FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  416223
Date:      2016-05-31
Time:      21:50:58Z
Committer: osa

List all Vulnerabilities, by package

VuXML entries as processed by FreshPorts
DateDecscriptionPort(s)
2016-05-31*

OpenSSL reports:

Memory corruption in the ASN.1 encoder

Padding oracle in AES-NI CBC MAC check

EVP_EncodeUpdate overflow

EVP_EncryptUpdate overflow

ASN.1 BIO excessive memory allocation

EBCDIC overread (OpenSSL only)

more...
libressl
libressl-devel
linux-c6-openssl
openssl
2016-05-31

Maxim Dounin reports:

A problem was identified in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while writing client request body to a temporary file.

more...
nginx
nginx-devel
2016-05-29

Open vSwitch reports:

Multiple versions of Open vSwitch are vulnerable to remote buffer overflow attacks, in which crafted MPLS packets could overflow the buffer reserved for MPLS labels in an OVS internal data structure. The MPLS packets that trigger the vulnerability and the potential for exploitation vary depending on version:

Open vSwitch 2.1.x and earlier are not vulnerable.

In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be exploited for arbitrary remote code execution.

In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead to a remote code execution exploit, but testing shows that it can allow a remote denial of service. See the mitigation section for details.

Open vSwitch 2.5.x is not vulnerable.

more...
openvswitch
2016-05-28

Google Chrome Releases reports:

42 security fixes in this release, including:

  • [590118] High CVE-2016-1672: Cross-origin bypass in extension bindings. Credit to Mariusz Mlynski.
  • [597532] High CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
  • [598165] High CVE-2016-1674: Cross-origin bypass in extensions.i Credit to Mariusz Mlynski.
  • [600182] High CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
  • [604901] High CVE-2016-1676: Cross-origin bypass in extension bindings. Credit to Rob Wu.
  • [602970] Medium CVE-2016-1677: Type confusion in V8. Credit to Guang Gong of Qihoo 360.
  • [595259] High CVE-2016-1678: Heap overflow in V8. Credit to Christian Holler.
  • [606390] High CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu.
  • [589848] High CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen of OUSPG.
  • [613160] High CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic of Cisco Talos.
  • [579801] Medium CVE-2016-1682: CSP bypass for ServiceWorker. Credit to KingstonTime.
  • [583156] Medium CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire.
  • [583171] Medium CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire.
  • [601362] Medium CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB.
  • [603518] Medium CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB.
  • [603748] Medium CVE-2016-1687: Information leak in extensions. Credit to Rob Wu.
  • [604897] Medium CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko.
  • [606185] Medium CVE-2016-1689: Heap buffer overflow in media. Credit to Atte Kettunen of OUSPG.
  • [608100] Medium CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu.
  • [597926] Low CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen of OUSPG.
  • [598077] Low CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit to Til Jasper Ullrich.
  • [598752] Low CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to Khalil Zhani.
  • [603682] Low CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan Lester and Bryant Zadegan.
  • [614767] CVE-2016-1695: Various fixes from internal audits, fuzzing and other initiatives.
more...
chromium
chromium-npapi
chromium-pulse
2016-05-28

Google Chrome Releases reports:

5 security fixes in this release, including:

  • [605766] High CVE-2016-1667: Same origin bypass in DOM. Credit to Mariusz Mlynski.
  • [605910] High CVE-2016-1668: Same origin bypass in Blink V8 bindings. Credit to Mariusz Mlynski.
  • [606115] High CVE-2016-1669: Buffer overflow in V8. Credit to Choongwoo Han.
  • [578882] Medium CVE-2016-1670: Race condition in loader. Credit to anonymous.
  • [586657] Medium CVE-2016-1671: Directory traversal using the file scheme on Android. Credit to Jann Horn.
more...
chromium
chromium-npapi
chromium-pulse
2016-05-28

The Cacti Group, Inc. reports:

Changelog

  • bug:0002667: Cacti SQL Injection Vulnerability
  • bug:0002673: CVE-2016-3659 - Cacti graph_view.php SQL Injection Vulnerability
  • bug:0002656: Authentication using web authentication as a user not in the cacti database allows complete access (regression)
more...
cacti
2016-05-28

The PHP Group reports:

  • Core:
    • Fixed bug #72114 (Integer underflow / arbitrary null write in fread/gzread). (CVE-2016-5096) (PHP 5.5/5.6 only)
    • Fixed bug #72135 (Integer Overflow in php_html_entities). (CVE-2016-5094) (PHP 5.5/5.6 only)
  • GD:
    • Fixed bug #72227 (imagescale out-of-bounds read). (CVE-2013-7456)
  • Intl:
    • Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (CVE-2016-5093)
  • Phar:
    • Fixed bug #71331 (Uninitialized pointer in phar_make_dirstream()). (CVE-2016-4343) (PHP 5.5 only)
more...
php55
php55-gd
php55-phar
php56
php56-gd
php70-gd
php70-intl
2016-05-28

Google Chrome Releases reports:

9 security fixes in this release, including:

  • [574802] High CVE-2016-1660: Out-of-bounds write in Blink. Credit to Atte Kettunen of OUSPG.
  • [601629] High CVE-2016-1661: Memory corruption in cross-process frames. Credit to Wadih Matar.
  • [603732] High CVE-2016-1662: Use-after-free in extensions. Credit to Rob Wu.
  • [603987] High CVE-2016-1663: Use-after-free in Blink's V8 bindings. Credit to anonymous.
  • [597322] Medium CVE-2016-1664: Address bar spoofing. Credit to Wadih Matar.
  • [606181] Medium CVE-2016-1665: Information leak in V8. Credit to HyungSeok Han.
  • [607652] CVE-2016-1666: Various fixes from internal audits, fuzzing and other initiatives.
more...
chromium
chromium-npapi
chromium-pulse
2016-05-26*

The phpmyadmin development team reports:

Description

Because user SQL queries are part of the URL, sensitive information made as part of a user query can be exposed by clicking on external links to attackers monitoring user GET query parameters or included in the webserver logs.

Severity

We consider this to be non-critical.

Description

A specially crafted attack could allow for special HTML characters to be passed as URL encoded values and displayed back as special characters in the page.

Severity

We consider this to be non-critical.

more...
phpmyadmin
2016-05-24

Mediawiki reports:

Security fixes:

T122056: Old tokens are remaining valid within a new session

T127114: Login throttle can be tricked using non-canonicalized usernames

T123653: Cross-domain policy regexp is too narrow

T123071: Incorrectly identifying http link in a's href attributes, due to m modifier in regex

T129506: MediaWiki:Gadget-popups.js isn't renderable

T125283: Users occasionally logged in as different users after SessionManager deployment

T103239: Patrol allows click catching and patrolling of any page

T122807: [tracking] Check php crypto primatives

T98313: Graphs can leak tokens, leading to CSRF

T130947: Diff generation should use PoolCounter

T133507: Careless use of $wgExternalLinkTarget is insecure

T132874: API action=move is not rate limited

more...
mediawiki123
mediawiki124
mediawiki125
mediawiki126
2016-05-20

Gustavo Grieco reports:

The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.

more...
expat
2016-05-20

Jouni Malinen reports:

psk configuration parameter update allowing arbitrary data to be written (2016-1 - CVE-2016-4476/CVE-2016-4477).

more...
wpa_supplicant
2016-05-17

Bugzilla Security Advisory

A specially crafted bug summary could trigger XSS in dependency graphs. Due to an incorrect parsing of the image map generated by the dot script, a specially crafted bug summary could trigger XSS in dependency graphs.

more...
bugzilla44
bugzilla50
2016-05-14

Samuli Seppänen reports:

OpenVPN 2.3.11 [...] fixes two vulnerabilities: a port-share bug with DoS potential and a buffer overflow by user supplied data when using pam authentication.[...]

more...
openvpn
openvpn-polarssl
2016-05-13

ImageMagick reports:

Fix a buffer overflow in magick/drag.c/DrawStrokePolygon().

more...
ImageMagick
ImageMagick-nox11
ImageMagick7
ImageMagick7-nox11
2016-05-12

Jenkins Security Advisory:

Description

SECURITY-170 / CVE-2016-3721

Arbitrary build parameters are passed to build scripts as environment variables

SECURITY-243 / CVE-2016-3722

Malicious users with multiple user accounts can prevent other users from logging in

SECURITY-250 / CVE-2016-3723

Information on installed plugins exposed via API

SECURITY-266 / CVE-2016-3724

Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration

SECURITY-273 / CVE-2016-3725

Regular users can trigger download of update site metadata

SECURITY-276 / CVE-2016-3726

Open redirect to scheme-relative URLs

SECURITY-281 / CVE-2016-3727

Granting the permission to read node configurations allows access to overall system configuration

more...
jenkins
jenkins-lts
jenkins2
2016-05-10*

The libarchive project reports:

Heap-based buffer overflow in the zip_read_mac_metadata function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to execute arbitrary code via crafted entry-size values in a ZIP archive.

more...
libarchive
2016-05-10

Helen Hou-Sandi reports:

WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.

more...
de-wordpress
ja-wordpress
ru-wordpress
wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
2016-05-10

MITRE reports:

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

more...
perl5
perl5.18
perl5.20
perl5.22
2016-05-09*

The squid development team reports:

Problem Description:
Due to incorrect data validation of intercepted HTTP Request messages Squid is vulnerable to clients bypassing the protection against CVE-2009-0801 related issues. This leads to cache poisoning.
Severity:
This problem is serious because it allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source.
Problem Description:
Due to incorrect input validation Squid is vulnerable to a header smuggling attack leading to cache poisoning and to bypass of same-origin security policy in Squid and some client browsers.
Severity:
This problem allows a client to smuggle Host header value past same-origin security protections to cause Squid operating as interception or reverse-proxy to contact the wrong origin server. Also poisoning any downstream cache which stores the response.
However, the cache poisoning is only possible if the caching agent (browser or explicit/forward proxy) is not following RFC 7230 processing guidelines and lets the smuggled value through.
Problem Description:
Due to incorrect pointer handling and reference counting Squid is vulnerable to a denial of service attack when processing ESI responses.
Severity:
These problems allow a remote server delivering certain ESI response syntax to trigger a denial of service for all clients accessing the Squid service.
Due to unrelated changes Squid-3.5 has become vulnerable to some regular ESI server responses also triggering one or more of these issues.
more...
squid
squid-devel
2016-05-07*

Openwall reports:

Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats. Any service which uses ImageMagick to process user supplied images and uses default delegates.xml / policy.xml, may be vulnerable to this issue.

It is possible to make ImageMagick perform a HTTP GET or FTP request

It is possible to delete files by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading.

It is possible to move image files to file with any extension in any folder by using ImageMagick's 'msl' pseudo protocol. msl.txt and image.gif should exist in known location - /tmp/ for PoC (in real life it may be web service written in PHP, which allows to upload raw txt files and process images with ImageMagick).

It is possible to get content of the files from the server by using ImageMagick's 'label' pseudo protocol.

more...
ImageMagick
ImageMagick-nox11
ImageMagick7
ImageMagick7-nox11
2016-05-04

QuickFuzz reports:

A crash caused by stack exhaustion parsing a JSON was found.

more...
jansson
2016-05-03

The PHP Group reports:

  • BCMath:
    • Fixed bug #72093 (bcpowmod accepts negative scale and corrupts _one_ definition).
  • Exif:
    • Fixed bug #72094 (Out of bounds heap read access in exif header processing).
  • GD:
    • Fixed bug #71912 (libgd: signedness vulnerability). (CVE-2016-3074)
  • Intl:
    • Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative offset).
  • XML:
    • Fixed bug #72099 (xml_parse_into_struct segmentation fault).
more...
php55
php55-bcmath
php55-exif
php55-gd
php55-xml
php56
php56-bcmath
php56-exif
php56-gd
php56-xml
php70
php70-bcmath
php70-exif
php70-gd
php70-xml
2016-05-03

Martin Prpic, Red Hat Product Security Team, reports:

Denial of Service due to stack overflow in src/ber-decoder.c.

Integer overflow in the BER decoder src/ber-decoder.c.

Integer overflow in the DN decoder src/dn.c.

more...
libksba
2016-05-03

GitLab reports:

During an internal code review, we discovered a critical security flaw in the "impersonate" feature of GitLab. Added in GitLab 8.2, this feature was intended to allow an administrator to simulate being logged in as any other user.

A part of this feature was not properly secured and it was possible for any authenticated user, administrator or not, to "log in" as any other user, including administrators. Please see the issue for more details.

more...
gitlab
2016-05-02

Wireshark development team reports:

The following vulnerabilities have been fixed:

  • wnpa-sec-2016-19

    The NCP dissector could crash. (Bug 11591)

  • wnpa-sec-2016-20

    TShark could crash due to a packet reassembly bug. (Bug 11799)

  • wnpa-sec-2016-21

    The IEEE 802.11 dissector could crash. (Bug 11824, Bug 12187)

  • wnpa-sec-2016-22

    The PKTC dissector could crash. (Bug 12206)

  • wnpa-sec-2016-23

    The PKTC dissector could crash. (Bug 12242)

  • wnpa-sec-2016-24

    The IAX2 dissector could go into an infinite loop. (Bug 12260)

  • wnpa-sec-2016-25

    Wireshark and TShark could exhaust the stack. (Bug 12268)

  • wnpa-sec-2016-26

    The GSM CBCH dissector could crash. (Bug 12278)

  • wnpa-sec-2016-27

    MS-WSP dissector crash. (Bug 12341)

more...
tshark
tshark-lite
wireshark
wireshark-lite
wireshark-qt5
2016-05-01

Mercurial reports:

CVE-2016-3105: Arbitrary code execution when converting Git repos

more...
mercurial
2016-04-30

Oracle reports reports:

Critical Patch Update contains 31 new security fixes for Oracle MySQL 5.5.48, 5.6.29, 5.7.11 and earlier

more...
mariadb100-server
mariadb101-server
mariadb55-server
mysql55-server
mysql56-server
mysql57-server
percona-server
percona55-server
2016-04-28

Subversion project reports:

svnserve, the svn:// protocol server, can optionally use the Cyrus SASL library for authentication, integrity protection, and encryption. Due to a programming oversight, authentication against Cyrus SASL would permit the remote user to specify a realm string which is a prefix of the expected realm string.

Subversion's httpd servers are vulnerable to a remotely triggerable crash in the mod_authz_svn module. The crash can occur during an authorization check for a COPY or MOVE request with a specially crafted header value.

This allows remote attackers to cause a denial of service.

more...
subversion
subversion18
2016-04-28

Logstash developers report:

Passwords Printed in Log Files under Some Conditions

It was discovered that, in Logstash 2.1.0+, log messages generated by a stalled pipeline during shutdown will print plaintext contents of password fields. While investigating this issue we also discovered that debug logging has included this data for quite some time. Our latest releases fix both leaks. You will want to scrub old log files if this is of particular concern to you. This was fixed in issue #4965

more...
logstash
2016-04-27

Network Time Foundation reports:

NTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p7, released on Tuesday, 26 April 2016:

  • Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering. Reported by Matt Street and others of Cisco ASIG
  • Bug 3012 / CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY. Reported by Matthew Van Gundy of Cisco ASIG
  • Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
  • Bug 3010 / CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
  • Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
  • Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always checked. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
  • Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos. Reported by Stephen Gray and Matthew Van Gundy of Cisco ASIG
  • Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY. Reported by Miroslav Lichvar of RedHat and separately by Jonathan Gardner of Cisco ASIG.
  • Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken. Reported by Michael Tatarinov, NTP Project Developer Volunteer
  • Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks. Reported by Jonathan Gardner of Cisco ASIG
  • Bug 2879 / CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing. Reported independently by Loganaden Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
more...
ntp
ntp-devel
2016-04-26

Mozilla Foundation reports:

MFSA 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

MFSA 2016-42 Use-after-free and buffer overflow in Service Workers

MFSA 2016-44 Buffer overflow in libstagefright with CENC offsets

MFSA 2016-45 CSP not applied to pages sent with multipart/x-mixed-replace

MFSA 2016-46 Elevation of privilege with chrome.tabs.update API in web extensions

MFSA 2016-47 Write to invalid HashMap entry through JavaScript.watch()

MFSA 2016-48 Firefox Health Reports could accept events from untrusted domains

more...
firefox
firefox-esr
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2016-04-23

The phpMyFAQ team reports:

The vulnerability exists due to application does not properly verify origin of HTTP requests in "Interface Translation" functionality.: A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request, as if it was coming from the legitimate user, inject and execute arbitrary PHP code on the target system with privileges of the webserver.

more...
phpmyfaq
2016-04-21

GNU Libtasn1 NEWS reports:

Fixes to avoid an infinite recursion when decoding without the ASN1_DECODE_FLAG_STRICT_DER flag. Reported by Pascal Cuoq.

more...
libtasn1
2016-04-21

Squid security advisory 2016:5 reports:

Due to incorrect buffer management Squid cachemgr.cgi tool is vulnerable to a buffer overflow when processing remotely supplied inputs relayed to it from Squid.

This problem allows any client to seed the Squid manager reports with data that will cause a buffer overflow when processed by the cachemgr.cgi tool. However, this does require manual administrator actions to take place. Which greatly reduces the impact and possible uses.

Squid security advisory 2016:6 reports:

Due to buffer overflow issues Squid is vulnerable to a denial of service attack when processing ESI responses. Due to incorrect input validation Squid is vulnerable to public information disclosure of the server stack layout when processing ESI responses. Due to incorrect input validation and buffer overflow Squid is vulnerable to remote code execution when processing ESI responses.

These problems allow ESI components to be used to perform a denial of service attack on the Squid service and all other services on the same machine. Under certain build conditions these problems allow remote clients to view large sections of the server memory. However, the bugs are exploitable only if you have built and configured the ESI features to be used by a reverse-proxy and if the ESI components being processed by Squid can be controlled by an attacker.

more...
squid
2016-04-20

Ansible developers report:

CVE-2016-3096: do not use predictable paths in lxc_container

  • do not use a predictable filename for the LXC attach script
  • don't use predictable filenames for LXC attach script logging
  • don't set a predictable archive_path

this should prevent symlink attacks which could result in

  • data corruption
  • data leakage
  • privilege escalation
more...
ansible
ansible1
2016-04-20

MITRE reports:

The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does not properly handle the TLSDHParamFile directive, which might cause a weaker than intended Diffie-Hellman (DH) key to be used and consequently allow attackers to have unspecified impact via unknown vectors.

more...
proftpd
2016-04-19

Google Chrome Releases reports:

20 security fixes in this release, including:

  • [590275] High CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous.
  • [589792] High CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han.
  • [591785] Medium CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding. Credit to kdot working with HP's Zero Day Initiative.
  • [589512] Medium CVE-2016-1654: Uninitialized memory read in media. Credit to Atte Kettunen of OUSPG.
  • [582008] Medium CVE-2016-1655: Use-after-free related to extensions. Credit to Rob Wu.
  • [570750] Medium CVE-2016-1656: Android downloaded file path restriction bypass. Credit to Dzmitry Lukyanenko.
  • [567445] Medium CVE-2016-1657: Address bar spoofing. Credit to Luan Herrera.
  • [573317] Low CVE-2016-1658: Potential leak of sensitive information to malicious extensions. Credit to Antonio Sanso (@asanso) of Adobe.
  • [602697] CVE-2016-1659: Various fixes from internal audits, fuzzing and other initiatives.
more...
chromium
chromium-npapi
chromium-pulse
2016-04-19

Jouni Malinen reports:

wpa_supplicant unauthorized WNM Sleep Mode GTK control. (2015-6 - CVE-2015-5310)

EAP-pwd missing last fragment length validation. (2015-7 - CVE-2015-5315)

EAP-pwd peer error path failure on unexpected Confirm message. (2015-8 - CVE-2015-5316)

more...
wpa_supplicant
2016-04-17

MITRE reports:

The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a large length value of an option in a DHCPACK message.

more...
dhcpcd
2016-04-17

MITRE reports:

The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other products, misinterprets the return value of the snprintf function, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted message.

more...
dhcpcd
2016-04-15

The Asterisk project reports:

PJProject has a limit on the number of TCP connections that it can accept. Furthermore, PJProject does not close TCP connections it accepts. By default, this value is approximately 60.

An attacker can deplete the number of allowed TCP connections by opening TCP connections and sending no data to Asterisk.

If PJProject has been compiled in debug mode, then once the number of allowed TCP connections has been depleted, the next attempted TCP connection to Asterisk will crash due to an assertion in PJProject.

If PJProject has not been compiled in debug mode, then any further TCP connection attempts will be rejected. This makes Asterisk unable to process TCP SIP traffic.

Note that this only affects TCP/TLS, since UDP is connectionless.

more...
pjsip
pjsip-extsrtp
2016-04-15

The Asterisk project reports:

Asterisk may crash when processing an incoming REGISTER request if that REGISTER contains a Contact header with a lengthy URI.

This crash will only happen for requests that pass authentication. Unauthenticated REGISTER requests will not result in a crash occurring.

This vulnerability only affects Asterisk when using PJSIP as its SIP stack. The chan_sip module does not have this problem.

more...
asterisk13
2016-04-14

Jason Buberel reports:

Go has an infinite loop in several big integer routines that makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client authentication or the Go ssh server libraries are both exposed to this vulnerability.

more...
go
2016-04-13*

The Mozilla Project reports:

MFSA 2015-133 NSS and NSPR memory corruption issues

MFSA 2015-132 Mixed content WebSocket policy bypass through workers

MFSA 2015-131 Vulnerabilities found through code inspection

MFSA 2015-130 JavaScript garbage collection crash with Java applet

MFSA 2015-129 Certain escaped characters in host of Location-header are being treated as non-escaped

MFSA 2015-128 Memory corruption in libjar through zip files

MFSA 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received

MFSA 2015-126 Crash when accessing HTML tables with accessibility tools on OS X

MFSA 2015-125 XSS attack through intents on Firefox for Android

MFSA 2015-124 Android intents can be used on Firefox for Android to open privileged files

MFSA 2015-123 Buffer overflow during image interactions in canvas

MFSA 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy

MFSA 2015-121 Disabling scripts in Add-on SDK panels has no effect

MFSA 2015-120 Reading sensitive profile files through local HTML file on Android

MFSA 2015-119 Firefox for Android addressbar can be removed after fullscreen mode

MFSA 2015-118 CSP bypass due to permissive Reader mode whitelist

MFSA 2015-117 Information disclosure through NTLM authentication

MFSA 2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)

more...
firefox
firefox-esr
libxul
linux-c6-nspr
linux-firefox
linux-seamonkey
linux-thunderbird
nspr
nss
seamonkey
thunderbird
2016-04-12*

Samba team reports:

[CVE-2015-5370] Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks.

[CVE-2016-2110] The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL.

[CVE-2016-2111] When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel's endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic.

[CVE-2016-2112] A man in the middle is able to downgrade LDAP connections to no integrity protection.

[CVE-2016-2113] Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://).

[CVE-2016-2114] Due to a bug Samba doesn't enforce required smb signing, even if explicitly configured.

[CVE-2016-2115] The protection of DCERPC communication over ncacn_np (which is the default for most the file server related protocols) is inherited from the underlying SMB connection.

[CVE-2016-2118] a.k.a. BADLOCK. A man in the middle can intercept any DCERPC traffic between a client and a server in order to impersonate the client and get the same privileges as the authenticated user account. This is most problematic against active directory domain controllers.

more...
samba36
samba4
samba41
samba42
samba43
samba44
2016-04-03

The PHP Group reports:

  • Fileinfo:
    • Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic file).
  • mbstring:
    • Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in mbfl_strcut).
  • Phar:
    • Fixed bug #71860 (Invalid memory write in phar on filename with \0 in name).
  • SNMP:
    • Fixed bug #71704 (php_snmp_error() Format String Vulnerability).
  • Standard:
    • Fixed bug #71798 (Integer Overflow in php_raw_url_encode).
more...
php55
php55-fileinfo
php55-mbstring
php55-phar
php55-snmp
php56
php56-fileinfo
php56-mbstring
php56-phar
php56-snmp
php70
php70-fileinfo
php70-mbstring
php70-phar
php70-snmp
2016-04-03

Mitre reports:

The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

more...
pcre
2016-04-03

Marina Glancy reports:

  • MSA-16-0003: Incorrect capability check when displaying users emails in Participants list

  • MSA-16-0004: XSS from profile fields from external db

  • MSA-16-0005: Reflected XSS in mod_data advanced search

  • MSA-16-0006: Hidden courses are shown to students in Event Monitor

  • MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single View

  • MSA-16-0008: External function get_calendar_events return events that pertains to hidden activities

  • MSA-16-0009: CSRF in Assignment plugin management page

  • MSA-16-0010: Enumeration of category details possible without authentication

  • MSA-16-0011: Add no referrer to links with _blank target attribute

  • MSA-16-0012: External function mod_assign_save_submission does not check due dates

more...
moodle28
moodle29
moodle30
2016-04-03*

Stelios Tsampas reports:

A (remotely exploitable) heap overflow vulnerability was found in Kamailio v4.3.4.

more...
kamailio
2016-04-03

Djblets Release Notes reports:

A recently-discovered vulnerability in the datagrid templates allows an attacker to generate a URL to any datagrid page containing malicious code in a column sorting value. If the user visits that URL and then clicks that column, the code will execute.

The cause of the vulnerability was due to a template not escaping user-provided values.

more...
py27-djblets
py32-djblets
py33-djblets
py34-djblets
py35-djblets
2016-04-02

Squid security advisory 2016:3 reports:

Due to a buffer overrun Squid pinger binary is vulnerable to denial of service or information leak attack when processing ICMPv6 packets.

This bug also permits the server response to manipulate other ICMP and ICMPv6 queries processing to cause information leak.

This bug allows any remote server to perform a denial of service attack on the Squid service by crashing the pinger. This may affect Squid HTTP routing decisions. In some configurations, sub-optimal routing decisions may result in serious service degradation or even transaction failures.

If the system does not contain buffer-overrun protection leading to that crash this bug will instead allow attackers to leak arbitrary amounts of information from the heap into Squid log files. This is of higher importance than usual because the pinger process operates with root priviliges.

Squid security advisory 2016:4 reports:

Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses.

This problem allows a malicious client script and remote server delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing the Squid service.

more...
squid
2016-03-31

The botan developers reports:

Excess memory allocation in BER decoder - The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer.

Crash in BER decoder - The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be used to easily crash applications reading untrusted ASN.1 data, but does not seem exploitable for code execution.

more...
botan110
2016-03-31

The botan developers reports:

Infinite loop in modular square root algorithm - The ressol function implements the Tonelli-Shanks algorithm for finding square roots could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, as this algorithm is only defined for primes. This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression.

Heap overflow on invalid ECC point - The PointGFp constructor did not check that the affine coordinate arguments were less than the prime, but then in curve multiplication assumed that both arguments if multiplied would fit into an integer twice the size of the prime.

The bigint_mul and bigint_sqr functions received the size of the output buffer, but only used it to dispatch to a faster algorithm in cases where there was sufficient output space to call an unrolled multiplication function.

The result is a heap overflow accessible via ECC point decoding, which accepted untrusted inputs. This is likely exploitable for remote code execution.

On systems which use the mlock pool allocator, it would allow an attacker to overwrite memory held in secure_vector objects. After this point the write will hit the guard page at the end of the mmapped region so it probably could not be used for code execution directly, but would allow overwriting adjacent key material.

more...
botan110
2016-03-31

PostgreSQL project reports:

Security Fixes for RLS, BRIN

This release closes security hole CVE-2016-2193 (https://access.redhat.com/security/cve/CVE-2016-2193), where a query plan might get reused for more than one ROLE in the same session. This could cause the wrong set of Row Level Security (RLS) policies to be used for the query.

The update also fixes CVE-2016-3065 (https://access.redhat.com/security/cve/CVE-2016-3065), a server crash bug triggered by using `pageinspect` with BRIN index pages. Since an attacker might be able to expose a few bytes of server memory, this crash is being treated as a security issue.

more...
postgresql95-contrib
postgresql95-server
2016-03-31

Adobe reports:

These updates resolve integer overflow vulnerabilities that could lead to code execution (CVE-2016-0963, CVE-2016-0993, CVE-2016-1010).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, CVE-2016-1000).

These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2016-1001).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, CVE-2016-1005).

more...
linux-c6-flashplugin
linux-c6_64-flashplugin
linux-f10-flashplugin
2016-03-29

Google Chrome Releases reports:

[589838] High CVE-2016-1643: Type confusion in Blink.

[590620] High CVE-2016-1644: Use-after-free in Blink.

[587227] High CVE-2016-1645: Out-of-bounds write in PDFium.

more...
chromium
chromium-npapi
chromium-pulse
2016-03-29

Google Chrome Releases reports:

[594574] High CVE-2016-1646: Out-of-bounds read in V8.

[590284] High CVE-2016-1647: Use-after-free in Navigation.

[590455] High CVE-2016-1648: Use-after-free in Extensions.

[597518] CVE-2016-1650: Various fixes from internal audits, fuzzing and other initiatives.

Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch

more...
chromium
chromium-npapi
chromium-pulse
2016-03-29

Mercurial reports:

CVE-2016-3630: Remote code execution in binary delta decoding

CVE-2016-3068: Arbitrary code execution with Git subrepos

CVE-2016-3069: Arbitrary code execution when converting Git repos

more...
mercurial
2016-03-28

ISC reports:

An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c.

more...
bind9-devel
bind910
bind98
bind99
FreeBSD
2016-03-28

ISC reports:

A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c

more...
bind9-devel
bind910
bind98
bind99
FreeBSD
2016-03-28

ISC reports:

A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure.

more...
bind9-devel
bind910
2016-03-27

SaltStack reports:

This issue affects all Salt versions prior to 2015.8.8/2015.5.10 when PAM external authentication is enabled. This issue involves passing an alternative PAM authentication service with a command that is sent to LocalClient, enabling the attacker to bypass the configured authentication service.

more...
py27-salt
py32-salt
py33-salt
py34-salt
py35-salt
2016-03-25

Michael Furman reports:

The web based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe which could then be used to cause a user to perform an unintended action in the console.

more...
activemq
2016-03-25

Alvaro Muatoz, Matthias Kaiser and Christian Schneider reports:

JMS Object messages depends on Java Serialization for marshaling/unmashaling of the message payload. There are a couple of places inside the broker where deserialization can occur, like web console or stomp object message transformation. As deserialization of untrusted data can leaed to security flaws as demonstrated in various reports, this leaves the broker vunerable to this attack vector. Additionally, applications that consume ObjectMessage type of messages can be vunerable as they deserlize objects on ObjectMessage.getObject() calls.

more...
activemq
2016-03-25

Vladimir Ivanov (Positive Technologies) reports:

Several instances of cross-site scripting vulnerabilities were identified to be present in the web based administration console as well as the ability to trigger a Java memory dump into an arbitrary folder. The root cause of these issues are improper user data output validation and incorrect permissions configured on Jolokia.

more...
activemq
2016-03-21*

Philip Hazel reports:

PCRE does not validate that handling the (*ACCEPT) verb will occur within the bounds of the cworkspace stack buffer, leading to a stack buffer overflow.

more...
pcre
pcre2
2016-03-19

Arun Suresh reports:

RPC traffic from clients, potentially including authentication credentials, may be intercepted by a malicious user with access to run tasks or containers on a cluster.

more...
hadoop2
2016-03-18

Debian reports:

integer overflow due to a loop which adds more to "len".

more...
git
git-gui
git-lite
git-subversion
2016-03-17

Debian reports:

"int" is the wrong data type for ... nlen assignment.

more...
git
2016-03-14

Jeremiah Senkpiel reports:

  • Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks.

  • Fix a defect that can cause memory corruption in certain very rare cases

  • Fix a defect that makes the CacheBleed Attack possible

more...
node
2016-03-14

Matt Johnson reports:

Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions

more...
dropbear
2016-03-14*

Mozilla Foundation reports:

Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts.

Security researcher James Clawson used the Address Sanitizer tool to discover an out-of-bounds write in the Graphite 2 library when loading a crafted Graphite font file. This results in a potentially exploitable crash.

more...
graphite2
linux-firefox
linux-seamonkey
linux-thunderbird
2016-03-14*

The OpenSSH project reports:

Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).

Injection of xauth commands grants the ability to read arbitrary files under the authenticated user's privilege, Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth(1), which was not written with a hostile user in mind, as an attack surface.

Mitigation:

Set X11Forwarding=no in sshd_config. This is the default.

For authorized_keys that specify a "command" restriction, also set the "restrict" (available in OpenSSH >=7.2) or "no-x11-forwarding" restrictions.

more...
openssh-portable
2016-03-13

The PHP Group reports:

  • Core:
    • Fixed bug #71637 (Multiple Heap Overflow due to integer overflows in xml/filter_url/addcslashes).
  • SOAP:
    • Fixed bug #71610 (Type Confusion Vulnerability - SOAP / make_http_soap_request()).
more...
php70
php70-soap
2016-03-13

Martin Barbella reports:

JpGraph is an object oriented library for PHP that can be used to create various types of graphs which also contains support for client side image maps. The GetURLArguments function for the JpGraph's Graph class does not properly sanitize the names of get and post variables, leading to a cross site scripting vulnerability.

more...
jpgraph2
2016-03-13*

PHP reports:

  • Core:
    • Fixed bug #71039 (exec functions ignore length but look for NULL termination).
    • Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input).
    • Fixed bug #71459 (Integer overflow in iptcembed()).
  • PCRE:
    • Upgraded bundled PCRE library to 8.38.(CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)
  • Phar:
    • Fixed bug #71354 (Heap corruption in tar/zip/phar parser).
    • Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()).
    • Fixed bug #71488 (Stack overflow when decompressing tar archives). (CVE-2016-2554)
  • WDDX:
    • Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization).
more...
php55
php55-phar
php55-wddx
php56
php56-phar
php56-wddx
2016-03-13

The PHP Group reports:

  • Phar:
    • Fixed bug #71498 (Out-of-Bound Read in phar_parse_zipfile()).
  • WDDX:
    • Fixed bug #71587 (Use-After-Free / Double-Free in WDDX Deserialize).
more...
php55-phar
php55-wddx
php56-phar
php56-wddx
2016-03-10

Donald Sharp reports:

A malicious BGP peer may execute arbitrary code in particularly configured remote bgpd hosts.

more...
quagga
2016-03-10

Hanno Bock reports:

The pidgin-otr plugin version 4.0.2 fixes a heap use after free error. The bug is triggered when a user tries to authenticate a buddy and happens in the function create_smp_dialog.

more...
pidgin-otr
2016-03-10

special reports:

By sending a nickname with some HTML tags in a contact request, an attacker could cause Ricochet to make network requests without Tor after the request is accepted, which would reveal the user's IP address.

more...
ricochet
2016-03-09*

X41 D-Sec reports:

A remote attacker may crash or execute arbitrary code in libotr by sending large OTR messages.

more...
libotr
libotr3
2016-03-08*

Google Chrome Releases reports:

[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.

Mozilla Foundation reports:

Security researcher Luke Li reported a pointer underflow bug in the Brotli library's decompression that leads to a buffer overflow. This results in a potentially exploitable crash when triggered.

more...
brotli
chromium
chromium-npapi
chromium-pulse
firefox
firefox-esr
libbrotli
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2016-03-08*

Mozilla Foundation reports:

MFSA 2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)

MFSA 2016-17 Local file overwriting and potential privilege escalation through CSP reports

MFSA 2016-18 CSP reports fail to strip location information for embedded iframe pages

MFSA 2016-19 Linux video memory DOS with Intel drivers

MFSA 2016-20 Memory leak in libstagefright when deleting an array during MP4 processing

MFSA 2016-21 Displayed page address can be overridden

MFSA 2016-22 Service Worker Manager out-of-bounds read in Service Worker Manager

MFSA 2016-23 Use-after-free in HTML5 string parser

MFSA 2016-24 Use-after-free in SetBody

MFSA 2016-25 Use-after-free when using multiple WebRTC data channels

MFSA 2016-26 Memory corruption when modifying a file being read by FileReader

MFSA 2016-27 Use-after-free during XML transformations

MFSA 2016-28 Addressbar spoofing though history navigation and Location protocol property

MFSA 2016-29 Same-origin policy violation using perfomance.getEntries and history navigation with session restore

MFSA 2016-31 Memory corruption with malicious NPAPI plugin

MFSA 2016-32 WebRTC and LibVPX vulnerabilities found through code inspection

MFSA 2016-33 Use-after-free in GetStaticInstance in WebRTC

MFSA 2016-34 Out-of-bounds read in HTML parser following a failed allocation

more...
firefox
firefox-esr
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2016-03-08*

Google Chrome Releases reports:

6 security fixes in this release, including:

  • [546677] High CVE-2016-1622: Same-origin bypass in Extensions. Credit to anonymous.
  • [577105] High CVE-2016-1623: Same-origin bypass in DOM. Credit to Mariusz Mlynski.
  • [509313] Medium CVE-2016-1625: Navigation bypass in Chrome Instant. Credit to Jann Horn.
  • [571480] Medium CVE-2016-1626: Out-of-bounds read in PDFium. Credit to anonymous, working with HP's Zero Day Initiative.
  • [585517] CVE-2016-1627: Various fixes from internal audits, fuzzing and other initiatives.
more...
chromium
chromium-npapi
chromium-pulse
2016-03-08*

Mozilla Foundation reports:

MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)

MFSA 2016-02 Out of Memory crash when parsing GIF format images

MFSA 2016-03 Buffer overflow in WebGL after out of memory allocation

MFSA 2016-04 Firefox allows for control characters to be set in cookie names

MFSA 2016-06 Missing delay following user click events in protocol handler dialog

MFSA 2016-09 Addressbar spoofing attacks

MFSA 2016-10 Unsafe memory manipulation found through code inspection

MFSA 2016-11 Application Reputation service disabled in Firefox 43

more...
firefox
firefox-esr
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2016-03-08

Mozilla Foundation reports:

Security researcher Hanno Böck reported that calculations with mp_div and mp_exptmod in Network Security Services (NSS) can produce wrong results in some circumstances. These functions are used within NSS for a variety of cryptographic division functions, leading to potential cryptographic weaknesses.

Mozilla developer Eric Rescorla reported that a failed allocation during DHE and ECDHE handshakes would lead to a use-after-free vulnerability.

more...
linux-c6-nss
linux-firefox
linux-seamonkey
nss
2016-03-08*

Talos reports:

  • An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service.

  • A specially crafted font can cause a buffer overflow resulting in potential code execution.

  • An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash.

more...
graphite2
linux-thunderbird
silgraphite
2016-03-08

Mozilla Foundation reports:

Security researcher Francis Gabriel reported a heap-based buffer overflow in the way the Network Security Services (NSS) libraries parsed certain ASN.1 structures. An attacker could create a specially-crafted certificate which, when parsed by NSS, would cause it to crash or execute arbitrary code with the permissions of the user.

Mozilla developer Tim Taubert used the Address Sanitizer tool and software fuzzing to discover a use-after-free vulnerability while processing DER encoded keys in the Network Security Services (NSS) libraries. The vulnerability overwrites the freed memory with zeroes.

more...
linux-c6-nss
linux-firefox
linux-seamonkey
linux-thunderbird
nss
2016-03-08

Tim Graham reports:

Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth

User enumeration through timing difference on password hasher work factor upgrade

more...
py27-django
py27-django-devel
py27-django18
py27-django19
py32-django
py32-django-devel
py32-django18
py32-django19
py33-django
py33-django-devel
py33-django18
py33-django19
py34-django
py34-django-devel
py34-django18
py34-django19
py35-django
py35-django-devel
py35-django18
py35-django19
2016-03-08*

Aaron Jorbin reports:

WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised. This was reported by Crtc4L.

more...
de-wordpress
ja-wordpress
ru-wordpress
wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
2016-03-08

Samuel Sidler reports:

WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.4.1 and earlier are affected by two security issues: a possible SSRF for certain local URIs, reported by Ronni Skansing; and an open redirection attack, reported by Shailesh Suthar.

more...
de-wordpress
ja-wordpress
ru-wordpress
wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
2016-03-07*

The Asterisk project reports:

AST-2016-001 - BEAST vulnerability in HTTP server

AST-2016-002 - File descriptor exhaustion in chan_sip

AST-2016-003 - Remote crash vulnerability when receiving UDPTL FAX data

more...
asterisk
asterisk11
asterisk13
2016-03-07

Simon G. Tatham reports:

Many versions of PSCP prior to 0.67 have a stack corruption vulnerability in their treatment of the 'sink' direction (i.e. downloading from server to client) of the old-style SCP protocol.

In order for this vulnerability to be exploited, the user must connect to a malicious server and attempt to download any file.[...] you can work around it in a vulnerable PSCP by using the -sftp option to force the use of the newer SFTP protocol, provided your server supports that protocol.

more...
putty
2016-03-06

Sebastien Delafond reports:

Jakub Palaczynski discovered that websvn, a web viewer for Subversion repositories, does not correctly sanitize user-supplied input, which allows a remote user to run reflected cross-site scripting attacks.

more...
websvn
2016-03-06

Ruby on Rails blog:

Rails 4.2.5.2, 4.1.14.2, and 3.2.22.2 have been released! These contain the following important security fixes, and it is recommended that users upgrade as soon as possible.

more...
rubygem-actionpack
rubygem-actionpack4
rubygem-actionview
rubygem-rails
rubygem-rails4
2016-03-06

Thijs Kinkhorst reports:

James Clawson reported:

"Arbitrary files with a known path can be accessed in websvn by committing a symlink to a repository and then downloading the file (using the download link).

An attacker must have write access to the repo, and the download option must have been enabled in the websvn config file."

more...
websvn
2016-03-05

Andreas Schneider reports:

libssh versions 0.1 and above have a bits/bytes confusion bug and generate the an anormaly short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. There are practical algorithms (Baby steps/Giant steps, Pollard?s rho) that can solve this problem in O(2^63) operations.

Both client and server are are vulnerable, pre-authentication. This vulnerability could be exploited by an eavesdropper with enough resources to decrypt or intercept SSH sessions. The bug was found during an internal code review by Aris Adamantiadis of the libssh team.

more...
libssh
2016-03-05

Google Chrome Releases reports:

[560011] High CVE-2016-1630: Same-origin bypass in Blink.

[569496] High CVE-2016-1631: Same-origin bypass in Pepper Plugin.

[549986] High CVE-2016-1632: Bad cast in Extensions.

[572537] High CVE-2016-1633: Use-after-free in Blink.

[559292] High CVE-2016-1634: Use-after-free in Blink.

[585268] High CVE-2016-1635: Use-after-free in Blink.

[584155] High CVE-2016-1636: SRI Validation Bypass.

[555544] Medium CVE-2016-1637: Information Leak in Skia.

[585282] Medium CVE-2016-1638: WebAPI Bypass.

[572224] Medium CVE-2016-1639: Use-after-free in WebRTC.

[550047] Medium CVE-2016-1640: Origin confusion in Extensions UI.

[583718] Medium CVE-2016-1641: Use-after-free in Favicon.

[591402] CVE-2016-1642: Various fixes from internal audits, fuzzing and other initiatives.

Multiple vulnerabilities in V8 fixed.

more...
chromium
chromium-npapi
chromium-pulse
2016-03-02

The Exim development team reports:

All installations having Exim set-uid root and using 'perl_startup' are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (and this is normally any user) can gain root privileges. If you do not use 'perl_startup' you should be safe.

more...
exim
2016-03-02

The Cacti Group, Inc. reports:

Changelog

  • bug:0002652: CVE-2015-8604: SQL injection in graphs_new.php
  • bug:0002655: CVE-2015-8377: SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php
  • bug:0002656: Authentication using web authentication as a user not in the cacti database allows complete access
more...
cacti
2016-03-01

Wireshark development team reports:

The following vulnerabilities have been fixed:

  • wnpa-sec-2015-31

    NBAP dissector crashes. (Bug 11602, Bug 11835, Bug 11841)

  • wnpa-sec-2015-37

    NLM dissector crash.

  • wnpa-sec-2015-39

    BER dissector crash.

  • wnpa-sec-2015-40

    Zlib decompression crash. (Bug 11548)

  • wnpa-sec-2015-41

    SCTP dissector crash. (Bug 11767)

  • wnpa-sec-2015-42

    802.11 decryption crash. (Bug 11790, Bug 11826)

  • wnpa-sec-2015-43

    DIAMETER dissector crash. (Bug 11792)

  • wnpa-sec-2015-44

    VeriWave file parser crashes. (Bug 11789, Bug 11791)

  • wnpa-sec-2015-45

    RSVP dissector crash. (Bug 11793)

  • wnpa-sec-2015-46

    ANSI A and GSM A dissector crashes. (Bug 11797)

  • wnpa-sec-2015-47

    Ascend file parser crash. (Bug 11794)

  • wnpa-sec-2015-48

    NBAP dissector crash. (Bug 11815)

  • wnpa-sec-2015-49

    RSL dissector crash. (Bug 11829)

  • wnpa-sec-2015-50

    ZigBee ZCL dissector crash. (Bug 11830)

  • wnpa-sec-2015-51

    Sniffer file parser crash. (Bug 11827)

  • wnpa-sec-2015-52

    NWP dissector crash. (Bug 11726)

  • wnpa-sec-2015-53

    BT ATT dissector crash. (Bug 11817)

  • wnpa-sec-2015-54

    MP2T file parser crash. (Bug 11820)

  • wnpa-sec-2015-55

    MP2T file parser crash. (Bug 11821)

  • wnpa-sec-2015-56

    S7COMM dissector crash. (Bug 11823)

  • wnpa-sec-2015-57

    IPMI dissector crash. (Bug 11831)

  • wnpa-sec-2015-58

    TDS dissector crash. (Bug 11846)

  • wnpa-sec-2015-59

    PPI dissector crash. (Bug 11876)

  • wnpa-sec-2015-60

    MS-WSP dissector crash. (Bug 11931)

more...
tshark
tshark-lite
wireshark
wireshark-lite
wireshark-qt5
2016-03-01

Wireshark development team reports:

The following vulnerabilities have been fixed:

  • wnpa-sec-2016-02

    ASN.1 BER dissector crash. (Bug 11828) CVE-2016-2522

  • wnpa-sec-2016-03

    DNP dissector infinite loop. (Bug 11938) CVE-2016-2523

  • wnpa-sec-2016-04

    X.509AF dissector crash. (Bug 12002) CVE-2016-2524

  • wnpa-sec-2016-05

    HTTP/2 dissector crash. (Bug 12077) CVE-2016-2525

  • wnpa-sec-2016-06

    HiQnet dissector crash. (Bug 11983) CVE-2016-2526

  • wnpa-sec-2016-07

    3GPP TS 32.423 Trace file parser crash. (Bug 11982)

    CVE-2016-2527
  • wnpa-sec-2016-08

    LBMC dissector crash. (Bug 11984) CVE-2016-2528

  • wnpa-sec-2016-09

    iSeries file parser crash. (Bug 11985) CVE-2016-2529

  • wnpa-sec-2016-10

    RSL dissector crash. (Bug 11829) CVE-2016-2530 CVE-2016-2531

  • wnpa-sec-2016-11

    LLRP dissector crash. (Bug 12048) CVE-2016-2532

  • wnpa-sec-2016-12

    Ixia IxVeriWave file parser crash. (Bug 11795)

  • wnpa-sec-2016-13

    IEEE 802.11 dissector crash. (Bug 11818)

  • wnpa-sec-2016-14

    GSM A-bis OML dissector crash. (Bug 11825)

  • wnpa-sec-2016-15

    ASN.1 BER dissector crash. (Bug 12106)

  • wnpa-sec-2016-16

    SPICE dissector large loop. (Bug 12151)

  • wnpa-sec-2016-17

    NFS dissector crash.

  • wnpa-sec-2016-18

    ASN.1 BER dissector crash. (Bug 11822)

more...
tshark
tshark-lite
wireshark
wireshark-lite
wireshark-qt5
2016-03-01

The phpMyAdmin development team reports:

XSS vulnerability in SQL parser.

Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page.

We consider this vulnerability to be non-critical.

Multiple XSS vulnerabilities.

By sending a specially crafted URL as part of the HOST header, it is possible to trigger an XSS attack.

A weakness was found that allows an XSS attack with Internet Explorer versions older than 8 and Safari on Windows using a specially crafted URL.

Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page.

Using a crafted parameter value, it is possible to trigger an XSS attack in user accounts page.

Using a crafted parameter value, it is possible to trigger an XSS attack in zoom search page.

We consider this vulnerability to be non-critical.

Multiple XSS vulnerabilities.

With a crafted table/column name it is possible to trigger an XSS attack in the database normalization page.

With a crafted parameter it is possible to trigger an XSS attack in the database structure page.

With a crafted parameter it is possible to trigger an XSS attack in central columns page.

We consider this vulnerability to be non-critical.

Vulnerability allowing man-in-the-middle attack on API call to GitHub.

A vulnerability in the API call to GitHub can be exploited to perform a man-in-the-middle attack.

We consider this vulnerability to be serious.

more...
phpmyadmin
2016-02-28*

Mark Thomas reports:

  • CVE-2015-5345 Apache Tomcat Directory disclosure

  • CVE-2016-0706 Apache Tomcat Security Manager bypass

  • CVE-2016-0714 Apache Tomcat Security Manager Bypass

more...
tomcat6
tomcat7
tomcat8
2016-02-28

Marina Glancy reports:

  • MSA-16-0001: Two enrolment-related web services don't check course visibility

  • MSA-16-0002: XSS Vulnerability in course management search

more...
moodle28
moodle29
moodle30
2016-02-28*

Squid security advisory 2016:2 reports:

Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses.

These problems allow remote servers delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing the Squid service.

HTTP responses containing malformed headers that trigger this issue are becoming common. We are not certain at this time if that is a sign of malware or just broken server scripting.

more...
squid
2016-02-28

Tim Graham reports:

User with "change" but not "add" permission can create objects for ModelAdmin?s with save_as=True

more...
py27-django-devel
py27-django19
py33-django-devel
py33-django19
py34-django-devel
py34-django19
py35-django-devel
py35-django19
2016-02-28

Mark Thomas reports:

  • CVE-2015-5346 Apache Tomcat Session fixation

  • CVE-2015-5351 Apache Tomcat CSRF token leak

  • CVE-2016-0763 Apache Tomcat Security Manager Bypass

more...
tomcat7
tomcat8
2016-02-28

The Xen Project reports:

The PV superpage functionality lacks certain validity checks on data being passed to the hypervisor by guests. This is the case for the page identifier (MFN) passed to MMUEXT_MARK_SUPER and MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as well as for various forms of page table updates.

Use of the feature, which is disabled by default, may have unknown effects, ranging from information leaks through Denial of Service to privilege escalation.

more...
xen-kernel
2016-02-28

The Xen Project reports:

While INVLPG does not cause a General Protection Fault when used on a non-canonical address, INVVPID in its "individual address" variant, which is used to back the intercepted INVLPG in certain cases, fails in such cases. Failure of INVVPID results in a hypervisor bug check.

A malicious guest can crash the host, leading to a Denial of Service.

more...
xen-kernel
2016-02-28

The Xen Project reports:

VMX refuses attempts to enter a guest with an instruction pointer which doesn't satisfy certain requirements. In particular, the instruction pointer needs to be canonical when entering a guest currently in 64-bit mode. This is the case even if the VM entry information specifies an exception to be injected immediately (in which case the bad instruction pointer would possibly never get used for other than pushing onto the exception handler's stack). Provided the guest OS allows user mode to map the virtual memory space immediately below the canonical/non-canonical address boundary, a non-canonical instruction pointer can result even from normal user mode execution. VM entry failure, however, is fatal to the guest.

Malicious HVM guest user mode code may be able to crash the guest.

more...
xen-kernel
2016-02-28

The Apache Software Foundation reports:

The Xerces-C XML parser mishandles certain kinds of malformed input documents, resulting in buffer overlows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.

more...
xerces-c3
2016-02-26

Luke Farone reports:

Double-clicking a file in the user's media library with a specially-crafted path or filename allows for arbitrary code execution with the permissions of the user running Pitivi.

more...
pitivi
2016-02-26

Hans Jerry Illikainen reports:

A heap overflow may occur in the giffix utility included in giflib-5.1.1 when processing records of the type `IMAGE_DESC_RECORD_TYPE' due to the allocated size of `LineBuffer' equaling the value of the logical screen width, `GifFileIn->SWidth', while subsequently having `GifFileIn->Image.Width' bytes of data written to it.

more...
giflib
2016-02-25

Drupal Security Team reports:

  • File upload access bypass and denial of service (File module - Drupal 7 and 8 - Moderately Critical)

  • Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6 and 7 - Moderately Critical)

  • Open redirect via path manipulation (Base system - Drupal 6, 7 and 8 - Moderately Critical)

  • Form API ignores access restrictions on submit buttons (Form API - Drupal 6 - Critical)

  • HTTP header injection using line breaks (Base system - Drupal 6 - Moderately Critical)

  • Open redirect via double-encoded 'destination' parameter (Base system - Drupal 6 - Moderately Critical)

  • Reflected file download vulnerability (System module - Drupal 6 and 7 - Moderately Critical)

  • Saving user accounts can sometimes grant the user all roles (User module - Drupal 6 and 7 - Less Critical)

  • Email address can be matched to an account (User module - Drupal 7 and 8 - Less Critical)

  • Session data truncation can lead to unserialization of user provided data (Base system - Drupal 6 - Less Critical)

more...
drupal6
drupal7
drupal8
2016-02-25

Jenkins Security Advisory:

Description

SECURITY-232 / CVE-2016-0788(Remote code execution vulnerability in remoting module)

A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed arbitrary code execution.

SECURITY-238 / CVE-2016-0789(HTTP response splitting vulnerability)

An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content.

SECURITY-241 / CVE-2016-0790(Non-constant time comparison of API token)

The verification of user-provided API tokens with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid API tokens using brute-force methods.

SECURITY-245 / CVE-2016-0791(Non-constant time comparison of CSRF crumbs)

The verification of user-provided CSRF crumbs with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid CSRF crumbs using brute-force methods.

SECURITY-247 / CVE-2016-0792(Remote code execution through remote API)

Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.

more...
jenkins
jenkins-lts
2016-02-24*

oCERT reports:

The library is affected by a double-free vulnerability in function jas_iccattrval_destroy() as well as a heap-based buffer overflow in function jp2_decode(). A specially crafted jp2 file can be used to trigger the vulnerabilities.

oCERT reports:

The library is affected by an off-by-one error in a buffer boundary check in jpc_dec_process_sot(), leading to a heap based buffer overflow, as well as multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to stack overflow. A specially crafted jp2 file can be used to trigger the vulnerabilities.

oCERT reports:

Multiple off-by-one flaws, leading to heap-based buffer overflows, were found in the way JasPer decoded JPEG 2000 files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.

limingxing reports:

A vulnerability was found in the way the JasPer's jas_matrix_clip() function parses certain JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

more...
jasper
2016-02-24*

Martin Prpic reports:

A double free flaw was found in the way JasPer's jasper_image_stop_load() function parsed certain JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

Feist Josselin reports:

A new use-after-free was found in Jasper JPEG-200. The use-after-free appears in the function mif_process_cmpt of the src/libjasper/mif/mif_cod.c file.

more...
jasper
2016-02-21

libsrtp reports:

Prevent potential DoS attack due to lack of bounds checking on RTP header CSRC count and extension header length. Credit goes to Randell Jesup and the Firefox team for reporting this issue.

more...
libsrtp
2016-02-21

Stian Soiland-Reyes reports:

This release fixes a remote code execution vulnerability that was identified in BeanShell by Alvaro Muñoz and Christian Schneider. The BeanShell team would like to thank them for their help and contributions to this fix!

An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source.

A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands.

This update fixes the vulnerability in BeanShell, but it is worth noting that applications doing such deserialization might still be insecure through other libraries. It is recommended that application developers take further measures such as using a restricted class loader when deserializing. See notes on Java serialization security XStream security and How to secure deserialization from untrusted input without using encryption or sealing.

more...
bsh
2016-02-18

Fabio Olive Leite reports:

A stack-based buffer overflow was found in libresolv when invoked from nss_dns, allowing specially crafted DNS responses to seize control of EIP in the DNS client. The buffer overflow occurs in the functions send_dg (send datagram) and send_vc (send TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC family, or in some cases AF_INET6 family. The use of AF_UNSPEC (or AF_INET6 in some cases) triggers the low-level resolver code to send out two parallel queries for A and AAAA. A mismanagement of the buffers used for those queries could result in the response of a query writing beyond the alloca allocated buffer created by __res_nquery.

more...
linux_base-c6
linux_base-c6_64
linux_base-f10
2016-02-18

Google Chrome Releases reports:

[583431] Critical CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in Chrome. Credit to anonymous.

more...
chromium
chromium-npapi
chromium-pulse
2016-02-18

Squid security advisory 2016:1 reports:

Due to incorrectly handling server errors Squid is vulnerable to a denial of service attack when connecting to TLS or SSL servers.

This problem allows any trusted client to perform a denial of service attack on the Squid service regardless of whether TLS or SSL is configured for use in the proxy.

Misconfigured client or server software may trigger this issue to perform a denial of service unintentionally.

However, the bug is exploitable only if Squid is built using the --with-openssl option.

The FreeBSD port does not use SSL by default and is not vulnerable in the default configuration.

more...
squid
2016-02-18*

Amos Jeffries, release manager of the Squid-3 series, reports:

Vulnerable versions are 3.5.0.1 to 3.5.8 (inclusive), which are built with OpenSSL and configured for "SSL-Bump" decryption.

Integer overflows can lead to invalid pointer math reading from random memory on some CPU architectures. In the best case this leads to wrong TLS extensiosn being used for the client, worst-case a crash of the proxy terminating all active transactions.

Incorrect message size checks and assumptions about the existence of TLS extensions in the SSL/TLS handshake message can lead to very high CPU consumption (up to and including 'infinite loop' behaviour).

The above can be triggered remotely. Though there is one layer of authorization applied before this processing to check that the client is allowed to use the proxy, that check is generally weak. MS Skype on Windows XP is known to trigger some of these.

The FreeBSD port does not use SSL by default and is not vulnerable in the default configuration.

more...
squid
2016-02-17

Jakub Vrana reports:

Fix XSS in indexes (non-MySQL only)

more...
adminer
2016-02-17

Jakub Vrana reports:

Fix XSS in login form

more...
adminer
2016-02-17

Jakub Vrana reports:

Fix XSS in alter table

more...
adminer
2016-02-17

Jakub Vrana reports:

Fix remote code execution in SQLite query

more...
adminer
2016-02-16

GnuPG reports:

Mitigate side-channel attack on ECDH with Weierstrass curves.

more...
libgcrypt
2016-02-16

Stepan Golosunov reports:

Buffer overflow was found and fixed in xdelta3 binary diff tool that allows arbitrary code execution from input files at least on some systems.

more...
xdelta3
2016-02-15

The Mozilla Foundation reports:

MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests. For example, a forged crossdomain.xml could allow a malicious site to violate the same-origin policy using the Flash plugin.

more...
firefox
linux-firefox
2016-02-14*

OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable. Local attackers may be able to write arbitrary messages to logged-in users, including terminal escape sequences. Reported by Nikolay Edigaryev.

Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users.

Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution.

more...
openssh-portable
2016-02-14

The Horde Team reports:

Fixed XSS vulnerabilities in menu bar and form renderer.

more...
horde
pear-Horde_Core
2016-02-14*

Frank Denis reports:

Malformed packets could lead to denial of service or code execution.

more...
dnscrypt-proxy
2016-02-13

Nghttp2 reports:

Out of memory in nghttpd, nghttp, and libnghttp2_asio applications due to unlimited incoming HTTP header fields.

nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage for the incoming HTTP header field. If peer sends specially crafted HTTP/2 HEADERS frames and CONTINUATION frames, they will crash with out of memory error.

Note that libnghttp2 itself is not affected by this vulnerability.

more...
nghttp2
2016-02-13*

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit(tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments.

A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the Qemu process instance resulting in DoS issue.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-02-13*

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Human Monitor Interface(HMP) support is vulnerable to an OOB write issue. It occurs while processing 'sendkey' command in hmp_sendkey routine, if the command argument is longer than the 'keyname_buf' buffer size.

A user/process could use this flaw to crash the Qemu process instance resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-02-13*

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to a memory leakage flaw. It occurs when a guest repeatedly tries to activate the vmxnet3 device.

A privileged guest user could use this flaw to leak host memory, resulting in DoS on the host.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-02-13*

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the SCSI MegaRAID SAS HBA emulation support is vulnerable to a stack buffer overflow issue. It occurs while processing the SCSI controller's CTRL_GET_INFO command. A privileged guest user could use this flaw to crash the Qemu process instance resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-02-13*

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the i8255x (PRO100) emulation support is vulnerable to an infinite loop issue. It could occur while processing a chain of commands located in the Command Block List (CBL). Each Command Block(CB) points to the next command in the list. An infinite loop unfolds if the link to the next CB points to the same block or there is a closed loop in the chain.

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the Qemu instance resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-02-12

PostgreSQL project reports:

Security Fixes for Regular Expressions, PL/Java

  • CVE-2016-0773: This release closes security hole CVE-2016-0773, an issue with regular expression (regex) parsing. Prior code allowed users to pass in expressions which included out-of-range Unicode characters, triggering a backend crash. This issue is critical for PostgreSQL systems with untrusted users or which generate regexes based on user input.
  • CVE-2016-0766: The update also fixes CVE-2016-0766, a privilege escalation issue for users of PL/Java. Certain custom configuration settings (GUCS) for PL/Java will now be modifiable only by the database superuser
more...
postgresql91-server
postgresql92-server
postgresql93-server
postgresql94-server
postgresql95-server
2016-02-10

Adobe reports:

These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2016-0985).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-0971).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968, CVE-2016-0969, CVE-2016-0970, CVE-2016-0972, CVE-2016-0976, CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980, CVE-2016-0981).

more...
linux-c6-flashplugin
linux-c6_64-flashplugin
linux-f10-flashplugin
2016-02-09

The Pillow maintainers report:

If a large value was passed into the new size for an image, it is possible to overflow an int32 value passed into malloc, leading the malloc?d buffer to be undersized. These allocations are followed by a loop that writes out of bounds. This can lead to corruption on the heap of the Python process with attacker controlled float data.

This issue was found by Ned Williamson.

more...
py27-pillow
py33-pillow
py34-pillow
py35-pillow
2016-02-09

J.C. Cleaver reports:

  • CVE-2016-2054: Buffer overflow in xymond handling of "config" command

  • CVE-2016-2055: Access to possibly confidential files in the Xymon configuration directory

  • CVE-2016-2056: Shell command injection in the "useradm" and "chpasswd" web applications

  • CVE-2016-2057: Incorrect permissions on IPC queues used by the xymond daemon can bypass IP access filtering

  • CVE-2016-2058: Javascript injection in "detailed status webpage" of monitoring items; XSS vulnerability via malformed acknowledgment messages

more...
xymon-server
2016-02-09

The Pillow maintainers report:

Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 may overflow a buffer when reading a specially crafted tiff file.

Specifically, libtiff >= 4.0.0 changed the return type of TIFFScanlineSize from int32 to machine dependent int32|64. If the scanline is sized so that it overflows an int32, it may be interpreted as a negative number, which will then pass the size check in TiffDecode.c line 236. To do this, the logical scanline size has to be > 2gb, and for the test file, the allocated buffer size is 64k against a roughly 4gb scan line size. Any image data over 64k is written over the heap, causing a segfault.

This issue was found by security researcher FourOne.

more...
py27-pillow
py33-pillow
py34-pillow
py35-pillow
2016-02-09

The Pillow maintainers report:

In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error.

There is a memcpy error where x is added to a target buffer address. X is used in several internal temporary variable roles, but can take a value up to the width of the image. Im->image[y] is a set of row pointers to segments of memory that are the size of the row. At the max y, this will write the contents of the line off the end of the memory buffer, causing a segfault.

This issue was found by Alyssa Besseling at Atlassian.

more...
py27-imaging
py27-pillow
py33-pillow
py34-pillow
py35-pillow
2016-02-09

The Pillow maintainers report:

In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, PcdDecode.c has a buffer overflow error.

The state.buffer for PcdDecode.c is allocated based on a 3 bytes per pixel sizing, where PcdDecode.c wrote into the buffer assuming 4 bytes per pixel. This writes 768 bytes beyond the end of the buffer into other Python object storage. In some cases, this causes a segfault, in others an internal Python malloc error.

more...
py27-imaging
py27-pillow
py33-pillow
py34-pillow
py35-pillow
2016-02-06

FFmpeg security reports:

FFmpeg 2.8.6 fixes the following vulnerabilities: CVE-2016-2213

more...
ffmpeg
mencoder
mplayer
2016-02-05

Michael Catanzaro reports:

Shotwell has a serious security issue ("Shotwell does not verify TLS certificates"). Upstream is no longer active and I do not expect any further upstream releases unless someone from the community steps up to maintain it.

What is the impact of the issue? If you ever used any of the publish functionality (publish to Facebook, publish to Flickr, etc.), your passwords may have been stolen; changing them is not a bad idea.

What is the risk of the update? Regressions. The easiest way to validate TLS certificates was to upgrade WebKit; it seems to work but I don't have accounts with the online services it supports, so I don't know if photo publishing still works properly on all the services.

more...
shotwell
2016-02-05*

Samba team reports:

[CVE-2015-3223] Malicious request can cause Samba LDAP server to hang, spinning using CPU.

[CVE-2015-5330] Malicious request can cause Samba LDAP server to return uninitialized memory that should not be part of the reply.

[CVE-2015-5296] Requesting encryption should also request signing when setting up the connection to protect against man-in-the-middle attacks.

[CVE-2015-5299] A missing access control check in the VFS shadow_copy2 module could allow unauthorized users to access snapshots.

[CVE-2015-7540] Malicious request can cause Samba LDAP server to return crash.

[CVE-2015-8467] Samba can expose Windows DCs to MS15-096 Denial of service via the creation of multiple machine accounts(The Microsoft issue is CVE-2015-2535).

[CVE-2015-5252] Insufficient symlink verification could allow data access outside share path.

more...
ldb
samba36
samba4
samba41
samba42
samba43
2016-02-04

webkit reports:

The ScrollView::paint function in platform/scroll/ScrollView.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to spoof the UI by extending scrollbar painting into the parent frame.

more...
webkit-gtk2
webkit-gtk3
2016-02-04

Filippo Valsorda reports:

python-rsa is vulnerable to a straightforward variant of the Bleichenbacher'06 attack against RSA signature verification with low public exponent.

more...
py27-rsa
py32-rsa
py33-rsa
py34-rsa
py35-rsa
2016-02-03

SaltStack reports:

Improper handling of clear messages on the minion, which could result in executing commands not sent by the master.

more...
py27-salt
py32-salt
py33-salt
py34-salt
py35-salt
2016-02-02*

The cURL project reports:

libcurl will reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer.

more...
curl
linux-c6-curl
linux-c6_64-curl
linux-f10-curl
2016-02-02

Ruby on Rails blog:

Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been released! These contain important security fixes, and it is recommended that users upgrade as soon as possible.

more...
rubygem-actionpack
rubygem-actionpack4
rubygem-actionview
rubygem-activemodel4
rubygem-activerecord
rubygem-activerecord4
rubygem-rails
rubygem-rails-html-sanitizer
rubygem-rails4
2016-02-01

socat reports:

In the OpenSSL address implementation the hard coded 1024 bit DH p parameter was not prime. The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p. Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out.

more...
socat
2016-02-01

CENSUS S.A. reports:

GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone to an integer overflow vulnerability which leads to a buffer overflow and potentially to remote code execution.

GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone to an out-of-bounds read vulnerability due to missing checks.

more...
gdcm
2016-01-31*

OpenSSL project reports:

  1. BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
  2. Certificate verify crash with missing PSS parameter (CVE-2015-3194)
  3. X509_ATTRIBUTE memory leak (CVE-2015-3195)
  4. Race condition handling PSK identify hint (CVE-2015-3196)
  5. Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)
more...
linux-c6-openssl
mingw32-openssl
openssl
2016-01-31*

Daniel Veilland reports:

Enforce the reader to run in constant memory. One of the operation on the reader could resolve entities leading to the classic expansion issue. Make sure the buffer used for xmlreader operation is bounded. Introduce a new allocation type for the buffers for this effect.

more...
libxml2
linux-c6-libxml2
linux-f10-libxml2
2016-01-31*

Alan Coopersmith reports:

Ilja van Sprundel, a security researcher with IOActive, has discovered an issue in the parsing of BDF font files by libXfont. Additional testing by Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool uncovered two more issues in the parsing of BDF font files.

As libXfont is used by the X server to read font files, and an unprivileged user with access to the X server can tell the X server to read a given font file from a path of their choosing, these vulnerabilities have the potential to allow unprivileged users to run code with the privileges of the X server (often root access).

more...
libXfont
linux-c6-xorg-libs
linux-f10-xorg-libs
2016-01-30

Maxim Dounin reports:

Several problems in nginx resolver were identified, which might allow an attacker to cause worker process crash, or might have potential other impact if the "resolver" directive is used in a configuration file.

more...
nginx
nginx-devel
2016-01-29

Owncloud reports:

  • Reflected XSS in OCS provider discovery (oC-SA-2016-001)

  • Information Exposure Through Directory Listing in the file scanner (oC-SA-2016-002)

  • Disclosure of files that begin with ".v" due to unchecked return value (oC-SA-2016-003)

more...
owncloud
2016-01-29

nghttp2 reports:

This release fixes heap-use-after-free bug in idle stream handling code. We strongly recommend to upgrade the older installation to this latest version as soon as possible.

more...
nghttp2
2016-01-29

TYPO3 Security Team reports:

It has been discovered that TYPO3 CMS is susceptible to Cross-Site Scripting and Cross-Site Flashing.

more...
typo3
typo3-lts
2016-01-29

Radicale reports:

The multifilesystem backend allows access to arbitrary files on all platforms.

Prevent regex injection in rights management.

more...
py27-radicale
py32-radicale
py33-radicale
py34-radicale
2016-01-28

OpenSSL project reports:

  1. Historically OpenSSL only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe" then an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. For example this could be used to discover a TLS server's private DH exponent if it's reusing the private DH exponent or it's using a static DH ciphersuite. OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk. (CVE-2016-0701)
  2. A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2. (CVE-2015-3197)
more...
mingw32-openssl
openssl
2016-01-28

The Prosody team reports:

Adopt key generation algorithm from XEP-0185, to prevent impersonation attacks (CVE-2016-0756)

more...
prosody
2016-01-28

The phpMyAdmin development team reports:

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

We consider these vulnerabilities to be non-critical.

This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

The XSRF/CSRF token is generated with a weak algorithm using functions that do not return cryptographically secure values.

We consider this vulnerability to be non-critical.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

  • With a crafted table name it is possible to trigger an XSS attack in the database search page.
  • With a crafted SET value or a crafted search query, it is possible to trigger an XSS attacks in the zoom search page.
  • With a crafted hostname header, it is possible to trigger an XSS attacks in the home page.

We consider these vulnerabilities to be non-critical.

These vulnerabilities can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required pages.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

Password suggestion functionality uses Math.random() which does not provide cryptographically secure random numbers.

We consider this vulnerability to be non-critical.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

The comparison of the XSRF/CSRF token parameter with the value saved in the session is vulnerable to timing attacks. Moreover, the comparison could be bypassed if the XSRF/CSRF token matches a particular pattern.

We consider this vulnerability to be serious.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

We consider these vulnerabilities to be non-critical.

This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

With a crafted table name it is possible to trigger an XSS attack in the database normalization page.

We consider this vulnerability to be non-critical.

This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required page.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

By calling a particular script that is part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

We consider this vulnerability to be non-critical.

This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

With a crafted SQL query, it is possible to trigger an XSS attack in the SQL editor.

We consider this vulnerability to be non-critical.

This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required pages.

more...
phpmyadmin
2016-01-26

MITRE reports:

sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/file.txt."

more...
sudo
2016-01-26

Privoxy Developers reports:

Fixed a memory leak when rejecting client connections due to the socket limit being reached (CID 66382). This affected Privoxy 3.0.21 when compiled with IPv6 support (on most platforms this is the default).

Fixed an immediate-use-after-free bug (CID 66394) and two additional unconfirmed use-after-free complaints made by Coverity scan (CID 66391, CID 66376).

MITRE reports:

Privoxy before 3.0.22 allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors.

more...
privoxy
2016-01-26

Privoxy Developers reports:

Prevent invalid reads in case of corrupt chunk-encoded content. CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer.

Remove empty Host headers in client requests. Previously they would result in invalid reads. CVE-2016-1983. Bug discovered with afl-fuzz and AddressSanitizer.

more...
privoxy
2016-01-26

Privoxy Developers reports:

Proxy authentication headers are removed unless the new directive enable-proxy-authentication-forwarding is used. Forwarding the headers potentially allows malicious sites to trick the user into providing them with login information. Reported by Chris John Riley.

more...
privoxy
2016-01-26

Privoxy Developers reports:

Fixed a DoS issue in case of client requests with incorrect chunk-encoded body. When compiled with assertions enabled (the default) they could previously cause Privoxy to abort(). Reported by Matthew Daley. CVE-2015-1380.

Fixed multiple segmentation faults and memory leaks in the pcrs code. This fix also increases the chances that an invalid pcrs command is rejected as such. Previously some invalid commands would be loaded without error. Note that Privoxy's pcrs sources (action and filter files) are considered trustworthy input and should not be writable by untrusted third-parties. CVE-2015-1381.

Fixed an 'invalid read' bug which could at least theoretically cause Privoxy to crash. So far, no crashes have been observed. CVE-2015-1382.

more...
privoxy
2016-01-22*

ISC reports:

Problems converting OPT resource records and ECS options to text format can cause BIND to terminate

more...
bind910
2016-01-22

Enlightenment reports:

GIF loader: Fix segv on images without colormap

Prevent division-by-zero crashes.

Fix segfault when opening input/queue/id:000007,src:000000,op:flip1,pos:51 with feh

more...
imlib2
2016-01-22

ISC reports:

Specific APL data could trigger an INSIST in apl_42.c

more...
bind910
bind99
2016-01-21

Google Chrome Releases reports:

This update includes 37 security fixes, including:

  • [497632] High CVE-2016-1612: Bad cast in V8.
  • [572871] High CVE-2016-1613: Use-after-free in PDFium.
  • [544691] Medium CVE-2016-1614: Information leak in Blink.
  • [468179] Medium CVE-2016-1615: Origin confusion in Omnibox.
  • [541415] Medium CVE-2016-1616: URL Spoofing.
  • [544765] Medium CVE-2016-1617: History sniffing with HSTS and CSP.
  • [552749] Medium CVE-2016-1618: Weak random number generator in Blink.
  • [557223] Medium CVE-2016-1619: Out-of-bounds read in PDFium.
  • [579625] CVE-2016-1620: Various fixes from internal audits, fuzzing and other initiatives.
  • Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch.
more...
chromium
chromium-npapi
chromium-pulse
2016-01-21

Network Time Foundation reports:

NTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p6, released on Tuesday, 19 January 2016:

  • Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported by Cisco ASIG.
  • Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass. Reported by Cisco ASIG.
  • Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. Reported by Cisco ASIG.
  • Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list. Reported by Cisco ASIG.
  • Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported by Cisco ASIG.
  • Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames. Reported by Cisco ASIG.
  • Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported by Cisco ASIG.
  • Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers. Reported by Cisco ASIG.
  • Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode. Reported by Cisco ASIG.

Additionally, mitigations are published for the following two issues:

  • Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks. Reported by Cisco ASIG.
  • Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. Reported by Cisco ASIG.
more...
ntp
ntp-devel
2016-01-20

Jason A. Donenfeld reports:

Reflected Cross Site Scripting and Header Injection in Mimetype Query String.

Stored Cross Site Scripting and Header Injection in Filename Parameter.

Integer Overflow resulting in Buffer Overflow.

more...
cgit
2016-01-19

DrWhax reports:

So in codeconv.c there is a function for japanese character set conversion called conv_jistoeuc(). There is no bounds checking on the output buffer, which is created on the stack with alloca() Bug can be triggered by sending an email to TAILS_luser@riseup.net or whatever. Since my C is completely rusty, you might be able to make a better judgement on the severity of this issue. Marking critical for now.

more...
claws-mail
2016-01-18*

Tomas Hoger reports:

A buffer overflow flaw was discovered in the libproxy's url::get_pac() used to download proxy.pac proxy auto-configuration file. A malicious host hosting proxy.pac, or a man in the middle attacker, could use this flaw to trigger a stack-based buffer overflow in an application using libproxy, if proxy configuration instructed it to download proxy.pac file from a remote HTTP server.

more...
libproxy
libproxy-gnome
libproxy-kde
libproxy-perl
libproxy-webkit
2016-01-18

Jason Buberel reports:

A security-related issue has been reported in Go's math/big package. The issue was introduced in Go 1.5. We recommend that all users upgrade to Go 1.5.3, which fixes the issue. Go programs must be recompiled with Go 1.5.3 in order to receive the fix.

The Go team would like to thank Nick Craig-Wood for identifying the issue.

This issue can affect RSA computations in crypto/rsa, which is used by crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA private key due to this issue. Other protocol implementations that create many RSA signatures could also be impacted in the same way.

Specifically, incorrect results in one part of the RSA Chinese Remainder computation can cause the result to be incorrect in such a way that it leaks one of the primes. While RSA blinding should prevent an attacker from crafting specific inputs that trigger the bug, on 32-bit systems the bug can be expected to occur at random around one in 2^26 times. Thus collecting around 64 million signatures (of known data) from an affected server should be enough to extract the private key used.

On 64-bit systems, the frequency of the bug is so low (less than one in 2^50) that it would be very difficult to exploit. Nonetheless, everyone is strongly encouraged to upgrade.

more...
go
2016-01-18

MITRE reports:

Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.

Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive.

Libarchive issue tracker reports:

Using a crafted tar file bsdtar can perform an out-of-bounds memory read which will lead to a SEGFAULT. The issue exists when the executable skips data in the archive. The amount of data to skip is defined in byte offset [16-19] If ASLR is disabled, the issue can lead to an infinite loop.

more...
libarchive
2016-01-17

Arch Linux reports:

ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file, downloading which will send files from a user PC to a remote attacker server. The attack does not even require the user to open that file ? for example, KDE Dolphin thumbnail generation is enough.

more...
ffmpeg
mencoder
mplayer
2016-01-15

Yakuzo OKU reports:

When redirect directive is used, this flaw allows a remote attacker to inject response headers into an HTTP redirect response.

more...
h2o
2016-01-15*

OpenSSH reports:

OpenSSH clients between versions 5.4 and 7.1 are vulnerable to information disclosure that may allow a malicious server to retrieve information including under some circumstances, user's private keys.

more...
openssh-portable
2016-01-14

The Prosody Team reports:

Fix path traversal vulnerability in mod_http_files (CVE-2016-1231)

Fix use of weak PRNG in generation of dialback secrets (CVE-2016-1232)

more...
prosody
2016-01-13

Elastic reports:

Fixes XSS vulnerability (CVE pending) - Thanks to Vladimir Ivanov for responsibly reporting.

more...
kibana4
kibana41
kibana42
kibana43
2016-01-12

ISC reports:

A badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally.

more...
isc-dhcp41-client
isc-dhcp41-relay
isc-dhcp41-server
isc-dhcp42-client
isc-dhcp42-relay
isc-dhcp42-server
isc-dhcp43-client
isc-dhcp43-relay
isc-dhcp43-server
2016-01-12

Ricardo Signes reports:

Beginning in PathTools 3.47 and/or perl 5.20.0, the File::Spec::canonpath() routine returned untained strings even if passed tainted input. This defect undermines the guarantee of taint propagation, which is sometimes used to ensure that unvalidated user input does not reach sensitive code.

This defect was found and reported by David Golden of MongoDB.

more...
p5-PathTools
2016-01-11

PHP reports:

  • Core:
    • Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).
  • GD:
    • Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds).
  • SOAP:
    • Fixed bug #70900 (SoapClient systematic out of memory error).
  • Wddx
    • Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
    • Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).
  • XMLRPC:
    • Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).
more...
php55
php55-gd
php55-wddx
php55-xmlrpc
php56
php56-gd
php56-soap
php56-wddx
php56-xmlrpc
2016-01-09

NVD reports:

The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.

more...
py27-pygments
py32-pygments
py33-pygments
py34-pygments
py35-pygments
2016-01-08

Network Time Foundation reports:

NTF's NTP Project has been notified of the following 1 medium-severity vulnerability that is fixed in ntp-4.2.8p5, released on Thursday, 7 January 2016:

NtpBug2956: Small-step/Big-step CVE-2015-5300

more...
ntp
ntp-devel
2016-01-08*

ocert reports:

The dcraw tool, as well as several other projects re-using its code, suffers from an integer overflow condition which lead to a buffer overflow.

The vulnerability concerns the 'len' variable, parsed without validation from opened images, used in the ljpeg_start() function.

A maliciously crafted raw image file can be used to trigger the vulnerability, causing a Denial of Service condition.

more...
cinepaint
darktable
dcraw
dcraw-m
exact-image
flphoto
freeimage
kodi
libraw
lightzone
netpbm
opengtl
rawstudio
ufraw
2016-01-08

Colin Walters reports:

  • Integer overflow in the authentication_agent_new_cookie function in PolicyKit (aka polkit) before 0.113 allows local users to gain privileges by creating a large number of connections, which triggers the issuance of a duplicate cookie value.

  • The authentication_agent_new function in polkitbackend/polkitbackendinteractiveauthority.c in PolicyKit (aka polkit) before 0.113 allows local users to cause a denial of service (NULL pointer dereference and polkitd daemon crash) by calling RegisterAuthenticationAgent with an invalid object path.

  • The polkit_backend_action_pool_init function in polkitbackend/polkitbackendactionpool.c in PolicyKit (aka polkit) before 0.113 might allow local users to gain privileges via duplicate action IDs in action descriptions.

  • PolicyKit (aka polkit) before 0.113 allows local users to cause a denial of service (memory corruption and polkitd daemon crash) and possibly gain privileges via unspecified vectors, related to "javascript rule evaluation."

more...
polkit
2016-01-08*

Oracle reports:

This Critical Patch Update contains 25 new security fixes for Oracle Java SE. 24 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

more...
openjdk7
openjdk7-jre
openjdk8
openjdk8-jre
2016-01-08

Michael Samuel reports:

librsync before 1.0.0 uses a truncated MD4 checksum to match blocks, which makes it easier for remote attackers to modify transmitted data via a birthday attack.

more...
librsync
2016-01-08

Nico Golde reports:

heap overflow via malformed dhcp responses later in print_option (via dhcp_envoption1) due to incorrect option length values. Exploitation is non-trivial, but I'd love to be proven wrong.

invalid read/crash via malformed dhcp responses. not exploitable beyond DoS as far as I can judge.

more...
dhcpcd
2016-01-08*

US-CERT/NIST reports:

The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.

US-CERT/NIST reports:

Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.

US-CERT/NIST reports:

Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.

more...
cross-binutils
m6811-binutils
x86_64-pc-mingw32-binutils
2016-01-07

ARM Limited reports:

MD5 handshake signatures in TLS 1.2 are vulnerable to the SLOTH attack on TLS 1.2 server authentication. They have been disabled by default. Other attacks from the SLOTH paper do not apply to any version of mbed TLS or PolarSSL.

more...
mbedtls
polarssl13
2016-01-06*

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the AMD PC-Net II Ethernet Controller support is vulnerable to a heap buffer overflow flaw. While receiving packets in the loopback mode, it appends CRC code to the receive buffer. If the data size given is same as the receive buffer size, the appended CRC code overwrites 4 bytes beyond this 's->buffer' array.

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the Qemu instance resulting in DoS or potentially execute arbitrary code with privileges of the Qemu process on the host.

The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets from a remote host(non-loopback mode), fails to validate the received data size, thus resulting in a buffer overflow issue. It could potentially lead to arbitrary code execution on the host, with privileges of the Qemu process. It requires the guest NIC to have larger MTU limit.

A remote user could use this flaw to crash the guest instance resulting in DoS or potentially execute arbitrary code on a remote host with privileges of the Qemu process.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
xen-tools
2016-01-06

The Xen Project reports:

When constructing a guest which is configured to use a PV bootloader which runs as a userspace process in the toolstack domain (e.g. pygrub) libxl creates a mapping of the files to be used as kernel and initial ramdisk when building the guest domain.

However if building the domain subsequently fails these mappings would not be released leading to a leak of virtual address space in the calling process, as well as preventing the recovery of the temporary disk files containing the kernel and initial ramdisk.

For toolstacks which manage multiple domains within the same process, an attacker who is able to repeatedly start a suitable domain (or many such domains) can cause an out-of-memory condition in the toolstack process, leading to a denial of service.

Under the same circumstances an attacker can also cause files to accumulate on the toolstack domain filesystem (usually under /var in dom0) used to temporarily store the kernel and initial ramdisk, perhaps leading to a denial of service against arbitrary other services using that filesystem.

more...
xen-tools
2016-01-06

The Xen Project reports:

Single memory accesses in source code can be translated to multiple ones in machine code by the compiler, requiring special caution when accessing shared memory. Such precaution was missing from the hypervisor code inspecting the state of I/O requests sent to the device model for assistance.

Due to the offending field being a bitfield, it is however believed that there is no issue in practice, since compilers, at least when optimizing (which is always the case for non-debug builds), should find it more expensive to extract the bit field value twice than to keep the calculated value in a register.

This vulnerability is exposed to malicious device models. In conventional Xen systems this means the qemu which service an HVM domain. On such systems this vulnerability can only be exploited if the attacker has gained control of the device model qemu via another vulnerability.

Privilege escalation, host crash (Denial of Service), and leaked information all cannot be excluded.

more...
xen-kernel
2016-01-06

The Xen Project reports:

Error handling in the operation may involve handing back pages to the domain. This operation may fail when in parallel the domain gets torn down. So far this failure unconditionally resulted in the host being brought down due to an internal error being assumed. This is CVE-2015-8339.

Furthermore error handling so far wrongly included the release of a lock. That lock, however, was either not acquired or already released on all paths leading to the error handling sequence. This is CVE-2015-8340.

A malicious guest administrator may be able to deny service by crashing the host or causing a deadlock.

more...
xen-kernel
2016-01-06

The Xen Project reports:

When XSAVE/XRSTOR are not in use by Xen to manage guest extended register state, the initial values in the FPU stack and XMM registers seen by the guest upon first use are those left there by the previous user of those registers.

A malicious domain may be able to leverage this to obtain sensitive information such as cryptographic keys from another domain.

more...
xen-kernel
2016-01-05*

ISC Support reports:

ISC Kea may terminate unexpectedly (crash) while handling a malformed client packet. Related defects in the kea-dhcp4 and kea-dhcp6 servers can cause the server to crash during option processing if a client sends a malformed packet. An attacker sending a crafted malformed packet can cause an ISC Kea server providing DHCP services to IPv4 or IPv6 clients to exit unexpectedly.

  • The kea-dhcp4 server is vulnerable only in versions 0.9.2 and 1.0.0-beta, and furthermore only when logging at debug level 40 or higher. Servers running kea-dhcp4 versions 0.9.1 or lower, and servers which are not logging or are logging at debug level 39 or below are not vulnerable.

  • The kea-dhcp6 server is vulnerable only in versions 0.9.2 and 1.0.0-beta, and furthermore only when logging at debug level 45 or higher. Servers running kea-dhcp6 versions 0.9.1 or lower, and servers which are not logging or are logging at debug level 44 or below are not vulnerable.

more...
kea
2016-01-05

zzf of Alibaba discovered an out-of-bounds vulnerability in the code processing the LogLUV and CIE Lab image format files. An attacker could create a specially-crafted TIFF file that could cause libtiff to crash.

more...
tiff
2016-01-05

NVD reports:

SQL injection vulnerability in include/top_graph_header.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a properties action to graph.php.

more...
cacti
2016-01-05

LMX of Qihoo 360 Codesafe Team discovered an out-of-bounds read in tif_getimage.c. An attacker could create a specially-crafted TIFF file that could cause libtiff to crash.

more...
tiff
2016-01-04

Gustavo Grieco reports:

Two issues were found in unzip 6.0:

* A heap overflow triggered by unzipping a file with password (e.g unzip -p -P x sigsegv.zip).

* A denegation of service with a file that never finishes unzipping (e.g. unzip sigxcpu.zip).

more...
unzip
2016-01-03

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Q35 chipset based pc system emulator is vulnerable to a heap based buffer overflow. It occurs during VM guest migration, as more(16 bytes) data is moved into allocated (8 bytes) memory area.

A privileged guest user could use this issue to corrupt the VM guest image, potentially leading to a DoS. This issue affects q35 machine types.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-03

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the PCI MSI-X support is vulnerable to null pointer dereference issue. It occurs when the controller attempts to write to the pending bit array(PBA) memory region. Because the MSI-X MMIO support did not define the .write method.

A privileges used inside guest could use this flaw to crash the Qemu process resulting in DoS issue.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-03

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the USB EHCI emulation support is vulnerable to an infinite loop issue. It occurs during communication between host controller interface(EHCI) and a respective device driver. These two communicate via a isochronous transfer descriptor list(iTD) and an infinite loop unfolds if there is a closed loop in this list.

A privileges user inside guest could use this flaw to consume excessive CPU cycles & resources on the host.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-03

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the VNC display driver support is vulnerable to an arithmetic exception flaw. It occurs on the VNC server side while processing the 'SetPixelFormat' messages from a client.

A privileged remote client could use this flaw to crash the guest resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-03

ACME Updates reports:

mini_httpd 1.21 and earlier allows remote attackers to obtain sensitive information from process memory via an HTTP request with a long protocol string, which triggers an incorrect response size calculation and an out-of-bounds read.

(rene) ACME, the author, claims that the vulnerability is fixed *after* version 1.22, released on 2015-12-28

more...
mini_httpd
2016-01-02

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing transmit descriptor data when sending a network packet.

A privileged user inside guest could use this flaw to crash the Qemu instance resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-02

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Virtual Network Device(virtio-net) support is vulnerable to a DoS issue. It could occur while receiving large packets over the tuntap/macvtap interfaces and when guest's virtio-net driver did not support big/mergeable receive buffers.

An attacker on the local network could use this flaw to disable guest's networking by sending a large number of jumbo frames to the guest, exhausting all receive buffers and thus leading to a DoS situation.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-02

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the NE2000 NIC emulation support is vulnerable to an infinite loop issue. It could occur when receiving packets over the network.

A privileged user inside guest could use this flaw to crash the Qemu instance resulting in DoS.

Qemu emulator built with the NE2000 NIC emulation support is vulnerable to a heap buffer overflow issue. It could occur when receiving packets over the network.

A privileged user inside guest could use this flaw to crash the Qemu instance or potentially execute arbitrary code on the host.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-02

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the VNC display driver is vulnerable to an infinite loop issue. It could occur while processing a CLIENT_CUT_TEXT message with specially crafted payload message.

A privileged guest user could use this flaw to crash the Qemu process on the host, resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-02

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the IDE disk and CD/DVD-ROM emulation support is vulnerable to a divide by zero issue. It could occur while executing an IDE command WIN_READ_NATIVE_MAX to determine the maximum size of a drive.

A privileged user inside guest could use this flaw to crash the Qemu instance resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-01

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the virtio-serial vmchannel support is vulnerable to a buffer overflow issue. It could occur while exchanging virtio control messages between guest and the host.

A malicious guest could use this flaw to corrupt few bytes of Qemu memory area, potentially crashing the Qemu process.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-01

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the VNC display driver support is vulnerable to a buffer overflow flaw leading to a heap memory corruption issue. It could occur while refreshing the server display surface via routine vnc_refresh_server_surface().

A privileged guest user could use this flaw to corrupt the heap memory and crash the Qemu process instance OR potentially use it to execute arbitrary code on the host.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-01

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the SCSI device emulation support is vulnerable to a stack buffer overflow issue. It could occur while parsing SCSI command descriptor block with an invalid operation code.

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the Qemu instance resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-01

Petr Matousek of Red Hat Inc. reports:

Due converting PIO to the new memory read/write api we no longer provide separate I/O region lenghts for read and write operations. As a result, reading from PIT Mode/Command register will end with accessing pit->channels with invalid index and potentially cause memory corruption and/or minor information leak.

A privileged guest user in a guest with QEMU PIT emulation enabled could potentially (tough unlikely) use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.

Please note that by default QEMU/KVM guests use in-kernel (KVM) PIT emulation and are thus not vulnerable to this issue.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2015-12-31

NCC Group reports:

An attacker who can cause a carefully-chosen string to be converted to a floating-point number can cause a crash and potentially induce arbitrary code execution.

more...
mono
2015-12-29

Adobe reports:

These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-8644).

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2015-8651).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-8634, CVE-2015-8635, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, CVE-2015-8650).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-8459, CVE-2015-8460, CVE-2015-8636, CVE-2015-8645).

more...
linux-c6-flashplugin
linux-c6_64-flashplugin
linux-f10-flashplugin
2015-12-29*

Inspircd reports:

This release fixes the issues discovered since 2.0.18, containing multiple important stability and correctness related improvements, including a fix for a bug which allowed malformed DNS records to cause netsplits on a network.

more...
inspircd
2015-12-28

The Mozilla Project reports:

Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where MD5 signatures in the server signature within the TLS 1.2 ServerKeyExchange message are still accepted. This is an issue since NSS has officially disallowed the accepting MD5 as a hash algorithm in signatures since 2011. This issues exposes NSS based clients such as Firefox to theoretical collision-based forgery attacks.

more...
linux-c6-nss
linux-firefox
linux-seamonkey
linux-thunderbird
nss
2015-12-28

NVD reports:

The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.8.4 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data.

The ff_get_buffer function in libavcodec/utils.c in FFmpeg before 2.8.4 preserves width and height values after a failure, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted .mov file.

more...
avidemux
avidemux2
avidemux26
ffmpeg
ffmpeg-011
ffmpeg-devel
ffmpeg0
ffmpeg1
ffmpeg2
ffmpeg23
ffmpeg24
ffmpeg25
ffmpeg26
gstreamer-ffmpeg
handbrake
kodi
libav
mencoder
mplayer
mythtv
mythtv-frontend
plexhometheater
2015-12-28*

NVD reports:

The update_dimensions function in libavcodec/vp8.c in FFmpeg through 2.8.1, as used in Google Chrome before 46.0.2490.71 and other products, relies on a coefficient-partition count during multi-threaded operation, which allows remote attackers to cause a denial of service (race condition and memory corruption) or possibly have unspecified other impact via a crafted WebM file.

The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg before 2.8.2 omits certain width and height checks, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted MJPEG data.

The ff_hevc_parse_sps function in libavcodec/hevc_ps.c in FFmpeg before 2.8.2 does not validate the Chroma Format Indicator, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted High Efficiency Video Coding (HEVC) data.

The decode_uncompressed function in libavcodec/faxcompr.c in FFmpeg before 2.8.2 does not validate uncompressed runs, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted CCITT FAX data.

The init_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.8.2 does not enforce minimum-value and maximum-value constraints on tile coordinates, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data.

The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via a crafted image with two or more of these markers.

Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via crafted image dimensions in Indeo Video Interactive data.

The smka_decode_frame function in libavcodec/smacker.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not verify that the data size is consistent with the number of channels, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Smacker data.

more...
avidemux
avidemux2
avidemux26
ffmpeg
ffmpeg-011
ffmpeg-devel
ffmpeg0
ffmpeg1
ffmpeg2
ffmpeg23
ffmpeg24
ffmpeg25
ffmpeg26
gstreamer-ffmpeg
handbrake
kodi
libav
mencoder
mplayer
mythtv
mythtv-frontend
plexhometheater
2015-12-26

The phpMyAdmin development team reports:

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

We consider these vulnerabilities to be non-critical.

This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.

more...
phpMyAdmin
2015-12-25

Salvatore Bonaccorso reports:

Hanno Boeck discovered a stack-based buffer overflow in the dpkg-deb component of dpkg, the Debian package management system. This flaw could potentially lead to arbitrary code execution if a user or an automated system were tricked into processing a specially crafted Debian binary package (.deb) in the old style Debian binary package format.

more...
dpkg
2015-12-24*

Tim Graham reports:

If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".

more...
py27-django
py27-django-devel
py27-django17
py27-django18
py32-django
py32-django-devel
py32-django17
py32-django18
py33-django
py33-django-devel
py33-django17
py33-django18
py34-django
py34-django-devel
py34-django17
py34-django18
2015-12-24*

MediaWiki reports:

Internal review discovered that Special:DeletedContributions did not properly protect the IP of autoblocked users. This fix makes the functionality of Special:DeletedContributions consistent with Special:Contributions and Special:BlockList.

Internal review discovered that watchlist anti-csrf tokens were not being compared in constant time, which could allow various timing attacks. This could allow an attacker to modify a user's watchlist via csrf

John Menerick reported that MediaWiki's thumb.php failed to sanitize various error messages, resulting in xss.

more...
mediawiki123
mediawiki124
mediawiki125
2015-12-24*

MediaWiki reports:

Wikipedia user RobinHood70 reported two issues in the chunked upload API. The API failed to correctly stop adding new chunks to the upload when the reported size was exceeded (T91203), allowing a malicious users to upload add an infinite number of chunks for a single file upload. Additionally, a malicious user could upload chunks of 1 byte for very large files, potentially creating a very large number of files on the server's filesystem (T91205).

Internal review discovered that it is not possible to throttle file uploads.

Internal review discovered a missing authorization check when removing suppression from a revision. This allowed users with the 'viewsuppressed' user right but not the appropriate 'suppressrevision' user right to unsuppress revisions.

Richard Stanway from teamliquid.net reported that thumbnails of PNG files generated with ImageMagick contained the local file path in the image metadata.

more...
mediawiki123
mediawiki124
mediawiki125
2015-12-24

Mantis reports:

CVE-2015-5059: documentation in private projects can be seen by every user

more...
mantis
2015-12-24

MediaWiki reports:

(T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error.

(T119309) SECURITY: Use hash_compare() for edit token comparison.

(T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads.

(T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength.

(T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued.

(T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki.

more...
mediawiki123
mediawiki124
mediawiki125
mediawiki126
2015-12-23

Ruby developer reports:

There is an unsafe tainted string vulnerability in Fiddle and DL. This issue was originally reported and fixed with CVE-2009-5147 in DL, but reappeared after DL was reimplemented using Fiddle and libffi.

And, about DL, CVE-2009-5147 was fixed at Ruby 1.9.1, but not fixed at other branches, then rubies which bundled DL except Ruby 1.9.1 are still vulnerable.

more...
ruby
2015-12-23

Bugzilla Security Advisory

During the generation of a dependency graph, the code for the HTML image map is generated locally if a local dot installation is used. With escaped HTML characters in a bug summary, it is possible to inject unfiltered HTML code in the map file which the CreateImagemap function generates. This could be used for a cross-site scripting attack.

If an external HTML page contains a