Oracle reports:

MySQL Multiple Flaws Let Remote Authenticated Users Access and Modify Data, Remote and Local Users Deny Service, and Local Users Access Data and Gain Elevated Privileges

• A local user can exploit a flaw in the Replication component to gain elevated privileges [CVE-2018-2755].
• A remote authenticated user can exploit a flaw in the GIS Extension component to cause denial of service conditions [CVE-2018-2805].
• A remote authenticated user can exploit a flaw in the InnoDB component to cause denial of service conditions [CVE-2018-2782, CVE-2018-2784, CVE-2018-2819].
• A remote authenticated user can exploit a flaw in the Security Privileges component to cause denial of service conditions [CVE-2018-2758, CVE-2018-2818].
• A remote authenticated user can exploit a flaw in the DDL component to cause denial of service conditions [CVE-2018-2817].
• A remote authenticated user can exploit a flaw in the Optimizer component to cause denial of service conditions [CVE-2018-2775, CVE-2018-2778, CVE-2018-2779, CVE-2018-2780, CVE-2018-2781, CVE-2018-2816].
• A remote user can exploit a flaw in the Client programs component to cause denial of service conditions [CVE-2018-2761, CVE-2018-2773].
• A remote authenticated user can exploit a flaw in the InnoDB component to partially modify data and cause denial of service conditions [CVE-2018-2786, CVE-2018-2787].
• A remote authenticated user can exploit a flaw in the Optimizer component to partially modify data and cause denial of service conditions [CVE-2018-2812].
• A local user can exploit a flaw in the Cluster ndbcluster/plugin component to cause denial of service conditions [CVE-2018-2877].
• A remote authenticated user can exploit a flaw in the InnoDB component to cause denial of service conditions [CVE-2018-2759, CVE-2018-2766, CVE-2018-2777, CVE-2018-2810].
• A remote authenticated user can exploit a flaw in the DML component to cause denial of service conditions [CVE-2018-2839].
• A remote authenticated user can exploit a flaw in the Performance Schema component to cause denial of service conditions [CVE-2018-2846].
• A remote authenticated user can exploit a flaw in the Pluggable Auth component to cause denial of service conditions [CVE-2018-2769].
• A remote authenticated user can exploit a flaw in the Group Replication GCS component to cause denial of service conditions [CVE-2018-2776].
• A local user can exploit a flaw in the Connection component to cause denial of service conditions [CVE-2018-2762].
• A remote authenticated user can exploit a flaw in the Locking component to cause denial of service conditions [CVE-2018-2771].
• A remote authenticated user can exploit a flaw in the DDL component to partially access data [CVE-2018-2813].

wordpress developers reports:

Don't treat localhost as same host by default.

Use safe redirects when redirecting the login page if SSL is forced.

Make sure the version string is correctly escaped for use in generator tags.

The Drupal security team reports:

CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).

The phpMyAdmin development team reports:

Summary

CSRF vulnerability allowing arbitrary SQL execution

Description

By deceiving a user to click on a crafted URL, it is possible for an attacker to execute arbitrary SQL commands.

Severity

We consider this vulnerability to be critical.

The OpenSSL project reports:

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key.

Drupal Security Team reports:

CVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

perldelta:

CVE-2018-6797: heap-buffer-overflow (WRITE of size 1) in S_regatom (regcomp.c)

A crafted regular expression could cause a heap buffer write overflow, with control over the bytes written. [perl #132227]

CVE-2018-6798: Heap-buffer-overflow in Perl__byte_dump_string (utf8.c)

Matching a crafted locale dependent regular expression could cause a heap buffer read overflow and potentially information disclosure. [perl #132063]

CVE-2018-6913: heap-buffer-overflow in S_pack_rec

pack() could cause a heap buffer write overflow with a large item count. [perl #131844]

TALOS reports:

An exploitable out-of-bounds write vulnerability exists in the XMP image handling functionality of the FreeImage library.

Robert Foggia via NetBSD GNATS reports:

The ipsec-tools racoon daemon contains a remotely exploitable computational complexity attack when parsing and storing isakmp fragments. The implementation permits a remote attacker to exhaust computational resources on the remote endpoint by repeatedly sending isakmp fragment packets in a particular order such that the worst-case computational complexity is realized in the algorithm utilized to determine if reassembly of the fragments can take place.

nghttp2 blog:

If ALTSVC frame is received by libnghttp2 and it is larger than it can accept, the pointer field which points to ALTSVC frame payload is left NULL. Later libnghttp2 attempts to access another field through the pointer, and gets segmentation fault.

ALTSVC frame is defined by RFC 7838.

The largest frame size libnghttp2 accept is by default 16384 bytes.

Receiving ALTSVC frame is disabled by default. Application has to enable it explicitly by calling nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC).

Transmission of ALTSVC is always enabled, and it does not cause this vulnerability.

ALTSVC frame is expected to be sent by server, and received by client as defined in RFC 7838.

Client and server are both affected by this vulnerability if the reception of ALTSVC frame is enabled. As written earlier, it is useless to enable reception of ALTSVC frame on server side. So, server is generally safe unless application accidentally enabled the reception of ALTSVC frame.

Upstream reports:

This update primarily fixes a recently discovered IMAP-cmd-injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.

Jenkins developers report:

The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist.

The Jenkins CLI now returns the same error messages to unauthorized users independent of the existence of specified view or agent names

Some JavaScript confirmation dialogs included the item name in an unsafe manner, resulting in a possible cross-site scripting vulnerability exploitable by users with permission to create or configure items.

JavaScript confirmation dialogs that include the item name now properly escape it, so it can be safely displayed.

Adobe reports:

• This update resolves a use-after-free vulnerability that could lead to remote code execution (CVE-2018-4932).
• This update resolves out-of-boubds read vulnerabilities that could lead to information disclosure (CVE-2018-4933, CVE-2018-4934).
• This update resolves out-of-boubds write vulnerabilities that could lead to remote code execution (CVE-2018-4935, CVE-2018-4937).
• This update resolves a heap overflow vulnerability that could lead to information disclosure (CVE-2018-4936).

GitLab reports:

SSRF in services and web hooks

There were multiple server-side request forgery issues in the Services feature. An attacker could make requests to servers within the same network of the GitLab instance. This could lead to information disclosure, authentication bypass, or potentially code execution. This issue has been assigned CVE-2018-8801.

Gitlab Auth0 integration issue

There was an issue with the GitLab omniauth-auth0 configuration which resulted in the Auth0 integration signing in the wrong users.

GitLab reports:

Confidential issue comments in Slack, Mattermost, and webhook integrations.

Persistent XSS in milestones data-milestone-id.

Persistent XSS in filename of merge request.

Problem Description:

Insufficient validation of user-provided font parameters can result in an integer overflow, leading to the use of arbitrary kernel memory as glyph data. Characters that reference this data can be displayed on the screen, effectively disclosing kernel memory.

Impact:

Unprivileged users may be able to access privileged kernel data.

Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.

Problem Description:

The length field of the option header does not count the size of the option header itself. This causes a problem when the length is zero, the count is then incremented by zero, which causes an infinite loop.

In addition there are pointer/offset mistakes in the handling of IPv4 options.

Impact:

A remote attacker who is able to send an arbitrary packet, could cause the remote target machine to crash.

The Mozilla Foundation reports:

CVE-2018-5148: Use-after-free in compositor

A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash.

The Mozilla Foundation reports:

CVE-2018-5146: Out of bounds memory write in libvorbis

An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest.

CVE-2018-5147: Out of bounds memory write in libtremor

The libtremor library has the same flaw as CVE-2018-5146. This library is used by Firefox in place of libvorbis on Android and ARM platforms.

moodle reports:

Unauthenticated users can trigger custom messages to admin via paypal enrol script.

Suspended users with OAuth 2 authentication method can still log in to the site.

Ruby news:

CVE-2017-17742: HTTP response splitting in WEBrick

If a script accepts an external input and outputs it without modification as a part of HTTP responses, an attacker can use newline characters to deceive the clients that the HTTP response header is stopped at there, and can inject fake HTTP responses after the newline characters to show malicious contents to the clients.

CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir

Dir.mktmpdir method introduced by tmpdir library accepts the prefix and the suffix of the directory which is created as the first parameter. The prefix can contain relative directory specifiers "../", so this method can be used to target any directory. So, if a script accepts an external input as the prefix, and the targeted directory has inappropriate permissions or the ruby process has inappropriate privileges, the attacker can create a directory or a file at any directory.

CVE-2018-8777: DoS by large request in WEBrick

If an attacker sends a large request which contains huge HTTP headers, WEBrick try to process it on memory, so the request causes the out-of-memory DoS attack.

CVE-2018-8778: Buffer under-read in String#unpack

String#unpack receives format specifiers as its parameter, and can be specified the position of parsing the data by the specifier @. If a big number is passed with @, the number is treated as the negative value, and out-of-buffer read is occurred. So, if a script accepts an external input as the argument of String#unpack, the attacker can read data on heaps.

CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket

UNIXServer.open accepts the path of the socket to be created at the first parameter. If the path contains NUL (\0) bytes, this method recognize that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of this method, the attacker can make the socket file in the unintentional path. And, UNIXSocket.open also accepts the path of the socket to be created at the first parameter without checking NUL bytes like UNIXServer.open. So, if a script accepts an external input as the argument of this method, the attacker can accepts the socket file in the unintentional path.

CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir

Dir.open, Dir.new, Dir.entries and Dir.empty? accept the path of the target directory as their parameter. If the parameter contains NUL (\0) bytes, these methods recognize that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of these methods, the attacker can make the unintentional directory traversal.

The Webkit gtk team reports:

Please reference CVE/URL list for details

The WebKit team reports many vulnerabilities.

Please reference the CVE/URL list for details.

Node.js reports:

Node.js Inspector DNS rebinding vulnerability (CVE-2018-7160)

Node.js 6.x and later include a debugger protocol (also known as "inspector") that can be activated by the --inspect and related command line flags. This debugger service was vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution.

'path' module regular expression denial of service (CVE-2018-7158)

The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x.

Spaces in HTTP Content-Length header values are ignored (CVE-2018-7159)

The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12. The HTTP specification does not allow for spaces in the Content-Length value and the Node.js HTTP parser has been brought into line on this particular difference.

Google Chrome Releases reports:

1 security fix in this release, including:

• [823553] Various fixes from internal audits, fuzzing and other initiatives

The OpenSSL project reports:

• Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)
  
  Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe.
• rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
  
  There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation).

The Apache httpd reports:

Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled (CVE-2017-15710)

mod_session: CGI-like applications that intend to read from mod_session's 'SessionEnv ON' could be fooled into reading user-supplied data instead. (CVE-2018-1283)

mod_cache_socache: Fix request headers parsing to avoid a possible crash with specially crafted input data. (CVE-2018-1303)

core: Possible crash with excessively long HTTP request headers. Impractical to exploit with a production build and production LogLevel. (CVE-2018-1301)

core: Configure the regular expression engine to match '$' to the end of the input string only, excluding matching the end of any embedded newline characters. Behavior can be changed with new directive 'RegexDefaultOptions'. (CVE-2017-15715)

mod_auth_digest: Fix generation of nonce values to prevent replay attacks across servers using a common Digest domain. This change may cause problems if used with round robin load balancers. (CVE-2018-1312)

mod_http2: Potential crash w/ mod_http2. (CVE-2018-1302)

NVD reports:

The decode_ihdr_chunk function in libavcodec/pngdec.c in FFmpeg before 2.7.2 does not enforce uniqueness of the IHDR (aka image header) chunk in a PNG image, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted image with two or more of these chunks.

Multiple integer underflows in the ff_mjpeg_decode_frame function in libavcodec/mjpegdec.c in FFmpeg before 2.7.2 allow remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted MJPEG data.

The ff_sbr_apply function in libavcodec/aacsbr.c in FFmpeg before 2.7.2 does not check for a matching AAC frame syntax element before proceeding with Spectral Band Replication calculations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted AAC data.

The ff_mpv_common_init function in libavcodec/mpegvideo.c in FFmpeg before 2.7.2 does not properly maintain the encoding context, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via crafted MPEG data.

The destroy_buffers function in libavcodec/sanm.c in FFmpeg before 2.7.2 does not properly maintain height and width values in the video context, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via crafted LucasArts Smush video data.

The allocate_buffers function in libavcodec/alac.c in FFmpeg before 2.7.2 does not initialize certain context data, which allows remote attackers to cause a denial of service (segmentation violation) or possibly have unspecified other impact via crafted Apple Lossless Audio Codec (ALAC) data.

The sws_init_context function in libswscale/utils.c in FFmpeg before 2.7.2 does not initialize certain pixbuf data structures, which allows remote attackers to cause a denial of service (segmentation violation) or possibly have unspecified other impact via crafted video data.

The ff_frame_thread_init function in libavcodec/pthread_frame.c in FFmpeg before 2.7.2 mishandles certain memory-allocation failures, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via a crafted file, as demonstrated by an AVI file.

The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c in FFmpeg before 2.7.2 does not initialize certain structure members, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via crafted (1) RV30 or (2) RV40 RealVideo data.

NVD reports:

The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.8.4 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data.

The ff_get_buffer function in libavcodec/utils.c in FFmpeg before 2.8.4 preserves width and height values after a failure, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted .mov file.

FFmpeg security reports:

FFmpeg 3.2.4 fixes the following vulnerabilities: CVE-2017-5024, CVE-2017-5025

NVD reports:

The msrle_decode_pal4 function in msrledec.c in Libav before 10.7 and 11.x before 11.4 and FFmpeg before 2.0.7, 2.2.x before 2.2.15, 2.4.x before 2.4.8, 2.5.x before 2.5.6, and 2.6.x before 2.6.2 allows remote attackers to have unspecified impact via a crafted image, related to a pixel pointer, which triggers an out-of-bounds array access.

NVD reports:

The update_dimensions function in libavcodec/vp8.c in FFmpeg through 2.8.1, as used in Google Chrome before 46.0.2490.71 and other products, relies on a coefficient-partition count during multi-threaded operation, which allows remote attackers to cause a denial of service (race condition and memory corruption) or possibly have unspecified other impact via a crafted WebM file.

The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg before 2.8.2 omits certain width and height checks, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted MJPEG data.

The ff_hevc_parse_sps function in libavcodec/hevc_ps.c in FFmpeg before 2.8.2 does not validate the Chroma Format Indicator, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted High Efficiency Video Coding (HEVC) data.

The decode_uncompressed function in libavcodec/faxcompr.c in FFmpeg before 2.8.2 does not validate uncompressed runs, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted CCITT FAX data.

The init_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.8.2 does not enforce minimum-value and maximum-value constraints on tile coordinates, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data.

The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via a crafted image with two or more of these markers.

Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via crafted image dimensions in Indeo Video Interactive data.

The smka_decode_frame function in libavcodec/smacker.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not verify that the data size is consistent with the number of channels, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Smacker data.

NVD reports:

Use-after-free vulnerability in the ff_h264_free_tables function in libavcodec/h264.c in FFmpeg before 2.3.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted H.264 data in an MP4 file, as demonstrated by an HTML VIDEO element that references H.264 data.

FFmpeg security reports:

Multiple vulnerabilities have been fixed in FFmpeg 3.3.4. Please refer to the CVE list for details.

OSS-Security list:

There is a possible XSS vulnerability in rails-html-sanitizer. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications.

This issue is similar to CVE-2018-8048 in Loofah.

mybb Team reports:

Medium risk: Tasks Local File Inclusion

Medium risk: Forum Password Check Bypass

Low risk: Admin Permissions Group Title XSS

Low risk: Attachment types file extension XSS

Low risk: Moderator Tools XSS

Low risk: Security Questions XSS

Low risk: Settings Management XSS

Low risk: Templates Set Name XSS

Low risk: Usergroup Promotions XSS

Low risk: Warning Types XSS

MITRE reports:

SQLite databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.

Sanitize release:

Fixed an HTML injection vulnerability that could allow XSS.

When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements.

Sanitize now performs additional escaping on affected attributes to prevent this.

GitHub issue:

This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team.

Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

MITRE reports:

In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.

Florian Grunow reports:

An attacker able to exploit this vulnerability can extract files of the server the application is running on. This may include configuration files, log files and additionally all files that are readable for all users on the system. This issue is post-authentication. That means an attacker would need valid credentials for the application to log in or needs to exploit an additional vulnerability of which we are not aware of at this point of time.

An attacker would also be able to delete files on the system, if the user running the application has the rights to do so.

Does this issue affect me?

Likely yes, if you are using Squirrelmail. We checked the latest development version, which is 1.5.2-svn and the latest version available for download at this point of time, 1.4.22. Both contain the vulnerable code.

SchedMD reports:

Several issues were discovered with incomplete sanitization of user-provided text strings, which could potentially lead to SQL injection attacks against SlurmDBD itself. Such exploits could lead to a loss of accounting data, or escalation of user privileges on the cluster.

NVD reports:

Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar issue to Mozilla bug 550184.

In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis().

Mozilla Foundation reports:

CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList

CVE-2018-5128: Use-after-free manipulating editor selection ranges

CVE-2018-5129: Out-of-bounds write with malformed IPC messages

CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption

CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources

CVE-2018-5132: WebExtension Find API can search privileged pages

CVE-2018-5133: Value of the app.support.baseURL preference is not properly sanitized

CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content restrictions

CVE-2018-5135: WebExtension browserAction can inject scripts into unintended contexts

CVE-2018-5136: Same-origin policy violation with data: URL shared workers

CVE-2018-5137: Script content can access legacy extension non-contentaccessible resources

CVE-2018-5138: Android Custom Tab address spoofing through long domain names

CVE-2018-5140: Moz-icon images accessible to web content through moz-icon: protocol

CVE-2018-5141: DOS attack through notifications Push API

CVE-2018-5142: Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs

CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into addressbar

CVE-2018-5126: Memory safety bugs fixed in Firefox 59

CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7

Theodore Y. Ts'o reports:

Fixed some potential buffer overrun bugs in the blkid library and in the fsck program.

Problem Description:

A number of issues relating to speculative execution were found last year and publicly announced January 3rd. Two of these, known as Meltdown and Spectre V2, are addressed here.

CVE-2017-5754 (Meltdown) - ------------------------

This issue relies on an affected CPU speculatively executing instructions beyond a faulting instruction. When this happens, changes to architectural state are not committed, but observable changes may be left in micro- architectural state (for example, cache). This may be used to infer privileged data.

CVE-2017-5715 (Spectre V2) - --------------------------

Spectre V2 uses branch target injection to speculatively execute kernel code at an address under the control of an attacker.

Impact:

An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser).

Network Time Foundation reports:

The NTP Project at Network Time Foundation is releasing ntp-4.2.8p11.

This release addresses five security issues in ntpd:

• LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability: ephemeral association attack
• INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak
• LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated ephemeral associations
• LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode cannot recover from bad state
• LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: Unauthenticated packet can reset authenticated interleaved association

one security issue in ntpq:

• MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909: ntpq:decodearr() can write beyond its buffer limit

and provides over 33 bugfixes and 32 other improvements.

Problem Description:

Due to a lack of strict checking, an attacker from a trusted host can send a specially constructed IP packet that may lead to a system crash.

Additionally, a use-after-free vulnerability in the AH handling code could cause unpredictable results.

Impact:

Access to out of bounds or freed mbuf data can lead to a kernel panic or other unpredictable results.

Adobe reports:

• This update resolves a use-after-free vulnerability that could lead to remote code execution (CVE-2018-4919).
• This update resolves a type confusion vulnerability that could lead to remote code execution (CVE-2018-4920).

The samba project reports:

Missing null pointer checks may crash the external print server process.

On a Samba 4 AD DC any authenticated user can change other user's passwords over LDAP, including the passwords of administrative users and service accounts.

Simon Butcher reports:

• When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet can be used to selectively corrupt 6 bytes on the peer's heap, potentially leading to a crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS.
• When RSASSA-PSS signature verification is enabled, sending a maliciously constructed certificate chain can be used to cause a buffer overflow on the peer's stack, potentially leading to crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS.

Google Chrome Releases reports:

45 security fixes in this release:

• [758848] High CVE-2017-11215: Use after free in Flash. Reported by JieZeng of Tencent Zhanlu Lab on 2017-08-25
• [758863] High CVE-2017-11225: Use after free in Flash. Reported by JieZeng of Tencent Zhanlu Lab on 2017-08-25
• [780919] High CVE-2018-6060: Use after free in Blink. Reported by Omair on 2017-11-02
• [794091] High CVE-2018-6061: Race condition in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2017-12-12
• [780104] High CVE-2018-6062: Heap buffer overflow in Skia. Reported by Anonymous on 2017-10-31
• [789959] High CVE-2018-6057: Incorrect permissions on shared memory. Reported by Gal Beniamini of Google Project Zero on 2017-11-30
• [792900] High CVE-2018-6063: Incorrect permissions on shared memory. Reported by Gal Beniamini of Google Project Zero on 2017-12-07
• [798644] High CVE-2018-6064: Type confusion in V8. Reported by lokihardt of Google Project Zero on 2018-01-03
• [808192] High CVE-2018-6065: Integer overflow in V8. Reported by Mark Brand of Google Project Zero on 2018-02-01
• [799477] Medium CVE-2018-6066: Same Origin Bypass via canvas. Reported by Masato Kinugawa on 2018-01-05
• [779428] Medium CVE-2018-6067: Buffer overflow in Skia. Reported by Ned Williamson on 2017-10-30
• [779428] Medium CVE-2018-6067: Buffer overflow in Skia. Reported by Ned Williamson on 2017-10-30
• [799918] Medium CVE-2018-6069: Stack buffer overflow in Skia. Reported by Wanglu and Yangkang(@dnpushme) of Qihoo360 Qex Team on 2018-01-08
• [668645] Medium CVE-2018-6070: CSP bypass through extensions. Reported by Rob Wu on 2016-11-25
• [777318] Medium CVE-2018-6071: Heap bufffer overflow in Skia. Reported by Anonymous on 2017-10-23
• [791048] Medium CVE-2018-6072: Integer overflow in PDFium. Reported by Atte Kettunen of OUSPG on 2017-12-01
• [804118] Medium CVE-2018-6073: Heap bufffer overflow in WebGL. Reported by Omair on 2018-01-20
• [809759] Medium CVE-2018-6074: Mark-of-the-Web bypass. Reported by Abdulrahman Alqabandi (@qab) on 2018-02-06
• [608669] Medium CVE-2018-6075: Overly permissive cross origin downloads. Reported by Inti De Ceukelaire (intigriti.com) on 2016-05-03
• [758523] Medium CVE-2018-6076: Incorrect handling of URL fragment identifiers in Blink. Reported by Mateusz Krzeszowiec on 2017-08-24
• [778506] Medium CVE-2018-6077: Timing attack using SVG filters. Reported by Khalil Zhani on 2017-10-26
• [793628] Medium CVE-2018-6078: URL Spoof in OmniBox. Reported by Khalil Zhani on 2017-12-10
• [788448] Medium CVE-2018-6079: Information disclosure via texture data in WebGL. Reported by Ivars Atteka on 2017-11-24
• [792028] Medium CVE-2018-6080: Information disclosure in IPC call. Reported by Gal Beniamini of Google Project Zero on 2017-12-05
• [797525] Low CVE-2018-6081: XSS in interstitials. Reported by Rob Wu on 2017-12-24
• [767354] Low CVE-2018-6082: Circumvention of port blocking. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-09-21
• [771709] Low CVE-2018-6083: Incorrect processing of AppManifests. Reported by Jun Kokatsu (@shhnjk) on 2017-10-04

wireshark developers reports:

wnpa-sec-2018-05. IEEE 802.11 dissector crash. (CVE-2018-7335)

wnpa-sec-2018-06. Large or infinite loops in multiple dissectors. (CVE-2018-7321 through CVE-2018-7333)

wnpa-sec-2018-07. UMTS MAC dissector crash. (CVE-2018-7334)

wnpa-sec-2018-08. DOCSIS dissector crash. (CVE-2018-7337)

wnpa-sec-2018-09. FCP dissector crash. (CVE-2018-7336)

wnpa-sec-2018-10. SIGCOMP dissector crash. (CVE-2018-7320)

wnpa-sec-2018-11. Pcapng file parser crash.

wnpa-sec-2018-12. IPMI dissector crash.

wnpa-sec-2018-13. SIGCOMP dissector crash.

wnpa-sec-2018-14. NBAP dissector crash.

ISC reports:

Failure to properly bounds check a buffer used for processing DHCP options allows a malicious server (or an entity masquerading as a server) to cause a buffer overflow (and resulting crash) in dhclient by sending a response containing a specially constructed options section.

A malicious client which is allowed to send very large amounts of traffic (billions of packets) to a DHCP server can eventually overflow a 32-bit reference counter, potentially causing dhcpd to crash.

Laurent Delosieres, Secunia Research at Flexera Software reports:

Secunia Research has discovered a vulnerability in libsndfile, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an error in the "aiff_read_chanmap()" function (src/aiff.c), which can be exploited to cause an out-of-bounds read memory access via a specially crafted AIFF file. The vulnerability is confirmed in version 1.0.28. Other versions may also be affected.

Agostino Sarubbo, Gentoo reports:

CVE-2017-8361 (Medium): The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.

CVE-2017-8362 (Medium): The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file.

CVE-2017-8363 (Medium): The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file.

CVE-2017-8365 (Medium): The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file.

manxorist on Github reports:

CVE-2017-12562 (High): Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.

Xin-Jiang on Github reports:

CVE-2017-14634 (Medium): In libsndfile 1.0.28, a divide-by-zero error exists in the function double64_init() in double64.c, which may lead to DoS when playing a crafted audio file.

Xin-Jiang on Github reports:

CVE-2017-14245 (Medium): An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.

CVE-2017-14246 (Medium): An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.

my123px on Github reports:

CVE-2017-17456 (Medium): The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown address 0x000000000000), a different vulnerability than CVE-2017-14245.

CVE-2017-17457 (Medium): The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown address 0x000000000000), a different vulnerability than CVE-2017-14246.

The PostgreSQL project reports:

• CVE-2018-1058: Uncontrolled search path element in pg_dump and other client applications

Shibboleth consortium reports:

Shibboleth SP software vulnerable to additional data forgery flaws

The XML processing performed by the Service Provider software has been found to be vulnerable to new flaws similar in nature to the one addressed in an advisory last month.

These bugs involve the use of other XML constructs rather than entity references, and therefore required additional mitigation once discovered. As with the previous issue, this flaw allows for changes to an XML document that do not break a digital signature but can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information.

As before, the use of XML Encryption is a significant mitigation, but we have not dismissed the possibility that attacks on the Response "envelope" may be possible, in both the original and this new case. No actual attacks of this nature are known, so deployers should prioritize patching systems that expect to handle unencrypted SAML assertions.

An updated version of XMLTooling-C (V1.6.4) is available that protects against these new attacks, and should help prevent similar vulnerabilities in the future.

Unlike the previous case, these bugs are NOT prevented by any existing Xerces-C parser version on any platform and cannot be addressed by any means other than the updated XMLTooling-C library.

The Service Provider software relies on a generic XML parser to process SAML responses and there are limitations in older versions of the parser that make it impossible to fully disable Document Type Definition (DTD) processing.

Through addition/manipulation of a DTD, it's possible to make changes to an XML document that do not break a digital signature but are mishandled by the SP and its libraries. These manipulations can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information.

While newer versions of the xerces-c3 parser are configured by the SP into disallowing the use of a DTD via an environment variable, this feature is not present in the xerces-c3 parser before version 3.1.4, so an additional fix is being provided now that an actual DTD exploit has been identified. Xerces-c3-3.1.4 was committed to the ports tree already on 2016-07-26.

Google Chrome Releases reports:

Several security fixes in this release, including:

• [780450] High CVE-2018-6031: Use after free in PDFium. Reported by Anonymous on 2017-11-01
• [787103] High CVE-2018-6032: Same origin bypass in Shared Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-20
• [793620] High CVE-2018-6033: Race when opening downloaded files. Reported by Juho Nurminen on 2017-12-09
• [784183] Medium CVE-2018-6034: Integer overflow in Blink. Reported by Tobias Klein (www.trapkit.de) on 2017-11-12
• [797500] Medium CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
• [797500] Medium CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
• [753645] Medium CVE-2018-6037: Insufficient user gesture requirements in autofill. Reported by Paul Stone of Context Information Security on 2017-08-09
• [774174] Medium CVE-2018-6038: Heap buffer overflow in WebGL. Reported by cloudfuzzer on 2017-10-12
• [775527] Medium CVE-2018-6039: XSS in DevTools. Reported by Juho Nurminen on 2017-10-17
• [778658] Medium CVE-2018-6040: Content security policy bypass. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-26
• [760342] Medium CVE-2018-6041: URL spoof in Navigation. Reported by Luan Herrera on 2017-08-29
• [773930] Medium CVE-2018-6042: URL spoof in OmniBox. Reported by Khalil Zhani on 2017-10-12
• [785809] Medium CVE-2018-6043: Insufficient escaping with external URL handlers. Reported by 0x09AL on 2017-11-16
• [797497] Medium CVE-2018-6045: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
• [798163] Medium CVE-2018-6046: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-31
• [799847] Medium CVE-2018-6047: Cross origin URL leak in WebGL. Reported by Masato Kinugawa on 2018-01-08
• [763194] Low CVE-2018-6048: Referrer policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-09-08
• [771848] Low CVE-2017-15420: URL spoofing in Omnibox. Reported by Drew Springall (@_aaspring_) on 2017-10-05
• [774438] Low CVE-2018-6049: UI spoof in Permissions. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-13
• [774842] Low CVE-2018-6050: URL spoof in OmniBox. Reported by Jonathan Kew on 2017-10-15
• [441275] Low CVE-2018-6051: Referrer leak in XSS Auditor. Reported by Antonio Sanso (@asanso) on 2014-12-11
• [615608] Low CVE-2018-6052: Incomplete no-referrer policy implementation. Reported by Tanner Emek on 2016-05-28
• [758169] Low CVE-2018-6053: Leak of page thumbnails in New Tab Page. Reported by Asset Kabdenov on 2017-08-23
• [797511] Low CVE-2018-6054: Use after free in WebUI. Reported by Rob Wu on 2017-12-24

Google Chrome Releases reports:

1 security fix in this release:

• [806388] High CVE-2018-6056: Incorrect derived class instantiation in V8. Reported by lokihardt of Google Project Zero on 2018-01-26

Drupal Security Team reports:

CVE-2017-6926: Comment reply form allows access to restricted content

CVE-2017-6927: JavaScript cross-site scripting prevention is incomplete

CVE-2017-6928: Private file access bypass - Moderately Critical

CVE-2017-6929: jQuery vulnerability with untrusted domains - Moderately Critical

CVE-2017-6930: Language fallback can be incorrect on multilingual sites with node access restrictions

CVE-2017-6931: Settings Tray access bypass

CVE-2017-6932: External link injection on 404 pages when linking to the current page

Hank Leininger reports:

Bugs in Git, Subversion, and Mercurial were just announced and patched which allowed arbitrary local command execution if a malicious name was used for the remote server, such as starting with - to pass options to the ssh client: git clone ssh://-oProxyCommand=some-command... CVS has a similar problem with the -d option:

Tested vanilla CVS 1.12.13, and Gentoo CVS 1.12.12-r11.

LibreOffice reports:

LibreOffice Calc supports a WEBSERVICE function to obtain data by URL. Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file URL (e.g file://) which can be used to inject local files into the spreadsheet without warning the user. Subsequent formulas can operate on that inserted data and construct a remote URL whose path leaks the local data to a remote attacker.

In later versions of LibreOffice without this flaw, WEBSERVICE has now been limited to accessing http and https URLs along with bringing WEBSERVICE URLs under LibreOffice Calc's link management infrastructure.

Note: This vulnerability has been identified upstream as CVE-2018-1055, but NVD/Mitre are advising it's a reservation duplicate of CVE-2018-6871 which should be used instead.

The Apache Software Foundation reports:

Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Louis Dion-Marcil reports:

Due to incorrect pointer handling Squid is vulnerable to denial of service attack when processing ESI responses.

This problem allows a remote server delivering certain ESI response syntax to trigger a denial of service for all clients accessing the Squid service.

Due to unrelated changes Squid-3.5 has become vulnerable to some regular ESI server responses also triggering this issue.

This problem is limited to the Squid custom ESI parser. Squid built to use libxml2 or libexpat XML parsers do not have this problem.

Due to incorrect pointer handling Squid is vulnerable to denial of service attack when processing ESI responses or downloading intermediate CA certificates.

This problem allows a remote client delivering certain HTTP requests in conjunction with certain trusted server responses to trigger a denial of service for all clients accessing the Squid service.

The phpMyAdmin team reports:

Summary

Self XSS in central columns feature

Description

A self-cross site scripting (XSS) vulnerability has been reported relating to the central columns feature.

Severity

We consider this vulnerability to be of moderate severity.

Mitigation factor

A valid token must be used in the attack

Irssi reports:

Use after free when server is disconnected during netsplits. Found by Joseph Bisch.

Use after free when SASL messages are received in unexpected order. Found by Joseph Bisch.

Null pointer dereference when an ?empty? nick has been observed by Irssi. Found by Joseph Bisch.

When the number of windows exceed the available space, Irssi would crash due to Null pointer dereference. Found by Joseph Bisch.

Certain nick names could result in out of bounds access when printing theme strings. Found by Oss-Fuzz.

The Asterisk project reports:

AST-2018-004 - When processing a SUBSCRIBE request the res_pjsip_pubsub module stores the accepted formats present in the Accept headers of the request. This code did not limit the number of headers it processed despite having a fixed limit of 32. If more than 32 Accept headers were present the code would write outside of its memory and cause a crash.

AST-2018-005 - A crash occurs when a number of authenticated INVITE messages are sent over TCP or TLS and then the connection is suddenly closed. This issue leads to a segmentation fault.

The Asterisk project reports:

AST-2018-002 - By crafting an SDP message with an invalid media format description Asterisk crashes when using the pjsip channel driver because pjproject's sdp parsing algorithm fails to catch the invalid media format description.

AST-2018-003 - By crafting an SDP message body with an invalid fmtp attribute Asterisk crashes when using the pjsip channel driver because pjproject's fmtp retrieval function fails to check if fmtp value is empty (set empty if previously parsed as invalid).

GitLab reports:

SnippetFinder information disclosure

The GitLab SnippetFinder component contained an information disclosure which allowed access to snippets restricted to Only team members or configured as disabled. The issue is now resolved in the latest version.

LDAP API authorization issue

An LDAP API endpoint contained an authorization vulnerability which unintentionally disclosed bulk LDAP groups data. This issue is now fixed in the latest release.

Persistent XSS mermaid markdown

The mermaid markdown feature contained a persistent XSS issue that is now resolved in the latest release.

Insecure direct object reference Todo API

The Todo API was vulnerable to an insecure direct object reference issue which resulted in an information disclosure of confidential data.

GitHub import access control issue

An improper access control weakness issue was discovered in the GitHub import feature. The issue allowed an attacker to create projects under other accounts which they shouldn't have access to. The issue is now resolved in the latest version.

Protected variables information disclosure

The CI jobs protected tag feature contained a vulnerability which resulted in an information disclosure of protected variables. The issue is now resolved in the latest release.

Strongswan Release Notes reports:

Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that was caused by insufficient input validation. One of the configurable parameters in algorithm identifier structures for RSASSA-PSS signatures is the mask generation function (MGF). Only MGF1 is currently specified for this purpose. However, this in turn takes itself a parameter that specifies the underlying hash function. strongSwan's parser did not correctly handle the case of this parameter being absent, causing an undefined data read. his vulnerability has been registered as CVE-2018-6459.

Upstream commit:

Vulnerabilities existed in cookie handling.

Philippe Antoine of Catena cyber:

This is a security release that fixes an integer overflow in code generated by binpac. This issue can be used by remote attackers to crash Bro (i.e. a DoS attack). There also is a possibility this can be exploited in other ways. (CVE pending.)

Bugzilla Security Advisory

A CSRF vulnerability in report.cgi would allow a third-party site to extract confidential information from a bug the victim had access to.

Frank Meier:

Bro before Bro v2.5.2 is vulnerable to an out of bounds write in the ContentLine analyzer allowing remote attackers to cause a denial of service (crash) and possibly other exploitation.

Consul developers report:

A flaw was found in the embedded DNS library used in consul which may allow a denial of service attack. Consul was updated to include the fixed version.

Secunia Research reports:

CVE-2018-5800: An off-by-one error within the "LibRaw::kodak_ycbcr_load_raw()" function (internal/dcraw_common.cpp) can be exploited to cause a heap-based buffer overflow and subsequently cause a crash.

CVE-2017-5801: An error within the "LibRaw::unpack()" function (src/libraw_cxx.cpp) can be exploited to trigger a NULL pointer dereference.

CVE-2017-5802: An error within the "kodak_radc_load_raw()" function (internal/dcraw_common.cpp) related to the "buf" variable can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash.

Secunia Research reports:

CVE-2017-16909: An error related to the "LibRaw::panasonic_load_raw()" function (dcraw_common.cpp) can be exploited to cause a heap-based buffer overflow and subsequently cause a crash via a specially crafted TIFF image.

CVE-2017-16910: An error within the "LibRaw::xtrans_interpolate()" function (internal/dcraw_common.cpp) can be exploited to cause an invalid read memory access.

Quagga reports:

The Quagga BGP daemon, bgpd, does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or it may crash.

The Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes.

The Quagga BGP daemon, bgpd, can overrun internal BGP code-to-string conversion tables used for debug by 1 pointer value, based on input.

The Quagga BGP daemon, bgpd, can enter an infinite loop if sent an invalid OPEN message by a configured peer.

Bitmessage developers report:

A remote code execution vulnerability has been spotted in use against some users running PyBitmessage v0.6.2. The cause was identified and a fix has been added and released as 0.6.3.2. (Will be updated if/when CVE will be available.)

Jenkins developers report:

Jenkins did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to.

Mitre reports:

bchunk 1.2.0 and 1.2.1 vulnerable to a heap-based buffer overflow and crash when processing a malformed CUE (.cue) file.

Mitre reports:

bchunk 1.2.0 and 1.2.1 is vulnerable to an "Access violation near NULL on destination operand" and crash when processing a malformed CUE (.cue) file.

Mitre reports:

bchunk 1.2.0 and 1.2.1 is vulnerable to a heap-based buffer overflow (with a resultant invalid free) and crash when processing a malformed CUE (.cue) file.

Uwsgi developers report:

It was discovered that the uwsgi_expand_path function in utils.c in Unbit uWSGI, an application container server, has a stack-based buffer overflow via a large directory length that can cause a denial-of-service (application crash) or stack corruption.

Python issue:

There is a possible integer overflow in PyString_DecodeEscape function of the file stringobject.c, which can be abused to gain a heap overflow, possibly leading to arbitrary code execution.

mpv developers report:

mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL.

MITRE reports:

JSONRPC vulnerability

Exim developers report:

There is a buffer overflow in base64d(), if some pre-conditions are met. Using a handcrafted message, remote code execution seems to be possible.

MITRE reports:

Heap-based buffer overflow in the NCompress::NShrink::CDecoder::CodeReal method in 7-Zip before 18.00 and p7zip allows remote attackers to cause a denial of service (out-of-bounds write) or potentially execute arbitrary code via a crafted ZIP archive.

MITRE reports:

Insufficient exception handling in the method NCompress::NRar3::CDecoder::Code of 7-Zip before 18.00 and p7zip can lead to multiple memory corruptions within the PPMd code, alows remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.

X-cela reports:

Calls into build_benocde that use %zu could crash on 64 bit machines due to the size change of size_t. Someone can force READ_ENC_IA to fail allowing an internal_error to be thrown and bring down the client.

Mark Sapiro reports:

An XSS vulnerability in the user options CGI could allow a crafted URL to execute arbitrary javascript in a user's browser. A related issue could expose information on a user's options page without requiring login.

The PostgreSQL project reports:

• CVE-2018-1052: Fix the processing of partition keys containing multiple expressions (only for PostgreSQL-10.x)
• CVE-2018-1053: Ensure that all temporary files made with "pg_upgrade" are non-world-readable

Adobe reports:

• This update resolves use-after-free vulnerabilities that could lead to remote code execution (CVE-2018-4877, CVE-2018-4878).

Alessio Santoru reports:

Buffer overflow in htpasswd.

MITRE reports:

Improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic.

Pale Moon reports:

CVE-2018-5102: Use-after-free in HTML media elements

CVE-2018-5122: Potential integer overflow in DoCrypt

Tatsuya Kinoshita reports:

CVE-2018-6196 * table.c: Prevent negative indent value in feed_table_block_tag().

CVE-2018-6197 * form.c: Prevent invalid columnPos() call in formUpdateBuffer().

CVE-2018-6198 * config.h.dist, config.h.in, configure, configure.ac, main.c, rc.c: Make temporary directory safely when ~/.w3m is unwritable.

Django release notes:

CVE-2018-6188: Information leakage in AuthenticationForm

A regression in Django 1.11.8 made AuthenticationForm run its confirm_login_allowed() method even if an incorrect password is entered. This can leak information about a user, depending on what messages confirm_login_allowed() raises. If confirm_login_allowed() isn't overridden, an attacker enter an arbitrary username and see if that user has been set to is_active=False. If confirm_login_allowed() is overridden, more sensitive details could be leaked.

This issue is fixed with the caveat that AuthenticationForm can no longer raise the "This account is inactive." error if the authentication backend rejects inactive users (the default authentication backend, ModelBackend, has done that since Django 1.10). This issue will be revisited for Django 2.1 as a fix to address the caveat will likely be too invasive for inclusion in older versions.

Pedro Sampaio reports:

A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. A abort of SASL authentication results in a memory leak in Dovecot auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion.

The Mozilla Foundation reports:

Mozilla developer Johann Hofmann reported that unsanitized output in the browser UI can lead to arbitrary code execution.

Mozilla Foundation reports:

CVE-2018-5091: Use-after-free with DTMF timers

CVE-2018-5092: Use-after-free in Web Workers

CVE-2018-5093: Buffer overflow in WebAssembly during Memory/Table resizing

CVE-2018-5094: Buffer overflow in WebAssembly with garbage collection on uninitialized memory

CVE-2018-5095: Integer overflow in Skia library during edge builder allocation

CVE-2018-5097: Use-after-free when source document is manipulated during XSLT

CVE-2018-5098: Use-after-free while manipulating form input elements

CVE-2018-5099: Use-after-free with widget listener

CVE-2018-5100: Use-after-free when IsPotentiallyScrollable arguments are freed from memory

CVE-2018-5101: Use-after-free with floating first-letter style elements

CVE-2018-5102: Use-after-free in HTML media elements

CVE-2018-5103: Use-after-free during mouse event handling

CVE-2018-5104: Use-after-free during font face manipulation

CVE-2018-5105: WebExtensions can save and execute files on local file system without user prompts

CVE-2018-5106: Developer Tools can expose style editor information cross-origin through service worker

CVE-2018-5107: Printing process will follow symlinks for local file access

CVE-2018-5108: Manually entered blob URL can be accessed by subsequent private browsing tabs

CVE-2018-5109: Audio capture prompts and starts with incorrect origin attribution

CVE-2018-5110: Cursor can be made invisible on OS X

CVE-2018-5111: URL spoofing in addressbar through drag and drop

CVE-2018-5112: Extension development tools panel can open a non-relative URL in the panel

CVE-2018-5113: WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow

CVE-2018-5114: The old value of a cookie changed to HttpOnly remains accessible to scripts

CVE-2018-5115: Background network requests can open HTTP authentication in unrelated foreground tabs

CVE-2018-5116: WebExtension ActiveTab permission allows cross-origin frame content access

CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right

CVE-2018-5118: Activity Stream images can attempt to load local content through file:

CVE-2018-5119: Reader view will load cross-origin content in violation of CORS headers

CVE-2018-5121: OS X Tibetan characters render incompletely in the addressbar

CVE-2018-5122: Potential integer overflow in DoCrypt

CVE-2018-5090: Memory safety bugs fixed in Firefox 58

CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6

Debian Security Advisory reports:

Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code.

Mozilla reports:

During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved data is used for later messages but in some cases, the handshake transcript can exceed the space available in the current buffer, causing the allocation of a new buffer. This leaves a pointer pointing to the old, freed buffer, resulting in a use-after-free when handshake hashes are then calculated afterwards. This can result in a potentially exploitable crash.

Upstream reports:

A stack-based buffer overflow within GNOME gcab through 0.7.4 can be exploited by malicious attackers to cause a crash or, potentially, execute arbitrary code via a crafted .cab file.

The cURL project reports:

libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.

ClamAV project reports:

Join us as we welcome ClamAV 0.99.3 to the family!.

This release is a security release and is recommended for all ClamAV users.

CVE-2017-12374 ClamAV UAF (use-after-free) Vulnerabilities

CVE-2017-12375 ClamAV Buffer Overflow Vulnerability

CVE-2017-12376 ClamAV Buffer Overflow in handle_pdfname Vulnerability

CVE-2017-12377 ClamAV Mew Packet Heap Overflow Vulnerability

CVE-2017-12378 ClamAV Buffer Over Read Vulnerability

CVE-2017-12379 ClamAV Buffer Overflow in messageAddArgument Vulnerability

CVE-2017-12380 ClamAV Null Dereference Vulnerability

Google Chrome Releases reports:

37 security fixes in this release, including:

• [778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by Ned Williamson on 2017-10-26
• [762374] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by Ke Liu of Tencent's Xuanwu LAB on 2017-09-06
• [763972] High CVE-2017-15409: Out of bounds write in Skia. Reported by Anonymous on 2017-09-11
• [765921] High CVE-2017-15410: Use after free in PDFium. Reported by Luat Nguyen of KeenLab, Tencent on 2017-09-16
• [770148] High CVE-2017-15411: Use after free in PDFium. Reported by Luat Nguyen of KeenLab, Tencent on 2017-09-29
• [727039] High CVE-2017-15412: Use after free in libXML. Reported by Nick Wellnhofer on 2017-05-27
• [766666] High CVE-2017-15413: Type confusion in WebAssembly. Reported by Gaurav Dewan of Adobe Systems India Pvt. Ltd. on 2017-09-19
• [765512] Medium CVE-2017-15415: Pointer information disclosure in IPC call. Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15
• [779314] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by Ned Williamson on 2017-10-28
• [699028] Medium CVE-2017-15417: Cross origin information disclosure in Skia. Reported by Max May on 2017-03-07
• [765858] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-09-15
• [780312] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink. Reported by Jun Kokatsu on 2017-10-31
• [777419] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-23
• [774382] Medium CVE-2017-15422: Integer overflow in ICU. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13
• [780484] Medium CVE-2017-15430: Unsafe navigation in Chromecast Plugin. Reported by jinmo123 on 2017-01-11
• [778101] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL. Reported by Greg Hudson on 2017-10-25
• [756226] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by Khalil Zhani on 2017-08-16
• [756456] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by xisigr of Tencent's Xuanwu Lab on 2017-08-17
• [757735] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-08-18
• [768910] Low CVE-2017-15427: Insufficient blocking of Javascript in Omnibox. Reported by Junaid Farhan on 2017-09-26
• [792099] Various fixes from internal audits, fuzzing and other initiatives

PowerDNS Security Advisory reports:

An issue has been found in the DNSSEC validation component of PowerDNS Recursor, allowing an ancestor delegation NSEC or NSEC3 record to be used to wrongfully prove the non-existence of a RR below the owner name of that record. This would allow an attacker in position of man-in-the-middle to send a NXDOMAIN answer for a name that does exist.

Google Chrome Releases reports:

2 security fixes in this release, including:

• [770452] High CVE-2017-15396: Stack overflow in V8. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-09-30
• [770450] Medium CVE-2017-15406: Stack overflow in V8. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-09-30

Google Chrome Releases reports:

1 security fix in this release, including:

• [782145] High CVE-2017-15428: Out of bounds read in V8. Reported by Zhao Qixun of Qihoo 360 Vulcan Team on 2017-11-07

Google Chrome Releases reports:

2 security fixes in this release, including:

• [788453] High CVE-2017-15429: UXSS in V8. Reported by Anonymous on 2017-11-24
• [794792] Various fixes from internal audits, fuzzing and other initiatives

Unbound reports:

We discovered a vulnerability in the processing of wildcard synthesized NSEC records. While synthesis of NSEC records is allowed by RFC4592, these synthesized owner names should not be used in the NSEC processing. This does, however, happen in Unbound 1.6.7 and earlier versions.

phpbb developers reports:

Password updater working with PostgreSQL - The cron for updating legacy password hashes was running invalid queries on PostgreSQL.

Deleting orphaned attachments w/ large number of orphaned attachments - Orphaned attachment deletion was improved to be able to delete them when a large number of orphaned attachments exist.

Multiple bugfixes for retrieving image size - Multiple issues with retrieving the image size of JPEGs and temporary files were resolved.

Issues with updating from phpBB 3.0.6 - Inconsistencies in the way parent modules were treated caused issues with updating from older phpBB 3.0 versions.

Forum / topic icon blurriness - Fixed issues with forum and topic icons looking blurry on some browsers.

wordpress developers reports:

JavaScript errors that prevented saving posts in Firefox have been fixed.

The previous taxonomy-agnostic behavior of get_category_link() and category_description() was restored.

Switching themes will now attempt to restore previous widget assignments, even when there are no sidebars to map.

Oracle reports:

Not all vulnerabilities are relevant for all flavors/versions of the servers and clients

• Vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. GIS: CVE-2018-2573, DDL CVE-2018-2622, Optimizer: CVE-2018-2640, CVE-2018-2665, CVE-2018-2668, Security:Privileges: CVE-2018-2703, Partition: CVE-2018-2562.
• Vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. InnoDB: CVE-2018-2565, CVE-2018-2612 DML: CVE-2018-2576, CVE-2018-2646, Stored Procedure: CVE-2018-2583, Performance Schema: CVE-2018-2590, Partition: CVE-2018-2591, Optimizer: CVE-2018-2600, CVE-2018-2667, Security:Privileges: CVE-2018-2696, Replication: CVE-2018-2647.
• Vulnerability allows a low or high privileged attacker with network access via multiple protocols to compromise MySQL Server with unauthorized creation, deletion, modification or access to data/ critical data. InnoDB: CVE-2018-2612, Performance Schema: CVE-2018-2645, Replication: CVE-2018-2647, Partition: CVE-2018-2562.

GitLab developers report:

Today we are releasing versions 10.3.4, 10.2.6, and 10.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain a number of important security fixes, including two that prevent remote code execution, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

Google Project Zero reports:

The transmission bittorrent client uses a client/server architecture, the user interface is the client which communicates to the worker daemon using JSON RPC requests.

As with all HTTP RPC schemes like this, any website can send requests to the daemon listening on localhost with XMLHttpRequest(), but the theory is they will be ignored because clients must prove they can read and set a specific header, X-Transmission-Session-Id. Unfortunately, this design doesn't work because of an attack called "DNS rebinding". Any website can simply create a dns name that they are authorized to communicate with, and then make it resolve to localhost.

Exploitation is simple, you could set script-torrent-done-enabled and run any command, or set download-dir to /home/user/ and then upload a torrent for .bashrc.

Shibboleth consortium reports:

Shibboleth SP software vulnerable to forged user attribute data

The Service Provider software relies on a generic XML parser to process SAML responses and there are limitations in older versions of the parser that make it impossible to fully disable Document Type Definition (DTD) processing.

Through addition/manipulation of a DTD, it's possible to make changes to an XML document that do not break a digital signature but are mishandled by the SP and its libraries. These manipulations can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information.

While newer versions of the xerces-c3 parser are configured by the SP into disallowing the use of a DTD via an environment variable, this feature is not present in the xerces-c3 parser before version 3.1.4, so an additional fix is being provided now that an actual DTD exploit has been identified. Xerces-c3-3.1.4 was committed to the ports tree already on 2016-07-26.

Adobe reports:

• This update resolves an out-of-bounds read vulnerability that could lead to information disclosure (CVE-2018-4871).

Mitre reports:

Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.

Irssi reports:

When the channel topic is set without specifying a sender, Irssi may dereference NULL pointer. Found by Joseph Bisch.

When using incomplete escape codes, Irssi may access data beyond the end of the string. Found by Joseph Bisch.

A calculation error in the completion code could cause a heap buffer overflow when completing certain strings. Found by Joseph Bisch.

When using an incomplete variable argument, Irssi may access data beyond the end of the string. Found by Joseph Bisch.

Mozilla Foundation reports:

Jann Horn of Google Project Zero Security reported that speculative execution performed by modern CPUs could leak information through a timing side-channel attack. Microsoft Vulnerability Research extended this attack to browser JavaScript engines and demonstrated that code on a malicious web page could read data from other web sites (violating the same-origin policy) or private data from the browser itself.

Since this new class of attacks involves measuring precise time intervals, as a parti al, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. The precision of performance.now() has been reduced from 5?s to 20?s, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer.

the PHP project reports:

• A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer (CVE-2017-9224).
• A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of '\700' would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption (CVE-2017-9226).
• A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer (CVE-2017-9227).
• A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it's used as an index, resulting in an out-of-bounds write memory corruption (CVE-2017-9228).
• A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition (CVE-2017-9228).

Jeriko One reports:

The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon.

The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.

The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.

Irssi reports:

When installing themes with unterminated colour formatting sequences, Irssi may access data beyond the end of the string.

While waiting for the channel synchronisation, Irssi may incorrectly fail to remove destroyed channels from the query list, resulting in use after free conditions when updating the state later on.

Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference.

Overlong nicks or targets may result in a NULL pointer dereference while splitting the message.

In certain cases Irssi may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string.

MITRE reports:

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session.

OTRS reports:

An attacker who is logged into OTRS as an agent can request special URLs from OTRS which can lead to the execution of shell commands with the permissions of the web server user.

An attacker who is logged into OTRS as a customer can use the ticket search form to disclose internal article information of their customer tickets.

An attacker who is logged into OTRS as an agent can manipulate form parameters and execute arbitrary shell commands with the permissions of the OTRS or web server user.

An attacker can send a specially prepared email to an OTRS system. If this system has cookie support disabled, and a logged in agent clicks a link in this email, the session information could be leaked to external systems, allowing the attacker to take over the agent?s session.

The Legion of the Bouncy Castle reports:

Release: 1.59

CVE-2017-13098 ("ROBOT"), a Bleichenbacher oracle in TLS when RSA key exchange is negotiated. This potentially affected BCJSSE servers and any other TLS servers configured to use JCE for the underlying crypto - note the two TLS implementations using the BC lightweight APIs are not affected by this.

Mozilla Foundation reports:

CVE-2017-7845: Buffer overflow when drawing and validating elements with ANGLE library using Direct 3D 9

CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin

CVE-2017-7847: Local path string can be leaked from RSS feed

CVE-2017-7848: RSS Feed vulnerable to new line Injection

CVE-2017-7829: Mailsploit part 1: From address with encoded null character is cut off in message header display

The Asterisk project reports:

A select set of SIP messages create a dialog in Asterisk. Those SIP messages must contain a contact header. For those messages, if the header was not present and using the PJSIP channel driver, it would cause Asterisk to crash. The severity of this vulnerability is somewhat mitigated if authentication is enabled. If authentication is enabled a user would have to first be authorized before reaching the crash point.

The phpMyAdmin team reports:

Description

By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc.

Severity

We consider this vulnerability to be critical.

The MariaDB project reports:

Fixes for the following security vulnerabilities: CVE-2017-15365

Oracle reports:

Please reference CVE/URL list for details

Phusion reports:

The cPanel Security Team discovered a vulnerability in Passenger that allows users to list the contents of arbitrary files on the system. CVE-2017-16355 has been assigned to this issue.

the freedesktop.org project reports:

A non-privileged X client can instruct X server running under root to open any file by creating own directory with "fonts.dir", "fonts.alias" or any font file being a symbolic link to any other file in the system. X server will then open it. This can be issue with special files such as /dev/watchdog.

The freedesktop.org project reports:

If a pattern contains '?' character, any character in the string is skipped, even if it is '\0'. The rest of the matching then reads invalid memory.

Without the checks a malformed PCF file can cause the library to make atom from random heap memory that was behind the `strings` buffer. This may crash the process or leak information.

The freedesktop.org project reports:

It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments.

The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads.

The signedness bug is triggered by reading the length of a comment as unsigned int, but casting it to int when calling the function XcursorCommentCreate. Turning length into a negative value allows the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following addition of sizeof (XcursorComment) + 1 makes it possible to allocate less memory than needed for subsequent reads.

MITRE reports:

gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.

The Jenkins project reports:

A race condition during Jenkins startup could result in the wrong order of execution of commands during initialization.

On Jenkins 2.81 and newer, including LTS 2.89.1, this could in rare cases (we estimate less than 20% of new instances) result in failure to initialize the setup wizard on the first startup.

There is a very short window of time after startup during which Jenkins may no longer show the "Please wait while Jenkins is getting ready to work" message, but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

The Torproject.org reports:

• TROVE-2017-009: Replay-cache ineffective for v2 onion services
• TROVE-2017-010: Remote DoS attack against directory authorities
• TROVE-2017-011: An attacker can make Tor ask for a password
• TROVE-2017-012: Relays can pick themselves in a circuit path
• TROVE-2017-013: Use-after-free in onion service v2

Node.js reports:

Data Confidentiality/Integrity Vulnerability - CVE-2017-15896

Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.

Uninitialized buffer vulnerability - CVE-2017-15897

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.

Also included in OpenSSL update - CVE 2017-3738

Note that CVE 2017-3738 of OpenSSL-1.0.2 affected Node but it was low severity.

Etienne Stalmans from the Heroku product security team reports:

There is a command injection vulnerability in Net::FTP bundled with Ruby.

Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pipe character "|", the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.

GitLab reports:

User without access to private Wiki can see it on the project page

Matthias Burtscher reported that it was possible for a user to see a private Wiki on the project page without having the corresponding permission.

E-mail address disclosure through member search fields

Hugo Geoffroy reported via HackerOne that it was possible to find out the full e-mail address of any user by brute-forcing the member search field.

Groups API leaks private projects

An internal code review discovered that users were able to list private projects they had no access to by using the Groups API.

Cross-Site Scripting (XSS) possible by editing a comment

Sylvain Heiniger reported via HackerOne that it was possible for arbitrary JavaScript code to be executed when editing a comment.

Issue API allows any user to create a new issue even when issues are restricted or disabled

Mohammad Hasbini reported that any user could create a new issues in a project even when issues were disabled or restricted to team members in the project settings.

The Asterisk project reports:

If a compound RTCP packet is received containing more than one report (for example a Receiver Report and a Sender Report) the RTCP stack will incorrectly store report information outside of allocated memory potentially causing a crash.

libxml2 developers report:

The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.

A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.

The Asterisk project reports:

No size checking is done when setting the user field for Party B on a CDR. Thus, it is possible for someone to use an arbitrarily large string and write past the end of the user field storage buffer. The earlier AST-2017-001 advisory for the CDR user field overflow was for the Party A buffer.

The Asterisk project reports:

A memory leak occurs when an Asterisk pjsip session object is created and that call gets rejected before the session itself is fully established. When this happens the session object never gets destroyed. This then leads to file descriptors and RTP ports being leaked as well.

The Asterisk project reports:

If the chan_skinny (AKA SCCP protocol) channel driver is flooded with certain requests it can cause the asterisk process to use excessive amounts of virtual memory eventually causing asterisk to stop processing requests of any kind.

The cURL project reports:

• NTLM buffer overflow via integer overflow (CVE-2017-8816)
  
  libcurl contains a buffer overrun flaw in the NTLM authentication code. The internal function Curl_ntlm_core_mk_ntlmv2_hash sums up the lengths of the user name + password (= SUM) and multiplies the sum by two (= SIZE) to figure out how large storage to allocate from the heap.
• FTP wildcard out of bounds read (CVE-2017-8817)
  
  libcurl contains a read out of bounds flaw in the FTP wildcard function. libcurl's FTP wildcard matching feature, which is enabled with the CURLOPT_WILDCARDMATCH option can use a built-in wildcard function or a user provided one. The built-in wildcard function has a flaw that makes it not detect the end of the pattern string if it ends with an open bracket ([) but instead it will continue reading the heap beyond the end of the URL buffer that holds the wildcard.
• SSL out of buffer access (CVE-2017-8818)
  
  libcurl contains an out boundary access flaw in SSL related code. When allocating memory for a connection (the internal struct called connectdata), a certain amount of memory is allocated at the end of the struct to be used for SSL related structs. Those structs are used by the particular SSL library libcurl is built to use. The application can also tell libcurl which specific SSL library to use if it was built to support more than one.

wireshark developers reports:

wnpa-sec-2017-47: The IWARP_MPA dissector could crash. (CVE-2017-17084)

wnpa-sec-2017-48: The NetBIOS dissector could crash. Discovered by Kamil Frankowicz. (CVE-2017-17083)

wnpa-sec-2017-49: The CIP Safety dissector could crash. (CVE-2017-17085)

Problem Description:

Invoking SSL_read()/SSL_write() while in an error state causes data to be passed without being decrypted/encrypted directly from the SSL/TLS record layer.

In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. [CVE-2017-3737]

There is an overflow bug in the x86_64 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). [CVE-2017-3738] This bug only affects FreeBSD 11.x.

Impact:

Applications with incorrect error handling may inappropriately pass unencrypted data. [CVE-2017-3737]

Mishandling of carry propagation will produce incorrect output, and make it easier for a remote attacker to obtain sensitive private-key information. No EC algorithms are affected and analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely.

Attacks against DH1024 are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. [CVE-2017-3738]

MITRE reports:

A remote attacker could use a flaw to cause formail to crash, resulting in a denial of service or data loss.

The OpenSSL project reports:

• Read/write after SSL object in error state (CVE-2017-3737)
  
  OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer.
• rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
  
  There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.

Problem Description:

A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys.

Impact:

Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used.

Problem Description:

Not all information in the struct ptrace_lwpinfo is relevant for the state of any thread, and the kernel does not fill the irrelevant bytes or short strings. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information of the kernel stack of the thread is possible from the debugger.

Impact:

Some bytes from the kernel stack of the thread using ptrace(PT_LWPINFO) call can be observed in userspace.

Problem Description:

Named paths are globally scoped, meaning a process located in one jail can read and modify the content of POSIX shared memory objects created by a process in another jail or the host system.

Impact:

A malicious user that has access to a jailed system is able to abuse shared memory by injecting malicious content in the shared memory region. This memory region might be executed by applications trusting the shared memory, like Squid.

This issue could lead to a Denial of Service or local privilege escalation.

Problem Description:

The kernel does not properly clear the memory of the kld_file_stat structure before filling the data. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information from the kernel stack is possible.

Impact:

Some bytes from the kernel stack can be observed in userspace.

Problem Description:

If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. [CVE-2017-3735]

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. [CVE-2017-3736] This bug only affects FreeBSD 11.x.

Impact:

Application using OpenSSL may display erroneous certificate in text format. [CVE-2017-3735]

Mishandling of carry propagation will produce incorrect output, and make it easier for a remote attacker to obtain sensitive private-key information. No EC algorithms are affected, analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely.

Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. [CVE-2017-3736]

Mozilla Foundation reports:

CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data

CVE-2017-7844: Visited history information leak through SVG image

Varnish reports:

A wrong if statement in the varnishd source code means that synthetic objects in stevedores which over-allocate, may leak up to page size of data from a malloc(3) memory allocation.

mybb Team reports:

High risk: Language file headers RCE

Low risk: Language Pack Properties XSS

wordpress developers reports:

Use a properly generated hash for the newbloguser key instead of a determinate substring.

Add escaping to the language attributes used on html elements.

Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.

Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.

Exim developers team reports:

The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.

BorgBackup reports:

Incorrect implementation of access controls allows remote users to override repository restrictions in Borg servers. A user able to access a remote Borg SSH server is able to circumvent access controls post-authentication. Affected releases: 1.1.0, 1.1.1, 1.1.2. Releases 1.0.x are NOT affected.

xrdp reports:

The scp_v0s_accept function in the session manager uses an untrusted integer as a write length, which allows local users to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted input stream.

Pale Moon reports:

CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers

CVE-2017-7835: Mixed content blocking incorrectly applies with redirects

CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags

Exim team reports:

The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.

myBB Team reports:

High risk: Installer RCE on configuration file write

High risk: Language file headers RCE

Medium risk: Installer XSS

Medium risk: Mod CP Edit Profile XSS

Low risk: Insufficient moderator permission check in delayed moderation tools

Low risk: Announcements HTML filter bypass

Low risk: Language Pack Properties XSS.

SaltStack reports:

Directory traversal vulnerability in minion id validation in SaltStack. Allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. Credit for discovering the security flaw goes to: Julian Brost (julian@0x4a42.net). NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.

Remote Denial of Service with a specially crafted authentication request. Credit for discovering the security flaw goes to: Julian Brost (julian@0x4a42.net)

The CodeIgniter changelog reports:

Security: Fixed a potential object injection in Cache Library 'apc' driver when save() is used with $raw = TRUE.

FRR reports:

BGP Mishandled attribute length on Error

A vulnerability exists in the BGP daemon of FRR where a malformed BGP UPDATE packet can leak information from the BGP daemon and cause a denial of service by crashing the daemon.

cacti reports:

Changelog

issue#1057: CVE-2017-16641 - Potential vulnerability in RRDtool functions

issue#1066: CVE-2017-16660 in remote_agent.php logging function

issue#1066: CVE-2017-16661 in view log file

issue#1071: CVE-2017-16785 in global_session.php Reflection XSS

mediawiki reports:

security fixes:

T128209: Reflected File Download from api.php. Reported by Abdullah Hussam.

T165846: BotPasswords doesn't throttle login attempts.

T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password.

T178451: XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping.

T176247: It's possible to mangle HTML via raw message parameter expansion.

T125163: id attribute on headlines allow raw.

T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition.

T119158: Language converter: unsafe attribute injection via glossary rules.

T180488: api.log contains passwords in plaintext wasn't correctly fixed.

T180231: composer.json has require-dev versions of PHPUnit with known security issues. Reported by Tom Hutchison.

Adobe reports:

• These updates resolve out-of-bounds read vulnerabilities that could lead to remote code execution (CVE-2017-3112, CVE-2017-3114, CVE-2017-11213).
• These updates resolve use after free vulnerabilities that could lead to remote code execution (CVE-2017-11215, CVE-2017-11225).

The Asterisk project reports:

By carefully crafting invalid values in the Cseq and the Via header port, pjprojects packet parsing code can create strings larger than the buffer allocated to hold them. This will usually cause Asterisk to crash immediately. The packets do not have to be authenticated.

The Internet2 community reports:

The Shibboleth Service Provider software includes a MetadataProvider plugin with the plugin type "Dynamic" to obtain metadata on demand from a query server, in place of the more typical mode of downloading aggregates separately containing all of the metadata to load.

All the plugin types rely on MetadataFilter plugins to perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments.

Due to a coding error, the "Dynamic" plugin fails to configure itself with the filters provided to it and thus omits whatever checks they are intended to perform, which will typically leave deployments vulnerable to active attacks involving the substitution of metadata if the network path to the query service is compromised.

The PHP project reports:

The PHP development team announces the immediate availability of PHP 5.6.32. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

The PHP development team announces the immediate availability of PHP 7.0.25. This is a security release. Several security bugs were fixed in this release. All PHP 7.0 users are encouraged to upgrade to this version.

The PHP development team announces the immediate availability of PHP 7.1.11. This is a bugfix release, with several bug fixes included. All PHP 7.1 users are encouraged to upgrade to this version.

Mozilla Foundation reports:

CVE-2017-7828: Use-after-free of PressShell while restyling layout

CVE-2017-7830: Cross-origin URL information leak through Resource Timing API

CVE-2017-7831: Information disclosure of exposed properties on JavaScript proxy objects

CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers

CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker characters

CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections

CVE-2017-7835: Mixed content blocking incorrectly applies with redirects

CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and OS X

CVE-2017-7837: SVG loaded as can use meta tags to set cookies

CVE-2017-7838: Failure of individual decoding of labels in international domain names triggers punycode display of entire IDN

CVE-2017-7839: Control characters before javascript: URLs defeats self-XSS prevention mechanism

CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags

CVE-2017-7842: Referrer Policy is not always respected for elements

CVE-2017-7827: Memory safety bugs fixed in Firefox 57

CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

NVD reports:

Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in a Box) before 0.13.10 allows attackers to inject arbitrary web script via the "homepage" value of a ".gemspec" file, related to views/gem.erb and views/index.erb.

KDE reports:

Konversation has support for colors in IRC messages. Any malicious user connected to the same IRC network can send a carefully crafted message that will crash the Konversation user client.

Google Chrome Releases reports:

2 security fixes in this release, including:

• [777728] Critical CVE-2017-15398: Stack buffer overflow in QUIC. Reported by Ned Williamson on 2017-10-24
• [776677] High CVE-2017-15399: Use after free in V8. Reported by Zhao Qixun of Qihoo 360 Vulcan Team on 2017-10-20

Jenkins developers report:

Jenkins stores metadata related to people, which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping. This potentially resulted in a number of problems.

Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

The PostgreSQL project reports:

• CVE-2017-15098: Memory disclosure in JSON functions
• CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges

The OpenSSL project reports:

bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)

Severity: Moderate

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline.

Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)

Severity: Low

This issue was previously announced in security advisory https://www.openssl.org/news/secadv/20170828.txt, but the fix has not previously been included in a release due to its low severity.

wordpress developers reports:

WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we've added hardening to prevent plugins and themes from accidentally causing a vulnerability.

wireshark developers reports:

In Wireshark 2.4.0 to 2.4.1, the DOCSIS dissector could go into an infinite loop. This was addressed in plugins/docsis/packet-docsis.c by adding decrements.

In Wireshark 2.4.0 to 2.4.1, the RTSP dissector could crash. This was addressed in epan/dissectors/packet-rtsp.c by correcting the scope of a variable.

In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 2.0.15, the DMP dissector could crash. This was addressed in epan/dissectors/packet-dmp.c by validating a string length.

In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the BT ATT dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by considering a case where not all of the BTATT packets have the same encapsulation level.

In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the MBIM dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-mbim.c by changing the memory-allocation approach.

Antti Levomäki, Christian Jalio, Joonas Pihlaja:

Wget contains two vulnerabilities, a stack overflow and a heap overflow, in the handling of HTTP chunked encoding. By convincing a user to download a specific link over HTTP, an attacker may be able to execute arbitrary code with the privileges of the user.

Antti Levomäki, Christian Jalio, Joonas Pihlaja:

Wget contains two vulnerabilities, a stack overflow and a heap overflow, in the handling of HTTP chunked encoding. By convincing a user to download a specific link over HTTP, an attacker may be able to execute arbitrary code with the privileges of the user.

The Apache Openofffice project reports:

CVE-2017-3157: Arbitrary file disclosure in Calc and Writer

By exploiting the way OpenOffice renders embedded objects, an attacker could craft a document that allows reading in a file from the user's filesystem. Information could be retrieved by the attacker by, e.g., using hidden sections to store the information, tricking the user into saving the document and convincing the user to sent the document back to the attacker.

The vulnerability is mitigated by the need for the attacker to know the precise file path in the target system, and the need to trick the user into saving the document and sending it back.

CVE-2017-9806: Out-of-Bounds Write in Writer's WW8Fonts Constructor

A vulnerability in the OpenOffice Writer DOC file parser, and specifically in the WW8Fonts Constructor, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.

CVE-2017-12607: Out-of-Bounds Write in Impress' PPT Filter

A vulnerability in OpenOffice's PPT file parser, and specifically in PPTStyleSheet, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.

CVE-2017-12608: Out-of-Bounds Write in Writer's ImportOldFormatStyles

A vulnerability in OpenOffice Writer DOC file parser, and specifically in ImportOldFormatStyles, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.

GitLab reports:

Cross-Site Scripting (XSS) vulnerability in the Markdown sanitization filter

Yasin Soliman via HackerOne reported a Cross-Site Scripting (XSS) vulnerability in the GitLab markdown sanitization filter. The sanitization filter was not properly stripping invalid characters from URL schemes and was therefore vulnerable to persistent XSS attacks anywhere Markdown was supported.

Cross-Site Scripting (XSS) vulnerability in search bar

Josh Unger reported a Cross-Site Scripting (XSS) vulnerability in the issue search bar. Usernames were not being properly HTML escaped inside the author filter would could allow arbitrary script execution.

Open redirect in repository git redirects

Eric Rafaloff via HackerOne reported that GitLab was vulnerable to an open redirect vulnerability when redirecting requests for repository names that include the git extension. GitLab was not properly removing dangerous parameters from the params field before redirecting which could allow an attacker to redirect users to arbitrary hosts.

Username changes could leave repositories behind

An internal code review discovered that a bug in the code that moves repositories during a username change could potentially leave behind projects, allowing an attacker who knows the previous username to potentially steal the contents of repositories on instances that are not configured with hashed namespaces.

Node.js reports:

Node.js was susceptible to a remote DoS attack due to a change that came in as part of zlib v1.2.9. In zlib v1.2.9 8 became an invalid value for the windowBits parameter and Node's zlib module will crash or throw an exception (depending on the version)

The cURL project reports:

libcurl contains a buffer overrun flaw in the IMAP handler.

An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function.

libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.

Google Chrome Releases reports:

35 security fixes in this release, including:

• [762930] High CVE-2017-5124: UXSS with MHTML. Reported by Anonymous on 2017-09-07
• [749147] High CVE-2017-5125: Heap overflow in Skia. Reported by Anonymous on 2017-07-26
• [760455] High CVE-2017-5126: Use after free in PDFium. Reported by Luat Nguyen on KeenLab, Tencent on 2017-08-30
• [765384] High CVE-2017-5127: Use after free in PDFium. Reported by Luat Nguyen on KeenLab, Tencent on 2017-09-14
• [765469] High CVE-2017-5128: Heap overflow in WebGL. Reported by Omair on 2017-09-14
• [765495] High CVE-2017-5129: Use after free in WebAudio. Reported by Omair on 2017-09-15
• [718858] High CVE-2017-5132: Incorrect stack manipulation in WebAssembly. Reported by Gaurav Dewan of Adobe Systems India Pvt. Ltd. on 2017-05-05
• [722079] High CVE-2017-5130: Heap overflow in libxml2. Reported by Pranjal Jumde on 2017-05-14
• [744109] Medium CVE-2017-5131: Out of bounds write in Skia. Reported by Anonymous on 2017-07-16
• [762106] Medium CVE-2017-5133: Out of bounds write in Skia. Reported by Aleksandar Nikolic of Cisco Talos on 2017-09-05
• [752003] Medium CVE-2017-15386: UI spoofing in Blink. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-08-03
• [756040] Medium CVE-2017-15387: Content security bypass. Reported by Jun Kokatsu on 2017-08-16
• [756563] Medium CVE-2017-15388: Out of bounds read in Skia. Reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-08-17
• [739621] Medium CVE-2017-15389: URL spoofing in Omnibox. Reported by xisigr of Tencent's Xuanwu Lab on 2017-07-06
• [750239] Medium CVE-2017-15390: URL spoofing in Omnibox. Reported by Haosheng Wang on 2017-07-28
• [598265] Low CVE-2017-15391: Extension limitation bypass in Extensions. Reported by Joao Lucas Melo Brasio on 2016-03-28
• [714401] Low CVE-2017-15392: Incorrect registry key handling in PlatformIntegration. Reported by Xiaoyin Liu on 2017-04-22
• [732751] Low CVE-2017-15393: Referrer leak in Devtools. Reported by Svyat Mitin on 2017-06-13
• [745580] Low CVE-2017-15394: URL spoofing in extensions UI. Reported by Sam on 2017-07-18
• [759457] Low CVE-2017-15395: Null pointer dereference in ImageCapture. Reported by Johannes Bergman on 2017-08-28
• [775550] Various fixes from internal audits, fuzzing and other initiatives

Several vulnerabilities: symlink directory traversal, absolute path directory traversal and buffer overflow were discovered in the arj archiver.

cacti developers report:

The file include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page.

MIT reports:

CVE-2017-11368:

In MIT krb5 1.7 and later, an authenticated attacker can cause an assertion failure in krb5kdc by sending an invalid S4U2Self or S4U2Proxy request.

CVE-2017-11462:

RFC 2744 permits a GSS-API implementation to delete an existing security context on a second or subsequent call to gss_init_sec_context() or gss_accept_sec_context() if the call results in an error. This API behavior has been found to be dangerous, leading to the possibility of memory errors in some callers. For safety, GSS-API implementations should instead preserve existing security contexts on error until the caller deletes them.

All versions of MIT krb5 prior to this change may delete acceptor contexts on error. Versions 1.13.4 through 1.13.7, 1.14.1 through 1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts on error.

Frederik Deweerdt reports:

Multiple Denial-of-Service vulnerabilities exist in h2o workers - see references for full details.

CVE-2017-10868: Worker processes may crash when receiving a request with invalid framing.

CVE-2017-10869: The stack may overflow when proxying huge requests.

Adobe reports:

• This update resolves a type confusion vulnerability that could lead to remote code execution (CVE-2017-11292).

xorg-server developers reports:

In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events.

Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server before 2017-06-19 allowed authenticated malicious users to access potentially privileged data from the X server.

mercurial developers reports:

Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository

Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.

wpa_supplicant developers report:

A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys.

Solr developers report:

Lucene XML parser does not explicitly prohibit doctype declaration and expansion of external entities which leads to arbitrary HTTP requests to the local SOLR instance and to bypass all firewall restrictions.

Solr "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such listener can be enabled with any parameters just by using Config API with add-listener command.

Cisco TALOS reports:

An exploitable heap based buffer overflow vulnerability exists in the read_biff_next_record function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability.

An exploitable heap-based buffer overflow vulnerability exists in the read_legacy_biff function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability.

jenkins developers report:

A total of 11 issues are reported, please see reference URL for details.

Adam Jackson reports:

One regression fix since 1.19.4 (mea culpa), and fixes for CVEs 2017-12176 through 2017-12187.

The Xen project reports multiple vulnerabilities.

osip developers reports:

In libosip2 in GNU oSIP 4.1.0 and 5.0.0, a malformed SIP message can lead to a heap buffer overflow in the msg_osip_body_parse() function defined in osipparser2/osip_message_parse.c, resulting in a remote DoS.

Python reports:

Multiple vulnerabilities have been fixed in Python 2.7.14. Please refer to the CVE list for details.

ncurses developers reports:

There are multiple illegal address access issues and an infinite loop issue. Please refer to the CVE list for details.

node developers report:

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.

oss-security mailing list:

There is a possible unsafe object desrialization vulnerability in RubyGems. It is possible for YAML deserialization of gem specifications to bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

libtiff developers report:

There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.

There is a reachable assertion abort in the function TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.

zookeeper developers report:

Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.

Alan Coopersmith reports:

X.Org thanks Michal Srb of SuSE for finding these issues and bringing them to our attention, Julien Cristau of Debian for getting the fixes integrated, and Adam Jackson of Red Hat for publishing the release.

tomcat developers reports:

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

The cURL project reports:

FTP PWD response parser out of bounds read

libcurl may read outside of a heap allocated buffer when doing FTP.

When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the PWD command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses.

Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path.

A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault.

Mozilla Foundation reports:

CVE-2017-7793: Use-after-free with Fetch API

CVE-2017-7817: Firefox for Android address bar spoofing through fullscreen mode

CVE-2017-7818: Use-after-free during ARIA array manipulation

CVE-2017-7819: Use-after-free while resizing images in design mode

CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE

CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes

CVE-2017-7812: Drag and drop of malicious page content to the tab bar can open locally stored files

CVE-2017-7814: Blob and data URLs bypass phishing and malware protection warnings

CVE-2017-7813: Integer truncation in the JavaScript parser

CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode characters as spaces

CVE-2017-7815: Spoofing attack with modal dialogs on non-e10s installations

CVE-2017-7816: WebExtensions can load about: URLs in extension UI

CVE-2017-7821: WebExtensions can download and open non-executable files without user interaction

CVE-2017-7823: CSP sandbox directive did not create a unique origin

CVE-2017-7822: WebCrypto allows AES-GCM with 0-length IV

CVE-2017-7820: Xray wrapper bypass with new tab and web console

CVE-2017-7811: Memory safety bugs fixed in Firefox 56

CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4

Problem Description:

There is a programming error in the Heimdal implementation that used an unauthenticated, plain-text version of the KDC-REP service name found in a ticket.

Impact:

An attacker who has control of the network between a client and the service it talks to will be able to impersonate the service, allowing a successful man-in-the-middle (MITM) attack that circumvents the mutual authentication.

Problem Description:

There is no limit on the password length.

Impact:

A remote attacker may be able to cause an affected SSH server to use excessive amount of CPU by sending very long passwords, when PasswordAuthentication is enabled by the system administrator.

Google Project Zero reports:

• CVE-2017-14491: Heap based overflow (2 bytes). Before 2.76 and this commit overflow was unrestricted.
• CVE-2017-14492: Heap based overflow.
• CVE-2017-14493: Stack Based overflow.
• CVE-2017-14494: Information Leak
• CVE-2017-14495: Lack of free()
• CVE-2017-14496: Invalid boundary checks. Integer underflow leading to a huge memcpy.
• CVE-2017-13704: Crash on large DNS query

phpmyfaq developers report:

Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the Questions field in an "Add New FAQ" action.

Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the "Title of your FAQ" field in the Configuration Module.

wordpress developers report:

Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL.

Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.

Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.

Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.

Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename.

Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.

Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.

libraw developers report:

In LibRaw through 0.18.4, an out of bounds read flaw related to kodak_65000_load_raw has been reported in dcraw/dcraw.c and internal/dcraw_common.cpp. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash.

sam2p developers report:

In sam2p 0.49.3, a heap-based buffer overflow exists in the pcxLoadImage24 function of the file in_pcx.cpp.

In sam2p 0.49.3, the in_xpm_reader function in in_xpm.cpp has an integer signedness error, leading to a crash when writing to an out-of-bounds array element.

In sam2p 0.49.3, an integer overflow exists in the pcxLoadImage24 function of the file in_pcx.cpp, leading to an invalid write operation.

In sam2p 0.49.3, the pcxLoadRaster function in in_pcx.cpp has an integer signedness error leading to a heap-based buffer overflow.

Because of an integer overflow in sam2p 0.49.3, a loop executes 0xffffffff times, ending with an invalid read of size 1 in the Image::Indexed::sortPal function in image.cpp. However, this also causes memory corruption because of an attempted write to the invalid d[0xfffffffe] array element.

In sam2p 0.49.3, there is an invalid read of size 2 in the parse_rgb function in in_xpm.cpp. However, this can also cause a write to an illegal address.

Gem in a box XSS vulenrability - CVE-2017-14506:

Malicious attacker create GEM file with crafted homepage value (gem.homepage in .gemspec file) includes XSS payload.

The attacker access geminabox system and uploads the gem file (or uses CSRF/SSRF attack to do so).

From now on, any user access Geminabox web server, executes the malicious XSS payload, that will delete any gems on the server, and won't let users use the geminabox anymore. (make victim's browser crash or redirect them to other hosts).

Steffan Karger reports:

The bounds check in read_key() was performed after using the value, instead of before. If 'key-method 1' is used, this allowed an attacker to send a malformed packet to trigger a stack buffer overflow. [...]

Note that 'key-method 1' has been replaced by 'key method 2' as the default in OpenVPN 2.0 (released on 2005-04-17), and explicitly deprecated in 2.4 and marked for removal in 2.5. This should limit the amount of users impacted by this issue.

Talos developers report:

An exploitable buffer overflow vulnerability exists in the tag parsing functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write out of bounds resulting in a buffer overflow on the stack. An attacker can construct a malicious OFX file to trigger this vulnerability.

libzip developers report:

The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mishandles EOCD records, which allows remote attackers to cause a denial of service (memory allocation failure in _zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive.

mongodb developers report:

In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c.

MITRE reports:

The ReadCAPTIONImage function in coders/caption.c in ImageMagick allows remote attackers to cause a denial of service (infinite loop) via a crafted font file.

sugarcrm developers report:

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker to modify the SQL database. Proper SQL escaping has been added to prevent such exploits.

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a query string. Proper input validation has been added to mitigate this issue.

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by proper validating the redirect URL values being passed along.

libraw developers report:

A Stack-based Buffer Overflow was discovered in xtrans_interpolate in internal/dcraw_common.cpp in LibRaw before 0.18.3. It could allow a remote denial of service or code execution attack.

PHP developers report:

The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information.

libgd developers report:

Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.

Talos reports:

An exploitable buffer overflow vulnerability exists in the tag parsing functionality of Ledger-CLI 3.1.1. A specially crafted journal file can cause an integer underflow resulting in code execution. An attacker can construct a malicious journal file to trigger this vulnerability.

An exploitable use-after-free vulnerability exists in the account parsing component of the Ledger-CLI 3.1.1. A specially crafted ledger file can cause a use-after-free vulnerability resulting in arbitrary code execution. An attacker can convince a user to load a journal file to trigger this vulnerability.

libraw developers report:

LibRaw before 0.18.4 has a heap-based Buffer Overflow in the processCanonCameraInfo function via a crafted file.

tcpdump developers report:

Too many issues to detail, see CVE references for details.

ansible developers report:

Ansible versions 2.2.3 and earlier are vulnerable to an information disclosure flaw due to the interaction of call back plugins and the no_log directive where the information may not be sanitized properly.

Gentoo developers report:

DeleteBitBuffer in libbitbuf/bitbuffer.c in mp4tools aacplusenc 0.17.5 allows remote attackers to cause a denial of service (invalid memory write, SEGV on unknown address 0x000000000030, and application crash) or possibly have unspecified other impact via a crafted .wav file, aka a NULL pointer dereference.

WeeChat reports:

security problem: a crash can happen in logger plugin when converting date/time specifiers in file mask.

SO-AND-SO reports:

CVE-2017-12814: $ENV{$key} stack buffer overflow on Windows

A possible stack buffer overflow in the %ENV code on Windows has been fixed by removing the buffer completely since it was superfluous anyway.

CVE-2017-12837: Heap buffer overflow in regular expression compiler

Compiling certain regular expression patterns with the case-insensitive modifier could cause a heap buffer overflow and crash perl. This has now been fixed.

CVE-2017-12883: Buffer over-read in regular expression parser

For certain types of syntax error in a regular expression pattern, the error message could either contain the contents of a random, possibly large, chunk of memory, or could crash perl. This has now been fixed.

Google Chrome releases reports:

3 security fixes in this release, including:

• [765433] High CVE-2017-5121: Out-of-bounds access in V8. Reported by Jordan Rabet, Microsoft Offensive Security Research and Microsoft ChakraCore team on 2017-09-14
• [752423] High CVE-2017-5122: Out-of-bounds access in V8. Reported by Choongwoo Han of Naver Corporation on 2017-08-04
• [767508] Various fixes from internal audits, fuzzing and other initiatives

Mozilla Foundation reports:

Please reference CVE/URL list for details

Mozilla Foundation reports:

Please reference CVE/URL list for details

The Fuzzing Project reports:

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Google reports:

A heap-buffer overflow (sometimes a crash) can arise when running a SQL request on malformed sqlite3 databases.

Ruby blog:

CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf

If a malicious format string which contains a precious specifier (*) is passed and a huge minus value is also passed to the specifier, buffer underrun may be caused. In such situation, the result may contains heap, or the Ruby interpreter may crash.

CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick

When using the Basic authentication of WEBrick, clients can pass an arbitrary string as the user name. WEBrick outputs the passed user name intact to its log, then an attacker can inject malicious escape sequences to the log and dangerous control characters may be executed on a victim?s terminal emulator.

This vulnerability is similar to a vulnerability already fixed, but it had not been fixed in the Basic authentication.

CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode

If a malicious string is passed to the decode method of OpenSSL::ASN1, buffer underrun may be caused and the Ruby interpreter may crash.

CVE-2017-14064: Heap exposure vulnerability in generating JSON

The generate method of JSON module optionally accepts an instance of JSON::Ext::Generator::State class. If a malicious instance is passed, the result may include contents of heap.

The Asterisk project reports:

This is a follow up advisory to AST-2017-005.

Insufficient RTCP packet validation could allow reading stale buffer contents and when combined with the "nat" and "symmetric_rtp" options allow redirecting where Asterisk sends the next RTCP report.

The RTP stream qualification to learn the source address of media always accepted the first RTP packet as the new source and allowed what AST-2017-005 was mitigating. The intent was to qualify a series of packets before accepting the new source address.

The RTP/RTCP stack will now validate RTCP packets before processing them.

GitLab reports:

Please reference CVE/URL list for details

Paul Eggert reports:

Charles A. Roelli has found a security flaw in the enriched mode in GNU Emacs.

When Emacs renders MIME text/enriched data (Internet RFC 1896), it is vulnerable to arbitrary code execution. Since Emacs-based mail clients decode "Content-Type: text/enriched", this code is exploitable remotely. This bug affects GNU Emacs versions 19.29 through 25.2.

Adobe reports:

• These updates resolve memory corruption vulnerabilities that could lead to remote code execution (CVE-2017-11281, CVE-2017-11282).

Cyrus IMAP 3.0.4 Release Notes states:

Fixed Issue #2132: Broken "Other Users" behaviour

Django blog:

In older versions, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with DEBUG = True (which makes this page accessible) in your production settings.

Google Chrome releases reports:

22 security fixes in this release, including:

• [737023] High CVE-2017-5111: Use after free in PDFium. Reported by Luat Nguyen on KeenLab, Tencent on 2017-06-27
• [740603] High CVE-2017-5112: Heap buffer overflow in WebGL. Reported by Tobias Klein on 2017-07-10
• [747043] High CVE-2017-5113: Heap buffer overflow in Skia. Reported by Anonymous on 2017-07-20
• [752829] High CVE-2017-5114: Memory lifecycle issue in PDFium. Reported by Ke Liu of Tencent's Xuanwu LAB on 2017-08-07
• [744584] High CVE-2017-5115: Type confusion in V8. Reported by Marco Giovannini on 2017-07-17
• [759624] High CVE-2017-5116: Type confusion in V8. Reported by Anonymous on 2017-08-28
• [739190] Medium CVE-2017-5117: Use of uninitialized value in Skia. Reported by Tobias Klein on 2017-07-04
• [747847] Medium CVE-2017-5118: Bypass of Content Security Policy in Blink. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-07-24
• [725127] Medium CVE-2017-5119: Use of uninitialized value in Skia. Reported by Anonymous on 2017-05-22
• [718676] Low CVE-2017-5120: Potential HTTPS downgrade during redirect navigation. Reported by Xiaoyin Liu on 2017-05-05
• [762099] Various fixes from internal audits, fuzzing and other initiatives

TALOS reports:

• An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality.

• An exploitable heap-overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality.

The Asterisk project reports:

AST-2017-005 - A change was made to the strict RTP support in the RTP stack to better tolerate late media when a reinvite occurs. When combined with the symmetric RTP support this introduced an avenue where media could be hijacked. Instead of only learning a new address when expected the new code allowed a new source address to be learned at all times.

AST-2017-006 - The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.

The Asterisk project reports:

A carefully crafted URI in a From, To or Contact header could cause Asterisk to crash.

GnuPG reports:

Mitigate a local side-channel attack on Curve25519 dubbed "May the Fourth Be With You".

CVE Details reports:

• There is an Integer overflow in the hash_int function of the libpspp library in GNU PSPP 0.10.5-pre2 (CVE-2017-10791).
• There is a NULL Pointer Dereference in the function ll_insert() of the libpspp library in GNU PSPP 0.10.5-pre2 (CVE-2017-10792).
• There is an illegal address access in the function output_hex() in data/data-out.c of the libpspp library in GNU PSPP 0.11.0 that will lead to remote denial of service (CVE-2017-12958).
• There is a reachable assertion abort in the function dict_add_mrset() in data/dictionary.c of the libpspp library in GNU PSPP 0.11.0 that will lead to a remote denial of service attack (CVE-2017-12959).
• There is a reachable assertion abort in the function dict_rename_var() in data/dictionary.c of the libpspp library in GNU PSPP 0.11.0 that will lead to remote denial of service (CVE-2017-12960).
• There is an assertion abort in the function parse_attributes() in data/sys-file-reader.c of the libpspp library in GNU PSPP 0.11.0 that will lead to remote denial of service (CVE-2017-12961).

Official blog of RubyGems reports:

The following vulnerabilities have been reported: a DNS request hijacking vulnerability, an ANSI escape sequence vulnerability, a DoS vulnerability in the query command, and a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files.

chbi reports:

an authenticated standard user could reset the password of another user (including admin) by altering form data.

Poppler developers report:

Poppler is prone to a stack-based buffer-overflow vulnerability.

Successful exploits may allow attackers to crash the affected application, resulting in denial-of-service condition. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed.

PHPMailer reports:

Fix XSS vulnerability in one of the code examples, CVE-2017-11503. The code_generator.phps example did not filter user input prior to output. This file is distributed with a .phps extension, so it it not normally executable unless it is explicitly renamed, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.

PowerDNS Security Advisory reports:

The first issue can lead to a denial of service on 32-bit if a backend sends crafted answers, and the second to an alteration of dnsdist's ACL if the API is enabled, writable and an authenticated user is tricked into visiting a crafted website.

SaltStack reports:

Correct a flaw in minion id validation which could allow certain minions to authenticate to a master despite not having the correct credentials. To exploit the vulnerability, an attacker must create a salt-minion with an ID containing characters that will cause a directory traversal. Credit for discovering the security flaw goes to: Vernhk@qq.com

SquirrelMail developers report:

SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server.

Tobias Mueller reports:

libsoup is susceptible to a stack based buffer overflow attack when using chunked encoding. Regardless of libsoup being used as a server or client.

Drupal Security Team:

CVE-2017-6923: Views - Access Bypass - Moderately Critical

CVE-2017-6924: REST API can bypass comment approval - Access Bypass - Moderately Critica

CVE-2017-6925: Entity access bypass for entities that do not have UUIDs or have protected revisions - Access Bypass - Critical

mitre reports:

An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.

GitLab reports:

Please reference CVE/URL list for details

mnaberez reports:

supervisord can be configured to run an HTTP server on a TCP socket and/or a Unix domain socket. The HTTP server is how supervisorctl communicates with supervisord. If an HTTP server has been enabled, it will always serve both HTML pages and an XML-RPC interface. A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root.

This vulnerability can only be exploited by an authenticated client or if supervisord has been configured to run an HTTP server without authentication. If authentication has not been enabled, supervisord will log a message at the critical level every time it starts.

Guido Vranken reports:

Multiple vulnerabilities found via fuzzing: FR-GV-201 (v2,v3) Read / write overflow in make_secret() FR-GV-202 (v2) Write overflow in rad_coalesce() FR-GV-203 (v2) DHCP - Memory leak in decode_tlv() FR-GV-204 (v2) DHCP - Memory leak in fr_dhcp_decode() FR-GV-205 (v2) DHCP - Buffer over-read in fr_dhcp_decode_options() FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63 FR-GV-207 (v2) Zero-length malloc in data2vp() FR-GV-301 (v3) Write overflow in data2vp_wimax() FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp() FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions() FR-GV-305 (v3) Decode 'signed' attributes correctly FR-AD-001 (v2,v3) Use strncmp() instead of memcmp() for string data FR-AD-002 (v3) String lifetime issues in rlm_python FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare

Mercurial Release Notes:

CVE-2017-1000115

Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.

CVE-2017-1000116

Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed.

Oracle reports:

Please reference CVE/URL list for details

subversion team reports:

A Subversion client sometimes connects to URLs provided by the repository. This happens in two primary cases: during 'checkout', 'export', 'update', and 'switch', when the tree being downloaded contains svn:externals properties; and when using 'svnsync sync' with one URL argument.

A maliciously constructed svn+ssh:// URL would cause Subversion clients to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server.

The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.

An exploit has been tested.

GitLab reports:

Remote Command Execution in git client

An external code review performed by Recurity-Labs identified a remote command execution vulnerability in git that could be exploited via the "Repo by URL" import option in GitLab. The command line git client was not properly escaping command line arguments in URLs using the SSH protocol before invoking the SSH client. A specially crafted URL could be used to execute arbitrary shell commands on the GitLab server.

To fully patch this vulnerability two fixes were needed. The Omnibus versions of GitLab contain a patched git client. For source users who may still be running an older version of git, GitLab now also blocks import URLs containing invalid host and usernames.

This issue has been assigned CVE-2017-12426.

Improper sanitization of GitLab export files on import

GitLab versions 8.13.3, 8.12.8, 8.11.10, 8.10.13, and 8.9.12 contained a patch for a critical directory traversal vulnerability in the GitLab export feature that could be exploited by including symlinks in the export file and then re-importing it to a GitLab instance. This vulnerability was patched by checking for and removing symlinks in these files on import.

Recurity-Labs also determined that this fix did not properly remove symlinks for hidden files. Though not as dangerous as the original vulnerability hidden file symlinks could still be used to steal copies of git repositories belonging to other users if the path to the git repository was known by the attacker. An updated fix has been included in these releases that properly removes all symlinks.

This import option was not made available to non-admin users until GitLab 8.13.0.

Adobe reports:

• These updates resolve security bypass vulnerability that could lead to information disclosure (CVE-2017-3085).
• These updates resolve type confusion vulnerability that could lead to remote code execution (CVE-2017-3106).

The PostgreSQL project reports:

• CVE-2017-7546: Empty password accepted in some authentication methods
• CVE-2017-7547: The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges
• CVE-2017-7548: lo_put() function ignores ACLs

Mark Thomas reports:

CVE-2016-3092 is a denial of service vulnerability that has been corrected in the Apache Commons FileUpload component. It occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file. This caused the file upload process to take several orders of magnitude longer than if the boundary length was the typical tens of bytes.

The cURL project reports:

• FILE buffer read out of bounds
• TFTP sends more than buffer size
• URL globbing out of bounds read

Apache Axis2 reports:

The commons-fileupload dependency has been updated to a version that fixes CVE-2016-1000031 (AXIS2-5853).

Mozilla Foundation reports:

Please reference CVE/URL list for details

phk reports:

A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert.

Google Chrome releases reports:

40 security fixes in this release

Please reference CVE/URL list for details

kimiizhang reports:

Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers.

NVD reports:

ProFTPD ... controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link.

SecurityFocus reports:

JabberD is prone to an authentication-bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may lead to further attacks.

Senrio reports:

Genivia gSOAP is prone to a stack-based buffer-overflow vulnerability because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized buffer.

A remote attacker may exploit this issue to execute arbitrary code in the context of the affected device. Failed attempts will likely cause a denial-of-service condition.

marcinguy reports:

After sending this payload, collectd seems to be entering endless while() loop in packet_parse consuming high CPU resources, possibly crash/gets killed after a while.

strongSwan security team reports:

• RSA public keys passed to the gmp plugin aren't validated sufficiently before attempting signature verification, so that invalid input might lead to a floating point exception. [CVE-2017-9022]
• ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when parsing X.509 certificates with extensions that use such types. This could lead to infinite looping of the thread parsing a specifically crafted certificate.

kimiizhang reports:

Cross-site scripting (XSS) vulnerability in link.php in Cacti

1.1.12 allows remote anonymous users to inject arbitrary web

script or HTML via the id parameter.

GNOME reports:

The comic book backend in evince 3.24.0 (and earlier) is vulnerable to a command injection bug that can be used to execute arbitrary commands when a CBT file is opened.

The same vulnerability affects atril, the Evince fork.

The Apache httpd project reports:

important: Read after free in mod_http2 (CVE-2017-9789)

When under stress, closing many connections, the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.

important: Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788)

The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by mod_auth_digest.

Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault.

Adobe reports:

• These updates resolve security bypass vulnerability that could lead to information disclosure (CVE-2017-3080).
• These updates resolve memory corruption vulnerability that could lead to remote code execution (CVE-2017-3099).
• These updates resolve memory corruption vulnerability that could lead to memory address disclosure (CVE-2017-3100).

Updates are now available for all active Node.js release lines as well as the 7.x line. These include the fix for the high severity vulnerability identified in the initial announcement, one additional lower priority Node.js vulnerability in the 4.x release line, as well as some lower priority fixes for Node.js dependencies across the current release lines.

Constant Hashtable Seeds (CVE pending)

Node.js was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup. Thanks to Jann Horn of Google Project Zero for reporting this vulnerability.

This is a high severity vulnerability and applies to all active release lines (4.x, 6.x, 8.x) as well as the 7.x line.

http.get with numeric authorization options creates uninitialized buffers

Application code that allows the auth field of the options object used with http.get() to be set to a number can result in an uninitialized buffer being created/used as the authentication string.

This is a low severity defect and only applies to the 4.x release line.

The samba project reports:

A MITM attacker may impersonate a trusted server and thus gain elevated access to the domain by returning malicious replication or authorization data.

Maxim Dounin reports:

A security issue was identified in nginx range filter. A specially crafted request might result in an integer overflow and incorrect processing of ranges, potentially resulting in sensitive information leak (CVE-2017-7529).

irssi reports:

When receiving messages with invalid time stamps, Irssi would try to dereference a NULL pointer.

While updating the internal nick list, Irssi may incorrectly use the GHashTable interface and free the nick while updating it. This will then result in use-after-free conditions on each access of the hash table.

The CodeIgniter changelog reports:

Form Validation Library rule valid_email could be bypassed if idn_to_ascii() is available.

Drupal Security Team Reports:

CVE-2017-6920: PECL YAML parser unsafe object handling.

CVE-2017-6921: File REST resource does not properly validate

CVE-2017-6922: Files uploaded by anonymous users into a private file system can be accessed by other anonymous users.

Matt Johnston reports:

Fix double-free in server TCP listener cleanup A double-free in the server could be triggered by an authenticated user if dropbear is running with -a (Allow connections to forwarded ports from any host) This could potentially allow arbitrary code execution as root by an authenticated user.

Fix information disclosure with ~/.ssh/authorized_keys symlink. Dropbear parsed authorized_keys as root, even if it were a symlink. The fix is to switch to user permissions when opening authorized_keys.

The smarty project reports:

bugfix {math} shell injection vulnerability

The Tor Project reports:

Tor 0.3.0.9 fixes a path selection bug that would allow a client to use a guard that was in the same network family as a chosen exit relay. This is a security regression; all clients running earlier versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or 0.3.1.4-alpha.

GitLab reports:

Please reference CVE/URL list for details

GnuPG reports:

Mitigate a flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster".

Michael J Rubinsky reports:

The second vulnerability (CVE-2017-9773) is a DOS vulnerability. This only affects Horde installations that do not have a configured image handling backend, and thus use the "Null" image driver. It is exploitable by a logged in user clicking on a maliciously crafted URL.

Qualsys reports:

Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.

Samuli Seppänen reports:

In May/June 2017 Guido Vranken threw a fuzzer at OpenVPN 2.4.2. In the process he found several vulnerabilities and reported them to the OpenVPN project. [...] The first releases to have these fixes are OpenVPN 2.4.3 and 2.3.17.

This is a list of fixed important vulnerabilities:

• Remotely-triggerable ASSERT() on malformed IPv6 packet
• Pre-authentication remote crash/information disclosure for clients
• Potential double-free in --x509-alt-username
• Remote-triggerable memory leaks
• Post-authentication remote DoS when using the --x509-track option
• Null-pointer dereference in establish_http_proxy_passthru()

Michael J Rubinsky reports:

The fist vulnerability (CVE-2017-9774) is a Remote Code Execution vulnerability and is exploitable by a logged in user sending a maliciously crafted GET request to the Horde server.

The Apache httpd project reports:

• ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167):
  
  Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
• mod_ssl Null Pointer Dereference (CVE-2017-3169):
  
  mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.
• mod_http2 Null Pointer Dereference (CVE-2017-7659):
  
  A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process.
• ap_find_token() Buffer Overread (CVE-2017-7668):
  
  The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.
• mod_mime Buffer Overread (CVE-2017-7679):
  
  mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.

Google Chrome releases reports:

5 security fixes in this release, including:

• [725032] High CVE-2017-5087: Sandbox Escape in IndexedDB. Reported by Ned Williamson on 2017-05-22
• [729991] High CVE-2017-5088: Out of bounds read in V8. Reported by Xiling Gong of Tencent Security Platform Department on 2017-06-06
• [714196] Medium CVE-2017-5089: Domain spoofing in Omnibox. Reported by Michal Bentkowski on 2017-04-21
• [732498] Various fixes from internal audits, fuzzing and other initiatives

BestPractical reports:

Please reference CVE/URL list for details

cURL security advisory:

When libcurl is given either

1. a file: URL that doesn't use two slashes following the colon, or

2. is told that file is the default scheme to use for URLs without scheme

... and the given path starts with a drive letter and libcurl is built for Windows or DOS, then libcurl would copy the path with a wrong offset, so that the end of the given path would write beyond the malloc buffer. Up to seven bytes too much.

We are not aware of any exploit of this flaw.

Adobe reports:

• These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2017-3075, CVE-2017-3081, CVE-2017-3083, CVE-2017-3084).
• These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2017-3076, CVE-2017-3077, CVE-2017-3078, CVE-2017-3079, CVE-2017-3082).

Roundcube reports:

Roundcube Webmail allows arbitrary password resets by authenticated users. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

Joseph Bisch reports:

When receiving a DCC message without source nick/host, Irssi would attempt to dereference a NULL pointer.

When receiving certain incorrectly quoted DCC files, Irssi would try to find the terminating quote one byte before the allocated memory.

The GnuTLS project reports:

It was found using the TLS fuzzer tools that decoding a status response TLS extension with valid contents could lead to a crash due to a null pointer dereference. The issue affects GnuTLS server applications.

Google Chrome releases reports:

30 security fixes in this release

Please reference CVE/URL list for details

RedHat security team reports:

An input validation flaw was found in Ansible, where it fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, result in code execution.

Stefan Winter reports:

The TLS session cache in FreeRADIUS before 3.0.14 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS.

The duo security team reports:

An untrusted user may be able to set the http_proxy variable to an invalid address. If this happens, this will trigger the configured 'failmode' behavior, which defaults to safe. Safe mode causes the authentication to report a success.

Viktor Dukhovni reports:

Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm to not be added to the transit path of issued tickets. This may, in some cases, enable bypass of capath policy in Heimdal versions 1.5 through 7.2. Note, this may break sites that rely on the bug. With the bug some incomplete [capaths] worked, that should not have. These may now break authentication in some cross-realm configurations. (CVE-2017-6594)

GitLab reports:

Information Disclosure in Issue and Merge Request Trackers

During an internal code review a critical vulnerability in the GitLab Issue and Merge Request trackers was discovered. This vulnerability could allow a user with access to assign ownership of an issue or merge request to another user to disclose that user's private token, email token, email address, and encrypted OTP secret. Reporter-level access to a GitLab project is required to exploit this flaw.

SSRF when importing a project from a Repo by URL

GitLab instances that have enabled project imports using "Repo by URL" were vulnerable to Server-Side Request Forgery attacks. By specifying a project import URL of localhost an attacker could target services that are bound to the local interface of the server. These services often do not require authentication. Depending on the service an attacker might be able craft an attack using the project import request URL.

Links in Environments tab vulnerable to tabnabbing

edio via HackerOne reported that user-configured Environment links include target=_blank but do not also include rel: noopener noreferrer. Anyone clicking on these links may therefore be subjected to tabnabbing attacks where a link back to the requesting page is maintained and can be manipulated by the target server.

Accounts with email set to "Do not show on profile" have addresses exposed in public atom feed

Several GitLab users reported that even with "Do not show on profile" configured for their email addresses those addresses were still being leaked in Atom feeds if they commented on a public project.

GitLab reports:

Please reference CVE/URL list for details

Please reference CVE/URL list for details

Problem Description:

A vulnerability was discovered in the NTP server's parsing of configuration directives. [CVE-2017-6464]

A vulnerability was found in NTP, in the parsing of packets from the DPTS Clock. [CVE-2017-6462]

A vulnerability was discovered in the NTP server's parsing of configuration directives. [CVE-2017-6463]

A vulnerability was found in NTP, affecting the origin timestamp check function. [CVE-2016-9042]

Impact:

A remote, authenticated attacker could cause ntpd to crash by sending a crafted message. [CVE-2017-6463, CVE-2017-6464]

A malicious device could send crafted messages, causing ntpd to crash. [CVE-2017-6462]

An attacker able to spoof messages from all of the configured peers could send crafted packets to ntpd, causing later replies from those peers to be discarded, resulting in denial of service. [CVE-2016-9042]

Problem Description:

ipfilter(4), capable of stateful packet inspection, using the "keep state" or "keep frags" rule options, will not only maintain the state of connections, such as TCP streams or UDP communication, it also maintains the state of fragmented packets. When a packet fragments are received they are cached in a hash table (and linked list). When a fragment is received it is compared with fragments already cached in the hash table for a match. If it does not match the new entry is used to create a new entry in the hash table. If on the other hand it does match, unfortunately the wrong entry is freed, the entry in the hash table. This results in use after free panic (and for a brief moment prior to the panic a memory leak due to the wrong entry being freed).

Impact:

Carefully feeding fragments that are allowed to pass by an ipfilter(4) firewall can be used to cause a panic followed by reboot loop denial of service attack.

The OpenSSL project reports:

• Truncated packet could crash via OOB read (CVE-2017-3731)
• Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)
• BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
• Montgomery multiplication may produce incorrect results (CVE-2016-7055)

Check Point research team reports:

Remote code execution via crafted subtitles

Brandon Perry reports:

[There] is a zip file of EXR images that cause segmentation faults in the OpenEXR library (tested against 2.2.0).

• CVE-2017-9110 In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash.
• CVE-2017-9111 In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code.
• CVE-2017-9112 In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash.
• CVE-2017-9113 In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code.
• CVE-2017-9114 In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash.
• CVE-2017-9115 In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code.
• CVE-2017-9116 In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash.

The samba project reports:

Remote code execution from a writable share.

All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

NVIDIA Unix security team reports:

NVIDIA GPU Display Driver contains vulnerabilities in the kernel mode layer handler where not correctly validated user input, NULL pointer dereference, and incorrect access control may lead to denial of service or potential escalation of privileges.

Tintinweb reports:

An integer signedness error was found in miniupnp's miniwget allowing an unauthenticated remote entity typically located on the local network segment to trigger a heap corruption or an access violation in miniupnp's http response parser when processing a specially crafted chunked-encoded response to a request for the xml root description url.

WordPress versions 4.7.4 and earlier are affected by six security issues

• Insufficient redirect validation in the HTTP class.
• Improper handling of post meta data values in the XML-RPC API.
• Lack of capability checks for post meta data in the XML-RPC API.
• A Cross Site Request Forgery (CRSF) vulnerability was discovered in the filesystem credentials dialog.
• A cross-site scripting (XSS) vulnerability was discovered related to the Customizer.

The Asterisk project reports:

A remote crash can be triggered by sending a SIP packet to Asterisk with a specially crafted CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key generation algorithm does not allocate a large enough buffer. By overrunning the buffer, the memory allocation table becomes corrupted, leading to an eventual crash.

The multi-part body parser in PJSIP contains a logical error that can make certain multi-part body parts attempt to read memory from outside the allowed boundaries. A specially-crafted packet can trigger these invalid reads and potentially induce a crash.

This issues is in PJSIP, and so the issue can be fixed without performing an upgrade of Asterisk at all. However, we are releasing a new version of Asterisk with the bundled PJProject updated to include the fix.

If you are running Asterisk with chan_sip, this issue does not affect you.

The Asterisk project reports:

A remote memory exhaustion can be triggered by sending an SCCP packet to Asterisk system with "chan_skinny" enabled that is larger than the length of the SCCP header but smaller than the packet length specified in the header. The loop that reads the rest of the packet doesn't detect that the call to read() returned end-of-file before the expected number of bytes and continues infinitely. The "partial data" message logging in that tight loop causes Asterisk to exhaust all available memory.

GitLab reports:

The import/export feature did not properly check for symbolic links in user-provided archives and therefore it was possible for an authenticated user to retrieve the contents of any file accessible to the GitLab service account. This included sensitive files such as those that contain secret tokens used by the GitLab service to authenticate users.

JSST reports:

Inadequate filtering of request data leads to a SQL Injection vulnerability.

Werner Lemberg reports:

CVE-2017-8105, CVE-2017-8287: Older FreeType versions have out-of-bounds writes caused by heap-based buffer overflows related to Type 1 fonts.

Samuli Seppänen reports:

OpenVPN v2.4.0 was audited for security vulnerabilities independently by Quarkslabs (funded by OSTIF) and Cryptography Engineering (funded by Private Internet Access) between December 2016 and April 2017. The primary findings were two remote denial-of-service vulnerabilities. Fixes to them have been backported to v2.3.15.

An authenticated client can do the 'three way handshake' (P_HARD_RESET, P_HARD_RESET, P_CONTROL), where the P_CONTROL packet is the first that is allowed to carry payload. If that payload is too big, the OpenVPN server process will stop running due to an ASSERT() exception. That is also the reason why servers using tls-auth/tls-crypt are protected against this attack - the P_CONTROL packet is only accepted if it contains the session ID we specified, with a valid HMAC (challenge-response). (CVE-2017-7478)

An authenticated client can cause the server's the packet-id counter to roll over, which would lead the server process to hit an ASSERT() and stop running. To make the server hit the ASSERT(), the client must first cause the server to send it 2^32 packets (at least 196 GB).

The PostgreSQL project reports:

Security Fixes nested CASE expressions + database and role names with embedded special characters

• CVE-2017-7484: selectivity estimators bypass SELECT privilege checks.
• CVE-2017-7485: libpq ignores PGREQUIRESSL environment variable
• CVE-2017-7486: pg_user_mappings view discloses foreign server passwords. This applies to new databases, see the release notes for the procedure to apply the fix to an existing database.

Albert Astals Cid reports:

KAuth contains a logic flaw in which the service invoking dbus is not properly checked. This allows spoofing the identity of the caller and with some carefully crafted calls can lead to gaining root from an unprivileged account.

rwhitworth reports:

I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the mime-parse test program. Is fixing these crashes something you're interested in? The input files can be found here: https://github.com/rwhitworth/libetpan-fuzz/. The files can be executed as ./mime-parse id_filename to cause seg faults.

NVD reports:

International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function.

International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.

Google Chrome Releases reports:

1 security fix in this release:

• [679306] High CVE-2017-5068: Race condition in WebRTC. Credit to Philipp Hancke

Timo Sirainen reports:

passdb/userdb dict: Don't double-expand %variables in keys. If dict was used as the authentication passdb, using specially crafted %variables in the username could be used to cause DoS.

Jakub Jirutka reports:

LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx.

Jenkins Security Advisory:

Description

SECURITY-412 through SECURITY-420 / CVE-2017-1000356

CSRF: Multiple vulnerabilities

SECURITY-429 / CVE-2017-1000353

CLI: Unauthenticated remote code execution

SECURITY-466 / CVE-2017-1000354

CLI: Login command allowed impersonating any Jenkins user

SECURITY-503 / CVE-2017-1000355

XStream: Java crash when trying to instantiate void/Void

The CodeIgniter changelog reports:

Fixed a header injection vulnerability in common function set_status_header() under Apache (thanks to Guillermo Caminer from Flowgate).

Fixed byte-safety issues in Encrypt Library (DEPRECATED) when mbstring.func_overload is enabled.

Fixed byte-safety issues in Encryption Library when mbstring.func_overload is enabled.

Fixed byte-safety issues in compatibility functions password_hash(), hash_pbkdf2() when mbstring.func_overload is enabled.

Updated Encrypt Library (DEPRECATED) to call mcrypt_create_iv() with MCRYPT_DEV_URANDOM.

ISC reports:

DNS protocols were designed with the assumption that a certain amount of trust could be presumed between the operators of primary and secondary servers for a given zone. However, in current practice some organizations have scenarios which require them to accept zone data from sources that are not fully trusted (for example: providers of secondary name service). A party who is allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS updates) can overwhelm the server which is accepting data by intentionally or accidentally exhausting that server's memory.

Common Vulnerabilities and Exposures:

WeeChat before 1.7.1 allows a remote crash by sending a filename via DCC to the IRC plugin. This occurs in the irc_ctcp_dcc_filename_without_quotes function during quote removal, with a buffer overflow.

Drupal Security Team Reports:

CVE-2017-6919: Access bypass

Google Chrome Releases reports:

29 security fixes in this release, including:

• [695826] High CVE-2017-5057: Type confusion in PDFium. Credit to Guang Gong of Alpha Team, Qihoo 360
• [694382] High CVE-2017-5058: Heap use after free in Print Preview. Credit to Khalil Zhani
• [684684] High CVE-2017-5059: Type confusion in Blink. Credit to SkyLined working with Trend Micro's Zero Day Initiative
• [683314] Medium CVE-2017-5060: URL spoofing in Omnibox. Credit to Xudong Zheng
• [672847] Medium CVE-2017-5061: URL spoofing in Omnibox. Credit to Haosheng Wang (@gnehsoah)
• [702896] Medium CVE-2017-5062: Use after free in Chrome Apps. Credit to anonymous
• [700836] Medium CVE-2017-5063: Heap overflow in Skia. Credit to Sweetchip
• [693974] Medium CVE-2017-5064: Use after free in Blink. Credit to Wadih Matar
• [704560] Medium CVE-2017-5065: Incorrect UI in Blink. Credit to Khalil Zhani
• [690821] Medium CVE-2017-5066: Incorrect signature handing in Networking. Credit to Prof. Zhenhua Duan, Prof. Cong Tian, and Ph.D candidate Chu Chen (ICTT, Xidian University)
• [648117] Medium CVE-2017-5067: URL spoofing in Omnibox. Credit to Khalil Zhani
• [691726] Low CVE-2017-5069: Cross-origin bypass in Blink. Credit to Michael Reizelman
• [713205] Various fixes from internal audits, fuzzing and other initiatives

NVD reports:

Please reference CVE/URL list for details

cURL security advisory:

libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate).

libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster.

This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.

NVD reports:

In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file.

In libsndfile before 1.0.28, an error in the "header_read()" function (common.c) when handling ID3 tags can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file.

In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with write memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585.

In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with read memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585.

Mozilla Foundation reports:

An out-of-bounds write in the Graphite 2 library triggered with a maliciously crafted Graphite font. This results in a potentially exploitable crash. This issue was fixed in the Graphite 2 library as well as Mozilla products.

NVD reports:

In libsamplerate before 0.1.9, a buffer over-read occurs in the calc_output_single function in src_sinc.c via a crafted audio file.

Mozilla Foundation reports:

An out-of-bounds write during Base64 decoding operation in the Network Security Services (NSS) library due to insufficient memory being allocated to the buffer. This results in a potentially exploitable crash. The NSS library has been updated to fix this issue to address this issue and Firefox 53 has been updated with NSS version 3.29.5.

A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox 53 has been updated with NSS version 3.29.5.

Debian Security reports:

CVE-2016-10195: The name_parse function in evdns.c in libevent before 2.1.6-beta allows remote attackers to have unspecified impact via vectors involving the label_len variable, which triggers an out-of-bounds stack read.

CVE-2016-10196: Stack-based buffer overflow in the evutil_parse_sockaddr_port function in evutil.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (segmentation fault) via vectors involving a long string in brackets in the ip_as_string argument.

CVE-2016-10197: The search_make_new function in evdns.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (out-of-bounds read) via an empty hostname.

Oracle reports:

This Critical Patch Update contains 39 new security fixes for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

ISC reports:

A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate.

An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met.

Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order.

named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc.

A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string.

The content auto-download of id Tech 3 can be used to deliver maliciously crafted content, that triggers downloading of further content and loading and executing it as native code with user credentials. This affects ioquake3, ioUrbanTerror, OpenArena, the original Quake 3 Arena and other forks.

The cURL project reports:

There were two bugs in curl's parser for the command line option --write-out (or -w for short) that would skip the end of string zero byte if the string ended in a % (percent) or \ (backslash), and it would read beyond that buffer in the heap memory and it could then potentially output pieces of that memory to the terminal or the target file etc..

This flaw only exists in the command line tool.

We are not aware of any exploit of this flaw.

The Xen Project reports:

The XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays.

A malicious or buggy 64-bit PV guest may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks.

NVIDIA Unix security team reports:

NVIDIA GPU Display Driver contains vulnerabilities in the kernel mode layer handler where multiple integer overflows, improper access control, and improper validation of a user input may cause a denial of service or potential escalation of privileges.

The Asterisk project reports:

No size checking is done when setting the user field on a CDR. Thus, it is possible for someone to use an arbitrarily large string and write past the end of the user field storage buffer. This allows the possibility of remote code injection.

Django team reports:

These release addresses two security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

• Open redirect and possible XSS attack via user-supplied numeric redirect URLs
• Open redirect vulnerability in django.views.static.serve()

The Xen Project reports:

Unprivileged guests may be able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host.

Google Chrome Releases reports:

5 security fixes in this release, including:

• [698622] Critical CVE-2017-5055: Use after free in printing. Credit to Wadih Matar
• [699166] High CVE-2017-5054: Heap buffer overflow in V8. Credit to Nicolas Trippar of Zimperium zLabs
• [662767] High CVE-2017-5052: Bad cast in Blink. Credit to JeongHoon Shin
• [705445] High CVE-2017-5056: Use after free in Blink. Credit to anonymous
• [702058] High CVE-2017-5053: Out of bounds memory access in V8. Credit to Team Sniper (Keen Lab and PC Mgr) reported through ZDI (ZDI-CAN-4587)

The phpMyAdmin team reports:

Summary

Bypass $cfg['Servers'][$i]['AllowNoPassword']

Description

A vulnerability was discovered where the restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions. This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default).

This behavior depends on the PHP version used (it seems PHP 5 is affected, while PHP 7.0 is not).

Severity

We consider this vulnerability to be of moderate severity.

Mitigation factor

Set a password for all users.

Samba team reports:

A time-of-check, time-of-use race condition can allow clients to access non-exported parts of the file system via symlinks.

The Xen Project reports:

A privileged user within the guest VM can cause a heap overflow in the device model process, potentially escalating their privileges to that of the device model process.

Jouni Malinen reports:

psk configuration parameter update allowing arbitrary data to be written (2016-1 - CVE-2016-4476/CVE-2016-4477).

Jouni Malinen reports:

wpa_supplicant unauthorized WNM Sleep Mode GTK control. (2015-6 - CVE-2015-5310)

EAP-pwd missing last fragment length validation. (2015-7 - CVE-2015-5315)

EAP-pwd peer error path failure on unexpected Confirm message. (2015-8 - CVE-2015-5316)

The irssi project reports:

Use after free while producing list of netjoins (CWE-416). This issue was found and reported to us by APic. This issue usually leads to segmentation faults. Targeted code execution should be difficult.

The Apache Software Foundation reports:

Important: Remote Code Execution CVE-2016-8735

Important: Information Disclosure CVE-2016-6816

The Apache Software Foundation reports:

When using the NIO connector with sendfile and HTTPS enabled, if a client breaks the connection while reading the response an infinite loop is entered leading to a denial of service.

Mark Thomas reports:

• CVE-2015-5345 Apache Tomcat Directory disclosure

• CVE-2016-0706 Apache Tomcat Security Manager bypass

• CVE-2016-0714 Apache Tomcat Security Manager Bypass

Apache Software Foundation reports:

Low: Denial of Service CVE-2014-0230

When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.

Moderate: Security Manager bypass CVE-2014-7810

Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section.

The Apache Software Foundation reports:

Low: Unrestricted Access to Global Resources CVE-2016-6797

Low: Security Manager Bypass CVE-2016-6796

Low: System Property Disclosure CVE-2016-6794

Low: Security Manager Bypass CVE-2016-5018

Low: Timing Attack CVE-2016-0762

The Mozilla Foundation reports:

An integer overflow in createImageBitmap() was reported through the Pwn2Own contest. The fix for this vulnerability disables the experimental extensions to the createImageBitmap API. This function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.

Openwall reports:

C client library for MySQL (libmysqlclient.so) has use-after-free defect which can cause crash of applications using that MySQL client.

Tomcat Security Team reports:

Tomcat does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

An integer overflow, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.

An integer overflow in parseChunkHeader allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.

The Apache Software Foundation reports:

The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request.

Marina Glancy reports:

In addition to a number of bug fixes and small improvements, security vulnerabilities have been discovered and fixed. We highly recommend that you upgrade your sites as soon as possible. Upgrading should be very straightforward. As per our usual policy, admins of all registered Moodle sites will be notified of security issue details directly via email and we'll publish details more widely in a week.

The Apache Software Foundation reports:

Important: Information Disclosure CVE-2016-8745

The Apache Software Foundation reports:

When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate().

Marina Glancy reports:

• MSA-17-0001: System file inclusion when adding own preset file in Boost theme

• MSA-17-0002: Incorrect sanitation of attributes in forums

• MSA-17-0003: PHPMailer vulnerability in no-reply address

• MSA-17-0004: XSS in assignment submission page

.

Drupal Security Team reports:

CVE-2017-6377: Editor module incorrectly checks access to inline private files

CVE-2017-6379: Some admin paths were not protected with a CSRF token

CVE-2017-6381: Remote code execution

Adobe reports:

• These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2017-2997).
• These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2017-2998, CVE-2017-2999).
• These updates resolve a random number generator vulnerability used for constant blinding that could lead to information disclosure (CVE-2017-3000).
• These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2017-3001, CVE-2017-3002, CVE-2017-3003).

Simon G. Tatham reports:

Many versions of PuTTY prior to 0.68 have a heap-corrupting integer overflow bug in the ssh_agent_channel_data function which processes messages sent by remote SSH clients to a forwarded agent connection. [...]

This bug is only exploitable at all if you have enabled SSH agent forwarding, which is turned off by default. Moreover, an attacker able to exploit this bug would have to have already be able to connect to the Unix-domain socket representing the forwarded agent connection. Since any attacker with that capability would necessarily already be able to generate signatures with your agent's stored private keys, you should in normal circumstances be defended against this vulnerability by the same precautions you and your operating system were already taking to prevent untrusted people from accessing your SSH agent.

Oracle reports:

No further details have been provided in the Critical Patch Update

The Legion of the Bouncy Castle reports:

Release: 1.56

2.1.4 Security Related Changes and CVE's Addressed by this Release: (multiple)

Google Chrome Releases reports:

36 security fixes in this release

Please reference CVE/URL list for details

Janos Follath reports:

• If a malicious peer supplies a certificate with a specially crafted secp224k1 public key, then an attacker can cause the server or client to attempt to free block of memory held on stack. Depending on the platform, this could result in a Denial of Service (client crash) or potentially could be exploited to allow remote code execution with the same privileges as the host application.
• If the client and the server both support MD5 and the client can be tricked to authenticate to a malicious server, then the malicious server can impersonate the client. To launch this man in the middle attack, the adversary has to compute a chosen-prefix MD5 collision in real time. This is very expensive computationally, but can be practical. Depending on the platform, this could result in a Denial of Service (client crash) or potentially could be exploited to allow remote code execution with the same privileges as the host application.
• A bug in the logic of the parsing of a PEM encoded Certificate Revocation List in mbedtls_x509_crl_parse() can result in an infinite loop. In versions before 1.3.10 the same bug results in an infinite recursion stack overflow that usually crashes the application. Methods and means of acquiring the CRLs is not part of the TLS handshake and in the strict TLS setting this vulnerability cannot be triggered remotely. The vulnerability cannot be triggered unless the application explicitly calls mbedtls_x509_crl_parse() or mbedtls_x509_crl_parse_file()on a PEM formatted CRL of untrusted origin. In which case the vulnerability can be exploited to launch a denial of service attack against the application.

Albert Aastals Cid reports:

A maliciously crafted command line for kdesu can result in the user only seeing part of the commands that will actually get executed as super user.

Albert Aastals Cid reports:

A directory traversal issue was found in KTNEF which can be exploited by tricking a user into opening a malicious winmail.dat file. The issue allows to write files with the permission of the user opening the winmail.dat file during extraction.

Albert Astals Cid reports:

Using a malicious PAC file, and then using exfiltration methods in the PAC function FindProxyForURL() enables the attacker to expose full https URLs.

This is a security issue since https URLs may contain sensitive information in the URL authentication part (user:password@host), and in the path and the query (e.g. access tokens).

This attack can be carried out remotely (over the LAN) since proxy settings allow "Detect Proxy Configuration Automatically". This setting uses WPAD to retrieve the PAC file, and an attacker who has access to the victim's LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP) and inject his/her own malicious PAC instead of the legitimate one.

WordPress versions 4.7.2 and earlier are affected by six security issues.

• Cross-site scripting (XSS) via media file metadata.
• Control characters can trick redirect URL validation.
• Unintended files can be deleted by administrators using the plugin deletion functionality.
• Cross-site scripting (XSS) via video URL in YouTube embeds.
• Cross-site scripting (XSS) via taxonomy term names.
• Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.

Mozilla Foundation reports:

Please reference CVE/URL list for details

Mitre reports:

ikiwiki 3.20161219 does not properly check if a revision changes the access permissions for a page on sites with the git and recentchanges plugins and the CGI interface enabled, which allows remote attackers to revert certain changes by leveraging permissions to change the page before the revision was made.

When CGI::FormBuilder->field("foo") is called in list context (and in particular in the arguments to a subroutine that takes named arguments), it can return zero or more values for foo from the CGI request, rather than the expected single value. This breaks the usual Perl parsing convention for named arguments, similar to CVE-2014-1572 in Bugzilla (which was caused by a similar API design issue in CGI.pm).

The CodeIgniter changelog reports:

Fixed an XSS vulnerability in Security Library method xss_clean().

Fixed a possible file inclusion vulnerability in Loader Library method vars().

Fixed a possible remote code execution vulnerability in the Email Library when ?mail? or ?sendmail? are used (thanks to Paul Buonopane from NamePros).

Added protection against timing side-channel attacks in Security Library method csrf_verify().

Added protection against BREACH attacks targeting the CSRF token field generated by Form Helper function form_open().

ikiwiki reports:

The ikiwiki maintainers discovered further flaws similar to CVE-2016-9646 in the passwordauth plugin's use of CGI::FormBuilder, with a more serious impact:

An attacker who can log in to a site with a password can log in as a different and potentially more privileged user.

An attacker who can create a new account can set arbitrary fields in the user database for that account

Peter Bex reports:

A buffer overflow error was found in the POSIX unit's procedures process-execute and process-spawn.

Additionally, a memory leak existed in this code, which would be triggered when an error is raised during argument and environment processing.

Irregex versions before 0.9.6 contain a resource exhaustion vulnerability: when compiling deeply nested regexes containing the "+" operator due to exponential expansion behaviour.

potrace reports:

CVE-2016-8685: invalid memory access in findnext

CVE-2016-8686: memory allocation failure

The MPD project reports:

httpd: fix two buffer overflows in IcyMetaData length calculation

Problem Description:

Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.

Impact:

A remote attacker who can initiate handshakes with an OpenSSL based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack.

The cURL project reports:

SSL_VERIFYSTATUS ignored

curl and libcurl support "OCSP stapling", also known as the TLS Certificate Status Request extension (using the CURLOPT_SSL_VERIFYSTATUS option). When telling curl to use this feature, it uses that TLS extension to ask for a fresh proof of the server's certificate's validity. If the server doesn't support the extension, or fails to provide said proof, curl is expected to return an error.

Due to a coding mistake, the code that checks for a test success or failure, ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. Contrary to how it used to function and contrary to how this feature is documented to work.

This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality.

The Xen Project reports:

In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo fails to check whether the specified memory region is safe. A malicious guest administrator can cause an out of bounds memory write, very likely exploitable as a privilege escalation.

Alan Somers reports:

The web site used by this port, http://fbsdmon.org, has been taken over by cybersquatters. That means that users are sending their system info to an unknown party.

Debian Security Team reports:

Andrew Bartlett of Catalyst reported a defect affecting certain applications using the Libevent evbuffer API. This defect leaves applications which pass insanely large inputs to evbuffers open to a possible heap overflow or infinite loop. In order to exploit this flaw, an attacker needs to be able to find a way to provoke the program into trying to make a buffer chunk larger than what will fit into a single size_t or off_t.

David Bryant reports:

global buffer overread in read_code / read_words.c

heap out of bounds read in WriteCaffHeader / caff.c

heap out of bounds read in unreorder_channels / wvunpack.c

heap oob read in read_new_config_info / open_utils.c

Ximin Luo reports:

[v67] introduced a security hole where diffoscope may write to arbitrary locations on disk depending on the contents of an untrusted archive.

The OpenSSL project reports:

Severity: High

During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected.

This issue does not affect OpenSSL version 1.0.2.

ifread.c in gif2png, as used in OptiPNG before 0.7.6, allows remote attackers to cause a denial of service (uninitialized memory read) via a crafted GIF file.

The bmp_read_rows function in pngxtern/pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (invalid memory write and crash) via a series of delta escapes in a crafted BMP image.

Heap-based buffer overflow in the bmp_read_rows function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file.

Off-by-one error in the bmp_rle4_fread function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file, which triggers a heap-based buffer overflow.

Daniel P. Berrange reports:

CVE-2017-5884 - fix bounds checking for RRE, hextile and copyrect encodings

CVE-2017-5885 - fix color map index bounds checking.

The Xen Project reports:

When doing bitblt copy backwards, qemu should negate the blit width. This avoids an oob access before the start of video memory.

A malicious guest administrator can cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation.

The cURL project reports:

libcurl will reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer.

libtiff project reports:

Multiple flaws have been discovered in libtiff library and utilities.

wdollman reports:

The value of the view_type parameter on the view_all_bug_page.php page is not encoded before being displayed on the page.

Mortiz Bunkus reports:

Multiple invalid memory accesses vulnerabilities.

Ludovic Courtès reports:

The REPL server is vulnerable to the HTTP inter-protocol attack

The ?mkdir? procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process? umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions.

Jens Georg reports:

I have just released Shotwell 0.24.5 and 0.25.4 which turn on HTTPS encryption all over the publishing plugins.

Users using Tumblr and Yandex.Fotki publishing are strongly advised to change their passwords and reauthenticate Shotwell to those services after upgrade.

Users of Picasa and Youtube publishing are strongly advised to reauthenticate (Log out and back in) Shotwell to those services after upgrade.

Jenkins Security Advisory:

Please reference CVE/URL list for details

Aaron D. Campbell reports:

WordPress versions 4.7.1 and earlier are affected by three security issues:

• The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it.
• WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we?ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.
• A cross-site scripting (XSS) vulnerability was discovered in the posts list table.
• An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.

Peter Haag reports:

A remote attacker with access to the web interface to execute arbitrary commands on the host operating system.

Google Chrome Releases reports:

51 security fixes in this release

Please reference CVE/URL list for details

The phpMyAdmin development team reports:

Open redirect

php-gettext code execution

DOS vulnerability in table editing

CSS injection in themes

Cookie attribute injection attack

SSRF in replication

DOS in replication status

Mozilla Foundation reports:

Please reference CVE/URL list for details

Intel Corporation reports:

A security vulnerability in the Intel(R) Ethernet Controller X710 and Intel(R) Ethernet Controller XL710 family of products (Fortville) has been found in the Non-Volatile Flash Memory (NVM) image.

The PHP project reports:

The PHP development team announces the immediate availability of PHP 7.0.15. This is a security release. Several security bugs were fixed in this release.

The PHP development team announces the immediate availability of PHP 5.6.30. This is a security release. Several security bugs were fixed in this release.

Choongwoo Han reports:

An exploitable crash exists in the wrestool utility on 64-bit systems where the result of subtracting two pointers exceeds the size of int.

PowerDNS reports:

2016-02: Crafted queries can cause abnormal CPU usage

2016-03: Denial of service via the web server

2016-04: Insufficient validation of TSIG signatures

2016-05: Crafted zone record can cause a denial of service

Irssi reports:

Five vulnerabilities have been located in Irssi

• A NULL pointer dereference in the nickcmp function found by Joseph Bisch. (CWE-690)
• Use after free when receiving invalid nick message (Issue #466, CWE-146)
• Out of bounds read in certain incomplete control codes found by Joseph Bisch. (CWE-126)
• Out of bounds read in certain incomplete character sequences found by Hanno Böck and independently by J. Bisch. (CWE-126)
• Out of bounds read when Printing the value '%['. Found by Hanno Böck. (CWE-126)

These issues may result in denial of service (remote crash).

The Apache Groovy project reports:

When an application with Groovy on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. This is similar to CVE-2015-3253 but this exploit involves extra wrapping of objects and catching of exceptions which are now safe guarded against.

Pivotal.io reports:

MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.

Aaron D. Campbell reports:

WordPress versions 4.7 and earlier are affected by eight security issues...

Oracle reports:

Local security vulnerability in 'Server: Packaging' sub component.

The MySQL project reports:

• CVE-2016-3492: Remote security vulnerability in 'Server: Optimizer' sub component.
• CVE-2016-5616, CVE-2016-6663: Race condition allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table.
• CVE-2016-5617, CVE-2016-6664: mysqld_safe, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.
• CVE-2016-5624: Remote security vulnerability in 'Server: DML' sub component.
• CVE-2016-5626: Remote security vulnerability in 'Server: GIS' sub component.
• CVE-2016-5629: Remote security vulnerability in 'Server: Federated' sub component.
• CVE-2016-8283: Remote security vulnerability in 'Server: Types' sub component.

Problem Description:

The ssh-agent(1) agent supports loading a PKCS#11 module from outside a trusted whitelist. An attacker can request loading of a PKCS#11 module across forwarded agent-socket. [CVE-2016-10009]

When privilege separation is disabled, forwarded Unix domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. [CVE-2016-10010]

Impact:

A remote attacker who have control of a forwarded agent-socket on a remote system and have the ability to write files on the system running ssh-agent(1) agent can run arbitrary code under the same user credential. Because the attacker must already have some control on both systems, it is relatively hard to exploit this vulnerability in a practical attack. [CVE-2016-10009]

When privilege separation is disabled (on FreeBSD, privilege separation is enabled by default and has to be explicitly disabled), an authenticated attacker can potentially gain root privileges on systems running OpenSSH server. [CVE-2016-10010]

SecurityFocus reports:

PHPMailer is prone to an local information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.

Computest reports:

Computest found and exploited several issues that allow a compromised host to execute commands on the Ansible controller and thus gain access to other hosts controlled by that controller.

ISC reports:

A malformed query response received by a recursive server in response to a query of RTYPE ANY could trigger an assertion failure while named is attempting to add the RRs in the query response to the cache.

Depending on the type of query and the EDNS options in the query they receive, DNSSEC-enabled authoritative servers are expected to include RRSIG and other RRsets in their responses to recursive servers. DNSSEC-validating servers will also make specific queries for DS and other RRsets. Whether DNSSEC-validating or not, an error in processing malformed query responses that contain DNSSEC-related RRsets that are inconsistent with other RRsets in the same query response can trigger an assertion failure. Although the combination of properties which triggers the assertion should not occur in normal traffic, it is potentially possible for the assertion to be triggered deliberately by an attacker sending a specially-constructed answer.

An unusually-formed answer containing a DS resource record could trigger an assertion failure. While the combination of properties which triggers the assertion should not occur in normal traffic, it is potentially possible for the assertion to be triggered deliberately by an attacker sending a specially-constructed answer having the required properties.

An error in handling certain queries can cause an assertion failure when a server is using the nxdomain-redirect feature to cover a zone for which it is also providing authoritative service. A vulnerable server could be intentionally stopped by an attacker if it was using a configuration that met the criteria for the vulnerability and if the attacker could cause it to accept a query that possessed the required attributes.

Adobe reports:

These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2017-2938).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2017-2932, CVE-2017-2936, CVE-2017-2937).

These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2017-2927, CVE-2017-2933, CVE-2017-2934, CVE-2017-2935).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2017-2925, CVE-2017-2926, CVE-2017-2928, CVE-2017-2930, CVE-2017-2931).

Cesar Pereida Garcia reports:

The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion. A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in the BN_mod_inverse method and therefore resulting in a cache-timing attack vulnerability.

A malicious user with local access can recover ECDSA P-256 private keys.

Peter Wu on Openwall mailing-list reports:

The issue allows a local attacker to cause a Denial of Service, but can potentially result in Privilege Escalation since the daemon is running as root. while any local user can connect to the Unix socket. Fixed by patch which is released with hpcsc-lite 1.8.20.

Oracle reports:

Lynx is vulnerable to POODLE by still supporting vulnerable version of SSL. Lynx is also vulnerable to URL attacks by incorrectly parsing hostnames ending with an '?'.

The GnuTLS project reports:

• It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted OpenPGP certificate could lead to heap and stack overflows. (GNUTLS-SA-2017-2)
• It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted X.509 certificate with Proxy Certificate Information extension present could lead to a double free. (GNUTLS-SA-2017-1)

libvnc server reports:

Two unrelated buffer overflows can be used by a malicious server to overwrite parts of the heap and crash the client (or possibly execute arbitrary code).

Christian Rebischke reports:

libdwarf is vulnerable to multiple issues including arbitrary code execution, information disclosure and denial of service.

Talos Security reports:

• CVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability

• CVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability

• CVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability

• CVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability

Thomas Waldmann reports:

• fix XSS in AttachFile view (multifile related) CVE-2016-7148

• fix XSS in GUI editor's attachment dialogue CVE-2016-7146

• fix XSS in GUI editor's link dialogue CVE-2016-9119

Multiple remote code execution and denial of service conditions present.

The CodeIgniter changelog reports:

Fixed a number of new vulnerabilities in Security Library method xss_clean().

The CodeIgniter changelog reports:

Fixed an SQL injection in the ?odbc? database driver.

Updated set_realpath() Path Helper function to filter-out php:// wrapper inputs.

These packages have reached End of Life status and/or have been removed from the Ports Tree. They may contain undocumented security issues. Please take caution and find alternative software as soon as possible.

Check Point reports:

... discovered 3 fresh and previously unknown vulnerabilities (CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7 unserialize mechanism.

The first two vulnerabilities allow attackers to take full control over servers, allowing them to do anything they want with the website, from spreading malware to defacing it or stealing customer data.

The last vulnerability generates a Denial of Service attack which basically hangs the website, exhausts its memory consumption, and shuts it down.

The PHP security team issued fixes for two of the vulnerabilities on the 13th of October and 1st of December.

The PHP project reports:

• Use After Free Vulnerability in unserialize() (CVE-2016-9936)
• Invalid read when wddx decodes empty boolean element (CVE-2016-9935)

Kazuho Oku reports:

A use-after-free vulnerability exists in H2O up to and including version 2.0.4 / 2.1.0-beta3 that can be used by a remote attacker to mount DoS attacks and / or information theft.

Legal Hackers reports:

An independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.

To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.

The first patch of the vulnerability CVE-2016-10033 was incomplete. This advisory demonstrates the bypass of the patch. The bypass allows to carry out Remote Code Execution on all current versions (including 5.2.19).

Matthew Garett reports:

Reported this to upstream 8 months ago without response, so: libupnp's default behaviour allows anyone to write to your filesystem. Seriously. Find a device running a libupnp based server (Shodan says there's rather a lot), and POST a file to /testfile. Then GET /testfile ... and yeah if the server is running as root (it is) and is using / as the web root (probably not, but maybe) this gives full host fs access.

Scott Tenaglia reports:

There is a heap buffer overflow vulnerability in the create_url_list function in upnp/src/gena/gena_device.c.

Legal Hackers reports:

An independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.

To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.

Samba team reports:

[CVE-2016-2123] Authenticated users can supply malicious dnsRecord attributes on DNS objects and trigger a controlled memory corruption.

[CVE-2016-2125] Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service.

[CVE-2016-2126] A remote, authenticated, attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.

The Exim project reports:

Exim leaks the private DKIM signing key to the log files. Additionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used, the key material is included in the bounce message.

Project curl Security Advisory:

libcurl's (new) internal function that returns a good 32bit random value was implemented poorly and overwrote the pointer instead of writing the value into the buffer the pointer pointed to.

This random value is used to generate nonces for Digest and NTLM authentication, for generating boundary strings in HTTP formposts and more. Having a weak or virtually non-existent random there makes these operations vulnerable.

This function is brand new in 7.52.0 and is the result of an overhaul to make sure libcurl uses strong random as much as possible - provided by the backend TLS crypto libraries when present. The faulty function was introduced in this commit.

We are not aware of any exploit of this flaw.

Squid security advisory 2016:10 reports:

Due to incorrect comparison of request headers Squid can deliver responses containing private data to clients it should not have reached.

This problem allows a remote attacker to discover private and sensitive information about another clients browsing session. Potentially including credentials which allow access to further sensitive resources. This problem only affects Squid configured to use the Collapsed Forwarding feature. It is of particular importance for HTTPS reverse-proxy sites with Collapsed Forwarding.

Squid security advisory 2016:11 reports:

Due to incorrect HTTP conditional request handling Squid can deliver responses containing private data to clients it should not have reached.

This problem allows a remote attacker to discover private and sensitive information about another clients browsing session. Potentially including credentials which allow access to further sensitive resources..

Mitre reports:

vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.

The Xen Project reports:

Certain PV guest kernel operations (page table writes in particular) need emulation, and use Xen's general x86 instruction emulator. This allows a malicious guest kernel which asynchronously modifies its instruction stream to effect the clearing of EFLAGS.IF from the state used to return to guest context.

A malicious guest kernel administrator can cause a host hang or crash, resulting in a Denial of Service.

The cURL project reports:

printf floating point buffer overflow

libcurl's implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes.

The JSST and the Joomla! Security Center report:

[20161201] - Core - Elevated Privileges

Incorrect use of unfiltered data stored to the session on a form validation failure allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.

[20161202] - Core - Shell Upload

Inadequate filesystem checks allowed files with alternative PHP file extensions to be uploaded.

[20161203] - Core - Information Disclosure

Inadequate ACL checks in the Beez3 com_content article layout override enables a user to view restricted content.

Apache Software Foundation reports:

Please reference CVE/URL list for details

The JSST and the Joomla! Security Center report:

[20161001] - Core - Account Creation

Inadequate checks allows for users to register on a site when registration has been disabled.

[20161002] - Core - Elevated Privilege

Incorrect use of unfiltered data allows for users to register on a site with elevated privileges.

[20161003] - Core - Account Modifications

Incorrect use of unfiltered data allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.

The JSST and the Joomla! Security Center report:

[20151201] - Core - Remote Code Execution Vulnerability

Browser information is not filtered properly while saving the session values into the database which leads to a Remote Code Execution vulnerability.

[20151202] - Core - CSRF Hardening

Add additional CSRF hardening in com_templates.

[20151203] - Core - Directory Traversal

Failure to properly sanitize input data from the XML install file located within an extension's package archive allows for directory traversal.

[20151204] - Core - Directory Traversal

Inadequate filtering of request data leads to a Directory Traversal vulnerability.

The JSST and the Joomla! Security Center report:

[20151206] - Core - Session Hardening

The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fixed by PHP in September of 2015 with the releases of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all versions of PHP 7 and has been back-ported in some specific Linux LTS versions of PHP 5.3). This fixes the bug across all supported PHP versions.

[20151207] - Core - SQL Injection

Inadequate filtering of request data leads to a SQL Injection vulnerability.

Netsparker reports:

Proof of Concept URL for XSS in Pligg CMS:

Page: groups.php

Parameter Name: keyword

Parameter Type: GET

Attack Pattern: http://example.com/pligg-cms-2.0.2/groups.php?view=search&keyword='+alert(0x000D82)+'

For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).

The JSST and the Joomla! Security Center report:

[20160801] - Core - ACL Violation

Inadequate ACL checks in com_content provide potential read access to data which should be access restricted to users with edit_own level.

[20160802] - Core - XSS Vulnerability

Inadequate escaping leads to XSS vulnerability in mail component.

[20160803] - Core - CSRF

Add additional CSRF hardening in com_joomlaupdate.

Problem Description:

Multiple vulnerabilities have been discovered in the NTP suite:

CVE-2016-9311: Trap crash, Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS vector. Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-7427: Broadcast Mode Replay Prevention DoS. Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS. Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass. Reported by Sharon Goldberg and Aanchal Malhotra of Boston University.

CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal(). Reported by Magnus Stubman.

CVE-2016-7426: Client rate limiting and server responses. Reported by Miroslav Lichvar of Red Hat.

CVE-2016-7433: Reboot sync calculation problem. Reported independently by Brian Utterback of Oracle, and by Sharon Goldberg and Aanchal Malhotra of Boston University.

Impact:

A remote attacker who can send a specially crafted packet to cause a NULL pointer dereference that will crash ntpd, resulting in a Denial of Service. [CVE-2016-9311]

An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, "restrict default noquery ..." is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring by an attacker from remote. [CVE-2016-9310]

An attacker with access to the NTP broadcast domain can periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers. [CVE-2016-7427]

An attacker with access to the NTP broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers. [CVE-2016-7428]

Origin timestamp problems were fixed in ntp 4.2.8p6. However, subsequent timestamp validation checks introduced a regression in the handling of some Zero origin timestamp checks. [CVE-2016-7431]

If ntpd is configured to allow mrulist query requests from a server that sends a crafted malicious packet, ntpd will crash on receipt of that crafted malicious mrulist query packet. [CVE-2016-7434]

An attacker who knows the sources (e.g., from an IPv4 refid in server response) and knows the system is (mis)configured in this way can periodically send packets with spoofed source address to keep the rate limiting activated and prevent ntpd from accepting valid responses from its sources. [CVE-2016-7426]

Ntp Bug 2085 described a condition where the root delay was included twice, causing the jitter value to be higher than expected. Due to a misinterpretation of a small-print variable in The Book, the fix for this problem was incorrect, resulting in a root distance that did not include the peer dispersion. The calculations and formulas have been reviewed and reconciled, and the code has been updated accordingly. [CVE-2016-7433]

The OpenSSL team reports:

Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key.

The Xen Project reports:

The typical behaviour of singlestepping exceptions is determined at the start of the instruction, with a #DB trap being raised at the end of the instruction. SYSCALL (and SYSRET, although we don't implement it) behave differently because the typical behaviour allows userspace to escalate its privilege. (This difference in behaviour seems to be undocumented.) Xen wrongly raised the exception based on the flags at the start of the instruction.

Guest userspace which can invoke the instruction emulator can use this flaw to escalate its privilege to that of the guest kernel.

The Mozilla Foundation reports:

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.

Mitre reports:

modules/chanserv/flags.c in Atheme before 7.2.7 allows remote attackers to modify the Anope FLAGS behavior by registering and dropping the (1) LIST, (2) CLEAR, or (3) MODIFY keyword nicks.

Buffer overflow in the xmlrpc_char_encode function in modules/transport/xmlrpc/xmlrpclib.c in Atheme before 7.2.7 allows remote attackers to cause a denial of service via vectors related to XMLRPC response encoding.

The Roundcube project reports

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.

Mozilla Foundation reports:

CVE-2016-9894: Buffer overflow in SkiaGL

CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements

CVE-2016-9895: CSP bypass using marquee tag

CVE-2016-9896: Use-after-free with WebVR

CVE-2016-9897: Memory corruption in libGLES

CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees

CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs

CVE-2016-9904: Cross-origin information leak in shared atoms

CVE-2016-9901: Data from Pocket server improperly sanitized before execution

CVE-2016-9902: Pocket extension does not validate the origin of events

CVE-2016-9903: XSS injection vulnerability in add-ons SDK

CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1

CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6

Jeremy Felt reports:

WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.

The Xen Project reports:

The x86 instruction CMPXCHG8B is supposed to ignore legacy operand size overrides; it only honors the REX.W override (making it CMPXCHG16B). So, the operand size is always 8 or 16. When support for CMPXCHG16B emulation was added to the instruction emulator, this restriction on the set of possible operand sizes was relied on in some parts of the emulation; but a wrong, fully general, operand size value was used for other parts of the emulation. As a result, if a guest uses a supposedly-ignored operand size prefix, a small amount of hypervisor stack data is leaked to the guests: a 96 bit leak to guests running in 64-bit mode; or, a 32 bit leak to other guests.

A malicious unprivileged guest may be able to obtain sensitive information from the host.

The PHP project reports:

This is a security release. Several security bugs were fixed in this release.

The Asterisk project reports:

If an SDP offer or answer is received with the Opus codec and with the format parameters separated using a space the code responsible for parsing will recursively call itself until it crashes. This occurs as the code does not properly handle spaces separating the parameters. This does NOT require the endpoint to have Opus configured in Asterisk. This also does not require the endpoint to be authenticated. If guest is enabled for chan_sip or anonymous in chan_pjsip an SDP offer or answer is still processed and the crash occurs.

The Asterisk project reports:

The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace.

This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication.

If you do not use a proxy for authentication, then this issue does not affect you.

If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you.

If you use chan_pjsip instead of chan_sip, then this issue does not affect you.

Problem Description:

A specially crafted argument can trigger a static buffer overflow in the library, with possibility to rewrite following static buffers that belong to other library functions.

Impact:

Due to very limited use of the function in the existing applications, and limited length of the overflow, exploitation of the vulnerability does not seem feasible. None of the utilities and daemons in the base system are known to be vulnerable. However, careful review of third party software that may use the function was not performed.

Daniel P. Berrange reports:

The VNC server websockets decoder will read and buffer data from websockets clients until it sees the end of the HTTP headers, as indicated by \r\n\r\n. In theory this allows a malicious to trick QEMU into consuming an arbitrary amount of RAM.

mod_http2 reports:

The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply limitations on request headers correctly when experimental module for the HTTP/2 protocol is used to access a resource.

The net result is that a the server allocates too much memory instead of denying the request. This can lead to memory exhaustion of the server by a properly crafted request.

Problem Description:

An unexpected sequence of memory allocation failures combined with insufficient error checking could result in the construction and execution of an argument sequence that was not intended.

Impact:

An attacker who controls the sequence of memory allocation failures and success may cause login(1) to run without authentication and may be able to cause misbehavior of login(1) replacements.

No practical way of controlling these memory allocation failures is known at this time.

Alex Gaynor reports:

Fixed a bug where ``HKDF`` would return an empty byte-string if used with a ``length`` less than ``algorithm.digest_size``.

Problem Description:

The bounds checking of accesses to guest memory greater than 4GB by device emulations is subject to integer overflow.

Impact:

For a bhyve virtual machine with more than 3GB of guest memory configured, a malicious guest could craft device descriptors that could give it access to the heap of the bhyve process. Since the bhyve process is running as root, this may allow guests to obtain full control of the hosts they're running on.

Multiple sources report:

CVE-2015-2141: The InvertibleRWFunction::CalculateInverse function in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key operations for the Rabin-Williams digital signature algorithm, which allows remote attackers to obtain private keys via a timing attack. Fixed in 5.6.3.

CVE-2016-3995: Incorrect implementation of Rijndael timing attack countermeasure. Fixed in 5.6.4.

CVE-2016-7420: Library built without -DNDEBUG could egress sensitive information to the filesystem via a core dump if an assert was triggered. Fixed in 5.6.5.

Google Chrome Releases reports:

36 security fixes in this release

Please reference CVE/URL list for details

Bastien Roucaries reports:

Imagemagick before 3cbfb163cff9e5b8cdeace8312e9bfee810ed02b suffer from a heap overflow in WaveletDenoiseImage(). This problem is easily trigerrable from a Perl script.

The Xen Project reports:

On real hardware, a 32-bit PAE guest must leave the USER and RW bit clear in L3 pagetable entries, but the pagetable walk behaves as if they were set. (The L3 entries are cached in processor registers, and don't actually form part of the pagewalk.)

When running a 32-bit PV guest on a 64-bit Xen, Xen must always OR in the USER and RW bits for L3 updates for the guest to observe architectural behaviour. This is unsafe in combination with recursive pagetables.

As there is no way to construct an L3 recursive pagetable in native 32-bit PAE mode, disallow this option in 32-bit PV guests.

A malicious 32-bit PV guest administrator can escalate their privilege to that of the host.

The Xen Project reports:

When emulating HVM instructions, Xen uses a small i-cache for fetches from guest memory. The code that handles cache misses does not check if the address from which it fetched lies within the cache before blindly writing to it. As such it is possible for the guest to overwrite hypervisor memory.

It is currently believed that the only way to trigger this bug is to use the way that Xen currently incorrectly wraps CS:IP in 16 bit modes. The included patch prevents such wrapping.

A malicious HVM guest administrator can escalate their privilege to that of the host.

The Xen Project reports:

x86 HVM guests running with shadow paging use a subset of the x86 emulator to handle the guest writing to its own pagetables. There are situations a guest can provoke which result in exceeding the space allocated for internal state.

A malicious HVM guest administrator can cause Xen to fail a bug check, causing a denial of service to the host.

The Xen Project reports:

When the EVTCHNOP_init_control operation is called with a bad guest frame number, it takes an error path which frees a control structure without also clearing the corresponding pointer. Certain subsequent operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control), upon finding the non-NULL pointer, continue operation assuming it points to allocated memory.

A malicious guest administrator can crash the host, leading to a DoS. Arbitrary code execution (and therefore privilege escalation), and information leaks, cannot be excluded.

The Xen Project reports:

Instructions touching FPU, MMX, or XMM registers are required to raise a Device Not Available Exception (#NM) when either CR0.EM or CR0.TS are set. (Their AVX or AVX-512 extensions would consider only CR0.TS.) While during normal operation this is ensured by the hardware, if a guest modifies instructions while the hypervisor is preparing to emulate them, the #NM delivery could be missed.

Guest code in one task may thus (unintentionally or maliciously) read or modify register state belonging to another task in the same VM.

A malicious unprivileged guest user may be able to obtain or corrupt sensitive information (including cryptographic material) in other programs in the same guest.

The Xen Project reports:

The Xen x86 emulator erroneously failed to consider the unusability of segments when performing memory accesses.

The intended behaviour is as follows: The user data segment (%ds, %es, %fs and %gs) selectors may be NULL in 32-bit to prevent access. In 64-bit, NULL has a special meaning for user segments, and there is no way of preventing access. However, in both 32-bit and 64-bit, a NULL LDT system segment is intended to prevent access.

On Intel hardware, loading a NULL selector zeros the base as well as most attributes, but sets the limit field to its largest possible value. On AMD hardware, loading a NULL selector zeros the attributes, leaving the stale base and limit intact.

Xen may erroneously permit the access using unexpected base/limit values.

Ability to exploit this vulnerability on Intel is easy, but on AMD depends in a complicated way on how the guest kernel manages LDTs.

An unprivileged guest user program may be able to elevate its privilege to that of the guest operating system.

The Xen Project reports:

LDTR, just like TR, is purely a protected mode facility. Hence even when switching to a VM86 mode task, LDTR loading needs to follow protected mode semantics. This was violated by the code.

On SVM (AMD hardware): a malicious unprivileged guest process can escalate its privilege to that of the guest operating system.

On both SVM and VMX (Intel hardware): a malicious unprivileged guest process can crash the guest.

The Xen Project reports:

Both writes to the FS and GS register base MSRs as well as the WRFSBASE and WRGSBASE instructions require their input values to be canonical, or a #GP fault will be raised. When the use of those instructions by the hypervisor was enabled, the previous guard against #GP faults (having recovery code attached) was accidentally removed.

A malicious guest administrator can crash the host, leading to a DoS.

The Xen Project reports:

Along with their main kernel binary, unprivileged guests may arrange to have their Xen environment load (kernel) symbol tables for their use. The ELF image metadata created for this purpose has a few unused bytes when the symbol table binary is in 32-bit ELF format. These unused bytes were not properly cleared during symbol table loading.

A malicious unprivileged guest may be able to obtain sensitive information from the host.

The information leak is small and not under the control of the guest, so effectively exploiting this vulnerability is probably difficult.

The Xen Project reports:

The x86 instructions BT, BTC, BTR, and BTS, when used with a destination memory operand and a source register rather than an immediate operand, access a memory location offset from that specified by the memory operand as specified by the high bits of the register source.

A malicious guest can modify arbitrary memory, allowing for arbitrary code execution (and therefore privilege escalation affecting the whole host), a crash of the host (leading to a DoS), or information leaks. The vulnerability is sometimes exploitable by unprivileged guest user processes.

The Xen Project reports:

The compiler can emit optimizations in qemu which can lead to double fetch vulnerabilities. Specifically data on the rings shared between qemu and the hypervisor (which the guest under control can obtain mappings of) can be fetched twice (during which time the guest can alter the contents) possibly leading to arbitrary code execution in qemu.

Malicious administrators can exploit this vulnerability to take over the qemu process, elevating its privilege to that of the qemu process.

In a system not using a device model stub domain (or other techniques for deprivileging qemu), malicious guest administrators can thus elevate their privilege to that of the host.

The Xen Project reports:

pygrub, the boot loader emulator, fails to quote (or sanity check) its results when reporting them to its caller.

A malicious guest administrator can obtain the contents of sensitive host files (an information leak). Additionally, a malicious guest administrator can cause files on the host to be removed, causing a denial of service. In some unusual host configurations, ability to remove certain files may be usable for privilege escalation.

Pillow reports:

Pillow prior to 3.3.2 may experience integer overflow errors in map.c when reading specially crafted image files. This may lead to memory disclosure or corruption.

Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for negative image sizes in ImagingNew in Storage.c. A negative image size can lead to a smaller allocation than expected, leading to arbi trary writes.

Multiple sources report:

CVE-2016-9298: heap overflow in WaveletDenoiseImage(), fixed in ImageMagick7-7.0.3.6, discovered 2016-10-31

CVE-2016-8866: memory allocation failure in AcquireMagickMemory (incomplete previous fix for CVE-2016-8862), not fixed yet with the release of this announcement, re-discovered 2016-10-13.

CVE-2016-8862: memory allocation failure in AcquireMagickMemory, initially partially fixed in ImageMagick7-7.0.3.3, discovered 2016-09-14.

Wireshark project reports:

Wireshark project is releasing Wireshark 2.2.2, which addresses:

• wnpa-sec-2016-58: Profinet I/O long loop - CVE-2016-9372
• wnpa-sec-2016-59: AllJoyn crash - CVE-2016-9374
• wnpa-sec-2016-60: OpenFlow crash - CVE-2016-9376
• wnpa-sec-2016-61: DCERPC crash - CVE-2016-9373
• wnpa-sec-2016-62: DTN infinite loop - CVE-2016-9375

Dawid Golunski reports:

GNU wget in version 1.17 and earlier, when used in mirroring/recursive mode, is affected by a Race Condition vulnerability that might allow remote attackers to bypass intended wget access list restrictions specified with -A parameter.

MITRE reports:

A null pointer dereference bug affects the 16.02 and many old versions of p7zip. A lack of null pointer check for the variable folders.PackPositions in function CInArchive::ReadAndDecodePackedStreams, as used in the 7z.so library and in 7z applications, will cause a crash and a denial of service when decoding malformed 7z files.

Gustavo Grieco reports:

The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.

Werner Koch reports:

There was a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions.

Adam Maris reports:

It was found that original patch for issues CVE-2015-1283 and CVE-2015-2716 used overflow checks that could be optimized out by some compilers applying certain optimization settings, which can cause the vulnerability to remain even after applying the patch.

Mitre reports:

The HTBoundary_put_block function in HTBound.c for W3C libwww (w3c-libwww) allows remote servers to cause a denial of service (segmentation fault) via a crafted multipart/byteranges MIME message that triggers an out-of-bounds read.

The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.

The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.

The Apache Software Foundation reports:

The mod_dontdothat module of subversion and subversion clients using http(s):// are vulnerable to a denial-of-service attack, caused by exponential XML entity expansion. The attack targets XML parsers causing targeted process to consume excessive amounts of resources. The attack is also known as the "billions of laughs attack."

The Mozilla Foundation reports:

Redirection from an HTTP connection to a data: URL assigns the referring site's origin to the data: URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them.

The Drupal development team reports:

Inconsistent name for term access query (Less critical - Drupal 7 and Drupal 8)

Drupal provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing hook_query_alter() or hook_query_TAG_alter() in order to add additional conditions. Queries can be distinguished by means of query tags. As the documentation on EntityFieldQuery::addTag() suggests, access-tags on entity queries normally follow the form ENTITY_TYPE_access (e.g. node_access). However, the taxonomy module's access query tag predated this system and used term_access as the query tag instead of taxonomy_term_access.

As a result, before this security release modules wishing to restrict access to taxonomy terms may have implemented an unsupported tag, or needed to look for both tags (term_access and taxonomy_term_access) in order to be compatible with queries generated both by Drupal core as well as those generated by contributed modules like Entity Reference. Otherwise information on taxonomy terms might have been disclosed to unprivileged users.

Incorrect cache context on password reset page (Less critical - Drupal 8)

The user password reset form does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page.

Confirmation forms allow external URLs to be injected (Moderately critical - Drupal 7)

Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a 3rd party website after interacting with the form, thereby exposing the users to potential social engineering attacks.

Denial of service via transliterate mechanism (Moderately critical - Drupal 8)

A specially crafted URL can cause a denial of service via the transliterate mechanism.