FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  420626
Date:      2016-08-22
Time:      17:20:59Z
Committer: kwm

List all Vulnerabilities, by package

VuXML entries as processed by FreshPorts
DateDecscriptionPort(s)
2016-08-22*

Ricardo Signes reports:

Beginning in PathTools 3.47 and/or perl 5.20.0, the File::Spec::canonpath() routine returned untained strings even if passed tainted input. This defect undermines the guarantee of taint propagation, which is sometimes used to ensure that unvalidated user input does not reach sensitive code.

This defect was found and reported by David Golden of MongoDB.

more...
p5-PathTools
perl5
perl5-devel
perl5.20
perl5.22
2016-08-22*

Jakub Wilk reports:

XSLoader tries to load code from a subdirectory in the cwd when called inside a string eval

more...
p5-XSLoader
perl
perl5
perl5-devel
perl5.18
perl5.20
perl5.22
perl5.24
2016-08-22*

Perl developers report:

In order to prevent an algorithmic complexity attack against its hashing mechanism, perl will sometimes recalculate keys and redistribute the contents of a hash. This mechanism has made perl robust against attacks that have been demonstrated against other systems.

Research by Yves Orton has recently uncovered a flaw in the rehashing code which can result in pathological behavior. This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys.

Because using user-provided strings as hash keys is a very common operation, we urge users of perl to update their perl executable as soon as possible.

more...
perl
perl-threaded
2016-08-22*

Sawyer X reports:

Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

more...
perl
perl5
perl5-devel
perl5.18
perl5.20
perl5.22
perl5.24
2016-08-22*

MITRE reports:

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

more...
perl
perl5
perl5.18
perl5.20
perl5.22
2016-08-22

Felix Riemann reports:

CVE-2016-6855 out-of-bounds write in eog 3.10.2.

more...
eog
2016-08-21

Debian security team reports:

Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. In combination with setuid binaries using crafted cache files, this could allow privilege escalation.

more...
fontconfig
2016-08-19*

These packages have reached End of Life status and/or have been removed from the Ports Tree. They may contain undocumented security issues. Please take caution and find alternative software as soon as possible.

more...
apache13
apache20
apache21
mysql40-client
mysql40-server
mysql41-client
mysql41-server
mysql50-client
mysql50-server
mysql51-client
mysql51-server
perl
perl5
perl5.12
perl5.14
perl5.16
php4
php5
php52
php53
php54
postgresql7-client
postgresql7-server
postgresql71-client
postgresql71-server
postgresql72-client
postgresql72-server
postgresql73-client
postgresql73-server
postgresql74-client
postgresql74-server
postgresql80-client
postgresql80-server
postgresql81-client
postgresql81-server
postgresql82-client
postgresql82-server
postgresql83-client
postgresql83-server
postgresql84-client
postgresql84-server
postgresql90-client
postgresql90-server
python15
python20
python21
python22
python23
python24
python25
python26
python30
python31
python32
ruby
ruby_static
tomcat41
tomcat55
unifi2
unifi3
2016-08-18*

Werner Koch reports:

There was a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions.

more...
gnupg1
libgcrypt
2016-08-17

The phpmyadmin development team reports:

Summary

Weakness with cookie encryption

Description

A pair of vulnerabilities were found affecting the way cookies are stored.

  • The decryption of the username/password is vulnerable to a padding oracle attack. The can allow an attacker who has access to a user's browser cookie file to decrypt the username and password.
  • A vulnerability was found where the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the but the attacker can not directly decode these values from the cookie as it is still hashed.

Severity

We consider this to be critical.

Summary

Multiple XSS vulnerabilities

Description

Multiple vulnerabilities have been discovered in the following areas of phpMyAdmin:

  • Zoom search: Specially crafted column content can be used to trigger an XSS attack
  • GIS editor: Certain fields in the graphical GIS editor at not properly escaped and can be used to trigger an XSS attack
  • Relation view
  • The following Transformations:
    • Formatted
    • Imagelink
    • JPEG: Upload
    • RegexValidation
    • JPEG inline
    • PNG inline
    • transformation wrapper
  • XML export
  • MediaWiki export
  • Designer
  • When the MySQL server is running with a specially-crafted log_bin directive
  • Database tab
  • Replication feature
  • Database search

Severity

We consider these vulnerabilities to be of moderate severity.

Summary

Multiple XSS vulnerabilities

Description

XSS vulnerabilities were discovered in:

  • The database privilege check
  • The "Remove partitioning" functionality

Specially crafted database names can trigger the XSS attack.

Severity

We consider these vulnerabilities to be of moderate severity.

Summary

PHP code injection

Description

A vulnerability was found where a specially crafted database name could be used to run arbitrary PHP commands through the array export feature

Severity

We consider these vulnerabilities to be of moderate severity.

Summary

Full path disclosure

Description

A full path disclosure vulnerability was discovered where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk.

Severity

We consider this vulnerability to be non-critical.

Summary

SQL injection attack

Description

A vulnerability was reported where a specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality.

Severity

We consider this vulnerability to be serious

Summary

Local file exposure

Description

A vulnerability was discovered where a user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system.

Severity

We consider this vulnerability to be serious.

Summary

Local file exposure through symlinks with UploadDir

Description

A vulnerability was found where a user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user.

Severity

We consider this vulnerability to be serious, however due to the mitigation factors the default state is not vulnerable.

Mitigation factor

1) The installation must be run with UploadDir configured (not the default) 2) The user must be able to create a symlink in the UploadDir 3) The user running the phpMyAdmin application must be able to read the file

Summary

Path traversal with SaveDir and UploadDir

Description

A vulnerability was reported with the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system.

Severity

We consider this vulnerability to be serious, however due to the mitigation factors the default state is not vulnerable.

Mitigation factor

1) A system must be configured with the %u username replacement, such as `$cfg['SaveDir'] = 'SaveDir_%u';` 2) The user must be able to create a specially-crafted MySQL user, including the `/.` sequence of characters, such as `/../../`

Summary

Multiple XSS vulnerabilities

Description

Multiple XSS vulnerabilities were found in the following areas:

  • Navigation pane and database/table hiding feature. A specially-crafted database name can be used to trigger an XSS attack.
  • The "Tracking" feature. A specially-crafted query can be used to trigger an XSS attack.
  • GIS visualization feature.

Severity

We consider this vulnerability to be non-critical.

Summary

SQL injection attack

Description

A vulnerability was discovered in the following features where a user can execute an SQL injection attack against the account of the control user: User group Designer

Severity

We consider this vulnerability to be serious.

Mitigation factor

The server must have a control user account created in MySQL and configured in phpMyAdmin; installations without a control user are not vulnerable.

Summary

SQL injection attack

Description

A vulnerability was reported where a specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality.

Severity

We consider this vulnerability to be serious

Summary

Denial of service (DOS) attack in transformation feature

Description

A vulnerability was found in the transformation feature allowing a user to trigger a denial-of-service (DOS) attack against the server.

Severity

We consider this vulnerability to be non-critical

Summary

SQL injection attack as control user

Description

A vulnerability was discovered in the user interface preference feature where a user can execute an SQL injection attack against the account of the control user.

Severity

We consider this vulnerability to be serious.

Mitigation factor

The server must have a control user account created in MySQL and configured in phpMyAdmin; installations without a control user are not vulnerable.

Summary

Unvalidated data passed to unserialize()

Description

A vulnerability was reported where some data is passed to the PHP unserialize() function without verification that it's valid serialized data.

Due to how the PHP function operates,

Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this.

Therefore, a malicious user may be able to manipulate the stored data in a way to exploit this weakness.

Severity

We consider this vulnerability to be moderately severe.

Summary

DOS attack with forced persistent connections

Description

A vulnerability was discovered where an unauthenticated user is able to execute a denial-of-service (DOS) attack by forcing persistent connections when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true;.

Severity

We consider this vulnerability to be critical, although note that phpMyAdmin is not vulnerable by default.

Summary

Denial of service (DOS) attack by for loops

Description

A vulnerability has been reported where a malicious authorized user can cause a denial-of-service (DOS) attack on a server by passing large values to a loop.

Severity

We consider this issue to be of moderate severity.

Summary

IPv6 and proxy server IP-based authentication rule circumvention

Description

A vulnerability was discovered where, under certain circumstances, it may be possible to circumvent the phpMyAdmin IP-based authentication rules.

When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules.

Severity

We consider this vulnerability to be serious

Mitigation factor

* The phpMyAdmin installation must be running with IP-based allow/deny rules * The phpMyAdmin installation must be running behind a proxy server (or proxy servers) where the proxy server is "allowed" and the attacker is "denied" * The connection between the proxy server and phpMyAdmin must be via IPv6

Summary

Detect if user is logged in

Description

A vulnerability was reported where an attacker can determine whether a user is logged in to phpMyAdmin.

The user's session, username, and password are not compromised by this vulnerability.

Severity

We consider this vulnerability to be non-critical.

Summary

Bypass URL redirect protection

Description

A vulnerability was discovered where an attacker could redirect a user to a malicious web page.

Severity

We consider this to be of moderate severity

Summary

Referrer leak in url.php

Description

A vulnerability was discovered where an attacker can determine the phpMyAdmin host location through the file url.php.

Severity

We consider this to be of moderate severity.

Summary

Reflected File Download attack

Description

A vulnerability was discovered where an attacker may be able to trigger a user to download a specially crafted malicious SVG file.

Severity

We consider this issue to be of moderate severity.

Summary

ArbitraryServerRegexp bypass

Description

A vulnerability was reported with the $cfg['ArbitraryServerRegexp'] configuration directive. An attacker could reuse certain cookie values in a way of bypassing the servers defined by ArbitraryServerRegexp.

Severity

We consider this vulnerability to be critical.

Mitigation factor

Only servers using `$cfg['ArbitraryServerRegexp']` are vulnerable to this attack.

Summary

Denial of service (DOS) attack by changing password to a very long string

Description

An authenticated user can trigger a denial-of-service (DOS) attack by entering a very long password at the change password dialog.

Severity

We consider this vulnerability to be serious.

Summary

Remote code execution vulnerability when run as CGI

Description

A vulnerability was discovered where a user can execute a remote code execution attack against a server when phpMyAdmin is being run as a CGI application. Under certain server configurations, a user can pass a query string which is executed as a command-line argument by the file generator_plugin.sh.

Severity

We consider this vulnerability to be critical.

Mitigation factor

The file `/libraries/plugins/transformations/generator_plugin.sh` may be removed. Under certain server configurations, it may be sufficient to remove execute permissions for this file.

Summary

Denial of service (DOS) attack with dbase extension

Description

A flaw was discovered where, under certain conditions, phpMyAdmin may not delete temporary files during the import of ESRI files.

Severity

We consider this vulnerability to be non-critical.

Mitigation factor

This vulnerability only exists when PHP is running with the dbase extension, which is not shipped by default, not available in most Linux distributions, and doesn't compile with PHP7.

Summary

Remote code execution vulnerability when PHP is running with dbase extension

Description

A vulnerability was discovered where phpMyAdmin can be used to trigger a remote code execution attack against certain PHP installations.

Severity

We consider this vulnerability to be critical.

Mitigation factor

This vulnerability only exists when PHP is running with the dbase extension, which is not shipped by default, not available in most Linux distributions, and doesn't compile with PHP7.

more...
phpmyadmin
2016-08-15

Puppet reports:

Puppet Enterprise previously included a puppet-agent MCollective plugin that allowed you to pass the `--server` argument to MCollective. This insecure argument enabled remote code execution via connection to an untrusted host. The puppet-agent MCollective version included in PE 2016.2.1, this option is disabled by default.

more...
mcollective-puppet-agent
2016-08-14

Hanz Jenson audit report:

I found 10 vulnerabilities. Some of these are critical and allow remote code execution. For the average user, that means that these vulnerabilities can be exploited by a malicious attacker in order to take over any Teamspeak server, not only becoming serveradmin, but getting a shell on the affected machine.

more...
teamspeak3-server
2016-08-11

Problem Description:

Due to insufficient validation of the SCTP stream ID, which serves as an array index, a local unprivileged attacker can read or write 16-bits of kernel memory.

Impact:

An unprivileged process can read or modify 16-bits of memory which belongs to the kernel. This smay lead to exposure of sensitive information or allow privilege escalation.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

The input validation of received SCTP RE_CONFIG chunks is insufficient, and can result in a NULL pointer deference later.

Impact:

A remote attacker who can send a malformed SCTP packet to a FreeBSD system that serves SCTP can cause a kernel panic, resulting in a Denial of Service.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

An integer overflow in computing the size of IGMPv3 data buffer can result in a buffer which is too small for the requested operation.

Impact:

An attacker who can send specifically crafted IGMP packets could cause a denial of service situation by causing the kernel to crash.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

The default permission set by bsdinstall(8) installer when configuring full disk encrypted ZFS is too open.

Impact:

A local attacker may be able to get a copy of the geli(8) provider's keyfile which is located at a fixed location.

more...
FreeBSD
2016-08-11

Problem Description:

The Neighbor Discover Protocol allows a local router to advertise a suggested Current Hop Limit value of a link, which will replace Current Hop Limit on an interface connected to the link on the FreeBSD system.

Impact:

When the Current Hop Limit (similar to IPv4's TTL) is small, IPv6 packets may get dropped before they reached their destinations.

By sending specifically crafted Router Advertisement packets, an attacker on the local network can cause the FreeBSD system to lose the ability to communicate with another IPv6 node on a different network.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

TCP connections transitioning to the LAST_ACK state can become permanently stuck due to mishandling of protocol state in certain situations, which in turn can lead to accumulated consumption and eventual exhaustion of system resources, such as mbufs and sockets.

Impact:

An attacker who can repeatedly establish TCP connections to a victim system (for instance, a Web server) could create many TCP connections that are stuck in LAST_ACK state and cause resource exhaustion, resulting in a denial of service condition. This may also happen in normal operation where no intentional attack is conducted, but an attacker who can send specifically crafted packets can trigger this more reliably.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to run commands in addition to the desired SCCS or RCS commands.

Impact:

This issue could be exploited to execute arbitrary commands as the user invoking patch(1) against a specically crafted patch file, which could be leveraged to obtain elevated privileges.

more...
FreeBSD
2016-08-11

Problem Description:

There is a mistake with the introduction of VNET, which converted the global limit on the number of segments that could belong to reassembly queues into a per-VNET limit. Because mbufs are allocated from a global pool, in the presence of a sufficient number of VNETs, the total number of mbufs attached to reassembly queues can grow to the total number of mbufs in the system, at which point all network traffic would cease.

Impact:

An attacker who can establish concurrent TCP connections across a sufficient number of VNETs and manipulate the inbound packet streams such that the maximum number of mbufs are enqueued on each reassembly queue can cause mbuf cluster exhaustion on the target system, resulting in a Denial of Service condition.

As the default per-VNET limit on the number of segments that can belong to reassembly queues is 1/16 of the total number of mbuf clusters in the system, only systems that have 16 or more VNET instances are vulnerable.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to pass certain ed(1) scripts to the ed(1) editor, which would run commands.

Impact:

This issue could be exploited to execute arbitrary commands as the user invoking patch(1) against a specically crafted patch file, which could be leveraged to obtain elevated privileges.

more...
FreeBSD
2016-08-11

Problem Description:

The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network.

Impact:

Upon receipt of a query from a source which is not on a directly connected network, routed(8) will trigger an assertion and terminate. The affected system's routing table will no longer be updated. If the affected system is a router, its routes will eventually expire from other routers' routing tables, and its networks will no longer be reachable unless they are also connected to another router.

more...
FreeBSD
2016-08-11

Problem Description:

Multiple integer overflows have been discovered in the XML_GetBuffer() function in the expat library.

Impact:

The integer overflows may be exploited by using specifically crafted XML data and lead to infinite loop, or a heap buffer overflow, which results in a Denial of Service condition, or enables remote attackers to execute arbitrary code.

more...
FreeBSD
2016-08-11

Problem Description:

If the kernel-mode IRET instruction generates an #SS or #NP exception, but the exception handler does not properly ensure that the right GS register base for kernel is reloaded, the userland GS segment may be used in the context of the kernel exception handler.

Impact:

By causing an IRET with #SS or #NP exceptions, a local attacker can cause the kernel to use an arbitrary GS base, which may allow escalated privileges or panic the system.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

In rpcbind(8), netbuf structures are copied directly, which would result in two netbuf structures that reference to one shared address buffer. When one of the two netbuf structures is freed, access to the other netbuf structure would result in an undefined result that may crash the rpcbind(8) daemon.

Impact:

A remote attacker who can send specifically crafted packets to the rpcbind(8) daemon can cause it to crash, resulting in a denial of service condition.

more...
FreeBSD
2016-08-11

Problem Description:

The bsnmpd(8) daemon is prone to a stack-based buffer-overflow when it has received a specifically crafted GETBULK PDU request.

Impact:

This issue could be exploited to execute arbitrary code in the context of the service daemon, or crash the service daemon, causing a denial-of-service.

more...
FreeBSD
2016-08-11

Problem Description:

The kernel holds a lock over the source directory vnode while trying to convert the target directory file handle to a vnode, which needs to be returned with the lock held, too. This order may be in violation of normal lock order, which in conjunction with other threads that grab locks in the right order, constitutes a deadlock condition because no thread can proceed.

Impact:

An attacker on a trusted client could cause the NFS server become deadlocked, resulting in a denial of service.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

The default devfs rulesets are not loaded on boot, even when jails are used. Device nodes will be created in the jail with their normal default access permissions, while most of them should be hidden and inaccessible.

Impact:

Jailed processes can get access to restricted resources on the host system. For jailed processes running with superuser privileges this implies access to all devices on the system. This level of access could lead to information leakage and privilege escalation.

more...
FreeBSD
2016-08-11

Problem Description:

FreeBSD may add a reassemble queue entry on the stack into the segment list when the reassembly queue reaches its limit. The memory from the stack is undefined after the function returns. Subsequent iterations of the reassembly function will attempt to access this entry.

Impact:

An attacker who can send a series of specifically crafted packets with a connection could cause a denial of service situation by causing the kernel to crash.

Additionally, because the undefined on stack memory may be overwritten by other kernel threads, while extremely difficult, it may be possible for an attacker to construct a carefully crafted attack to obtain portion of kernel memory via a connected socket. This may result in the disclosure of sensitive information such as login credentials, etc. before or even without crashing the system.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

There is a programming error in sendmail(8) that prevented open file descriptors have close-on-exec properly set. Consequently a subprocess will be able to access all open files that the parent process have open.

Impact:

A local user who can execute their own program for mail delivery will be able to interfere with an open SMTP connection.

more...
FreeBSD
2016-08-11

Problem Description:

Due to an overlooked merge to -STABLE branches, the size for page fault kernel trace entries was set incorrectly.

Impact:

A user who can enable kernel process tracing could end up reading the contents of kernel memory.

Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

The OpenPAM library searches for policy definitions in several locations. While doing so, the absence of a policy file is a soft failure (handled by searching in the next location) while the presence of an invalid file is a hard failure (handled by returning an error to the caller).

The policy parser returns the same error code (ENOENT) when a syntactically valid policy references a non-existent module as when the requested policy file does not exist. The search loop regards this as a soft failure and looks for the next similarly-named policy, without discarding the partially-loaded configuration.

A similar issue can arise if a policy contains an include directive that refers to a non-existent policy.

Impact:

If a module is removed, or the name of a module is misspelled in the policy file, the PAM library will proceed with a partially loaded configuration. Depending on the exact circumstances, this may result in a fail-open scenario where users are allowed to log in without a password, or with an incorrect password.

In particular, if a policy references a module installed by a package or port, and that package or port is being reinstalled or upgraded, there is a brief window of time during which the module is absent and policies that use it may fail open. This can be especially damaging to Internet-facing SSH servers, which are regularly subjected to brute-force scans.

more...
FreeBSD
2016-08-11

Problem Description:

A NULL pointer dereference in the initialization code of the HZ module and an out of bounds array access in the initialization code of the VIQR module make iconv_open(3) calls involving HZ or VIQR result in an application crash.

Impact:

Services where an attacker can control the arguments of an iconv_open(3) call can be caused to crash resulting in a denial-of-service. For example, an email encoded in HZ may cause an email delivery service to crash if it converts emails to a more generic encoding like UTF-8 before applying filtering rules.

more...
FreeBSD
2016-08-11

Problem Description:

A specifically crafted Composite Document File (CDF) file can trigger an out-of-bounds read or an invalid pointer dereference. [CVE-2012-1571]

A flaw in regular expression in the awk script detector makes use of multiple wildcards with unlimited repetitions. [CVE-2013-7345]

A malicious input file could trigger infinite recursion in libmagic(3). [CVE-2014-1943]

A specifically crafted Portable Executable (PE) can trigger out-of-bounds read. [CVE-2014-2270]

Impact:

An attacker who can cause file(1) or any other applications using the libmagic(3) library to be run on a maliciously constructed input can the application to crash or consume excessive CPU resources, resulting in a denial-of-service.

more...
FreeBSD
2016-08-11

Problem Description:

Buffer between control message header and data may not be completely initialized before being copied to userland. [CVE-2014-3952]

Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have implicit padding that may not be completely initialized before being copied to userland. In addition, three SCTP notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and SCTP_AUTHENTICATION_EVENT, have padding in the returning data structure that may not be completely initialized before being copied to userland. [CVE-2014-3953]

Impact:

An unprivileged local process may be able to retrieve portion of kernel memory.

For the generic control message, the process may be able to retrieve a maximum of 4 bytes of kernel memory.

For SCTP, the process may be able to retrieve 2 bytes of kernel memory for all three control messages, plus 92 bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the local process is permitted to receive SCTP notification, a maximum of 112 bytes of kernel memory may be returned to userland.

This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

When a segment with the SYN flag for an already existing connection arrives, the TCP stack tears down the connection, bypassing a check that the sequence number in the segment is in the expected window.

Impact:

An attacker who has the ability to spoof IP traffic can tear down a TCP connection by sending only 2 packets, if they know both TCP port numbers. In case one of the two port numbers is unknown, a successful attack requires less than 2**17 packets spoofed, which can be generated within less than a second on a decent connection to the Internet.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

Due to a missing length check in the code that handles DNS parameters, a malformed router advertisement message can result in a stack buffer overflow in rtsold(8).

Impact:

Receipt of a router advertisement message with a malformed DNSSL option, for instance from a compromised host on the same network, can cause rtsold(8) to crash.

While it is theoretically possible to inject code into rtsold(8) through malformed router advertisement messages, it is normally compiled with stack protection enabled, rendering such an attack extremely difficult.

When rtsold(8) crashes, the existing DNS configuration will remain in force, and the kernel will continue to receive and process periodic router advertisements.

more...
FreeBSD
2016-08-11

Problem Description:

The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network.

Impact:

Upon receipt of a query from a source which is not on a directly connected network, routed(8) will trigger an assertion and terminate. The affected system's routing table will no longer be updated. If the affected system is a router, its routes will eventually expire from other routers' routing tables, and its networks will no longer be reachable unless they are also connected to another router.

more...
FreeBSD
2016-08-11

Problem Description:

The namei facility will leak a small amount of kernel memory every time a sandboxed process looks up a nonexistent path name.

Impact:

A remote attacker that can cause a sandboxed process (for instance, a web server) to look up a large number of nonexistent path names can cause memory exhaustion.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

Although OpenSSH is not multithreaded, when OpenSSH is compiled with Kerberos support, the Heimdal libraries bring in the POSIX thread library as a dependency. Due to incorrect library ordering while linking sshd(8), symbols in the C library which are shadowed by the POSIX thread library may not be resolved correctly at run time.

Note that this problem is specific to the FreeBSD build system and does not affect other operating systems or the version of OpenSSH available from the FreeBSD ports tree.

Impact:

An incorrectly linked sshd(8) child process may deadlock while handling an incoming connection. The connection may then time out or be interrupted by the client, leaving the deadlocked sshd(8) child process behind. Eventually, the sshd(8) parent process stops accepting new connections.

An attacker may take advantage of this by repeatedly connecting and then dropping the connection after having begun, but not completed, the authentication process.

more...
FreeBSD
2016-08-11

Problem Description:

When setlogin(2) is called while setting up a new login session, the login name is copied into an uninitialized stack buffer, which is then copied into a buffer of the same size in the session structure. The getlogin(2) system call returns the entire buffer rather than just the portion occupied by the login name associated with the session.

Impact:

An unprivileged user can access this memory by calling getlogin(2) and reading beyond the terminating NUL character of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD 9 and 10) bytes of kernel memory may be leaked in this manner for each invocation of setlogin(2).

This memory may contain sensitive information, such as portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

A malicious HTTP server could cause ftp(1) to execute arbitrary commands.

Impact:

When operating on HTTP URIs, the ftp(1) client follows HTTP redirects, and uses the part of the path after the last '/' from the last resource it accesses as the output filename if '-o' is not specified.

If the output file name provided by the server begins with a pipe ('|'), the output is passed to popen(3), which might be used to execute arbitrary commands on the ftp(1) client machine.

more...
FreeBSD
2016-08-11

Problem Description:

A programming error in the standard I/O library's __sflush() function could erroneously adjust the buffered stream's internal state even when no write actually occurred in the case when write(2) system call returns an error.

Impact:

The accounting mismatch would accumulate, if the caller does not check for stream status and will eventually lead to a heap buffer overflow.

Such overflows may lead to data corruption or the execution of arbitrary code at the privilege level of the calling program.

more...
FreeBSD
2016-08-11

Problem Description:

A lack of proper input checks in the ICMPv6 processing in the SCTP stack can lead to either a failed kernel assertion or to a NULL pointer dereference. In either case, a kernel panic will follow.

Impact:

A remote, unauthenticated attacker can reliably trigger a kernel panic in a vulnerable system running IPv6. Any kernel compiled with both IPv6 and SCTP support is vulnerable. There is no requirement to have an SCTP socket open.

IPv4 ICMP processing is not impacted by this vulnerability.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

A programming error in the handling of Linux futex robust lists may result in incorrect memory locations being accessed.

Impact:

It is possible for a local attacker to read portions of kernel memory, which may result in a privilege escalation.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

A programming error in the Linux compatibility layer setgroups(2) system call can lead to an unexpected results, such as overwriting random kernel memory contents.

Impact:

It is possible for a local attacker to overwrite portions of kernel memory, which may result in a privilege escalation or cause a system panic.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

A programming error in processing a TCP connection with both TCP_MD5SIG and TCP_NOOPT socket options may lead to kernel crash.

Impact:

A local attacker can crash the kernel, resulting in a denial-of-service.

A remote attack is theoretically possible, if server has a listening socket with TCP_NOOPT set, and server is either out of SYN cache entries, or SYN cache is disabled by configuration.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

The SNMP protocol supports an authentication model called USM, which relies on a shared secret. The default permission of the snmpd.configiguration file, /etc/snmpd.config, is weak and does not provide adequate protection against local unprivileged users.

Impact:

A local user may be able to read the shared secret, if configured and used by the system administrator.

more...
FreeBSD
2016-08-11

Problem Description:

A programming error in the Linux compatibility layer could cause the issetugid(2) system call to return incorrect information.

Impact:

If an application relies on output of the issetugid(2) system call and that information is incorrect, this could lead to a privilege escalation.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP3) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN. [CVE-2016-0800]

A double free bug was discovered when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources. This scenario is considered rare. [CVE-2016-0705]

The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases. [CVE-2016-0798]

In the BN_hex2bn function, the number of hex digits is calculated using an int value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values of |i| this can result in |bn_expand| not allocating any memory because |i * 4| is negative. This can leave the internal BIGNUM data field as NULL leading to a subsequent NULL pointer dereference. For very large values of |i|, the calculation |i * 4| could be a positive value smaller than |i|. In this case memory is allocated to the internal BIGNUM data field, but it is insufficiently sized leading to heap corruption. A similar issue exists in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with very large untrusted hex/dec data. This is anticipated to be a rare occurrence. [CVE-2016-0797]

The internal |fmtstr| function used in processing a "%s" formatted string in the BIO_*printf functions could overflow while calculating the length of a string and cause an out-of-bounds read when printing very long strings. [CVE-2016-0799]

A side-channel attack was found which makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA keys. [CVE-2016-0702]

s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If clear-key bytes are present for these ciphers, they displace encrypted-key bytes. [CVE-2016-0703]

s2_srvr.c overwrites the wrong bytes in the master key when applying Bleichenbacher protection for export cipher suites. [CVE-2016-0704]

Impact:

Servers that have SSLv2 protocol enabled are vulnerable to the "DROWN" attack which allows a remote attacker to fast attack many recorded TLS connections made to the server, even when the client did not make any SSLv2 connections themselves.

An attacker who can supply malformed DSA private keys to OpenSSL applications may be able to cause memory corruption which would lead to a Denial of Service condition. [CVE-2016-0705]

An attacker connecting with an invalid username can cause memory leak, which could eventually lead to a Denial of Service condition. [CVE-2016-0798]

An attacker who can inject malformed data into an application may be able to cause memory corruption which would lead to a Denial of Service condition. [CVE-2016-0797, CVE-2016-0799]

A local attacker who has control of code in a thread running on the same hyper-threaded core as the victim thread which is performing decryptions could recover RSA keys. [CVE-2016-0702]

An eavesdropper who can intercept SSLv2 handshake can conduct an efficient divide-and-conquer key recovery attack and use the server as an oracle to determine the SSLv2 master-key, using only 16 connections to the server and negligible computation. [CVE-2016-0703]

An attacker can use the Bleichenbacher oracle, which enables more efficient variant of the DROWN attack. [CVE-2016-0704]

more...
FreeBSD
2016-08-11

Problem Description:

A special combination of sysarch(2) arguments, specify a request to uninstall a set of descriptors from the LDT. The start descriptor is cleared and the number of descriptors are provided. Due to invalid use of a signed intermediate value in the bounds checking during argument validity verification, unbound zero'ing of the process LDT and adjacent memory can be initiated from usermode.

Impact:

This vulnerability could cause the kernel to panic. In addition it is possible to perform a local Denial of Service against the system by unprivileged processes.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

Incorrect signedness comparison in the ioctl(2) handler allows a malicious local user to overwrite a portion of the kernel memory.

Impact:

A local user may crash the kernel, read a portion of kernel memory and execute arbitrary code in kernel context. The result of executing an arbitrary kernel code is privilege escalation.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

Incorrect argument handling in the socket code allows malicious local user to overwrite large portion of the kernel memory.

Impact:

Malicious local user may crash kernel or execute arbitrary code in the kernel, potentially gaining superuser privileges.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

The implementation of the TIOCGSERIAL ioctl(2) does not clear the output struct before copying it out to userland.

The implementation of the Linux sysinfo() system call does not clear the output struct before copying it out to userland.

Impact:

An unprivileged user can read a portion of uninitialised kernel stack data, which may contain sensitive information, such as the stack guard, portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

The implementation of historic stat(2) system call does not clear the output struct before copying it out to userland.

Impact:

An unprivileged user can read a portion of uninitialised kernel stack data, which may contain sensitive information, such as the stack guard, portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.

more...
FreeBSD-kernel
2016-08-11

Problem Description:

Multiple vulnerabilities have been discovered in the NTP suite:

The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that could cause ntpd to crash. [CVE-2016-4957, Reported by Nicolas Edet of Cisco]

An attacker who knows the origin timestamp and can send a spoofed packet containing a CRYPTO-NAK to an ephemeral peer target before any other response is sent can demobilize that association. [CVE-2016-4953, Reported by Miroslav Lichvar of Red Hat]

An attacker who is able to spoof packets with correct origin timestamps from enough servers before the expected response packets arrive at the target machine can affect some peer variables and, for example, cause a false leap indication to be set. [CVE-2016-4954, Reported by Jakub Prokes of Red Hat]

An attacker who is able to spoof a packet with a correct origin timestamp before the expected response packet arrives at the target machine can send a CRYPTO_NAK or a bad MAC and cause the association's peer variables to be cleared. If this can be done often enough, it will prevent that association from working. [CVE-2016-4955, Reported by Miroslav Lichvar of Red Hat]

The fix for NtpBug2978 does not cover broadcast associations, so broadcast clients can be triggered to flip into interleave mode. [CVE-2016-4956, Reported by Miroslav Lichvar of Red Hat.]

Impact:

Malicious remote attackers may be able to break time synchronization, or cause the ntpd(8) daemon to crash.

more...
FreeBSD
2016-08-11

Problem Description:

The implementation of bspatch does not check for a negative value on numbers of bytes read from the diff and extra streams, allowing an attacker who can control the patch file to write at arbitrary locations in the heap.

This issue was first discovered by The Chromium Project and reported independently by Lu Tung-Pin to the FreeBSD project.

Impact:

An attacker who can control the patch file can cause a crash or run arbitrary code under the credentials of the user who runs bspatch, in many cases, root.

more...
FreeBSD
2016-08-11*

lukemftpd(8) is an enhanced BSD FTP server produced within the NetBSD project. The sources for lukemftpd are shipped with some versions of FreeBSD, however it is not built or installed by default. The build system option WANT_LUKEMFTPD must be set to build and install lukemftpd. [NOTE: An exception is FreeBSD 4.7-RELEASE, wherein lukemftpd was installed, but not enabled, by default.]

Przemyslaw Frasunek discovered several vulnerabilities in lukemftpd arising from races in the out-of-band signal handling code used to implement the ABOR command. As a result of these races, the internal state of the FTP server may be manipulated in unexpected ways.

A remote attacker may be able to cause FTP commands to be executed with the privileges of the running lukemftpd process. This may be a low-privilege `ftp' user if the `-r' command line option is specified, or it may be superuser privileges if `-r' is *not* specified.

more...
FreeBSD
lukemftpd
tnftpd
2016-08-11

PostgreSQL project reports:

Security Fixes nested CASE expressions + database and role names with embedded special characters

  • CVE-2016-5423: certain nested CASE expressions can cause the server to crash.
  • CVE-2016-5424: database and role names with embedded special characters can allow code injection during administrative operations like pg_dumpall.
more...
postgresql91-server
postgresql92-server
postgresql93-server
postgresql94-server
postgresql95-server
2016-08-11*

Chad Loder has discovered vulnerabilities in tcpdump's ISAKMP protocol handler. During an audit to repair these issues, Bill Fenner discovered some related problems.

These vulnerabilities may be used by an attacker to crash a running `tcpdump' process. They can only be triggered if the `-v' command line option is being used.

NOTE: the racoon ISAKMP/IKE daemon incorporates the ISAKMP protocol handler from tcpdump, and so is also affected by this issue.

more...
FreeBSD
racoon
tcpdump
2016-08-10

ISC reports:

DNS protocols were designed with the assumption that a certain amount of trust could be presumed between the operators of primary and secondary servers for a given zone. However, in current practice some organizations have scenarios which require them to accept zone data from sources that are not fully trusted (for example: providers of secondary name service). A party who is allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS updates) can overwhelm the server which is accepting data by intentionally or accidentally exhausting that server's memory.

more...
bind9-devel
bind910
bind911
bind99
knot
knot1
knot2
nsd
powerdns
2016-08-09*

OpenSSL reports:

Memory corruption in the ASN.1 encoder

Padding oracle in AES-NI CBC MAC check

EVP_EncodeUpdate overflow

EVP_EncryptUpdate overflow

ASN.1 BIO excessive memory allocation

EBCDIC overread (OpenSSL only)

more...
FreeBSD
libressl
libressl-devel
linux-c6-openssl
openssl
2016-08-09*

The OpenSSL Project reports:

A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected. [CVE-2014-3513].

When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack. [CVE-2014-3567].

OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade.

Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE [CVE-2014-3566].

When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them. [CVE-2014-3568].

more...
FreeBSD
linux-c6-openssl
mingw32-openssl
openssl
2016-08-09*

Problem Description

When verifying a PKCS#1 v1.5 signature, OpenSSL ignores any bytes which follow the cryptographic hash being signed. In a valid signature there will be no such bytes.

Impact

OpenSSL will incorrectly report some invalid signatures as valid. When an RSA public exponent of 3 is used, or more generally when a small public exponent is used with a relatively large modulus (e.g., a public exponent of 17 with a 4096-bit modulus), an attacker can construct a signature which OpenSSL will accept as a valid PKCS#1 v1.5 signature.

Workaround

No workaround is available.

more...
FreeBSD
openssl
2016-08-09

Problem Description:

An integer overflow in computing the size of a temporary buffer can result in a buffer which is too small for the requested operation.

Impact:

An unprivileged process can read or write pages of memory which belong to the kernel. These may lead to exposure of sensitive information or allow privilege escalation.

more...
FreeBSD-kernel
2016-08-09*

Applications that use SSL_MODE_RELEASE_BUFFERS, such as nginx, are prone to a race condition which may allow a remote attacker to inject random data into other connections.

more...
FreeBSD
mingw32-openssl
openssl
2016-08-09*

Problem Description:

The NFS client subsystem fails to correctly validate the length of a parameter provided by the user when a filesystem is mounted.

more...
FreeBSD
2016-08-09*

Problem Description:

Several problems have been found in OpenSSL:

  • During the parsing of certain invalid ASN1 structures an error condition is mishandled, possibly resulting in an infinite loop.
  • A buffer overflow exists in the SSL_get_shared_ciphers function.
  • A NULL pointer may be dereferenced in the SSL version 2 client code.

In addition, many applications using OpenSSL do not perform any validation of the lengths of public keys being used.

Impact:

Servers which parse ASN1 data from untrusted sources may be vulnerable to a denial of service attack.

An attacker accessing a server which uses SSL version 2 may be able to execute arbitrary code with the privileges of that server.

A malicious SSL server can cause clients connecting using SSL version 2 to crash.

Applications which perform public key operations using untrusted keys may be vulnerable to a denial of service attack.

Workaround:

No workaround is available, but not all of the vulnerabilities mentioned affect all applications.

more...
FreeBSD
openssl
2016-08-09*

Unbound developer reports:

The resolver can be tricked into following an endless series of delegations, this consumes a lot of resources.

more...
FreeBSD
unbound
2016-08-09*

Problem Description

Multiple programming errors have been found in gzip which can be triggered when gzip is decompressing files. These errors include insufficient bounds checks in buffer use, a NULL pointer dereference, and a potential infinite loop.

Impact

The insufficient bounds checks in buffer use can cause gzip to crash, and may permit the execution of arbitrary code. The NULL pointer deference can cause gzip to crash. The infinite loop can cause a Denial-of-Service situation where gzip uses all available CPU time.

Workaround

No workaround is available.

more...
FreeBSD
gzip
2016-08-09*

A flaw in a library used by BIND allows an attacker to deliberately cause excessive memory consumption by the named(8) process. This affects both recursive and authoritative servers.

more...
FreeBSD
2016-08-09*

Problem Description:

When decompressing data, the run-length encoded values are not adequately sanity-checked, allowing for an integer overflow.

more...
FreeBSD
2016-08-09*

OpenBSD and David Ramos reports:

Applications that use SSL_MODE_RELEASE_BUFFERS, such as nginx/apache, are prone to a race condition which may allow a remote attacker to crash the current service.

more...
FreeBSD
openssl
2016-08-09*

Problem Description

Two problems have been discovered relating to the extraction of bzip2-compressed files. First, a carefully constructed invalid bzip2 archive can cause bzip2 to enter an infinite loop. Second, when creating a new file, bzip2 closes the file before setting its permissions.

Impact

The first problem can cause bzip2 to extract a bzip2 archive to an infinitely large file. If bzip2 is used in automated processing of untrusted files this could be exploited by an attacker to create an denial-of-service situation by exhausting disk space or by consuming all available cpu time.

The second problem can allow a local attacker to change the permissions of local files owned by the user executing bzip2 providing that they have write access to the directory in which the file is being extracted.

Workaround

Do not uncompress bzip2 archives from untrusted sources and do not uncompress files in directories where untrusted users have write access.

more...
bzip2
FreeBSD
2016-08-09*

ISC reports:

A BIND 9 DNS server set up to be a caching resolver is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache a response. This can cause the BIND 9 DNS server (named process) to crash.

more...
bind9-sdb-ldap
bind9-sdb-postgresql
bind96
bind97
bind98
FreeBSD
2016-08-09*

Problem Description

On "7th generation" and "8th generation" processors manufactured by AMD, including the AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, and Sempron, the fxsave and fxrstor instructions do not save and restore the FOP, FIP, and FDP registers unless the exception summary bit (ES) in the x87 status word is set to 1, indicating that an unmasked x87 exception has occurred.

This behaviour is consistent with documentation provided by AMD, but is different from processors from other vendors, which save and restore the FOP, FIP, and FDP registers regardless of the value of the ES bit. As a result of this discrepancy remaining unnoticed until now, the FreeBSD kernel does not restore the contents of the FOP, FIP, and FDP registers between context switches.

Impact

On affected processors, a local attacker can monitor the execution path of a process which uses floating-point operations. This may allow an attacker to steal cryptographic keys or other sensitive information.

Workaround

No workaround is available, but systems which do not use AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, or Sempron processors are not vulnerable.

more...
FreeBSD
2016-08-09*

Problem Description

There is no mechanism for preventing IPv6 routing headers from being used to route packets over the same link(s) many times.

Impact

An attacker can "amplify" a denial of service attack against a link between two vulnerable hosts; that is, by sending a small volume of traffic the attacker can consume a much larger amount of bandwidth between the two vulnerable hosts.

An attacker can use vulnerable hosts to "concentrate" a denial of service attack against a victim host or network; that is, a set of packets sent over a period of 30 seconds or more could be constructed such that they all arrive at the victim within a period of 1 second or less over a period of 30 seconds or more could be constructed such that they all arrive at the victim within a period of 1 second or less.

Other attacks may also be possible.

Workaround

No workaround is available.

more...
FreeBSD
2016-08-09

Piwik reports:

We have identified and fixed several XSS security issues in this release.

more...
piwik
2016-08-09*

OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable. Local attackers may be able to write arbitrary messages to logged-in users, including terminal escape sequences. Reported by Nikolay Edigaryev.

Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users.

Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution.

more...
FreeBSD
openssh-portable
2016-08-09*

Problem Description:

An un-checked return value in the BGP dissector code can result in an integer overflow. This value is used in subsequent buffer management operations, resulting in a stack based buffer overflow under certain circumstances.

Impact:

By crafting malicious BGP packets, an attacker could exploit this vulnerability to execute code or crash the tcpdump process on the target system. This code would be executed in the context of the user running tcpdump(1). It should be noted that tcpdump(1) requires privileges in order to open live network interfaces.

Workaround:

No workaround is available.

more...
FreeBSD
tcpdump
2016-08-09*

Problem Description:

In case of an incoming ICMPv6 'Packet Too Big Message', there is an insufficient check on the proposed new MTU for a path to the destination.

Impact:

When the kernel is configured to process IPv6 packets and has active IPv6 TCP sockets, a specifically crafted ICMPv6 'Packet Too Big Message' could cause the TCP stack of the kernel to panic.

Workaround:

Systems without INET6 / IPv6 support are not vulnerable and neither are systems which do not listen on any IPv6 TCP sockets and have no active IPv6 connections.

Filter ICMPv6 'Packet Too Big Messages' using a firewall, but this will at the same time break PMTU support for IPv6 connections.

more...
FreeBSD
2016-08-09*

OpenSSL project reports:

  1. Historically OpenSSL only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe" then an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. For example this could be used to discover a TLS server's private DH exponent if it's reusing the private DH exponent or it's using a static DH ciphersuite. OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk. (CVE-2016-0701)
  2. A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2. (CVE-2015-3197)
more...
FreeBSD
mingw32-openssl
openssl
2016-08-09*

Problem description:

GLOB_LIMIT is supposed to limit the number of paths to prevent against memory or CPU attacks. The implementation however is insufficient.

more...
FreeBSD
2016-08-09*

Problem Description:

A type * (ANY) query response containing multiple RRsets can trigger an assertion failure.

Certain recursive queries can cause the nameserver to crash by using memory which has already been freed.

Impact:

A remote attacker sending a type * (ANY) query to an authoritative DNS server for a DNSSEC signed zone can cause the named(8) daemon to exit, resulting in a Denial of Service.

A remote attacker sending recursive queries can cause the nameserver to crash, resulting in a Denial of Service.

Workaround:

There is no workaround available, but systems which are not authoritative servers for DNSSEC signed zones are not affected by the first issue; and systems which do not permit untrusted users to perform recursive DNS resolution are not affected by the second issue. Note that the default configuration for named(8) in FreeBSD allows local access only (which on many systems is equivalent to refusing access to untrusted users).

more...
FreeBSD
named
2016-08-09*

ntp.org reports:

Unrestricted access to the monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013

Use noquery to your default restrictions to block all status queries.

Use disable monitor to disable the ``ntpdc -c monlist'' command while still allowing other status queries.

more...
FreeBSD
ntp
2016-08-09*

Problem Description:

When named(8) is operating as a recursive DNS server or sending NOTIFY requests to slave DNS servers, named(8) uses a predictable query id.

Impact:

An attacker who can see the query id for some request(s) sent by named(8) is likely to be able to perform DNS cache poisoning by predicting the query id for other request(s).

Workaround:

No workaround is available.

more...
FreeBSD
named
2016-08-09*

Problem Description

Two problems have been discovered in the FreeBSD TCP stack.

First, when a TCP packets containing a timestamp is received, inadequate checking of sequence numbers is performed, allowing an attacker to artificially increase the internal "recent" timestamp for a connection.

Second, a TCP packet with the SYN flag set is accepted for established connections, allowing an attacker to overwrite certain TCP options.

Impact

Using either of the two problems an attacker with knowledge of the local and remote IP and port numbers associated with a connection can cause a denial of service situation by stalling the TCP connection. The stalled TCP connection my be closed after some time by the other host.

Workaround

In some cases it may be possible to defend against these attacks by blocking the attack packets using a firewall. Packets used to effect either of these attacks would have spoofed source IP addresses.

more...
FreeBSD
2016-08-09*

Problem Description:

The SSL version 3 and TLS protocols support session renegotiation without cryptographically tying the new session parameters to the old parameters.

more...
FreeBSD
2016-08-09*

Problem Description:

Symlinks created using the "GNUTYPE_NAMES" tar extension can be absolute due to lack of proper sanity checks.

Impact:

If an attacker can get a user to extract a specially crafted tar archive the attacker can overwrite arbitrary files with the permissions of the user running gtar. If file system permissions allow it, this may allow the attacker to overwrite important system file (if gtar is being run as root), or important user configuration files such as .tcshrc or .bashrc, which would allow the attacker to run arbitrary commands.

Workaround:

Use "bsdtar", which is the default tar implementation in FreeBSD 5.3 and higher. For FreeBSD 4.x, bsdtar is available in the FreeBSD Ports Collection as ports/archivers/libarchive.

more...
FreeBSD
2016-08-09*

Problem Description:

In multiple situations the host's jail rc.d(8) script does not check if a path inside the jail file system structure is a symbolic link before using the path. In particular this is the case when writing the output from the jail start-up to /var/log/console.log and when mounting and unmounting file systems inside the jail directory structure.

Impact:

Due to the lack of handling of potential symbolic links the host's jail rc.d(8) script is vulnerable to "symlink attacks". By replacing /var/log/console.log inside the jail with a symbolic link it is possible for the superuser (root) inside the jail to overwrite files on the host system outside the jail with arbitrary content. This in turn can be used to execute arbitrary commands with non-jailed superuser privileges.

Similarly, by changing directory mount points inside the jail file system structure into symbolic links, it may be possible for a jailed attacker to mount file systems which were meant to be mounted inside the jail at arbitrary points in the host file system structure, or to unmount arbitrary file systems on the host system.

NOTE WELL: The above vulnerabilities occur only when a jail is being started or stopped using the host's jail rc.d(8) script; once started (and until stopped), running jails cannot exploit this.

Workaround:

If the sysctl(8) variable security.jail.chflags_allowed is set to 0 (the default), setting the "sunlnk" system flag on /var, /var/log, /var/log/console.log, and all file system mount points and their parent directories inside the jail(s) will ensure that the console log file and mount points are not replaced by symbolic links. If this is done while jails are running, the administrator must check that an attacker has not replaced any directories with symlinks after setting the "sunlnk" flag.

more...
FreeBSD
2016-08-09*

Problem Description:

If ntpd receives a mode 7 (MODE_PRIVATE) request or error response from a source address not listed in either a 'restrict ... noquery' or a 'restrict ... ignore' section it will log the even and send a mode 7 error response.

more...
FreeBSD
2016-08-09*

OpenSSL project reports:

  1. BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
  2. Certificate verify crash with missing PSS parameter (CVE-2015-3194)
  3. X509_ATTRIBUTE memory leak (CVE-2015-3195)
  4. Race condition handling PSK identify hint (CVE-2015-3196)
  5. Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)
more...
FreeBSD
linux-c6-openssl
mingw32-openssl
openssl
2016-08-09*

Problem Description:

As is commonly the case, the IPv6 and ATM network layer ioctl request handlers are written in such a way that an unrecognized request is passed on unmodified to the link layer, which will either handle it or return an error code.

Network interface drivers, however, assume that the SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK requests have been handled at the network layer, and therefore do not perform input validation or verify the caller's credentials. Typical link-layer actions for these requests may include marking the interface as "up" and resetting the underlying hardware.

Impact:

An unprivileged user with the ability to run arbitrary code can cause any network interface in the system to perform the link layer actions associated with a SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR or SIOCSIFNETMASK ioctl request; or trigger a kernel panic by passing a specially crafted address structure which causes a network interface driver to dereference an invalid pointer.

Although this has not been confirmed, the possibility that an attacker may be able to execute arbitrary code in kernel context can not be ruled out.

more...
FreeBSD
2016-08-09*

OpenSSL project reports:

DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)

DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)

no-ssl3 configuration sets method to NULL (CVE-2014-3569)

ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)

RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)

DH client certificates accepted without verification [Server] (CVE-2015-0205)

Certificate fingerprints can be modified (CVE-2014-8275)

Bignum squaring may produce incorrect results (CVE-2014-3570)

more...
FreeBSD
linux-c6-openssl
mingw32-openssl
openssl
2016-08-09*

Network Time Foundation reports:

NTF's NTP Project has been notified of the following 1 medium-severity vulnerability that is fixed in ntp-4.2.8p5, released on Thursday, 7 January 2016:

NtpBug2956: Small-step/Big-step CVE-2015-5300

more...
FreeBSD
ntp
ntp-devel
2016-08-09*

Problem Description:

Due to the interaction between devfs and VFS, a race condition exists where the kernel might dereference a NULL pointer.

Impact:

Successful exploitation of the race condition can lead to local kernel privilege escalation, kernel data corruption and/or crash.

To exploit this vulnerability, an attacker must be able to run code with user privileges on the target system.

Workaround:

An errata note, FreeBSD-EN-09:05.null has been released simultaneously to this advisory, and contains a kernel patch implementing a workaround for a more broad class of vulnerabilities. However, prior to those changes, no workaround is available.

more...
FreeBSD
2016-08-09*

Network Time Foundation reports:

NTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p6, released on Tuesday, 19 January 2016:

  • Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported by Cisco ASIG.
  • Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass. Reported by Cisco ASIG.
  • Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. Reported by Cisco ASIG.
  • Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list. Reported by Cisco ASIG.
  • Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported by Cisco ASIG.
  • Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames. Reported by Cisco ASIG.
  • Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported by Cisco ASIG.
  • Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers. Reported by Cisco ASIG.
  • Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode. Reported by Cisco ASIG.

Additionally, mitigations are published for the following two issues:

  • Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks. Reported by Cisco ASIG.
  • Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. Reported by Cisco ASIG.
more...
FreeBSD
ntp
ntp-devel
2016-08-09*

Problem description:

A logic bug in pf's IP fragment cache may result in a packet fragment being inserted twice, violating a kernel invariant.

Impact:

By sending carefully crafted sequence of IP packet fragments, a remote attacker can cause a system running pf with a ruleset containing a 'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash.

Workaround:

Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl' rules on systems running pf. In most cases, such rules can be replaced by 'scrub fragment reassemble' rules; see the pf.conf(5) manual page for more details.

Systems which do not use pf, or use pf but do not use the aforementioned rules, are not affected by this issue.

more...
FreeBSD
2016-08-09*

Problem Description:

When the arc4random(9) random number generator is initialized, there may be inadequate entropy to meet the needs of kernel systems which rely on arc4random(9); and it may take up to 5 minutes before arc4random(9) is reseeded with secure entropy from the Yarrow random number generator.

Impact:

All security-related kernel subsystems that rely on a quality random number generator are subject to a wide range of possible attacks for the 300 seconds after boot or until 64k of random data is consumed. The list includes:

* GEOM ELI providers with onetime keys. When a provider is configured in a way so that it gets attached at the same time during boot (e.g. it uses the rc subsystem to initialize) it might be possible for an attacker to recover the encrypted data.

* GEOM shsec providers. The GEOM shsec subsytem is used to split a shared secret between two providers so that it can be recovered when both of them are present. This is done by writing the random sequence to one of providers while appending the result of the random sequence on the other host to the original data. If the provider was created within the first 300 seconds after booting, it might be possible for an attacker to extract the original data with access to only one of the two providers between which the secret data is split.

* System processes started early after boot may receive predictable IDs.

* The 802.11 network stack uses arc4random(9) to generate initial vectors (IV) for WEP encryption when operating in client mode and WEP authentication challenges when operating in hostap mode, which may be insecure.

* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality random number generator to produce unpredictable IP packet identifiers, initial TCP sequence numbers and outgoing port numbers. During the first 300 seconds after booting, it may be easier for an attacker to execute IP session hijacking, OS fingerprinting, idle scanning, or in some cases DNS cache poisoning and blind TCP data injection attacks.

* The kernel RPC code uses arc4random(9) to retrieve transaction identifiers, which might make RPC clients vulnerable to hijacking attacks.

Workaround:

No workaround is available for affected systems.

more...
FreeBSD
2016-08-09*

ISC reports:

When configured to perform DNSSEC validation, named can crash when encountering a rare set of conditions in the managed trust anchors.

more...
bind910
bind910-base
bind99
bind99-base
FreeBSD
2016-08-09*

OpenSSL development team reports:

Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]:

  • Fix for TLS record tampering bug [CVE-2013-4353]
  • Fix for TLS version checking bug [CVE-2013-6449]
  • Fix for DTLS retransmission bug [CVE-2013-6450]
more...
openssl
2016-08-09*

It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks.

more...
FreeBSD
openssh-portable
2016-08-09*

Problem Description:

In the FW_GCROM ioctl, a signed integer comparison is used instead of an unsigned integer comparison when computing the length of a buffer to be copied from the kernel into the calling application.

Impact:

A user in the "operator" group can read the contents of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.

Workaround:

No workaround is available, but systems without IEEE 1394 ("FireWire") interfaces are not vulnerable. (Note that systems with IEEE 1394 interfaces are affected regardless of whether any devices are attached.)

Note also that FreeBSD does not have any non-root users in the "operator" group by default; systems on which no users have been added to this group are therefore also not vulnerable.

more...
FreeBSD
2016-08-09*

Problem description:

A part of the NFS server code charged with handling incoming RPC messages via TCP had an error which, when the server received a message with a zero-length payload, would cause a NULL pointer dereference which results in a kernel panic. The kernel will only process the RPC messages if a userland nfsd daemon is running.

Impact:

The NULL pointer deference allows a remote attacker capable of sending RPC messages to an affected FreeBSD system to crash the FreeBSD system.

Workaround:

  1. Disable the NFS server: set the nfs_server_enable variable to "NO" in /etc/rc.conf, and reboot.

    Alternatively, if there are no active NFS clients (as listed by the showmount(8) utility), simply killing the mountd and nfsd processes should suffice.

  2. Add firewall rules to block RPC traffic to the NFS server from untrusted hosts.

more...
FreeBSD
2016-08-09*

Problem Description:

The BIND DNS implementation does not randomize the UDP source port when doing remote queries, and the query id alone does not provide adequate randomization.

Impact:

The lack of source port randomization reduces the amount of data the attacker needs to guess in order to successfully execute a DNS cache poisoning attack. This allows the attacker to influence or control the results of DNS queries being returned to users from target systems.

Workaround:

Limiting the group of machines that can do recursive queries on the DNS server will make it more difficult, but not impossible, for this vulnerability to be exploited.

To limit the machines able to perform recursive queries, add an ACL in named.conf and limit recursion like the following:

acl example-acl {
   192.0.2.0/24;
};
options {
	recursion yes;
	allow-recursion { example-acl; };
};
more...
FreeBSD
2016-08-09*

A flaw in the OpenSSL handling of OCSP response verification could be exploited to cause a denial of service attack.

OpenSSL has a weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS. The weakness could reveal plaintext in a timing attack.

more...
FreeBSD
2016-08-09*

Problem description:

Because OpenSSH and OpenPAM have conflicting designs (one is event- driven while the other is callback-driven), it is necessary for OpenSSH to fork a child process to handle calls to the PAM framework. However, if the unprivileged child terminates while PAM authentication is under way, the parent process incorrectly believes that the PAM child also terminated. The parent process then terminates, and the PAM child is left behind.

Due to the way OpenSSH performs internal accounting, these orphaned PAM children are counted as pending connections by the master OpenSSH server process. Once a certain number of orphans has accumulated, the master decides that it is overloaded and stops accepting client connections.

Impact:

By repeatedly connecting to a vulnerable server, waiting for a password prompt, and closing the connection, an attacker can cause OpenSSH to stop accepting client connections until the system restarts or an administrator manually kills the orphaned PAM processes.

Workaround:

The following command will show a list of orphaned PAM processes:

# pgrep -lf 'sshd.*\[pam\]'

The following command will kill orphaned PAM processes:

# pkill -f 'sshd.*\[pam\]'

To prevent OpenSSH from leaving orphaned PAM processes behind, perform one of the following:

  1. Disable PAM authentication in OpenSSH. Users will still be able to log in using their Unix password, OPIE or SSH keys.

    To do this, execute the following commands as root:

    # echo 'UsePAM no' >>/etc/ssh/sshd_config
    # echo 'PasswordAuthentication yes' >>/etc/ssh/sshd_config
    # /etc/rc.d/sshd restart
  2. If disabling PAM is not an option - if, for instance, you use RADIUS authentication, or store user passwords in an SQL database - you may instead disable privilege separation. However, this may leave OpenSSH vulnerable to hitherto unknown bugs, and should be considered a last resort.

    To do this, execute the following commands as root:

    # echo 'UsePrivilegeSeparation no' >>/etc/ssh/sshd_config
    # /etc/rc.d/sshd restart
more...
FreeBSD
2016-08-09*

Problem Description

IPv6 routers may allow "on-link" IPv6 nodes to create and update the router's neighbor cache and forwarding information. A malicious IPv6 node sharing a common router but on a different physical segment from another node may be able to spoof Neighbor Discovery messages, allowing it to update router information for the victim node.

Impact:

An attacker on a different physical network connected to the same IPv6 router as another node could redirect IPv6 traffic intended for that node. This could lead to denial of service or improper access to private network traffic.

Workaround:

Firewall packet filters can be used to filter incoming Neighbor Solicitation messages but may interfere with normal IPv6 operation if not configured carefully.

Reverse path forwarding checks could be used to make gateways, such as routers or firewalls, drop Neighbor Solicitation messages from nodes with unexpected source addresses on a particular interface.

IPv6 router administrators are encouraged to read RFC 3756 for further discussion of Neighbor Discovery security implications.

more...
FreeBSD
2016-08-09*

Problem Description:

If a General Protection Fault happens on a FreeBSD/amd64 system while it is returning from an interrupt, trap or system call, the swapgs CPU instruction may be called one extra time when it should not resulting in userland and kernel state being mixed.

Impact:

A local attacker can by causing a General Protection Fault while the kernel is returning from an interrupt, trap or system call while manipulating stack frames and, run arbitrary code with kernel privileges.

The vulnerability can be used to gain kernel / supervisor privilege. This can for example be used by normal users to gain root privileges, to break out of jails, or bypass Mandatory Access Control (MAC) restrictions.

Workaround:

No workaround is available, but only systems running the 64 bit FreeBSD/amd64 kernels are vulnerable.

Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386 kernel are not vulnerable.

more...
FreeBSD
2016-08-09*

Problem Description:

When downloading updates to FreeBSD via 'freebsd-update fetch' or 'freebsd-update upgrade', the freebsd-update(8) utility copies currently installed files into its working directory (/var/db/freebsd-update by default) both for the purpose of merging changes to configuration files and in order to be able to roll back installed updates.

The default working directory used by freebsd-update(8) is normally created during the installation of FreeBSD with permissions which allow all local users to see its contents, and freebsd-update(8) does not take any steps to restrict access to files stored in said directory.

more...
FreeBSD
2016-08-09*

ISC reports:

An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit.

more...
bind910
bind910-base
bind99
bind99-base
FreeBSD
2016-08-09*

Problem Description:

A programming error in the OPIE library could allow an off-by-one buffer overflow to write a single zero byte beyond the end of an on-stack buffer.

more...
FreeBSD
2016-08-09*

ISC reports:

A specially crafted query that includes malformed rdata can cause named to terminate with an assertion failure while rejecting the malformed query.

more...
bind98
bind98-base
bind99
bind99-base
FreeBSD
2016-08-09*

Problem Description:

The read-only flag is not correctly copied when a mbuf buffer reference is duplicated. When the sendfile(2) system call is used to transmit data over the loopback interface, this can result in the backing pages for the transmitted file being modified, causing data corruption.

more...
FreeBSD
2016-08-09*

Problem description:

A buffer allocated from the kernel stack may not be completely initialized before being copied to userland. [CVE-2006-0379]

A logic error in computing a buffer length may allow too much data to be copied into userland. [CVE-2006-0380]

Impact:

Portions of kernel memory may be disclosed to local users. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password.

Workaround:

No workaround is available.

more...
FreeBSD
2016-08-09*

MITRE reports:

Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.

Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive.

Libarchive issue tracker reports:

Using a crafted tar file bsdtar can perform an out-of-bounds memory read which will lead to a SEGFAULT. The issue exists when the executable skips data in the archive. The amount of data to skip is defined in byte offset [16-19] If ASLR is disabled, the issue can lead to an infinite loop.

more...
FreeBSD
libarchive
2016-08-09*

Problem Description:

Various user defined input such as mount points, devices, and mount options are prepared and passed as arguments to nmount(2) into the kernel. Under certain error conditions, user defined data will be copied into a stack allocated buffer stored in the kernel without sufficient bounds checking.

Impact:

If the system is configured to allow unprivileged users to mount file systems, it is possible for a local adversary to exploit this vulnerability and execute code in the context of the kernel.

Workaround:

It is possible to work around this issue by allowing only privileged users to mount file systems by running the following sysctl(8) command:

# sysctl vfs.usermount=0
more...
FreeBSD
2016-08-09*

The OpenSSL team reports:

  • Missing DHE man-in-the-middle protection (Logjam) (CVE-2015-4000)
  • Malformed ECParameters causes infinite loop (CVE-2015-1788)
  • Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
  • iPKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
  • CMS verify infinite loop with unknown hash function (CVE-2015-1792)
  • Race condition handling NewSessionTicket (CVE-2015-1791)
  • Invalid free in DTLS (CVE-2014-8176)
more...
FreeBSD
libressl
linux-c6-openssl
mingw32-openssl
openssl
2016-08-09*

The OpenSSL Project reports:

A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. [CVE-2014-3508]

The issue affects OpenSSL clients and allows a malicious server to crash the client with a null pointer dereference (read) by specifying an SRP ciphersuite even though it was not properly negotiated with the client. [CVE-2014-5139]

If a multithreaded client connects to a malicious server using a resumed session and the server sends an ec point format extension it could write up to 255 bytes to freed memory. [CVE-2014-3509]

An attacker can force an error condition which causes openssl to crash whilst processing DTLS packets due to memory being freed twice. This can be exploited through a Denial of Service attack. [CVE-2014-3505]

An attacker can force openssl to consume large amounts of memory whilst processing DTLS handshake messages. This can be exploited through a Denial of Service attack. [CVE-2014-3506]

By sending carefully crafted DTLS packets an attacker could cause openssl to leak memory. This can be exploited through a Denial of Service attack. [CVE-2014-3507]

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. A malicious server can crash the client with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages. [CVE-2014-3510]

A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented. This allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher protocol version, by modifying the client's TLS records. [CVE-2014-3511]

A malicious client or server can send invalid SRP parameters and overrun an internal buffer. Only applications which are explicitly set up for SRP use are affected. [CVE-2014-3512]

more...
FreeBSD
mingw32-openssl
openssl
2016-08-09*

Problem Description:

When writing data into a buffer in the file_printf function, the length of the unused portion of the buffer is not correctly tracked, resulting in a buffer overflow when processing certain files.

Impact:

An attacker who can cause file(1) to be run on a maliciously constructed input can cause file(1) to crash. It may be possible for such an attacker to execute arbitrary code with the privileges of the user running file(1).

The above also applies to any other applications using the libmagic(3) library.

Workaround:

No workaround is available, but systems where file(1) and other libmagic(3)-using applications are never run on untrusted input are not vulnerable.

more...
file
FreeBSD
2016-08-09*

Problem Description

A race condition exists in the pipe close() code relating to kqueues, causing use-after-free for kernel memory, which may lead to an exploitable NULL pointer vulnerability in the kernel, kernel memory corruption, and other unpredictable results.

Impact:

Successful exploitation of the race condition can lead to local kernel privilege escalation, kernel data corruption and/or crash.

To exploit this vulnerability, an attacker must be able to run code on the target system.

Workaround

An errata notice, FreeBSD-EN-09:05.null has been released simultaneously to this advisory, and contains a kernel patch implementing a workaround for a more broad class of vulnerabilities. However, prior to those changes, no workaround is available.

more...
FreeBSD
2016-08-09*

Problem Description:

When replaying setattr transaction, the replay code would set the attributes with certain insecure defaults, when the logged transaction did not touch these attributes.

more...
FreeBSD
2016-08-09*

OpenSSL project reports:

  • Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204). OpenSSL only.
  • Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
  • ASN.1 structure reuse memory corruption (CVE-2015-0287)
  • PKCS7 NULL pointer dereferences (CVE-2015-0289)
  • Base64 decode (CVE-2015-0292). OpenSSL only.
  • DoS via reachable assert in SSLv2 servers (CVE-2015-0293). OpenSSL only.
  • Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
  • X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
more...
FreeBSD
libressl
linux-c6-openssl
mingw32-openssl
openssl
2016-08-09*

ISC reports:

Named is potentially vulnerable to the OpenSSL vulnerabilty described in CVE-2015-3193.

Incorrect reference counting could result in an INSIST failure if a socket error occurred while performing a lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]

Insufficient testing when parsing a message allowed records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. This flaw is disclosed in CVE-2015-8000. [RT #40987]

more...
bind9-devel
bind910
bind99
FreeBSD
2016-08-09*

ISC reports:

We have today posted updated versions of 9.9.6 and 9.10.1 to address a significant security vulnerability in DNS resolution. The flaw was discovered by Florian Maury of ANSSI, and applies to any recursive resolver that does not support a limit on the number of recursions. [CERTFR-2014-AVI-512], [USCERT VU#264212]

A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. For more information, see the security advisory at https://kb.isc.org/article/AA-01216/. [CVE-2014-8500] [RT #37580]

In addition, we have also corrected a potential security vulnerability in the GeoIP feature in the 9.10.1 release only. For more information on this issue, see the security advisory at https://kb.isc.org/article/AA-01217. [CVE-2014-8680]

more...
bind96
bind96-base
bind98
bind98-base
bind99
bind99-base
FreeBSD
2016-08-09*

Due to insufficient permission checks in the virtual memory system, a tracing process (such as a debugger) may be able to modify portions of the traced process's address space to which the traced process itself does not have write access.

more...
FreeBSD
2016-08-09*

Problem Description:

When running setuid programs rtld will normally remove potentially dangerous environment variables. Due to recent changes in FreeBSD environment variable handling code, a corrupt environment may result in attempts to unset environment variables failing.

more...
FreeBSD
2016-08-09*

Network Time Foundation reports:

NTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p7, released on Tuesday, 26 April 2016:

  • Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering. Reported by Matt Street and others of Cisco ASIG
  • Bug 3012 / CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY. Reported by Matthew Van Gundy of Cisco ASIG
  • Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
  • Bug 3010 / CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
  • Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
  • Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always checked. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
  • Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos. Reported by Stephen Gray and Matthew Van Gundy of Cisco ASIG
  • Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY. Reported by Miroslav Lichvar of RedHat and separately by Jonathan Gardner of Cisco ASIG.
  • Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken. Reported by Michael Tatarinov, NTP Project Developer Volunteer
  • Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks. Reported by Jonathan Gardner of Cisco ASIG
  • Bug 2879 / CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing. Reported independently by Loganaden Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
more...
FreeBSD
ntp
ntp-devel
2016-08-09*

ISC reports:

Specific APL data could trigger an INSIST in apl_42.c

more...
bind910
bind99
FreeBSD
2016-08-09*

Problem Description:

The nullfs(5) implementation of the VOP_LINK(9) VFS operation does not check whether the source and target of the link are both in the same nullfs instance. It is therefore possible to create a hardlink from a location in one nullfs instance to a file in another, as long as the underlying (source) filesystem is the same.

Impact:

If multiple nullfs views into the same filesystem are mounted in different locations, a user with read access to one of these views and write access to another will be able to create a hard link from the latter to a file in the former, even though they are, from the user's perspective, different filesystems. The user may thereby gain write access to files which are nominally on a read-only filesystem.

more...
FreeBSD
2016-08-09*

ntp.org reports:

NTF's NTP Project has been notified of the following 13 low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p4, released on Wednesday, 21 October 2015:

  • Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association authentication bypass via crypto-NAK (Cisco ASIG)
  • Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (IDA)
  • Bug 2921 CVE-2015-7854 Password Length Memory Corruption Vulnerability. (Cisco TALOS)
  • Bug 2920 CVE-2015-7853 Invalid length data provided by a custom refclock driver could cause a buffer overflow. (Cisco TALOS)
  • Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability. (Cisco TALOS)
  • Bug 2918 CVE-2015-7851 saveconfig Directory Traversal Vulnerability. (OpenVMS) (Cisco TALOS)
  • Bug 2917 CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS)
  • Bug 2916 CVE-2015-7849 trusted key use-after-free. (Cisco TALOS)
  • Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS)
  • Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable)
  • Bug 2902 : CVE-2015-7703 configuration directives "pidfile" and "driftfile" should only be allowed locally. (RedHat)
  • Bug 2901 : CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field. (Boston University)
  • Bug 2899 : CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks. (Tenable)

The only generally-exploitable bug in the above list is the crypto-NAK bug, which has a CVSS2 score of 6.4.

Additionally, three bugs that have already been fixed in ntp-4.2.8 but were not fixed in ntp-4.2.6 as it was EOL'd have a security component, but are all below 1.8 CVSS score, so we're reporting them here:

  • Bug 2382 : Peer precision < -31 gives division by zero
  • Bug 1774 : Segfaults if cryptostats enabled when built without OpenSSL
  • Bug 1593 : ntpd abort in free() with logconfig syntax error
more...
FreeBSD
ntp
ntp-devel
2016-08-09*

Problem Description:

Some function pointers for netgraph and bluetooth sockets are not properly initialized.

Impact:

A local user can cause the FreeBSD kernel to execute arbitrary code. This could be used by an attacker directly; or it could be used to gain root privilege or to escape from a jail.

Workaround:

No workaround is available, but systems without local untrusted users are not vulnerable. Furthermore, systems are not vulnerable if they have neither the ng_socket nor ng_bluetooth kernel modules loaded or compiled into the kernel.

Systems with the security.jail.socket_unixiproute_only sysctl set to 1 (the default) are only vulnerable if they have local untrusted users outside of jails.

If the command

# kldstat -v | grep ng_

produces no output, the system is not vulnerable.

more...
FreeBSD
2016-08-09*

ISC reports:

An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c.

more...
bind9-devel
bind910
bind98
bind99
FreeBSD
2016-08-09*

ISC reports:

A very uncommon combination of zone data has been found that triggers a bug in BIND, with the result that named will exit with a "REQUIRE" failure in name.c when validating the data returned in answer to a recursive query.

A recursive resolver that is performing DNSSEC validation can be deliberately terminated by any attacker who can cause a query to be performed against a maliciously constructed zone. This will result in a denial of service to clients who rely on that resolver.

more...
bind910
bind910-base
bind99
bind99-base
FreeBSD
2016-08-09*

ISC reports:

Because of a defect in handling queries for NSEC3-signed zones, BIND can crash with an "INSIST" failure in name.c when processing queries possessing certain properties. By exploiting this defect an attacker deliberately constructing a query with the right properties could achieve denial of service against an authoritative nameserver serving NSEC3-signed zones.

more...
bind96
bind96-base
bind98
bind98-base
bind99
bind99-base
FreeBSD
2016-08-09*

ISC reports:

A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c

more...
bind9-devel
bind910
bind98
bind99
FreeBSD
2016-08-09*

Problem description:

The firewall maintains a pointer to layer 4 header information in the event that it needs to send a TCP reset or ICMP error message to discard packets. Due to incorrect handling of IP fragments, this pointer fails to get initialized.

Impact:

An attacker can cause the firewall to crash by sending ICMP IP fragments to or through firewalls which match any reset, reject or unreach actions.

Workaround:

Change any reset, reject or unreach actions to deny. It should be noted that this will result in packets being silently discarded.

more...
FreeBSD
2016-08-09*

Problem description:

An integer overflow in the handling of corrupt IEEE 802.11 beacon or probe response frames when scanning for existing wireless networks can result in the frame overflowing a buffer.

Impact:

An attacker able broadcast a carefully crafted beacon or probe response frame may be able to execute arbitrary code within the context of the FreeBSD kernel on any system scanning for wireless networks.

Workaround:

No workaround is available, but systems without IEEE 802.11 hardware or drivers loaded are not vulnerable.

more...
FreeBSD
2016-08-09

Problem Description:

When initializing the SCTP state cookie being sent in INIT-ACK chunks, a buffer allocated from the kernel stack is not completely initialized.

Impact:

Fragments of kernel memory may be included in SCTP packets and transmitted over the network. For each SCTP session, there are two separate instances in which a 4-byte fragment may be transmitted.

This memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password.

more...
FreeBSD-kernel
2016-08-09*

Problem description:

When insufficient memory is available to handle an incoming selective acknowledgement, the TCP/IP stack may enter an infinite loop.

Impact:

By opening a TCP connection and sending a carefully crafted series of packets, an attacker may be able to cause a denial of service.

Workaround:

On FreeBSD 5.4, the net.inet.tcp.sack.enable sysctl can be used to disable the use of SACK:

# sysctl net.inet.tcp.sack.enable=0

No workaround is available for FreeBSD 5.3.

more...
FreeBSD
2016-08-09*

OpenSSH reports:

OpenSSH clients between versions 5.4 and 7.1 are vulnerable to information disclosure that may allow a malicious server to retrieve information including under some circumstances, user's private keys.

more...
FreeBSD
openssh-portable
2016-08-09*

The OpenSSH project reports:

Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).

Injection of xauth commands grants the ability to read arbitrary files under the authenticated user's privilege, Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth(1), which was not written with a hostile user in mind, as an attack surface.

Mitigation:

Set X11Forwarding=no in sshd_config. This is the default.

For authorized_keys that specify a "command" restriction, also set the "restrict" (available in OpenSSH >=7.2) or "no-x11-forwarding" restrictions.

more...
FreeBSD
openssh-portable
2016-08-09*

Problem Description:

If a client requests DNSSEC records with the Checking Disabled (CD) flag set, BIND may cache the unvalidated responses. These responses may later be returned to another client that has not set the CD flag.

more...
FreeBSD
2016-08-09

Problem Description:

The kernel incorrectly uses client supplied credentials instead of the one configured in exports(5) when filling out the anonymous credential for a NFS export, when -network or -host restrictions are used at the same time.

Impact:

The remote client may supply privileged credentials (e.g. the root user) when accessing a file under the NFS share, which will bypass the normal access checks.

more...
FreeBSD-kernel
2016-08-09*

Insufficient input validation in the NFS server allows an attacker to cause the underlying file system to treat a regular file as a directory.

more...
FreeBSD
2016-08-09*

Problem Description:

The ftpd(8) server splits long commands into several requests. This may result in the server executing a command which is hidden inside another very long command.

Impact:

This could, with a specifically crafted command, be used in a cross-site request forgery attack.

FreeBSD systems running ftpd(8) server could act as a point of privilege escalation in an attack against users using web browser to access trusted FTP sites.

Workaround:

No workaround is available, but systems not running FTP servers are not vulnerable. Systems not running the FreeBSD ftp(8) server are not affected, but users of other ftp daemons are advised to take care since several other ftp daemons are known to have related bugs.

more...
FreeBSD
2016-08-09*

ISC reports:

Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key.

more...
bind910
bind910-base
bind99
bind99-base
FreeBSD
2016-08-09*

Problem Description

For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure can occur when processing a query whose reply will contain more than one SIG(covered) RRset.

For an authoritative DNS server serving a RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response.

Impact

An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRsets can stop the functionality of the DNS service.

An attacker querying an authoritative DNS server serving a RFC 2535 DNSSEC zone may be able to crash the DNS server.

Workaround

A possible workaround is to only allow trusted clients to perform recursive queries.

more...
bind9
FreeBSD
2016-08-09*

Problem Description:

The jail(8) utility does not change the current working directory while imprisoning. The current working directory can be accessed by its descendants.

more...
FreeBSD
2016-08-08*

Oracle reports:

The quarterly Critical Patch Update contains 22 new security fixes for Oracle MySQL 5.5.49, 5.6.30, 5.7.13 and earlier

more...
mariadb100-server
mariadb101-server
mariadb55-server
mysql55-server
mysql56-server
mysql57-server
percona55-server
percona56-server
2016-08-06

Marina Glancy reports:

  • MSA-16-0019: Glossary search displays entries without checking user permissions to view them

  • MSA-16-0020: Text injection in email headers

  • MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course

more...
moodle28
moodle29
moodle30
moodle31
2016-08-06

Wireshark development team reports:

The following vulnerabilities have been fixed:

  • wnpa-sec-2016-41

    PacketBB crash. (Bug 12577)

  • wnpa-sec-2016-42

    WSP infinite loop. (Bug 12594)

  • wnpa-sec-2016-44

    RLC long loop. (Bug 12660)

  • wnpa-sec-2016-45

    LDSS dissector crash. (Bug 12662)

  • wnpa-sec-2016-46

    RLC dissector crash. (Bug 12664)

  • wnpa-sec-2016-47

    OpenFlow long loop. (Bug 12659)

  • wnpa-sec-2016-48

    MMSE, WAP, WBXML, and WSP infinite loop. (Bug 12661)

  • wnpa-sec-2016-49

    WBXML crash. (Bug 12663)

more...
tshark
tshark-lite
wireshark
wireshark-lite
wireshark-qt5
2016-08-06

ISC reports:

A query name which is too long can cause a segmentation fault in lwresd.

more...
bind9-devel
bind910
bind911
bind99
2016-08-05

The collectd Project reports:

Emilien Gaspar has identified a heap overflow in collectd's network plugin which can be triggered remotely and is potentially exploitable.

more...
collectd5
2016-08-04

Pierre Joye reports:

  • fix php bug 72339, Integer Overflow in _gd2GetHeader (CVE-2016-5766)

  • gd: Buffer over-read issue when parsing crafted TGA file (CVE-2016-6132)

  • Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207)

  • fix php bug 72494, invalid color index not handled, can lead to crash ( CVE-2016-6128)

more...
gd
2016-08-04

Curl security team reports:

CVE-2016-5419 - TLS session resumption client cert bypass

CVE-2016-5420 - Re-using connections with wrong client cert

CVE-2016-5421 - use of connection struct after free

more...
curl
2016-08-03

Lighttpd Project reports:

Security fixes for Lighttpd:

  • security: encode quoting chars in HTML and XML

  • security: ensure gid != 0 if server.username is set, but not server.groupname

  • security: disable stat_cache if server.follow-symlink = ?disable?

  • security: httpoxy defense: do not emit HTTP_PROXY to CGI env

more...
lighttpd
2016-08-02

The Xen Project reports:

The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only Access/Dirty bits). The bits considered safe were too broad, and not actually safe.

A malicous PV guest administrator can escalate their privilege to that of the host.

more...
xen-kernel
2016-08-02

The Xen Project reports:

Supervisor Mode Access Prevention is a hardware feature designed to make an Operating System more robust, by raising a pagefault rather than accidentally following a pointer into userspace. However, legitimate accesses into userspace require whitelisting, and the exception delivery mechanism for 32bit PV guests wasn't whitelisted.

A malicious 32-bit PV guest kernel can trigger a safety check, crashing the hypervisor and causing a denial of service to other VMs on the host.

more...
xen-kernel
2016-08-02

The Xen Project reports:

A guest can submit virtio requests without bothering to wait for completion and is therefore not bound by virtqueue size...

A malicious guest administrator can cause unbounded memory allocation in QEMU, which can cause an Out-of-Memory condition in the domain running qemu. Thus, a malicious guest administrator can cause a denial of service affecting the whole host.

more...
xen-tools
2016-07-31

Simon Josefsson reports:

libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.

idn: Solve out-of-bounds-read when reading one zero byte as input. Also replaced fgets with getline.

libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8. It was always documented to only accept UTF-8 data, but now it doesn't crash when presented with such data.

more...
libidn
2016-07-26*

Major changes in krb5 1.14.3 and krb5 1.13.6:

Fix a rare KDC denial of service vulnerability when anonymous client principals are restricted to obtaining TGTs only [CVE-2016-3120] .

more...
krb5-113
krb5-114
2016-07-26

PHP reports:

  • Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns)

  • Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()).

  • Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).

  • Fixed bug #72519 (imagegif/output out-of-bounds access).

  • Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener).

  • Fixed bug #72533 (locale_accept_from_http out-of-bounds access).

  • Fixed bug #72541 (size_t overflow lead to heap corruption).

  • Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to heap overflow in mdecrypt_generic).

  • Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).

  • Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications).

  • Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).

  • Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).

  • Fixed bug #72613 (Inadequate error handling in bzread()).

  • Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).

more...
php55
php55-bz2
php55-exif
php55-gd
php55-odbc
php55-snmp
php55-xmlrpc
php55-zip
php56
php56-bz2
php56-exif
php56-gd
php56-odbc
php56-snmp
php56-xmlrpc
php56-zip
php70
php70-bz2
php70-curl
php70-exif
php70-gd
php70-mcrypt
php70-odbc
php70-snmp
php70-xmlrpc
php70-zip
2016-07-26

Apache reports:

The Xerces-C XML parser fails to successfully parse a DTD that is deeply nested, and this causes a stack overflow, which makes a denial of service attack against many applications possible by an unauthenticated attacker.

Also, CVE-2016-2099: Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier allows context-dependent attackers to have unspecified impact via an invalid character in an XML document.

more...
xerces-c3
2016-07-22

Google Chrome Releases reports:

48 security fixes in this release, including:

  • [610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie xisigr of Tencent's Xuanwu Lab
  • [613949] High CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan
  • [614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly. Credit to ChenQin of Topsec Security Team
  • [616907] High CVE-2016-1710: Same-origin bypass in Blink. Credit to Mariusz Mlynski
  • [617495] High CVE-2016-1711: Same-origin bypass in Blink. Credit to Mariusz Mlynski
  • [618237] High CVE-2016-5127: Use-after-free in Blink. Credit to cloudfuzzer
  • [619166] High CVE-2016-5128: Same-origin bypass in V8. Credit to Anonymous
  • [620553] High CVE-2016-5129: Memory corruption in V8. Credit to Jeonghoon Shin
  • [623319] High CVE-2016-5130: URL spoofing. Credit to Wadih Matar
  • [623378] High CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer
  • [607543] Medium CVE-2016-5132: Limited same-origin bypass in Service Workers. Credit to Ben Kelly
  • [613626] Medium CVE-2016-5133: Origin confusion in proxy authentication. Credit to Patch Eudor
  • [593759] Medium CVE-2016-5134: URL leakage via PAC script. Credit to Paul Stone
  • [605451] Medium CVE-2016-5135: Content-Security-Policy bypass. Credit to kingxwy
  • [625393] Medium CVE-2016-5136: Use after free in extensions. Credit to Rob Wu
  • [625945] Medium CVE-2016-5137: History sniffing with HSTS and CSP. Credit to Xiaoyin Liu
  • [629852] CVE-2016-1705: Various fixes from internal audits, fuzzing and other initiatives.
more...
chromium
chromium-npapi
chromium-pulse
2016-07-21

The Apache OpenOffice Project reports:

An OpenDocument Presentation .ODP or Presentation Template .OTP file can contain invalid presentation elements that lead to memory corruption when the document is loaded in Apache OpenOffice Impress. The defect may cause the document to appear as corrupted and OpenOffice may crash in a recovery-stuck mode requiring manual intervention. A crafted exploitation of the defect can allow an attacker to cause denial of service (memory corruption and application crash) and possible execution of arbitrary code.

more...
apache-openoffice
apache-openoffice-devel
2016-07-19

The GIMP team reports:

A Use-after-free vulnerability was found in the xcf_load_image function.

more...
gimp-app
2016-07-18

TYPO3 reports:

Extbase request handling fails to implement a proper access check for requested controller/ action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute.

more...
typo3
typo3-lts
2016-07-16

ATutor reports:

Security Fixes: Added a new layer of security over all php superglobals, fixed several XSS, CSRF, and SQL injection vulnerabilities.

more...
atutor
2016-07-16*

Drupal Security Team reports:

  • Saving user accounts can sometimes grant the user all roles (User module - Drupal 7 - Moderately Critical)

  • Views can allow unauthorized users to see Statistics information (Views module - Drupal 8 - Less Critical)

more...
drupal7
drupal8
2016-07-16

Adobe reports:

These updates resolve a race condition vulnerability that could lead to information disclosure (CVE-2016-4247).

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-4223, CVE-2016-4224, CVE-2016-4225).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-4249).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179, CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246).

These updates resolve a memory leak vulnerability (CVE-2016-4232).

These updates resolve stack corruption vulnerabilities that could lead to code execution (CVE-2016-4176, CVE-2016-4177).

These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2016-4178).

more...
linux-c6-flashplugin
linux-c6_64-flashplugin
linux-f10-flashplugin
2016-07-16

ATutor reports:

Security Fixes: A number of minor XSS vulnerabilities discovered in the previous version of ATutor have been corrected.

more...
atutor
2016-07-15

Mathias Svensson reports:

potential buffer write overrun in PixarLogDecode() on corrupted/unexpected images

more...
tiff
2016-07-15

Talos reports:

An exploitable Use After Free vulnerability exists in the RTF parser LibreOffice. A specially crafted file can cause a use after free resulting in a possible arbitrary code execution. To exploit the vulnerability a malicious file needs to be opened by the user via vulnerable application.

more...
libreoffice
2016-07-15

Aladdin Mubaied reports:

Buffer-overflow in gif2tiff utility

more...
tiff
2016-07-15*

Jochen Wiedmann reports:

A malicious client can send file upload requests that cause the HTTP server using the Apache Commons Fileupload library to become unresponsive, preventing the server from servicing other requests.

more...
apache-struts
tomcat6
tomcat7
tomcat8
2016-07-15

Cisco Talos reports:

An exploitable heap overflow vulnerability exists in the NArchive::NHfs::CHandler::ExtractZlibFile method functionality of 7zip that can lead to arbitrary code execution.

more...
p7zip
2016-07-15

Cisco Talos reports:

An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files.

Central to 7-Zip?s processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map?s object vector and the "PartitionRef" field from the Long Allocation Descriptor. Lack of checking whether the "PartitionRef" field is bigger than the available amount of partition map objects causes a read out-of-bounds and can lead, in some circumstances, to arbitrary code execution.

more...
p7zip
2016-07-13

Samba team reports:

A man in the middle attack can disable client signing over SMB2/3, even if enforced by configuration parameters.

more...
samba4
samba41
samba42
samba43
samba44
2016-07-08

RubySec reports:

ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack in the specific scenario where there was a signature that referenced at the same time 2 elements (but past the scheme validator process since 1 of the element was inside the encrypted assertion).

ruby-saml users must update to 1.3.0, which implements 3 extra validations to mitigate this kind of attack.

more...
rubygem-ruby-saml
2016-07-07

Mitre reports:

The onReadyRead function in core/coreauthhandler.cpp in Quassel before 0.12.4 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via invalid handshake data.

more...
quassel
2016-07-06*

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit(tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments.

A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the Qemu process instance resulting in DoS issue.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-07-06*

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Q35 chipset based pc system emulator is vulnerable to a heap based buffer overflow. It occurs during VM guest migration, as more(16 bytes) data is moved into allocated (8 bytes) memory area.

A privileged guest user could use this issue to corrupt the VM guest image, potentially leading to a DoS. This issue affects q35 machine types.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-07-06*

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Human Monitor Interface(HMP) support is vulnerable to an OOB write issue. It occurs while processing 'sendkey' command in hmp_sendkey routine, if the command argument is longer than the 'keyname_buf' buffer size.

A user/process could use this flaw to crash the Qemu process instance resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-07-06*

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to a memory leakage flaw. It occurs when a guest repeatedly tries to activate the vmxnet3 device.

A privileged guest user could use this flaw to leak host memory, resulting in DoS on the host.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-07-06*

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the SCSI MegaRAID SAS HBA emulation support is vulnerable to a stack buffer overflow issue. It occurs while processing the SCSI controller's CTRL_GET_INFO command. A privileged guest user could use this flaw to crash the Qemu process instance resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-07-06*

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the i8255x (PRO100) emulation support is vulnerable to an infinite loop issue. It could occur while processing a chain of commands located in the Command Block List (CBL). Each Command Block(CB) points to the next command in the list. An infinite loop unfolds if the link to the next CB points to the same block or there is a closed loop in the chain.

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the Qemu instance resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-07-05

Apache Software Foundation reports:

The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate a X509 client certificate correctly when experimental module for the HTTP/2 protocol is used to access a resource.

The net result is that a resource that should require a valid client certificate in order to get access can be accessed without that credential.

more...
apache24
2016-07-04

Wireshark development team reports:

The following vulnerabilities have been fixed:

  • wnpa-sec-2016-29

    The SPOOLS dissector could go into an infinite loop. Discovered by the CESG.

  • wnpa-sec-2016-30

    The IEEE 802.11 dissector could crash. (Bug 11585)

  • wnpa-sec-2016-31

    The IEEE 802.11 dissector could crash. Discovered by Mateusz Jurczyk. (Bug 12175)

  • wnpa-sec-2016-32

    The UMTS FP dissector could crash. (Bug 12191)

  • wnpa-sec-2016-33

    Some USB dissectors could crash. Discovered by Mateusz Jurczyk. (Bug 12356)

  • wnpa-sec-2016-34

    The Toshiba file parser could crash. Discovered by iDefense Labs. (Bug 12394)

  • wnpa-sec-2016-35

    The CoSine file parser could crash. Discovered by iDefense Labs. (Bug 12395)

  • wnpa-sec-2016-36

    The NetScreen file parser could crash. Discovered by iDefense Labs. (Bug 12396)

  • wnpa-sec-2016-37

    The Ethernet dissector could crash. (Bug 12440)

more...
tshark
tshark-lite
wireshark
wireshark-lite
wireshark-qt5
2016-07-04*

Wireshark development team reports:

The following vulnerabilities have been fixed:

  • wnpa-sec-2016-02

    ASN.1 BER dissector crash. (Bug 11828) CVE-2016-2522

  • wnpa-sec-2016-03

    DNP dissector infinite loop. (Bug 11938) CVE-2016-2523

  • wnpa-sec-2016-04

    X.509AF dissector crash. (Bug 12002) CVE-2016-2524

  • wnpa-sec-2016-05

    HTTP/2 dissector crash. (Bug 12077) CVE-2016-2525

  • wnpa-sec-2016-06

    HiQnet dissector crash. (Bug 11983) CVE-2016-2526

  • wnpa-sec-2016-07

    3GPP TS 32.423 Trace file parser crash. (Bug 11982)

    CVE-2016-2527
  • wnpa-sec-2016-08

    LBMC dissector crash. (Bug 11984) CVE-2016-2528

  • wnpa-sec-2016-09

    iSeries file parser crash. (Bug 11985) CVE-2016-2529

  • wnpa-sec-2016-10

    RSL dissector crash. (Bug 11829) CVE-2016-2530 CVE-2016-2531

  • wnpa-sec-2016-11

    LLRP dissector crash. (Bug 12048) CVE-2016-2532

  • wnpa-sec-2016-12

    Ixia IxVeriWave file parser crash. (Bug 11795)

  • wnpa-sec-2016-13

    IEEE 802.11 dissector crash. (Bug 11818)

  • wnpa-sec-2016-14

    GSM A-bis OML dissector crash. (Bug 11825)

  • wnpa-sec-2016-15

    ASN.1 BER dissector crash. (Bug 12106)

  • wnpa-sec-2016-16

    SPICE dissector large loop. (Bug 12151)

  • wnpa-sec-2016-17

    NFS dissector crash.

  • wnpa-sec-2016-18

    ASN.1 BER dissector crash. (Bug 11822)

more...
tshark
tshark-lite
wireshark
wireshark-lite
wireshark-qt5
2016-07-04*

Wireshark development team reports:

The following vulnerabilities have been fixed:

  • wnpa-sec-2016-19

    The NCP dissector could crash. (Bug 11591)

  • wnpa-sec-2016-20

    TShark could crash due to a packet reassembly bug. (Bug 11799)

  • wnpa-sec-2016-21

    The IEEE 802.11 dissector could crash. (Bug 11824, Bug 12187)

  • wnpa-sec-2016-22

    The PKTC dissector could crash. (Bug 12206)

  • wnpa-sec-2016-23

    The PKTC dissector could crash. (Bug 12242)

  • wnpa-sec-2016-24

    The IAX2 dissector could go into an infinite loop. (Bug 12260)

  • wnpa-sec-2016-25

    Wireshark and TShark could exhaust the stack. (Bug 12268)

  • wnpa-sec-2016-26

    The GSM CBCH dissector could crash. (Bug 12278)

  • wnpa-sec-2016-27

    MS-WSP dissector crash. (Bug 12341)

more...
tshark
tshark-lite
wireshark
wireshark-lite
wireshark-qt5
2016-07-04*

Guido Vranken reports:

HTTP header injection in urrlib2/urllib/httplib/http.client with newlines in header values, where newlines have a semantic consequence of denoting the start of an additional header line.

more...
python27
python33
python34
python35
2016-07-04

The Xen Project reports:

In the x86 shadow pagetable code, the guest frame number of a superpage mapping is stored in a 32-bit field. If a shadowed guest can cause a superpage mapping of a guest-physical address at or above 2^44 to be shadowed, the top bits of the address will be lost, causing an assertion failure or NULL dereference later on, in code that removes the shadow.

A HVM guest using shadow pagetables can cause the host to crash.

A PV guest using shadow pagetables (i.e. being migrated) with PV superpages enabled (which is not the default) can crash the host, or corrupt hypervisor memory, and so a privilege escalation cannot be ruled out.

more...
xen-kernel
2016-07-04

The Xen Project reports:

Various parts of libxl device-handling code inappropriately use information from (partially) guest controlled areas of xenstore.

A malicious guest administrator can cause denial of service by resource exhaustion.

A malicious guest administrator can confuse and/or deny service to management facilities.

A malicious guest administrator of a guest configured with channel devices may be able to escalate their privilege to that of the backend domain (i.e., normally, to that of the host).

more...
xen-tools
2016-07-04

The Xen Project reports:

The Page Size (PS) page table entry bit exists at all page table levels other than L1. Its meaning is reserved in L4, and conditionally reserved in L3 and L2 (depending on hardware capabilities). The software page table walker in the hypervisor, however, so far ignored that bit in L4 and (on respective hardware) L3 entries, resulting in pages to be treated as page tables which the guest OS may not have designated as such. If the page in question is writable by an unprivileged user, then that user will be able to map arbitrary guest memory.

On vulnerable OSes, guest user mode code may be able to establish mappings of arbitrary memory inside the guest, allowing it to elevate its privileges inside the guest.

more...
xen-kernel
2016-07-04

The Xen Project reports:

libxl's device-handling code freely uses and trusts information from the backend directories in xenstore.

A malicious driver domain can deny service to management tools.

more...
xen-tools
2016-07-04

The Xen Project reports:

Qemu VGA module allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations.

Qemu VGA module allows guest to edit certain registers in 'vbe' and 'vga' modes.

A privileged guest user could use CVE-2016-3710 to exceed the bank address window and write beyond the said memory area, potentially leading to arbitrary code execution with privileges of the Qemu process. If the system is not using stubdomains, this will be in domain 0.

A privileged guest user could use CVE-2016-3712 to cause potential integer overflow or OOB read access issues in Qemu, resulting in a DoS of the guest itself. More dangerous effect, such as data leakage or code execution, are not known but cannot be ruled out.

more...
xen-tools
2016-07-04

The Xen Project reports:

When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen. This output is not rate-limited in any way. The guest can easily cause qemu to print messages to stderr, causing this file to become arbitrarily large.

The disk containing the logfile can be exausted, possibly causing a denial-of-service (DoS).

more...
xen-tools
2016-07-03

KoreLogic security reports:

Affected versions of SQLite reject potential tempdir locations if they are not readable, falling back to '.'. Thus, SQLite will favor e.g. using cwd for tempfiles on such a system, even if cwd is an unsafe location. Notably, SQLite also checks the permissions of '.', but ignores the results of that check.

more...
sqlite3
2016-07-03

Marina Glancy reports:

  • MSA-16-0013: Users are able to change profile fields that were locked by the administrator.

  • MSA-16-0015: Information disclosure of hidden forum names and sub-names.

  • MSA-16-0016: User can view badges of other users without proper permissions.

  • MSA-16-0017: Course idnumber not protected from teacher restore.

  • MSA-16-0018: CSRF in script marking forum posts as read.

more...
moodle28
moodle29
moodle30
2016-07-03

Red Hat reports:

A vulnerability in smtplib allowing MITM attacker to perform a startTLS stripping attack. smtplib does not seem to raise an exception when the remote end (smtp server) is capable of negotiating starttls but fails to respond with 220 (ok) to an explicit call of SMTP.starttls(). This may allow a malicious MITM to perform a startTLS stripping attack if the client code does not explicitly check the response code for startTLS.

more...
python27
python33
python34
python35
2016-07-03

Sushanth Sowmyan reports:

Some partition-level operations exist that do not explicitly also authorize privileges of the parent table. This can lead to issues when the parent table would have denied the operation, but no denial occurs because the partition-level privilege is not checked by the authorization framework, which defines authorization entities only from the table level upwards.

more...
hive
2016-07-03

Eric Lippmann reports:

Possibility of remote code execution via the remote command transport.

more...
icingaweb2
2016-07-03*

Open vSwitch reports:

Multiple versions of Open vSwitch are vulnerable to remote buffer overflow attacks, in which crafted MPLS packets could overflow the buffer reserved for MPLS labels in an OVS internal data structure. The MPLS packets that trigger the vulnerability and the potential for exploitation vary depending on version:

Open vSwitch 2.1.x and earlier are not vulnerable.

In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be exploited for arbitrary remote code execution.

In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead to a remote code execution exploit, but testing shows that it can allow a remote denial of service. See the mitigation section for details.

Open vSwitch 2.5.x is not vulnerable.

more...
openvswitch
2016-07-01

The phpMYAdmin development team reports:

Summary

BBCode injection vulnerability

Description

A vulnerability was discovered that allows an BBCode injection to setup script in case it's not accessed on https.

Severity

We consider this to be non-critical.

Summary

Cookie attribute injection attack

Description

A vulnerability was found where, under some circumstances, an attacker can inject arbitrary values in the browser cookies.

Severity

We consider this to be non-critical.

Summary

SQL injection attack

Description

A vulnerability was discovered that allows an SQL injection attack to run arbitrary commands as the control user.

Severity

We consider this vulnerability to be serious

Summary

XSS on table structure page

Description

An XSS vulnerability was discovered on the table structure page

Severity

We consider this to be a serious vulnerability

Summary

Multiple XSS vulnerabilities

Description

  • An XSS vulnerability was discovered on the user privileges page.
  • An XSS vulnerability was discovered in the error console.
  • An XSS vulnerability was discovered in the central columns feature.
  • An XSS vulnerability was discovered in the query bookmarks feature.
  • An XSS vulnerability was discovered in the user groups feature.

Severity

We consider this to be a serious vulnerability

Summary

DOS attack

Description

A Denial Of Service (DOS) attack was discovered in the way phpMyAdmin loads some JavaScript files.

Severity

We consider this to be of moderate severity

Summary

Multiple full path disclosure vulnerabilities

Description

This PMASA contains information on multiple full-path disclosure vulnerabilities reported in phpMyAdmin.

By specially crafting requests in the following areas, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

  1. Setup script
  2. Example OpenID authentication script

Severity

We consider these vulnerabilities to be non-critical.

Summary

XSS through FPD

Description

With a specially crafted request, it is possible to trigger an XSS attack through the example OpenID authentication script.

Severity

We do not consider this vulnerability to be secure due to the non-standard required PHP setting for html_errors.

Summary

XSS in partition range functionality

Description

A vulnerability was reported allowing a specially crafted table parameters to cause an XSS attack through the table structure page.

Severity

We consider this vulnerability to be severe.

Summary

Multiple XSS vulnerabilities

Description

  • A vulnerability was reported allowing a specially crafted table name to cause an XSS attack through the functionality to check database privileges.
    • This XSS doesn't exist in some translations due to different quotes being used there (eg. Czech).
  • A vulnerability was reported allowing a specifically-configured MySQL server to execute an XSS attack. This particular attack requires configuring the MySQL server log_bin directive with the payload.
  • Several XSS vulnerabilities were found with the Transformation feature
  • Several XSS vulnerabilities were found in AJAX error handling
  • Several XSS vulnerabilities were found in the Designer feature
  • An XSS vulnerability was found in the charts feature
  • An XSS vulnerability was found in the zoom search feature

Severity

We consider these attacks to be of moderate severity.

Summary

Unsafe handling of preg_replace parameters

Description

In some versions of PHP, it's possible for an attacker to pass parameters to the preg_replace() function which can allow the execution of arbitrary PHP code. This code is not properly sanitized in phpMyAdmin as part of the table search and replace feature.

Severity

We consider this vulnerability to be of moderate severity.

Summary

Referrer leak in transformations

Description

A vulnerability was reported where a specially crafted Transformation could be used to leak information including the authentication token. This could be used to direct a CSRF attack against a user.

Furthermore, the CSP code used in version 4.0.x is outdated and has been updated to more modern standards.

Severity

We consider this to be of moderate severity

more...
phpmyadmin
2016-06-30

Brandon Perry reports:

The parse_chunk_header function in libtorrent before 1.1.1 allows remote attackers to cause a denial of service (crash) via a crafted (1) HTTP response or possibly a (2) UPnP broadcast.

more...
libtorrent-rasterbar
2016-06-30

Mitre reports:

OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.

more...
openssl
2016-06-30*

reports:

Dnsmasq before 2.76 allows remote servers to cause a denial of service (crash) via a reply with an empty DNS address that has an (1) A or (2) AAAA record defined locally.

more...
dnsmasq
dnsmasq-devel
2016-06-30

HAproxy reports:

HAproxy 1.6.x before 1.6.6, when a deny comes from a reqdeny rule, allows remote attackers to cause a denial of service (uninitialized memory access and crash) or possibly have unspecified other impact via unknown vectors.

more...
haproxy
2016-06-30

Adam Maris reports:

It was found that original patch for issues CVE-2015-1283 and CVE-2015-2716 used overflow checks that could be optimized out by some compilers applying certain optimization settings, which can cause the vulnerability to remain even after applying the patch.

more...
expat2
2016-06-26

Mark Thomas reports:

CVE-2016-3092 is a denial of service vulnerability that has been corrected in the Apache Commons FileUpload component. It occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file. This caused the file upload process to take several orders of magnitude longer than if the boundary length was the typical tens of bytes.

more...
tomcat7
tomcat8
2016-06-25

The PHP Group reports:

  • Core:
    • Fixed bug #72268 (Integer Overflow in nl2br())
    • Fixed bug #72275 (Integer Overflow in json_encode()/ json_decode()/ json_utf8_to_utf16())
    • Fixed bug #72400 (Integer Overflow in addcslashes/ addslashes)
    • Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL)
  • GD:
    • Fixed bug #66387 (Stack overflow with imagefilltoborder) (CVE-2015-8874)
    • Fixed bug #72298 (pass2_no_dither out-of-bounds access)
    • Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in heap overflow) (CVE-2016-5766)
    • Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert)
    • Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow) (CVE-2016-5767)
  • mbstring:
    • Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free) (CVE-2016-5768)
  • mcrypt:
    • Fixed bug #72455 (Heap Overflow due to integer overflows) (CVE-2016-5769)
  • Phar:
    • Fixed bug #72321 (invalid free in phar_extract_file()). (PHP 5.6/7.0 only)
  • SPL:
    • Fixed bug #72262 (int/size_t confusion in SplFileObject::fread) (CVE-2016-5770)
    • Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and unserialize) (CVE-2016-5771)
  • WDDX:
    • Fixed bug #72340 (Double Free Courruption in wddx_deserialize) (CVE-2016-5772)
  • zip:
    • Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize). (CVE-2016-5773)
more...
php55
php55-gd
php55-mbstring
php55-wddx
php55-zip
php56
php56-gd
php56-mbstring
php56-phar
php56-wddx
php56-zip
php70
php70-gd
php70-mbstring
php70-phar
php70-wddx
php70-zip
2016-06-25

Adam Silverstein reports:

WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.2 and earlier are affected by several security issues: redirect bypass in the customizer, reported by Yassine Aboukir; two different XSS problems via attachment names, reported by Jouko Pynnönenand Divyesh Prajapati; revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen from the Wordfence Research Team; oEmbed denial of service reported by Jennifer Dodd from Automattic; unauthorized category removal from a post, reported by David Herrera from Alley Interactive; password change via stolen cookie, reported by Michael Adams from the WordPress security team; and some less secure sanitize_file_name edge cases reported by Peter Westwood of the WordPress security team.

more...
de-wordpress
ja-wordpress
ru-wordpress
wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
2016-06-23

Piwik reports:

iThe Piwik Security team is grateful for the responsible disclosures by our security researchers: Egidio Romano (granted a critical security bounty), James Kettle and Pawe? Bartunek (XSS) and Emanuel Bronshtein (limited XSS).

more...
piwik
2016-06-23

Hanno Bock and Cisco Talos report:

  • Out of bounds heap read in RAR parser

  • Signed integer overflow in ISO parser

  • TALOS-2016-0152 [CVE-2016-4300]: 7-Zip read_SubStreamsInfo Integer Overflow

  • TALOS-2016-0153 [CVE-2016-4301]: mtree parse_device Stack Based Buffer Overflow

  • TALOS-2016-0154 [CVE-2016-4302]: Libarchive Rar RestartModel Heap Overflow

more...
libarchive
2016-06-21

Giuseppe Scrivano reports:

On a server redirect from HTTP to a FTP resource, wget would trust the HTTP server and uses the name in the redirected URL as the destination filename.

more...
wget
2016-06-20

Google reports:

  • [583156] Medium CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire.
  • [583171] Medium CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire.
more...
libxslt
2016-06-20*

Google Chrome Releases reports:

42 security fixes in this release, including:

  • [590118] High CVE-2016-1672: Cross-origin bypass in extension bindings. Credit to Mariusz Mlynski.
  • [597532] High CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
  • [598165] High CVE-2016-1674: Cross-origin bypass in extensions.i Credit to Mariusz Mlynski.
  • [600182] High CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
  • [604901] High CVE-2016-1676: Cross-origin bypass in extension bindings. Credit to Rob Wu.
  • [602970] Medium CVE-2016-1677: Type confusion in V8. Credit to Guang Gong of Qihoo 360.
  • [595259] High CVE-2016-1678: Heap overflow in V8. Credit to Christian Holler.
  • [606390] High CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu.
  • [589848] High CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen of OUSPG.
  • [613160] High CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic of Cisco Talos.
  • [579801] Medium CVE-2016-1682: CSP bypass for ServiceWorker. Credit to KingstonTime.
  • [601362] Medium CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB.
  • [603518] Medium CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB.
  • [603748] Medium CVE-2016-1687: Information leak in extensions. Credit to Rob Wu.
  • [604897] Medium CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko.
  • [606185] Medium CVE-2016-1689: Heap buffer overflow in media. Credit to Atte Kettunen of OUSPG.
  • [608100] Medium CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu.
  • [597926] Low CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen of OUSPG.
  • [598077] Low CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit to Til Jasper Ullrich.
  • [598752] Low CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to Khalil Zhani.
  • [603682] Low CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan Lester and Bryant Zadegan.
  • [614767] CVE-2016-1695: Various fixes from internal audits, fuzzing and other initiatives.
more...
chromium
chromium-npapi
chromium-pulse
2016-06-19

Adobe reports:

These updates harden a mitigation against JIT spraying attacks that could be used to bypass memory layout randomization mitigations (CVE-2016-1006).

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1015, CVE-2016-1019).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033).

These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2016-1018).

These updates resolve a security bypass vulnerability (CVE-2016-1030).

These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-1014).

more...
linux-c6-flashplugin
linux-c6_64-flashplugin
linux-f10-flashplugin
2016-06-19

Adobe reports:

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1105, CVE-2016-4117).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110, CVE-2016-4121).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-1101).

These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2016-1103).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162, CVE-2016-4163).

These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4116).

more...
linux-c6-flashplugin
linux-c6_64-flashplugin
linux-f10-flashplugin
2016-06-19

Adobe reports:

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-4144, CVE-2016-4149).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-4142, CVE-2016-4143, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148).

These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2016-4135, CVE-2016-4136, CVE-2016-4138).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4137, CVE-2016-4141, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171).

These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4140).

These updates resolve a vulnerability that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2016-4139).

more...
linux-c6-flashplugin
linux-c6_64-flashplugin
linux-f10-flashplugin
2016-06-19*

The OpenSSL team reports:

Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key.

more...
libressl
libressl-devel
openssl
openssl-devel
2016-06-17

Python reports:

Possible integer overflow and heap corruption in zipimporter.get_data()

more...
python27
python33
python34
python35
2016-06-17

Google Chrome Releases reports:

3 security fixes in this release, including:

  • [620742] CVE-2016-1704: Various fixes from internal audits, fuzzing and other initiatives.
more...
chromium
chromium-npapi
chromium-pulse
2016-06-14

Jack Lloyd reports:

Botan 1.10.13 has been released backporting some side channel protections for ECDSA signatures (CVE-2016-2849) and PKCS #1 RSA decryption (CVE-2015-7827).

more...
botan110
2016-06-14

MITRE reports:

The Miller-Rabin primality check in Botan before 1.10.8 and 1.11.x before 1.11.9 improperly uses a single random base, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a DH group.

more...
botan110
2016-06-11

The VLC project reports:

Fix out-of-bound write in adpcm QT IMA codec (CVE-2016-5108)

more...
vlc
vlc-qt4
2016-06-10*

Mozilla Foundation reports:

Mozilla has updated the version of Network Security Services (NSS) library used in Firefox to NSS 3.23. This addresses four moderate rated networking security issues reported by Mozilla engineers Tyson Smith and Jed Davis.

more...
linux-c6-nss
linux-seamonkey
nss
2016-06-10

Roundcube reports:

Fix XSS issue in href attribute on area tag (#5240).

more...
roundcube
2016-06-09

Sebastian Pipping reports:

CVE-2012-6702 -- Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 when addressing CVE-2012-0876 (issue #496)

CVE-2016-5300 -- Use more entropy for hash initialization than the original fix to CVE-2012-0876.

more...
expat
linux-c6-expat
linux-f10-expat
2016-06-08

ESnet reports:

A malicious process can connect to an iperf3 server and, by sending a malformed message on the control channel, corrupt the server process's heap area. This can lead to a crash (and a denial of service), or theoretically a remote code execution as the user running the iperf3 server. A malicious iperf3 server could potentially mount a similar attack on an iperf3 client.

more...
iperf3
2016-06-07

Mozilla Foundation reports:

MFSA 2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)

MFSA 2016-50 Buffer overflow parsing HTML5 fragments

MFSA 2016-51 Use-after-free deleting tables from a contenteditable document

MFSA 2016-52 Addressbar spoofing though the SELECT element

MFSA 2016-54 Partial same-origin-policy through setting location.host through data URI

MFSA 2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction

MFSA 2016-57 Incorrect icon displayed on permissions notifications

MFSA 2016-58 Entering fullscreen and persistent pointerlock without user permission

MFSA 2016-59 Information disclosure of disabled plugins through CSS pseudo-classes

MFSA 2016-60 Java applets bypass CSP protections

more...
firefox
firefox-esr
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2016-06-07

gnutls.org reports:

Setuid programs using GnuTLS 3.4.12 could potentially allow an attacker to overwrite and corrupt arbitrary files in the filesystem.

more...
gnutls
2016-06-06

Google Chrome Releases reports:

15 security fixes in this release, including:

  • 601073] High CVE-2016-1696: Cross-origin bypass in Extension bindings. Credit to anonymous.
  • [613266] High CVE-2016-1697: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
  • [603725] Medium CVE-2016-1698: Information leak in Extension bindings. Credit to Rob Wu.
  • [607939] Medium CVE-2016-1699: Parameter sanitization failure in DevTools. Credit to Gregory Panakkal.
  • [608104] Medium CVE-2016-1700: Use-after-free in Extensions. Credit to Rob Wu.
  • [608101] Medium CVE-2016-1701: Use-after-free in Autofill. Credit to Rob Wu.
  • [609260] Medium CVE-2016-1702: Out-of-bounds read in Skia. Credit to cloudfuzzer.
  • [616539] CVE-2016-1703: Various fixes from internal audits, fuzzing and other initiatives.
more...
chromium
chromium-npapi
chromium-pulse
2016-06-05

Mitre reports:

Cross-site scripting (XSS) vulnerability in the cgierror function in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message.

more...
ikiwiki
2016-06-05

The OpenAFS development team reports:

Avoid a potential denial of service issue, by fixing a bug in pioctl logic that allowed a local user to overrun a kernel buffer with a single NUL byte.

more...
openafs
2016-06-05*

Maxim Dounin reports:

A problem was identified in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while writing client request body to a temporary file.

more...
nginx
nginx-devel
2016-06-05*

Gustavo Grieco reports:

The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.

more...
expat
linux-c6-expat
linux-f10-expat
2016-06-05

The OpenAFS development team reports:

Foreign users can bypass access controls to create groups as system:administrators, including in the user namespace and the system: namespace.

The contents of uninitialized memory are sent on the wire when clients perform certain RPCs. Depending on the RPC, the information leaked may come from kernel memory or userspace.

more...
openafs
2016-06-01

Tim Newsha reports:

When H2O tries to disconnect a premature HTTP/2 connection, it calls free(3) to release memory allocated for the connection and immediately after then touches the memory. No malloc-related operation is performed by the same thread between the time it calls free and the time the memory is touched. Fixed by Frederik Deweerdt.

more...
h2o
2016-05-28

Google Chrome Releases reports:

5 security fixes in this release, including:

  • [605766] High CVE-2016-1667: Same origin bypass in DOM. Credit to Mariusz Mlynski.
  • [605910] High CVE-2016-1668: Same origin bypass in Blink V8 bindings. Credit to Mariusz Mlynski.
  • [606115] High CVE-2016-1669: Buffer overflow in V8. Credit to Choongwoo Han.
  • [578882] Medium CVE-2016-1670: Race condition in loader. Credit to anonymous.
  • [586657] Medium CVE-2016-1671: Directory traversal using the file scheme on Android. Credit to Jann Horn.
more...
chromium
chromium-npapi
chromium-pulse
2016-05-28

The Cacti Group, Inc. reports:

Changelog

  • bug:0002667: Cacti SQL Injection Vulnerability
  • bug:0002673: CVE-2016-3659 - Cacti graph_view.php SQL Injection Vulnerability
  • bug:0002656: Authentication using web authentication as a user not in the cacti database allows complete access (regression)
more...
cacti
2016-05-28

The PHP Group reports:

  • Core:
    • Fixed bug #72114 (Integer underflow / arbitrary null write in fread/gzread). (CVE-2016-5096) (PHP 5.5/5.6 only)
    • Fixed bug #72135 (Integer Overflow in php_html_entities). (CVE-2016-5094) (PHP 5.5/5.6 only)
  • GD:
    • Fixed bug #72227 (imagescale out-of-bounds read). (CVE-2013-7456)
  • Intl:
    • Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (CVE-2016-5093)
  • Phar:
    • Fixed bug #71331 (Uninitialized pointer in phar_make_dirstream()). (CVE-2016-4343) (PHP 5.5 only)
more...
php55
php55-gd
php55-phar
php56
php56-gd
php70-gd
php70-intl
2016-05-28

Google Chrome Releases reports:

9 security fixes in this release, including:

  • [574802] High CVE-2016-1660: Out-of-bounds write in Blink. Credit to Atte Kettunen of OUSPG.
  • [601629] High CVE-2016-1661: Memory corruption in cross-process frames. Credit to Wadih Matar.
  • [603732] High CVE-2016-1662: Use-after-free in extensions. Credit to Rob Wu.
  • [603987] High CVE-2016-1663: Use-after-free in Blink's V8 bindings. Credit to anonymous.
  • [597322] Medium CVE-2016-1664: Address bar spoofing. Credit to Wadih Matar.
  • [606181] Medium CVE-2016-1665: Information leak in V8. Credit to HyungSeok Han.
  • [607652] CVE-2016-1666: Various fixes from internal audits, fuzzing and other initiatives.
more...
chromium
chromium-npapi
chromium-pulse
2016-05-26*

The phpmyadmin development team reports:

Description

Because user SQL queries are part of the URL, sensitive information made as part of a user query can be exposed by clicking on external links to attackers monitoring user GET query parameters or included in the webserver logs.

Severity

We consider this to be non-critical.

Description

A specially crafted attack could allow for special HTML characters to be passed as URL encoded values and displayed back as special characters in the page.

Severity

We consider this to be non-critical.

more...
phpmyadmin
2016-05-24

Mediawiki reports:

Security fixes:

T122056: Old tokens are remaining valid within a new session

T127114: Login throttle can be tricked using non-canonicalized usernames

T123653: Cross-domain policy regexp is too narrow

T123071: Incorrectly identifying http link in a's href attributes, due to m modifier in regex

T129506: MediaWiki:Gadget-popups.js isn't renderable

T125283: Users occasionally logged in as different users after SessionManager deployment

T103239: Patrol allows click catching and patrolling of any page

T122807: [tracking] Check php crypto primatives

T98313: Graphs can leak tokens, leading to CSRF

T130947: Diff generation should use PoolCounter

T133507: Careless use of $wgExternalLinkTarget is insecure

T132874: API action=move is not rate limited

more...
mediawiki123
mediawiki124
mediawiki125
mediawiki126
2016-05-20

Jouni Malinen reports:

psk configuration parameter update allowing arbitrary data to be written (2016-1 - CVE-2016-4476/CVE-2016-4477).

more...
wpa_supplicant
2016-05-17

Bugzilla Security Advisory

A specially crafted bug summary could trigger XSS in dependency graphs. Due to an incorrect parsing of the image map generated by the dot script, a specially crafted bug summary could trigger XSS in dependency graphs.

more...
bugzilla44
bugzilla50
2016-05-14

Samuli Seppänen reports:

OpenVPN 2.3.11 [...] fixes two vulnerabilities: a port-share bug with DoS potential and a buffer overflow by user supplied data when using pam authentication.[...]

more...
openvpn
openvpn-polarssl
2016-05-13

ImageMagick reports:

Fix a buffer overflow in magick/drag.c/DrawStrokePolygon().

more...
ImageMagick
ImageMagick-nox11
ImageMagick7
ImageMagick7-nox11
2016-05-12

Jenkins Security Advisory:

Description

SECURITY-170 / CVE-2016-3721

Arbitrary build parameters are passed to build scripts as environment variables

SECURITY-243 / CVE-2016-3722

Malicious users with multiple user accounts can prevent other users from logging in

SECURITY-250 / CVE-2016-3723

Information on installed plugins exposed via API

SECURITY-266 / CVE-2016-3724

Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration

SECURITY-273 / CVE-2016-3725

Regular users can trigger download of update site metadata

SECURITY-276 / CVE-2016-3726

Open redirect to scheme-relative URLs

SECURITY-281 / CVE-2016-3727

Granting the permission to read node configurations allows access to overall system configuration

more...
jenkins
jenkins-lts
jenkins2
2016-05-10*

The libarchive project reports:

Heap-based buffer overflow in the zip_read_mac_metadata function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to execute arbitrary code via crafted entry-size values in a ZIP archive.

more...
libarchive
2016-05-10

Helen Hou-Sandi reports:

WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.

more...
de-wordpress
ja-wordpress
ru-wordpress
wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
2016-05-09*

The squid development team reports:

Problem Description:
Due to incorrect data validation of intercepted HTTP Request messages Squid is vulnerable to clients bypassing the protection against CVE-2009-0801 related issues. This leads to cache poisoning.
Severity:
This problem is serious because it allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source.
Problem Description:
Due to incorrect input validation Squid is vulnerable to a header smuggling attack leading to cache poisoning and to bypass of same-origin security policy in Squid and some client browsers.
Severity:
This problem allows a client to smuggle Host header value past same-origin security protections to cause Squid operating as interception or reverse-proxy to contact the wrong origin server. Also poisoning any downstream cache which stores the response.
However, the cache poisoning is only possible if the caching agent (browser or explicit/forward proxy) is not following RFC 7230 processing guidelines and lets the smuggled value through.
Problem Description:
Due to incorrect pointer handling and reference counting Squid is vulnerable to a denial of service attack when processing ESI responses.
Severity:
These problems allow a remote server delivering certain ESI response syntax to trigger a denial of service for all clients accessing the Squid service.
Due to unrelated changes Squid-3.5 has become vulnerable to some regular ESI server responses also triggering one or more of these issues.
more...
squid
squid-devel
2016-05-07*

Openwall reports:

Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats. Any service which uses ImageMagick to process user supplied images and uses default delegates.xml / policy.xml, may be vulnerable to this issue.

It is possible to make ImageMagick perform a HTTP GET or FTP request

It is possible to delete files by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading.

It is possible to move image files to file with any extension in any folder by using ImageMagick's 'msl' pseudo protocol. msl.txt and image.gif should exist in known location - /tmp/ for PoC (in real life it may be web service written in PHP, which allows to upload raw txt files and process images with ImageMagick).

It is possible to get content of the files from the server by using ImageMagick's 'label' pseudo protocol.

more...
ImageMagick
ImageMagick-nox11
ImageMagick7
ImageMagick7-nox11
2016-05-04

QuickFuzz reports:

A crash caused by stack exhaustion parsing a JSON was found.

more...
jansson
2016-05-03

The PHP Group reports:

  • BCMath:
    • Fixed bug #72093 (bcpowmod accepts negative scale and corrupts _one_ definition).
  • Exif:
    • Fixed bug #72094 (Out of bounds heap read access in exif header processing).
  • GD:
    • Fixed bug #71912 (libgd: signedness vulnerability). (CVE-2016-3074)
  • Intl:
    • Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative offset).
  • XML:
    • Fixed bug #72099 (xml_parse_into_struct segmentation fault).
more...
php55
php55-bcmath
php55-exif
php55-gd
php55-xml
php56
php56-bcmath
php56-exif
php56-gd
php56-xml
php70
php70-bcmath
php70-exif
php70-gd
php70-xml
2016-05-03

Martin Prpic, Red Hat Product Security Team, reports:

Denial of Service due to stack overflow in src/ber-decoder.c.

Integer overflow in the BER decoder src/ber-decoder.c.

Integer overflow in the DN decoder src/dn.c.

more...
libksba
2016-05-03

GitLab reports:

During an internal code review, we discovered a critical security flaw in the "impersonate" feature of GitLab. Added in GitLab 8.2, this feature was intended to allow an administrator to simulate being logged in as any other user.

A part of this feature was not properly secured and it was possible for any authenticated user, administrator or not, to "log in" as any other user, including administrators. Please see the issue for more details.

more...
gitlab
2016-05-01

Mercurial reports:

CVE-2016-3105: Arbitrary code execution when converting Git repos

more...
mercurial
2016-04-30

Oracle reports reports:

Critical Patch Update contains 31 new security fixes for Oracle MySQL 5.5.48, 5.6.29, 5.7.11 and earlier

more...
mariadb100-server
mariadb101-server
mariadb55-server
mysql55-server
mysql56-server
mysql57-server
percona-server
percona55-server
2016-04-28

Subversion project reports:

svnserve, the svn:// protocol server, can optionally use the Cyrus SASL library for authentication, integrity protection, and encryption. Due to a programming oversight, authentication against Cyrus SASL would permit the remote user to specify a realm string which is a prefix of the expected realm string.

Subversion's httpd servers are vulnerable to a remotely triggerable crash in the mod_authz_svn module. The crash can occur during an authorization check for a COPY or MOVE request with a specially crafted header value.

This allows remote attackers to cause a denial of service.

more...
subversion
subversion18
2016-04-28

Logstash developers report:

Passwords Printed in Log Files under Some Conditions

It was discovered that, in Logstash 2.1.0+, log messages generated by a stalled pipeline during shutdown will print plaintext contents of password fields. While investigating this issue we also discovered that debug logging has included this data for quite some time. Our latest releases fix both leaks. You will want to scrub old log files if this is of particular concern to you. This was fixed in issue #4965

more...
logstash
2016-04-26

Mozilla Foundation reports:

MFSA 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

MFSA 2016-42 Use-after-free and buffer overflow in Service Workers

MFSA 2016-44 Buffer overflow in libstagefright with CENC offsets

MFSA 2016-45 CSP not applied to pages sent with multipart/x-mixed-replace

MFSA 2016-46 Elevation of privilege with chrome.tabs.update API in web extensions

MFSA 2016-47 Write to invalid HashMap entry through JavaScript.watch()

MFSA 2016-48 Firefox Health Reports could accept events from untrusted domains

more...
firefox
firefox-esr
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2016-04-23

The phpMyFAQ team reports:

The vulnerability exists due to application does not properly verify origin of HTTP requests in "Interface Translation" functionality.: A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request, as if it was coming from the legitimate user, inject and execute arbitrary PHP code on the target system with privileges of the webserver.

more...
phpmyfaq
2016-04-21

GNU Libtasn1 NEWS reports:

Fixes to avoid an infinite recursion when decoding without the ASN1_DECODE_FLAG_STRICT_DER flag. Reported by Pascal Cuoq.

more...
libtasn1
2016-04-21

Squid security advisory 2016:5 reports:

Due to incorrect buffer management Squid cachemgr.cgi tool is vulnerable to a buffer overflow when processing remotely supplied inputs relayed to it from Squid.

This problem allows any client to seed the Squid manager reports with data that will cause a buffer overflow when processed by the cachemgr.cgi tool. However, this does require manual administrator actions to take place. Which greatly reduces the impact and possible uses.

Squid security advisory 2016:6 reports:

Due to buffer overflow issues Squid is vulnerable to a denial of service attack when processing ESI responses. Due to incorrect input validation Squid is vulnerable to public information disclosure of the server stack layout when processing ESI responses. Due to incorrect input validation and buffer overflow Squid is vulnerable to remote code execution when processing ESI responses.

These problems allow ESI components to be used to perform a denial of service attack on the Squid service and all other services on the same machine. Under certain build conditions these problems allow remote clients to view large sections of the server memory. However, the bugs are exploitable only if you have built and configured the ESI features to be used by a reverse-proxy and if the ESI components being processed by Squid can be controlled by an attacker.

more...
squid
2016-04-20

Ansible developers report:

CVE-2016-3096: do not use predictable paths in lxc_container

  • do not use a predictable filename for the LXC attach script
  • don't use predictable filenames for LXC attach script logging
  • don't set a predictable archive_path

this should prevent symlink attacks which could result in

  • data corruption
  • data leakage
  • privilege escalation
more...
ansible
ansible1
2016-04-20

MITRE reports:

The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does not properly handle the TLSDHParamFile directive, which might cause a weaker than intended Diffie-Hellman (DH) key to be used and consequently allow attackers to have unspecified impact via unknown vectors.

more...
proftpd
2016-04-19

Google Chrome Releases reports:

20 security fixes in this release, including:

  • [590275] High CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous.
  • [589792] High CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han.
  • [591785] Medium CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding. Credit to kdot working with HP's Zero Day Initiative.
  • [589512] Medium CVE-2016-1654: Uninitialized memory read in media. Credit to Atte Kettunen of OUSPG.
  • [582008] Medium CVE-2016-1655: Use-after-free related to extensions. Credit to Rob Wu.
  • [570750] Medium CVE-2016-1656: Android downloaded file path restriction bypass. Credit to Dzmitry Lukyanenko.
  • [567445] Medium CVE-2016-1657: Address bar spoofing. Credit to Luan Herrera.
  • [573317] Low CVE-2016-1658: Potential leak of sensitive information to malicious extensions. Credit to Antonio Sanso (@asanso) of Adobe.
  • [602697] CVE-2016-1659: Various fixes from internal audits, fuzzing and other initiatives.
more...
chromium
chromium-npapi
chromium-pulse
2016-04-19

Jouni Malinen reports:

wpa_supplicant unauthorized WNM Sleep Mode GTK control. (2015-6 - CVE-2015-5310)

EAP-pwd missing last fragment length validation. (2015-7 - CVE-2015-5315)

EAP-pwd peer error path failure on unexpected Confirm message. (2015-8 - CVE-2015-5316)

more...
wpa_supplicant
2016-04-17

MITRE reports:

The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a large length value of an option in a DHCPACK message.

more...
dhcpcd
2016-04-17

MITRE reports:

The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other products, misinterprets the return value of the snprintf function, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted message.

more...
dhcpcd
2016-04-15

The Asterisk project reports:

PJProject has a limit on the number of TCP connections that it can accept. Furthermore, PJProject does not close TCP connections it accepts. By default, this value is approximately 60.

An attacker can deplete the number of allowed TCP connections by opening TCP connections and sending no data to Asterisk.

If PJProject has been compiled in debug mode, then once the number of allowed TCP connections has been depleted, the next attempted TCP connection to Asterisk will crash due to an assertion in PJProject.

If PJProject has not been compiled in debug mode, then any further TCP connection attempts will be rejected. This makes Asterisk unable to process TCP SIP traffic.

Note that this only affects TCP/TLS, since UDP is connectionless.

more...
pjsip
pjsip-extsrtp
2016-04-15

The Asterisk project reports:

Asterisk may crash when processing an incoming REGISTER request if that REGISTER contains a Contact header with a lengthy URI.

This crash will only happen for requests that pass authentication. Unauthenticated REGISTER requests will not result in a crash occurring.

This vulnerability only affects Asterisk when using PJSIP as its SIP stack. The chan_sip module does not have this problem.

more...
asterisk13
2016-04-14

Jason Buberel reports:

Go has an infinite loop in several big integer routines that makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client authentication or the Go ssh server libraries are both exposed to this vulnerability.

more...
go
2016-04-13*

The Mozilla Project reports:

MFSA 2015-133 NSS and NSPR memory corruption issues

MFSA 2015-132 Mixed content WebSocket policy bypass through workers

MFSA 2015-131 Vulnerabilities found through code inspection

MFSA 2015-130 JavaScript garbage collection crash with Java applet

MFSA 2015-129 Certain escaped characters in host of Location-header are being treated as non-escaped

MFSA 2015-128 Memory corruption in libjar through zip files

MFSA 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received

MFSA 2015-126 Crash when accessing HTML tables with accessibility tools on OS X

MFSA 2015-125 XSS attack through intents on Firefox for Android

MFSA 2015-124 Android intents can be used on Firefox for Android to open privileged files

MFSA 2015-123 Buffer overflow during image interactions in canvas

MFSA 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy

MFSA 2015-121 Disabling scripts in Add-on SDK panels has no effect

MFSA 2015-120 Reading sensitive profile files through local HTML file on Android

MFSA 2015-119 Firefox for Android addressbar can be removed after fullscreen mode

MFSA 2015-118 CSP bypass due to permissive Reader mode whitelist

MFSA 2015-117 Information disclosure through NTLM authentication

MFSA 2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)

more...
firefox
firefox-esr
libxul
linux-c6-nspr
linux-firefox
linux-seamonkey
linux-thunderbird
nspr
nss
seamonkey
thunderbird
2016-04-12*

Samba team reports:

[CVE-2015-5370] Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks.

[CVE-2016-2110] The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL.

[CVE-2016-2111] When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel's endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic.

[CVE-2016-2112] A man in the middle is able to downgrade LDAP connections to no integrity protection.

[CVE-2016-2113] Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://).

[CVE-2016-2114] Due to a bug Samba doesn't enforce required smb signing, even if explicitly configured.

[CVE-2016-2115] The protection of DCERPC communication over ncacn_np (which is the default for most the file server related protocols) is inherited from the underlying SMB connection.

[CVE-2016-2118] a.k.a. BADLOCK. A man in the middle can intercept any DCERPC traffic between a client and a server in order to impersonate the client and get the same privileges as the authenticated user account. This is most problematic against active directory domain controllers.

more...
samba36
samba4
samba41
samba42
samba43
samba44
2016-04-03

The PHP Group reports:

  • Fileinfo:
    • Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic file).
  • mbstring:
    • Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in mbfl_strcut).
  • Phar:
    • Fixed bug #71860 (Invalid memory write in phar on filename with \0 in name).
  • SNMP:
    • Fixed bug #71704 (php_snmp_error() Format String Vulnerability).
  • Standard:
    • Fixed bug #71798 (Integer Overflow in php_raw_url_encode).
more...
php55
php55-fileinfo
php55-mbstring
php55-phar
php55-snmp
php56
php56-fileinfo
php56-mbstring
php56-phar
php56-snmp
php70
php70-fileinfo
php70-mbstring
php70-phar
php70-snmp
2016-04-03

Mitre reports:

The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

more...
pcre
2016-04-03

Marina Glancy reports:

  • MSA-16-0003: Incorrect capability check when displaying users emails in Participants list

  • MSA-16-0004: XSS from profile fields from external db

  • MSA-16-0005: Reflected XSS in mod_data advanced search

  • MSA-16-0006: Hidden courses are shown to students in Event Monitor

  • MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single View

  • MSA-16-0008: External function get_calendar_events return events that pertains to hidden activities

  • MSA-16-0009: CSRF in Assignment plugin management page

  • MSA-16-0010: Enumeration of category details possible without authentication

  • MSA-16-0011: Add no referrer to links with _blank target attribute

  • MSA-16-0012: External function mod_assign_save_submission does not check due dates

more...
moodle28
moodle29
moodle30
2016-04-03*

Stelios Tsampas reports:

A (remotely exploitable) heap overflow vulnerability was found in Kamailio v4.3.4.

more...
kamailio
2016-04-03

Djblets Release Notes reports:

A recently-discovered vulnerability in the datagrid templates allows an attacker to generate a URL to any datagrid page containing malicious code in a column sorting value. If the user visits that URL and then clicks that column, the code will execute.

The cause of the vulnerability was due to a template not escaping user-provided values.

more...
py27-djblets
py32-djblets
py33-djblets
py34-djblets
py35-djblets
2016-04-02

Squid security advisory 2016:3 reports:

Due to a buffer overrun Squid pinger binary is vulnerable to denial of service or information leak attack when processing ICMPv6 packets.

This bug also permits the server response to manipulate other ICMP and ICMPv6 queries processing to cause information leak.

This bug allows any remote server to perform a denial of service attack on the Squid service by crashing the pinger. This may affect Squid HTTP routing decisions. In some configurations, sub-optimal routing decisions may result in serious service degradation or even transaction failures.

If the system does not contain buffer-overrun protection leading to that crash this bug will instead allow attackers to leak arbitrary amounts of information from the heap into Squid log files. This is of higher importance than usual because the pinger process operates with root priviliges.

Squid security advisory 2016:4 reports:

Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses.

This problem allows a malicious client script and remote server delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing the Squid service.

more...
squid
2016-03-31

The botan developers reports:

Excess memory allocation in BER decoder - The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer.

Crash in BER decoder - The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be used to easily crash applications reading untrusted ASN.1 data, but does not seem exploitable for code execution.

more...
botan110
2016-03-31

The botan developers reports:

Infinite loop in modular square root algorithm - The ressol function implements the Tonelli-Shanks algorithm for finding square roots could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, as this algorithm is only defined for primes. This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression.

Heap overflow on invalid ECC point - The PointGFp constructor did not check that the affine coordinate arguments were less than the prime, but then in curve multiplication assumed that both arguments if multiplied would fit into an integer twice the size of the prime.

The bigint_mul and bigint_sqr functions received the size of the output buffer, but only used it to dispatch to a faster algorithm in cases where there was sufficient output space to call an unrolled multiplication function.

The result is a heap overflow accessible via ECC point decoding, which accepted untrusted inputs. This is likely exploitable for remote code execution.

On systems which use the mlock pool allocator, it would allow an attacker to overwrite memory held in secure_vector objects. After this point the write will hit the guard page at the end of the mmapped region so it probably could not be used for code execution directly, but would allow overwriting adjacent key material.

more...
botan110
2016-03-31

PostgreSQL project reports:

Security Fixes for RLS, BRIN

This release closes security hole CVE-2016-2193 (https://access.redhat.com/security/cve/CVE-2016-2193), where a query plan might get reused for more than one ROLE in the same session. This could cause the wrong set of Row Level Security (RLS) policies to be used for the query.

The update also fixes CVE-2016-3065 (https://access.redhat.com/security/cve/CVE-2016-3065), a server crash bug triggered by using `pageinspect` with BRIN index pages. Since an attacker might be able to expose a few bytes of server memory, this crash is being treated as a security issue.

more...
postgresql95-contrib
postgresql95-server
2016-03-31

Adobe reports:

These updates resolve integer overflow vulnerabilities that could lead to code execution (CVE-2016-0963, CVE-2016-0993, CVE-2016-1010).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, CVE-2016-1000).

These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2016-1001).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, CVE-2016-1005).

more...
linux-c6-flashplugin
linux-c6_64-flashplugin
linux-f10-flashplugin
2016-03-29

Google Chrome Releases reports:

[589838] High CVE-2016-1643: Type confusion in Blink.

[590620] High CVE-2016-1644: Use-after-free in Blink.

[587227] High CVE-2016-1645: Out-of-bounds write in PDFium.

more...
chromium
chromium-npapi
chromium-pulse
2016-03-29

Google Chrome Releases reports:

[594574] High CVE-2016-1646: Out-of-bounds read in V8.

[590284] High CVE-2016-1647: Use-after-free in Navigation.

[590455] High CVE-2016-1648: Use-after-free in Extensions.

[597518] CVE-2016-1650: Various fixes from internal audits, fuzzing and other initiatives.

Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch

more...
chromium
chromium-npapi
chromium-pulse
2016-03-29

Mercurial reports:

CVE-2016-3630: Remote code execution in binary delta decoding

CVE-2016-3068: Arbitrary code execution with Git subrepos

CVE-2016-3069: Arbitrary code execution when converting Git repos

more...
mercurial
2016-03-28

ISC reports:

A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure.

more...
bind9-devel
bind910
2016-03-27

SaltStack reports:

This issue affects all Salt versions prior to 2015.8.8/2015.5.10 when PAM external authentication is enabled. This issue involves passing an alternative PAM authentication service with a command that is sent to LocalClient, enabling the attacker to bypass the configured authentication service.

more...
py27-salt
py32-salt
py33-salt
py34-salt
py35-salt
2016-03-25

Michael Furman reports:

The web based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe which could then be used to cause a user to perform an unintended action in the console.

more...
activemq
2016-03-25

Alvaro Muatoz, Matthias Kaiser and Christian Schneider reports:

JMS Object messages depends on Java Serialization for marshaling/unmashaling of the message payload. There are a couple of places inside the broker where deserialization can occur, like web console or stomp object message transformation. As deserialization of untrusted data can leaed to security flaws as demonstrated in various reports, this leaves the broker vunerable to this attack vector. Additionally, applications that consume ObjectMessage type of messages can be vunerable as they deserlize objects on ObjectMessage.getObject() calls.

more...
activemq
2016-03-25

Vladimir Ivanov (Positive Technologies) reports:

Several instances of cross-site scripting vulnerabilities were identified to be present in the web based administration console as well as the ability to trigger a Java memory dump into an arbitrary folder. The root cause of these issues are improper user data output validation and incorrect permissions configured on Jolokia.

more...
activemq
2016-03-21*

Philip Hazel reports:

PCRE does not validate that handling the (*ACCEPT) verb will occur within the bounds of the cworkspace stack buffer, leading to a stack buffer overflow.

more...
pcre
pcre2
2016-03-19

Arun Suresh reports:

RPC traffic from clients, potentially including authentication credentials, may be intercepted by a malicious user with access to run tasks or containers on a cluster.

more...
hadoop2
2016-03-18

Debian reports:

integer overflow due to a loop which adds more to "len".

more...
git
git-gui
git-lite
git-subversion
2016-03-17

Debian reports:

"int" is the wrong data type for ... nlen assignment.

more...
git
2016-03-14

Jeremiah Senkpiel reports:

  • Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks.

  • Fix a defect that can cause memory corruption in certain very rare cases

  • Fix a defect that makes the CacheBleed Attack possible

more...
node
2016-03-14

Matt Johnson reports:

Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions

more...
dropbear
2016-03-14*

Mozilla Foundation reports:

Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts.

Security researcher James Clawson used the Address Sanitizer tool to discover an out-of-bounds write in the Graphite 2 library when loading a crafted Graphite font file. This results in a potentially exploitable crash.

more...
graphite2
linux-firefox
linux-seamonkey
linux-thunderbird
2016-03-13

The PHP Group reports:

  • Core:
    • Fixed bug #71637 (Multiple Heap Overflow due to integer overflows in xml/filter_url/addcslashes).
  • SOAP:
    • Fixed bug #71610 (Type Confusion Vulnerability - SOAP / make_http_soap_request()).
more...
php70
php70-soap
2016-03-13

Martin Barbella reports:

JpGraph is an object oriented library for PHP that can be used to create various types of graphs which also contains support for client side image maps. The GetURLArguments function for the JpGraph's Graph class does not properly sanitize the names of get and post variables, leading to a cross site scripting vulnerability.

more...
jpgraph2
2016-03-13*

PHP reports:

  • Core:
    • Fixed bug #71039 (exec functions ignore length but look for NULL termination).
    • Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input).
    • Fixed bug #71459 (Integer overflow in iptcembed()).
  • PCRE:
    • Upgraded bundled PCRE library to 8.38.(CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)
  • Phar:
    • Fixed bug #71354 (Heap corruption in tar/zip/phar parser).
    • Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()).
    • Fixed bug #71488 (Stack overflow when decompressing tar archives). (CVE-2016-2554)
  • WDDX:
    • Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization).
more...
php55
php55-phar
php55-wddx
php56
php56-phar
php56-wddx
2016-03-13

The PHP Group reports:

  • Phar:
    • Fixed bug #71498 (Out-of-Bound Read in phar_parse_zipfile()).
  • WDDX:
    • Fixed bug #71587 (Use-After-Free / Double-Free in WDDX Deserialize).
more...
php55-phar
php55-wddx
php56-phar
php56-wddx
2016-03-10

Donald Sharp reports:

A malicious BGP peer may execute arbitrary code in particularly configured remote bgpd hosts.

more...
quagga
2016-03-10

Hanno Bock reports:

The pidgin-otr plugin version 4.0.2 fixes a heap use after free error. The bug is triggered when a user tries to authenticate a buddy and happens in the function create_smp_dialog.

more...
pidgin-otr
2016-03-10

special reports:

By sending a nickname with some HTML tags in a contact request, an attacker could cause Ricochet to make network requests without Tor after the request is accepted, which would reveal the user's IP address.

more...
ricochet
2016-03-09*

X41 D-Sec reports:

A remote attacker may crash or execute arbitrary code in libotr by sending large OTR messages.

more...
libotr
libotr3
2016-03-08*

Google Chrome Releases reports:

[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.

Mozilla Foundation reports:

Security researcher Luke Li reported a pointer underflow bug in the Brotli library's decompression that leads to a buffer overflow. This results in a potentially exploitable crash when triggered.

more...
brotli
chromium
chromium-npapi
chromium-pulse
firefox
firefox-esr
libbrotli
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2016-03-08*

Mozilla Foundation reports:

MFSA 2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)

MFSA 2016-17 Local file overwriting and potential privilege escalation through CSP reports

MFSA 2016-18 CSP reports fail to strip location information for embedded iframe pages

MFSA 2016-19 Linux video memory DOS with Intel drivers

MFSA 2016-20 Memory leak in libstagefright when deleting an array during MP4 processing

MFSA 2016-21 Displayed page address can be overridden

MFSA 2016-22 Service Worker Manager out-of-bounds read in Service Worker Manager

MFSA 2016-23 Use-after-free in HTML5 string parser

MFSA 2016-24 Use-after-free in SetBody

MFSA 2016-25 Use-after-free when using multiple WebRTC data channels

MFSA 2016-26 Memory corruption when modifying a file being read by FileReader

MFSA 2016-27 Use-after-free during XML transformations

MFSA 2016-28 Addressbar spoofing though history navigation and Location protocol property

MFSA 2016-29 Same-origin policy violation using perfomance.getEntries and history navigation with session restore

MFSA 2016-31 Memory corruption with malicious NPAPI plugin

MFSA 2016-32 WebRTC and LibVPX vulnerabilities found through code inspection

MFSA 2016-33 Use-after-free in GetStaticInstance in WebRTC

MFSA 2016-34 Out-of-bounds read in HTML parser following a failed allocation

more...
firefox
firefox-esr
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2016-03-08*

Google Chrome Releases reports:

6 security fixes in this release, including:

  • [546677] High CVE-2016-1622: Same-origin bypass in Extensions. Credit to anonymous.
  • [577105] High CVE-2016-1623: Same-origin bypass in DOM. Credit to Mariusz Mlynski.
  • [509313] Medium CVE-2016-1625: Navigation bypass in Chrome Instant. Credit to Jann Horn.
  • [571480] Medium CVE-2016-1626: Out-of-bounds read in PDFium. Credit to anonymous, working with HP's Zero Day Initiative.
  • [585517] CVE-2016-1627: Various fixes from internal audits, fuzzing and other initiatives.
more...
chromium
chromium-npapi
chromium-pulse
2016-03-08*

Mozilla Foundation reports:

MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)

MFSA 2016-02 Out of Memory crash when parsing GIF format images

MFSA 2016-03 Buffer overflow in WebGL after out of memory allocation

MFSA 2016-04 Firefox allows for control characters to be set in cookie names

MFSA 2016-06 Missing delay following user click events in protocol handler dialog

MFSA 2016-09 Addressbar spoofing attacks

MFSA 2016-10 Unsafe memory manipulation found through code inspection

MFSA 2016-11 Application Reputation service disabled in Firefox 43

more...
firefox
firefox-esr
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2016-03-08

Mozilla Foundation reports:

Security researcher Hanno Böck reported that calculations with mp_div and mp_exptmod in Network Security Services (NSS) can produce wrong results in some circumstances. These functions are used within NSS for a variety of cryptographic division functions, leading to potential cryptographic weaknesses.

Mozilla developer Eric Rescorla reported that a failed allocation during DHE and ECDHE handshakes would lead to a use-after-free vulnerability.

more...
linux-c6-nss
linux-firefox
linux-seamonkey
nss
2016-03-08*

Talos reports:

  • An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service.

  • A specially crafted font can cause a buffer overflow resulting in potential code execution.

  • An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash.

more...
graphite2
linux-thunderbird
silgraphite
2016-03-08

Mozilla Foundation reports:

Security researcher Francis Gabriel reported a heap-based buffer overflow in the way the Network Security Services (NSS) libraries parsed certain ASN.1 structures. An attacker could create a specially-crafted certificate which, when parsed by NSS, would cause it to crash or execute arbitrary code with the permissions of the user.

Mozilla developer Tim Taubert used the Address Sanitizer tool and software fuzzing to discover a use-after-free vulnerability while processing DER encoded keys in the Network Security Services (NSS) libraries. The vulnerability overwrites the freed memory with zeroes.

more...
linux-c6-nss
linux-firefox
linux-seamonkey
linux-thunderbird
nss
2016-03-08

Tim Graham reports:

Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth

User enumeration through timing difference on password hasher work factor upgrade

more...
py27-django
py27-django-devel
py27-django18
py27-django19
py32-django
py32-django-devel
py32-django18
py32-django19
py33-django
py33-django-devel
py33-django18
py33-django19
py34-django
py34-django-devel
py34-django18
py34-django19
py35-django
py35-django-devel
py35-django18
py35-django19
2016-03-08*

Aaron Jorbin reports:

WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised. This was reported by Crtc4L.

more...
de-wordpress
ja-wordpress
ru-wordpress
wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
2016-03-08

Samuel Sidler reports:

WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.4.1 and earlier are affected by two security issues: a possible SSRF for certain local URIs, reported by Ronni Skansing; and an open redirection attack, reported by Shailesh Suthar.

more...
de-wordpress
ja-wordpress
ru-wordpress
wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
2016-03-07*

The Asterisk project reports:

AST-2016-001 - BEAST vulnerability in HTTP server

AST-2016-002 - File descriptor exhaustion in chan_sip

AST-2016-003 - Remote crash vulnerability when receiving UDPTL FAX data

more...
asterisk
asterisk11
asterisk13
2016-03-07

Simon G. Tatham reports:

Many versions of PSCP prior to 0.67 have a stack corruption vulnerability in their treatment of the 'sink' direction (i.e. downloading from server to client) of the old-style SCP protocol.

In order for this vulnerability to be exploited, the user must connect to a malicious server and attempt to download any file.[...] you can work around it in a vulnerable PSCP by using the -sftp option to force the use of the newer SFTP protocol, provided your server supports that protocol.

more...
putty
2016-03-06

Sebastien Delafond reports:

Jakub Palaczynski discovered that websvn, a web viewer for Subversion repositories, does not correctly sanitize user-supplied input, which allows a remote user to run reflected cross-site scripting attacks.

more...
websvn
2016-03-06

Ruby on Rails blog:

Rails 4.2.5.2, 4.1.14.2, and 3.2.22.2 have been released! These contain the following important security fixes, and it is recommended that users upgrade as soon as possible.

more...
rubygem-actionpack
rubygem-actionpack4
rubygem-actionview
rubygem-rails
rubygem-rails4
2016-03-06

Thijs Kinkhorst reports:

James Clawson reported:

"Arbitrary files with a known path can be accessed in websvn by committing a symlink to a repository and then downloading the file (using the download link).

An attacker must have write access to the repo, and the download option must have been enabled in the websvn config file."

more...
websvn
2016-03-05

Andreas Schneider reports:

libssh versions 0.1 and above have a bits/bytes confusion bug and generate the an anormaly short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. There are practical algorithms (Baby steps/Giant steps, Pollard?s rho) that can solve this problem in O(2^63) operations.

Both client and server are are vulnerable, pre-authentication. This vulnerability could be exploited by an eavesdropper with enough resources to decrypt or intercept SSH sessions. The bug was found during an internal code review by Aris Adamantiadis of the libssh team.

more...
libssh
2016-03-05

Google Chrome Releases reports:

[560011] High CVE-2016-1630: Same-origin bypass in Blink.

[569496] High CVE-2016-1631: Same-origin bypass in Pepper Plugin.

[549986] High CVE-2016-1632: Bad cast in Extensions.

[572537] High CVE-2016-1633: Use-after-free in Blink.

[559292] High CVE-2016-1634: Use-after-free in Blink.

[585268] High CVE-2016-1635: Use-after-free in Blink.

[584155] High CVE-2016-1636: SRI Validation Bypass.

[555544] Medium CVE-2016-1637: Information Leak in Skia.

[585282] Medium CVE-2016-1638: WebAPI Bypass.

[572224] Medium CVE-2016-1639: Use-after-free in WebRTC.

[550047] Medium CVE-2016-1640: Origin confusion in Extensions UI.

[583718] Medium CVE-2016-1641: Use-after-free in Favicon.

[591402] CVE-2016-1642: Various fixes from internal audits, fuzzing and other initiatives.

Multiple vulnerabilities in V8 fixed.

more...
chromium
chromium-npapi
chromium-pulse
2016-03-02

The Exim development team reports:

All installations having Exim set-uid root and using 'perl_startup' are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (and this is normally any user) can gain root privileges. If you do not use 'perl_startup' you should be safe.

more...
exim
2016-03-02

The Cacti Group, Inc. reports:

Changelog

  • bug:0002652: CVE-2015-8604: SQL injection in graphs_new.php
  • bug:0002655: CVE-2015-8377: SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php
  • bug:0002656: Authentication using web authentication as a user not in the cacti database allows complete access
more...
cacti
2016-03-01

Wireshark development team reports:

The following vulnerabilities have been fixed:

  • wnpa-sec-2015-31

    NBAP dissector crashes. (Bug 11602, Bug 11835, Bug 11841)

  • wnpa-sec-2015-37

    NLM dissector crash.

  • wnpa-sec-2015-39

    BER dissector crash.

  • wnpa-sec-2015-40

    Zlib decompression crash. (Bug 11548)

  • wnpa-sec-2015-41

    SCTP dissector crash. (Bug 11767)

  • wnpa-sec-2015-42

    802.11 decryption crash. (Bug 11790, Bug 11826)

  • wnpa-sec-2015-43

    DIAMETER dissector crash. (Bug 11792)

  • wnpa-sec-2015-44

    VeriWave file parser crashes. (Bug 11789, Bug 11791)

  • wnpa-sec-2015-45

    RSVP dissector crash. (Bug 11793)

  • wnpa-sec-2015-46

    ANSI A and GSM A dissector crashes. (Bug 11797)

  • wnpa-sec-2015-47

    Ascend file parser crash. (Bug 11794)

  • wnpa-sec-2015-48

    NBAP dissector crash. (Bug 11815)

  • wnpa-sec-2015-49

    RSL dissector crash. (Bug 11829)

  • wnpa-sec-2015-50

    ZigBee ZCL dissector crash. (Bug 11830)

  • wnpa-sec-2015-51

    Sniffer file parser crash. (Bug 11827)

  • wnpa-sec-2015-52

    NWP dissector crash. (Bug 11726)

  • wnpa-sec-2015-53

    BT ATT dissector crash. (Bug 11817)

  • wnpa-sec-2015-54

    MP2T file parser crash. (Bug 11820)

  • wnpa-sec-2015-55

    MP2T file parser crash. (Bug 11821)

  • wnpa-sec-2015-56

    S7COMM dissector crash. (Bug 11823)

  • wnpa-sec-2015-57

    IPMI dissector crash. (Bug 11831)

  • wnpa-sec-2015-58

    TDS dissector crash. (Bug 11846)

  • wnpa-sec-2015-59

    PPI dissector crash. (Bug 11876)

  • wnpa-sec-2015-60

    MS-WSP dissector crash. (Bug 11931)

more...
tshark
tshark-lite
wireshark
wireshark-lite
wireshark-qt5
2016-03-01

The phpMyAdmin development team reports:

XSS vulnerability in SQL parser.

Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page.

We consider this vulnerability to be non-critical.

Multiple XSS vulnerabilities.

By sending a specially crafted URL as part of the HOST header, it is possible to trigger an XSS attack.

A weakness was found that allows an XSS attack with Internet Explorer versions older than 8 and Safari on Windows using a specially crafted URL.

Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page.

Using a crafted parameter value, it is possible to trigger an XSS attack in user accounts page.

Using a crafted parameter value, it is possible to trigger an XSS attack in zoom search page.

We consider this vulnerability to be non-critical.

Multiple XSS vulnerabilities.

With a crafted table/column name it is possible to trigger an XSS attack in the database normalization page.

With a crafted parameter it is possible to trigger an XSS attack in the database structure page.

With a crafted parameter it is possible to trigger an XSS attack in central columns page.

We consider this vulnerability to be non-critical.

Vulnerability allowing man-in-the-middle attack on API call to GitHub.

A vulnerability in the API call to GitHub can be exploited to perform a man-in-the-middle attack.

We consider this vulnerability to be serious.

more...
phpmyadmin
2016-02-28*

Mark Thomas reports:

  • CVE-2015-5345 Apache Tomcat Directory disclosure

  • CVE-2016-0706 Apache Tomcat Security Manager bypass

  • CVE-2016-0714 Apache Tomcat Security Manager Bypass

more...
tomcat6
tomcat7
tomcat8
2016-02-28

Marina Glancy reports:

  • MSA-16-0001: Two enrolment-related web services don't check course visibility

  • MSA-16-0002: XSS Vulnerability in course management search

more...
moodle28
moodle29
moodle30
2016-02-28*

Squid security advisory 2016:2 reports:

Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses.

These problems allow remote servers delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing the Squid service.

HTTP responses containing malformed headers that trigger this issue are becoming common. We are not certain at this time if that is a sign of malware or just broken server scripting.

more...
squid
2016-02-28

Tim Graham reports:

User with "change" but not "add" permission can create objects for ModelAdmin?s with save_as=True

more...
py27-django-devel
py27-django19
py33-django-devel
py33-django19
py34-django-devel
py34-django19
py35-django-devel
py35-django19
2016-02-28

Mark Thomas reports:

  • CVE-2015-5346 Apache Tomcat Session fixation

  • CVE-2015-5351 Apache Tomcat CSRF token leak

  • CVE-2016-0763 Apache Tomcat Security Manager Bypass

more...
tomcat7
tomcat8
2016-02-28

The Xen Project reports:

The PV superpage functionality lacks certain validity checks on data being passed to the hypervisor by guests. This is the case for the page identifier (MFN) passed to MMUEXT_MARK_SUPER and MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as well as for various forms of page table updates.

Use of the feature, which is disabled by default, may have unknown effects, ranging from information leaks through Denial of Service to privilege escalation.

more...
xen-kernel
2016-02-28

The Xen Project reports:

While INVLPG does not cause a General Protection Fault when used on a non-canonical address, INVVPID in its "individual address" variant, which is used to back the intercepted INVLPG in certain cases, fails in such cases. Failure of INVVPID results in a hypervisor bug check.

A malicious guest can crash the host, leading to a Denial of Service.

more...
xen-kernel
2016-02-28

The Xen Project reports:

VMX refuses attempts to enter a guest with an instruction pointer which doesn't satisfy certain requirements. In particular, the instruction pointer needs to be canonical when entering a guest currently in 64-bit mode. This is the case even if the VM entry information specifies an exception to be injected immediately (in which case the bad instruction pointer would possibly never get used for other than pushing onto the exception handler's stack). Provided the guest OS allows user mode to map the virtual memory space immediately below the canonical/non-canonical address boundary, a non-canonical instruction pointer can result even from normal user mode execution. VM entry failure, however, is fatal to the guest.

Malicious HVM guest user mode code may be able to crash the guest.

more...
xen-kernel
2016-02-28

The Apache Software Foundation reports:

The Xerces-C XML parser mishandles certain kinds of malformed input documents, resulting in buffer overlows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.

more...
xerces-c3
2016-02-26

Luke Farone reports:

Double-clicking a file in the user's media library with a specially-crafted path or filename allows for arbitrary code execution with the permissions of the user running Pitivi.

more...
pitivi
2016-02-26

Hans Jerry Illikainen reports:

A heap overflow may occur in the giffix utility included in giflib-5.1.1 when processing records of the type `IMAGE_DESC_RECORD_TYPE' due to the allocated size of `LineBuffer' equaling the value of the logical screen width, `GifFileIn->SWidth', while subsequently having `GifFileIn->Image.Width' bytes of data written to it.

more...
giflib
2016-02-25

Drupal Security Team reports:

  • File upload access bypass and denial of service (File module - Drupal 7 and 8 - Moderately Critical)

  • Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6 and 7 - Moderately Critical)

  • Open redirect via path manipulation (Base system - Drupal 6, 7 and 8 - Moderately Critical)

  • Form API ignores access restrictions on submit buttons (Form API - Drupal 6 - Critical)

  • HTTP header injection using line breaks (Base system - Drupal 6 - Moderately Critical)

  • Open redirect via double-encoded 'destination' parameter (Base system - Drupal 6 - Moderately Critical)

  • Reflected file download vulnerability (System module - Drupal 6 and 7 - Moderately Critical)

  • Saving user accounts can sometimes grant the user all roles (User module - Drupal 6 and 7 - Less Critical)

  • Email address can be matched to an account (User module - Drupal 7 and 8 - Less Critical)

  • Session data truncation can lead to unserialization of user provided data (Base system - Drupal 6 - Less Critical)

more...
drupal6
drupal7
drupal8
2016-02-25

Jenkins Security Advisory:

Description

SECURITY-232 / CVE-2016-0788(Remote code execution vulnerability in remoting module)

A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed arbitrary code execution.

SECURITY-238 / CVE-2016-0789(HTTP response splitting vulnerability)

An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content.

SECURITY-241 / CVE-2016-0790(Non-constant time comparison of API token)

The verification of user-provided API tokens with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid API tokens using brute-force methods.

SECURITY-245 / CVE-2016-0791(Non-constant time comparison of CSRF crumbs)

The verification of user-provided CSRF crumbs with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid CSRF crumbs using brute-force methods.

SECURITY-247 / CVE-2016-0792(Remote code execution through remote API)

Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.

more...
jenkins
jenkins-lts
2016-02-24*

oCERT reports:

The library is affected by a double-free vulnerability in function jas_iccattrval_destroy() as well as a heap-based buffer overflow in function jp2_decode(). A specially crafted jp2 file can be used to trigger the vulnerabilities.

oCERT reports:

The library is affected by an off-by-one error in a buffer boundary check in jpc_dec_process_sot(), leading to a heap based buffer overflow, as well as multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to stack overflow. A specially crafted jp2 file can be used to trigger the vulnerabilities.

oCERT reports:

Multiple off-by-one flaws, leading to heap-based buffer overflows, were found in the way JasPer decoded JPEG 2000 files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.

limingxing reports:

A vulnerability was found in the way the JasPer's jas_matrix_clip() function parses certain JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

more...
jasper
2016-02-24*

Martin Prpic reports:

A double free flaw was found in the way JasPer's jasper_image_stop_load() function parsed certain JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

Feist Josselin reports:

A new use-after-free was found in Jasper JPEG-200. The use-after-free appears in the function mif_process_cmpt of the src/libjasper/mif/mif_cod.c file.

more...
jasper
2016-02-21

libsrtp reports:

Prevent potential DoS attack due to lack of bounds checking on RTP header CSRC count and extension header length. Credit goes to Randell Jesup and the Firefox team for reporting this issue.

more...
libsrtp
2016-02-21

Stian Soiland-Reyes reports:

This release fixes a remote code execution vulnerability that was identified in BeanShell by Alvaro Muñoz and Christian Schneider. The BeanShell team would like to thank them for their help and contributions to this fix!

An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source.

A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands.

This update fixes the vulnerability in BeanShell, but it is worth noting that applications doing such deserialization might still be insecure through other libraries. It is recommended that application developers take further measures such as using a restricted class loader when deserializing. See notes on Java serialization security XStream security and How to secure deserialization from untrusted input without using encryption or sealing.

more...
bsh
2016-02-18

Fabio Olive Leite reports:

A stack-based buffer overflow was found in libresolv when invoked from nss_dns, allowing specially crafted DNS responses to seize control of EIP in the DNS client. The buffer overflow occurs in the functions send_dg (send datagram) and send_vc (send TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC family, or in some cases AF_INET6 family. The use of AF_UNSPEC (or AF_INET6 in some cases) triggers the low-level resolver code to send out two parallel queries for A and AAAA. A mismanagement of the buffers used for those queries could result in the response of a query writing beyond the alloca allocated buffer created by __res_nquery.

more...
linux_base-c6
linux_base-c6_64
linux_base-f10
2016-02-18

Google Chrome Releases reports:

[583431] Critical CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in Chrome. Credit to anonymous.

more...
chromium
chromium-npapi
chromium-pulse
2016-02-18

Squid security advisory 2016:1 reports:

Due to incorrectly handling server errors Squid is vulnerable to a denial of service attack when connecting to TLS or SSL servers.

This problem allows any trusted client to perform a denial of service attack on the Squid service regardless of whether TLS or SSL is configured for use in the proxy.

Misconfigured client or server software may trigger this issue to perform a denial of service unintentionally.

However, the bug is exploitable only if Squid is built using the --with-openssl option.

The FreeBSD port does not use SSL by default and is not vulnerable in the default configuration.

more...
squid
2016-02-18*

Amos Jeffries, release manager of the Squid-3 series, reports:

Vulnerable versions are 3.5.0.1 to 3.5.8 (inclusive), which are built with OpenSSL and configured for "SSL-Bump" decryption.

Integer overflows can lead to invalid pointer math reading from random memory on some CPU architectures. In the best case this leads to wrong TLS extensiosn being used for the client, worst-case a crash of the proxy terminating all active transactions.

Incorrect message size checks and assumptions about the existence of TLS extensions in the SSL/TLS handshake message can lead to very high CPU consumption (up to and including 'infinite loop' behaviour).

The above can be triggered remotely. Though there is one layer of authorization applied before this processing to check that the client is allowed to use the proxy, that check is generally weak. MS Skype on Windows XP is known to trigger some of these.

The FreeBSD port does not use SSL by default and is not vulnerable in the default configuration.

more...
squid
2016-02-17

Jakub Vrana reports:

Fix XSS in indexes (non-MySQL only)

more...
adminer
2016-02-17

Jakub Vrana reports:

Fix XSS in login form

more...
adminer
2016-02-17

Jakub Vrana reports:

Fix XSS in alter table

more...
adminer
2016-02-17

Jakub Vrana reports:

Fix remote code execution in SQLite query

more...
adminer
2016-02-16

GnuPG reports:

Mitigate side-channel attack on ECDH with Weierstrass curves.

more...
libgcrypt
2016-02-16

Stepan Golosunov reports:

Buffer overflow was found and fixed in xdelta3 binary diff tool that allows arbitrary code execution from input files at least on some systems.

more...
xdelta3
2016-02-15

The Mozilla Foundation reports:

MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests. For example, a forged crossdomain.xml could allow a malicious site to violate the same-origin policy using the Flash plugin.

more...
firefox
linux-firefox
2016-02-14

The Horde Team reports:

Fixed XSS vulnerabilities in menu bar and form renderer.

more...
horde
pear-Horde_Core
2016-02-14*

Frank Denis reports:

Malformed packets could lead to denial of service or code execution.

more...
dnscrypt-proxy
2016-02-13

Nghttp2 reports:

Out of memory in nghttpd, nghttp, and libnghttp2_asio applications due to unlimited incoming HTTP header fields.

nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage for the incoming HTTP header field. If peer sends specially crafted HTTP/2 HEADERS frames and CONTINUATION frames, they will crash with out of memory error.

Note that libnghttp2 itself is not affected by this vulnerability.

more...
nghttp2
2016-02-12

PostgreSQL project reports:

Security Fixes for Regular Expressions, PL/Java

  • CVE-2016-0773: This release closes security hole CVE-2016-0773, an issue with regular expression (regex) parsing. Prior code allowed users to pass in expressions which included out-of-range Unicode characters, triggering a backend crash. This issue is critical for PostgreSQL systems with untrusted users or which generate regexes based on user input.
  • CVE-2016-0766: The update also fixes CVE-2016-0766, a privilege escalation issue for users of PL/Java. Certain custom configuration settings (GUCS) for PL/Java will now be modifiable only by the database superuser
more...
postgresql91-server
postgresql92-server
postgresql93-server
postgresql94-server
postgresql95-server
2016-02-10

Adobe reports:

These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2016-0985).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-0971).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968, CVE-2016-0969, CVE-2016-0970, CVE-2016-0972, CVE-2016-0976, CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980, CVE-2016-0981).

more...
linux-c6-flashplugin
linux-c6_64-flashplugin
linux-f10-flashplugin
2016-02-09

The Pillow maintainers report:

If a large value was passed into the new size for an image, it is possible to overflow an int32 value passed into malloc, leading the malloc?d buffer to be undersized. These allocations are followed by a loop that writes out of bounds. This can lead to corruption on the heap of the Python process with attacker controlled float data.

This issue was found by Ned Williamson.

more...
py27-pillow
py33-pillow
py34-pillow
py35-pillow
2016-02-09

J.C. Cleaver reports:

  • CVE-2016-2054: Buffer overflow in xymond handling of "config" command

  • CVE-2016-2055: Access to possibly confidential files in the Xymon configuration directory

  • CVE-2016-2056: Shell command injection in the "useradm" and "chpasswd" web applications

  • CVE-2016-2057: Incorrect permissions on IPC queues used by the xymond daemon can bypass IP access filtering

  • CVE-2016-2058: Javascript injection in "detailed status webpage" of monitoring items; XSS vulnerability via malformed acknowledgment messages

more...
xymon-server
2016-02-09

The Pillow maintainers report:

Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 may overflow a buffer when reading a specially crafted tiff file.

Specifically, libtiff >= 4.0.0 changed the return type of TIFFScanlineSize from int32 to machine dependent int32|64. If the scanline is sized so that it overflows an int32, it may be interpreted as a negative number, which will then pass the size check in TiffDecode.c line 236. To do this, the logical scanline size has to be > 2gb, and for the test file, the allocated buffer size is 64k against a roughly 4gb scan line size. Any image data over 64k is written over the heap, causing a segfault.

This issue was found by security researcher FourOne.

more...
py27-pillow
py33-pillow
py34-pillow
py35-pillow
2016-02-09

The Pillow maintainers report:

In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error.

There is a memcpy error where x is added to a target buffer address. X is used in several internal temporary variable roles, but can take a value up to the width of the image. Im->image[y] is a set of row pointers to segments of memory that are the size of the row. At the max y, this will write the contents of the line off the end of the memory buffer, causing a segfault.

This issue was found by Alyssa Besseling at Atlassian.

more...
py27-imaging
py27-pillow
py33-pillow
py34-pillow
py35-pillow
2016-02-09

The Pillow maintainers report:

In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, PcdDecode.c has a buffer overflow error.

The state.buffer for PcdDecode.c is allocated based on a 3 bytes per pixel sizing, where PcdDecode.c wrote into the buffer assuming 4 bytes per pixel. This writes 768 bytes beyond the end of the buffer into other Python object storage. In some cases, this causes a segfault, in others an internal Python malloc error.

more...
py27-imaging
py27-pillow
py33-pillow
py34-pillow
py35-pillow
2016-02-06

FFmpeg security reports:

FFmpeg 2.8.6 fixes the following vulnerabilities: CVE-2016-2213

more...
ffmpeg
mencoder
mplayer
2016-02-05

Michael Catanzaro reports:

Shotwell has a serious security issue ("Shotwell does not verify TLS certificates"). Upstream is no longer active and I do not expect any further upstream releases unless someone from the community steps up to maintain it.

What is the impact of the issue? If you ever used any of the publish functionality (publish to Facebook, publish to Flickr, etc.), your passwords may have been stolen; changing them is not a bad idea.

What is the risk of the update? Regressions. The easiest way to validate TLS certificates was to upgrade WebKit; it seems to work but I don't have accounts with the online services it supports, so I don't know if photo publishing still works properly on all the services.

more...
shotwell
2016-02-05*

Samba team reports:

[CVE-2015-3223] Malicious request can cause Samba LDAP server to hang, spinning using CPU.

[CVE-2015-5330] Malicious request can cause Samba LDAP server to return uninitialized memory that should not be part of the reply.

[CVE-2015-5296] Requesting encryption should also request signing when setting up the connection to protect against man-in-the-middle attacks.

[CVE-2015-5299] A missing access control check in the VFS shadow_copy2 module could allow unauthorized users to access snapshots.

[CVE-2015-7540] Malicious request can cause Samba LDAP server to return crash.

[CVE-2015-8467] Samba can expose Windows DCs to MS15-096 Denial of service via the creation of multiple machine accounts(The Microsoft issue is CVE-2015-2535).

[CVE-2015-5252] Insufficient symlink verification could allow data access outside share path.

more...
ldb
samba36
samba4
samba41
samba42
samba43
2016-02-04

webkit reports:

The ScrollView::paint function in platform/scroll/ScrollView.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to spoof the UI by extending scrollbar painting into the parent frame.

more...
webkit-gtk2
webkit-gtk3
2016-02-04

Filippo Valsorda reports:

python-rsa is vulnerable to a straightforward variant of the Bleichenbacher'06 attack against RSA signature verification with low public exponent.

more...
py27-rsa
py32-rsa
py33-rsa
py34-rsa
py35-rsa
2016-02-03

SaltStack reports:

Improper handling of clear messages on the minion, which could result in executing commands not sent by the master.

more...
py27-salt
py32-salt
py33-salt
py34-salt
py35-salt
2016-02-02*

The cURL project reports:

libcurl will reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer.

more...
curl
linux-c6-curl
linux-c6_64-curl
linux-f10-curl
2016-02-02

Ruby on Rails blog:

Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been released! These contain important security fixes, and it is recommended that users upgrade as soon as possible.

more...
rubygem-actionpack
rubygem-actionpack4
rubygem-actionview
rubygem-activemodel4
rubygem-activerecord
rubygem-activerecord4
rubygem-rails
rubygem-rails-html-sanitizer
rubygem-rails4
2016-02-01

socat reports:

In the OpenSSL address implementation the hard coded 1024 bit DH p parameter was not prime. The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p. Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out.

more...
socat
2016-02-01

CENSUS S.A. reports:

GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone to an integer overflow vulnerability which leads to a buffer overflow and potentially to remote code execution.

GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone to an out-of-bounds read vulnerability due to missing checks.

more...
gdcm
2016-01-31*

Daniel Veilland reports:

Enforce the reader to run in constant memory. One of the operation on the reader could resolve entities leading to the classic expansion issue. Make sure the buffer used for xmlreader operation is bounded. Introduce a new allocation type for the buffers for this effect.

more...
libxml2
linux-c6-libxml2
linux-f10-libxml2
2016-01-31*

Alan Coopersmith reports:

Ilja van Sprundel, a security researcher with IOActive, has discovered an issue in the parsing of BDF font files by libXfont. Additional testing by Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool uncovered two more issues in the parsing of BDF font files.

As libXfont is used by the X server to read font files, and an unprivileged user with access to the X server can tell the X server to read a given font file from a path of their choosing, these vulnerabilities have the potential to allow unprivileged users to run code with the privileges of the X server (often root access).

more...
libXfont
linux-c6-xorg-libs
linux-f10-xorg-libs
2016-01-30

Maxim Dounin reports:

Several problems in nginx resolver were identified, which might allow an attacker to cause worker process crash, or might have potential other impact if the "resolver" directive is used in a configuration file.

more...
nginx
nginx-devel
2016-01-29

Owncloud reports:

  • Reflected XSS in OCS provider discovery (oC-SA-2016-001)

  • Information Exposure Through Directory Listing in the file scanner (oC-SA-2016-002)

  • Disclosure of files that begin with ".v" due to unchecked return value (oC-SA-2016-003)

more...
owncloud
2016-01-29

nghttp2 reports:

This release fixes heap-use-after-free bug in idle stream handling code. We strongly recommend to upgrade the older installation to this latest version as soon as possible.

more...
nghttp2
2016-01-29

TYPO3 Security Team reports:

It has been discovered that TYPO3 CMS is susceptible to Cross-Site Scripting and Cross-Site Flashing.

more...
typo3
typo3-lts
2016-01-29

Radicale reports:

The multifilesystem backend allows access to arbitrary files on all platforms.

Prevent regex injection in rights management.

more...
py27-radicale
py32-radicale
py33-radicale
py34-radicale
2016-01-28

The Prosody team reports:

Adopt key generation algorithm from XEP-0185, to prevent impersonation attacks (CVE-2016-0756)

more...
prosody
2016-01-28

The phpMyAdmin development team reports:

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

We consider these vulnerabilities to be non-critical.

This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

The XSRF/CSRF token is generated with a weak algorithm using functions that do not return cryptographically secure values.

We consider this vulnerability to be non-critical.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

  • With a crafted table name it is possible to trigger an XSS attack in the database search page.
  • With a crafted SET value or a crafted search query, it is possible to trigger an XSS attacks in the zoom search page.
  • With a crafted hostname header, it is possible to trigger an XSS attacks in the home page.

We consider these vulnerabilities to be non-critical.

These vulnerabilities can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required pages.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

Password suggestion functionality uses Math.random() which does not provide cryptographically secure random numbers.

We consider this vulnerability to be non-critical.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

The comparison of the XSRF/CSRF token parameter with the value saved in the session is vulnerable to timing attacks. Moreover, the comparison could be bypassed if the XSRF/CSRF token matches a particular pattern.

We consider this vulnerability to be serious.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

We consider these vulnerabilities to be non-critical.

This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

With a crafted table name it is possible to trigger an XSS attack in the database normalization page.

We consider this vulnerability to be non-critical.

This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required page.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

By calling a particular script that is part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

We consider this vulnerability to be non-critical.

This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.

more...
phpmyadmin
2016-01-28

The phpMyAdmin development team reports:

With a crafted SQL query, it is possible to trigger an XSS attack in the SQL editor.

We consider this vulnerability to be non-critical.

This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required pages.

more...
phpmyadmin
2016-01-26

MITRE reports:

sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/file.txt."

more...
sudo
2016-01-26

Privoxy Developers reports:

Fixed a memory leak when rejecting client connections due to the socket limit being reached (CID 66382). This affected Privoxy 3.0.21 when compiled with IPv6 support (on most platforms this is the default).

Fixed an immediate-use-after-free bug (CID 66394) and two additional unconfirmed use-after-free complaints made by Coverity scan (CID 66391, CID 66376).

MITRE reports:

Privoxy before 3.0.22 allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors.

more...
privoxy
2016-01-26

Privoxy Developers reports:

Prevent invalid reads in case of corrupt chunk-encoded content. CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer.

Remove empty Host headers in client requests. Previously they would result in invalid reads. CVE-2016-1983. Bug discovered with afl-fuzz and AddressSanitizer.

more...
privoxy
2016-01-26

Privoxy Developers reports:

Proxy authentication headers are removed unless the new directive enable-proxy-authentication-forwarding is used. Forwarding the headers potentially allows malicious sites to trick the user into providing them with login information. Reported by Chris John Riley.

more...
privoxy
2016-01-26

Privoxy Developers reports:

Fixed a DoS issue in case of client requests with incorrect chunk-encoded body. When compiled with assertions enabled (the default) they could previously cause Privoxy to abort(). Reported by Matthew Daley. CVE-2015-1380.

Fixed multiple segmentation faults and memory leaks in the pcrs code. This fix also increases the chances that an invalid pcrs command is rejected as such. Previously some invalid commands would be loaded without error. Note that Privoxy's pcrs sources (action and filter files) are considered trustworthy input and should not be writable by untrusted third-parties. CVE-2015-1381.

Fixed an 'invalid read' bug which could at least theoretically cause Privoxy to crash. So far, no crashes have been observed. CVE-2015-1382.

more...
privoxy
2016-01-22*

ISC reports:

Problems converting OPT resource records and ECS options to text format can cause BIND to terminate

more...
bind910
2016-01-22

Enlightenment reports:

GIF loader: Fix segv on images without colormap

Prevent division-by-zero crashes.

Fix segfault when opening input/queue/id:000007,src:000000,op:flip1,pos:51 with feh

more...
imlib2
2016-01-21

Google Chrome Releases reports:

This update includes 37 security fixes, including:

  • [497632] High CVE-2016-1612: Bad cast in V8.
  • [572871] High CVE-2016-1613: Use-after-free in PDFium.
  • [544691] Medium CVE-2016-1614: Information leak in Blink.
  • [468179] Medium CVE-2016-1615: Origin confusion in Omnibox.
  • [541415] Medium CVE-2016-1616: URL Spoofing.
  • [544765] Medium CVE-2016-1617: History sniffing with HSTS and CSP.
  • [552749] Medium CVE-2016-1618: Weak random number generator in Blink.
  • [557223] Medium CVE-2016-1619: Out-of-bounds read in PDFium.
  • [579625] CVE-2016-1620: Various fixes from internal audits, fuzzing and other initiatives.
  • Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch.
more...
chromium
chromium-npapi
chromium-pulse
2016-01-20

Jason A. Donenfeld reports:

Reflected Cross Site Scripting and Header Injection in Mimetype Query String.

Stored Cross Site Scripting and Header Injection in Filename Parameter.

Integer Overflow resulting in Buffer Overflow.

more...
cgit
2016-01-19

DrWhax reports:

So in codeconv.c there is a function for japanese character set conversion called conv_jistoeuc(). There is no bounds checking on the output buffer, which is created on the stack with alloca() Bug can be triggered by sending an email to TAILS_luser@riseup.net or whatever. Since my C is completely rusty, you might be able to make a better judgement on the severity of this issue. Marking critical for now.

more...
claws-mail
2016-01-18*

Tomas Hoger reports:

A buffer overflow flaw was discovered in the libproxy's url::get_pac() used to download proxy.pac proxy auto-configuration file. A malicious host hosting proxy.pac, or a man in the middle attacker, could use this flaw to trigger a stack-based buffer overflow in an application using libproxy, if proxy configuration instructed it to download proxy.pac file from a remote HTTP server.

more...
libproxy
libproxy-gnome
libproxy-kde
libproxy-perl
libproxy-webkit
2016-01-18

Jason Buberel reports:

A security-related issue has been reported in Go's math/big package. The issue was introduced in Go 1.5. We recommend that all users upgrade to Go 1.5.3, which fixes the issue. Go programs must be recompiled with Go 1.5.3 in order to receive the fix.

The Go team would like to thank Nick Craig-Wood for identifying the issue.

This issue can affect RSA computations in crypto/rsa, which is used by crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA private key due to this issue. Other protocol implementations that create many RSA signatures could also be impacted in the same way.

Specifically, incorrect results in one part of the RSA Chinese Remainder computation can cause the result to be incorrect in such a way that it leaks one of the primes. While RSA blinding should prevent an attacker from crafting specific inputs that trigger the bug, on 32-bit systems the bug can be expected to occur at random around one in 2^26 times. Thus collecting around 64 million signatures (of known data) from an affected server should be enough to extract the private key used.

On 64-bit systems, the frequency of the bug is so low (less than one in 2^50) that it would be very difficult to exploit. Nonetheless, everyone is strongly encouraged to upgrade.

more...
go
2016-01-17

Arch Linux reports:

ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file, downloading which will send files from a user PC to a remote attacker server. The attack does not even require the user to open that file ? for example, KDE Dolphin thumbnail generation is enough.

more...
ffmpeg
mencoder
mplayer
2016-01-15

Yakuzo OKU reports:

When redirect directive is used, this flaw allows a remote attacker to inject response headers into an HTTP redirect response.

more...
h2o
2016-01-14

The Prosody Team reports:

Fix path traversal vulnerability in mod_http_files (CVE-2016-1231)

Fix use of weak PRNG in generation of dialback secrets (CVE-2016-1232)

more...
prosody
2016-01-13

Elastic reports:

Fixes XSS vulnerability (CVE pending) - Thanks to Vladimir Ivanov for responsibly reporting.

more...
kibana4
kibana41
kibana42
kibana43
2016-01-12

ISC reports:

A badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally.

more...
isc-dhcp41-client
isc-dhcp41-relay
isc-dhcp41-server
isc-dhcp42-client
isc-dhcp42-relay
isc-dhcp42-server
isc-dhcp43-client
isc-dhcp43-relay
isc-dhcp43-server
2016-01-11

PHP reports:

  • Core:
    • Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).
  • GD:
    • Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds).
  • SOAP:
    • Fixed bug #70900 (SoapClient systematic out of memory error).
  • Wddx
    • Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
    • Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).
  • XMLRPC:
    • Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).
more...
php55
php55-gd
php55-wddx
php55-xmlrpc
php56
php56-gd
php56-soap
php56-wddx
php56-xmlrpc
2016-01-09

NVD reports:

The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.

more...
py27-pygments
py32-pygments
py33-pygments
py34-pygments
py35-pygments
2016-01-08*

ocert reports:

The dcraw tool, as well as several other projects re-using its code, suffers from an integer overflow condition which lead to a buffer overflow.

The vulnerability concerns the 'len' variable, parsed without validation from opened images, used in the ljpeg_start() function.

A maliciously crafted raw image file can be used to trigger the vulnerability, causing a Denial of Service condition.

more...
cinepaint
darktable
dcraw
dcraw-m
exact-image
flphoto
freeimage
kodi
libraw
lightzone
netpbm
opengtl
rawstudio
ufraw
2016-01-08

Colin Walters reports:

  • Integer overflow in the authentication_agent_new_cookie function in PolicyKit (aka polkit) before 0.113 allows local users to gain privileges by creating a large number of connections, which triggers the issuance of a duplicate cookie value.

  • The authentication_agent_new function in polkitbackend/polkitbackendinteractiveauthority.c in PolicyKit (aka polkit) before 0.113 allows local users to cause a denial of service (NULL pointer dereference and polkitd daemon crash) by calling RegisterAuthenticationAgent with an invalid object path.

  • The polkit_backend_action_pool_init function in polkitbackend/polkitbackendactionpool.c in PolicyKit (aka polkit) before 0.113 might allow local users to gain privileges via duplicate action IDs in action descriptions.

  • PolicyKit (aka polkit) before 0.113 allows local users to cause a denial of service (memory corruption and polkitd daemon crash) and possibly gain privileges via unspecified vectors, related to "javascript rule evaluation."

more...
polkit
2016-01-08*

Oracle reports:

This Critical Patch Update contains 25 new security fixes for Oracle Java SE. 24 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

more...
openjdk7
openjdk7-jre
openjdk8
openjdk8-jre
2016-01-08

Michael Samuel reports:

librsync before 1.0.0 uses a truncated MD4 checksum to match blocks, which makes it easier for remote attackers to modify transmitted data via a birthday attack.

more...
librsync
2016-01-08

Nico Golde reports:

heap overflow via malformed dhcp responses later in print_option (via dhcp_envoption1) due to incorrect option length values. Exploitation is non-trivial, but I'd love to be proven wrong.

invalid read/crash via malformed dhcp responses. not exploitable beyond DoS as far as I can judge.

more...
dhcpcd
2016-01-08*

US-CERT/NIST reports:

The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.

US-CERT/NIST reports:

Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.

US-CERT/NIST reports:

Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.

more...
cross-binutils
m6811-binutils
x86_64-pc-mingw32-binutils
2016-01-07

ARM Limited reports:

MD5 handshake signatures in TLS 1.2 are vulnerable to the SLOTH attack on TLS 1.2 server authentication. They have been disabled by default. Other attacks from the SLOTH paper do not apply to any version of mbed TLS or PolarSSL.

more...
mbedtls
polarssl13
2016-01-06*

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the AMD PC-Net II Ethernet Controller support is vulnerable to a heap buffer overflow flaw. While receiving packets in the loopback mode, it appends CRC code to the receive buffer. If the data size given is same as the receive buffer size, the appended CRC code overwrites 4 bytes beyond this 's->buffer' array.

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the Qemu instance resulting in DoS or potentially execute arbitrary code with privileges of the Qemu process on the host.

The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets from a remote host(non-loopback mode), fails to validate the received data size, thus resulting in a buffer overflow issue. It could potentially lead to arbitrary code execution on the host, with privileges of the Qemu process. It requires the guest NIC to have larger MTU limit.

A remote user could use this flaw to crash the guest instance resulting in DoS or potentially execute arbitrary code on a remote host with privileges of the Qemu process.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
xen-tools
2016-01-06

The Xen Project reports:

When constructing a guest which is configured to use a PV bootloader which runs as a userspace process in the toolstack domain (e.g. pygrub) libxl creates a mapping of the files to be used as kernel and initial ramdisk when building the guest domain.

However if building the domain subsequently fails these mappings would not be released leading to a leak of virtual address space in the calling process, as well as preventing the recovery of the temporary disk files containing the kernel and initial ramdisk.

For toolstacks which manage multiple domains within the same process, an attacker who is able to repeatedly start a suitable domain (or many such domains) can cause an out-of-memory condition in the toolstack process, leading to a denial of service.

Under the same circumstances an attacker can also cause files to accumulate on the toolstack domain filesystem (usually under /var in dom0) used to temporarily store the kernel and initial ramdisk, perhaps leading to a denial of service against arbitrary other services using that filesystem.

more...
xen-tools
2016-01-06

The Xen Project reports:

Single memory accesses in source code can be translated to multiple ones in machine code by the compiler, requiring special caution when accessing shared memory. Such precaution was missing from the hypervisor code inspecting the state of I/O requests sent to the device model for assistance.

Due to the offending field being a bitfield, it is however believed that there is no issue in practice, since compilers, at least when optimizing (which is always the case for non-debug builds), should find it more expensive to extract the bit field value twice than to keep the calculated value in a register.

This vulnerability is exposed to malicious device models. In conventional Xen systems this means the qemu which service an HVM domain. On such systems this vulnerability can only be exploited if the attacker has gained control of the device model qemu via another vulnerability.

Privilege escalation, host crash (Denial of Service), and leaked information all cannot be excluded.

more...
xen-kernel
2016-01-06

The Xen Project reports:

Error handling in the operation may involve handing back pages to the domain. This operation may fail when in parallel the domain gets torn down. So far this failure unconditionally resulted in the host being brought down due to an internal error being assumed. This is CVE-2015-8339.

Furthermore error handling so far wrongly included the release of a lock. That lock, however, was either not acquired or already released on all paths leading to the error handling sequence. This is CVE-2015-8340.

A malicious guest administrator may be able to deny service by crashing the host or causing a deadlock.

more...
xen-kernel
2016-01-06

The Xen Project reports:

When XSAVE/XRSTOR are not in use by Xen to manage guest extended register state, the initial values in the FPU stack and XMM registers seen by the guest upon first use are those left there by the previous user of those registers.

A malicious domain may be able to leverage this to obtain sensitive information such as cryptographic keys from another domain.

more...
xen-kernel
2016-01-05*

ISC Support reports:

ISC Kea may terminate unexpectedly (crash) while handling a malformed client packet. Related defects in the kea-dhcp4 and kea-dhcp6 servers can cause the server to crash during option processing if a client sends a malformed packet. An attacker sending a crafted malformed packet can cause an ISC Kea server providing DHCP services to IPv4 or IPv6 clients to exit unexpectedly.

  • The kea-dhcp4 server is vulnerable only in versions 0.9.2 and 1.0.0-beta, and furthermore only when logging at debug level 40 or higher. Servers running kea-dhcp4 versions 0.9.1 or lower, and servers which are not logging or are logging at debug level 39 or below are not vulnerable.

  • The kea-dhcp6 server is vulnerable only in versions 0.9.2 and 1.0.0-beta, and furthermore only when logging at debug level 45 or higher. Servers running kea-dhcp6 versions 0.9.1 or lower, and servers which are not logging or are logging at debug level 44 or below are not vulnerable.

more...
kea
2016-01-05

zzf of Alibaba discovered an out-of-bounds vulnerability in the code processing the LogLUV and CIE Lab image format files. An attacker could create a specially-crafted TIFF file that could cause libtiff to crash.

more...
tiff
2016-01-05

NVD reports:

SQL injection vulnerability in include/top_graph_header.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a properties action to graph.php.

more...
cacti
2016-01-05

LMX of Qihoo 360 Codesafe Team discovered an out-of-bounds read in tif_getimage.c. An attacker could create a specially-crafted TIFF file that could cause libtiff to crash.

more...
tiff
2016-01-04

Gustavo Grieco reports:

Two issues were found in unzip 6.0:

* A heap overflow triggered by unzipping a file with password (e.g unzip -p -P x sigsegv.zip).

* A denegation of service with a file that never finishes unzipping (e.g. unzip sigxcpu.zip).

more...
unzip
2016-01-03

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the PCI MSI-X support is vulnerable to null pointer dereference issue. It occurs when the controller attempts to write to the pending bit array(PBA) memory region. Because the MSI-X MMIO support did not define the .write method.

A privileges used inside guest could use this flaw to crash the Qemu process resulting in DoS issue.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-03

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the USB EHCI emulation support is vulnerable to an infinite loop issue. It occurs during communication between host controller interface(EHCI) and a respective device driver. These two communicate via a isochronous transfer descriptor list(iTD) and an infinite loop unfolds if there is a closed loop in this list.

A privileges user inside guest could use this flaw to consume excessive CPU cycles & resources on the host.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-03

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the VNC display driver support is vulnerable to an arithmetic exception flaw. It occurs on the VNC server side while processing the 'SetPixelFormat' messages from a client.

A privileged remote client could use this flaw to crash the guest resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-03

ACME Updates reports:

mini_httpd 1.21 and earlier allows remote attackers to obtain sensitive information from process memory via an HTTP request with a long protocol string, which triggers an incorrect response size calculation and an out-of-bounds read.

(rene) ACME, the author, claims that the vulnerability is fixed *after* version 1.22, released on 2015-12-28

more...
mini_httpd
2016-01-02

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing transmit descriptor data when sending a network packet.

A privileged user inside guest could use this flaw to crash the Qemu instance resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-02

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Virtual Network Device(virtio-net) support is vulnerable to a DoS issue. It could occur while receiving large packets over the tuntap/macvtap interfaces and when guest's virtio-net driver did not support big/mergeable receive buffers.

An attacker on the local network could use this flaw to disable guest's networking by sending a large number of jumbo frames to the guest, exhausting all receive buffers and thus leading to a DoS situation.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-02

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the NE2000 NIC emulation support is vulnerable to an infinite loop issue. It could occur when receiving packets over the network.

A privileged user inside guest could use this flaw to crash the Qemu instance resulting in DoS.

Qemu emulator built with the NE2000 NIC emulation support is vulnerable to a heap buffer overflow issue. It could occur when receiving packets over the network.

A privileged user inside guest could use this flaw to crash the Qemu instance or potentially execute arbitrary code on the host.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-02

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the VNC display driver is vulnerable to an infinite loop issue. It could occur while processing a CLIENT_CUT_TEXT message with specially crafted payload message.

A privileged guest user could use this flaw to crash the Qemu process on the host, resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-02

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the IDE disk and CD/DVD-ROM emulation support is vulnerable to a divide by zero issue. It could occur while executing an IDE command WIN_READ_NATIVE_MAX to determine the maximum size of a drive.

A privileged user inside guest could use this flaw to crash the Qemu instance resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-01

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the virtio-serial vmchannel support is vulnerable to a buffer overflow issue. It could occur while exchanging virtio control messages between guest and the host.

A malicious guest could use this flaw to corrupt few bytes of Qemu memory area, potentially crashing the Qemu process.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-01

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the VNC display driver support is vulnerable to a buffer overflow flaw leading to a heap memory corruption issue. It could occur while refreshing the server display surface via routine vnc_refresh_server_surface().

A privileged guest user could use this flaw to corrupt the heap memory and crash the Qemu process instance OR potentially use it to execute arbitrary code on the host.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-01

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the SCSI device emulation support is vulnerable to a stack buffer overflow issue. It could occur while parsing SCSI command descriptor block with an invalid operation code.

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the Qemu instance resulting in DoS.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2016-01-01

Petr Matousek of Red Hat Inc. reports:

Due converting PIO to the new memory read/write api we no longer provide separate I/O region lenghts for read and write operations. As a result, reading from PIT Mode/Command register will end with accessing pit->channels with invalid index and potentially cause memory corruption and/or minor information leak.

A privileged guest user in a guest with QEMU PIT emulation enabled could potentially (tough unlikely) use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.

Please note that by default QEMU/KVM guests use in-kernel (KVM) PIT emulation and are thus not vulnerable to this issue.

more...
qemu
qemu-devel
qemu-sbruno
qemu-user-static
2015-12-31

NCC Group reports:

An attacker who can cause a carefully-chosen string to be converted to a floating-point number can cause a crash and potentially induce arbitrary code execution.

more...
mono
2015-12-29

Adobe reports:

These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-8644).

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2015-8651).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-8634, CVE-2015-8635, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, CVE-2015-8650).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-8459, CVE-2015-8460, CVE-2015-8636, CVE-2015-8645).

more...
linux-c6-flashplugin
linux-c6_64-flashplugin
linux-f10-flashplugin
2015-12-29*

Inspircd reports:

This release fixes the issues discovered since 2.0.18, containing multiple important stability and correctness related improvements, including a fix for a bug which allowed malformed DNS records to cause netsplits on a network.

more...
inspircd
2015-12-28

The Mozilla Project reports:

Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where MD5 signatures in the server signature within the TLS 1.2 ServerKeyExchange message are still accepted. This is an issue since NSS has officially disallowed the accepting MD5 as a hash algorithm in signatures since 2011. This issues exposes NSS based clients such as Firefox to theoretical collision-based forgery attacks.

more...
linux-c6-nss
linux-firefox
linux-seamonkey
linux-thunderbird
nss
2015-12-28

NVD reports:

The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.8.4 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data.

The ff_get_buffer function in libavcodec/utils.c in FFmpeg before 2.8.4 preserves width and height values after a failure, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted .mov file.

more...
avidemux
avidemux2
avidemux26
ffmpeg
ffmpeg-011
ffmpeg-devel
ffmpeg0
ffmpeg1
ffmpeg2
ffmpeg23
ffmpeg24
ffmpeg25
ffmpeg26
gstreamer-ffmpeg
handbrake
kodi
libav
mencoder
mplayer
mythtv
mythtv-frontend
plexhometheater
2015-12-28*

NVD reports:

The update_dimensions function in libavcodec/vp8.c in FFmpeg through 2.8.1, as used in Google Chrome before 46.0.2490.71 and other products, relies on a coefficient-partition count during multi-threaded operation, which allows remote attackers to cause a denial of service (race condition and memory corruption) or possibly have unspecified other impact via a crafted WebM file.

The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg before 2.8.2 omits certain width and height checks, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted MJPEG data.

The ff_hevc_parse_sps function in libavcodec/hevc_ps.c in FFmpeg before 2.8.2 does not validate the Chroma Format Indicator, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted High Efficiency Video Coding (HEVC) data.

The decode_uncompressed function in libavcodec/faxcompr.c in FFmpeg before 2.8.2 does not validate uncompressed runs, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted CCITT FAX data.

The init_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.8.2 does not enforce minimum-value and maximum-value constraints on tile coordinates, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data.

The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via a crafted image with two or more of these markers.

Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via crafted image dimensions in Indeo Video Interactive data.

The smka_decode_frame function in libavcodec/smacker.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not verify that the data size is consistent with the number of channels, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Smacker data.

more...
avidemux
avidemux2
avidemux26
ffmpeg
ffmpeg-011
ffmpeg-devel
ffmpeg0
ffmpeg1
ffmpeg2
ffmpeg23
ffmpeg24
ffmpeg25
ffmpeg26
gstreamer-ffmpeg
handbrake
kodi
libav
mencoder
mplayer
mythtv
mythtv-frontend
plexhometheater
2015-12-26

The phpMyAdmin development team reports:

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

We consider these vulnerabilities to be non-critical.

This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.

more...
phpMyAdmin
2015-12-25

Salvatore Bonaccorso reports:

Hanno Boeck discovered a stack-based buffer overflow in the dpkg-deb component of dpkg, the Debian package management system. This flaw could potentially lead to arbitrary code execution if a user or an automated system were tricked into processing a specially crafted Debian binary package (.deb) in the old style Debian binary package format.

more...
dpkg
2015-12-24*

Tim Graham reports:

If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".

more...
py27-django
py27-django-devel
py27-django17
py27-django18
py32-django
py32-django-devel
py32-django17
py32-django18
py33-django
py33-django-devel
py33-django17
py33-django18
py34-django
py34-django-devel
py34-django17
py34-django18
2015-12-24*

MediaWiki reports:

Internal review discovered that Special:DeletedContributions did not properly protect the IP of autoblocked users. This fix makes the functionality of Special:DeletedContributions consistent with Special:Contributions and Special:BlockList.

Internal review discovered that watchlist anti-csrf tokens were not being compared in constant time, which could allow various timing attacks. This could allow an attacker to modify a user's watchlist via csrf

John Menerick reported that MediaWiki's thumb.php failed to sanitize various error messages, resulting in xss.

more...
mediawiki123
mediawiki124
mediawiki125
2015-12-24*

MediaWiki reports:

Wikipedia user RobinHood70 reported two issues in the chunked upload API. The API failed to correctly stop adding new chunks to the upload when the reported size was exceeded (T91203), allowing a malicious users to upload add an infinite number of chunks for a single file upload. Additionally, a malicious user could upload chunks of 1 byte for very large files, potentially creating a very large number of files on the server's filesystem (T91205).

Internal review discovered that it is not possible to throttle file uploads.

Internal review discovered a missing authorization check when removing suppression from a revision. This allowed users with the 'viewsuppressed' user right but not the appropriate 'suppressrevision' user right to unsuppress revisions.

Richard Stanway from teamliquid.net reported that thumbnails of PNG files generated with ImageMagick contained the local file path in the image metadata.

more...
mediawiki123
mediawiki124
mediawiki125
2015-12-24

Mantis reports:

CVE-2015-5059: documentation in private projects can be seen by every user

more...
mantis
2015-12-24

MediaWiki reports:

(T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error.

(T119309) SECURITY: Use hash_compare() for edit token comparison.

(T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads.

(T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength.

(T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued.

(T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki.

more...
mediawiki123
mediawiki124
mediawiki125
mediawiki126
2015-12-23

Ruby developer reports:

There is an unsafe tainted string vulnerability in Fiddle and DL. This issue was originally reported and fixed with CVE-2009-5147 in DL, but reappeared after DL was reimplemented using Fiddle and libffi.

And, about DL, CVE-2009-5147 was fixed at Ruby 1.9.1, but not fixed at other branches, then rubies which bundled DL except Ruby 1.9.1 are still vulnerable.

more...
ruby
2015-12-23

Bugzilla Security Advisory

During the generation of a dependency graph, the code for the HTML image map is generated locally if a local dot installation is used. With escaped HTML characters in a bug summary, it is possible to inject unfiltered HTML code in the map file which the CreateImagemap function generates. This could be used for a cross-site scripting attack.

If an external HTML page contains a