruption. A similar issue exists in BN_dec2bn. This could
have security consequences if BN_hex2bn/BN_dec2bn is ever
called by user applications with very large untrusted hex/dec
data. This is anticipated to be a rare occurrence.
[CVE-2016-0797]
The internal |fmtstr| function used in processing a "%s"
formatted string in the BIO_*printf functions could overflow
while calculating the length of a string and cause an
out-of-bounds read when printing very long strings.
[CVE-2016-0799]
A side-channel attack was found which makes use of
cache-bank conflicts on the Intel Sandy-Bridge microarchitecture
which could lead to the recovery of RSA keys. [CVE-2016-0702]
s2_srvr.c did not enforce that clear-key-length is 0 for
non-export ciphers. If clear-key bytes are present for these
ciphers, they displace encrypted-key bytes. [CVE-2016-0703]
s2_srvr.c overwrites the wrong bytes in the master key
when applying Bleichenbacher protection for export cipher
suites. [CVE-2016-0704]
Impact:
Servers that have SSLv2 protocol enabled are vulnerable
to the "DROWN" attack which allows a remote attacker to
fast attack many recorded TLS connections made to the server,
even when the client did not make any SSLv2 connections
themselves.
An attacker who can supply malformed DSA private keys
to OpenSSL applications may be able to cause memory corruption
which would lead to a Denial of Service condition.
[CVE-2016-0705]
An attacker connecting with an invalid username can cause
memory leak, which could eventually lead to a Denial of
Service condition. [CVE-2016-0798]
An attacker who can inject malformed data into an
application may be able to cause memory corruption which
would lead to a Denial of Service condition. [CVE-2016-0797,
CVE-2016-0799]
A local attacker who has control of code in a thread
running on the same hyper-threaded core as the victim thread
which is performing decryptions could recover RSA keys.
[CVE-2016-0702]
An eavesdropper who can intercept SSLv2 handshake can
conduct an efficient divide-and-conquer key recovery attack
and use the server as an oracle to determine the SSLv2
master-key, using only 16 connections to the server and
negligible computation. [CVE-2016-0703]
An attacker can use the Bleichenbacher oracle, which
enables more efficient variant of the DROWN attack.
[CVE-2016-0704]
Incorrect signedness comparison in the ioctl(2) handler
allows a malicious local user to overwrite a portion of the
kernel memory.
Impact:
A local user may crash the kernel, read a portion of
kernel memory and execute arbitrary code in kernel context.
The result of executing an arbitrary kernel code is privilege
escalation.
The implementation of the TIOCGSERIAL ioctl(2) does not
clear the output struct before copying it out to userland.
The implementation of the Linux sysinfo() system call
does not clear the output struct before copying it out to
userland.
Impact:
An unprivileged user can read a portion of uninitialised
kernel stack data, which may contain sensitive information,
such as the stack guard, portions of the file cache or
terminal buffers, which an attacker might leverage to obtain
elevated privileges.
The implementation of historic stat(2) system call does
not clear the output struct before copying it out to
userland.
Impact:
An unprivileged user can read a portion of uninitialised
kernel stack data, which may contain sensitive information,
such as the stack guard, portions of the file cache or
terminal buffers, which an attacker might leverage to obtain
elevated privileges.
Multiple vulnerabilities have been discovered in the NTP
suite:
The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
could cause ntpd to crash. [CVE-2016-4957, Reported by
Nicolas Edet of Cisco]
An attacker who knows the origin timestamp and can send
a spoofed packet containing a CRYPTO-NAK to an ephemeral
peer target before any other response is sent can demobilize
that association. [CVE-2016-4953, Reported by Miroslav
Lichvar of Red Hat]
An attacker who is able to spoof packets with correct
origin timestamps from enough servers before the expected
response packets arrive at the target machine can affect
some peer variables and, for example, cause a false leap
indication to be set. [CVE-2016-4954, Reported by Jakub
Prokes of Red Hat]
An attacker who is able to spoof a packet with a correct
origin timestamp before the expected response packet arrives
at the target machine can send a CRYPTO_NAK or a bad MAC
and cause the association's peer variables to be cleared.
If this can be done often enough, it will prevent that
association from working. [CVE-2016-4955, Reported by
Miroslav Lichvar of Red Hat]
The fix for NtpBug2978 does not cover broadcast associations,
so broadcast clients can be triggered to flip into interleave
mode. [CVE-2016-4956, Reported by Miroslav Lichvar of Red
Hat.]
Impact:
Malicious remote attackers may be able to break time
synchronization, or cause the ntpd(8) daemon to crash.
The implementation of bspatch does not check for a
negative value on numbers of bytes read from the diff and
extra streams, allowing an attacker who can control the
patch file to write at arbitrary locations in the heap.
This issue was first discovered by The Chromium Project
and reported independently by Lu Tung-Pin to the FreeBSD
project.
Impact:
An attacker who can control the patch file can cause a
crash or run arbitrary code under the credentials of the
user who runs bspatch, in many cases, root.
lukemftpd(8) is an enhanced BSD FTP server produced
within the NetBSD project. The sources for lukemftpd are
shipped with some versions of FreeBSD, however it is not
built or installed by default. The build system option
WANT_LUKEMFTPD must be set to build and install lukemftpd.
[NOTE: An exception is FreeBSD 4.7-RELEASE,
wherein lukemftpd was installed, but not enabled, by
default.]
Przemyslaw Frasunek discovered several vulnerabilities
in lukemftpd arising from races in the out-of-band signal
handling code used to implement the ABOR command. As a
result of these races, the internal state of the FTP server
may be manipulated in unexpected ways.
A remote attacker may be able to cause FTP commands to
be executed with the privileges of the running lukemftpd
process. This may be a low-privilege `ftp' user if the `-r'
command line option is specified, or it may be superuser
privileges if `-r' is *not* specified.
Chad Loder has discovered vulnerabilities in tcpdump's
ISAKMP protocol handler. During an audit to repair these
issues, Bill Fenner discovered some related problems.
These vulnerabilities may be used by an attacker to crash a
running `tcpdump' process. They can only be triggered if
the `-v' command line option is being used.
NOTE: the racoon ISAKMP/IKE daemon incorporates the ISAKMP
protocol handler from tcpdump, and so is also affected by
this issue.
A flaw in the DTLS SRTP extension parsing code allows an
attacker, who sends a carefully crafted handshake message,
to cause OpenSSL to fail to free up to 64k of memory causing
a memory leak. This could be exploited in a Denial Of Service
attack. This issue affects OpenSSL 1.0.1 server implementations
for both SSL/TLS and DTLS regardless of whether SRTP is used
or configured. Implementations of OpenSSL that have been
compiled with OPENSSL_NO_SRTP defined are not affected.
[CVE-2014-3513].
When an OpenSSL SSL/TLS/DTLS server receives a session
ticket the integrity of that ticket is first verified.
In the event of a session ticket integrity check failing,
OpenSSL will fail to free memory causing a memory leak.
By sending a large number of invalid session tickets an
attacker could exploit this issue in a Denial Of Service
attack. [CVE-2014-3567].
OpenSSL has added support for TLS_FALLBACK_SCSV to allow
applications to block the ability for a MITM attacker to
force a protocol downgrade.
Some client applications (such as browsers) will reconnect
using a downgraded protocol to work around interoperability
bugs in older servers. This could be exploited by an active
man-in-the-middle to downgrade connections to SSL 3.0 even
if both sides of the connection support higher protocols.
SSL 3.0 contains a number of weaknesses including POODLE
[CVE-2014-3566].
When OpenSSL is configured with "no-ssl3" as a build option,
servers could accept and complete a SSL 3.0 handshake, and
clients could be configured to send them. [CVE-2014-3568].
When verifying a PKCS#1 v1.5 signature, OpenSSL ignores any
bytes which follow the cryptographic hash being signed. In
a valid signature there will be no such bytes.
Impact
OpenSSL will incorrectly report some invalid signatures as
valid. When an RSA public exponent of 3 is used, or more
generally when a small public exponent is used with a
relatively large modulus (e.g., a public exponent of 17 with
a 4096-bit modulus), an attacker can construct a signature
which OpenSSL will accept as a valid PKCS#1 v1.5 signature.
An integer overflow in computing the size of a temporary
buffer can result in a buffer which is too small for the requested
operation.
Impact:
An unprivileged process can read or write pages of memory
which belong to the kernel. These may lead to exposure of sensitive
information or allow privilege escalation.
Applications that use SSL_MODE_RELEASE_BUFFERS, such as nginx, are
prone to a race condition which may allow a remote attacker to
inject random data into other connections.
Multiple programming errors have been found in gzip which
can be triggered when gzip is decompressing files. These
errors include insufficient bounds checks in buffer use, a
NULL pointer dereference, and a potential infinite loop.
Impact
The insufficient bounds checks in buffer use can cause gzip
to crash, and may permit the execution of arbitrary code.
The NULL pointer deference can cause gzip to crash. The
infinite loop can cause a Denial-of-Service situation where
gzip uses all available CPU time.
A flaw in a library used by BIND allows an
attacker to deliberately cause excessive memory
consumption by the named(8) process. This
affects both recursive and authoritative
servers.
Applications that use SSL_MODE_RELEASE_BUFFERS, such as nginx/apache,
are prone to a race condition which may allow a remote attacker to
crash the current service.
Two problems have been discovered relating to the
extraction of bzip2-compressed files. First, a carefully
constructed invalid bzip2 archive can cause bzip2 to enter
an infinite loop. Second, when creating a new file, bzip2
closes the file before setting its permissions.
Impact
The first problem can cause bzip2 to extract a bzip2
archive to an infinitely large file. If bzip2 is used in
automated processing of untrusted files this could be
exploited by an attacker to create an denial-of-service
situation by exhausting disk space or by consuming all
available cpu time.
The second problem can allow a local attacker to change the
permissions of local files owned by the user executing bzip2
providing that they have write access to the directory in
which the file is being extracted.
Workaround
Do not uncompress bzip2 archives from untrusted sources and
do not uncompress files in directories where untrusted users
have write access.
A BIND 9 DNS server set up to be a caching resolver is
vulnerable to a user querying a domain with very large resource
record sets (RRSets) when trying to negatively cache a response.
This can cause the BIND 9 DNS server (named process) to crash.
On "7th generation" and "8th generation" processors
manufactured by AMD, including the AMD Athlon, Duron, Athlon
MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, and
Sempron, the fxsave and fxrstor instructions do not save and
restore the FOP, FIP, and FDP registers unless the exception
summary bit (ES) in the x87 status word is set to 1,
indicating that an unmasked x87 exception has occurred.
This behaviour is consistent with documentation provided by
AMD, but is different from processors from other vendors,
which save and restore the FOP, FIP, and FDP registers
regardless of the value of the ES bit. As a result of this
discrepancy remaining unnoticed until now, the FreeBSD kernel
does not restore the contents of the FOP, FIP, and FDP
registers between context switches.
Impact
On affected processors, a local attacker can monitor the
execution path of a process which uses floating-point
operations. This may allow an attacker to steal
cryptographic keys or other sensitive information.
Workaround
No workaround is available, but systems which do not use AMD
Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX,
Opteron, Turion, or Sempron processors are not vulnerable.
There is no mechanism for preventing IPv6 routing headers
from being used to route packets over the same link(s) many
times.
Impact
An attacker can "amplify" a denial of service attack against
a link between two vulnerable hosts; that is, by sending a
small volume of traffic the attacker can consume a much larger
amount of bandwidth between the two vulnerable hosts.
An attacker can use vulnerable hosts to "concentrate" a
denial of service attack against a victim host or network;
that is, a set of packets sent over a period of 30 seconds
or more could be constructed such that they all arrive at
the victim within a period of 1 second or less over a
period of 30 seconds or more could be constructed such that
they all arrive at the victim within a period of 1 second or
less.
OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable.
Local attackers may be able to write arbitrary messages to
logged-in users, including terminal escape sequences. Reported
by Nikolay Edigaryev.
Fixed a privilege separation
weakness related to PAM support. Attackers who could successfully
compromise the pre-authentication process for remote code
execution and who had valid credentials on the host could
impersonate other users.
Fixed a use-after-free bug
related to PAM support that was reachable by attackers who could
compromise the pre-authentication process for remote code
execution.
An un-checked return value in the BGP dissector code can
result in an integer overflow. This value is used in
subsequent buffer management operations, resulting in a stack
based buffer overflow under certain circumstances.
Impact:
By crafting malicious BGP packets, an attacker could exploit
this vulnerability to execute code or crash the tcpdump
process on the target system. This code would be executed in
the context of the user running tcpdump(1). It should be
noted that tcpdump(1) requires privileges in order to open live
network interfaces.
In case of an incoming ICMPv6 'Packet Too Big Message', there
is an insufficient check on the proposed new MTU for a path to
the destination.
Impact:
When the kernel is configured to process IPv6 packets and has
active IPv6 TCP sockets, a specifically crafted ICMPv6 'Packet
Too Big Message' could cause the TCP stack of the kernel to
panic.
Workaround:
Systems without INET6 / IPv6 support are not vulnerable and
neither are systems which do not listen on any IPv6 TCP sockets
and have no active IPv6 connections.
Filter ICMPv6 'Packet Too Big Messages' using a firewall, but
this will at the same time break PMTU support for IPv6
connections.
Historically OpenSSL only ever generated DH parameters based on "safe"
primes. More recently (in version 1.0.2) support was provided for
generating X9.42 style parameter files such as those required for RFC 5114
support. The primes used in such files may not be "safe". Where an
application is using DH configured with parameters based on primes that are
not "safe" then an attacker could use this fact to find a peer's private
DH exponent. This attack requires that the attacker complete multiple
handshakes in which the peer uses the same private DH exponent. For example
this could be used to discover a TLS server's private DH exponent if it's
reusing the private DH exponent or it's using a static DH ciphersuite.
OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
TLS. It is not on by default. If the option is not set then the server
reuses the same private DH exponent for the life of the server process and
would be vulnerable to this attack. It is believed that many popular
applications do set this option and would therefore not be at risk.
(CVE-2016-0701)
A malicious client can negotiate SSLv2 ciphers that have been disabled on
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
been disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.
(CVE-2015-3197)
A type * (ANY) query response containing multiple RRsets can
trigger an assertion failure.
Certain recursive queries can cause the nameserver to crash
by using memory which has already been freed.
Impact:
A remote attacker sending a type * (ANY) query to an
authoritative DNS server for a DNSSEC signed zone can cause
the named(8) daemon to exit, resulting in a Denial of
Service.
A remote attacker sending recursive queries can cause the
nameserver to crash, resulting in a Denial of Service.
Workaround:
There is no workaround available, but systems which are not
authoritative servers for DNSSEC signed zones are not
affected by the first issue; and systems which do not permit
untrusted users to perform recursive DNS resolution are not
affected by the second issue. Note that the default
configuration for named(8) in FreeBSD allows local access
only (which on many systems is equivalent to refusing access
to untrusted users).
Unrestricted access to the monlist feature in
ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote
attackers to cause a denial of service (traffic
amplification) via forged (1) REQ_MON_GETLIST or (2)
REQ_MON_GETLIST_1 requests, as exploited in the wild in
December 2013
Use noquery to your default restrictions to block all
status queries.
Use disable monitor to disable the ``ntpdc -c monlist''
command while still allowing other status queries.
When named(8) is operating as a recursive DNS server or
sending NOTIFY requests to slave DNS servers, named(8)
uses a predictable query id.
Impact:
An attacker who can see the query id for some request(s)
sent by named(8) is likely to be able to perform DNS cache
poisoning by predicting the query id for other request(s).
Two problems have been discovered in the FreeBSD TCP stack.
First, when a TCP packets containing a timestamp is
received, inadequate checking of sequence numbers is
performed, allowing an attacker to artificially increase the
internal "recent" timestamp for a connection.
Second, a TCP packet with the SYN flag set is accepted for
established connections, allowing an attacker to overwrite
certain TCP options.
Impact
Using either of the two problems an attacker with knowledge
of the local and remote IP and port numbers associated with
a connection can cause a denial of service situation by
stalling the TCP connection. The stalled TCP connection my
be closed after some time by the other host.
Workaround
In some cases it may be possible to defend against these
attacks by blocking the attack packets using a firewall.
Packets used to effect either of these attacks would have
spoofed source IP addresses.
Symlinks created using the "GNUTYPE_NAMES" tar extension can
be absolute due to lack of proper sanity checks.
Impact:
If an attacker can get a user to extract a specially crafted
tar archive the attacker can overwrite arbitrary files with
the permissions of the user running gtar. If file system
permissions allow it, this may allow the attacker to overwrite
important system file (if gtar is being run as root), or
important user configuration files such as .tcshrc or .bashrc,
which would allow the attacker to run arbitrary commands.
Workaround:
Use "bsdtar", which is the default tar implementation in
FreeBSD 5.3 and higher. For FreeBSD 4.x, bsdtar is available
in the FreeBSD Ports Collection as
ports/archivers/libarchive.
In multiple situations the host's jail rc.d(8) script does
not check if a path inside the jail file system structure is
a symbolic link before using the path. In particular this is
the case when writing the output from the jail start-up to
/var/log/console.log and when mounting and unmounting file
systems inside the jail directory structure.
Impact:
Due to the lack of handling of potential symbolic links the
host's jail rc.d(8) script is vulnerable to "symlink
attacks". By replacing /var/log/console.log inside the jail
with a symbolic link it is possible for the superuser (root)
inside the jail to overwrite files on the host system outside
the jail with arbitrary content. This in turn can be used to
execute arbitrary commands with non-jailed superuser
privileges.
Similarly, by changing directory mount points inside the
jail file system structure into symbolic links, it may be
possible for a jailed attacker to mount file systems which
were meant to be mounted inside the jail at arbitrary points
in the host file system structure, or to unmount arbitrary
file systems on the host system.
NOTE WELL: The above vulnerabilities occur only when a jail
is being started or stopped using the host's jail rc.d(8)
script; once started (and until stopped), running jails
cannot exploit this.
Workaround:
If the sysctl(8) variable security.jail.chflags_allowed is
set to 0 (the default), setting the "sunlnk" system flag on
/var, /var/log, /var/log/console.log, and all file system
mount points and their parent directories inside the jail(s)
will ensure that the console log file and mount points are
not replaced by symbolic links. If this is done while jails
are running, the administrator must check that an attacker
has not replaced any directories with symlinks after setting
the "sunlnk" flag.
If ntpd receives a mode 7 (MODE_PRIVATE) request or error response
from a source address not listed in either a 'restrict ... noquery'
or a 'restrict ... ignore' section it will log the even and send a
mode 7 error response.
As is commonly the case, the IPv6 and ATM network layer
ioctl request handlers are written in such a way that an
unrecognized request is passed on unmodified to the link
layer, which will either handle it or return an error
code.
Network interface drivers, however, assume that the
SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and
SIOCSIFNETMASK requests have been handled at the network
layer, and therefore do not perform input validation or
verify the caller's credentials. Typical link-layer actions
for these requests may include marking the interface as "up"
and resetting the underlying hardware.
Impact:
An unprivileged user with the ability to run arbitrary code
can cause any network interface in the system to perform the
link layer actions associated with a SIOCSIFADDR,
SIOCSIFBRDADDR, SIOCSIFDSTADDR or SIOCSIFNETMASK ioctl
request; or trigger a kernel panic by passing a specially
crafted address structure which causes a network interface
driver to dereference an invalid pointer.
Although this has not been confirmed, the possibility that
an attacker may be able to execute arbitrary code in kernel
context cannot be ruled out.
NTF's NTP Project has been notified of the following
1 medium-severity vulnerability that is fixed in
ntp-4.2.8p5, released on Thursday, 7 January 2016:
Due to the interaction between devfs and VFS, a race condition
exists where the kernel might dereference a NULL pointer.
Impact:
Successful exploitation of the race condition can lead to local
kernel privilege escalation, kernel data corruption and/or
crash.
To exploit this vulnerability, an attacker must be able to run
code with user privileges on the target system.
Workaround:
An errata note, FreeBSD-EN-09:05.null has been released
simultaneously to this advisory, and contains a kernel patch
implementing a workaround for a more broad class of
vulnerabilities. However, prior to those changes, no workaround
is available.
NTF's NTP Project has been notified of the following low-
and medium-severity vulnerabilities that are fixed in
ntp-4.2.8p6, released on Tuesday, 19 January 2016:
Bug 2948 / CVE-2015-8158: Potential Infinite Loop
in ntpq. Reported by Cisco ASIG.
Bug 2945 / CVE-2015-8138: origin: Zero Origin
Timestamp Bypass. Reported by Cisco ASIG.
Bug 2942 / CVE-2015-7979: Off-path Denial of
Service (DoS) attack on authenticated broadcast
mode. Reported by Cisco ASIG.
Bug 2940 / CVE-2015-7978: Stack exhaustion in
recursive traversal of restriction list.
Reported by Cisco ASIG.
A logic bug in pf's IP fragment cache may result in a packet
fragment being inserted twice, violating a kernel
invariant.
Impact:
By sending carefully crafted sequence of IP packet fragments,
a remote attacker can cause a system running pf with a ruleset
containing a 'scrub fragment crop' or 'scrub fragment
drop-ovl' rule to crash.
Workaround:
Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl'
rules on systems running pf. In most cases, such rules can be
replaced by 'scrub fragment reassemble' rules; see the
pf.conf(5) manual page for more details.
Systems which do not use pf, or use pf but do not use the
aforementioned rules, are not affected by this issue.
When the arc4random(9) random number generator is
initialized, there may be inadequate entropy to meet the
needs of kernel systems which rely on arc4random(9); and it
may take up to 5 minutes before arc4random(9) is reseeded
with secure entropy from the Yarrow random number generator.
Impact:
All security-related kernel subsystems that rely on a
quality random number generator are subject to a wide range of
possible attacks for the 300 seconds after boot or until 64k
of random data is consumed. The list includes:
* GEOM ELI providers with onetime keys. When a provider is
configured in a way so that it gets attached at the same time
during boot (e.g. it uses the rc subsystem to initialize) it
might be possible for an attacker to recover the encrypted
data.
* GEOM shsec providers. The GEOM shsec subsytem is used to
split a shared secret between two providers so that it can be
recovered when both of them are present. This is done by
writing the random sequence to one of providers while
appending the result of the random sequence on the other host
to the original data. If the provider was created within the
first 300 seconds after booting, it might be possible for an
attacker to extract the original data with access to only one
of the two providers between which the secret data is split.
* System processes started early after boot may receive
predictable IDs.
* The 802.11 network stack uses arc4random(9) to generate
initial vectors (IV) for WEP encryption when operating in
client mode and WEP authentication challenges when operating
in hostap mode, which may be insecure.
* The IPv4, IPv6 and TCP/UDP protocol implementations rely
on a quality random number generator to produce unpredictable
IP packet identifiers, initial TCP sequence numbers and
outgoing port numbers. During the first 300 seconds after
booting, it may be easier for an attacker to execute IP
session hijacking, OS fingerprinting, idle scanning, or in
some cases DNS cache poisoning and blind TCP data injection
attacks.
* The kernel RPC code uses arc4random(9) to retrieve
transaction identifiers, which might make RPC clients
vulnerable to hijacking attacks.
It was discovered that the OpenSSH sshd daemon did not check the
list of keyboard-interactive authentication methods for duplicates.
A remote attacker could use this flaw to bypass the MaxAuthTries
limit, making it easier to perform password guessing attacks.
In the FW_GCROM ioctl, a signed integer comparison is used
instead of an unsigned integer comparison when computing the
length of a buffer to be copied from the kernel into the
calling application.
Impact:
A user in the "operator" group can read the contents of
kernel memory. Such memory might contain sensitive
information, such as portions of the file cache or terminal
buffers. This information might be directly useful, or it
might be leveraged to obtain elevated privileges in some way;
for example, a terminal buffer might include a user-entered
password.
Workaround:
No workaround is available, but systems without IEEE 1394
("FireWire") interfaces are not vulnerable. (Note that
systems with IEEE 1394 interfaces are affected regardless of
whether any devices are attached.)
Note also that FreeBSD does not have any non-root users in
the "operator" group by default; systems on which no users
have been added to this group are therefore also not
vulnerable.
A part of the NFS server code charged with handling incoming
RPC messages via TCP had an error which, when the server
received a message with a zero-length payload, would cause a
NULL pointer dereference which results in a kernel panic. The
kernel will only process the RPC messages if a userland nfsd
daemon is running.
Impact:
The NULL pointer deference allows a remote attacker capable
of sending RPC messages to an affected FreeBSD system to crash
the FreeBSD system.
Workaround:
Disable the NFS server: set the nfs_server_enable
variable to "NO" in /etc/rc.conf, and reboot.
Alternatively, if there are no active NFS clients (as
listed by the showmount(8) utility), simply killing the
mountd and nfsd processes should suffice.
Add firewall rules to block RPC traffic to the NFS server
from untrusted hosts.
The BIND DNS implementation does not randomize the UDP source
port when doing remote queries, and the query id alone does
not provide adequate randomization.
Impact:
The lack of source port randomization reduces the amount of
data the attacker needs to guess in order to successfully
execute a DNS cache poisoning attack. This allows the
attacker to influence or control the results of DNS queries
being returned to users from target systems.
Workaround:
Limiting the group of machines that can do recursive queries
on the DNS server will make it more difficult, but not
impossible, for this vulnerability to be exploited.
To limit the machines able to perform recursive queries, add an ACL in
named.conf and limit recursion like the following:
Because OpenSSH and OpenPAM have conflicting designs (one is event-
driven while the other is callback-driven), it is necessary for
OpenSSH to fork a child process to handle calls to the PAM framework.
However, if the unprivileged child terminates while PAM authentication
is under way, the parent process incorrectly believes that the PAM
child also terminated. The parent process then terminates, and the
PAM child is left behind.
Due to the way OpenSSH performs internal accounting, these orphaned
PAM children are counted as pending connections by the master OpenSSH
server process. Once a certain number of orphans has accumulated, the
master decides that it is overloaded and stops accepting client
connections.
Impact:
By repeatedly connecting to a vulnerable server, waiting for
a password prompt, and closing the connection, an attacker can
cause OpenSSH to stop accepting client connections until the
system restarts or an administrator manually kills the orphaned
PAM processes.
Workaround:
The following command will show a list of orphaned PAM
processes:
# pgrep -lf 'sshd.*\[pam\]'
The following command will kill orphaned PAM processes:
# pkill -f 'sshd.*\[pam\]'
To prevent OpenSSH from leaving orphaned PAM processes behind,
perform one of the following:
Disable PAM authentication in OpenSSH. Users will still
be able to log in using their Unix password, OPIE or SSH
keys.
To do this, execute the following commands as root:
If disabling PAM is not an option - if, for instance, you use
RADIUS authentication, or store user passwords in an SQL database
- you may instead disable privilege separation. However, this may
leave OpenSSH vulnerable to hitherto unknown bugs, and should be
considered a last resort.
To do this, execute the following commands as root:
IPv6 routers may allow "on-link" IPv6 nodes to create and
update the router's neighbor cache and forwarding
information. A malicious IPv6 node sharing a common router
but on a different physical segment from another node may be
able to spoof Neighbor Discovery messages, allowing it to
update router information for the victim node.
Impact:
An attacker on a different physical network connected to the
same IPv6 router as another node could redirect IPv6 traffic
intended for that node. This could lead to denial of service
or improper access to private network traffic.
Workaround:
Firewall packet filters can be used to filter incoming
Neighbor Solicitation messages but may interfere with normal
IPv6 operation if not configured carefully.
Reverse path forwarding checks could be used to make
gateways, such as routers or firewalls, drop Neighbor
Solicitation messages from nodes with unexpected source
addresses on a particular interface.
IPv6 router administrators are encouraged to read RFC 3756
for further discussion of Neighbor Discovery security
implications.
If a General Protection Fault happens on a FreeBSD/amd64
system while it is returning from an interrupt, trap or
system call, the swapgs CPU instruction may be called one
extra time when it should not resulting in userland and
kernel state being mixed.
Impact:
A local attacker can by causing a General Protection Fault
while the kernel is returning from an interrupt, trap or
system call while manipulating stack frames and, run
arbitrary code with kernel privileges.
The vulnerability can be used to gain kernel / supervisor
privilege. This can for example be used by normal users to
gain root privileges, to break out of jails, or bypass
Mandatory Access Control (MAC) restrictions.
Workaround:
No workaround is available, but only systems running the 64
bit FreeBSD/amd64 kernels are vulnerable.
Systems with 64 bit capable CPUs, but running the 32 bit
FreeBSD/i386 kernel are not vulnerable.
When downloading updates to FreeBSD via 'freebsd-update fetch' or
'freebsd-update upgrade', the freebsd-update(8) utility copies
currently installed files into its working directory
(/var/db/freebsd-update by default) both for the purpose of merging
changes to configuration files and in order to be able to roll back
installed updates.
The default working directory used by freebsd-update(8) is normally
created during the installation of FreeBSD with permissions which
allow all local users to see its contents, and freebsd-update(8) does
not take any steps to restrict access to files stored in said
directory.
An error in the handling of TKEY queries can be exploited
by an attacker for use as a denial-of-service vector, as a constructed
packet can use the defect to trigger a REQUIRE assertion failure,
causing BIND to exit.
The read-only flag is not correctly copied when a mbuf buffer
reference is duplicated. When the sendfile(2) system call is used to
transmit data over the loopback interface, this can result in the
backing pages for the transmitted file being modified, causing data
corruption.
A buffer allocated from the kernel stack may not be completely
initialized before being copied to userland. [CVE-2006-0379]
A logic error in computing a buffer length may allow too much
data to be copied into userland. [CVE-2006-0380]
Impact:
Portions of kernel memory may be disclosed to local users.
Such memory might contain sensitive information, such as
portions of the file cache or terminal buffers. This
information might be directly useful, or it might be
leveraged to obtain elevated privileges in some way. For
example, a terminal buffer might include a user-entered
password.
Integer signedness error in the archive_write_zip_data function in
archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when
running on 64-bit machines, allows context-dependent attackers to
cause a denial of service (crash) via unspecified vectors, which
triggers an improper conversion between unsigned and signed types,
leading to a buffer overflow.
Absolute path traversal vulnerability in bsdcpio in libarchive
3.1.2 and earlier allows remote attackers to write to arbitrary
files via a full pathname in an archive.
Libarchive issue tracker reports:
Using a crafted tar file bsdtar can perform an out-of-bounds memory
read which will lead to a SEGFAULT. The issue exists when the
executable skips data in the archive. The amount of data to skip is
defined in byte offset [16-19] If ASLR is disabled, the issue can
lead to an infinite loop.
Various user defined input such as mount points, devices, and
mount options are prepared and passed as arguments to
nmount(2) into the kernel. Under certain error conditions,
user defined data will be copied into a stack allocated buffer
stored in the kernel without sufficient bounds checking.
Impact:
If the system is configured to allow unprivileged users to
mount file systems, it is possible for a local adversary to
exploit this vulnerability and execute code in the context of
the kernel.
Workaround:
It is possible to work around this issue by allowing only
privileged users to mount file systems by running the
following sysctl(8) command:
A flaw in OBJ_obj2txt may cause pretty printing functions
such as X509_name_oneline, X509_name_print_ex et al. to leak
some information from the stack. [CVE-2014-3508]
The issue affects OpenSSL clients and allows a malicious
server to crash the client with a null pointer dereference
(read) by specifying an SRP ciphersuite even though it was
not properly negotiated with the client. [CVE-2014-5139]
If a multithreaded client connects to a malicious server
using a resumed session and the server sends an ec point
format extension it could write up to 255 bytes to freed
memory. [CVE-2014-3509]
An attacker can force an error condition which causes
openssl to crash whilst processing DTLS packets due to
memory being freed twice. This can be exploited through
a Denial of Service attack. [CVE-2014-3505]
An attacker can force openssl to consume large amounts
of memory whilst processing DTLS handshake messages.
This can be exploited through a Denial of Service
attack. [CVE-2014-3506]
By sending carefully crafted DTLS packets an attacker
could cause openssl to leak memory. This can be exploited
through a Denial of Service attack. [CVE-2014-3507]
OpenSSL DTLS clients enabling anonymous (EC)DH
ciphersuites are subject to a denial of service attack.
A malicious server can crash the client with a null pointer
dereference (read) by specifying an anonymous (EC)DH
ciphersuite and sending carefully crafted handshake
messages. [CVE-2014-3510]
A flaw in the OpenSSL SSL/TLS server code causes the
server to negotiate TLS 1.0 instead of higher protocol
versions when the ClientHello message is badly
fragmented. This allows a man-in-the-middle attacker
to force a downgrade to TLS 1.0 even if both the server
and the client support a higher protocol version, by
modifying the client's TLS records. [CVE-2014-3511]
A malicious client or server can send invalid SRP
parameters and overrun an internal buffer. Only
applications which are explicitly set up for SRP
use are affected. [CVE-2014-3512]
When writing data into a buffer in the file_printf function,
the length of the unused portion of the buffer is not
correctly tracked, resulting in a buffer overflow when
processing certain files.
Impact:
An attacker who can cause file(1) to be run on a maliciously
constructed input can cause file(1) to crash. It may be
possible for such an attacker to execute arbitrary code with
the privileges of the user running file(1).
The above also applies to any other applications using the
libmagic(3) library.
Workaround:
No workaround is available, but systems where file(1) and
other libmagic(3)-using applications are never run on
untrusted input are not vulnerable.
A race condition exists in the pipe close() code relating
to kqueues, causing use-after-free for kernel memory, which
may lead to an exploitable NULL pointer vulnerability in the
kernel, kernel memory corruption, and other unpredictable
results.
Impact:
Successful exploitation of the race condition can lead to
local kernel privilege escalation, kernel data corruption
and/or crash.
To exploit this vulnerability, an attacker must be able to
run code on the target system.
Workaround
An errata notice, FreeBSD-EN-09:05.null has been released
simultaneously to this advisory, and contains a kernel patch
implementing a workaround for a more broad class of
vulnerabilities. However, prior to those changes, no
workaround is available.
When replaying setattr transaction, the replay code would set the
attributes with certain insecure defaults, when the logged
transaction did not touch these attributes.
Named is potentially vulnerable to the OpenSSL vulnerability described in CVE-2015-3193.
Incorrect reference counting could result in an INSIST
failure if a socket error occurred while performing a lookup. This flaw
is disclosed in CVE-2015-8461. [RT#40945]
Insufficient testing when parsing a message allowed records
with an incorrect class to be be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed in
CVE-2015-8000. [RT #40987]
We have today posted updated versions of 9.9.6 and 9.10.1
to address a significant security vulnerability in DNS
resolution. The flaw was discovered by Florian Maury of
ANSSI, and applies to any recursive resolver that does not
support a limit on the number of recursions. [CERTFR-2014-AVI-512],
[USCERT VU#264212]
A flaw in delegation handling could be exploited to put named
into an infinite loop, in which each lookup of a name server
triggered additional lookups of more name servers. This has
been addressed by placing limits on the number of levels of
recursion named will allow (default 7), and on the number of
queries that it will send before terminating a recursive query
(default 50). The recursion depth limit is configured via the
max-recursion-depth option, and the query limit via the
max-recursion-queries option. For more information, see the
security advisory at https://kb.isc.org/article/AA-01216/.
[CVE-2014-8500]
[RT #37580]
In addition, we have also corrected a potential security
vulnerability in the GeoIP feature in the 9.10.1 release only.
For more information on this issue, see the security advisory
at https://kb.isc.org/article/AA-01217.
[CVE-2014-8680]
Due to insufficient permission checks in the virtual memory
system, a tracing process (such as a debugger) may be able to
modify portions of the traced process's address space to which
the traced process itself does not have write access.
When running setuid programs rtld will normally remove potentially
dangerous environment variables. Due to recent changes in FreeBSD
environment variable handling code, a corrupt environment may
result in attempts to unset environment variables failing.
NTF's NTP Project has been notified of the following low-
and medium-severity vulnerabilities that are fixed in
ntp-4.2.8p7, released on Tuesday, 26 April 2016:
Bug 3020 / CVE-2016-1551: Refclock impersonation
vulnerability, AKA: refclock-peering. Reported by
Matt Street and others of Cisco ASIG
Bug 3012 / CVE-2016-1549: Sybil vulnerability:
ephemeral association attack, AKA: ntp-sybil -
MITIGATION ONLY. Reported by Matthew Van Gundy
of Cisco ASIG
Bug 3011 / CVE-2016-2516: Duplicate IPs on
unconfig directives will cause an assertion botch.
Reported by Yihan Lian of the Cloud Security Team,
Qihoo 360
Bug 3010 / CVE-2016-2517: Remote configuration
trustedkey/requestkey values are not properly
validated. Reported by Yihan Lian of the Cloud
Security Team, Qihoo 360
Bug 3009 / CVE-2016-2518: Crafted addpeer with
hmode > 7 causes array wraparound with MATCH_ASSOC.
Reported by Yihan Lian of the Cloud Security Team,
Qihoo 360
Bug 3008 / CVE-2016-2519: ctl_getitem() return
value not always checked. Reported by Yihan Lian
of the Cloud Security Team, Qihoo 360
Bug 3007 / CVE-2016-1547: Validate crypto-NAKs,
AKA: nak-dos. Reported by Stephen Gray and
Matthew Van Gundy of Cisco ASIG
Bug 2978 / CVE-2016-1548: Interleave-pivot -
MITIGATION ONLY. Reported by Miroslav Lichvar of
RedHat and separately by Jonathan Gardner of
Cisco ASIG.
Bug 2952 / CVE-2015-7704: KoD fix: peer
associations were broken by the fix for
NtpBug2901, AKA: Symmetric active/passive mode
is broken. Reported by Michael Tatarinov,
NTP Project Developer Volunteer
Bug 2945 / Bug 2901 / CVE-2015-8138: Zero
Origin Timestamp Bypass, AKA: Additional KoD Checks.
Reported by Jonathan Gardner of Cisco ASIG
Bug 2879 / CVE-2016-1550: Improve NTP security
against buffer comparison timing attacks,
authdecrypt-timing, AKA: authdecrypt-timing.
Reported independently by Loganaden Velvindron,
and Matthew Van Gundy and Stephen Gray of
Cisco ASIG.
The nullfs(5) implementation of the VOP_LINK(9) VFS
operation does not check whether the source and target of
the link are both in the same nullfs instance. It is
therefore possible to create a hardlink from a location in
one nullfs instance to a file in another, as long as the
underlying (source) filesystem is the same.
Impact:
If multiple nullfs views into the same filesystem are
mounted in different locations, a user with read access to
one of these views and write access to another will be able
to create a hard link from the latter to a file in the
former, even though they are, from the user's perspective,
different filesystems. The user may thereby gain write
access to files which are nominally on a read-only
filesystem.
NTF's NTP Project has been notified of the following 13 low-
and medium-severity vulnerabilities that are fixed in
ntp-4.2.8p4, released on Wednesday, 21 October 2015:
Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric
association authentication bypass via crypto-NAK
(Cisco ASIG)
Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch
instead of returning FAIL on some bogus values (IDA)
The only generally-exploitable bug in the above list is the
crypto-NAK bug, which has a CVSS2 score of 6.4.
Additionally, three bugs that have already been fixed in
ntp-4.2.8 but were not fixed in ntp-4.2.6 as it was EOL'd
have a security component, but are all below 1.8 CVSS score,
so we're reporting them here:
Bug 2382 : Peer precision < -31 gives division by zero
Bug 1774 : Segfaults if cryptostats enabled when built
without OpenSSL
Bug 1593 : ntpd abort in free() with logconfig syntax error
Some function pointers for netgraph and bluetooth sockets are
not properly initialized.
Impact:
A local user can cause the FreeBSD kernel to execute
arbitrary code. This could be used by an attacker directly;
or it could be used to gain root privilege or to escape from
a jail.
Workaround:
No workaround is available, but systems without local
untrusted users are not vulnerable. Furthermore, systems are
not vulnerable if they have neither the ng_socket nor
ng_bluetooth kernel modules loaded or compiled into the
kernel.
Systems with the security.jail.socket_unixiproute_only
sysctl set to 1 (the default) are only vulnerable if they have
local untrusted users outside of jails.
A very uncommon combination of zone data has been found
that triggers a bug in BIND, with the result that named
will exit with a "REQUIRE" failure in name.c when validating
the data returned in answer to a recursive query.
A recursive resolver that is performing DNSSEC validation
can be deliberately terminated by any attacker who can
cause a query to be performed against a maliciously
constructed zone. This will result in a denial of
service to clients who rely on that resolver.
Because of a defect in handling queries for NSEC3-signed zones,
BIND can crash with an "INSIST" failure in name.c when processing
queries possessing certain properties. By exploiting this defect
an attacker deliberately constructing a query with the right
properties could achieve denial of service against an authoritative
nameserver serving NSEC3-signed zones.
The firewall maintains a pointer to layer 4 header
information in the event that it needs to send a TCP reset
or ICMP error message to discard packets. Due to incorrect
handling of IP fragments, this pointer fails to get
initialized.
Impact:
An attacker can cause the firewall to crash by sending ICMP
IP fragments to or through firewalls which match any reset,
reject or unreach actions.
Workaround:
Change any reset, reject or unreach actions to deny. It
should be noted that this will result in packets being
silently discarded.
An integer overflow in the handling of corrupt IEEE 802.11
beacon or probe response frames when scanning for existing
wireless networks can result in the frame overflowing a
buffer.
Impact:
An attacker able broadcast a carefully crafted beacon or
probe response frame may be able to execute arbitrary code
within the context of the FreeBSD kernel on any system
scanning for wireless networks.
Workaround:
No workaround is available, but systems without IEEE 802.11
hardware or drivers loaded are not vulnerable.
When initializing the SCTP state cookie being sent in INIT-ACK chunks,
a buffer allocated from the kernel stack is not completely initialized.
Impact:
Fragments of kernel memory may be included in SCTP packets and
transmitted over the network. For each SCTP session, there are two
separate instances in which a 4-byte fragment may be transmitted.
This memory might contain sensitive information, such as portions of the
file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in
some way. For example, a terminal buffer might include a user-entered
password.
OpenSSH clients between versions 5.4 and 7.1 are vulnerable to
information disclosure that may allow a malicious server to retrieve
information including under some circumstances, user's private keys.
Missing sanitisation of untrusted input allows an
authenticated user who is able to request X11 forwarding
to inject commands to xauth(1).
Injection of xauth commands grants the ability to read
arbitrary files under the authenticated user's privilege,
Other xauth commands allow limited information leakage,
file overwrite, port probing and generally expose xauth(1),
which was not written with a hostile user in mind, as an
attack surface.
Mitigation:
Set X11Forwarding=no in sshd_config. This is the default.
For authorized_keys that specify a "command" restriction,
also set the "restrict" (available in OpenSSH >=7.2) or
"no-x11-forwarding" restrictions.
If a client requests DNSSEC records with the Checking Disabled (CD)
flag set, BIND may cache the unvalidated responses. These responses
may later be returned to another client that has not set the CD
flag.
The kernel incorrectly uses client supplied credentials
instead of the one configured in exports(5) when filling out the
anonymous credential for a NFS export, when -network or -host
restrictions are used at the same time.
Impact:
The remote client may supply privileged credentials (e.g. the
root user) when accessing a file under the NFS share, which will bypass
the normal access checks.
The ftpd(8) server splits long commands into several
requests. This may result in the server executing a command
which is hidden inside another very long command.
Impact:
This could, with a specifically crafted command, be used in a
cross-site request forgery attack.
FreeBSD systems running ftpd(8) server could act as a point
of privilege escalation in an attack against users using web
browser to access trusted FTP sites.
Workaround:
No workaround is available, but systems not running FTP
servers are not vulnerable. Systems not running the FreeBSD
ftp(8) server are not affected, but users of other ftp
daemons are advised to take care since several other ftp
daemons are known to have related bugs.
Parsing a malformed DNSSEC key can cause a validating
resolver to exit due to a failed assertion in buffer.c. It is possible
for a remote attacker to deliberately trigger this condition, for
example by using a query which requires a response from a zone
containing a deliberately malformed key.
For a recursive DNS server, a remote attacker sending enough
recursive queries for the replies to arrive after all the
interested clients have left the recursion queue will trigger
an INSIST failure in the named(8) daemon. Also for a
recursive DNS server, an assertion failure can occur when
processing a query whose reply will contain more than one
SIG(covered) RRset.
For an authoritative DNS server serving a RFC 2535 DNSSEC
zone which is queried for the SIG records where there are
multiple SIG(covered) RRsets (e.g. a zone apex), named(8)
will trigger an assertion failure when it tries to construct
the response.
Impact
An attacker who can perform recursive lookups on a DNS server
and is able to send a sufficiently large number of recursive
queries, or is able to get the DNS server to return more than
one SIG(covered) RRsets can stop the functionality of the DNS
service.
An attacker querying an authoritative DNS server serving a
RFC 2535 DNSSEC zone may be able to crash the DNS server.
Workaround
A possible workaround is to only allow trusted clients to
perform recursive queries.
The PV pagetable code has fast-paths for making updates to
pre-existing pagetable entries, to skip expensive re-validation
in safe cases (e.g. clearing only Access/Dirty bits). The bits
considered safe were too broad, and not actually safe.
A malicious PV guest administrator can escalate their privilege to
that of the host.
Supervisor Mode Access Prevention is a hardware feature designed
to make an Operating System more robust, by raising a pagefault
rather than accidentally following a pointer into userspace.
However, legitimate accesses into userspace require whitelisting,
and the exception delivery mechanism for 32bit PV guests wasn't
whitelisted.
A malicious 32-bit PV guest kernel can trigger a safety check,
crashing the hypervisor and causing a denial of service to other
VMs on the host.
A guest can submit virtio requests without bothering to wait for
completion and is therefore not bound by virtqueue size...
A malicious guest administrator can cause unbounded memory
allocation in QEMU, which can cause an Out-of-Memory condition
in the domain running qemu. Thus, a malicious guest administrator
can cause a denial of service affecting the whole host.
libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.
idn: Solve out-of-bounds-read when reading one zero byte as input.
Also replaced fgets with getline.
libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8. It was
always documented to only accept UTF-8 data, but now it doesn't
crash when presented with such data.
The Xerces-C XML parser fails to successfully parse a
DTD that is deeply nested, and this causes a stack overflow, which
makes a denial of service attack against many applications possible
by an unauthenticated attacker.
Also, CVE-2016-2099: Use-after-free vulnerability in
validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier
allows context-dependent attackers to have unspecified impact via an
invalid character in an XML document.
An OpenDocument Presentation .ODP or Presentation Template
.OTP file can contain invalid presentation elements that lead
to memory corruption when the document is loaded in Apache
OpenOffice Impress. The defect may cause the document to appear
as corrupted and OpenOffice may crash in a recovery-stuck mode
requiring manual intervention. A crafted exploitation of the
defect can allow an attacker to cause denial of service
(memory corruption and application crash) and possible
execution of arbitrary code.
Extbase request handling fails to implement a proper access check for
requested controller/ action combinations, which makes it possible for an
attacker to execute arbitrary Extbase actions by crafting a special request. To
successfully exploit this vulnerability, an attacker must have access to at
least one Extbase plugin or module action in a TYPO3 installation. The missing
access check inevitably leads to information disclosure or remote code
execution, depending on the action that an attacker is able to execute.
These updates resolve a race condition vulnerability that could
lead to information disclosure (CVE-2016-4247).
These updates resolve type confusion vulnerabilities that could
lead to code execution (CVE-2016-4223, CVE-2016-4224,
CVE-2016-4225).
These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222,
CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229,
CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).
These updates resolve a heap buffer overflow vulnerability that
could lead to code execution (CVE-2016-4249).
These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179,
CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183,
CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187,
CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217,
CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221,
CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236,
CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240,
CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244,
CVE-2016-4245, CVE-2016-4246).
These updates resolve a memory leak vulnerability (CVE-2016-4232).
These updates resolve stack corruption vulnerabilities that could
lead to code execution (CVE-2016-4176, CVE-2016-4177).
These updates resolve a security bypass vulnerability that could
lead to information disclosure (CVE-2016-4178).
An exploitable Use After Free vulnerability exists in the
RTF parser LibreOffice. A specially crafted file can cause a use after
free resulting in a possible arbitrary code execution. To exploit the
vulnerability a malicious file needs to be opened by the user via
vulnerable application.
An exploitable heap overflow vulnerability exists in the
NArchive::NHfs::CHandler::ExtractZlibFile method functionality of
7zip that can lead to arbitrary code execution.
An out-of-bounds read vulnerability exists in the way 7-Zip
handles Universal Disk Format (UDF) files.
Central to 7-Zipâs processing of UDF files is the
CInArchive::ReadFileItem method. Because volumes can have more than
one partition map, their objects are kept in an object vector. To
start looking for an item, this method tries to reference the proper
object using the partition mapâs object vector and the "PartitionRef"
field from the Long Allocation Descriptor. Lack of checking whether
the "PartitionRef" field is bigger than the available amount of
partition map objects causes a read out-of-bounds and can lead, in
some circumstances, to arbitrary code execution.
ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack
in the specific scenario where there was a signature that referenced at the same
time 2 elements (but past the scheme validator process since 1 of the element was
inside the encrypted assertion).
ruby-saml users must update to 1.3.0, which implements 3 extra validations to
mitigate this kind of attack.
The onReadyRead function in core/coreauthhandler.cpp in Quassel
before 0.12.4 allows remote attackers to cause a denial of service
(NULL pointer dereference and crash) via invalid handshake data.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the Rocker switch emulation support is
vulnerable to an off-by-one error. It happens while processing
transmit(tx) descriptors in 'tx_consume' routine, if a descriptor
was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments.
A privileged user inside guest could use this flaw to cause memory
leakage on the host or crash the Qemu process instance resulting in
DoS issue.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the Q35 chipset based pc system emulator
is vulnerable to a heap based buffer overflow. It occurs during VM
guest migration, as more(16 bytes) data is moved into allocated
(8 bytes) memory area.
A privileged guest user could use this issue to corrupt the VM
guest image, potentially leading to a DoS. This issue affects q35
machine types.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the Human Monitor Interface(HMP) support
is vulnerable to an OOB write issue. It occurs while processing
'sendkey' command in hmp_sendkey routine, if the command argument is
longer than the 'keyname_buf' buffer size.
A user/process could use this flaw to crash the Qemu process
instance resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator
support is vulnerable to a memory leakage flaw. It occurs when a
guest repeatedly tries to activate the vmxnet3 device.
A privileged guest user could use this flaw to leak host memory,
resulting in DoS on the host.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the SCSI MegaRAID SAS HBA emulation
support is vulnerable to a stack buffer overflow issue. It occurs
while processing the SCSI controller's CTRL_GET_INFO command. A
privileged guest user could use this flaw to crash the Qemu process
instance resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the i8255x (PRO100) emulation support is
vulnerable to an infinite loop issue. It could occur while
processing a chain of commands located in the Command Block List
(CBL). Each Command Block(CB) points to the next command in the
list. An infinite loop unfolds if the link to the next CB points
to the same block or there is a closed loop in the chain.
A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw
to crash the Qemu instance resulting in DoS.
The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate a X509
client certificate correctly when experimental module for the HTTP/2
protocol is used to access a resource.
The net result is that a resource that should require a valid client
certificate in order to get access can be accessed without that credential.
HTTP header injection in urrlib2/urllib/httplib/http.client with
newlines in header values, where newlines have a semantic consequence of
denoting the start of an additional header line.
In the x86 shadow pagetable code, the guest frame number of a
superpage mapping is stored in a 32-bit field. If a shadowed guest
can cause a superpage mapping of a guest-physical address at or
above 2^44 to be shadowed, the top bits of the address will be lost,
causing an assertion failure or NULL dereference later on, in code
that removes the shadow.
A HVM guest using shadow pagetables can cause the host to crash.
A PV guest using shadow pagetables (i.e. being migrated) with PV
superpages enabled (which is not the default) can crash the host, or
corrupt hypervisor memory, and so a privilege escalation cannot be
ruled out.
Various parts of libxl device-handling code inappropriately use
information from (partially) guest controlled areas of xenstore.
A malicious guest administrator can cause denial of service by
resource exhaustion.
A malicious guest administrator can confuse and/or deny service to
management facilities.
A malicious guest administrator of a guest configured with channel
devices may be able to escalate their privilege to that of the
backend domain (i.e., normally, to that of the host).
The Page Size (PS) page table entry bit exists at all page table
levels other than L1. Its meaning is reserved in L4, and
conditionally reserved in L3 and L2 (depending on hardware
capabilities). The software page table walker in the hypervisor,
however, so far ignored that bit in L4 and (on respective hardware)
L3 entries, resulting in pages to be treated as page tables which
the guest OS may not have designated as such. If the page in
question is writable by an unprivileged user, then that user will
be able to map arbitrary guest memory.
On vulnerable OSes, guest user mode code may be able to establish
mappings of arbitrary memory inside the guest, allowing it to
elevate its privileges inside the guest.
Qemu VGA module allows banked access to video memory using the
window at 0xa00000 and it supports different access modes with
different address calculations.
Qemu VGA module allows guest to edit certain registers in 'vbe'
and 'vga' modes.
A privileged guest user could use CVE-2016-3710 to exceed the bank
address window and write beyond the said memory area, potentially
leading to arbitrary code execution with privileges of the Qemu
process. If the system is not using stubdomains, this will be in
domain 0.
A privileged guest user could use CVE-2016-3712 to cause potential
integer overflow or OOB read access issues in Qemu, resulting in a DoS
of the guest itself. More dangerous effect, such as data leakage or
code execution, are not known but cannot be ruled out.
When the libxl toolstack launches qemu for HVM guests, it pipes the
output of stderr to a file in /var/log/xen. This output is not
rate-limited in any way. The guest can easily cause qemu to print
messages to stderr, causing this file to become arbitrarily large.
The disk containing the logfile can be exhausted, possibly causing a
denial-of-service (DoS).
Affected versions of SQLite reject potential tempdir locations if
they are not readable, falling back to '.'. Thus, SQLite will favor
e.g. using cwd for tempfiles on such a system, even if cwd is an
unsafe location. Notably, SQLite also checks the permissions of
'.', but ignores the results of that check.
A vulnerability in smtplib allowing MITM attacker to perform a
startTLS stripping attack. smtplib does not seem to raise an exception
when the remote end (smtp server) is capable of negotiating starttls but
fails to respond with 220 (ok) to an explicit call of SMTP.starttls().
This may allow a malicious MITM to perform a startTLS stripping attack
if the client code does not explicitly check the response code for startTLS.
Some partition-level operations exist that do not explicitly also
authorize privileges of the parent table. This can lead to issues when
the parent table would have denied the operation, but no denial occurs
because the partition-level privilege is not checked by the
authorization framework, which defines authorization entities only
from the table level upwards.
Multiple versions of Open vSwitch are vulnerable to remote buffer
overflow attacks, in which crafted MPLS packets could overflow the
buffer reserved for MPLS labels in an OVS internal data structure.
The MPLS packets that trigger the vulnerability and the potential for
exploitation vary depending on version:
Open vSwitch 2.1.x and earlier are not vulnerable.
In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be
exploited for arbitrary remote code execution.
In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead
to a remote code execution exploit, but testing shows that it can allow a
remote denial of service. See the mitigation section for details.
The parse_chunk_header function in libtorrent before 1.1.1
allows remote attackers to cause a denial of service (crash) via a
crafted (1) HTTP response or possibly a (2) UPnP broadcast.
OpenSSL through 1.0.2h incorrectly uses pointer arithmetic
for heap-buffer boundary checks, which might allow remote attackers to
cause a denial of service (integer overflow and application crash) or
possibly have unspecified other impact by leveraging unexpected malloc
behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
Dnsmasq before 2.76 allows remote servers to cause a denial
of service (crash) via a reply with an empty DNS address that has an (1)
A or (2) AAAA record defined locally.
HAproxy 1.6.x before 1.6.6, when a deny comes from a
reqdeny rule, allows remote attackers to cause a denial of service
(uninitialized memory access and crash) or possibly have unspecified
other impact via unknown vectors.
WordPress 4.5.3 is now available. This is a security release for
all previous versions and we strongly encourage you to update your
sites immediately.
WordPress versions 4.5.2 and earlier are affected by several
security issues: redirect bypass in the customizer, reported by
Yassine Aboukir; two different XSS problems via attachment names,
reported by Jouko Pynnönenand Divyesh Prajapati; revision history
information disclosure, reported independently by John Blackbourn
from the WordPress security team and by Dan Moen from the Wordfence
Research Team; oEmbed denial of service reported by Jennifer Dodd
from Automattic; unauthorized category removal from a post, reported
by David Herrera from Alley Interactive; password change via stolen
cookie, reported by Michael Adams from the WordPress security team;
and some less secure sanitize_file_name edge cases reported by Peter
Westwood of the WordPress security team.
The Piwik Security team is grateful for the responsible
disclosures by our security researchers: Egidio Romano (granted a
critical security bounty), James Kettle and PaweÅ Bartunek (XSS) and
Emanuel Bronshtein (limited XSS).
On a server redirect from HTTP to a FTP resource, wget would trust the
HTTP server and uses the name in the redirected URL as the destination
filename.
These updates harden a mitigation against JIT spraying attacks that
could be used to bypass memory layout randomization mitigations
(CVE-2016-1006).
These updates resolve type confusion vulnerabilities that could
lead to code execution (CVE-2016-1015, CVE-2016-1019).
These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016,
CVE-2016-1017, CVE-2016-1031).
These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021,
CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025,
CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029,
CVE-2016-1032, CVE-2016-1033).
These updates resolve a stack overflow vulnerability that could
lead to code execution (CVE-2016-1018).
These updates resolve a security bypass vulnerability
(CVE-2016-1030).
These updates resolve a vulnerability in the directory search path
used to find resources that could lead to code execution
(CVE-2016-1014).
These updates resolve type confusion vulnerabilities that could
lead to code execution (CVE-2016-1105, CVE-2016-4117).
These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107,
CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108,
CVE-2016-4110, CVE-2016-4121).
These updates resolve a heap buffer overflow vulnerability that
could lead to code execution (CVE-2016-1101).
These updates resolve a buffer overflow vulnerability that could
lead to code execution (CVE-2016-1103).
These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099,
CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109,
CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114,
CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161,
CVE-2016-4162, CVE-2016-4163).
These updates resolve a vulnerability in the directory search path
used to find resources that could lead to code execution
(CVE-2016-4116).
These updates resolve type confusion vulnerabilities that could
lead to code execution (CVE-2016-4144, CVE-2016-4149).
These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-4142, CVE-2016-4143, CVE-2016-4145,
CVE-2016-4146, CVE-2016-4147, CVE-2016-4148).
These updates resolve heap buffer overflow vulnerabilities that
could lead to code execution (CVE-2016-4135, CVE-2016-4136,
CVE-2016-4138).
These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124,
CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129,
CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133,
CVE-2016-4134, CVE-2016-4137, CVE-2016-4141, CVE-2016-4150,
CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154,
CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171).
These updates resolve a vulnerability in the directory search path
used to find resources that could lead to code execution
(CVE-2016-4140).
These updates resolve a vulnerability that could be exploited to
bypass the same-origin-policy and lead to information disclosure
(CVE-2016-4139).
Botan 1.10.13 has been released backporting some side channel
protections for ECDSA signatures (CVE-2016-2849) and PKCS #1 RSA
decryption (CVE-2015-7827).
The Miller-Rabin primality check in Botan before 1.10.8 and 1.11.x
before 1.11.9 improperly uses a single random base, which makes it
easier for remote attackers to defeat cryptographic protection
mechanisms via a DH group.
A malicious process can connect to an iperf3 server and,
by sending a malformed message on the control channel,
corrupt the server process's heap area. This can lead to a
crash (and a denial of service), or theoretically a remote
code execution as the user running the iperf3 server. A
malicious iperf3 server could potentially mount a similar
attack on an iperf3 client.
Cross-site scripting (XSS) vulnerability in the cgierror function
in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers
to inject arbitrary web script or HTML via unspecified vectors
involving an error message.
Avoid a potential denial of service issue, by fixing a bug in
pioctl logic that allowed a local user to overrun a kernel buffer
with a single NUL byte.
A problem was identified in nginx code responsible for saving
client request body to a temporary file. A specially crafted
request might result in worker process crash due to a NULL
pointer dereference while writing client request body to a
temporary file.
Foreign users can bypass access controls to create groups as
system:administrators, including in the user namespace and the
system: namespace.
The contents of uninitialized memory are sent on the wire when
clients perform certain RPCs. Depending on the RPC, the information
leaked may come from kernel memory or userspace.
When H2O tries to disconnect a premature HTTP/2 connection, it
calls free(3) to release memory allocated for the connection and
immediately after then touches the memory. No malloc-related
operation is performed by the same thread between the time it calls
free and the time the memory is touched. Fixed by Frederik
Deweerdt.
Because user SQL queries are part of the URL, sensitive
information made as part of a user query can be exposed by
clicking on external links to attackers monitoring user GET
query parameters or included in the webserver logs.
Severity
We consider this to be non-critical.
Description
A specially crafted attack could allow for special HTML
characters to be passed as URL encoded values and displayed
back as special characters in the page.
A specially crafted bug summary could trigger XSS in dependency graphs.
Due to an incorrect parsing of the image map generated by the dot script,
a specially crafted bug summary could trigger XSS in dependency graphs.
OpenVPN 2.3.11 [...] fixes two vulnerabilities: a port-share bug
with DoS potential and a buffer overflow by user supplied data when
using pam authentication.[...]
Heap-based buffer overflow in the zip_read_mac_metadata function
in archive_read_support_format_zip.c in libarchive before 3.2.0
allows remote attackers to execute arbitrary code via crafted
entry-size values in a ZIP archive.
WordPress 4.5.2 is now available. This is a security release for
all previous versions and we strongly encourage you to update your
sites immediately.
WordPress versions 4.5.1 and earlier are affected by a SOME
vulnerability through Plupload, the third-party library WordPress
uses for uploading files. WordPress versions 4.2 through 4.5.1 are
vulnerable to reflected XSS using specially crafted URIs through
MediaElement.js, the third-party library used for media players.
MediaElement.js and Plupload have also released updates fixing
these issues.
Insufficient filtering for filename passed to delegate's command
allows remote code execution during conversion of several file
formats. Any service which uses ImageMagick to process user
supplied images and uses default delegates.xml / policy.xml,
may be vulnerable to this issue.
It is possible to make ImageMagick perform a HTTP GET or FTP
request
It is possible to delete files by using ImageMagick's 'ephemeral'
pseudo protocol which deletes files after reading.
It is possible to move image files to file with any extension
in any folder by using ImageMagick's 'msl' pseudo protocol.
msl.txt and image.gif should exist in known location - /tmp/
for PoC (in real life it may be web service written in PHP,
which allows to upload raw txt files and process images with
ImageMagick).
It is possible to get content of the files from the server
by using ImageMagick's 'label' pseudo protocol.
During an internal code review, we discovered a critical security
flaw in the "impersonate" feature of GitLab. Added in GitLab 8.2,
this feature was intended to allow an administrator to simulate
being logged in as any other user.
A part of this feature was not properly secured and it was possible
for any authenticated user, administrator or not, to "log in" as any
other user, including administrators. Please see the issue for more
details.
svnserve, the svn:// protocol server, can optionally use the Cyrus
SASL library for authentication, integrity protection, and encryption.
Due to a programming oversight, authentication against Cyrus SASL
would permit the remote user to specify a realm string which is
a prefix of the expected realm string.
Subversion's httpd servers are vulnerable to a remotely triggerable crash
in the mod_authz_svn module. The crash can occur during an authorization
check for a COPY or MOVE request with a specially crafted header value.
This allows remote attackers to cause a denial of service.
Passwords Printed in Log Files under Some Conditions
It was discovered that, in Logstash 2.1.0+, log messages
generated by a stalled pipeline during shutdown will print
plaintext contents of password fields. While investigating
this issue we also discovered that debug logging has
included this data for quite some time. Our latest releases
fix both leaks. You will want to scrub old log files if this
is of particular concern to you. This was fixed in issue
#4965
The vulnerability exists due to application does not properly
verify origin of HTTP requests in "Interface Translation"
functionality.: A remote unauthenticated attacker can create
a specially crafted malicious web page with CSRF exploit, trick
a logged-in administrator to visit the page, spoof the HTTP
request, as if it was coming from the legitimate user, inject
and execute arbitrary PHP code on the target system with privileges
of the webserver.
Due to incorrect buffer management Squid cachemgr.cgi tool is
vulnerable to a buffer overflow when processing remotely supplied
inputs relayed to it from Squid.
This problem allows any client to seed the Squid manager reports
with data that will cause a buffer overflow when processed by the
cachemgr.cgi tool. However, this does require manual administrator
actions to take place. Which greatly reduces the impact and
possible uses.
Squid security advisory 2016:6 reports:
Due to buffer overflow issues Squid is vulnerable to a denial of
service attack when processing ESI responses. Due to incorrect input
validation Squid is vulnerable to public information disclosure of
the server stack layout when processing ESI responses. Due to
incorrect input validation and buffer overflow Squid is vulnerable
to remote code execution when processing ESI responses.
These problems allow ESI components to be used to perform a denial
of service attack on the Squid service and all other services on the
same machine. Under certain build conditions these problems allow
remote clients to view large sections of the server memory. However,
the bugs are exploitable only if you have built and configured the
ESI features to be used by a reverse-proxy and if the ESI components
being processed by Squid can be controlled by an attacker.
The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before
1.3.6rc2 does not properly handle the TLSDHParamFile directive, which
might cause a weaker than intended Diffie-Hellman (DH) key to be used
and consequently allow attackers to have unspecified impact via
unknown vectors.
The get_option function in dhcp.c in dhcpcd before 6.2.0, as used
in dhcpcd 5.x in Android before 5.1 and other products, does not
validate the relationship between length fields and the amount of
data, which allows remote DHCP servers to execute arbitrary code or
cause a denial of service (memory corruption) via a large length
value of an option in a DHCPACK message.
The print_option function in dhcp-common.c in dhcpcd through 6.9.1,
as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other
products, misinterprets the return value of the snprintf function,
which allows remote DHCP servers to execute arbitrary code or cause
a denial of service (memory corruption) via a crafted message.
PJProject has a limit on the number of TCP connections
that it can accept. Furthermore, PJProject does not close
TCP connections it accepts. By default, this value is
approximately 60.
An attacker can deplete the number of allowed TCP
connections by opening TCP connections and sending no
data to Asterisk.
If PJProject has been compiled in debug mode, then
once the number of allowed TCP connections has been
depleted, the next attempted TCP connection to Asterisk
will crash due to an assertion in PJProject.
If PJProject has not been compiled in debug mode, then
any further TCP connection attempts will be rejected.
This makes Asterisk unable to process TCP SIP traffic.
Note that this only affects TCP/TLS, since UDP is
connectionless.
Go has an infinite loop in several big integer routines that makes
Go programs vulnerable to remote denial of service attacks. Programs
using HTTPS client authentication or the Go ssh server libraries are
both exposed to this vulnerability.
[CVE-2015-5370] Errors in Samba DCE-RPC code can lead to denial of service
(crashes and high cpu consumption) and man in the middle attacks.
[CVE-2016-2110] The feature negotiation of NTLMSSP is not downgrade protected.
A man in the middle is able to clear even required flags, especially
NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL.
[CVE-2016-2111] When Samba is configured as Domain Controller it allows remote
attackers to spoof the computer name of a secure channel's endpoints, and obtain
sensitive session information, by running a crafted application and leveraging
the ability to sniff network traffic.
[CVE-2016-2112] A man in the middle is able to downgrade LDAP connections
to no integrity protection.
[CVE-2016-2113] Man in the middle attacks are possible for client triggered LDAP
connections (with ldaps://) and ncacn_http connections (with https://).
[CVE-2016-2114] Due to a bug Samba doesn't enforce required smb signing, even if explicitly configured.
[CVE-2016-2115] The protection of DCERPC communication over ncacn_np (which is
the default for most the file server related protocols) is inherited from the underlying SMB connection.
[CVE-2016-2118] a.k.a. BADLOCK. A man in the middle can intercept any DCERPC traffic
between a client and a server in order to impersonate the client and get the same privileges
as the authenticated user account. This is most problematic against active directory domain controllers.
The pcre_compile2 function in pcre_compile.c in PCRE 8.38
mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/
pattern and related patterns with named subgroups, which allows
remote attackers to cause a denial of service (heap-based buffer
overflow) or possibly have unspecified other impact via a crafted
regular expression, as demonstrated by a JavaScript RegExp object
encountered by Konqueror.
A recently-discovered vulnerability in the datagrid templates allows an
attacker to generate a URL to any datagrid page containing malicious code
in a column sorting value. If the user visits that URL and then clicks
that column, the code will execute.
The cause of the vulnerability was due to a template not escaping
user-provided values.
Due to a buffer overrun Squid pinger binary is vulnerable to
denial of service or information leak attack when processing
ICMPv6 packets.
This bug also permits the server response to manipulate other
ICMP and ICMPv6 queries processing to cause information leak.
This bug allows any remote server to perform a denial of service
attack on the Squid service by crashing the pinger. This may
affect Squid HTTP routing decisions. In some configurations,
sub-optimal routing decisions may result in serious service
degradation or even transaction failures.
If the system does not contain buffer-overrun protection leading
to that crash this bug will instead allow attackers to leak
arbitrary amounts of information from the heap into Squid log
files. This is of higher importance than usual because the pinger
process operates with root priviliges.
Squid security advisory 2016:4 reports:
Due to incorrect bounds checking Squid is vulnerable to a denial
of service attack when processing HTTP responses.
This problem allows a malicious client script and remote server
delivering certain unusual HTTP response syntax to trigger a
denial of service for all clients accessing the Squid service.
Excess memory allocation in BER decoder - The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer.
Crash in BER decoder - The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be used to easily crash applications reading untrusted ASN.1 data, but does not seem exploitable for code execution.
Infinite loop in modular square root algorithm - The ressol function implements the Tonelli-Shanks algorithm for finding square roots could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, as this algorithm is only defined for primes. This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression.
Heap overflow on invalid ECC point - The PointGFp constructor did not check that the affine coordinate arguments were less than the prime, but then in curve multiplication assumed that both arguments if multiplied would fit into an integer twice the size of the prime.
The bigint_mul and bigint_sqr functions received the size of the output buffer, but only used it to dispatch to a faster algorithm in cases where there was sufficient output space to call an unrolled multiplication function.
The result is a heap overflow accessible via ECC point decoding, which accepted untrusted inputs. This is likely exploitable for remote code execution.
On systems which use the mlock pool allocator, it would allow an attacker to overwrite memory held in secure_vector objects. After this point the write will hit the guard page at the end of the mmapped region so it probably could not be used for code execution directly, but would allow overwriting adjacent key material.
This release closes security hole CVE-2016-2193
(https://access.redhat.com/security/cve/CVE-2016-2193), where a query
plan might get reused for more than one ROLE in the same session.
This could cause the wrong set of Row Level Security (RLS) policies to
be used for the query.
The update also fixes CVE-2016-3065
(https://access.redhat.com/security/cve/CVE-2016-3065), a server crash
bug triggered by using `pageinspect` with BRIN index pages. Since an
attacker might be able to expose a few bytes of server memory, this
crash is being treated as a security issue.
These updates resolve integer overflow vulnerabilities that
could lead to code execution (CVE-2016-0963, CVE-2016-0993,
CVE-2016-1010).
These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-0987, CVE-2016-0988,
CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995,
CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999,
CVE-2016-1000).
These updates resolve a heap overflow vulnerability that could
lead to code execution (CVE-2016-1001).
These updates resolve memory corruption vulnerabilities that
could lead to code execution (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992,
CVE-2016-1002, CVE-2016-1005).
This issue affects all Salt versions prior to 2015.8.8/2015.5.10
when PAM external authentication is enabled. This issue involves
passing an alternative PAM authentication service with a command
that is sent to LocalClient, enabling the attacker to bypass the
configured authentication service.
The web based administration console does not set the
X-Frame-Options header in HTTP responses. This allows the console to be embedded
in a frame or iframe which could then be used to cause a user to perform an
unintended action in the console.
Alvaro Muatoz, Matthias Kaiser and Christian Schneider reports:
JMS Object messages depends on Java Serialization for
marshaling/unmashaling of the message payload. There are a couple of places
inside the broker where deserialization can occur, like web console or stomp
object message transformation. As deserialization of untrusted data can lead to
security flaws as demonstrated in various reports, this leaves the broker
vulnerable to this attack vector. Additionally, applications that consume
ObjectMessage type of messages can be vulnerable as they deserialize objects on
ObjectMessage.getObject() calls.
Several instances of cross-site scripting vulnerabilities were
identified to be present in the web based administration console as well as the
ability to trigger a Java memory dump into an arbitrary folder. The root cause
of these issues are improper user data output validation and incorrect
permissions configured on Jolokia.
PCRE does not validate that handling the (*ACCEPT) verb
will occur within the bounds of the cworkspace stack buffer, leading to
a stack buffer overflow.
RPC traffic from clients, potentially including authentication
credentials, may be intercepted by a malicious user with access to
run tasks or containers on a cluster.
Security researcher Holger Fuhrmannek and Mozilla
security engineer Tyson Smith reported a number of security
vulnerabilities in the Graphite 2 library affecting version
1.3.5.
The issue reported by Holger Fuhrmannek is a mechanism to
induce stack corruption with a malicious graphite font. This
leads to a potentially exploitable crash when the font is
loaded.
Tyson Smith used the Address Sanitizer tool in concert with
a custom software fuzzer to find a series of uninitialized
memory, out-of-bounds read, and out-of-bounds write errors
when working with fuzzed graphite fonts.
Security researcher James Clawson used the Address
Sanitizer tool to discover an out-of-bounds write in the
Graphite 2 library when loading a crafted Graphite font
file. This results in a potentially exploitable crash.
JpGraph is an object oriented library for PHP that can be used to create
various types of graphs which also contains support for client side
image maps.
The GetURLArguments function for the JpGraph's Graph class does not
properly sanitize the names of get and post variables, leading to a
cross site scripting vulnerability.
The pidgin-otr plugin version 4.0.2 fixes a heap use after
free error.
The bug is triggered when a user tries to authenticate a buddy and
happens in the function create_smp_dialog.
By sending a nickname with some HTML tags in a contact
request, an attacker could cause Ricochet to make network requests
without Tor after the request is accepted, which would reveal the user's
IP address.
[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.
Mozilla Foundation reports:
Security researcher Luke Li reported a pointer underflow
bug in the Brotli library's decompression that leads to a
buffer overflow. This results in a potentially exploitable
crash when triggered.
Security researcher Hanno Böck reported that calculations
with mp_div and mp_exptmod in Network Security Services
(NSS) can produce wrong results in some circumstances. These
functions are used within NSS for a variety of cryptographic
division functions, leading to potential cryptographic
weaknesses.
Mozilla developer Eric Rescorla reported that a failed
allocation during DHE and ECDHE handshakes would lead to a
use-after-free vulnerability.
An exploitable denial of service vulnerability exists
in the font handling of Libgraphite. A specially crafted font can cause
an out-of-bounds read potentially resulting in an information leak or
denial of service.
A specially crafted font can cause a buffer overflow
resulting in potential code execution.
An exploitable NULL pointer dereference exists in the
bidirectional font handling functionality of Libgraphite. A specially
crafted font can cause a NULL pointer dereference resulting in a
crash.
WordPress 4.4.1 is now available. This is a security release for
all previous versions and we strongly encourage you to update your
sites immediately.
WordPress versions 4.4 and earlier are affected by a cross-site
scripting vulnerability that could allow a site to be compromised.
This was reported by Crtc4L.
WordPress 4.4.2 is now available. This is a security release for
all previous versions and we strongly encourage you to update your
sites immediately.
WordPress versions 4.4.1 and earlier are affected by two security
issues: a possible SSRF for certain local URIs, reported by Ronni
Skansing; and an open redirection attack, reported by Shailesh
Suthar.
Many versions of PSCP prior to 0.67 have a stack corruption
vulnerability in their treatment of the 'sink' direction (i.e.
downloading from server to client) of the old-style SCP protocol.
In order for this vulnerability to be exploited, the user must
connect to a malicious server and attempt to download any file.[...]
you can work around it in a vulnerable PSCP by using the -sftp
option to force the use of the newer SFTP protocol, provided your
server supports that protocol.
Jakub Palaczynski discovered that websvn, a web viewer for
Subversion repositories, does not correctly sanitize user-supplied
input, which allows a remote user to run reflected cross-site
scripting attacks.
Rails 4.2.5.2, 4.1.14.2, and 3.2.22.2 have been released! These
contain the following important security fixes, and it is
recommended that users upgrade as soon as possible.
"Arbitrary files with a known path can be accessed in websvn by
committing a symlink to a repository and then downloading the file
(using the download link).
An attacker must have write access to the repo, and the download
option must have been enabled in the websvn config file."
libssh versions 0.1 and above have a bits/bytes confusion bug and
generate an abnormally short ephemeral secret for the
diffie-hellman-group1 and diffie-hellman-group14 key exchange
methods. The resulting secret is 128 bits long, instead of the
recommended sizes of 1024 and 2048 bits respectively. There are
practical algorithms (Baby steps/Giant steps, Pollardâs rho) that can
solve this problem in O(2^63) operations.
Both client and server are are vulnerable, pre-authentication.
This vulnerability could be exploited by an eavesdropper with enough
resources to decrypt or intercept SSH sessions. The bug was found
during an internal code review by Aris Adamantiadis of the libssh
team.
All installations having Exim set-uid root and using 'perl_startup' are
vulnerable to a local privilege escalation. Any user who can start an
instance of Exim (and this is normally any user) can gain root
privileges. If you do not use 'perl_startup' you should be safe.
Due to incorrect bounds checking Squid is vulnerable to a denial
of service attack when processing HTTP responses.
These problems allow remote servers delivering certain unusual
HTTP response syntax to trigger a denial of service for all
clients accessing the Squid service.
HTTP responses containing malformed headers that trigger this
issue are becoming common. We are not certain at this time if
that is a sign of malware or just broken server scripting.
The PV superpage functionality lacks certain validity checks on
data being passed to the hypervisor by guests. This is the case
for the page identifier (MFN) passed to MMUEXT_MARK_SUPER and
MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as
well as for various forms of page table updates.
Use of the feature, which is disabled by default, may have unknown
effects, ranging from information leaks through Denial of Service to
privilege escalation.
While INVLPG does not cause a General Protection Fault when used on
a non-canonical address, INVVPID in its "individual address"
variant, which is used to back the intercepted INVLPG in certain
cases, fails in such cases. Failure of INVVPID results in a
hypervisor bug check.
A malicious guest can crash the host, leading to a Denial of
Service.
VMX refuses attempts to enter a guest with an instruction pointer
which doesn't satisfy certain requirements. In particular, the
instruction pointer needs to be canonical when entering a guest
currently in 64-bit mode. This is the case even if the VM entry
information specifies an exception to be injected immediately (in
which case the bad instruction pointer would possibly never get used
for other than pushing onto the exception handler's stack).
Provided the guest OS allows user mode to map the virtual memory
space immediately below the canonical/non-canonical address
boundary, a non-canonical instruction pointer can result even from
normal user mode execution. VM entry failure, however, is fatal to
the guest.
Malicious HVM guest user mode code may be able to crash the
guest.
The Xerces-C XML parser mishandles certain kinds of malformed input
documents, resulting in buffer overflows during processing and error
reporting. The overflows can manifest as a segmentation fault or as
memory corruption during a parse operation. The bugs allow for a
denial of service attack in many applications by an unauthenticated
attacker, and could conceivably result in remote code execution.
Double-clicking a file in the user's media library with a
specially-crafted path or filename allows for arbitrary code execution
with the permissions of the user running Pitivi.
A heap overflow may occur in the giffix utility included in
giflib-5.1.1 when processing records of the type
`IMAGE_DESC_RECORD_TYPE' due to the allocated size of `LineBuffer'
equaling the value of the logical screen width, `GifFileIn->SWidth',
while subsequently having `GifFileIn->Image.Width' bytes of data written
to it.
SECURITY-232 / CVE-2016-0788(Remote code execution vulnerability in remoting module)
A vulnerability in the Jenkins remoting module allowed
unauthenticated remote attackers to open a JRMP listener on the
server hosting the Jenkins master process, which allowed arbitrary
code execution.
An HTTP response splitting vulnerability in the CLI command
documentation allowed attackers to craft Jenkins URLs that serve
malicious content.
SECURITY-241 / CVE-2016-0790(Non-constant time comparison of API token)
The verification of user-provided API tokens with the expected
value did not use a constant-time comparison algorithm, potentially
allowing attackers to use statistical methods to determine valid
API tokens using brute-force methods.
SECURITY-245 / CVE-2016-0791(Non-constant time comparison of CSRF crumbs)
The verification of user-provided CSRF crumbs with the expected
value did not use a constant-time comparison algorithm, potentially
allowing attackers to use statistical methods to determine valid
CSRF crumbs using brute-force methods.
SECURITY-247 / CVE-2016-0792(Remote code execution through remote API)
Jenkins has several API endpoints that allow low-privilege users
to POST XML files that then get deserialized by Jenkins.
Maliciously crafted XML files sent to these API endpoints could
result in arbitrary code execution.
The library is affected by a double-free vulnerability in function
jas_iccattrval_destroy()
as well as a heap-based buffer overflow in function jp2_decode().
A specially crafted jp2 file can be used to trigger the vulnerabilities.
oCERT reports:
The library is affected by an off-by-one error in a buffer boundary check
in jpc_dec_process_sot(), leading to a heap based buffer overflow, as well
as multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to
stack overflow.
A specially crafted jp2 file can be used to trigger the vulnerabilities.
oCERT reports:
Multiple off-by-one flaws, leading to heap-based buffer overflows, were
found in the way JasPer decoded JPEG 2000 files. A specially crafted file
could cause an application using JasPer to crash or,
possibly, execute arbitrary code.
limingxing reports:
A vulnerability was found in the way the JasPer's jas_matrix_clip()
function parses certain JPEG 2000 image files. A specially crafted file
could cause an application using JasPer to crash.
A double free flaw was found in the way JasPer's
jasper_image_stop_load() function parsed certain JPEG 2000 image files.
A specially crafted file could cause an application using JasPer to
crash.
Feist Josselin reports:
A new use-after-free was found in Jasper JPEG-200. The
use-after-free appears in the function mif_process_cmpt of the
src/libjasper/mif/mif_cod.c file.
Prevent potential DoS attack due to lack of bounds checking on RTP
header CSRC count and extension header length. Credit goes to
Randell Jesup and the Firefox team for reporting this issue.
This release fixes a remote code execution vulnerability that was
identified in BeanShell by Alvaro Muñoz and Christian Schneider.
The BeanShell team would like to thank them for their help and
contributions to this fix!
An application that includes BeanShell on the classpath may be
vulnerable if another part of the application uses Java
serialization or XStream to deserialize data from an untrusted
source.
A vulnerable application could be exploited for remote code
execution, including executing arbitrary shell commands.
This update fixes the vulnerability in BeanShell, but it is worth
noting that applications doing such deserialization might still be
insecure through other libraries. It is recommended that application
developers take further measures such as using a restricted class
loader when deserializing. See notes on Java serialization security
XStream security and How to secure deserialization from untrusted
input without using encryption or sealing.
A stack-based buffer overflow was found in libresolv when invoked
from nss_dns, allowing specially crafted DNS responses to seize
control of EIP in the DNS client. The buffer overflow occurs in the
functions send_dg (send datagram) and send_vc (send TCP) for the
NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
family, or in some cases AF_INET6 family. The use of AF_UNSPEC (or
AF_INET6 in some cases) triggers the low-level resolver code to
send out two parallel queries for A and AAAA. A mismanagement of
the buffers used for those queries could result in the response of
a query writing beyond the alloca allocated buffer created by
__res_nquery.
Due to incorrectly handling server errors Squid is vulnerable to a
denial of service attack when connecting to TLS or SSL servers.
This problem allows any trusted client to perform a denial of
service attack on the Squid service regardless of whether TLS or
SSL is configured for use in the proxy.
Misconfigured client or server software may trigger this issue
to perform a denial of service unintentionally.
However, the bug is exploitable only if Squid is built using the
--with-openssl option.
The FreeBSD port does not use SSL by default and is not vulnerable
in the default configuration.
Amos Jeffries, release manager of the Squid-3 series, reports:
Vulnerable versions are 3.5.0.1 to 3.5.8 (inclusive), which are
built with OpenSSL and configured for "SSL-Bump" decryption.
Integer overflows can lead to invalid pointer math reading from
random memory on some CPU architectures. In the best case this leads
to wrong TLS extensions being used for the client, worst-case a
crash of the proxy terminating all active transactions.
Incorrect message size checks and assumptions about the existence
of TLS extensions in the SSL/TLS handshake message can lead to very
high CPU consumption (up to and including 'infinite loop'
behaviour).
The above can be triggered remotely. Though there is one layer of
authorization applied before this processing to check that the
client is allowed to use the proxy, that check is generally weak. MS
Skype on Windows XP is known to trigger some of these.
The FreeBSD port does not use SSL by default and is not vulnerable
in the default configuration.
MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept
responses to plugin network requests made through the browser. Plugins which
make security decisions based on the content of network requests can have these
decisions subverted if a service worker forges responses to those requests. For
example, a forged crossdomain.xml could allow a malicious site to violate the
same-origin policy using the Flash plugin.
Out of memory in nghttpd, nghttp, and libnghttp2_asio applications
due to unlimited incoming HTTP header fields.
nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage
for the incoming HTTP header field. If peer sends specially crafted HTTP/2
HEADERS frames and CONTINUATION frames, they will crash with out of memory
error.
Note that libnghttp2 itself is not affected by this vulnerability.
CVE-2016-0773: This release closes security hole CVE-2016-0773,
an issue with regular expression (regex) parsing. Prior code allowed
users to pass in expressions which included out-of-range Unicode
characters, triggering a backend crash. This issue is critical for
PostgreSQL systems with untrusted users or which generate regexes
based on user input.
CVE-2016-0766: The update also fixes CVE-2016-0766, a privilege
escalation issue for users of PL/Java. Certain custom configuration
settings (GUCS) for PL/Java will now be modifiable only by the
database superuser
These updates resolve a type confusion vulnerability that
could lead to code execution (CVE-2016-0985).
These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2016-0973, CVE-2016-0974,
CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984).
These updates resolve a heap buffer overflow vulnerability
that could lead to code execution (CVE-2016-0971).
These updates resolve memory corruption vulnerabilities
that could lead to code execution (CVE-2016-0964,
CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968,
CVE-2016-0969, CVE-2016-0970, CVE-2016-0972, CVE-2016-0976,
CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980,
CVE-2016-0981).
If a large value was passed into the new size for an image, it is
possible to overflow an int32 value passed into malloc, leading the
mallocâd buffer to be undersized. These allocations are followed by
a loop that writes out of bounds. This can lead to corruption on
the heap of the Python process with attacker controlled float
data.
Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on
x64 may overflow a buffer when reading a specially crafted tiff
file.
Specifically, libtiff >= 4.0.0 changed the return type of
TIFFScanlineSize from int32 to machine dependent int32|64. If the
scanline is sized so that it overflows an int32, it may be
interpreted as a negative number, which will then pass the size check
in TiffDecode.c line 236. To do this, the logical scanline size has
to be > 2gb, and for the test file, the allocated buffer size is 64k
against a roughly 4gb scan line size. Any image data over 64k is
written over the heap, causing a segfault.
This issue was found by security researcher FourOne.
In all versions of Pillow, dating back at least to the last PIL
1.1.7 release, FliDecode.c has a buffer overflow error.
There is a memcpy error where x is added to a target buffer
address. X is used in several internal temporary variable roles,
but can take a value up to the width of the image. Im->image[y]
is a set of row pointers to segments of memory that are the size of
the row. At the max y, this will write the contents of the line off
the end of the memory buffer, causing a segfault.
This issue was found by Alyssa Besseling at Atlassian.
In all versions of Pillow, dating back at least to the last PIL
1.1.7 release, PcdDecode.c has a buffer overflow error.
The state.buffer for PcdDecode.c is allocated based on a 3 bytes
per pixel sizing, where PcdDecode.c wrote into the buffer assuming
4 bytes per pixel. This writes 768 bytes beyond the end of the
buffer into other Python object storage. In some cases, this causes
a segfault, in others an internal Python malloc error.
Shotwell has a serious security issue ("Shotwell does not
verify TLS certificates"). Upstream is no longer active and
I do not expect any further upstream releases unless someone
from the community steps up to maintain it.
What is the impact of the issue? If you ever used any of
the publish functionality (publish to Facebook, publish to
Flickr, etc.), your passwords may have been stolen; changing
them is not a bad idea.
What is the risk of the update? Regressions. The easiest
way to validate TLS certificates was to upgrade WebKit; it
seems to work but I don't have accounts with the online
services it supports, so I don't know if photo publishing
still works properly on all the services.
[CVE-2015-3223] Malicious request can cause Samba LDAP server to hang, spinning using CPU.
[CVE-2015-5330] Malicious request can cause Samba LDAP server
to return uninitialized memory that should not be part of the reply.
[CVE-2015-5296] Requesting encryption should also request
signing when setting up the connection to protect against man-in-the-middle attacks.
[CVE-2015-5299] A missing access control check in the VFS
shadow_copy2 module could allow unauthorized users to access snapshots.
[CVE-2015-7540] Malicious request can cause Samba LDAP server to return crash.
[CVE-2015-8467] Samba can expose Windows DCs to MS15-096
Denial of service via the creation of multiple machine accounts(The Microsoft issue is CVE-2015-2535).
[CVE-2015-5252] Insufficient symlink verification could allow data access outside share path.
The ScrollView::paint function in platform/scroll/ScrollView.cpp
in Blink, as used in Google Chrome before 35.0.1916.114, allows
remote attackers to spoof the UI by extending scrollbar painting
into the parent frame.
Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been
released! These contain important security fixes, and it is
recommended that users upgrade as soon as possible.
In the OpenSSL address implementation the hard coded 1024
bit DH p parameter was not prime. The effective cryptographic strength
of a key exchange using these parameters was weaker than the one one
could get by using a prime p. Moreover, since there is no indication of
how these parameters were chosen, the existence of a trapdoor that makes
possible for an eavesdropper to recover the shared secret from a key
exchange that uses them cannot be ruled out.
GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are
prone to an integer overflow vulnerability which leads to a buffer
overflow and potentially to remote code execution.
GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are
prone to an out-of-bounds read vulnerability due to missing checks.
Enforce the reader to run in constant memory. One of the
operation on the reader could resolve entities leading to
the classic expansion issue. Make sure the buffer used for
xmlreader operation is bounded. Introduce a new allocation
type for the buffers for this effect.
Ilja van Sprundel, a security researcher with IOActive, has
discovered an issue in the parsing of BDF font files by libXfont.
Additional testing by Alan Coopersmith and William Robinet with
the American Fuzzy Lop (afl) tool uncovered two more issues in
the parsing of BDF font files.
As libXfont is used by the X server to read font files, and an
unprivileged user with access to the X server can tell the X
server to read a given font file from a path of their choosing,
these vulnerabilities have the potential to allow unprivileged
users to run code with the privileges of the X server
(often root access).
Several problems in nginx resolver were identified, which
might allow an attacker to cause worker process crash, or might have
potential other impact if the "resolver" directive
is used in a configuration file.
This release fixes heap-use-after-free bug in idle stream
handling code. We strongly recommend to upgrade the older installation
to this latest version as soon as possible.
By calling some scripts that are part of phpMyAdmin in an
unexpected way, it is possible to trigger phpMyAdmin to
display a PHP error message which contains the full path of
the directory where phpMyAdmin is installed.
We consider these vulnerabilities to be non-critical.
This path disclosure is possible on servers where the
recommended setting of the PHP configuration directive
display_errors is set to on, which is against the
recommendations given in the PHP manual for a production
server.
With a crafted table name it is possible to trigger
an XSS attack in the database search page.
With a crafted SET value or a crafted search query, it
is possible to trigger an XSS attacks in the zoom search
page.
With a crafted hostname header, it is possible to
trigger an XSS attacks in the home page.
We consider these vulnerabilities to be non-critical.
These vulnerabilities can be triggered only by someone
who is logged in to phpMyAdmin, as the usual token
protection prevents non-logged-in users from accessing the
required pages.
The comparison of the XSRF/CSRF token parameter with the
value saved in the session is vulnerable to timing
attacks. Moreover, the comparison could be bypassed if the
XSRF/CSRF token matches a particular pattern.
By calling some scripts that are part of phpMyAdmin in an
unexpected way, it is possible to trigger phpMyAdmin to
display a PHP error message which contains the full path of
the directory where phpMyAdmin is installed.
We consider these vulnerabilities to be non-critical.
This path disclosure is possible on servers where the
recommended setting of the PHP configuration directive
display_errors is set to on, which is against the
recommendations given in the PHP manual for a production
server.
With a crafted table name it is possible to trigger an
XSS attack in the database normalization page.
We consider this vulnerability to be non-critical.
This vulnerability can be triggered only by someone who is
logged in to phpMyAdmin, as the usual token protection
prevents non-logged-in users from accessing the required page.
By calling a particular script that is part of phpMyAdmin
in an unexpected way, it is possible to trigger phpMyAdmin
to display a PHP error message which contains the full path
of the directory where phpMyAdmin is installed.
We consider this vulnerability to be non-critical.
This path disclosure is possible on servers where the
recommended setting of the PHP configuration directive
display_errors is set to on, which is against the
recommendations given in the PHP manual for a production
server.
With a crafted SQL query, it is possible to trigger an
XSS attack in the SQL editor.
We consider this vulnerability to be non-critical.
This vulnerability can be triggered only by someone who is
logged in to phpMyAdmin, as the usual token protection
prevents non-logged-in users from accessing the required
pages.
sudoedit in Sudo before 1.8.15 allows local users to gain
privileges via a symlink attack on a file whose full path is defined
using multiple wildcards in /etc/sudoers, as demonstrated by
"/home/*/*/file.txt."
Fixed a memory leak when rejecting client connections due to the
socket limit being reached (CID 66382). This affected Privoxy 3.0.21
when compiled with IPv6 support (on most platforms this is the
default).
Fixed an immediate-use-after-free bug (CID 66394) and two
additional unconfirmed use-after-free complaints made by Coverity
scan (CID 66391, CID 66376).
MITRE reports:
Privoxy before 3.0.22 allows remote attackers to cause a denial
of service (file descriptor consumption) via unspecified vectors.
Prevent invalid reads in case of corrupt chunk-encoded content.
CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer.
Remove empty Host headers in client requests. Previously they
would result in invalid reads. CVE-2016-1983. Bug discovered with
afl-fuzz and AddressSanitizer.
Proxy authentication headers are removed unless the new directive
enable-proxy-authentication-forwarding is used. Forwarding the
headers potentially allows malicious sites to trick the user into
providing them with login information. Reported by Chris John Riley.
Fixed a DoS issue in case of client requests with incorrect
chunk-encoded body. When compiled with assertions enabled (the
default) they could previously cause Privoxy to abort(). Reported
by Matthew Daley. CVE-2015-1380.
Fixed multiple segmentation faults and memory leaks in the pcrs
code. This fix also increases the chances that an invalid pcrs
command is rejected as such. Previously some invalid commands would
be loaded without error. Note that Privoxy's pcrs sources (action
and filter files) are considered trustworthy input and should not be
writable by untrusted third-parties. CVE-2015-1381.
Fixed an 'invalid read' bug which could at least theoretically
cause Privoxy to crash. So far, no crashes have been observed.
CVE-2015-1382.
So in codeconv.c there is a function for Japanese character set
conversion called conv_jistoeuc(). There is no bounds checking on
the output buffer, which is created on the stack with alloca()
Bug can be triggered by sending an email to TAILS_luser@riseup.net
or whatever.
Since my C is completely rusty, you might be able to make a better
judgment on the severity of this issue. Marking critical for now.
A buffer overflow flaw was discovered in the libproxy's
url::get_pac() used to download proxy.pac proxy auto-configuration
file. A malicious host hosting proxy.pac, or a man in the middle
attacker, could use this flaw to trigger a stack-based buffer
overflow in an application using libproxy, if proxy configuration
instructed it to download proxy.pac file from a remote HTTP
server.
A security-related issue has been reported in Go's math/big
package. The issue was introduced in Go 1.5. We recommend that all
users upgrade to Go 1.5.3, which fixes the issue. Go programs must
be recompiled with Go 1.5.3 in order to receive the fix.
The Go team would like to thank Nick Craig-Wood for identifying the
issue.
This issue can affect RSA computations in crypto/rsa, which is used
by crypto/tls. TLS servers on 32-bit systems could plausibly leak
their RSA private key due to this issue. Other protocol
implementations that create many RSA signatures could also be
impacted in the same way.
Specifically, incorrect results in one part of the RSA Chinese
Remainder computation can cause the result to be incorrect in such a
way that it leaks one of the primes. While RSA blinding should
prevent an attacker from crafting specific inputs that trigger the
bug, on 32-bit systems the bug can be expected to occur at random
around one in 2^26 times. Thus collecting around 64 million
signatures (of known data) from an affected server should be enough
to extract the private key used.
On 64-bit systems, the frequency of the bug is so low (less than
one in 2^50) that it would be very difficult to exploit.
Nonetheless, everyone is strongly encouraged to upgrade.
ffmpeg has a vulnerability in the current version that allows the
attacker to create a specially crafted video file, downloading which
will send files from a user PC to a remote attacker server. The
attack does not even require the user to open that file â for
example, KDE Dolphin thumbnail generation is enough.
The FontManager._get_nix_font_path function in formatters/img.py
in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute
arbitrary commands via shell metacharacters in a font name.
Integer overflow in the
authentication_agent_new_cookie function in PolicyKit (aka polkit)
before 0.113 allows local users to gain privileges by creating a large
number of connections, which triggers the issuance of a duplicate cookie
value.
The authentication_agent_new function in
polkitbackend/polkitbackendinteractiveauthority.c in PolicyKit (aka
polkit) before 0.113 allows local users to cause a denial of service
(NULL pointer dereference and polkitd daemon crash) by calling
RegisterAuthenticationAgent with an invalid object path.
The polkit_backend_action_pool_init function in
polkitbackend/polkitbackendactionpool.c in PolicyKit (aka polkit) before
0.113 might allow local users to gain privileges via duplicate action
IDs in action descriptions.
PolicyKit (aka polkit) before 0.113 allows local
users to cause a denial of service (memory corruption and polkitd daemon
crash) and possibly gain privileges via unspecified vectors, related to
"javascript rule evaluation."
This Critical Patch Update contains 25 new security fixes
for Oracle Java SE. 24 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a
network without the need for a username and password.
librsync before 1.0.0 uses a truncated MD4 checksum to
match blocks, which makes it easier for remote attackers to modify
transmitted data via a birthday attack.
heap overflow via malformed dhcp responses later in print_option
(via dhcp_envoption1) due to incorrect option length values.
Exploitation is non-trivial, but I'd love to be proven wrong.
invalid read/crash via malformed dhcp responses. not exploitable
beyond DoS as far as I can judge.
The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU
binutils 2.24 and earlier allows remote attackers to cause a
denial of service (out-of-bounds write) and possibly have other
unspecified impact via a crafted NumberOfRvaAndSizes field in the
AOUT header in a PE executable.
US-CERT/NIST reports:
Heap-based buffer overflow in the pe_print_edata function in
bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote
attackers to cause a denial of service (crash) and possibly have
other unspecified impact via a truncated export table in a PE
file.
US-CERT/NIST reports:
Stack-based buffer overflow in the ihex_scan function in
bfd/ihex.c in GNU binutils 2.24 and earlier allows remote
attackers to cause a denial of service (crash) and possibly have
other unspecified impact via a crafted ihex file.
MD5 handshake signatures in TLS 1.2 are vulnerable to the SLOTH attack
on TLS 1.2 server authentication. They have been disabled by default.
Other attacks from the SLOTH paper do not apply to any version of mbed
TLS or PolarSSL.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the AMD PC-Net II Ethernet Controller
support is vulnerable to a heap buffer overflow flaw. While
receiving packets in the loopback mode, it appends CRC code to the
receive buffer. If the data size given is same as the receive buffer
size, the appended CRC code overwrites 4 bytes beyond this
's->buffer' array.
A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw
to crash the Qemu instance resulting in DoS or potentially execute
arbitrary code with privileges of the Qemu process on the host.
The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets
from a remote host(non-loopback mode), fails to validate the
received data size, thus resulting in a buffer overflow issue. It
could potentially lead to arbitrary code execution on the host, with
privileges of the Qemu process. It requires the guest NIC to have
larger MTU limit.
A remote user could use this flaw to crash the guest instance
resulting in DoS or potentially execute arbitrary code on a remote
host with privileges of the Qemu process.
When constructing a guest which is configured to use a PV
bootloader which runs as a userspace process in the toolstack domain
(e.g. pygrub) libxl creates a mapping of the files to be used as
kernel and initial ramdisk when building the guest domain.
However if building the domain subsequently fails these mappings
would not be released leading to a leak of virtual address space in
the calling process, as well as preventing the recovery of the
temporary disk files containing the kernel and initial ramdisk.
For toolstacks which manage multiple domains within the same
process, an attacker who is able to repeatedly start a suitable
domain (or many such domains) can cause an out-of-memory condition in the
toolstack process, leading to a denial of service.
Under the same circumstances an attacker can also cause files to
accumulate on the toolstack domain filesystem (usually under /var in
dom0) used to temporarily store the kernel and initial ramdisk,
perhaps leading to a denial of service against arbitrary other
services using that filesystem.
Single memory accesses in source code can be translated to multiple
ones in machine code by the compiler, requiring special caution when
accessing shared memory. Such precaution was missing from the
hypervisor code inspecting the state of I/O requests sent to the
device model for assistance.
Due to the offending field being a bitfield, it is however believed
that there is no issue in practice, since compilers, at least when
optimizing (which is always the case for non-debug builds), should find
it more expensive to extract the bit field value twice than to keep the
calculated value in a register.
This vulnerability is exposed to malicious device models. In
conventional Xen systems this means the qemu which service an HVM
domain. On such systems this vulnerability can only be exploited if
the attacker has gained control of the device model qemu via another
vulnerability.
Privilege escalation, host crash (Denial of Service), and leaked
information all cannot be excluded.
Error handling in the operation may involve handing back pages to
the domain. This operation may fail when in parallel the domain gets
torn down. So far this failure unconditionally resulted in the host
being brought down due to an internal error being assumed. This is
CVE-2015-8339.
Furthermore error handling so far wrongly included the release of a
lock. That lock, however, was either not acquired or already released
on all paths leading to the error handling sequence. This is
CVE-2015-8340.
A malicious guest administrator may be able to deny service by
crashing the host or causing a deadlock.
When XSAVE/XRSTOR are not in use by Xen to manage guest extended
register state, the initial values in the FPU stack and XMM
registers seen by the guest upon first use are those left there by
the previous user of those registers.
A malicious domain may be able to leverage this to obtain sensitive
information such as cryptographic keys from another domain.
Florian Weimer of Redhat discovered that an optimization in
RSA signature validation can result in disclosure of the
server's private key under certain fault conditions.
Sebastian Ramacher identified an error in wolfSSL's implementation
of the server side of the DTLS handshake, which could be abused
for DDoS amplification or a DoS on the DTLS server itself.
ISC Kea may terminate unexpectedly (crash) while handling
a malformed client packet. Related defects in the kea-dhcp4
and kea-dhcp6 servers can cause the server to crash during
option processing if a client sends a malformed packet.
An attacker sending a crafted malformed packet can cause
an ISC Kea server providing DHCP services to IPv4 or IPv6
clients to exit unexpectedly.
The kea-dhcp4 server is vulnerable only in versions
0.9.2 and 1.0.0-beta, and furthermore only when logging
at debug level 40 or higher. Servers running kea-dhcp4
versions 0.9.1 or lower, and servers which are not
logging or are logging at debug level 39 or below are
not vulnerable.
The kea-dhcp6 server is vulnerable only in versions
0.9.2 and 1.0.0-beta, and furthermore only when
logging at debug level 45 or higher. Servers running
kea-dhcp6 versions 0.9.1 or lower, and servers
which are not logging or are logging at debug level 44
or below are not vulnerable.
SQL injection vulnerability in include/top_graph_header.php in
Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary
SQL commands via the rra_id parameter in a properties action to
graph.php.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the PCI MSI-X support is vulnerable to
null pointer dereference issue. It occurs when the controller
attempts to write to the pending bit array(PBA) memory region.
Because the MSI-X MMIO support did not define the .write method.
A privileges used inside guest could use this flaw to crash the
Qemu process resulting in DoS issue.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the USB EHCI emulation support is
vulnerable to an infinite loop issue. It occurs during communication
between host controller interface(EHCI) and a respective device
driver. These two communicate via a isochronous transfer descriptor
list(iTD) and an infinite loop unfolds if there is a closed loop in
this list.
A privileges user inside guest could use this flaw to consume
excessive CPU cycles & resources on the host.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the VNC display driver support is
vulnerable to an arithmetic exception flaw. It occurs on the VNC
server side while processing the 'SetPixelFormat' messages from a
client.
A privileged remote client could use this flaw to crash the guest
resulting in DoS.
mini_httpd 1.21 and earlier allows remote attackers to obtain
sensitive information from process memory via an HTTP request with
a long protocol string, which triggers an incorrect response size
calculation and an out-of-bounds read.
(rene) ACME, the author, claims that the vulnerability is fixed
*after* version 1.22, released on 2015-12-28
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the e1000 NIC emulation support is
vulnerable to an infinite loop issue. It could occur while
processing transmit descriptor data when sending a network packet.
A privileged user inside guest could use this flaw to crash the
Qemu instance resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the Virtual Network Device(virtio-net)
support is vulnerable to a DoS issue. It could occur while receiving
large packets over the tuntap/macvtap interfaces and when guest's
virtio-net driver did not support big/mergeable receive buffers.
An attacker on the local network could use this flaw to disable
guest's networking by sending a large number of jumbo frames to the
guest, exhausting all receive buffers and thus leading to a DoS
situation.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the NE2000 NIC emulation support is
vulnerable to an infinite loop issue. It could occur when receiving
packets over the network.
A privileged user inside guest could use this flaw to crash the
Qemu instance resulting in DoS.
Qemu emulator built with the NE2000 NIC emulation support is
vulnerable to a heap buffer overflow issue. It could occur when
receiving packets over the network.
A privileged user inside guest could use this flaw to crash the
Qemu instance or potentially execute arbitrary code on the host.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the VNC display driver is vulnerable to an
infinite loop issue. It could occur while processing a
CLIENT_CUT_TEXT message with specially crafted payload message.
A privileged guest user could use this flaw to crash the Qemu
process on the host, resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the IDE disk and CD/DVD-ROM emulation
support is vulnerable to a divide by zero issue. It could occur
while executing an IDE command WIN_READ_NATIVE_MAX to determine
the maximum size of a drive.
A privileged user inside guest could use this flaw to crash the
Qemu instance resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the virtio-serial vmchannel support is
vulnerable to a buffer overflow issue. It could occur while
exchanging virtio control messages between guest and the host.
A malicious guest could use this flaw to corrupt few bytes of Qemu
memory area, potentially crashing the Qemu process.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the VNC display driver support is
vulnerable to a buffer overflow flaw leading to a heap memory
corruption issue. It could occur while refreshing the server
display surface via routine vnc_refresh_server_surface().
A privileged guest user could use this flaw to corrupt the heap
memory and crash the Qemu process instance OR potentially use it
to execute arbitrary code on the host.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the SCSI device emulation support is
vulnerable to a stack buffer overflow issue. It could occur while
parsing SCSI command descriptor block with an invalid operation
code.
A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw
to crash the Qemu instance resulting in DoS.
Due converting PIO to the new memory read/write api we no longer
provide separate I/O region lenghts for read and write operations.
As a result, reading from PIT Mode/Command register will end with
accessing pit->channels with invalid index and potentially cause
memory corruption and/or minor information leak.
A privileged guest user in a guest with QEMU PIT emulation enabled
could potentially (tough unlikely) use this flaw to execute
arbitrary code on the host with the privileges of the hosting QEMU
process.
Please note that by default QEMU/KVM guests use in-kernel (KVM) PIT
emulation and are thus not vulnerable to this issue.
An attacker who can cause a carefully-chosen string to be
converted to a floating-point number can cause a crash and potentially
induce arbitrary code execution.
These updates resolve a type confusion vulnerability that
could lead to code execution (CVE-2015-8644).
These updates resolve an integer overflow vulnerability
that could lead to code execution (CVE-2015-8651).
These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2015-8634, CVE-2015-8635,
CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641,
CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647,
CVE-2015-8648, CVE-2015-8649, CVE-2015-8650).
These updates resolve memory corruption vulnerabilities
that could lead to code execution (CVE-2015-8459,
CVE-2015-8460, CVE-2015-8636, CVE-2015-8645).
This release fixes the issues discovered since 2.0.18,
containing multiple important stability and correctness related
improvements, including a fix for a bug which allowed malformed DNS
records to cause netsplits on a network.
Security researcher Karthikeyan Bhargavan reported an
issue in Network Security Services (NSS) where MD5
signatures in the server signature within the TLS 1.2
ServerKeyExchange message are still accepted. This is an
issue since NSS has officially disallowed the accepting MD5
as a hash algorithm in signatures since 2011. This issues
exposes NSS based clients such as Firefox to theoretical
collision-based forgery attacks.
By calling some scripts that are part of phpMyAdmin in an
unexpected way, it is possible to trigger phpMyAdmin to
display a PHP error message which contains the full path of
the directory where phpMyAdmin is installed.
We consider these vulnerabilities to be non-critical.
This path disclosure is possible on servers where the
recommended setting of the PHP configuration directive
display_errors is set to on, which is against the
recommendations given in the PHP manual for a production
server.
Hanno Boeck discovered a stack-based buffer overflow in the
dpkg-deb component of dpkg, the Debian package management system.
This flaw could potentially lead to arbitrary code execution if a
user or an automated system were tricked into processing a specially
crafted Debian binary package (.deb) in the old style Debian binary
package format.
If an application allows users to specify an unvalidated
format for dates and passes this format to the date filter, e.g. {{
last_updated|date:user_date_format }}, then a malicious user could
obtain any secret in the application's settings by specifying a settings
key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".
Internal review discovered that Special:DeletedContributions did
not properly protect the IP of autoblocked users. This fix makes
the functionality of Special:DeletedContributions consistent with
Special:Contributions and Special:BlockList.
Internal review discovered that watchlist anti-csrf tokens were not
being compared in constant time, which could allow various timing
attacks. This could allow an attacker to modify a user's watchlist
via csrf
John Menerick reported that MediaWiki's thumb.php failed to sanitize
various error messages, resulting in xss.
Wikipedia user RobinHood70 reported two issues in the chunked
upload API. The API failed to correctly stop adding new chunks to
the upload when the reported size was exceeded (T91203), allowing
a malicious users to upload add an infinite number of chunks for a
single file upload. Additionally, a malicious user could upload
chunks of 1 byte for very large files, potentially creating a very
large number of files on the server's filesystem (T91205).
Internal review discovered that it is not possible to throttle file
uploads.
Internal review discovered a missing authorization check when
removing suppression from a revision. This allowed users with the
'viewsuppressed' user right but not the appropriate
'suppressrevision' user right to unsuppress revisions.
Richard Stanway from teamliquid.net reported that thumbnails of PNG
files generated with ImageMagick contained the local file path in
the image metadata.
(T117899) SECURITY: $wgArticlePath can no longer be set to relative
paths that do not begin with a slash. This enabled trivial XSS
attacks. Configuration values such as "http://my.wiki.com/wiki/$1"
are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is
not and will now throw an error.
(T119309) SECURITY: Use hash_compare() for edit token comparison.
(T118032) SECURITY: Don't allow cURL to interpret POST parameters
starting with '@' as file uploads.
(T115522) SECURITY: Passwords generated by User::randomPassword()
can no longer be shorter than $wgMinimalPasswordLength.
(T97897) SECURITY: Improve IP parsing and trimming. Previous
behavior could result in improper blocks being issued.
(T109724) SECURITY: Special:MyPage, Special:MyTalk,
Special:MyContributions and related pages no longer use HTTP
redirects and are now redirected by MediaWiki.
There is an unsafe tainted string vulnerability in Fiddle and DL.
This issue was originally reported and fixed with CVE-2009-5147 in
DL, but reappeared after DL was reimplemented using Fiddle and
libffi.
And, about DL, CVE-2009-5147 was fixed at Ruby 1.9.1, but not
fixed at other branches, then rubies which bundled DL except Ruby
1.9.1 are still vulnerable.
During the generation of a dependency graph, the code for
the HTML image map is generated locally if a local dot
installation is used. With escaped HTML characters in a bug
summary, it is possible to inject unfiltered HTML code in
the map file which the CreateImagemap function generates.
This could be used for a cross-site scripting attack.