MySQL Multiple Flaws Let Remote Authenticated Users Access and
Modify Data, Remote and Local Users Deny Service, and Local Users
Access Data and Gain Elevated Privileges
A local user can exploit a flaw in the Replication component
to gain elevated privileges [CVE-2018-2755].
A remote authenticated user can exploit a flaw in the GIS
Extension component to cause denial of service conditions
[CVE-2018-2805].
A remote authenticated user can exploit a flaw in the InnoDB
component to cause denial of service conditions [CVE-2018-2782,
CVE-2018-2784, CVE-2018-2819].
A remote authenticated user can exploit a flaw in the Security
Privileges component to cause denial of service conditions
[CVE-2018-2758, CVE-2018-2818].
A remote authenticated user can exploit a flaw in the DDL
component to cause denial of service conditions
[CVE-2018-2817].
A remote authenticated user can exploit a flaw in the Optimizer
component to cause denial of service conditions [CVE-2018-2775,
CVE-2018-2778, CVE-2018-2779, CVE-2018-2780, CVE-2018-2781,
CVE-2018-2816].
A remote user can exploit a flaw in the Client programs
component to cause denial of service conditions [CVE-2018-2761,
CVE-2018-2773].
A remote authenticated user can exploit a flaw in the InnoDB
component to partially modify data and cause denial of service
conditions [CVE-2018-2786, CVE-2018-2787].
A remote authenticated user can exploit a flaw in the Optimizer
component to partially modify data and cause denial of service
conditions [CVE-2018-2812].
A local user can exploit a flaw in the Cluster ndbcluster/plugin
component to cause denial of service conditions [CVE-2018-2877].
A remote authenticated user can exploit a flaw in the InnoDB
component to cause denial of service conditions [CVE-2018-2759,
CVE-2018-2766, CVE-2018-2777, CVE-2018-2810].
A remote authenticated user can exploit a flaw in the DML
component to cause denial of service conditions [CVE-2018-2839].
A remote authenticated user can exploit a flaw in the
Performance Schema component to cause denial of service conditions
[CVE-2018-2846].
A remote authenticated user can exploit a flaw in the Pluggable
Auth component to cause denial of service conditions
[CVE-2018-2769].
A remote authenticated user can exploit a flaw in the Group
Replication GCS component to cause denial of service conditions
[CVE-2018-2776].
A local user can exploit a flaw in the Connection component to
cause denial of service conditions [CVE-2018-2762].
A remote authenticated user can exploit a flaw in the Locking
component to cause denial of service conditions [CVE-2018-2771].
A remote authenticated user can exploit a flaw in the DDL
component to partially access data [CVE-2018-2813].
CKEditor, a third-party JavaScript library included in Drupal
core, has fixed a cross-site scripting (XSS) vulnerability. The
vulnerability stemmed from the fact that it was possible to execute
XSS inside CKEditor when using the image2 plugin (which Drupal 8
core also uses).
The OpenSSL RSA Key generation algorithm has been shown to be
vulnerable to a cache timing side channel attack. An attacker
with sufficient access to mount cache timing attacks during the
RSA key generation process could recover the private key.
CVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6,
and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because
of an issue affecting multiple subsystems with default or common module configurations.
The ipsec-tools racoon daemon contains a remotely exploitable computational
complexity attack when parsing and storing isakmp fragments. The implementation
permits a remote attacker to exhaust computational resources on the remote endpoint
by repeatedly sending isakmp fragment packets in a particular order such that
the worst-case computational complexity is realized in the algorithm utilized
to determine if reassembly of the fragments can take place.
If an ALTSVC frame is received by libnghttp2 and it is larger than it
can accept, the pointer field which points to the ALTSVC frame payload
is left NULL. Later libnghttp2 attempts to access another field through
the pointer, and gets a segmentation fault.
The ALTSVC frame is defined by RFC 7838.
The largest frame size libnghttp2 accepts is by default 16384 bytes.
Receiving ALTSVC frames is disabled by default. The application has to
enable it explicitly by calling
nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC).
Transmission of ALTSVC is always enabled, and it does not cause this
vulnerability.
The ALTSVC frame is expected to be sent by a server and received by a
client, as defined in RFC 7838.
Client and server are both affected by this vulnerability if reception
of the ALTSVC frame is enabled. As written earlier, it is useless to
enable reception of ALTSVC frames on the server side, so a server is
generally safe unless the application accidentally enabled reception of
ALTSVC frames.
This update primarily fixes a recently discovered IMAP-cmd-injection
vulnerability caused by insufficient input validation within
the archive plugin.
Details about the vulnerability are published under CVE-2018-9846.
The Jenkins CLI sent different error responses for commands with
view and agent arguments depending on the existence of the specified
views or agents to unauthorized users. This allowed attackers to
determine whether views or agents with specified names exist.
The Jenkins CLI now returns the same error messages to unauthorized
users independent of the existence of specified view or agent
names.
Some JavaScript confirmation dialogs included the item name in an
unsafe manner, resulting in a possible cross-site scripting
vulnerability exploitable by users with permission to create or
configure items.
JavaScript confirmation dialogs that include the item name now
properly escape it, so it can be safely displayed.
There were multiple server-side request forgery issues in the Services feature.
An attacker could make requests to servers within the same network of the GitLab
instance. This could lead to information disclosure, authentication bypass, or
potentially code execution. This issue has been assigned
CVE-2018-8801.
Gitlab Auth0 integration issue
There was an issue with the GitLab omniauth-auth0 configuration
which resulted in the Auth0 integration signing in the wrong users.
Insufficient validation of user-provided font parameters
can result in an integer overflow, leading to the use of
arbitrary kernel memory as glyph data. Characters that
reference this data can be displayed on the screen, effectively
disclosing kernel memory.
Impact:
Unprivileged users may be able to access privileged
kernel data.
Such memory might contain sensitive information, such
as portions of the file cache or terminal buffers. This
information might be directly useful, or it might be leveraged
to obtain elevated privileges in some way; for example, a
terminal buffer might include a user-entered password.
The length field of the option header does not count the
size of the option header itself. This causes a problem
when the length is zero, the count is then incremented by
zero, which causes an infinite loop.
In addition there are pointer/offset mistakes in the
handling of IPv4 options.
Impact:
A remote attacker who is able to send an arbitrary packet,
could cause the remote target machine to crash.
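A bounded option walker illustrating the failure mode above, added here as an example rather than code from the affected kernel: because a zero length never advances the cursor, the walker rejects any length shorter than the two-octet option header, or one that overruns the buffer, instead of looping. It assumes the RFC 791 encoding, in which the length octet counts the type and length octets themselves.

```ruby
# IPv4 option types that carry no length octet (RFC 791).
IPOPT_EOL = 0   # end of option list
IPOPT_NOP = 1   # no-operation padding

# Walks the options area of an IPv4 header and returns an array of
# { type:, data: } hashes, or :malformed when the encoding is invalid.
# Every iteration either advances the cursor or terminates, so a zero
# length (or one that overruns the buffer) cannot cause an infinite loop.
def parse_ipv4_options(options)
  bytes = options.b
  parsed = []
  i = 0
  while i < bytes.bytesize
    type = bytes.getbyte(i)
    break if type == IPOPT_EOL
    if type == IPOPT_NOP
      i += 1
      next
    end
    # Any other option carries a length octet; require it to be present.
    return :malformed if i + 1 >= bytes.bytesize
    len = bytes.getbyte(i + 1)
    # Assumed RFC 791 layout: len counts the type and length octets, so
    # len < 2 is impossible in a valid packet and would never advance i.
    return :malformed if len < 2
    # The option must fit entirely within the options area.
    return :malformed if i + len > bytes.bytesize
    parsed << { type: type, data: bytes.byteslice(i + 2, len - 2) }
    i += len
  end
  parsed
end

# Convenience wrapper: true only when the options area parses cleanly.
def ipv4_options_valid?(options)
  parse_ipv4_options(options) != :malformed
end
```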
A use-after-free vulnerability can occur in the
compositor during certain graphics operations when a raw
pointer is used instead of a reference counted one. This
results in a potentially exploitable crash.
CVE-2017-17742: HTTP response splitting in WEBrick
If a script accepts external input and outputs it without modification
as part of an HTTP response, an attacker can use newline characters to
deceive clients into believing the HTTP response header ends there, and
can inject fake HTTP responses after the newline characters to show
malicious content to the clients.
CVE-2018-6914: Unintentional file and directory creation with
directory traversal in tempfile and tmpdir
The Dir.mktmpdir method introduced by the tmpdir library accepts the
prefix and the suffix of the directory to be created as its first
parameter. The prefix can contain relative directory specifiers such as
"../", so this method can be used to target any directory. So, if a
script accepts external input as the prefix, and the targeted directory
has inappropriate permissions or the ruby process has inappropriate
privileges, the attacker can create a directory or a file in any
directory.
CVE-2018-8777: DoS by large request in WEBrick
If an attacker sends a large request containing huge HTTP headers,
WEBrick tries to process it in memory, so the request causes an
out-of-memory DoS.
CVE-2018-8778: Buffer under-read in String#unpack
String#unpack receives format specifiers as its parameter, and the
position at which parsing of the data starts can be specified with the @
specifier. If a big number is passed with @, the number is treated as a
negative value, and an out-of-buffer read occurs. So, if a script accepts
external input as the argument of String#unpack, the attacker can read
data on the heap.
CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
UNIXServer.open accepts the path of the socket to be created as its
first parameter. If the path contains NUL (\0) bytes, this method treats
the path as ending before the NUL bytes. So, if a script accepts external
input as the argument of this method, the attacker can create the socket
file at an unintended path. UNIXSocket.open also accepts the path of the
socket to be created as its first parameter without checking for NUL
bytes, like UNIXServer.open. So, if a script accepts external input as
the argument of this method, the attacker can access a socket file at an
unintended path.
CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte
in Dir
Dir.open, Dir.new, Dir.entries and Dir.empty? accept the path of the
target directory as their parameter. If the parameter contains NUL (\0)
bytes, these methods treat the path as ending before the NUL bytes. So,
if a script accepts external input as the argument of these methods, the
attacker can cause unintended directory traversal.
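A defensive input check for the three Ruby issues above (CVE-2018-6914, CVE-2018-8779, CVE-2018-8780), added as an example and not taken from the Ruby advisory: before external input reaches Dir.mktmpdir, the Dir methods or UNIXServer.open, it is rejected if it carries a NUL byte, a path separator or a relative directory specifier. The helper names are assumptions.

```ruby
require 'tmpdir'

# Raised when externally supplied input is not a plain file-name component.
class UnsafePathComponent < ArgumentError; end

# Accepts only a single path component: no NUL bytes (which truncate the
# path at the C level, CVE-2018-8779/CVE-2018-8780), no separators and no
# "." or ".." (which let Dir.mktmpdir escape its parent, CVE-2018-6914).
# Returns the validated string or raises UnsafePathComponent.
def safe_component!(input)
  str = input.to_s
  raise UnsafePathComponent, "empty component" if str.empty?
  raise UnsafePathComponent, "NUL byte in path" if str.include?("\0")
  raise UnsafePathComponent, "path separator in component" if str.match?(%r{[/\\]})
  raise UnsafePathComponent, "relative specifier in component" if str == "." || str == ".."
  str
end

# Creates a temporary directory whose name starts with an untrusted prefix,
# but only after the prefix has been validated (hypothetical wrapper name).
# Returns the path of the created directory.
def mktmpdir_with_untrusted_prefix(prefix, parent = Dir.tmpdir)
  Dir.mktmpdir(safe_component!(prefix), parent)
end

# True when +candidate+ (possibly attacker supplied) resolves inside +root+.
# Intended to run before Dir.open / Dir.entries / UNIXServer.open so that
# neither "../" sequences nor embedded NUL bytes can redirect the call.
def inside_root?(root, candidate)
  raise UnsafePathComponent, "NUL byte in path" if candidate.include?("\0")
  root_real = File.realpath(root)
  target = File.expand_path(candidate, root_real)
  target == root_real || target.start_with?(root_real + File::SEPARATOR)
end
```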
Node.js Inspector DNS rebinding vulnerability (CVE-2018-7160)
Node.js 6.x and later include a debugger protocol (also known as "inspector") that can be activated by the --inspect and related command line flags. This debugger service was vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution.
'path' module regular expression denial of service (CVE-2018-7158)
The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later, so this vulnerability only impacts the Node.js 4.x release line (all 4.x versions).
Spaces in HTTP Content-Length header values are ignored (CVE-2018-7159)
The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12. The HTTP specification does not allow for spaces in the Content-Length value and the Node.js HTTP parser has been brought into line on this particular difference.
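Strict handling of HTTP header fields covering both the WEBrick response-splitting case (CVE-2017-17742) and the Content-Length case just described, added as an example rather than code from WEBrick or the Node.js parser: outgoing header values are refused if they contain CR or LF, and Content-Length is accepted only when it is all digits, so a value of "1 2" is rejected instead of being read as 12. Function names are assumptions, and the value passed in is the field value after surrounding whitespace has been trimmed.

```ruby
# Header field values may not contain CR or LF (RFC 7230 section 3.2);
# an untrusted value carrying "\r\n" would end the header block and let a
# second, forged response be appended (CVE-2017-17742 in WEBrick).
class HeaderInjection < ArgumentError; end

# Returns the value unchanged, or raises HeaderInjection.
def safe_header_value!(value)
  str = value.to_s
  raise HeaderInjection, "CR/LF in header value" if str.match?(/[\r\n]/)
  raise HeaderInjection, "NUL in header value" if str.include?("\0")
  str
end

# Builds a Location header from a client-supplied redirect target,
# refusing any value that would split the response.
def redirect_header(target)
  "Location: #{safe_header_value!(target)}"
end

# Content-Length is 1*DIGIT (RFC 7230 section 3.3.2). A lenient parser
# that skipped spaces read "1 2" as 12 (CVE-2018-7159); this one returns
# nil for anything but ASCII digits (no spaces, signs or empty values).
def parse_content_length(field_value)
  return nil unless field_value.match?(/\A\d+\z/)
  field_value.to_i
end

# Takes header fields as [name, value] pairs and returns the request body
# length, or nil when Content-Length is absent, malformed, or present
# several times with conflicting values.
def content_length_from(headers)
  values = headers.select { |name, _| name.casecmp?("content-length") }.map(&:last)
  return nil if values.empty?
  parsed = values.map { |v| parse_content_length(v) }
  return nil if parsed.include?(nil) || parsed.uniq.size != 1
  parsed.first
end
```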
Constructed ASN.1 types with a recursive definition could
exceed the stack (CVE-2018-0739)
Constructed ASN.1 types with a recursive definition (such as can be
found in PKCS7) could eventually exceed the stack given malicious input
with excessive recursion. This could result in a Denial Of Service
attack. There are no such structures used within SSL/TLS that come from
untrusted sources so this is considered safe.
rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
There is an overflow bug in the AVX2 Montgomery multiplication
procedure used in exponentiation with 1024-bit moduli. This only
affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig
enabled (CVE-2017-15710)
mod_session: CGI-like applications that intend to read from
mod_session's 'SessionEnv ON' could be fooled into reading
user-supplied data instead. (CVE-2018-1283)
mod_cache_socache: Fix request headers parsing to avoid a possible
crash with specially crafted input data. (CVE-2018-1303)
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production
LogLevel. (CVE-2018-1301)
core: Configure the regular expression engine to match '$' to the
end of the input string only, excluding matching the end of any
embedded newline characters. Behavior can be changed with new
directive 'RegexDefaultOptions'. (CVE-2017-15715)
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
may cause problems if used with round robin load balancers.
(CVE-2018-1312)
The decode_ihdr_chunk function in libavcodec/pngdec.c in
FFmpeg before 2.7.2 does not enforce uniqueness of the IHDR
(aka image header) chunk in a PNG image, which allows remote
attackers to cause a denial of service (out-of-bounds array
access) or possibly have unspecified other impact via a
crafted image with two or more of these chunks.
Multiple integer underflows in the ff_mjpeg_decode_frame
function in libavcodec/mjpegdec.c in FFmpeg before 2.7.2
allow remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified
other impact via crafted MJPEG data.
The ff_sbr_apply function in libavcodec/aacsbr.c in
FFmpeg before 2.7.2 does not check for a matching AAC frame
syntax element before proceeding with Spectral Band
Replication calculations, which allows remote attackers to
cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via crafted AAC
data.
The ff_mpv_common_init function in libavcodec/mpegvideo.c
in FFmpeg before 2.7.2 does not properly maintain the
encoding context, which allows remote attackers to cause a
denial of service (invalid pointer access) or possibly have
unspecified other impact via crafted MPEG data.
The destroy_buffers function in libavcodec/sanm.c in
FFmpeg before 2.7.2 does not properly maintain height and
width values in the video context, which allows remote
attackers to cause a denial of service (segmentation
violation and application crash) or possibly have
unspecified other impact via crafted LucasArts Smush video
data.
The allocate_buffers function in libavcodec/alac.c in
FFmpeg before 2.7.2 does not initialize certain context
data, which allows remote attackers to cause a denial of
service (segmentation violation) or possibly have
unspecified other impact via crafted Apple Lossless Audio
Codec (ALAC) data.
The sws_init_context function in libswscale/utils.c in
FFmpeg before 2.7.2 does not initialize certain pixbuf data
structures, which allows remote attackers to cause a denial
of service (segmentation violation) or possibly have
unspecified other impact via crafted video data.
The ff_frame_thread_init function in
libavcodec/pthread_frame.c in FFmpeg before 2.7.2 mishandles
certain memory-allocation failures, which allows remote
attackers to cause a denial of service (invalid pointer
access) or possibly have unspecified other impact via a
crafted file, as demonstrated by an AVI file.
The ff_rv34_decode_init_thread_copy function in
libavcodec/rv34.c in FFmpeg before 2.7.2 does not initialize
certain structure members, which allows remote attackers to
cause a denial of service (invalid pointer access) or
possibly have unspecified other impact via crafted (1) RV30
or (2) RV40 RealVideo data.
The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in
FFmpeg before 2.8.4 does not validate the number of
decomposition levels before proceeding with Discrete Wavelet
Transform decoding, which allows remote attackers to cause a
denial of service (out-of-bounds array access) or possibly
have unspecified other impact via crafted JPEG 2000
data.
The ff_get_buffer function in libavcodec/utils.c in
FFmpeg before 2.8.4 preserves width and height values after
a failure, which allows remote attackers to cause a denial
of service (out-of-bounds array access) or possibly have
unspecified other impact via a crafted .mov file.
The msrle_decode_pal4 function in msrledec.c in Libav
before 10.7 and 11.x before 11.4 and FFmpeg before 2.0.7,
2.2.x before 2.2.15, 2.4.x before 2.4.8, 2.5.x before 2.5.6,
and 2.6.x before 2.6.2 allows remote attackers to have
unspecified impact via a crafted image, related to a pixel
pointer, which triggers an out-of-bounds array access.
The update_dimensions function in libavcodec/vp8.c in
FFmpeg through 2.8.1, as used in Google Chrome before
46.0.2490.71 and other products, relies on a
coefficient-partition count during multi-threaded operation,
which allows remote attackers to cause a denial of service
(race condition and memory corruption) or possibly have
unspecified other impact via a crafted WebM file.
The ljpeg_decode_yuv_scan function in
libavcodec/mjpegdec.c in FFmpeg before 2.8.2 omits certain
width and height checks, which allows remote attackers to
cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via crafted MJPEG
data.
The ff_hevc_parse_sps function in libavcodec/hevc_ps.c in
FFmpeg before 2.8.2 does not validate the Chroma Format
Indicator, which allows remote attackers to cause a denial
of service (out-of-bounds array access) or possibly have
unspecified other impact via crafted High Efficiency Video
Coding (HEVC) data.
The decode_uncompressed function in libavcodec/faxcompr.c
in FFmpeg before 2.8.2 does not validate uncompressed runs,
which allows remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified
other impact via crafted CCITT FAX data.
The init_tile function in libavcodec/jpeg2000dec.c in
FFmpeg before 2.8.2 does not enforce minimum-value and
maximum-value constraints on tile coordinates, which allows
remote attackers to cause a denial of service (out-of-bounds
array access) or possibly have unspecified other impact via
crafted JPEG 2000 data.
The jpeg2000_read_main_headers function in
libavcodec/jpeg2000dec.c in FFmpeg before 2.6.5, 2.7.x
before 2.7.3, and 2.8.x through 2.8.2 does not enforce
uniqueness of the SIZ marker in a JPEG 2000 image, which
allows remote attackers to cause a denial of service
(out-of-bounds heap-memory access) or possibly have
unspecified other impact via a crafted image with two or
more of these markers.
Integer overflow in the ff_ivi_init_planes function in
libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3,
and 2.8.x through 2.8.2 allows remote attackers to cause a
denial of service (out-of-bounds heap-memory access) or
possibly have unspecified other impact via crafted image
dimensions in Indeo Video Interactive data.
The smka_decode_frame function in libavcodec/smacker.c in
FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through
2.8.2 does not verify that the data size is consistent with
the number of channels, which allows remote attackers to
cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via crafted Smacker
data.
Use-after-free vulnerability in the ff_h264_free_tables
function in libavcodec/h264.c in FFmpeg before 2.3.6 allows
remote attackers to cause a denial of service or possibly
have unspecified other impact via crafted H.264 data in an
MP4 file, as demonstrated by an HTML VIDEO element that
references H.264 data.
There is a possible XSS vulnerability in rails-html-sanitizer. The gem
allows non-whitelisted attributes to be present in sanitized output
when given input containing specially crafted HTML fragments, and these
attributes can lead to an XSS attack on target applications.
Fixed an HTML injection vulnerability that could allow XSS.
When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2,
a specially crafted HTML fragment can cause libxml2 to generate
improperly escaped output, allowing non-whitelisted attributes to be
used on whitelisted elements.
Sanitize now performs additional escaping on affected attributes to
prevent this.
This issue has been created for public disclosure of an XSS / code
injection vulnerability that was responsibly reported by the Shopify
Application Security Team.
Loofah allows non-whitelisted attributes to be present in sanitized
output when given input containing specially crafted HTML fragments.
In Jupyter Notebook before 5.4.1, a maliciously forged notebook file
can bypass sanitization to execute JavaScript in the notebook context.
Specifically, invalid HTML is 'fixed' by jQuery after sanitization,
making it dangerous.
An attacker able to exploit this vulnerability can extract files
from the server the application is running on. This may include
configuration files, log files and additionally all files that are
readable for all users on the system. This issue is
post-authentication. That means an attacker would need valid
credentials for the application to log in, or needs to exploit an
additional vulnerability of which we are not aware at this point
in time.
An attacker would also be able to delete files on the system, if
the user running the application has the rights to do so.
Does this issue affect me?
Likely yes, if you are using Squirrelmail. We checked the latest
development version, which is 1.5.2-svn and the latest version
available for download at this point of time, 1.4.22. Both contain
the vulnerable code.
Several issues were discovered with incomplete sanitization of
user-provided text strings, which could potentially lead to SQL
injection attacks against SlurmDBD itself. Such exploits could lead to a
loss of accounting data, or escalation of user privileges on the cluster.
Xiph.Org libvorbis 1.3.5 allows Remote Code Execution
upon freeing uninitialized memory in the function
vorbis_analysis_headerout() in info.c when
vi->channels<=0, a similar issue to Mozilla bug
550184.
In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read
vulnerability exists in the function mapping0_forward() in
mapping0.c, which may lead to DoS when operating on a
crafted audio file with vorbis_analysis().
A number of issues relating to speculative execution
were found last year and publicly announced January 3rd.
Two of these, known as Meltdown and Spectre V2, are addressed
here.
This issue relies on an affected CPU speculatively
executing instructions beyond a faulting instruction. When
this happens, changes to architectural state are not
committed, but observable changes may be left in
microarchitectural state (for example, cache). This may be used
to infer privileged data.
Missing null pointer checks may crash the external
print server process.
On a Samba 4 AD DC any authenticated user can change
other user's passwords over LDAP, including the
passwords of administrative users and service accounts.
When the truncated HMAC extension is enabled and CBC is used,
sending a malicious application packet can be used to selectively
corrupt 6 bytes on the peer's heap, potentially leading to a
crash or remote code execution. This can be triggered remotely
from either side in both TLS and DTLS.
When RSASSA-PSS signature verification is enabled, sending a
maliciously constructed certificate chain can be used to cause a
buffer overflow on the peer's stack, potentially leading to crash
or remote code execution. This can be triggered remotely from
either side in both TLS and DTLS.
Failure to properly bounds check a buffer used for processing
DHCP options allows a malicious server (or an entity
masquerading as a server) to cause a buffer overflow (and
resulting crash) in dhclient by sending a response containing a
specially constructed options section.
A malicious client which is allowed to send very large amounts
of traffic (billions of packets) to a DHCP server can eventually
overflow a 32-bit reference counter, potentially causing dhcpd
to crash.
Laurent Delosieres, Secunia Research at Flexera Software reports:
Secunia Research has discovered a vulnerability in libsndfile, which can be
exploited by malicious people to disclose potentially sensitive information.
The vulnerability is caused due to an error in the "aiff_read_chanmap()" function
(src/aiff.c), which can be exploited to cause an out-of-bounds read memory access
via a specially crafted AIFF file. The vulnerability is confirmed in version 1.0.28.
Other versions may also be affected.
CVE-2017-8361 (Medium): The flac_buffer_copy function in flac.c in
libsndfile 1.0.28 allows remote attackers to cause a denial of service
(buffer overflow and application crash) or possibly have unspecified
other impact via a crafted audio file.
CVE-2017-8362 (Medium): The flac_buffer_copy function in flac.c in
libsndfile 1.0.28 allows remote attackers to cause a denial of service
(invalid read and application crash) via a crafted audio file.
CVE-2017-8363 (Medium): The flac_buffer_copy function in flac.c in
libsndfile 1.0.28 allows remote attackers to cause a denial of service
(heap-based buffer over-read and application crash) via a crafted audio
file.
CVE-2017-8365 (Medium): The i2les_array function in pcm.c in libsndfile
1.0.28 allows remote attackers to cause a denial of service (buffer
over-read and application crash) via a crafted audio file.
manxorist on Github reports:
CVE-2017-12562 (High): Heap-based Buffer Overflow in the
psf_binheader_writef function in common.c in libsndfile through
1.0.28 allows remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact.
Xin-Jiang on Github reports:
CVE-2017-14634 (Medium): In libsndfile 1.0.28, a divide-by-zero
error exists in the function double64_init() in double64.c, which
may lead to DoS when playing a crafted audio file.
CVE-2017-14245 (Medium): An out of bounds read in the function
d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote
DoS attack or information disclosure, related to mishandling of
the NAN and INFINITY floating-point values.
CVE-2017-14246 (Medium): An out of bounds read in the function
d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote
DoS attack or information disclosure, related to mishandling of the
NAN and INFINITY floating-point values.
my123px on Github reports:
CVE-2017-17456 (Medium): The function d2alaw_array() in alaw.c of
libsndfile 1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown
address 0x000000000000), a different vulnerability than CVE-2017-14245.
CVE-2017-17457 (Medium): The function d2ulaw_array() in ulaw.c of
libsndfile 1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown
address 0x000000000000), a different vulnerability than CVE-2017-14246.
Shibboleth SP software vulnerable to additional data forgery flaws
The XML processing performed by the Service Provider software has
been found to be vulnerable to new flaws similar in nature to the
one addressed in an advisory last month.
These bugs involve the use of other XML constructs rather than
entity references, and therefore required additional mitigation once
discovered. As with the previous issue, this flaw allows for
changes to an XML document that do not break a digital signature but
can alter the user data passed through to applications behind the SP
and result in impersonation attacks and exposure of protected
information.
As before, the use of XML Encryption is a significant mitigation,
but we have not dismissed the possibility that attacks on the
Response "envelope" may be possible, in both the original and this
new case. No actual attacks of this nature are known, so deployers
should prioritize patching systems that expect to handle unencrypted
SAML assertions.
An updated version of XMLTooling-C (V1.6.4) is available that
protects against these new attacks, and should help prevent similar
vulnerabilities in the future.
Unlike the previous case, these bugs are NOT prevented by any
existing Xerces-C parser version on any platform and cannot be
addressed by any means other than the updated XMLTooling-C library.
The Service Provider software relies on a generic XML parser to
process SAML responses and there are limitations in older versions
of the parser that make it impossible to fully disable Document Type
Definition (DTD) processing.
Through addition/manipulation of a DTD, it's possible to make
changes to an XML document that do not break a digital signature but
are mishandled by the SP and its libraries. These manipulations can
alter the user data passed through to applications behind the SP and
result in impersonation attacks and exposure of protected
information.
While newer versions of the xerces-c3 parser are configured by the
SP into disallowing the use of a DTD via an environment variable,
this feature is not present in the xerces-c3 parser before version
3.1.4, so an additional fix is being provided now that an actual DTD
exploit has been identified. Xerces-c3-3.1.4 was committed to the
ports tree already on 2016-07-26.
Several security fixes in this release, including:
[780450] High CVE-2018-6031: Use after free in PDFium. Reported by Anonymous on 2017-11-01
[787103] High CVE-2018-6032: Same origin bypass in Shared Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-20
[793620] High CVE-2018-6033: Race when opening downloaded files. Reported by Juho Nurminen on 2017-12-09
[784183] Medium CVE-2018-6034: Integer overflow in Blink. Reported by Tobias Klein (www.trapkit.de) on 2017-11-12
[797500] Medium CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
[753645] Medium CVE-2018-6037: Insufficient user gesture requirements in autofill. Reported by Paul Stone of Context Information Security on 2017-08-09
[774174] Medium CVE-2018-6038: Heap buffer overflow in WebGL. Reported by cloudfuzzer on 2017-10-12
[775527] Medium CVE-2018-6039: XSS in DevTools. Reported by Juho Nurminen on 2017-10-17
[778658] Medium CVE-2018-6040: Content security policy bypass. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-26
[760342] Medium CVE-2018-6041: URL spoof in Navigation. Reported by Luan Herrera on 2017-08-29
[773930] Medium CVE-2018-6042: URL spoof in OmniBox. Reported by Khalil Zhani on 2017-10-12
[785809] Medium CVE-2018-6043: Insufficient escaping with external URL handlers. Reported by 0x09AL on 2017-11-16
[797497] Medium CVE-2018-6045: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
[798163] Medium CVE-2018-6046: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-31
[799847] Medium CVE-2018-6047: Cross origin URL leak in WebGL. Reported by Masato Kinugawa on 2018-01-08
[763194] Low CVE-2018-6048: Referrer policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-09-08
[771848] Low CVE-2017-15420: URL spoofing in Omnibox. Reported by Drew Springall (@_aaspring_) on 2017-10-05
[774438] Low CVE-2018-6049: UI spoof in Permissions. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-13
[774842] Low CVE-2018-6050: URL spoof in OmniBox. Reported by Jonathan Kew on 2017-10-15
[441275] Low CVE-2018-6051: Referrer leak in XSS Auditor. Reported by Antonio Sanso (@asanso) on 2014-12-11
[615608] Low CVE-2018-6052: Incomplete no-referrer policy implementation. Reported by Tanner Emek on 2016-05-28
[758169] Low CVE-2018-6053: Leak of page thumbnails in New Tab Page. Reported by Asset Kabdenov on 2017-08-23
[797511] Low CVE-2018-6054: Use after free in WebUI. Reported by Rob Wu on 2017-12-24
Bugs in Git, Subversion, and Mercurial were just announced and patched
which allowed arbitrary local command execution if a malicious name was
used for the remote server, such as starting with - to pass options to
the ssh client:
git clone ssh://-oProxyCommand=some-command...
CVS has a similar problem with the -d option:
Tested vanilla CVS 1.12.13, and Gentoo CVS 1.12.12-r11.
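The common thread in the Git, Subversion, Mercurial and CVS bugs above is that part of a remote specification (the host, the user, or the whole argument) reaches a child process's argv and is parsed as an option when it begins with "-". The following pre-flight check is an added example, not code from any of those projects: it rejects remote specs whose user or host component starts with "-" before the spec is handed to a VCS tool. The function names and the handling of scp-like `[user@]host:path` syntax are my own assumptions about what such a check should cover.

```python
"""Pre-flight check for VCS remote specs (added example, not git's or CVS's code).

Any component that ends up in the argv of ssh, or of the VCS binary itself,
must not begin with '-', or it is read as an option such as -oProxyCommand.
"""
from urllib.parse import urlsplit

SSH_SCHEMES = {"ssh", "git+ssh", "ssh+git"}


def _option_like(component: str) -> bool:
    """True when a value would be interpreted as a command-line option."""
    return component.startswith("-")


def remote_is_safe(remote: str) -> bool:
    """Return True only if no user or host component of `remote` starts with '-'.

    Handles URL syntax (ssh://[user@]host/path), scp-like syntax
    ([user@]host:path) and plain local paths. Hypothetical helper, not a
    replacement for the fixed VCS versions.
    """
    if not remote or _option_like(remote):
        # The whole argument would be taken as an option by the VCS binary.
        return False

    if "://" in remote:
        parts = urlsplit(remote)
        if parts.scheme not in SSH_SCHEMES:
            return True  # no ssh child process is involved for other schemes
        host = parts.hostname or ""
        user = parts.username or ""
        if not host:
            return False  # malformed: nothing to connect to
        return not (_option_like(host) or _option_like(user))

    if ":" in remote:
        # scp-like syntax: [user@]host:path
        hostpart, _, _path = remote.partition(":")
        user, _, host = hostpart.rpartition("@")
        return not (_option_like(host) or _option_like(user))

    return True  # local path, no ssh involvement
```

In practice this check belongs in front of any code that builds a `git clone`/`cvs -d` command line from untrusted input (submodule URLs, webhook payloads, CI job definitions); it complements, rather than replaces, upgrading to the patched VCS versions, which reject such hostnames themselves.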
LibreOffice Calc supports a WEBSERVICE function to obtain data by URL.
Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file
URL (e.g. file://) which can be used to inject local files into the
spreadsheet without warning the user. Subsequent formulas can operate on
that inserted data and construct a remote URL whose path leaks the local
data to a remote attacker.
In later versions of LibreOffice without this flaw, WEBSERVICE has now
been limited to accessing http and https URLs along with bringing
WEBSERVICE URLs under LibreOffice Calc's link management infrastructure.
Note: This vulnerability has been identified upstream
as CVE-2018-1055, but NVD/Mitre are advising it's a reservation
duplicate of CVE-2018-6871 which should be used instead.
Security constraints defined by annotations of Servlets were only
applied once a Servlet had been loaded. Because security constraints
defined in this way apply to the URL pattern and any URLs below that
point, it was possible - depending on the order Servlets were loaded -
for some security constraints not to be applied. This could have exposed
resources to users who were not authorised to access them.
The URL pattern of "" (the empty string) which exactly maps to the
context root was not correctly handled when used as part of a security
constraint definition. This caused the constraint to be ignored. It was,
therefore, possible for unauthorised users to gain access to web
application resources that should have been protected. Only security
constraints with a URL pattern of the empty string were affected.
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.
This problem allows a remote server delivering certain ESI
response syntax to trigger a denial of service for all clients
accessing the Squid service.
Due to unrelated changes Squid-3.5 has become vulnerable to some
regular ESI server responses also triggering this issue.
This problem is limited to the Squid custom ESI parser.
Squid built to use libxml2 or libexpat XML parsers do not have
this problem.
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses or downloading
intermediate CA certificates.
This problem allows a remote client delivering certain HTTP
requests in conjunction with certain trusted server responses to
trigger a denial of service for all clients accessing the Squid
service.
AST-2018-004 - When processing a SUBSCRIBE request the
res_pjsip_pubsub module stores the accepted formats present
in the Accept headers of the request. This code did not
limit the number of headers it processed despite having
a fixed limit of 32. If more than 32 Accept headers were
present the code would write outside of its memory and
cause a crash.
AST-2018-005 - A crash occurs when a number of
authenticated INVITE messages are sent over TCP or TLS
and then the connection is suddenly closed. This issue
leads to a segmentation fault.
AST-2018-002 - By crafting an SDP message with an
invalid media format description Asterisk crashes when
using the pjsip channel driver because pjproject's sdp
parsing algorithm fails to catch the invalid media format
description.
AST-2018-003 - By crafting an SDP message body with
an invalid fmtp attribute Asterisk crashes when using the
pjsip channel driver because pjproject's fmtp retrieval
function fails to check if fmtp value is empty (set empty
if previously parsed as invalid).
The GitLab SnippetFinder component contained an information disclosure
which allowed access to snippets restricted to Only team members or
configured as disabled. The issue is now resolved in the latest version.
LDAP API authorization issue
An LDAP API endpoint contained an authorization vulnerability which
unintentionally disclosed bulk LDAP groups data. This issue is now fixed in
the latest release.
Persistent XSS mermaid markdown
The mermaid markdown feature contained a persistent XSS issue that is now
resolved in the latest release.
Insecure direct object reference Todo API
The Todo API was vulnerable to an insecure direct object reference issue
which resulted in an information disclosure of confidential data.
GitHub import access control issue
An improper access control weakness issue was discovered in the GitHub
import feature. The issue allowed an attacker to create projects under other
accounts which they shouldn't have access to. The issue is now resolved in
the latest version.
Protected variables information disclosure
The CI jobs protected tag feature contained a vulnerability which
resulted in an information disclosure of protected variables. The issue is
now resolved in the latest release.
Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that
was caused by insufficient input validation. One of the configurable
parameters in algorithm identifier structures for RSASSA-PSS signatures is the
mask generation function (MGF). Only MGF1 is currently specified for this
purpose. However, this in turn takes itself a parameter that specifies the
underlying hash function. strongSwan's parser did not correctly handle the
case of this parameter being absent, causing an undefined data read.
This vulnerability has been registered as CVE-2018-6459.
This is a security release that fixes an integer overflow in code generated by binpac. This issue can be used by remote attackers to crash Bro (i.e. a DoS attack). There also is a possibility this can be exploited in other ways. (CVE pending.)
Bro before Bro v2.5.2 is vulnerable to an out of bounds write in the ContentLine analyzer allowing remote attackers to cause a denial of service (crash) and possibly other exploitation.
A flaw was found in the embedded DNS library used in consul which
may allow a denial of service attack. Consul was updated to include
the fixed version.
CVE-2018-5800: An off-by-one error within the "LibRaw::kodak_ycbcr_load_raw()"
function (internal/dcraw_common.cpp) can be exploited to cause a heap-based
buffer overflow and subsequently cause a crash.
CVE-2017-5801: An error within the "LibRaw::unpack()" function
(src/libraw_cxx.cpp) can be exploited to trigger a NULL pointer dereference.
CVE-2017-5802: An error within the "kodak_radc_load_raw()" function
(internal/dcraw_common.cpp) related to the "buf" variable can be exploited
to cause an out-of-bounds read memory access and subsequently cause a crash.
CVE-2017-16909: An error related to the "LibRaw::panasonic_load_raw()"
function (dcraw_common.cpp) can be exploited to cause a heap-based buffer
overflow and subsequently cause a crash via a specially crafted TIFF image.
CVE-2017-16910: An error within the "LibRaw::xtrans_interpolate()" function
(internal/dcraw_common.cpp) can be exploited to cause an invalid read
memory access.
The Quagga BGP daemon, bgpd, does not properly bounds
check the data sent with a NOTIFY to a peer, if an attribute
length is invalid. Arbitrary data from the bgpd process
may be sent over the network to a peer and/or it may crash.
The Quagga BGP daemon, bgpd, can double-free memory
when processing certain forms of UPDATE message, containing
cluster-list and/or unknown attributes.
The Quagga BGP daemon, bgpd, can overrun internal BGP
code-to-string conversion tables used for debug by 1
pointer value, based on input.
The Quagga BGP daemon, bgpd, can enter an infinite
loop if sent an invalid OPEN message by a configured peer.
A remote code execution vulnerability has been spotted in use
against some users running PyBitmessage v0.6.2. The cause was
identified and a fix has been added and released as 0.6.3.2. (Will be
updated if/when CVE will be available.)
Jenkins did not properly prevent specifying relative paths that
escape a base directory for URLs accessing plugin resource files. This
allowed users with Overall/Read permission to download files from the
Jenkins master they should not have access to.
bchunk 1.2.0 and 1.2.1 is vulnerable to a heap-based buffer
overflow (with a resultant invalid free) and crash when processing a
malformed CUE (.cue) file.
It was discovered that the uwsgi_expand_path function in utils.c in
Unbit uWSGI, an application container server, has a stack-based buffer
overflow via a large directory length that can cause a
denial-of-service (application crash) or stack corruption.
There is a possible integer overflow in PyString_DecodeEscape
function of the file stringobject.c, which can be abused to gain
a heap overflow, possibly leading to arbitrary code execution.
mpv through 0.28.0 allows remote attackers to execute arbitrary code
via a crafted web site, because it reads HTML documents containing
VIDEO elements, and accepts arbitrary URLs in a src attribute without
a protocol whitelist in player/lua/ytdl_hook.lua. For example, an
av://lavfi:ladspa=file= URL signifies that the product should call
dlopen on a shared object file located at an arbitrary local pathname.
The issue exists because the product does not consider that youtube-dl
can provide a potentially unsafe URL.
Heap-based buffer overflow in the
NCompress::NShrink::CDecoder::CodeReal method in 7-Zip before
18.00 and p7zip allows remote attackers to cause a denial of
service (out-of-bounds write) or potentially execute arbitrary
code via a crafted ZIP archive.
Insufficient exception handling in the method
NCompress::NRar3::CDecoder::Code of 7-Zip before 18.00 and p7zip
can lead to multiple memory corruptions within the PPMd code,
allows remote attackers to cause a denial of service (segmentation
fault) or execute arbitrary code via a crafted RAR archive.
Calls into build_benocde that use %zu could crash on 64 bit
machines due to the size change of size_t. Someone can force
READ_ENC_IA to fail allowing an internal_error to be thrown
and bring down the client.
An XSS vulnerability in the user options CGI could allow a crafted URL
to execute arbitrary javascript in a user's browser. A related issue
could expose information on a user's options page without requiring
login.
CVE-2018-6188: Information leakage in AuthenticationForm
A regression in Django 1.11.8 made AuthenticationForm run its
confirm_login_allowed() method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
confirm_login_allowed() raises. If confirm_login_allowed() isn't
overridden, an attacker can enter an arbitrary username and see if that user
has been set to is_active=False. If confirm_login_allowed() is
overridden, more sensitive details could be leaked.
This issue is fixed with the caveat that AuthenticationForm can no
longer raise the "This account is inactive." error if the authentication
backend rejects inactive users (the default authentication backend,
ModelBackend, has done that since Django 1.10). This issue will be
revisited for Django 2.1 as a fix to address the caveat will likely be too
invasive for inclusion in older versions.
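The Django regression above is an ordering problem: a policy hook that distinguishes account states ran before the password had been verified, so the error message became an oracle for is_active. The following is an added example, not Django's code, that models both orders against a constructed in-memory user store; the class, function and message names are mine, and the fixed variant follows the caveat stated above (inactive users are rejected by the backend with the generic message, and the policy hook only sees an authenticated, active user).

```python
"""Check ordering in a login form (added example, not Django's code).

Shows why running confirm_login_allowed() before the password is verified
leaks account state, and the order that does not.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    is_active: bool


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a real password hasher in this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(username: str, password: str, is_active: bool) -> User:
    # Constructed deterministic salt so the example is reproducible offline.
    salt = hashlib.sha256(username.encode()).digest()[:16]
    return User(username, salt, _hash(password, salt), is_active)


# Constructed user store: one active and one deactivated account.
USERS: Dict[str, User] = {
    u.username: u
    for u in (make_user("alice", "correct horse", True),
              make_user("mallory", "battery staple", False))
}
_DUMMY = make_user("", "", True)  # hashed against for unknown names (timing)

GENERIC = "Please enter a correct username and password."
INACTIVE = "This account is inactive."


def _password_ok(user: User, password: str) -> bool:
    return hmac.compare_digest(_hash(password, user.salt), user.pw_hash)


def confirm_login_allowed(user: User) -> Optional[str]:
    """Policy hook, as a site might override it: reject deactivated accounts."""
    return None if user.is_active else INACTIVE


def vulnerable_login(username: str, password: str) -> Optional[str]:
    """Regressed order: the policy hook runs before the password is verified.

    Any username can be probed: a wrong password on a deactivated account
    yields INACTIVE, on an active account GENERIC.
    """
    user = USERS.get(username)
    if user is None:
        return GENERIC
    err = confirm_login_allowed(user)  # leaks is_active without credentials
    if err:
        return err
    return None if _password_ok(user, password) else GENERIC


def fixed_login(username: str, password: str) -> Optional[str]:
    """Backend first: unknown, wrong-password and inactive users all get GENERIC.

    The password hash is computed even for unknown names so response time
    does not reveal whether the username exists.
    """
    user = USERS.get(username)
    pw_ok = _password_ok(user or _DUMMY, password)
    if user is None or not user.is_active or not pw_ok:
        return GENERIC
    return confirm_login_allowed(user)  # only for an authenticated, active user
```

The trade-off matches the caveat in the advisory: `fixed_login` can no longer tell a legitimate but deactivated user that their account is inactive, because saying so before verifying the password is exactly the leak.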
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of
SASL authentication results in a memory leak in Dovecot auth client
used by login processes. The leak has impact in high performance
configuration where same login processes are reused and can cause the
process to crash due to memory exhaustion.
Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code.
During TLS 1.2 exchanges, handshake hashes are generated which
point to a message buffer. This saved data is used for later
messages but in some cases, the handshake transcript can
exceed the space available in the current buffer, causing the
allocation of a new buffer. This leaves a pointer pointing to
the old, freed buffer, resulting in a use-after-free when
handshake hashes are then calculated afterwards. This can
result in a potentially exploitable crash.
A stack-based buffer overflow within GNOME gcab through
0.7.4 can be exploited by malicious attackers to cause a
crash or, potentially, execute arbitrary code via a
crafted .cab file.
libcurl 7.1 through 7.57.0 might accidentally leak authentication
data to third parties. When asked to send custom headers in its HTTP
requests, libcurl will send that set of headers first to the host in
the initial URL but also, if asked to follow redirects and a 30X HTTP
response code is returned, to the host mentioned in URL in the
`Location:` response header value. Sending the same set of headers to
subsequent hosts is in particular a problem for applications that pass
on custom `Authorization:` headers, as this header often contains
privacy sensitive information or data that could allow others to
impersonate the libcurl-using client's request.
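The libcurl issue above is a policy question about which request headers may follow a redirect to a different host. The following is an added example, not libcurl's code, of a redirect-following helper that resolves the `Location:` value and drops credential-bearing headers whenever the target's scheme, host or port differs from the original request. The set of headers treated as credentials and the decision to treat an https-to-http downgrade as a new origin are my assumptions.

```python
"""Header policy when following an HTTP redirect (added example, not libcurl's code)."""
from typing import Dict, Tuple
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials meant only for the origin they were set for.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) with the default port filled in, for origin comparison."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme, 0)


def headers_for_redirect(original_url: str, location: str,
                         headers: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Resolve a 30x Location and decide which headers may accompany the follow-up.

    Returns (target_url, headers_to_send). Credential headers are kept only
    when the target has the same scheme, host and port as the original
    request; a scheme downgrade (https -> http) counts as a different origin.
    """
    target = urljoin(original_url, location)  # Location may be relative
    if origin_of(target) == origin_of(original_url):
        return target, dict(headers)
    kept = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return target, kept
```

An application that must authenticate to the redirect target as well should add the credentials for that specific host explicitly rather than letting the original `Authorization:` header travel with the request.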
[778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by
Ned Williamson on 2017-10-26
[762374] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by
Ke Liu of Tencent's Xuanwu LAB on 2017-09-06
[763972] High CVE-2017-15409: Out of bounds write in Skia. Reported by
Anonymous on 2017-09-11
[765921] High CVE-2017-15410: Use after free in PDFium. Reported by
Luat Nguyen of KeenLab, Tencent on 2017-09-16
[770148] High CVE-2017-15411: Use after free in PDFium. Reported by
Luat Nguyen of KeenLab, Tencent on 2017-09-29
[727039] High CVE-2017-15412: Use after free in libXML. Reported by
Nick Wellnhofer on 2017-05-27
[766666] High CVE-2017-15413: Type confusion in WebAssembly. Reported by
Gaurav Dewan of Adobe Systems India Pvt. Ltd. on 2017-09-19
[765512] Medium CVE-2017-15415: Pointer information disclosure in IPC call.
Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15
[779314] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by
Ned Williamson on 2017-10-28
[699028] Medium CVE-2017-15417: Cross origin information disclosure in Skia.
Reported by Max May on 2017-03-07
[765858] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by
Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-09-15
[780312] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink.
Reported by Jun Kokatsu on 2017-10-31
[777419] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by
WenXu Wu of Tencent's Xuanwu Lab on 2017-10-23
[774382] Medium CVE-2017-15422: Integer overflow in ICU. Reported by
Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13
[780484] Medium CVE-2017-15430: Unsafe navigation in Chromecast Plugin.
Reported by jinmo123 on 2017-01-11
[778101] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL.
Reported by Greg Hudson on 2017-10-25
[756226] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by
Khalil Zhani on 2017-08-16
[756456] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by
xisigr of Tencent's Xuanwu Lab on 2017-08-17
[757735] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by
WenXu Wu of Tencent's Xuanwu Lab on 2017-08-18
[768910] Low CVE-2017-15427: Insufficient blocking of Javascript in Omnibox.
Reported by Junaid Farhan on 2017-09-26
[792099] Various fixes from internal audits, fuzzing and other initiatives
An issue has been found in the DNSSEC validation component of
PowerDNS Recursor, allowing an ancestor delegation NSEC or NSEC3
record to be used to wrongfully prove the non-existence of a RR
below the owner name of that record. This would allow an attacker in
position of man-in-the-middle to send a NXDOMAIN answer for a name
that does exist.
We discovered a vulnerability in the processing of wildcard synthesized
NSEC records. While synthesis of NSEC records is allowed by RFC4592,
these synthesized owner names should not be used in the NSEC processing.
This does, however, happen in Unbound 1.6.7 and earlier versions.
Password updater working with PostgreSQL - The cron for updating legacy password hashes was running invalid queries on PostgreSQL.
Deleting orphaned attachments w/ large number of orphaned attachments - Orphaned attachment deletion was improved to be able to delete them when a large number of orphaned attachments exist.
Multiple bugfixes for retrieving image size - Multiple issues with retrieving the image size of JPEGs and temporary files were resolved.
Issues with updating from phpBB 3.0.6 - Inconsistencies in the way parent modules were treated caused issues with updating from older phpBB 3.0 versions.
Forum / topic icon blurriness - Fixed issues with forum and topic icons looking blurry on some browsers.
Not all vulnerabilities are relevant for all flavors/versions of the
servers and clients
Vulnerability allows low privileged attacker with network access
via multiple protocols to compromise MySQL Server. Successful attacks
of this vulnerability can result in unauthorized ability to cause a
hang or frequently repeatable crash (complete DOS) of MySQL Server.
GIS: CVE-2018-2573, DDL: CVE-2018-2622, Optimizer: CVE-2018-2640,
CVE-2018-2665, CVE-2018-2668, Security:Privileges: CVE-2018-2703,
Partition: CVE-2018-2562.
Vulnerability allows high privileged attacker with network access
via multiple protocols to compromise MySQL Server. Successful attacks
of this vulnerability can result in unauthorized ability to cause a
hang or frequently repeatable crash (complete DOS) of MySQL Server.
InnoDB: CVE-2018-2565, CVE-2018-2612, DML: CVE-2018-2576,
CVE-2018-2646, Stored Procedure: CVE-2018-2583, Performance Schema:
CVE-2018-2590, Partition: CVE-2018-2591, Optimizer: CVE-2018-2600,
CVE-2018-2667, Security:Privileges: CVE-2018-2696, Replication:
CVE-2018-2647.
Vulnerability allows a low or high privileged attacker with network
access via multiple protocols to compromise MySQL Server with
unauthorized creation, deletion, modification or access to data/
critical data. InnoDB: CVE-2018-2612, Performance Schema:
CVE-2018-2645, Replication: CVE-2018-2647, Partition: CVE-2018-2562.
Today we are releasing versions 10.3.4, 10.2.6, and 10.1.6 for
GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain a number of important security fixes,
including two that prevent remote code execution, and we strongly
recommend that all GitLab installations be upgraded to one of these
versions immediately.
The transmission bittorrent client uses a client/server
architecture, the user interface is the client which communicates
to the worker daemon using JSON RPC requests.
As with all HTTP RPC schemes like this, any website can send
requests to the daemon listening on localhost with XMLHttpRequest(),
but the theory is they will be ignored because clients must prove
they can read and set a specific header, X-Transmission-Session-Id.
Unfortunately, this design doesn't work because of an attack called
"DNS rebinding". Any website can simply create a dns name that they
are authorized to communicate with, and then make it resolve to
localhost.
Exploitation is simple, you could set script-torrent-done-enabled
and run any command, or set download-dir to /home/user/ and then
upload a torrent for .bashrc.
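The session-id header in the transmission design only stops a page that cannot read responses; after DNS rebinding the page can, because the browser believes the daemon is same-origin. What the browser cannot change is the `Host:` header, which still names the attacker's domain, so a localhost RPC service can refuse requests whose `Host:` is not one it expects. The following is an added example, not Transmission's code: a Host-header gate that accepts loopback IP literals and a configurable list of names, and answers anything else with 421. The allowlist default, the status code and the function names are my assumptions.

```python
"""Host-header check for a localhost RPC daemon (added example, not Transmission's code)."""
import ipaddress
from typing import Dict, Iterable, Tuple


def _host_without_port(host_header: str) -> str:
    """Strip an optional :port, keeping IPv6 literals such as [::1]:9091 intact."""
    h = host_header.strip().lower()
    if h.startswith("["):  # bracketed IPv6 literal
        end = h.find("]")
        return h[1:end] if end != -1 else h
    host, _, port = h.rpartition(":")
    return host if host and port.isdigit() else h


def host_allowed(host_header: str, allowed_names: Iterable[str] = ("localhost",)) -> bool:
    """Accept loopback IP literals and the configured names only.

    A rebound DNS name still arrives as that name in Host:, so it fails here
    even though the browser connected to 127.0.0.1.
    """
    host = _host_without_port(host_header)
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal: compare against the name list
        return host in {n.lower() for n in allowed_names}


def handle_rpc_request(headers: Dict[str, str]) -> Tuple[int, str]:
    """Constructed request gate: returns (status, body) before any RPC is dispatched."""
    host = next((v for k, v in headers.items() if k.lower() == "host"), "")
    if not host_allowed(host):
        return 421, "Misdirected Request: unexpected Host header"
    return 200, "ok"
```

The check is a complement to, not a replacement for, the session-id header: the former defeats rebinding, the latter still blocks plain cross-site POSTs from pages that never resolved to localhost.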
Shibboleth SP software vulnerable to forged user attribute data
The Service Provider software relies on a generic XML parser to
process SAML responses and there are limitations in older versions
of the parser that make it impossible to fully disable Document Type
Definition (DTD) processing.
Through addition/manipulation of a DTD, it's possible to make
changes to an XML document that do not break a digital signature but
are mishandled by the SP and its libraries. These manipulations can
alter the user data passed through to applications behind the SP and
result in impersonation attacks and exposure of protected
information.
While newer versions of the xerces-c3 parser are configured by the
SP into disallowing the use of a DTD via an environment variable,
this feature is not present in the xerces-c3 parser before version
3.1.4, so an additional fix is being provided now that an actual DTD
exploit has been identified. Xerces-c3-3.1.4 was committed to the
ports tree already on 2016-07-26.
Awstats version 7.6 and earlier is vulnerable to a path traversal
flaw in the handling of the "config" and "migrate" parameters resulting
in unauthenticated remote code execution.
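The Jenkins plugin-resource issue earlier on this page and the AWStats "config"/"migrate" parameter flaw above are both failures to confine a request-supplied path to its base directory. The following is an added example, not code from either project, of a confinement check that percent-decodes the request, collapses `.` and `..` segments, and then compares whole path components against the base so that a sibling directory with the same prefix does not pass. POSIX path semantics and the function name are my assumptions.

```python
"""Confine a URL-supplied path to a base directory (added example, not Jenkins' or AWStats' code)."""
import posixpath
from typing import Optional
from urllib.parse import unquote


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` under `base_dir`, or None if it escapes.

    `requested` is taken as it arrives in a URL or query parameter: possibly
    percent-encoded, possibly containing '..' segments or a leading '/'.
    """
    base = posixpath.normpath(base_dir)
    if not posixpath.isabs(base):
        raise ValueError("base_dir must be absolute")

    decoded = unquote(requested)
    if "\0" in decoded:
        return None  # a NUL byte would truncate the path in C-level file APIs

    # Treat the request as relative to the base, then collapse '.' and '..'.
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))

    # Compare whole components, not string prefixes: '/srv/plugins-x/...'
    # must not pass for base '/srv/plugins'.
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate
```

Before opening the file, a deployment should additionally resolve symlinks (`os.path.realpath`) on the candidate and repeat the component comparison, since this check reasons about the path string only.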
Jann Horn of Google Project Zero
Security reported that speculative execution performed
by modern CPUs could leak information through a timing
side-channel attack. Microsoft Vulnerability Research
extended this attack to browser JavaScript engines and
demonstrated that code on a malicious web page could
read data from other web sites (violating the
same-origin policy) or private data from the browser
itself.
Since this new class of attacks involves measuring
precise time intervals, as a partial, short-term,
mitigation we are disabling or reducing the precision of
several time sources in Firefox. The precision of
performance.now() has been reduced from 5μs
to 20μs, and the SharedArrayBuffer feature
has been disabled because it can be used to construct a
high-resolution timer.
A stack out-of-bounds read occurs in match_at() during regular
expression searching. A logical error involving order of validation
and access in match_at() could result in an out-of-bounds read from
a stack buffer (CVE-2017-9224).
A heap out-of-bounds write or read occurs in next_state_val()
during regular expression compilation. Octal numbers larger than 0xff
are not handled correctly in fetch_token() and fetch_token_in_cc().
A malformed regular expression containing an octal number in the form
of '\700' would produce an invalid code point value larger than 0xff
in next_state_val(), resulting in an out-of-bounds write memory
corruption (CVE-2017-9226).
A stack out-of-bounds read occurs in mbc_enc_len() during regular
expression searching. Invalid handling of reg->dmin in
forward_search_range() could result in an invalid pointer dereference,
as an out-of-bounds read from a stack buffer (CVE-2017-9227).
A heap out-of-bounds write occurs in bitset_set_range() during
regular expression compilation due to an uninitialized variable from
an incorrect state transition. An incorrect state transition in
parse_char_class() could create an execution path that leaves a
critical local variable uninitialized until it's used as an index,
resulting in an out-of-bounds write memory corruption (CVE-2017-9228).
A SIGSEGV occurs in left_adjust_char_head() during regular expression
compilation. Invalid handling of reg->dmax in forward_search_range() could
result in an invalid pointer dereference, normally as an immediate
denial-of-service condition (CVE-2017-9228).
The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon.
The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.
The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.
When installing themes with unterminated colour formatting
sequences, Irssi may access data beyond the end of the string.
While waiting for the channel synchronisation, Irssi may
incorrectly fail to remove destroyed channels from the query list,
resulting in use after free conditions when updating the state later
on.
Certain incorrectly formatted DCC CTCP messages could cause NULL
pointer dereference.
Overlong nicks or targets may result in a NULL pointer dereference
while splitting the message.
In certain cases Irssi may fail to verify that a Safe channel ID
is long enough, causing reads beyond the end of the string.
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before
1.3.3 allows unauthorized access to arbitrary files on the host's filesystem,
including configuration files, as exploited in the wild in November 2017.
The attacker must be able to authenticate at the target system with a valid
username/password as the attack requires an active session.
An attacker who is logged into OTRS as an agent can request special URLs
from OTRS which can lead to the execution of shell commands with the
permissions of the web server user.
An attacker who is logged into OTRS as a customer can use the ticket search
form to disclose internal article information of their customer tickets.
An attacker who is logged into OTRS as an agent can manipulate form
parameters and execute arbitrary shell commands with the permissions of the
OTRS or web server user.
An attacker can send a specially prepared email to an OTRS system. If this
system has cookie support disabled, and a logged in agent clicks a link in this
email, the session information could be leaked to external systems, allowing the
attacker to take over the agent?s session.
CVE-2017-13098 ("ROBOT"), a Bleichenbacher oracle in TLS
when RSA key exchange is negotiated. This potentially affected
BCJSSE servers and any other TLS servers configured to use JCE
for the underlying crypto - note the two TLS implementations
using the BC lightweight APIs are not affected by this.
A select set of SIP messages create a dialog in Asterisk.
Those SIP messages must contain a contact header. For
those messages, if the header was not present and using
the PJSIP channel driver, it would cause Asterisk to
crash. The severity of this vulnerability is somewhat
mitigated if authentication is enabled. If authentication
is enabled a user would have to first be authorized before
reaching the crash point.
By deceiving a user to click on a crafted URL, it is
possible to perform harmful database operations such as
deleting records, dropping/truncating tables etc.
The cPanel Security Team discovered a vulnerability in Passenger
that allows users to list the contents of arbitrary files on the
system. CVE-2017-16355 has been assigned to this issue.
A non-privileged X client can instruct X server running under root
to open any file by creating own directory with "fonts.dir",
"fonts.alias" or any font file being a symbolic link to any other
file in the system. X server will then open it. This can be issue
with special files such as /dev/watchdog.
If a pattern contains '?' character, any character in the string
is skipped, even if it is '\0'. The rest of the matching then reads
invalid memory.
Without the checks a malformed PCF file can cause the library to
make atom from random heap memory that was behind the `strings`
buffer. This may crash the process or leak information.
It is possible to trigger heap overflows due to an integer
overflow while parsing images and a signedness issue while
parsing comments.
The integer overflow occurs because the chosen limit 0x10000
for dimensions is too large for 32 bit systems, because each pixel
takes 4 bytes. Properly chosen values allow an overflow which in
turn will lead to less allocated memory than needed for subsequent
reads.
The signedness bug is triggered by reading the length of a comment
as unsigned int, but casting it to int when calling the function
XcursorCommentCreate. Turning length into a negative value allows
the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
addition of sizeof (XcursorComment) + 1 makes it possible to
allocate less memory than needed for subsequent reads.
gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching
the program specified by the BROWSER environment variable, which might
allow remote attackers to conduct argument-injection attacks via a crafted
URL.
A race condition during Jenkins startup could result in the wrong
order of execution of commands during initialization.
On Jenkins 2.81 and newer, including LTS 2.89.1, this could in
rare cases (we estimate less than 20% of new instances) result in
failure to initialize the setup wizard on the first startup.
There is a very short window of time after startup during which
Jenkins may no longer show the "Please wait while Jenkins is
getting ready to work" message, but Cross-Site Request Forgery
(CSRF) protection may not yet be effective.
Data Confidentiality/Integrity Vulnerability - CVE-2017-15896
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.
Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.
Also included in OpenSSL update - CVE 2017-3738
Note that CVE 2017-3738 of OpenSSL-1.0.2 affected Node but it was low severity.
Etienne Stalmans from the Heroku product security team reports:
There is a command injection vulnerability in Net::FTP bundled with Ruby.
Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pipe character "|", the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
User without access to private Wiki can see it on the project page
Matthias Burtscher reported that it was possible for a user to see a
private Wiki on the project page without having the corresponding
permission.
E-mail address disclosure through member search fields
Hugo Geoffroy reported via HackerOne that it was possible to find out the
full e-mail address of any user by brute-forcing the member search
field.
Groups API leaks private projects
An internal code review discovered that users were able to list private
projects they had no access to by using the Groups API.
Cross-Site Scripting (XSS) possible by editing a comment
Sylvain Heiniger reported via HackerOne that it was possible for
arbitrary JavaScript code to be executed when editing a comment.
Issue API allows any user to create a new issue even when issues are
restricted or disabled
Mohammad Hasbini reported that any user could create a new issue in a
project even when issues were disabled or restricted to team members in the
project settings.
If a compound RTCP packet is received containing more
than one report (for example a Receiver Report and a
Sender Report) the RTCP stack will incorrectly store
report information outside of allocated memory potentially
causing a crash.
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.
No size checking is done when setting the user field
for Party B on a CDR. Thus, it is possible for someone
to use an arbitrarily large string and write past the end
of the user field storage buffer. The earlier AST-2017-001
advisory for the CDR user field overflow was for the Party
A buffer.
A memory leak occurs when an Asterisk pjsip session
object is created and that call gets rejected before the
session itself is fully established. When this happens
the session object never gets destroyed. This then leads
to file descriptors and RTP ports being leaked as well.
If the chan_skinny (AKA SCCP protocol) channel driver
is flooded with certain requests it can cause the asterisk
process to use excessive amounts of virtual memory
eventually causing asterisk to stop processing requests
of any kind.
NTLM buffer overflow via integer overflow (CVE-2017-8816)
libcurl contains a buffer overrun flaw in the NTLM authentication code.
The internal function Curl_ntlm_core_mk_ntlmv2_hash sums up
the lengths of the user name + password (= SUM) and multiplies
the sum by two (= SIZE) to figure out how much storage to
allocate from the heap.
FTP wildcard out of bounds read (CVE-2017-8817)
libcurl contains a read out of bounds flaw in the FTP wildcard
function.
libcurl's FTP wildcard matching feature, which is enabled with
the CURLOPT_WILDCARDMATCH option can use a built-in wildcard
function or a user provided one. The built-in wildcard function
has a flaw that makes it not detect the end of the pattern
string if it ends with an open bracket ([) but instead it will
continue reading the heap beyond the end of the URL buffer that
holds the wildcard.
SSL out of buffer access (CVE-2017-8818)
libcurl contains an out-of-bounds access flaw in SSL related code.
When allocating memory for a connection (the internal struct
called connectdata), a certain amount of memory is allocated at
the end of the struct to be used for SSL related structs. Those
structs are used by the particular SSL library libcurl is built
to use. The application can also tell libcurl which specific SSL
library to use if it was built to support more than one.
Invoking SSL_read()/SSL_write() while in an error state
causes data to be passed without being decrypted/encrypted
directly from the SSL/TLS record layer.
In order to exploit this issue an application bug would
have to be present that resulted in a call to
SSL_read()/SSL_write() being issued after having already
received a fatal error. [CVE-2017-3737]
There is an overflow bug in the x86_64 Montgomery
multiplication procedure used in exponentiation with 1024-bit
moduli. This only affects processors that support the AVX2
but not ADX extensions like Intel Haswell (4th generation).
[CVE-2017-3738] This bug only affects FreeBSD 11.x.
Impact:
Applications with incorrect error handling may inappropriately
pass unencrypted data. [CVE-2017-3737]
Mishandling of carry propagation will produce incorrect
output, and make it easier for a remote attacker to obtain
sensitive private-key information. No EC algorithms are
affected and analysis suggests that attacks against RSA and
DSA as a result of this defect would be very difficult to
perform and are not believed likely.
Attacks against DH1024 are considered just feasible
(although very difficult) because most of the work necessary
to deduce information about a private key may be performed
offline. The amount of resources required for such an attack
would be very significant and likely only accessible to a
limited number of attackers. However, for an attack on TLS
to be meaningful, the server would have to share the DH1024
private key among multiple clients, which is no longer an
option since CVE-2016-0701. [CVE-2017-3738]
Read/write after SSL object in error state (CVE-2017-3737)
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error
state" mechanism. The intent was that if a fatal error occurred
during a handshake then OpenSSL would move into the error state and
would immediately fail if you attempted to continue the handshake.
This works as designed for the explicit handshake functions
(SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to
a bug it does not work correctly if SSL_read() or SSL_write() is
called directly. In that scenario, if the handshake fails then a
fatal error will be returned in the initial function call. If
SSL_read()/SSL_write() is subsequently called by the application for
the same SSL object then it will succeed and the data is passed
without being decrypted/encrypted directly from the SSL/TLS record
layer.
rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
There is an overflow bug in the AVX2 Montgomery multiplication
procedure used in exponentiation with 1024-bit moduli. No EC
algorithms are affected. Analysis suggests that attacks against
RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH1024 are
considered just feasible, because most of the work necessary to
deduce information about a private key may be performed offline.
The amount of resources required for such an attack would be
significant. However, for an attack on TLS to be meaningful, the
server would have to share the DH1024 private key among multiple
clients, which is no longer an option since CVE-2016-0701.
A vulnerability was found in how a number of implementations
can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK,
or IGTK) by replaying a specific frame that is used to
manage the keys.
Impact:
Such reinstallation of the encryption key can result in
two different types of vulnerabilities: disabling replay
protection and significantly reducing the security of
encryption to the point of allowing frames to be decrypted
or some parts of the keys to be determined by an attacker
depending on which cipher is used.
Not all information in the struct ptrace_lwpinfo is
relevant for the state of any thread, and the kernel does
not fill the irrelevant bytes or short strings. Since the
structure filled by the kernel is allocated on the kernel
stack and copied to userspace, a leak of information of the
kernel stack of the thread is possible from the debugger.
Impact:
Some bytes from the kernel stack of the thread using
ptrace(PT_LWPINFO) call can be observed in userspace.
Named paths are globally scoped, meaning a process located
in one jail can read and modify the content of POSIX shared
memory objects created by a process in another jail or the
host system.
Impact:
A malicious user that has access to a jailed system is
able to abuse shared memory by injecting malicious content
in the shared memory region. This memory region might be
executed by applications trusting the shared memory, like
Squid.
This issue could lead to a Denial of Service or local
privilege escalation.
The kernel does not properly clear the memory of the
kld_file_stat structure before filling the data. Since the
structure filled by the kernel is allocated on the kernel
stack and copied to userspace, a leak of information from
the kernel stack is possible.
Impact:
Some bytes from the kernel stack can be observed in
userspace.
If an X.509 certificate has a malformed IPAddressFamily
extension, OpenSSL could do a one-byte buffer overread.
[CVE-2017-3735]
There is a carry propagating bug in the x86_64 Montgomery
squaring procedure. This only affects processors that support
the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th
generation) and later or AMD Ryzen. [CVE-2017-3736] This
bug only affects FreeBSD 11.x.
Impact:
Applications using OpenSSL may display an erroneous certificate
in text format. [CVE-2017-3735]
Mishandling of carry propagation will produce incorrect
output, and make it easier for a remote attacker to obtain
sensitive private-key information. No EC algorithms are
affected, and analysis suggests that attacks against RSA and
DSA as a result of this defect would be very difficult to
perform and are not believed likely.
Attacks against DH are considered just feasible (although
very difficult) because most of the work necessary to deduce
information about a private key may be performed offline.
The amount of resources required for such an attack would
be very significant and likely only accessible to a limited
number of attackers. An attacker would additionally need
online access to an unpatched system using the target private
key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. [CVE-2017-3736]
A wrong if statement in the varnishd source code means that
synthetic objects in stevedores which over-allocate may leak up to a page
size of data from a malloc(3) memory allocation.
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.
Incorrect implementation of access controls allows remote users to
override repository restrictions in Borg servers. A user able to
access a remote Borg SSH server is able to circumvent access controls
post-authentication. Affected releases: 1.1.0, 1.1.1, 1.1.2. Releases
1.0.x are NOT affected.
The scp_v0s_accept function in the session manager uses an untrusted integer as a write length,
which allows local users to cause a denial of service (buffer overflow and application crash)
or possibly have unspecified other impact via a crafted input stream.
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
Directory traversal vulnerability in minion id validation in SaltStack.
Allows remote minions with incorrect credentials to authenticate to a
master via a crafted minion ID. Credit for discovering the security flaw
goes to: Julian Brost (julian@0x4a42.net). NOTE: this vulnerability exists
because of an incomplete fix for CVE-2017-12791.
Remote Denial of Service with a specially crafted authentication request.
Credit for discovering the security flaw goes to: Julian Brost
(julian@0x4a42.net)
A vulnerability exists in the BGP daemon of FRR where a malformed BGP UPDATE
packet can leak information from the BGP daemon and cause a denial of
service by crashing the daemon.
By carefully crafting invalid values in the Cseq and
the Via header port, pjproject's packet parsing code can
create strings larger than the buffer allocated to hold
them. This will usually cause Asterisk to crash immediately.
The packets do not have to be authenticated.
The Shibboleth Service Provider software includes a MetadataProvider
plugin with the plugin type "Dynamic" to obtain metadata on demand
from a query server, in place of the more typical mode of
downloading aggregates separately containing all of the metadata to
load.
All the plugin types rely on MetadataFilter plugins to perform
critical security checks such as signature verification, enforcement
of validity periods, and other checks specific to deployments.
Due to a coding error, the "Dynamic" plugin fails to configure
itself with the filters provided to it and thus omits whatever
checks they are intended to perform, which will typically leave
deployments vulnerable to active attacks involving the substitution
of metadata if the network path to the query service is
compromised.
The PHP development team announces the immediate availability of PHP
5.6.32. This is a security release. Several security bugs were fixed in this
release. All PHP 5.6 users are encouraged to upgrade to this version.
The PHP development team announces the immediate availability of PHP
7.0.25. This is a security release. Several security bugs were fixed in this
release. All PHP 7.0 users are encouraged to upgrade to this version.
The PHP development team announces the immediate availability of PHP
7.1.11. This is a bugfix release, with several bug fixes included. All PHP
7.1 users are encouraged to upgrade to this version.
Stored cross-site scripting (XSS) vulnerability in "geminabox"
(Gem in a Box) before 0.13.10 allows attackers to inject arbitrary
web script via the "homepage" value of a ".gemspec" file, related
to views/gem.erb and views/index.erb.
Konversation has support for colors in IRC messages. Any malicious user connected to the same IRC network can send a carefully crafted message that will crash the Konversation user client.
Jenkins stores metadata related to people, which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping. This potentially resulted in a number of problems.
Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.
bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
Severity: Moderate
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that
attacks against RSA and DSA as a result of this defect would be
very difficult to perform and are not believed likely. Attacks
against DH are considered just feasible (although very difficult)
because most of the work necessary to deduce information about a
private key may be performed offline.
Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
Severity: Low
This issue was previously announced in security advisory
https://www.openssl.org/news/secadv/20170828.txt, but the fix has
not previously been included in a release due to its low severity.
WordPress versions 4.8.2 and earlier are affected by an issue
where $wpdb->prepare() can create unexpected and unsafe queries
leading to potential SQL injection (SQLi). WordPress core is not
directly vulnerable to this issue, but we've added hardening to
prevent plugins and themes from accidentally causing a vulnerability.
In Wireshark 2.4.0 to 2.4.1, the DOCSIS dissector could go into an infinite loop. This was addressed in plugins/docsis/packet-docsis.c by adding decrements.
In Wireshark 2.4.0 to 2.4.1, the RTSP dissector could crash. This was addressed in epan/dissectors/packet-rtsp.c by correcting the scope of a variable.
In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 2.0.15, the DMP dissector could crash. This was addressed in epan/dissectors/packet-dmp.c by validating a string length.
In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the BT ATT dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by considering a case where not all of the BTATT packets have the same encapsulation level.
In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the MBIM dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-mbim.c by changing the memory-allocation approach.
Wget contains two vulnerabilities, a stack overflow and a heap
overflow, in the handling of HTTP chunked encoding. By convincing
a user to download a specific link over HTTP, an attacker may be
able to execute arbitrary code with the privileges of the user.
CVE-2017-3157: Arbitrary file disclosure in Calc and Writer
By exploiting the way OpenOffice renders embedded objects, an attacker could craft a document that allows reading in a file from the user's filesystem. Information could be retrieved by the attacker by, e.g., using hidden sections to store the information, tricking the user into saving the document and convincing the user to send the document back to the attacker.
The vulnerability is mitigated by the need for the attacker to know the precise file path in the target system, and the need to trick the user into saving the document and sending it back.
CVE-2017-9806: Out-of-Bounds Write in Writer's WW8Fonts Constructor
A vulnerability in the OpenOffice Writer DOC file parser, and specifically in the WW8Fonts Constructor, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.
CVE-2017-12607: Out-of-Bounds Write in Impress' PPT Filter
A vulnerability in OpenOffice's PPT file parser, and specifically in PPTStyleSheet, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.
CVE-2017-12608: Out-of-Bounds Write in Writer's ImportOldFormatStyles
A vulnerability in OpenOffice Writer DOC file parser, and specifically in ImportOldFormatStyles, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.
Cross-Site Scripting (XSS) vulnerability in the Markdown sanitization
filter
Yasin Soliman via HackerOne reported a Cross-Site Scripting (XSS)
vulnerability in the GitLab markdown sanitization filter. The sanitization
filter was not properly stripping invalid characters from URL schemes and
was therefore vulnerable to persistent XSS attacks anywhere Markdown was
supported.
Cross-Site Scripting (XSS) vulnerability in search bar
Josh Unger reported a Cross-Site Scripting (XSS) vulnerability in the
issue search bar. Usernames were not being properly HTML escaped inside the
author filter, which could allow arbitrary script execution.
Open redirect in repository git redirects
Eric Rafaloff via HackerOne reported that GitLab was vulnerable to an
open redirect vulnerability when redirecting requests for repository names
that include the git extension. GitLab was not properly removing dangerous
parameters from the params field before redirecting which could allow an
attacker to redirect users to arbitrary hosts.
Username changes could leave repositories behind
An internal code review discovered that a bug in the code that moves
repositories during a username change could potentially leave behind
projects, allowing an attacker who knows the previous username to
potentially steal the contents of repositories on instances that are not
configured with hashed namespaces.
Node.js was susceptible to a remote DoS attack due to a change that came in as part of zlib v1.2.9. In zlib v1.2.9, 8 became an invalid value for the windowBits parameter, and Node's zlib module will crash or throw an exception (depending on the version).
libcurl contains a buffer overrun flaw in the IMAP handler.
An IMAP FETCH response line indicates the size of the returned data,
in number of bytes. When that response says the data is zero bytes,
libcurl would pass on that (non-existing) data with a pointer and
the size (zero) to the deliver-data function.
libcurl's deliver-data function treats zero as a magic number and
invokes strlen() on the data to figure out the length. The strlen()
is called on a heap based buffer that might not be zero terminated
so libcurl might read beyond the end of it into whatever memory lies
after (or just crash) and then deliver that to the application as if
it was actually downloaded.
In MIT krb5 1.7 and later, an authenticated attacker can cause an
assertion failure in krb5kdc by sending an invalid S4U2Self or
S4U2Proxy request.
CVE-2017-11462:
RFC 2744 permits a GSS-API implementation to delete an existing
security context on a second or subsequent call to gss_init_sec_context()
or gss_accept_sec_context() if the call results in an error.
This API behavior has been found to be dangerous, leading to the
possibility of memory errors in some callers. For safety, GSS-API
implementations should instead preserve existing security contexts
on error until the caller deletes them.
All versions of MIT krb5 prior to this change may delete acceptor
contexts on error. Versions 1.13.4 through 1.13.7, 1.14.1 through
1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts
on error.
In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events.
Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server before 2017-06-19 allowed authenticated malicious users to access potentially privileged data from the X server.
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.
Lucene XML parser does not explicitly prohibit doctype declaration and expansion of external entities, which leads to arbitrary HTTP requests to the local SOLR instance and bypasses all firewall restrictions.
Solr "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such a listener can be enabled with any parameters just by using the Config API with the add-listener command.
An exploitable heap-based buffer overflow vulnerability exists in the read_biff_next_record function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability.
An exploitable heap-based buffer overflow vulnerability exists in the read_legacy_biff function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability.
In libosip2 in GNU oSIP 4.1.0 and 5.0.0, a malformed SIP message can lead to a heap buffer overflow in the msg_osip_body_parse() function defined in osipparser2/osip_message_parse.c, resulting in a remote DoS.
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.
There is a possible unsafe object deserialization vulnerability in
RubyGems. It is possible for YAML deserialization of gem specifications
to bypass class white lists. Specially crafted serialized objects can
possibly be used to escalate to remote code execution.
There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.
There is a reachable assertion abort in the function TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.
Two four-letter-word commands, "wchp/wchc", are CPU intensive and could cause a spike of CPU utilization on an Apache ZooKeeper server if abused, which leaves the server unable to serve legitimate client requests. Apache ZooKeeper through version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.
X.Org thanks Michal Srb of SuSE for finding these issues
and bringing them to our attention, Julien Cristau of
Debian for getting the fixes integrated, and Adam Jackson
of Red Hat for publishing the release.
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
libcurl may read outside of a heap allocated buffer when doing FTP.
When libcurl connects to an FTP server and successfully logs in
(anonymous or not), it asks the server for the current directory with
the PWD command. The server then responds with a 257 response containing
the path, inside double quotes. The returned path name is then kept by
libcurl for subsequent uses.
Due to a flaw in the string parser for this directory name, a directory
name passed like this but without a closing double quote would lead to
libcurl not adding a trailing NUL byte to the buffer holding the name.
When libcurl would then later access the string, it could read beyond
the allocated heap buffer and crash or wrongly access data beyond the
buffer, thinking it was part of the path.
A malicious server could abuse this fact and effectively prevent
libcurl-based clients from working with it - the PWD command is always issued
on new FTP connections and the mistake has a high chance of causing a
segfault.
There is a programming error in the Heimdal implementation
that used an unauthenticated, plain-text version of the
KDC-REP service name found in a ticket.
Impact:
An attacker who has control of the network between a
client and the service it talks to will be able to impersonate
the service, allowing a successful man-in-the-middle (MITM)
attack that circumvents the mutual authentication.
A remote attacker may be able to cause an affected SSH
server to use an excessive amount of CPU by sending very long
passwords, when PasswordAuthentication is enabled by the
system administrator.
Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the Questions field in an "Add New FAQ" action.
Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the "Title of your FAQ" field in the Configuration Module.
In LibRaw through 0.18.4, an out of bounds read flaw related to kodak_65000_load_raw has been reported in dcraw/dcraw.c and internal/dcraw_common.cpp. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash.
In sam2p 0.49.3, a heap-based buffer overflow exists in the pcxLoadImage24 function of the file in_pcx.cpp.
In sam2p 0.49.3, the in_xpm_reader function in in_xpm.cpp has an integer signedness error, leading to a crash when writing to an out-of-bounds array element.
In sam2p 0.49.3, an integer overflow exists in the pcxLoadImage24 function of the file in_pcx.cpp, leading to an invalid write operation.
In sam2p 0.49.3, the pcxLoadRaster function in in_pcx.cpp has an integer signedness error leading to a heap-based buffer overflow.
Because of an integer overflow in sam2p 0.49.3, a loop executes 0xffffffff times, ending with an invalid read of size 1 in the Image::Indexed::sortPal function in image.cpp. However, this also causes memory corruption because of an attempted write to the invalid d[0xfffffffe] array element.
In sam2p 0.49.3, there is an invalid read of size 2 in the parse_rgb function in in_xpm.cpp. However, this can also cause a write to an illegal address.
A malicious attacker creates a GEM file with a crafted homepage value
(gem.homepage in the .gemspec file) that includes an XSS payload.
The attacker accesses the geminabox system and uploads the gem file
(or uses a CSRF/SSRF attack to do so).
From then on, any user accessing the Geminabox web server executes the
malicious XSS payload, which will delete any gems on the server
and won't let users use geminabox anymore (or make the victim's
browser crash or redirect them to other hosts).
The bounds check in read_key() was performed after using the value,
instead of before. If 'key-method 1' is used, this allowed an
attacker to send a malformed packet to trigger a stack buffer
overflow. [...]
Note that 'key-method 1' has been replaced by 'key method 2' as the
default in OpenVPN 2.0 (released on 2005-04-17), and explicitly
deprecated in 2.4 and marked for removal in 2.5. This should limit
the number of users impacted by this issue.
An exploitable buffer overflow vulnerability exists in the tag parsing functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write out of bounds resulting in a buffer overflow on the stack. An attacker can construct a malicious OFX file to trigger this vulnerability.
The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mishandles EOCD records, which allows remote attackers to cause a denial of service (memory allocation failure in _zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive.
In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c.
The ReadCAPTIONImage function in coders/caption.c in ImageMagick allows remote attackers to cause a denial of service (infinite loop) via a crafted font file.
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker to modify the SQL database. Proper SQL escaping has been added to prevent such exploits.
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a query string. Proper input validation has been added to mitigate this issue.
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by properly validating the redirect URL values being passed along.
A Stack-based Buffer Overflow was discovered in xtrans_interpolate in internal/dcraw_common.cpp in LibRaw before 0.18.3. It could allow a remote denial of service or code execution attack.
The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information.
Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.
An exploitable buffer overflow vulnerability exists in the tag parsing functionality of Ledger-CLI 3.1.1. A specially crafted journal file can cause an integer underflow resulting in code execution. An attacker can construct a malicious journal file to trigger this vulnerability.
An exploitable use-after-free vulnerability exists in the account parsing component of the Ledger-CLI 3.1.1. A specially crafted ledger file can cause a use-after-free vulnerability resulting in arbitrary code execution. An attacker can convince a user to load a journal file to trigger this vulnerability.
Ansible versions 2.2.3 and earlier are vulnerable to an information disclosure flaw due to the interaction of call back plugins and the no_log directive where the information may not be sanitized properly.
DeleteBitBuffer in libbitbuf/bitbuffer.c in mp4tools aacplusenc 0.17.5 allows remote attackers to cause a denial of service (invalid memory write, SEGV on unknown address 0x000000000030, and application crash) or possibly have unspecified other impact via a crafted .wav file, aka a NULL pointer dereference.
CVE-2017-12814: $ENV{$key} stack buffer overflow on Windows
A possible stack buffer overflow in the %ENV code on Windows has been
fixed by removing the buffer completely since it was superfluous anyway.
CVE-2017-12837: Heap buffer overflow in regular expression compiler
Compiling certain regular expression patterns with the case-insensitive
modifier could cause a heap buffer overflow and crash perl. This has now
been fixed.
CVE-2017-12883: Buffer over-read in regular expression parser
For certain types of syntax error in a regular expression pattern, the
error message could either contain the contents of a random, possibly
large, chunk of memory, or could crash perl. This has now been fixed.
[765433] High CVE-2017-5121: Out-of-bounds access in V8. Reported by
Jordan Rabet, Microsoft Offensive Security Research and Microsoft
ChakraCore team on 2017-09-14
[752423] High CVE-2017-5122: Out-of-bounds access in V8. Reported by
Choongwoo Han of Naver Corporation on 2017-08-04
[767508] Various fixes from internal audits, fuzzing and other initiatives
Apache httpd allows remote attackers to read secret data from
process memory if the Limit directive can be set in a user's
.htaccess file, or if httpd.conf has certain misconfigurations,
aka Optionsbleed. This affects the Apache HTTP Server through
2.2.34 and 2.4.x through 2.4.27. The attacker sends an
unauthenticated OPTIONS HTTP request when attempting to read
secret data. This is a use-after-free issue and thus secret data
is not always sent, and the specific data depends on many factors
including configuration. Exploitation with .htaccess can be
blocked with a patch to the ap_limit_section function in
server/core.c.
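The symptom Optionsbleed leaves behind is an Allow header that is no longer a clean list of HTTP methods: methods repeat, elements are empty, or bytes from freed pool memory appear in place of a method name. The following Python is an added example, not part of the advisory or of httpd, that classifies Allow header values by those symptoms and sends the repeated OPTIONS requests the advisory describes. The sample headers are constructed for the example; the garbage in the third one is invented and is not a captured response.

```python
import http.client
import re

# An HTTP method is an RFC 7230 token: only these characters are allowed.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample Allow headers. The first is what a healthy server returns.
# The other two imitate the corruption Optionsbleed causes: repeated methods
# separated by empty elements, and bytes from freed memory that are not HTTP
# tokens at all (the exact garbage is invented for this example).
SAMPLE_ALLOW_HEADERS = [
    "GET,HEAD,POST,OPTIONS",
    "GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,,HEAD,,HEAD,,",
    "POST,OPTIONS,GET,HEAD,TRACE,\x00\x01,XXX /secret.php",
]


def audit_allow(value):
    """Classify every comma-separated element of an Allow header.

    Returns a dict with the number of empty elements, the elements that are
    not valid HTTP tokens, and method names that appear more than once. A
    clean header gives {"empty": 0, "non_token": [], "duplicate": []}.
    """
    report = {"empty": 0, "non_token": [], "duplicate": []}
    seen = set()
    for elem in value.split(","):
        elem = elem.strip()
        if elem == "":
            report["empty"] += 1
        elif not TOKEN_RE.match(elem):
            report["non_token"].append(elem)
        elif elem in seen:
            report["duplicate"].append(elem)
        else:
            seen.add(elem)
    return report


def is_suspicious(report):
    """A healthy Allow header has no empty elements, no non-token elements
    and no repeated methods; any of those is a reason to look closer."""
    return report["empty"] > 0 or bool(report["non_token"]) or bool(report["duplicate"])


def fetch_allow(host, path="/", port=80, attempts=20):
    """Send repeated unauthenticated OPTIONS requests (the advisory's
    trigger) and return every Allow header value seen. Because the bug is
    a use-after-free, a single request often looks clean, so several are
    needed. Needs network access; not used by the offline checks."""
    seen = []
    for _ in range(attempts):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        allow = resp.getheader("Allow")
        resp.read()
        conn.close()
        if allow is not None:
            seen.append(allow)
    return seen


if __name__ == "__main__":
    for value in SAMPLE_ALLOW_HEADERS:
        report = audit_allow(value)
        print("%-8s %r" % ("SUSPECT" if is_suspicious(report) else "ok", value))
```

Run fetch_allow against a host you are authorised to test and pass each returned value through audit_allow; a patched server returns the same short method list on every attempt.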
CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
If a malicious format string which contains a precision specifier (*)
is passed and a huge negative value is also passed for that specifier,
a buffer underrun may be caused. In such a situation, the result may
contain heap contents, or the Ruby interpreter may crash.
CVE-2017-10784: Escape sequence injection vulnerability in the Basic
authentication of WEBrick
When using the Basic authentication of WEBrick, clients can pass an
arbitrary string as the user name. WEBrick outputs the passed user name
intact to its log, then an attacker can inject malicious escape
sequences to the log and dangerous control characters may be executed
on a victim's terminal emulator.
This vulnerability is similar to a vulnerability already fixed, but
it had not been fixed in the Basic authentication.
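The fix for this class of bug is to never write a client-supplied string to a log verbatim: decode the Basic credentials, then escape every control character (ESC, CR, LF and friends) before the value reaches the log line. The following Python is an added example, not WEBrick's or Ruby's code, of that sanitisation; the hostile user name and header are constructed for the example.

```python
import base64
import re

# C0 controls, DEL and the C1 range. ESC (0x1b) introduces most terminal
# escape sequences; CR/LF would let a client forge additional log lines.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def sanitize_for_log(value):
    """Replace every control character with a visible \\xNN escape. The log
    line then stays a single line and carries nothing a terminal emulator
    would interpret when an administrator cats or tails the file."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def basic_user(header_value):
    """Extract the user name from an 'Authorization: Basic <base64>' header
    exactly as the server sees it, without trusting it. Returns None when
    the header is not Basic or the payload is not valid base64."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return None
    user, _, _password = decoded.decode("utf-8", "replace").partition(":")
    return user


def auth_log_line(header_value, status):
    """Render the log entry a Basic-auth handler would write, with the
    client-controlled user name escaped."""
    user = basic_user(header_value)
    shown = "<none>" if user is None else sanitize_for_log(user)
    return "auth: user=%s result=%s" % (shown, status)


# Constructed hostile header: the user name carries an escape sequence that
# clears the screen plus a newline that would forge a second log entry.
HOSTILE_USER = "admin\x1b[2J\nFORGED user=root result=ok"
HOSTILE_HEADER = "Basic " + base64.b64encode((HOSTILE_USER + ":x").encode()).decode()

if __name__ == "__main__":
    print(auth_log_line(HOSTILE_HEADER, "fail"))
```

The same escaping belongs in front of any other client-controlled field that ends up in a log (request paths, User-Agent, Referer), not only the Basic user name.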
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
If a malicious string is passed to the decode method of OpenSSL::ASN1,
buffer underrun may be caused and the Ruby interpreter may crash.
CVE-2017-14064: Heap exposure vulnerability in generating JSON
The generate method of JSON module optionally accepts an instance of
JSON::Ext::Generator::State class. If a malicious instance is passed,
the result may include contents of heap.
Insufficient RTCP packet validation could allow reading
stale buffer contents and when combined with the "nat"
and "symmetric_rtp" options allow redirecting where
Asterisk sends the next RTCP report.
The RTP stream qualification to learn the source address
of media always accepted the first RTP packet as the new
source and allowed what AST-2017-005 was mitigating. The
intent was to qualify a series of packets before accepting
the new source address.
The RTP/RTCP stack will now validate RTCP packets before processing them.
Charles A. Roelli has found a security flaw in the enriched mode in GNU Emacs.
When Emacs renders MIME text/enriched data (Internet RFC 1896), it
is vulnerable to arbitrary code execution. Since Emacs-based mail
clients decode "Content-Type: text/enriched", this code is exploitable
remotely. This bug affects GNU Emacs versions 19.29 through 25.2.
In older versions, HTML autoescaping was disabled in a portion of the template
for the technical 500 debug page. Given the right circumstances, this allowed a
cross-site scripting attack. This vulnerability shouldn't affect most production
sites since you shouldn't run with DEBUG = True (which makes this page accessible)
in your production settings.
AST-2017-005 - A change was made to the strict RTP
support in the RTP stack to better tolerate late media
when a reinvite occurs. When combined with the symmetric
RTP support this introduced an avenue where media could
be hijacked. Instead of only learning a new address when
expected the new code allowed a new source address to be
learned at all times.
AST-2017-006 - The app_minivm module has an "externnotify"
program configuration option that is executed by the
MinivmNotify dialplan application. The application uses
the caller-id name and number as part of a built string
passed to the OS shell for interpretation and execution.
Since the caller-id name and number can come from an
untrusted source, a crafted caller-id name or number
allows an arbitrary shell command injection.
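The flaw is the classic one of building a single command string from untrusted data and handing it to a shell. The following Python is an added example, not Asterisk's code, that shows the vulnerable pattern next to two fixes: executing the program with an argv list so no shell parses the caller-id, and, where a shell is unavoidable, quoting each untrusted value with shlex.quote. The caller-id name is constructed for the example and "echo" stands in for the configured externnotify program; the example needs a POSIX /bin/sh.

```python
import shlex
import subprocess

# Constructed caller-id name. The part after ';' is what an attacker puts in
# the From header of a call; the number is what a legitimate caller sends.
HOSTILE_CALLER_NAME = "Bob; echo INJECTED"
CALLER_NUMBER = "1234"


def notify_vulnerable(externnotify, name, number):
    """Mirror of the flaw: the notify program and the caller-id are joined
    into one string that /bin/sh parses, so ';' ends the intended command
    and everything after it runs as a second command."""
    cmd = "%s %s %s" % (externnotify, name, number)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def notify_fixed(externnotify, name, number):
    """No shell: each argument is handed to the program verbatim, so the
    caller-id is data, not syntax."""
    argv = [externnotify, name, number]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def notify_quoted(externnotify, name, number):
    """When a shell cannot be avoided (e.g. the configured command is itself
    a shell snippet), quote every untrusted value for the shell."""
    cmd = " ".join(shlex.quote(a) for a in (externnotify, name, number))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # "echo" stands in for the configured externnotify program.
    print(repr(notify_vulnerable("echo", HOSTILE_CALLER_NAME, CALLER_NUMBER)))
    print(repr(notify_fixed("echo", HOSTILE_CALLER_NAME, CALLER_NUMBER)))
    print(repr(notify_quoted("echo", HOSTILE_CALLER_NAME, CALLER_NUMBER)))
```

With the vulnerable builder the output shows two separate echo invocations; with either fix the whole caller-id, semicolon included, arrives as one argument.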
There is an Integer overflow in the hash_int function of the libpspp library
in GNU PSPP 0.10.5-pre2 (CVE-2017-10791).
There is a NULL Pointer Dereference in the function ll_insert() of the libpspp
library in GNU PSPP 0.10.5-pre2 (CVE-2017-10792).
There is an illegal address access in the function output_hex() in data/data-out.c
of the libpspp library in GNU PSPP 0.11.0 that will lead to remote denial of service (CVE-2017-12958).
There is a reachable assertion abort in the function dict_add_mrset() in data/dictionary.c
of the libpspp library in GNU PSPP 0.11.0 that will lead to a remote denial of service attack (CVE-2017-12959).
There is a reachable assertion abort in the function dict_rename_var() in data/dictionary.c
of the libpspp library in GNU PSPP 0.11.0 that will lead to remote denial of service (CVE-2017-12960).
There is an assertion abort in the function parse_attributes() in data/sys-file-reader.c
of the libpspp library in GNU PSPP 0.11.0 that will lead to remote denial of service (CVE-2017-12961).
The following vulnerabilities have been reported: a DNS request
hijacking vulnerability, an ANSI escape sequence vulnerability, a DoS
vulnerability in the query command, and a vulnerability in the gem
installer that allowed a malicious gem to overwrite arbitrary
files.
Poppler is prone to a stack-based buffer-overflow
vulnerability.
Successful exploits may allow attackers to crash the affected
application, resulting in denial-of-service condition. Due to the
nature of this issue, arbitrary code execution may be possible but
this has not been confirmed.
Fix XSS vulnerability in one of the code examples, CVE-2017-11503. The
code_generator.phps example did not filter user input prior to output. This
file is distributed with a .phps extension, so it is not normally executable
unless it is explicitly renamed, so it is safe by default. There was also an
undisclosed potential XSS vulnerability in the default exception handler
(unused by default). Patches for both issues kindly provided by Patrick
Monnerat of the Fedora Project.
The first issue can lead to a denial of service on 32-bit if a backend
sends crafted answers, and the second to an alteration of dnsdist's ACL
if the API is enabled, writable and an authenticated user is tricked
into visiting a crafted website.
Correct a flaw in minion id validation which could allow certain
minions to authenticate to a master despite not having the correct
credentials. To exploit the vulnerability, an attacker must create a
salt-minion with an ID containing characters that will cause a
directory traversal.
Credit for discovering the security flaw goes to: Vernhk@qq.com
SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN)
allows post-authentication remote code execution via a sendmail.cf
file that is mishandled in a popen call. It's possible to exploit this
vulnerability to execute arbitrary shell commands on the remote
server.
An exploitable code execution vulnerability exists in the trapper command
functionality of Zabbix Server 2.4.X. A specially crafted set of packets
can cause a command injection resulting in remote code execution. An attacker
can make requests from an active Zabbix Proxy to trigger this vulnerability.
supervisord can be configured to run an HTTP server on a TCP socket and/or a Unix domain socket.
The HTTP server is how supervisorctl communicates with supervisord. If an HTTP server has been
enabled, it will always serve both HTML pages and an XML-RPC interface. A vulnerability has been
found where an authenticated client can send a malicious XML-RPC request to supervisord that
will run arbitrary shell commands on the server. The commands will be run as the same user as
supervisord. Depending on how supervisord has been configured, this may be root.
This vulnerability can only be exploited by an authenticated client or if supervisord has been
configured to run an HTTP server without authentication. If authentication has not been enabled,
supervisord will log a message at the critical level every time it starts.
Mercurial's symlink auditing was incomplete prior to 4.3, and could be
abused to write to files outside the repository.
CVE-2017-1000116
Mercurial was not sanitizing hostnames passed to ssh, allowing shell
injection attacks on clients by specifying a hostname starting with
-oProxyCommand. This is also present in Git (CVE-2017-1000117) and
Subversion (CVE-2017-9800), so please patch those tools as well if you
have them installed.
A Subversion client sometimes connects to URLs provided by the repository.
This happens in two primary cases: during 'checkout', 'export', 'update', and
'switch', when the tree being downloaded contains svn:externals properties;
and when using 'svnsync sync' with one URL argument.
A maliciously constructed svn+ssh:// URL would cause Subversion clients to
run an arbitrary shell command. Such a URL could be generated by a malicious
server, by a malicious user committing to an honest server (to attack another
user of that server's repositories), or by a proxy server.
The vulnerability affects all clients, including those that use file://,
http://, and plain (untunneled) svn://.
An external code review performed by Recurity-Labs identified a remote
command execution vulnerability in git that could be exploited via the "Repo
by URL" import option in GitLab. The command line git client was not
properly escaping command line arguments in URLs using the SSH protocol
before invoking the SSH client. A specially crafted URL could be used to
execute arbitrary shell commands on the GitLab server.
To fully patch this vulnerability two fixes were needed. The Omnibus
versions of GitLab contain a patched git client. For source users who may
still be running an older version of git, GitLab now also blocks import URLs
containing invalid host and usernames.
This issue has been assigned CVE-2017-12426.
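The Mercurial, Git, Subversion and GitLab issues above share one root cause: a host (or user) name taken from a URL is placed on the ssh command line, and a name beginning with "-" is read by ssh as an option such as -oProxyCommand=. The following Python is an added example, not code from any of those projects, of the check a client or import service should apply before invoking ssh: both the ssh:// form and the scp-like host:path form are parsed, host and user are held to a strict syntax that cannot begin with "-", and the resulting argv passes the user via -l and terminates options with "--" (honoured by getopt-based clients such as OpenSSH; treat that as defence in depth, the validation is the fix). The sample locations are constructed.

```python
import re
from urllib.parse import urlsplit

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens
# that neither start nor end with a hyphen. A leading '-' is exactly what
# turns a "host" into an ssh option such as -oProxyCommand=...
HOST_RE = re.compile(
    r"^(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)*(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Login names: conservative, and never starting with '-' either.
USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,31}$")
SSH_SCHEMES = ("ssh", "svn+ssh", "git+ssh")


def validate_ssh_target(target):
    """Return (user, host) for an ssh://[user@]host[:port]/path,
    svn+ssh://... or scp-style [user@]host:path location, or raise
    ValueError if the user or host could reach ssh as an option."""
    if "://" in target:
        parts = urlsplit(target)
        if parts.scheme not in SSH_SCHEMES:
            raise ValueError("unsupported scheme: %r" % parts.scheme)
        user, host = parts.username, parts.hostname
    else:
        userhost, sep, _path = target.partition(":")
        if not sep:
            raise ValueError("not an ssh target: %r" % target)
        user, _, host = userhost.rpartition("@")
        user = user or None
    if not host or not HOST_RE.match(host):
        raise ValueError("refusing host %r" % host)
    if user is not None and not USER_RE.match(user):
        raise ValueError("refusing user %r" % user)
    return user, host


def is_safe_ssh_target(target):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_ssh_target(target)
        return True
    except ValueError:
        return False


def ssh_argv(target, remote_command):
    """Build the argv a client should exec: validated host, user via -l
    rather than user@host, and '--' so nothing after it is an option."""
    user, host = validate_ssh_target(target)
    argv = ["ssh"]
    if user is not None:
        argv += ["-l", user]
    argv += ["--", host, remote_command]
    return argv


if __name__ == "__main__":
    # Constructed locations: two legitimate ones and three option-injection attempts.
    for t in ("ssh://git@example.com/proj.git", "git@example.com:proj.git",
              "ssh://-oProxyCommand=touch%20/tmp/pwned/x",
              "-oProxyCommand=id:repo", "ssh://-oProxyCommand=id@example.com/x"):
        print("%-45s %s" % (t, "ok" if is_safe_ssh_target(t) else "REJECT"))
```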
Improper sanitization of GitLab export files on import
GitLab versions 8.13.3, 8.12.8, 8.11.10, 8.10.13, and 8.9.12 contained a
patch for a critical directory traversal vulnerability in the GitLab export
feature that could be exploited by including symlinks in the export file and
then re-importing it to a GitLab instance. This vulnerability was patched by
checking for and removing symlinks in these files on import.
Recurity-Labs also determined that this fix did not properly remove symlinks for
hidden files. Though not as dangerous as the original vulnerability, hidden-file
symlinks could still be used to steal copies of git repositories belonging to
other users if the path to the git repository was known by the attacker. An
updated fix has been included in these releases that properly removes all
symlinks.
This import option was not made available to non-admin users until GitLab
8.13.0.
CVE-2016-3092 is a denial of service vulnerability that has been
corrected in the Apache Commons FileUpload component. It occurred
when the length of the multipart boundary was just below the size of
the buffer (4096 bytes) used to read the uploaded file. This caused
the file upload process to take several orders of magnitude longer
than if the boundary length was the typical tens of bytes.
Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti
1.1.13 allows remote authenticated users to inject arbitrary web script
or HTML via specially crafted HTTP Referer headers.
ProFTPD ... controls whether the home directory of a user could
contain a symbolic link through the AllowChrootSymlinks
configuration option, but checks only the last path component when
enforcing AllowChrootSymlinks. Attackers with local access could
bypass the AllowChrootSymlinks control by replacing a path
component (other than the last one) with a symbolic link.
JabberD is prone to an authentication-bypass vulnerability.
An attacker can exploit this issue to bypass the authentication
mechanism and perform unauthorized actions. This may lead to
further attacks.
Genivia gSOAP is prone to a stack-based buffer-overflow
vulnerability because it fails to properly bounds check user-supplied
data before copying it into an insufficiently sized buffer.
A remote attacker may exploit this issue to execute arbitrary code
in the context of the affected device. Failed attempts will likely
cause a denial-of-service condition.
After sending this payload, collectd appears to enter an endless while()
loop in packet_parse, consuming high CPU; it may crash or be killed after a while.
RSA public keys passed to the gmp plugin aren't validated sufficiently
before attempting signature verification, so that invalid input might
lead to a floating point exception. [CVE-2017-9022]
ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when
parsing X.509 certificates with extensions that use such types. This
could lead to infinite looping of the thread parsing a specifically crafted certificate.
Cross-site scripting (XSS) vulnerability in link.php in Cacti
1.1.12 allows remote anonymous users to inject arbitrary web
script or HTML via the id parameter.
The comic book backend in evince 3.24.0 (and earlier) is vulnerable to a command injection bug that can be used to execute arbitrary commands when a CBT file is opened.
The same vulnerability affects atril, the Evince fork.
important: Read after free in mod_http2 (CVE-2017-9789)
When under stress, closing many connections, the HTTP/2 handling
code would sometimes access memory after it has been freed,
resulting in potentially erratic behaviour.
important: Uninitialized memory reflection in mod_auth_digest
(CVE-2017-9788) The value placeholder in [Proxy-]Authorization
headers of type 'Digest' was not initialized or reset before or
between successive key=value assignments by mod_auth_digest.
Providing an initial key with no '=' assignment could reflect
the stale value of uninitialized pool memory used by the prior
request, leading to leakage of potentially confidential
information, and a segfault.
Updates are now available for all active Node.js release lines as
well as the 7.x line. These include the fix for the high severity
vulnerability identified in the initial announcement, one additional
lower priority Node.js vulnerability in the 4.x release line, as well
as some lower priority fixes for Node.js dependencies across the
current release lines.
Constant Hashtable Seeds (CVE pending)
Node.js was susceptible to hash flooding remote DoS attacks as the
HashTable seed was constant across a given released version of
Node.js. This was a result of building with V8 snapshots enabled by
default which caused the initially randomized seed to be overwritten
on startup. Thanks to Jann Horn of Google Project Zero for reporting
this vulnerability.
This is a high severity vulnerability and applies to all active
release lines (4.x, 6.x, 8.x) as well as the 7.x line.
http.get with numeric authorization options creates uninitialized
buffers
Application code that allows the auth field of the options object
used with http.get() to be set to a number can result in an
uninitialized buffer being created/used as the authentication
string.
This is a low severity defect and only applies to the 4.x release
line.
A security issue was identified in nginx range filter. A specially
crafted request might result in an integer overflow and incorrect
processing of ranges, potentially resulting in sensitive information
leak (CVE-2017-7529).
When receiving messages with invalid time stamps, Irssi
would try to dereference a NULL pointer.
While updating the internal nick list, Irssi may
incorrectly use the GHashTable interface and free the nick while
updating it. This will then result in use-after-free conditions on each
access of the hash table.
Fix double-free in server TCP listener cleanup A double-free in
the server could be triggered by an authenticated user if dropbear
is running with -a (Allow connections to forwarded ports from any
host) This could potentially allow arbitrary code execution as root
by an authenticated user.
Fix information disclosure with ~/.ssh/authorized_keys symlink.
Dropbear parsed authorized_keys as root, even if it were a symlink.
The fix is to switch to user permissions when opening authorized_keys.
Tor 0.3.0.9 fixes a path selection bug that would allow a client
to use a guard that was in the same network family as a chosen exit
relay. This is a security regression; all clients running earlier
versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or
0.3.1.4-alpha.
The second vulnerability (CVE-2017-9773) is a DoS vulnerability.
This only affects Horde installations that do not have a configured image
handling backend, and thus use the "Null" image driver. It is exploitable by
a logged in user clicking on a maliciously crafted URL.
Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.
In May/June 2017 Guido Vranken threw a fuzzer at OpenVPN 2.4.2. In
the process he found several vulnerabilities and reported them to
the OpenVPN project. [...] The first releases to have these fixes are OpenVPN 2.4.3 and 2.3.17.
This is a list of fixed important vulnerabilities:
Remotely-triggerable ASSERT() on malformed IPv6 packet
Pre-authentication remote crash/information disclosure for clients
Potential double-free in --x509-alt-username
Remote-triggerable memory leaks
Post-authentication remote DoS when using the --x509-track option
Null-pointer dereference in establish_http_proxy_passthru()
The first vulnerability (CVE-2017-9774) is a Remote Code Execution
vulnerability and is exploitable by a logged in user sending a
maliciously crafted GET request to the Horde server.
ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167):
Use of the ap_get_basic_auth_pw() by third-party modules outside
of the authentication phase may lead to authentication requirements
being bypassed.
mod_ssl Null Pointer Dereference (CVE-2017-3169): mod_ssl may
dereference a NULL pointer when third-party modules
call ap_hook_process_connection() during an HTTP request to an HTTPS
port.
mod_http2 Null Pointer Dereference (CVE-2017-7659): A maliciously
constructed HTTP/2 request could cause mod_http2 to dereference a NULL
pointer and crash the server process.
ap_find_token() Buffer Overread (CVE-2017-7668): The HTTP strict
parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token
list parsing, which allows ap_find_token() to search past the end of its
input string. By maliciously crafting a sequence of request headers, an
attacker may be able to cause a segmentation fault, or to force
ap_find_token() to return an incorrect value.
mod_mime Buffer Overread (CVE-2017-7679): mod_mime can read one
byte past the end of a buffer when sending a malicious Content-Type
response header.
1. a file: URL that doesn't use two slashes following the colon, or
2. is told that file is the default scheme to use for URLs without scheme
... and the given path starts with a drive letter and libcurl is built for
Windows or DOS, then libcurl would copy the path with a wrong offset, so that
the end of the given path would write beyond the malloc buffer. Up to seven
bytes too much.
These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2017-3075, CVE-2017-3081,
CVE-2017-3083, CVE-2017-3084).
These updates resolve memory corruption vulnerabilities that
could lead to code execution (CVE-2017-3076, CVE-2017-3077,
CVE-2017-3078, CVE-2017-3079, CVE-2017-3082).
Roundcube Webmail allows arbitrary password resets by
authenticated users. The problem is caused by an improperly restricted
exec call in the virtualmin and sasl drivers of the password plugin.
It was found using the TLS fuzzer tools that decoding a status
response TLS extension with valid contents could lead to a crash
due to a null pointer dereference. The issue affects GnuTLS server
applications.
An input validation flaw was found in Ansible, where it fails to
properly mark lookup-plugin results as unsafe. If an attacker could
control the results of lookup() calls, they could inject Unicode
strings to be parsed by the jinja2 templating system, resulting in
code execution.
The TLS session cache in FreeRADIUS before 3.0.14 fails to
reliably prevent resumption of an unauthenticated session, which
allows remote attackers (such as malicious 802.1X supplicants) to
bypass authentication via PEAP or TTLS.
An untrusted user may be able to set the http_proxy variable to
an invalid address. If this happens, this will trigger the
configured 'failmode' behavior, which defaults to safe. Safe
mode causes the authentication to report a success.
Commit f469fc6 (2010-10-02) inadvertently caused the
previous hop realm to not be added to the transit path of issued
tickets. This may, in some cases, enable bypass of capath policy in
Heimdal versions 1.5 through 7.2. Note, this may break sites that rely
on the bug. With the bug some incomplete [capaths] worked, that should
not have. These may now break authentication in some cross-realm
configurations. (CVE-2017-6594)
Information Disclosure in Issue and Merge Request Trackers
During an internal code review a critical vulnerability in the GitLab
Issue and Merge Request trackers was discovered. This vulnerability could
allow a user with access to assign ownership of an issue or merge request to
another user to disclose that user's private token, email token, email
address, and encrypted OTP secret. Reporter-level access to a GitLab project
is required to exploit this flaw.
SSRF when importing a project from a Repo by URL
GitLab instances that have enabled project imports using "Repo by URL"
were vulnerable to Server-Side Request Forgery attacks. By specifying a
project import URL of localhost an attacker could target services that are
bound to the local interface of the server. These services often do not
require authentication. Depending on the service, an attacker might be
able to craft an attack using the project import request URL.
Links in Environments tab vulnerable to tabnabbing
edio via HackerOne reported that user-configured Environment links
include target="_blank" but do not also include rel="noopener
noreferrer". Anyone clicking on these links may therefore be subjected to
tabnabbing attacks, where the opened page keeps a reference back to the
requesting page that can be manipulated by the target server.
Accounts with email set to "Do not show on profile" have addresses
exposed in public atom feed
Several GitLab users reported that even with "Do not show on profile"
configured for their email addresses those addresses were still being leaked
in Atom feeds if they commented on a public project.
A vulnerability was discovered in the NTP server's parsing
of configuration directives. [CVE-2017-6464]
A vulnerability was found in NTP, in the parsing of
packets from the DPTS Clock. [CVE-2017-6462]
A vulnerability was discovered in the NTP server's parsing
of configuration directives. [CVE-2017-6463]
A vulnerability was found in NTP, affecting the origin
timestamp check function. [CVE-2016-9042]
Impact:
A remote, authenticated attacker could cause ntpd to
crash by sending a crafted message. [CVE-2017-6463,
CVE-2017-6464]
A malicious device could send crafted messages, causing
ntpd to crash. [CVE-2017-6462]
An attacker able to spoof messages from all of the
configured peers could send crafted packets to ntpd, causing
later replies from those peers to be discarded, resulting
in denial of service. [CVE-2016-9042]
ipfilter(4), when performing stateful packet inspection with the
"keep state" or "keep frags" rule options, maintains not only the
state of connections, such as TCP streams or UDP exchanges, but
also the state of fragmented packets. When packet fragments are
received they are cached in a hash table (and linked list). Each
incoming fragment is compared with the fragments already cached in
the hash table for a match. If it does not match, the new entry is
inserted into the hash table. If it does match, the wrong entry is
freed: the entry already in the hash table rather than the new one.
This results in a use-after-free panic (and, for a brief moment
prior to the panic, a memory leak, because the wrong entry was
freed).
Impact:
Carefully feeding fragments that are allowed to pass by
an ipfilter(4) firewall can be used to cause a panic followed
by reboot loop denial of service attack.
[There] is a zip file of EXR images that cause segmentation faults in the OpenEXR library (tested against 2.2.0).
CVE-2017-9110
In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash.
CVE-2017-9111
In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code.
CVE-2017-9112
In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash.
CVE-2017-9113
In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code.
CVE-2017-9114
In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash.
CVE-2017-9115
In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code.
CVE-2017-9116
In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash.
All versions of Samba from 3.5.0 onwards are vulnerable to a remote
code execution vulnerability, allowing a malicious client to upload
a shared library to a writable share, and then cause the server to
load and execute it.
NVIDIA GPU Display Driver contains vulnerabilities in the
kernel mode layer handler where not correctly validated user
input, NULL pointer dereference, and incorrect access control
may lead to denial of service or potential escalation of
privileges.
An integer signedness error was found in miniupnp's miniwget
allowing an unauthenticated remote entity typically located on the
local network segment to trigger a heap corruption or an access
violation in miniupnp's http response parser when processing a
specially crafted chunked-encoded response to a request for the
xml root description url.
A remote crash can be triggered by sending a SIP packet
to Asterisk with a specially crafted CSeq header and a
Via header with no branch parameter. The issue is that
the PJSIP RFC 2543 transaction key generation algorithm
does not allocate a large enough buffer. By overrunning
the buffer, the memory allocation table becomes corrupted,
leading to an eventual crash.
The multi-part body parser in PJSIP contains a logical
error that can make certain multi-part body parts attempt
to read memory from outside the allowed boundaries. A
specially-crafted packet can trigger these invalid reads
and potentially induce a crash.
This issue is in PJSIP, and so the issue can be fixed
without performing an upgrade of Asterisk at all. However,
we are releasing a new version of Asterisk with the bundled
PJProject updated to include the fix.
If you are running Asterisk with chan_sip, this issue
does not affect you.
A remote memory exhaustion can be triggered by sending
an SCCP packet to an Asterisk system with "chan_skinny"
enabled that is larger than the length of the SCCP header
but smaller than the packet length specified in the header.
The loop that reads the rest of the packet doesn't detect
that the call to read() returned end-of-file before the
expected number of bytes and continues infinitely. The
"partial data" message logging in that tight loop causes
Asterisk to exhaust all available memory.
The import/export feature did not properly check for symbolic links
in user-provided archives and therefore it was possible for an
authenticated user to retrieve the contents of any file
accessible to the GitLab service account. This included
sensitive files such as those that contain secret tokens used
by the GitLab service to authenticate users.
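Both GitLab import/export entries above (the original symlink traversal and the follow-up about hidden-file symlinks that the first fix missed) come down to one check an importer must run on a user-supplied archive before anything is extracted or read. The following Python is an added example, not GitLab's code, that audits a tar export for symlinks and hard links regardless of whether their name is a dot-file, for absolute paths and for ".." escapes, and refuses the whole archive if any are present; the sample archive is constructed in the example and its symlink target is illustrative.

```python
import io
import os
import posixpath
import tarfile


def audit_export_archive(data):
    """Return [(member_name, reason)] for every entry that must make the
    import fail: symlinks and hard links, whether or not their name is a
    hidden dot-file, plus absolute or '..'-escaping paths and special
    files. An empty list means only regular files and directories."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            if member.issym() or member.islnk():
                bad.append((name, "link -> %s" % member.linkname))
            elif os.path.isabs(name) or ".." in posixpath.normpath(name).split("/"):
                bad.append((name, "path escape"))
            elif not (member.isreg() or member.isdir()):
                bad.append((name, "special file"))
    return bad


def extract_export(data, dest):
    """Refuse the whole archive if the audit finds anything; otherwise
    extract with the stdlib 'data' filter (Python 3.12+, backported to
    3.8.17/3.9.17/3.10.12/3.11.4) as a second line of defence."""
    problems = audit_export_archive(data)
    if problems:
        raise ValueError("unsafe export archive: %r" % problems)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def build_sample_export():
    """Constructed archive: one ordinary file, a hidden dot-file symlink
    pointing outside the tree, and a '..' traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b'{"name": "demo"}'
        info = tarfile.TarInfo("project.json")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))

        link = tarfile.TarInfo(".env")          # hidden name, as in the follow-up fix
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"           # illustrative target outside the tree
        tar.addfile(link)

        escape = tarfile.TarInfo("../../../../tmp/evil")
        tar.addfile(escape, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_export_archive(build_sample_export()):
        print("REJECT %-25s %s" % (name, reason))
```

Rejecting the archive outright is preferable to stripping the offending members: an export that contains links or traversal entries was not produced by the exporter and should not be trusted at all.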
OpenVPN v2.4.0 was audited for security vulnerabilities independently by
Quarkslabs (funded by OSTIF) and Cryptography Engineering (funded by
Private Internet Access) between December 2016 and April 2017. The
primary findings were two remote denial-of-service vulnerabilities.
Fixes to them have been backported to v2.3.15.
An authenticated client can do the 'three way handshake'
(P_HARD_RESET, P_HARD_RESET, P_CONTROL), where the P_CONTROL packet
is the first that is allowed to carry payload. If that payload is
too big, the OpenVPN server process will stop running due to an
ASSERT() exception. That is also the reason why servers using
tls-auth/tls-crypt are protected against this attack - the P_CONTROL
packet is only accepted if it contains the session ID we specified,
with a valid HMAC (challenge-response). (CVE-2017-7478)
An authenticated client can cause the server's packet-id
counter to roll over, which would lead the server process to hit an
ASSERT() and stop running. To make the server hit the ASSERT(), the
client must first cause the server to send it 2^32 packets (at least
196 GB).
CVE-2017-7486: pg_user_mappings view discloses foreign server
passwords. This applies to new databases, see the release notes for
the procedure to apply the fix to an existing database.
KAuth contains a logic flaw in which the service invoking dbus
is not properly checked.
This allows spoofing the identity of the caller and with some
carefully crafted calls can lead to gaining root from an
unprivileged account.
I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the
mime-parse test program. Is fixing these crashes something you're
interested in? The input files can be found here:
https://github.com/rwhitworth/libetpan-fuzz/.
The files can be executed as ./mime-parse id_filename to cause
seg faults.
International Components for Unicode (ICU) for C/C++
before 2017-02-13 has an out-of-bounds write caused by a
heap-based buffer overflow related to the utf8TextAccess
function in common/utext.cpp and the utext_setNativeIndex*
function.
International Components for Unicode (ICU) for C/C++
before 2017-02-13 has an out-of-bounds write caused by a
heap-based buffer overflow related to the utf8TextAccess
function in common/utext.cpp and the utext_moveIndex32*
function.
passdb/userdb dict: Don't double-expand %variables in keys. If dict
was used as the authentication passdb, using specially crafted
%variables in the username could be used to cause DoS.
LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if
SSL_get_verify_result is relied upon for a later check of a
verification result, in a use case where a user-provided verification
callback returns 1, as demonstrated by acceptance of invalid
certificates by nginx.
DNS protocols were designed with the assumption that a certain
amount of trust could be presumed between the operators of primary
and secondary servers for a given zone. However, in current
practice some organizations have scenarios which require them to
accept zone data from sources that are not fully trusted (for
example: providers of secondary name service). A party who is
allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS
updates) can overwhelm the server which is accepting data by
intentionally or accidentally exhausting that server's memory.
WeeChat before 1.7.1 allows a remote crash by sending a filename via DCC to
the IRC plugin. This occurs in the irc_ctcp_dcc_filename_without_quotes
function during quote removal, with a buffer overflow.
[695826] High CVE-2017-5057: Type confusion in PDFium. Credit to
Guang Gong of Alpha Team, Qihoo 360
[694382] High CVE-2017-5058: Heap use after free in Print Preview.
Credit to Khalil Zhani
[684684] High CVE-2017-5059: Type confusion in Blink. Credit to
SkyLined working with Trend Micro's Zero Day Initiative
[683314] Medium CVE-2017-5060: URL spoofing in Omnibox. Credit to
Xudong Zheng
[672847] Medium CVE-2017-5061: URL spoofing in Omnibox. Credit to
Haosheng Wang (@gnehsoah)
[702896] Medium CVE-2017-5062: Use after free in Chrome Apps.
Credit to anonymous
[700836] Medium CVE-2017-5063: Heap overflow in Skia. Credit to
Sweetchip
[693974] Medium CVE-2017-5064: Use after free in Blink. Credit to
Wadih Matar
[704560] Medium CVE-2017-5065: Incorrect UI in Blink. Credit to
Khalil Zhani
[690821] Medium CVE-2017-5066: Incorrect signature handling in Networking.
Credit to Prof. Zhenhua Duan, Prof. Cong Tian, and Ph.D. candidate Chu Chen
(ICTT, Xidian University)
[648117] Medium CVE-2017-5067: URL spoofing in Omnibox. Credit to
Khalil Zhani
[691726] Low CVE-2017-5069: Cross-origin bypass in Blink. Credit to
Michael Reizelman
[713205] Various fixes from internal audits, fuzzing and other initiatives
libcurl would attempt to resume a TLS session even if the client
certificate had changed. That is unacceptable since a server by
specification is allowed to skip the client certificate check on
resume, and may instead use the old identity which was established
by the previous certificate (or no certificate).
libcurl supports by default the use of TLS session id/ticket to
resume previous TLS sessions to speed up subsequent TLS handshakes.
They are used when for any reason an existing TLS connection
couldn't be kept alive to make the next handshake faster.
This flaw is a regression and identical to CVE-2016-5419 reported
on August 3rd 2016, but affecting a different version range.
In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to
cause a stack-based buffer overflow via a specially crafted
FLAC file.
In libsndfile before 1.0.28, an error in the
"header_read()" function (common.c) when handling ID3 tags
can be exploited to cause a stack-based buffer overflow
via a specially crafted FLAC file.
In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to
cause a segmentation violation (with write memory access)
via a specially crafted FLAC file during a resample
attempt, a similar issue to CVE-2017-7585.
In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to
cause a segmentation violation (with read memory access)
via a specially crafted FLAC file during a resample
attempt, a similar issue to CVE-2017-7585.
An out-of-bounds write in the Graphite 2 library
triggered with a maliciously crafted Graphite font. This
results in a potentially exploitable crash. This issue was
fixed in the Graphite 2 library as well as Mozilla
products.
An out-of-bounds write during a Base64 decoding operation
in the Network Security Services (NSS) library due to
insufficient memory being allocated to the buffer. This
results in a potentially exploitable crash. The NSS library
has been updated to address this issue and Firefox 53 has
been updated with NSS version 3.29.5.
A flaw in DRBG number generation within the Network
Security Services (NSS) library where the internal state V
does not correctly carry bits over. The NSS library has been
updated to address this issue and Firefox 53 has been
updated with NSS version 3.29.5.
CVE-2016-10195: The name_parse function in evdns.c in
libevent before 2.1.6-beta allows remote attackers to have
unspecified impact via vectors involving the label_len
variable, which triggers an out-of-bounds stack read.
CVE-2016-10196: Stack-based buffer overflow in the
evutil_parse_sockaddr_port function in evutil.c in libevent
before 2.1.6-beta allows attackers to cause a denial of
service (segmentation fault) via vectors involving a long
string in brackets in the ip_as_string argument.
CVE-2016-10197: The search_make_new function in evdns.c
in libevent before 2.1.6-beta allows attackers to cause a
denial of service (out-of-bounds read) via an empty
hostname.
This Critical Patch Update contains 39 new security fixes for
Oracle MySQL. 11 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a
network without requiring user credentials.
A query with a specific set of characteristics could
cause a server using DNS64 to encounter an assertion
failure and terminate.
An attacker could deliberately construct a query,
enabling denial-of-service against a server if it
was configured to use the DNS64 feature and other
preconditions were met.
Mistaken assumptions about the ordering of records in
the answer section of a response containing CNAME or
DNAME resource records could lead to a situation in
which named would exit with an assertion failure when
processing a response in which records occurred in an
unusual order.
named contains a feature which allows operators to
issue commands to a running server by communicating
with the server process over a control channel,
using a utility program such as rndc.
A regression introduced in a recent feature change
has created a situation under which some versions of
named can be caused to exit with a REQUIRE assertion
failure if they are sent a null command string.
The content auto-download of id Tech 3 can be used to deliver
maliciously crafted content that triggers downloading of
further content and loading and executing it as native code
with user credentials. This affects ioquake3, ioUrbanTerror,
OpenArena, the original Quake 3 Arena and other forks.
There were two bugs in curl's parser for the command line option
--write-out (or -w for short) that would skip the end-of-string
zero byte if the string ended in a % (percent) or \ (backslash),
and it would read beyond that buffer in the heap memory and it
could then potentially output pieces of that memory to the
terminal or the target file etc.
The XSA-29 fix introduced an insufficient check on XENMEM_exchange
input, allowing the caller to drive hypervisor memory accesses
outside of the guest provided input/output arrays.
A malicious or buggy 64-bit PV guest may be able to access all of
system memory, allowing for all of privilege escalation, host
crashes, and information leaks.
NVIDIA GPU Display Driver contains vulnerabilities in the
kernel mode layer handler where multiple integer overflows,
improper access control, and improper validation of a user
input may cause a denial of service or potential escalation
of privileges.
No size checking is done when setting the user field
on a CDR. Thus, it is possible for someone to use an
arbitrarily large string and write past the end of the
user field storage buffer. This allows the possibility
of remote code injection.
Unprivileged guests may be able to stall progress of the control
domain or driver domain, possibly leading to a Denial of Service
(DoS) of the entire host.
A vulnerability was discovered where the restrictions
caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are
bypassed under certain PHP versions. This can allow the
login of users who have no password set even if the
administrator has set $cfg['Servers'][$i]['AllowNoPassword']
to false (which is also the default).
This behavior depends on the PHP version used (it seems
PHP 5 is affected, while PHP 7.0 is not).
Severity
We consider this vulnerability to be of moderate severity.
A privileged user within the guest VM can cause a heap overflow in
the device model process, potentially escalating their privileges to
that of the device model process.
Use after free while producing list of netjoins (CWE-416).
This issue was found and reported to us by APic.
This issue usually leads to segmentation faults.
Targeted code execution should be difficult.
When using the NIO connector with sendfile and HTTPS enabled, if a
client breaks the connection while reading the response an infinite loop
is entered leading to a denial of service.
When a response for a request with a request body is
returned to the user agent before the request body is
fully read, by default Tomcat swallows the remaining
request body so that the next request on the connection
may be processed. There was no limit to the size of
request body that Tomcat would swallow. This permitted
a limited Denial of Service as Tomcat would never close
the connection and a processing thread would remain
allocated to the connection.
Moderate: Security Manager bypass CVE-2014-7810
Malicious web applications could use expression
language to bypass the protections of a Security
Manager as expressions were evaluated within a
privileged code section.
An integer overflow in createImageBitmap() was reported
through the Pwn2Own contest. The fix for this vulnerability
disables the experimental extensions to the
createImageBitmap API. This function runs in the content
sandbox, requiring a second vulnerability to compromise a
user's computer.
Tomcat does not properly restrict XSLT stylesheets, which allows
remote attackers to bypass security-manager restrictions and read
arbitrary files via a crafted web application that provides an XML
external entity declaration in conjunction with an entity
reference, related to an XML External Entity (XXE) issue.
An integer overflow, when operated behind a reverse proxy, allows
remote attackers to conduct HTTP request smuggling attacks via a
crafted Content-Length HTTP header.
An integer overflow in parseChunkHeader allows remote attackers
to cause a denial of service (resource consumption) via a malformed
chunk size in chunked transfer coding of a request during the
streaming of data.
In addition to a number of bug fixes and small improvements,
security vulnerabilities have been discovered and fixed. We highly
recommend that you upgrade your sites as soon as possible.
Upgrading should be very straightforward. As per our usual policy,
admins of all registered Moodle sites will be notified of security
issue details directly via email and we'll publish details more
widely in a week.
When using FORM authentication it was possible to bypass the security
constraint checks in the FORM authenticator by appending
"/j_security_check" to the end of the URL if some other component
(such as the Single-Sign-On valve) had called request.setUserPrincipal()
before the call to FormAuthenticator#authenticate().
Many versions of PuTTY prior to 0.68 have a heap-corrupting integer
overflow bug in the ssh_agent_channel_data function which processes
messages sent by remote SSH clients to a forwarded agent connection. [...]
This bug is only exploitable at all if you have enabled SSH
agent forwarding, which is turned off by default. Moreover, an
attacker able to exploit this bug would have to already be able
to connect to the Unix-domain socket representing the forwarded
agent connection. Since any attacker with that capability would
necessarily already be able to generate signatures with your agent's
stored private keys, you should in normal circumstances be defended
against this vulnerability by the same precautions you and your
operating system were already taking to prevent untrusted people
from accessing your SSH agent.
If a malicious peer supplies a certificate with a specially
crafted secp224k1 public key, then an attacker can cause the
server or client to attempt to free a block of memory held on
the stack. Depending on the platform, this could result in a Denial
of Service (client crash) or potentially could be exploited to
allow remote code execution with the same privileges as the host
application.
If the client and the server both support MD5 and the client
can be tricked to authenticate to a malicious server, then the
malicious server can impersonate the client. To launch this man
in the middle attack, the adversary has to compute a
chosen-prefix MD5 collision in real time. This is very expensive
computationally, but can be practical. Depending on the
platform, this could result in a Denial of Service (client crash)
or potentially could be exploited to allow remote code execution
with the same privileges as the host application.
A bug in the logic of the parsing of a PEM encoded Certificate
Revocation List in mbedtls_x509_crl_parse() can result in an
infinite loop. In versions before 1.3.10 the same bug results in
an infinite recursion stack overflow that usually crashes the
application. Methods and means of acquiring the CRLs are not part
of the TLS handshake and in the strict TLS setting this
vulnerability cannot be triggered remotely. The vulnerability
cannot be triggered unless the application explicitly calls
mbedtls_x509_crl_parse() or mbedtls_x509_crl_parse_file() on a PEM
formatted CRL of untrusted origin. In that case the
vulnerability can be exploited to launch a denial of service
attack against the application.
A directory traversal issue was found in KTNEF which can be
exploited by tricking a user into opening a malicious winmail.dat
file. The issue allows writing files with the permissions of the user
opening the winmail.dat file during extraction.
Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.
This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).
This attack can be carried out remotely (over the LAN) since proxy settings
allow "Detect Proxy Configuration Automatically".
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim's LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.
ikiwiki 3.20161219 does not properly check if a revision changes
the access permissions for a page on sites with the git and
recentchanges plugins and the CGI interface enabled, which allows
remote attackers to revert certain changes by leveraging permissions
to change the page before the revision was made.
When CGI::FormBuilder->field("foo") is called in list context
(and in particular in the arguments to a subroutine that takes named
arguments), it can return zero or more values for foo from the CGI
request, rather than the expected single value. This breaks the
usual Perl parsing convention for named arguments, similar to
CVE-2014-1572 in Bugzilla (which was caused by a similar API design
issue in CGI.pm).
The ikiwiki maintainers discovered further flaws similar to
CVE-2016-9646 in the passwordauth plugin's use of
CGI::FormBuilder, with a more serious impact:
An attacker who can log in to a site with a password can log in as
a different and potentially more privileged user.
An attacker who can create a new account can set arbitrary fields
in the user database for that account.
A buffer overflow error was found in the POSIX unit's procedures
process-execute and process-spawn.
Additionally, a memory leak existed in this code, which would be
triggered when an error is raised during argument and environment
processing.
Irregex versions before 0.9.6 contain a resource exhaustion
vulnerability when compiling deeply nested regexes containing the
"+" operator, due to exponential expansion behaviour.
Due to improper handling of alert packets, OpenSSL would
consume an excessive amount of CPU time processing undefined
alert messages.
Impact:
A remote attacker who can initiate handshakes with an
OpenSSL based server can cause the server to consume a lot
of computation power with very little bandwidth usage, and
may be able to use this technique in a leveraged Denial of
Service attack.
SSL_VERIFYSTATUS ignored
curl and libcurl support "OCSP stapling", also known as the TLS
Certificate Status Request extension (using the
CURLOPT_SSL_VERIFYSTATUS option). When telling curl to use this
feature, it uses that TLS extension to ask for a fresh proof of
the server's certificate's validity. If the server doesn't support
the extension, or fails to provide said proof, curl is expected to
return an error.
Due to a coding mistake, the code that checks for success or
failure of that test ends up always thinking there's valid proof, even
when there is none or if the server doesn't support the TLS extension
in question. This is contrary to how it used to function and contrary
to how this feature is documented to work.
This could lead to users not detecting when a server's certificate
goes invalid or otherwise being misled that the server is in a better
shape than it is in reality.
In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
cirrus_bitblt_cputovideo fails to check whether the specified
memory region is safe. A malicious guest administrator can cause
an out of bounds memory write, very likely exploitable as a
privilege escalation.
The web site used by this port, http://fbsdmon.org, has been taken over by cybersquatters. That means that users are sending their system info to an unknown party.
Andrew Bartlett of Catalyst reported a defect affecting certain
applications using the Libevent evbuffer API. This defect leaves
applications which pass insanely large inputs to evbuffers open
to a possible heap overflow or infinite loop. In order to exploit
this flaw, an attacker needs to be able to find a way to provoke
the program into trying to make a buffer chunk larger than what
will fit into a single size_t or off_t.
Severity: High
During a renegotiation handshake if the Encrypt-Then-Mac
extension is negotiated where it was not in the original
handshake (or vice-versa) then this can cause OpenSSL to
crash (dependent on ciphersuite). Both clients and servers
are affected.
This issue does not affect OpenSSL version 1.0.2.
ifread.c in gif2png, as used in OptiPNG before 0.7.6, allows remote attackers to cause a denial of service (uninitialized memory read) via a crafted GIF file.
The bmp_read_rows function in pngxtern/pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (invalid memory write and crash) via a series of delta escapes in a crafted BMP image.
Heap-based buffer overflow in the bmp_read_rows function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file.
Off-by-one error in the bmp_rle4_fread function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file, which triggers a heap-based buffer overflow.
libcurl will reuse NTLM-authenticated proxy connections
without properly making sure that the connection was
authenticated with the same credentials as set for this
transfer.
The REPL server is vulnerable to
the HTTP inter-protocol attack
The 'mkdir' procedure of GNU Guile, an implementation of
the Scheme programming language, temporarily changed the process' umask
to zero. During that time window, in a multithreaded application, other
threads could end up creating files with insecure permissions.
I have just released Shotwell 0.24.5 and 0.25.4 which turn
on HTTPS encryption all over the publishing plugins.
Users using Tumblr and Yandex.Fotki publishing are strongly
advised to change their passwords and reauthenticate Shotwell
to those services after upgrade.
Users of Picasa and Youtube publishing are strongly advised
to reauthenticate (Log out and back in) Shotwell to those
services after upgrade.
WordPress versions 4.7.1 and earlier are affected by three security
issues:
The user interface for assigning taxonomy terms in Press This is
shown to users who do not have permissions to use it.
WP_Query is vulnerable to a SQL injection (SQLi) when passing
unsafe data. WordPress core is not directly vulnerable to this
issue, but we've added hardening to prevent plugins and
themes from accidentally causing a vulnerability.
A cross-site scripting (XSS) vulnerability was discovered in the
posts list table.
An unauthenticated privilege escalation vulnerability was
discovered in a REST API endpoint.
A security vulnerability in the Intel(R) Ethernet Controller X710
and Intel(R) Ethernet Controller XL710 family of products
(Fortville) has been found in the Non-Volatile Flash Memory (NVM)
image.
The PHP development team announces the immediate availability of
PHP 7.0.15. This is a security release. Several security bugs were
fixed in this release.
The PHP development team announces the immediate availability of
PHP 5.6.30. This is a security release. Several security bugs were
fixed in this release.
When an application with Groovy on classpath uses standard Java
serialization mechanisms, e.g. to communicate between servers or to
store local data, it is possible for an attacker to bake a special
serialized object that will execute code directly when deserialized.
All applications which rely on serialization and do not isolate the
code which deserializes objects are subject to this vulnerability.
This is similar to CVE-2015-3253 but this exploit involves extra
wrapping of objects and catching of exceptions which are now safe
guarded against.
MQTT (MQ Telemetry Transport) connection authentication with a
username/password pair succeeds if an existing username is
provided but the password is omitted from the connection
request. Connections that use TLS with a client-provided
certificate are not affected.
CVE-2016-3492: Remote security vulnerability in 'Server: Optimizer'
sub component.
CVE-2016-5616, CVE-2016-6663: Race condition allows local users with
certain permissions to gain privileges by leveraging use of my_copystat
by REPAIR TABLE to repair a MyISAM table.
CVE-2016-5617, CVE-2016-6664: mysqld_safe, when using file-based
logging, allows local users with access to the mysql account to gain
root privileges via a symlink attack on error logs and possibly other
files.
CVE-2016-5624: Remote security vulnerability in 'Server: DML' sub
component.
CVE-2016-5626: Remote security vulnerability in 'Server: GIS' sub
component.
CVE-2016-5629: Remote security vulnerability in 'Server: Federated'
sub component.
CVE-2016-8283: Remote security vulnerability in 'Server: Types' sub
component.
The ssh-agent(1) agent supports loading a PKCS#11 module
from outside a trusted whitelist. An attacker can request
loading of a PKCS#11 module across a forwarded agent socket.
[CVE-2016-10009]
When privilege separation is disabled, forwarded Unix
domain sockets would be created by sshd(8) with the privileges
of 'root' instead of the authenticated user. [CVE-2016-10010]
Impact:
A remote attacker who has control of a forwarded
agent socket on a remote system and has the ability to
write files on the system running the ssh-agent(1) agent can
run arbitrary code under the same user credentials. Because
the attacker must already have some control on both systems,
it is relatively hard to exploit this vulnerability in a
practical attack. [CVE-2016-10009]
When privilege separation is disabled (on FreeBSD,
privilege separation is enabled by default and has to be
explicitly disabled), an authenticated attacker can potentially
gain root privileges on systems running OpenSSH server.
[CVE-2016-10010]
PHPMailer is prone to a local information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information
that may aid in launching further attacks.
Computest found and exploited several issues
that allow a compromised host to execute commands
on the Ansible controller and thus gain access
to other hosts controlled by that controller.
A malformed query response received by a recursive
server in response to a query of RTYPE ANY could
trigger an assertion failure while named is attempting
to add the RRs in the query response to the cache.
Depending on the type of query and the EDNS options
in the query they receive, DNSSEC-enabled authoritative
servers are expected to include RRSIG and other RRsets
in their responses to recursive servers.
DNSSEC-validating servers will also make specific queries
for DS and other RRsets.
Whether DNSSEC-validating or not, an error in processing
malformed query responses that contain DNSSEC-related
RRsets that are inconsistent with other RRsets in the
same query response can trigger an assertion failure.
Although the combination of properties which triggers
the assertion should not occur in normal traffic, it
is potentially possible for the assertion to be triggered
deliberately by an attacker sending a specially-constructed
answer.
An unusually-formed answer containing a DS resource
record could trigger an assertion failure. While the
combination of properties which triggers the assertion
should not occur in normal traffic, it is potentially
possible for the assertion to be triggered deliberately
by an attacker sending a specially-constructed answer
having the required properties.
An error in handling certain queries can cause an
assertion failure when a server is using the
nxdomain-redirect feature to cover a zone for which
it is also providing authoritative service.
A vulnerable server could be intentionally stopped
by an attacker if it was using a configuration that
met the criteria for the vulnerability and if the
attacker could cause it to accept a query that
possessed the required attributes.
These updates resolve a security bypass vulnerability that could
lead to information disclosure (CVE-2017-2938).
These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2017-2932, CVE-2017-2936,
CVE-2017-2937).
These updates resolve heap buffer overflow vulnerabilities that
could lead to code execution (CVE-2017-2927, CVE-2017-2933,
CVE-2017-2934, CVE-2017-2935).
These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2017-2925, CVE-2017-2926, CVE-2017-2928,
CVE-2017-2930, CVE-2017-2931).
The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL
versions and forks is vulnerable to timing attacks when signing with the
standardized elliptic curve P-256 despite featuring constant-time curve
operations and modular inversion. A software defect omits setting the
BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in
the BN_mod_inverse method and therefore resulting in a cache-timing attack
vulnerability.
A malicious user with local access can recover ECDSA P-256 private keys.
The issue allows a local attacker to cause a Denial of Service,
but can potentially result in Privilege Escalation since
the daemon is running as root while any local user can
connect to the Unix socket.
Fixed by a patch which is released with pcsc-lite 1.8.20.
Lynx is vulnerable to POODLE by still supporting a vulnerable
version of SSL. Lynx is also vulnerable to URL attacks by incorrectly
parsing hostnames ending with a '?'.
It was found using the OSS-FUZZ fuzzer infrastructure that
decoding a specially crafted OpenPGP certificate could lead
to heap and stack overflows. (GNUTLS-SA-2017-2)
It was found using the OSS-FUZZ fuzzer infrastructure that
decoding a specially crafted X.509 certificate with Proxy
Certificate Information extension present could lead to a
double free. (GNUTLS-SA-2017-1)
Two unrelated buffer overflows can be used by a malicious server to overwrite parts of the heap and crash the client (or possibly execute arbitrary code).
These packages have reached End of Life status and/or have
been removed from the Ports Tree. They may contain undocumented
security issues. Please take caution and find alternative
software as soon as possible.
... discovered 3 fresh and previously unknown vulnerabilities
(CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7
unserialize mechanism.
The first two vulnerabilities allow attackers to take full control
over servers, allowing them to do anything they want with the
website, from spreading malware to defacing it or stealing customer
data.
The last vulnerability generates a Denial of Service attack which
basically hangs the website, exhausts its memory consumption, and
shuts it down.
The PHP security team issued fixes for two of the vulnerabilities
on the 13th of October and 1st of December.
A use-after-free vulnerability exists in H2O up to and including
version 2.0.4 / 2.1.0-beta3 that can be used by a remote attacker to
mount DoS attacks and / or information theft.
An independent research uncovered a critical vulnerability in
PHPMailer that could potentially be used by (unauthenticated)
remote attackers to achieve remote arbitrary code execution in
the context of the web server user and remotely compromise the
target web application.
To exploit the vulnerability an attacker could target common
website components such as contact/feedback forms, registration
forms, password email resets and others that send out emails with
the help of a vulnerable version of the PHPMailer class.
The first patch of the vulnerability CVE-2016-10033 was incomplete.
This advisory demonstrates the bypass of the patch. The bypass allows
to carry out Remote Code Execution on all current versions (including
5.2.19).
Reported this to upstream 8 months ago without response,
so: libupnp's default behaviour allows anyone to write to your
filesystem. Seriously. Find a device running a libupnp based server
(Shodan says there's rather a lot), and POST a file to /testfile.
Then GET /testfile ... and yeah if the server is running as root
(it is) and is using / as the web root (probably not, but maybe)
this gives full host fs access.
Scott Tenaglia reports:
There is a heap buffer overflow vulnerability in the
create_url_list function in upnp/src/gena/gena_device.c.
[CVE-2016-2123] Authenticated users can supply malicious dnsRecord attributes
on DNS objects and trigger a controlled memory corruption.
[CVE-2016-2125] Samba client code always requests a forwardable ticket
when using Kerberos authentication. This means the target server, which must be in the current or trusted
domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to
fully impersonate the authenticated user or service.
[CVE-2016-2126] A remote, authenticated, attacker can cause the winbindd process
to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum.
A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.
Exim leaks the private DKIM signing key to the log files.
Additionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used,
the key material is included in the bounce message.
libcurl's (new) internal function that returns a good 32bit
random value was implemented poorly and overwrote the pointer
instead of writing the value into the buffer the pointer
pointed to.
This random value is used to generate nonces for Digest and
NTLM authentication, for generating boundary strings in HTTP
formposts and more. Having a weak or virtually non-existent
random there makes these operations vulnerable.
This function is brand new in 7.52.0 and is the result of an
overhaul to make sure libcurl uses strong random as much as
possible - provided by the backend TLS crypto libraries when
present. The faulty function was introduced in this commit.
Due to incorrect comparison of request headers Squid can deliver
responses containing private data to clients it should not have
reached.
This problem allows a remote attacker to discover private and
sensitive information about another client's browsing session,
potentially including credentials which allow access to further
sensitive resources. This problem only affects Squid configured
to use the Collapsed Forwarding feature. It is of particular
importance for HTTPS reverse-proxy sites with Collapsed
Forwarding.
Squid security advisory 2016:11 reports:
Due to incorrect HTTP conditional request handling Squid can
deliver responses containing private data to clients it should not
have reached.
This problem allows a remote attacker to discover private and
sensitive information about another client's browsing session.
Potentially including credentials which allow access to further
sensitive resources.
vim before patch 8.0.0056 does not properly validate values for the
'filetype', 'syntax' and 'keymap' options, which may result in the
execution of arbitrary code if a file with a specially crafted
modeline is opened.
Certain PV guest kernel operations (page table writes in
particular) need emulation, and use Xen's general x86 instruction
emulator. This allows a malicious guest kernel which asynchronously
modifies its instruction stream to effect the clearing of EFLAGS.IF
from the state used to return to guest context.
A malicious guest kernel administrator can cause a host hang or
crash, resulting in a Denial of Service.
libcurl's implementation of the printf() functions triggers a
buffer overflow when doing a large floating point output. The bug
occurs when the conversion outputs more than 255 bytes.
Incorrect use of unfiltered data stored to the session on a form
validation failure allows for existing user accounts to be modified,
including resetting their username, password, and user group
assignments.
[20161202] - Core - Shell Upload
Inadequate filesystem checks allowed files with alternative PHP
file extensions to be uploaded.
[20161203] - Core - Information Disclosure
Inadequate ACL checks in the Beez3 com_content article layout
override enables a user to view restricted content.
Inadequate checks allow users to register on a site when
registration has been disabled.
[20161002] - Core - Elevated Privilege
Incorrect use of unfiltered data allows for users to register on a
site with elevated privileges.
[20161003] - Core - Account Modifications
Incorrect use of unfiltered data allows for existing user accounts
to be modified, including resetting their username, password, and
user group assignments.
The Joomla Security Strike team has been following up on the
critical security vulnerability patched last week. Since the recent
update it has become clear that the root cause is a bug in PHP
itself. This was fixed by PHP in September of 2015 with the releases
of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all
versions of PHP 7 and has been back-ported in some specific Linux
LTS versions of PHP 5.3). This fixes the bug across all supported
PHP versions.
[20151207] - Core - SQL Injection
Inadequate filtering of request data leads to a SQL Injection
vulnerability.
Multiple vulnerabilities have been discovered in the NTP
suite:
CVE-2016-9311: Trap crash, Reported by Matthew Van Gundy
of Cisco ASIG.
CVE-2016-9310: Mode 6 unauthenticated trap information
disclosure and DDoS vector. Reported by Matthew Van Gundy
of Cisco ASIG.
CVE-2016-7427: Broadcast Mode Replay Prevention DoS.
Reported by Matthew Van Gundy of Cisco ASIG.
CVE-2016-7428: Broadcast Mode Poll Interval Enforcement
DoS. Reported by Matthew Van Gundy of Cisco ASIG.
CVE-2016-7431: Regression: 010-origin: Zero Origin
Timestamp Bypass. Reported by Sharon Goldberg and Aanchal
Malhotra of Boston University.
CVE-2016-7434: Null pointer dereference in
_IO_str_init_static_internal(). Reported by Magnus Stubman.
CVE-2016-7426: Client rate limiting and server responses.
Reported by Miroslav Lichvar of Red Hat.
CVE-2016-7433: Reboot sync calculation problem. Reported
independently by Brian Utterback of Oracle, and by Sharon
Goldberg and Aanchal Malhotra of Boston University.
Impact:
A remote attacker can send a specially crafted packet
to cause a NULL pointer dereference that will crash ntpd,
resulting in a Denial of Service. [CVE-2016-9311]
An exploitable configuration modification vulnerability
exists in the control mode (mode 6) functionality of ntpd.
If, against long-standing BCP recommendations, "restrict
default noquery ..." is not specified, a specially crafted
control mode packet can set ntpd traps, providing information
disclosure and DDoS amplification, and unset ntpd traps,
disabling legitimate monitoring by an attacker from remote.
[CVE-2016-9310]
An attacker with access to the NTP broadcast domain can
periodically inject specially crafted broadcast mode NTP
packets into the broadcast domain which, while being logged
by ntpd, can cause ntpd to reject broadcast mode packets
from legitimate NTP broadcast servers. [CVE-2016-7427]
An attacker with access to the NTP broadcast domain can
send specially crafted broadcast mode NTP packets to the
broadcast domain which, while being logged by ntpd, will
cause ntpd to reject broadcast mode packets from legitimate
NTP broadcast servers. [CVE-2016-7428]
Origin timestamp problems were fixed in ntp 4.2.8p6.
However, subsequent timestamp validation checks introduced
a regression in the handling of some Zero origin timestamp
checks. [CVE-2016-7431]
If ntpd is configured to allow mrulist query requests
from a server that sends a crafted malicious packet, ntpd
will crash on receipt of that crafted malicious mrulist
query packet. [CVE-2016-7434]
An attacker who knows the sources (e.g., from an IPv4
refid in server response) and knows the system is (mis)configured
in this way can periodically send packets with spoofed
source address to keep the rate limiting activated and
prevent ntpd from accepting valid responses from its sources.
[CVE-2016-7426]
Ntp Bug 2085 described a condition where the root delay
was included twice, causing the jitter value to be higher
than expected. Due to a misinterpretation of a small-print
variable in The Book, the fix for this problem was incorrect,
resulting in a root distance that did not include the peer
dispersion. The calculations and formulas have been reviewed
and reconciled, and the code has been updated accordingly.
[CVE-2016-7433]
Operations in the DSA signing algorithm should run in constant time
in order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.
The typical behaviour of singlestepping exceptions is determined at
the start of the instruction, with a #DB trap being raised at the
end of the instruction. SYSCALL (and SYSRET, although we don't
implement it) behave differently because the typical behaviour
allows userspace to escalate its privilege. (This difference in
behaviour seems to be undocumented.) Xen wrongly raised the
exception based on the flags at the start of the instruction.
Guest userspace which can invoke the instruction emulator can use
this flaw to escalate its privilege to that of the guest kernel.
A use-after-free vulnerability in SVG Animation has been
discovered. An exploit built on this vulnerability has been
discovered in the wild targeting Firefox and Tor Browser
users on Windows.
modules/chanserv/flags.c in Atheme before 7.2.7 allows remote
attackers to modify the Anope FLAGS behavior by registering and
dropping the (1) LIST, (2) CLEAR, or (3) MODIFY keyword nicks.
Buffer overflow in the xmlrpc_char_encode function in
modules/transport/xmlrpc/xmlrpclib.c in Atheme before 7.2.7 allows
remote attackers to cause a denial of service via vectors related
to XMLRPC response encoding.
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before
1.2.3, when no SMTP server is configured and the sendmail program is
enabled, does not properly restrict the use of custom envelope-from
addresses on the sendmail command line, which allows remote
authenticated users to execute arbitrary code via a modified HTTP
request that sends a crafted e-mail message.
WordPress versions 4.6 and earlier are affected by two security
issues: a cross-site scripting vulnerability via image filename,
reported by SumOfPwn researcher Cengiz Han Sahin; and a path
traversal vulnerability in the upgrade package uploader, reported
by Dominik Schilling from the WordPress security team.
The x86 instruction CMPXCHG8B is supposed to ignore legacy operand
size overrides; it only honors the REX.W override (making it
CMPXCHG16B). So, the operand size is always 8 or 16. When support
for CMPXCHG16B emulation was added to the instruction emulator,
this restriction on the set of possible operand sizes was relied on
in some parts of the emulation; but a wrong, fully general, operand
size value was used for other parts of the emulation. As a result,
if a guest uses a supposedly-ignored operand size prefix, a small
amount of hypervisor stack data is leaked to the guests: a 96 bit
leak to guests running in 64-bit mode; or, a 32 bit leak to other
guests.
A malicious unprivileged guest may be able to obtain sensitive
information from the host.
If an SDP offer or answer is received with the Opus
codec and with the format parameters separated using a
space the code responsible for parsing will recursively
call itself until it crashes. This occurs as the code
does not properly handle spaces separating the parameters.
This does NOT require the endpoint to have Opus configured
in Asterisk. This also does not require the endpoint to
be authenticated. If guest is enabled for chan_sip or
anonymous in chan_pjsip an SDP offer or answer is still
processed and the crash occurs.
The chan_sip channel driver has a liberal definition
for whitespace when attempting to strip the content between
a SIP header name and a colon character. Rather than
following RFC 3261 and stripping only spaces and horizontal
tabs, Asterisk treats any non-printable ASCII character
as if it were whitespace.
This mostly does not pose a problem until Asterisk is
placed in tandem with an authenticating SIP proxy. In
such a case, a crafty combination of valid and invalid
To headers can cause a proxy to allow an INVITE request
into Asterisk without authentication since it believes
the request is an in-dialog request. However, because of
the bug described above, the request will look like an
out-of-dialog request to Asterisk. Asterisk will then
process the request as a new call. The result is that
Asterisk can process calls from unvetted sources without
any authentication.
If you do not use a proxy for authentication, then
this issue does not affect you.
If your proxy is dialog-aware (meaning that the proxy
keeps track of what dialogs are currently valid), then
this issue does not affect you.
If you use chan_pjsip instead of chan_sip, then this
issue does not affect you.
A specially crafted argument can trigger a static buffer
overflow in the library, with possibility to rewrite following
static buffers that belong to other library functions.
Impact:
Due to very limited use of the function in the existing
applications, and limited length of the overflow, exploitation
of the vulnerability does not seem feasible. None of the
utilities and daemons in the base system are known to be
vulnerable. However, careful review of third party software
that may use the function was not performed.
The VNC server websockets decoder will read and buffer data
from websockets clients until it sees the end of the HTTP headers,
as indicated by \r\n\r\n. In theory this allows a malicious client to
trick QEMU into consuming an arbitrary amount of RAM.
The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply
limitations on request headers correctly when the experimental module
for the HTTP/2 protocol is used to access a resource.
The net result is that the server allocates too much memory
instead of denying the request. This can lead to memory exhaustion
of the server by a properly crafted request.
An unexpected sequence of memory allocation failures
combined with insufficient error checking could result in
the construction and execution of an argument sequence that
was not intended.
Impact:
An attacker who controls the sequence of memory allocation
failures and success may cause login(1) to run without
authentication and may be able to cause misbehavior of
login(1) replacements.
No practical way of controlling these memory allocation
failures is known at this time.
The bounds checking of accesses to guest memory greater
than 4GB by device emulations is subject to integer
overflow.
Impact:
For a bhyve virtual machine with more than 3GB of guest
memory configured, a malicious guest could craft device
descriptors that could give it access to the heap of the
bhyve process. Since the bhyve process is running as root,
this may allow guests to obtain full control of the hosts
they're running on.
CVE-2015-2141: The InvertibleRWFunction::CalculateInverse function
in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key
operations for the Rabin-Williams digital signature algorithm, which
allows remote attackers to obtain private keys via a timing attack.
Fixed in 5.6.3.
CVE-2016-3995: Incorrect implementation of Rijndael timing attack
countermeasure. Fixed in 5.6.4.
CVE-2016-7420: Library built without -DNDEBUG could egress sensitive
information to the filesystem via a core dump if an assert was triggered.
Fixed in 5.6.5.
ImageMagick before 3cbfb163cff9e5b8cdeace8312e9bfee810ed02b
suffers from a heap overflow in WaveletDenoiseImage(). This problem is
easily triggerable from a Perl script.
On real hardware, a 32-bit PAE guest must leave the USER and RW bit
clear in L3 pagetable entries, but the pagetable walk behaves as if
they were set. (The L3 entries are cached in processor registers,
and don't actually form part of the pagewalk.)
When running a 32-bit PV guest on a 64-bit Xen, Xen must always OR
in the USER and RW bits for L3 updates for the guest to observe
architectural behaviour. This is unsafe in combination with
recursive pagetables.
As there is no way to construct an L3 recursive pagetable in native
32-bit PAE mode, disallow this option in 32-bit PV guests.
A malicious 32-bit PV guest administrator can escalate their
privilege to that of the host.
When emulating HVM instructions, Xen uses a small i-cache for
fetches from guest memory. The code that handles cache misses does
not check if the address from which it fetched lies within the cache
before blindly writing to it. As such it is possible for the guest
to overwrite hypervisor memory.
It is currently believed that the only way to trigger this bug is
to use the way that Xen currently incorrectly wraps CS:IP in 16 bit
modes. The included patch prevents such wrapping.
A malicious HVM guest administrator can escalate their privilege to
that of the host.
x86 HVM guests running with shadow paging use a subset of the x86
emulator to handle the guest writing to its own pagetables. There
are situations a guest can provoke which result in exceeding the
space allocated for internal state.
A malicious HVM guest administrator can cause Xen to fail a bug
check, causing a denial of service to the host.
When the EVTCHNOP_init_control operation is called with a bad guest
frame number, it takes an error path which frees a control structure
without also clearing the corresponding pointer. Certain subsequent
operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control),
upon finding the non-NULL pointer, continue operation assuming it
points to allocated memory.
A malicious guest administrator can crash the host, leading to a
DoS. Arbitrary code execution (and therefore privilege escalation),
and information leaks, cannot be excluded.
Instructions touching FPU, MMX, or XMM registers are required to
raise a Device Not Available Exception (#NM) when either CR0.EM or
CR0.TS are set. (Their AVX or AVX-512 extensions would consider only
CR0.TS.) While during normal operation this is ensured by the
hardware, if a guest modifies instructions while the hypervisor is
preparing to emulate them, the #NM delivery could be missed.
Guest code in one task may thus (unintentionally or maliciously)
read or modify register state belonging to another task in the same
VM.
A malicious unprivileged guest user may be able to obtain or
corrupt sensitive information (including cryptographic material) in
other programs in the same guest.
The Xen x86 emulator erroneously failed to consider the unusability
of segments when performing memory accesses.
The intended behaviour is as follows: The user data segment (%ds,
%es, %fs and %gs) selectors may be NULL in 32-bit to prevent access.
In 64-bit, NULL has a special meaning for user segments, and there
is no way of preventing access. However, in both 32-bit and 64-bit,
a NULL LDT system segment is intended to prevent access.
On Intel hardware, loading a NULL selector zeros the base as well
as most attributes, but sets the limit field to its largest possible
value. On AMD hardware, loading a NULL selector zeros the attributes,
leaving the stale base and limit intact.
Xen may erroneously permit the access using unexpected base/limit
values.
Ability to exploit this vulnerability on Intel is easy, but on AMD
depends in a complicated way on how the guest kernel manages LDTs.
An unprivileged guest user program may be able to elevate its
privilege to that of the guest operating system.
LDTR, just like TR, is purely a protected mode facility. Hence even
when switching to a VM86 mode task, LDTR loading needs to follow
protected mode semantics. This was violated by the code.
On SVM (AMD hardware): a malicious unprivileged guest process can
escalate its privilege to that of the guest operating system.
On both SVM and VMX (Intel hardware): a malicious unprivileged
guest process can crash the guest.
Both writes to the FS and GS register base MSRs as well as the
WRFSBASE and WRGSBASE instructions require their input values to be
canonical, or a #GP fault will be raised. When the use of those
instructions by the hypervisor was enabled, the previous guard
against #GP faults (having recovery code attached) was accidentally
removed.
A malicious guest administrator can crash the host, leading to a
DoS.
Along with their main kernel binary, unprivileged guests may
arrange to have their Xen environment load (kernel) symbol tables
for their use. The ELF image metadata created for this purpose has a
few unused bytes when the symbol table binary is in 32-bit ELF
format. These unused bytes were not properly cleared during symbol
table loading.
A malicious unprivileged guest may be able to obtain sensitive
information from the host.
The information leak is small and not under the control of the
guest, so effectively exploiting this vulnerability is probably
difficult.
The x86 instructions BT, BTC, BTR, and BTS, when used with a
destination memory operand and a source register rather than an
immediate operand, access a memory location offset from that
specified by the memory operand as specified by the high bits of
the register source.
A malicious guest can modify arbitrary memory, allowing for
arbitrary code execution (and therefore privilege escalation
affecting the whole host), a crash of the host (leading to a DoS),
or information leaks. The vulnerability is sometimes exploitable
by unprivileged guest user processes.
The compiler can emit optimizations in qemu which can lead to
double fetch vulnerabilities. Specifically data on the rings shared
between qemu and the hypervisor (which the guest under control can
obtain mappings of) can be fetched twice (during which time the
guest can alter the contents) possibly leading to arbitrary code
execution in qemu.
Malicious guest administrators can exploit this vulnerability to take
over the qemu process, elevating their privilege to that of the qemu
process.
In a system not using a device model stub domain (or other
techniques for deprivileging qemu), malicious guest administrators
can thus elevate their privilege to that of the host.
pygrub, the boot loader emulator, fails to quote (or sanity check)
its results when reporting them to its caller.
A malicious guest administrator can obtain the contents of
sensitive host files (an information leak). Additionally, a
malicious guest administrator can cause files on the host to be
removed, causing a denial of service. In some unusual host
configurations, ability to remove certain files may be usable for
privilege escalation.
Pillow prior to 3.3.2 may experience integer overflow
errors in map.c when reading specially crafted image files. This may
lead to memory disclosure or corruption.
Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check
for negative image sizes in ImagingNew in Storage.c. A negative image
size can lead to a smaller allocation than expected, leading to
arbitrary writes.
CVE-2016-9298: heap overflow in WaveletDenoiseImage(), fixed in ImageMagick7-7.0.3.6, discovered 2016-10-31
CVE-2016-8866: memory allocation failure in AcquireMagickMemory (incomplete previous fix for CVE-2016-8862), not fixed yet with the release of this announcement, re-discovered 2016-10-13.
CVE-2016-8862: memory allocation failure in AcquireMagickMemory, initially partially fixed in ImageMagick7-7.0.3.3, discovered 2016-09-14.
GNU wget in version 1.17 and earlier, when used in
mirroring/recursive mode, is affected by a Race Condition
vulnerability that might allow remote attackers to bypass intended
wget access list restrictions specified with the -A parameter.
A null pointer dereference bug affects version 16.02 and many older
versions of p7zip. A missing null pointer check for the variable
folders.PackPositions in the function
CInArchive::ReadAndDecodePackedStreams, as used in
the 7z.so library and in 7z applications, will cause a crash and a
denial of service when decoding malformed 7z files.
The Expat XML parser mishandles certain kinds of malformed input
documents, resulting in buffer overflows during processing and error
reporting. The overflows can manifest as a segmentation fault or as
memory corruption during a parse operation. The bugs allow for a
denial of service attack in many applications by an unauthenticated
attacker, and could conceivably result in remote code execution.
There was a bug in the mixing functions of Libgcrypt's random
number generator: An attacker who obtains 4640 bits from the RNG can
trivially predict the next 160 bits of output. This bug exists since
1998 in all GnuPG and Libgcrypt versions.
It was found that the original patch for issues CVE-2015-1283
and CVE-2015-2716 used overflow checks that could be optimized out by
some compilers applying certain optimization settings, which can cause
the vulnerability to remain even after applying the patch.
The HTBoundary_put_block function in HTBound.c for W3C libwww
(w3c-libwww) allows remote servers to cause a denial of service
(segmentation fault) via a crafted multipart/byteranges MIME message
that triggers an out-of-bounds read.
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
as used in the XML-Twig module for Perl, allows context-dependent
attackers to cause a denial of service (application crash) via an XML
document with malformed UTF-8 sequences that trigger a buffer
over-read, related to the doProlog function in lib/xmlparse.c, a
different vulnerability than CVE-2009-2625 and CVE-2009-3720.
The updatePosition function in lib/xmltok_impl.c in libexpat in
Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other
software, allows context-dependent attackers to cause a denial of
service (application crash) via an XML document with crafted UTF-8
sequences that trigger a buffer over-read, a different vulnerability
than CVE-2009-2625.
The mod_dontdothat module of subversion and subversion clients using
http(s):// are vulnerable to a denial-of-service attack, caused by
exponential XML entity expansion. The attack targets XML parsers,
causing the targeted process to consume excessive amounts of resources.
The attack is also known as the "billions of laughs attack."
Redirection from an HTTP connection to a data: URL
assigns the referring site's origin to the data: URL in some
circumstances. This can result in same-origin violations
against a domain if it loads resources from malicious
sites. Cross-origin setting of cookies has been demonstrated
without the ability to read them.
Inconsistent name for term access query (Less critical - Drupal
7 and Drupal 8)
Drupal provides a mechanism to alter database SELECT queries before
they are executed. Contributed and custom modules may use this
mechanism to restrict access to certain entities by implementing
hook_query_alter() or hook_query_TAG_alter() in order to add
additional conditions. Queries can be distinguished by means of
query tags. As the documentation on EntityFieldQuery::addTag()
suggests, access-tags on entity queries normally follow the form
ENTITY_TYPE_access (e.g. node_access). However, the taxonomy
module's access query tag predated this system and used term_access
as the query tag instead of taxonomy_term_access.
As a result, before this security release modules wishing to
restrict access to taxonomy terms may have implemented an
unsupported tag, or needed to look for both tags (term_access and
taxonomy_term_access) in order to be compatible with queries
generated both by Drupal core as well as those generated by
contributed modules like Entity Reference. Otherwise information
on taxonomy terms might have been disclosed to unprivileged users.
The user password reset form does not specify a proper cache
context, which can lead to cache poisoning and unwanted content on
the page.
Confirmation forms allow external URLs to be injected (Moderately
critical - Drupal 7)
Under certain circumstances, malicious users could construct a URL
to a confirmation form that would trick users into being redirected
to a 3rd party website after interacting with the form, thereby
exposing the users to potential social engineering attacks.
Denial of service via transliterate mechanism (Moderately critical
- Drupal 8)
A specially crafted URL can cause a denial of service via the
transliterate mechanism.
RCE bugs were discovered in MySQL and its variants such as MariaDB.
The attack works by manipulating my.cnf files and using --malloc-lib.
The bug seems to be fixed in MySQL 5.7.15 by Oracle.
Mozilla has updated the version of Network Security
Services (NSS) library used in Firefox to NSS 3.23. This
addresses four moderate rated networking security issues
reported by Mozilla engineers Tyson Smith and Jed Davis.
An unauthenticated remote code execution vulnerability allowed
attackers to transfer a serialized Java object to the Jenkins CLI,
making Jenkins connect to an attacker-controlled LDAP server, which
in turn can send a serialized payload leading to code execution,
bypassing existing protection mechanisms.
ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
Severity: High
TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS
attack by corrupting larger payloads. This can result in an OpenSSL crash. This
issue is not considered to be exploitable beyond a DoS.
CMS Null dereference (CVE-2016-7053)
Severity: Medium
Applications parsing invalid CMS structures can crash with a NULL pointer
dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type
in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure
callback if an attempt is made to free certain invalid encodings. Only CHOICE
structures using a callback which do not handle NULL value are affected.
Montgomery multiplication may produce incorrect results (CVE-2016-7055)
Severity: Low
There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure that handles input lengths divisible by, but
longer than 256 bits.
These updates resolve type confusion vulnerabilities that
could lead to code execution (CVE-2016-7860, CVE-2016-7861,
CVE-2016-7865).
These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2016-7857, CVE-2016-7858,
CVE-2016-7859, CVE-2016-7862, CVE-2016-7863, CVE-2016-7864).
A defect in BIND's handling of responses containing
a DNAME answer can cause a resolver to exit after
encountering an assertion failure in db.c or
resolver.c.
When processing the SSH_MSG_KEXINIT message, the server
could allocate up to a few hundred megabytes of memory
per connection, before any authentication takes place.
Impact:
A remote attacker may be able to cause a SSH server to
allocate an excessive amount of memory. Note that the default
MaxStartups setting on FreeBSD will limit the effectiveness
of this attack.
Today the Django team released Django 1.10.3, Django 1.9.11,
and 1.8.16. These releases address two security issues
detailed below. We encourage all users of Django to upgrade
as soon as possible.
User with hardcoded password created when running tests on Oracle
Multiple integer overflow vulnerabilities exist within Memcached
that could be exploited to achieve remote code execution on the
targeted system. These vulnerabilities manifest in various Memcached
functions that are used in inserting, appending, prepending, or
modifying key-value data pairs. Systems which also have Memcached
compiled with support for SASL authentication are also vulnerable to
a third flaw due to how Memcached handles SASL authentication
commands.
An attacker could exploit these vulnerabilities by sending a
specifically crafted Memcached command to the targeted server.
Additionally, these vulnerabilities could also be exploited to leak
sensitive process information which an attacker could use to bypass
common exploitation mitigations, such as ASLR, and can be triggered
multiple times. This enables reliable exploitation which makes these
vulnerabilities severe.
Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x:
Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL
configuration file, from the OPENSSL_CONF environment variable or from the default
location for the current platform. Always triggering a configuration file load attempt
may allow an attacker to load compromised OpenSSL configuration into a Node.js process
if they are able to place a file in a default location.
Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser mishandled scopes,
potentially allowing an attacker to obtain sensitive information from arbitrary memory
locations via crafted JavaScript code. This vulnerability would require an attacker to
be able to execute arbitrary JavaScript code in a Node.js process.
Create a unique v8_inspector WebSocket address: Generate a UUID for each execution of
the inspector. This provides additional security to prevent unauthorized clients from
connecting to the Node.js process via the v8_inspector port when running with --inspect.
Since the debugging protocol allows extensive access to the internals of a running process,
and the execution of arbitrary code, it is important to limit connections to authorized
tools only. Note that the v8_inspector protocol in Node.js is still considered an
experimental feature. Vulnerability originally reported by Jann Horn.
All of these vulnerabilities are considered low-severity for Node.js users; however,
users of Node.js v6.x should upgrade at their earliest convenience.
A flaw exists in sudo's noexec functionality that may allow
a user with sudo privileges to run additional commands even when the
NOEXEC tag has been applied to a command that uses the wordexp()
function.
Apache Axis2 1.7.4 is a maintenance release that includes fixes for
several issues, including the following security issues:
Session fixation (AXIS2-4739) and XSS (AXIS2-5683) vulnerabilities
affecting the admin console.
A dependency on an Apache HttpClient version affected by known security
vulnerabilities (CVE-2012-6153 and CVE-2014-3577); see AXIS2-5757.
Adobe has released security updates for Adobe Flash Player for
Windows, Macintosh, Linux and Chrome OS. These updates address a
critical vulnerability that could potentially allow an attacker to
take control of the affected system.
Adobe is aware of a report that an exploit for CVE-2016-7855
exists in the wild, and is being used in limited, targeted attacks
against users running Windows versions 7, 8.1 and 10.
Node.js has released new versions containing the following security fix:
The following releases all contain fixes for CVE-2016-5180 "ares_create_query single
byte out of buffer write": Node.js v0.10.48 (Maintenance), Node.js v0.12.17 (Maintenance),
Node.js v4.6.1 (LTS "Argon")
While this is not a critical update, all users of these release lines should upgrade at
their earliest convenience.
A special combination of sysarch(2) arguments specifies
a request to uninstall a set of descriptors from the LDT.
The start descriptor is cleared and the number of descriptors
is provided. Due to a lack of sufficient bounds checking
during argument validity verification, unbounded zeroing of
the process LDT and adjacent memory can be initiated from
usermode.
Impact:
This vulnerability could cause the kernel to panic. In
addition, an unprivileged process can perform a local Denial
of Service against the system.
An unchecked array reference in the VGA device emulation
code could potentially allow guests access to the heap of
the bhyve process. Since the bhyve process is running as
root, this may allow guests to obtain full control of the
hosts they are running on.
Impact:
For bhyve virtual machines with the "fbuf" framebuffer
device configured, if exploited, a malicious guest could
obtain full access to not just the host system, but to other
virtual machines running on the system.
Adobe has released security updates for Adobe Flash Player for
Windows, Macintosh, Linux and ChromeOS. These updates address
critical vulnerabilities that could potentially allow an attacker
to take control of the affected system.
These updates resolve a type confusion vulnerability that could
lead to code execution (CVE-2016-6992).
These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-6981, CVE-2016-6987).
These updates resolve a security bypass vulnerability
(CVE-2016-4286).
These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-4273, CVE-2016-6982,
CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986,
CVE-2016-6989, CVE-2016-6990).
Apache Axis2 1.7.3 is a security release that contains a fix
for CVE-2010-3981. That security vulnerability affects the admin console
that is part of the Axis2 Web application and was originally reported
for SAP BusinessObjects (which includes a version of Axis2). That report
didn't mention Axis2 at all and the Axis2 project only recently became
aware (thanks to Devesh Bhatt and Nishant Agarwala) that the issue
affects Apache Axis2 as well.
Various memory handling problems and cases of missing or
incomplete input sanitizing may result in denial of service or the
execution of arbitrary code if malformed SIXEL, PDB, MAP, SGI, TIFF and
CALS files are processed.
Heap-based buffer overflow in the pdf_load_mesh_params
function in pdf/pdf-shade.c in MuPDF allows remote attackers to cause a
denial of service (crash) or execute arbitrary code via a large decode
array.
Use-after-free vulnerability in the pdf_load_xref function in
pdf/pdf-xref.c in MuPDF allows remote attackers to cause a denial of
service (crash) via a crafted PDF file.
Unspecified vulnerability in the Oracle VM VirtualBox
component in Oracle Virtualization VirtualBox prior to 4.0.34, 4.1.42,
4.2.34, 4.3.32, and 5.0.8, when using a Windows guest, allows local
users to affect availability via unknown vectors related to Core.
Unspecified vulnerability in the Oracle VM VirtualBox
component in Oracle Virtualization VirtualBox before 4.0.34, 4.1.42,
4.2.34, 4.3.32, and 5.0.8, when a VM has the Remote Display feature
(RDP) enabled, allows remote attackers to affect availability via
unknown vectors related to Core.
These packages have reached End of Life status and/or have
been removed from the Ports Tree. They may contain undocumented
security issues. Please take caution and find alternative
software as soon as possible.
The exposure exploits the way OLE previews are generated to
embed arbitrary file data into a specially crafted document when it is
opened. Data exposure is possible if the updated document is distributed
to other parties.
File Roller 3.5.4 through 3.20.2 was affected by a path
traversal bug that could result in deleted files if a user
were tricked into opening a malicious archive.
Prevent a class of security bugs caused by treating the contents
of a buffer chunk as if they were a NUL-terminated string. At least
one such bug seems to be present in all currently used versions of
Tor, and would allow an attacker to remotely crash most Tor
instances, especially those compiled with extra compiler hardening.
With this defense in place, such bugs can't crash Tor, though we
should still fix them as they occur. Closes ticket 20384
(TROVE-2016-10-001).
A Heap Buffer Overflow (Out-of-Bounds Write) issue was found in
function opj_dwt_interleave_v of dwt.c. This vulnerability allows
remote attackers to execute arbitrary code on vulnerable installations
of OpenJPEG.
An integer overflow issue exists in function opj_pi_create_decode of
pi.c. It can lead to Out-Of-Bounds Read and Out-Of-Bounds Write in
function opj_pi_next_cprl of pi.c (function opj_pi_next_lrcp,
opj_pi_next_rlcp, opj_pi_next_rpcl, opj_pi_next_pcrl may also be
vulnerable). This vulnerability allows remote attackers to execute
arbitrary code on vulnerable installations of OpenJPEG.
The redis-cli history file (in linenoise) is created with the
default OS umask value which makes it world readable in most systems
and could potentially expose authentication credentials to other
users.
Flaws in libarchive's handling of symlinks and hard links
allow overwriting files outside the extraction directory,
or permission changes to a directory outside the extraction
directory.
Impact:
An attacker who can control freebsd-update's or portsnap's
input to tar(1) can change file content or permissions on
files outside of the update tool's working sandbox.
Tobias Stoeckmann from the OpenBSD project has discovered a
number of issues in the way various X client libraries handle
the responses they receive from servers, and has worked with
X.Org's security team to analyze, confirm, and fix these issues.
These issues come in addition to the ones discovered by Ilja van
Sprundel in 2013.
Most of these issues stem from the client libraries trusting
the server to send correct protocol data, and not verifying
that the values will not overflow or cause other damage. Most
of the time X clients and servers are run by the same user, with
the server more privileged than the clients, so this is not a
problem, but there are scenarios in which a privileged client
can be connected to an unprivileged server, for instance,
connecting a setuid X client (such as a screen lock program)
to a virtual X server (such as Xvfb or Xephyr) which the user
has modified to return invalid data, potentially allowing the
user to escalate their privileges.
Testing by ISC has uncovered a critical error condition
which can occur when a nameserver is constructing a
response. A defect in the rendering of messages into
packets can cause named to exit with an assertion
failure in buffer.c while constructing a response
to a query that meets certain criteria.
The implementation of bspatch is susceptible to integer
overflows with carefully crafted input, potentially allowing
an attacker who can control the patch file to write at
arbitrary locations in the heap. This issue was partially
addressed in FreeBSD-SA-16:25.bspatch, but some possible
integer overflows remained.
Impact:
An attacker who can control the patch file can cause a
crash or run arbitrary code under the credentials of the
user who runs bspatch, in many cases, root.
Flaws in portsnap's verification of downloaded tar files
allow additional files to be included without causing the
verification to fail. Portsnap may then use or execute these
files.
Impact:
An attacker who can conduct a man-in-the-middle attack on
the network at the time when portsnap is run can cause
portsnap to execute arbitrary commands under the credentials
of the user who runs portsnap, typically root.
Most of the bugs fixed on 2016-09-06 and 2016-09-07 for
issue #1780 are potentially exploitable. The scenario is arbitrary
code execution with specially-crafted files.
An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.
If specific usernames including "%" symbols can be created on a system
(validated by getpwnam()) then an attacker could run arbitrary code as root
when connecting to Dropbear server.
A dbclient user who can control username or host arguments could potentially
run arbitrary code as the dbclient user. This could be a problem if scripts
or webpages pass untrusted input to the dbclient program.
dropbearconvert import of OpenSSH keys could run arbitrary code as
the local dropbearconvert user when parsing malicious key files.
dbclient could run arbitrary code as the local dbclient user if
particular -m or -c arguments are provided. This could be an issue where
dbclient is used in scripts.
dbclient or dropbear server could expose process memory to the
running user if compiled with DEBUG_TRACE and running with -v.
The four libcurl functions curl_escape(), curl_easy_escape(),
curl_unescape() and curl_easy_unescape() perform string URL percent
escaping and unescaping. They accept custom string length inputs
in signed integer arguments.
The provided string length arguments were not properly checked
and due to arithmetic in the functions, passing in the length
0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up
causing an allocation of zero bytes of heap memory that curl
would attempt to write gigabytes of data into.
RCE bugs discovered in MySQL and its variants like MariaDB.
It works by manipulating my.cnf files and using --malloc-lib.
The bug seems fixed in MySQL 5.7.15 by Oracle.
Independent research has revealed multiple severe MySQL
vulnerabilities. This advisory focuses on a critical
vulnerability with a CVEID of CVE-2016-6662 which can allow
attackers to (remotely) inject malicious settings into MySQL
configuration files (my.cnf) leading to critical
consequences.
Stefan Bühler discovered an issue that affects validation
of certificates using OCSP responses, which can falsely report a
certificate as valid under certain circumstances.
The overlap dialing feature in chan_sip allows chan_sip
to report to a device that the number that has been dialed
is incomplete and more digits are required. If this
functionality is used with a device that has performed
username/password authentication RTP resources are leaked.
This occurs because the code fails to release the old RTP
resources before allocating new ones in this scenario.
If all resources are used, RTP port exhaustion will
occur and no RTP sessions can be set up.
If overlap dialing support is not needed the "allowoverlap"
option can be set to no. This will stop any usage of the
scenario which causes the resource exhaustion.
Asterisk can be crashed remotely by sending an ACK to
it from an endpoint username that Asterisk does not
recognize. Most SIP request types result in an "artificial"
endpoint being looked up, but ACKs bypass this lookup.
The resulting NULL pointer results in a crash when
attempting to determine if ACLs should be applied.
This issue was introduced in the Asterisk 13.10 release
and only affects that release.
This issue only affects users using the PJSIP stack
with Asterisk. Those users that use chan_sip are
unaffected.
A serious vulnerability exists when using m_sasl in
combination with any services that support SASL EXTERNAL.
To be vulnerable you must have m_sasl loaded, and have services which
support SASL EXTERNAL authentication.
We may have to set lifetime for input forms because of recent
activities on cross-site request forgery (CSRF). The form lifetime
is successfully deployed in frameworks like web.py or plone etc.
Proposed branch lp:~tkikuchi/mailman/form-lifetime implements
lifetime in admin, admindb, options and edithtml interfaces.
[...]
The web admin interface has been hardened against CSRF attacks by
adding a hidden, encrypted token with a time stamp to form submissions
and not accepting authentication by cookie if the token is missing,
invalid or older than the new mm_cfg.py setting FORM_LIFETIME which
defaults to one hour. Posthumous thanks go to Tokio Kikuchi for this implementation [...].
zzf of Alibaba discovered an out-of-bounds vulnerability in the code
processing the LogLUV and CIE Lab image format files. An attacker
could create a specially-crafted TIFF file that could cause libtiff
to crash.
LMX of Qihoo 360 Codesafe Team discovered an out-of-bounds read in
tif_getimage.c. An attacker could create a specially-crafted TIFF
file that could cause libtiff to crash.
Security researcher Francis Gabriel reported a heap-based
buffer overflow in the way the Network Security Services
(NSS) libraries parsed certain ASN.1 structures. An attacker
could create a specially-crafted certificate which, when
parsed by NSS, would cause it to crash or execute arbitrary
code with the permissions of the user.
Mozilla developer Tim Taubert used the Address Sanitizer
tool and software fuzzing to discover a use-after-free
vulnerability while processing DER encoded keys in the
Network Security Services (NSS) libraries. The vulnerability
overwrites the freed memory with zeroes.
* sshd(8): Mitigate timing differences in password authentication
that could be used to discern valid from invalid account names
when long passwords were sent and particular password hashing
algorithms are in use on the server. CVE-2016-6210, reported by
EddieEzra.Harari at verint.com
* sshd(8): (portable only) Ignore PAM environment vars when
UseLogin=yes. If PAM is configured to read user-specified
environment variables and UseLogin=yes in sshd_config, then a
hostile local user may attack /bin/login via LD_PRELOAD or
similar environment variables set via PAM. CVE-2015-8325,
found by Shayan Sadigh.
CSRF protection has been extended to the user options page. This
was actually fixed by Tokio Kikuchi as part of the fix for LP:
#775294 and intended for Mailman 2.1.15, but that fix wasn't
completely merged at the time. The full fix also addresses the
admindb, and edithtml pages as well as the user options page and the
previously fixed admin pages. Thanks to Nishant Agarwala for reporting the issue.
A maliciously crafted archive (.zip or .tar.bz2) with "../" in the
file paths could be offered for download via the KNewStuff
framework (e.g. on www.kde-look.org), and upon extraction would
install files anywhere in the user's home directory.
Beginning in PathTools 3.47 and/or perl 5.20.0, the
File::Spec::canonpath() routine returned untainted strings even if
passed tainted input. This defect undermines the guarantee of taint
propagation, which is sometimes used to ensure that unvalidated
user input does not reach sensitive code.
This defect was found and reported by David Golden of MongoDB.
In order to prevent an algorithmic complexity attack
against its hashing mechanism, perl will sometimes
recalculate keys and redistribute the contents of a hash.
This mechanism has made perl robust against attacks that
have been demonstrated against other systems.
Research by Yves Orton has recently uncovered a flaw in
the rehashing code which can result in pathological
behavior. This flaw could be exploited to carry out a
denial of service attack against code that uses arbitrary
user input as hash keys.
Because using user-provided strings as hash keys is a
very common operation, we urge users of perl to update their
perl executable as soon as possible.
Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do
not properly remove . (period) characters from the end of the includes
directory array, which might allow local users to gain privileges via a
Trojan horse module under the current working directory.
Tobias Stoeckmann discovered that cache files are insufficiently
validated in fontconfig, a generic font configuration library. An
attacker can trigger arbitrary free() calls, which in turn allows
double free attacks and therefore arbitrary code execution. In
combination with setuid binaries using crafted cache files, this
could allow privilege escalation.
There is a possible XSS vulnerability in Action View. Text declared as "HTML
safe" will not have quotes escaped when used as attribute values in tag
helpers. This vulnerability has been assigned the CVE identifier
CVE-2016-6316.
There is a vulnerability when Active Record is used in conjunction with JSON
parameter parsing. This vulnerability has been assigned the CVE identifier
CVE-2016-6317. This vulnerability is similar to CVE-2012-2660, CVE-2012-2694
and CVE-2013-0155.
Puppet Enterprise previously included a puppet-agent MCollective plugin that allowed you to pass the `--server` argument to MCollective. This insecure argument enabled remote code execution via connection to an untrusted host. In the puppet-agent MCollective version included in PE 2016.2.1, this option is disabled by default.
I found 10 vulnerabilities. Some of these are critical and allow remote code
execution. For the average user, that means that these vulnerabilities can be
exploited by a malicious attacker in order to take over any Teamspeak server,
not only becoming serveradmin, but getting a shell on the affected machine.
Due to insufficient validation of the SCTP stream ID,
which serves as an array index, a local unprivileged attacker
can read or write 16 bits of kernel memory.
Impact:
An unprivileged process can read or modify 16 bits of
memory which belongs to the kernel. This may lead to
exposure of sensitive information or allow privilege
escalation.
The input validation of received SCTP RE_CONFIG chunks
is insufficient, and can result in a NULL pointer dereference
later.
Impact:
A remote attacker who can send a malformed SCTP packet
to a FreeBSD system that serves SCTP can cause a kernel
panic, resulting in a Denial of Service.
The Neighbor Discovery Protocol allows a local router to
advertise a suggested Current Hop Limit value of a link,
which will replace the Current Hop Limit on an interface connected
to the link on the FreeBSD system.
Impact:
When the Current Hop Limit (similar to IPv4's TTL) is
small, IPv6 packets may get dropped before they reach
their destinations.
By sending specifically crafted Router Advertisement
packets, an attacker on the local network can cause the
FreeBSD system to lose the ability to communicate with
another IPv6 node on a different network.
TCP connections transitioning to the LAST_ACK state can
become permanently stuck due to mishandling of protocol
state in certain situations, which in turn can lead to
accumulated consumption and eventual exhaustion of system
resources, such as mbufs and sockets.
Impact:
An attacker who can repeatedly establish TCP connections
to a victim system (for instance, a Web server) could create
many TCP connections that are stuck in LAST_ACK state and
cause resource exhaustion, resulting in a denial of service
condition. This may also happen in normal operation where
no intentional attack is conducted, but an attacker who can
send specifically crafted packets can trigger this more
reliably.
Due to insufficient sanitization of the input patch
stream, it is possible for a patch file to cause patch(1)
to run commands in addition to the desired SCCS or RCS
commands.
Impact:
This issue could be exploited to execute arbitrary
commands as the user invoking patch(1) against a specially
crafted patch file, which could be leveraged to obtain
elevated privileges.
There is a mistake with the introduction of VNET, which
converted the global limit on the number of segments that
could belong to reassembly queues into a per-VNET limit.
Because mbufs are allocated from a global pool, in the
presence of a sufficient number of VNETs, the total number
of mbufs attached to reassembly queues can grow to the total
number of mbufs in the system, at which point all network
traffic would cease.
Impact:
An attacker who can establish concurrent TCP connections
across a sufficient number of VNETs and manipulate the
inbound packet streams such that the maximum number of mbufs
are enqueued on each reassembly queue can cause mbuf cluster
exhaustion on the target system, resulting in a Denial of
Service condition.
As the default per-VNET limit on the number of segments
that can belong to reassembly queues is 1/16 of the total
number of mbuf clusters in the system, only systems that
have 16 or more VNET instances are vulnerable.
Due to insufficient sanitization of the input patch
stream, it is possible for a patch file to cause patch(1)
to pass certain ed(1) scripts to the ed(1) editor, which
would run commands.
Impact:
This issue could be exploited to execute arbitrary
commands as the user invoking patch(1) against a specially
crafted patch file, which could be leveraged to obtain
elevated privileges.
The input path in routed(8) will accept queries from any
source and attempt to answer them. However, the output path
assumes that the destination address for the response is
on a directly connected network.
Impact:
Upon receipt of a query from a source which is not on a
directly connected network, routed(8) will trigger an
assertion and terminate. The affected system's routing table
will no longer be updated. If the affected system is a
router, its routes will eventually expire from other routers'
routing tables, and its networks will no longer be reachable
unless they are also connected to another router.
Multiple integer overflows have been discovered in the
XML_GetBuffer() function in the expat library.
Impact:
The integer overflows may be exploited by using specifically
crafted XML data and lead to an infinite loop or a heap buffer
overflow, which results in a Denial of Service condition
or enables remote attackers to execute arbitrary code.
If the kernel-mode IRET instruction generates an #SS or
#NP exception, but the exception handler does not properly
ensure that the right GS register base for kernel is reloaded,
the userland GS segment may be used in the context of the
kernel exception handler.
Impact:
By causing an IRET with #SS or #NP exceptions, a local
attacker can cause the kernel to use an arbitrary GS base,
which may allow escalated privileges or panic the system.
In rpcbind(8), netbuf structures are copied directly,
which results in two netbuf structures that reference
one shared address buffer. When one of the two netbuf
structures is freed, access to the other netbuf structure
produces undefined behavior that may crash the
rpcbind(8) daemon.
Impact:
A remote attacker who can send specifically crafted
packets to the rpcbind(8) daemon can cause it to crash,
resulting in a denial of service condition.
The bsnmpd(8) daemon is prone to a stack-based
buffer-overflow when it has received a specifically crafted
GETBULK PDU request.
Impact:
This issue could be exploited to execute arbitrary code in
the context of the service daemon, or crash the service daemon, causing
a denial-of-service.
The kernel holds a lock over the source directory vnode
while trying to convert the target directory file handle
to a vnode, which needs to be returned with the lock held,
too. This order may be in violation of normal lock order,
which in conjunction with other threads that grab locks in
the right order, constitutes a deadlock condition because
no thread can proceed.
Impact:
An attacker on a trusted client could cause the NFS
server to become deadlocked, resulting in a denial of service.
The default devfs rulesets are not loaded on boot, even
when jails are used. Device nodes will be created in the
jail with their normal default access permissions, while
most of them should be hidden and inaccessible.
Impact:
Jailed processes can get access to restricted resources
on the host system. For jailed processes running with
superuser privileges this implies access to all devices on
the system. This level of access could lead to information
leakage and privilege escalation.
FreeBSD may add a reassembly queue entry on the stack
into the segment list when the reassembly queue reaches its
limit. The memory from the stack is undefined after the
function returns. Subsequent iterations of the reassembly
function will attempt to access this entry.
Impact:
An attacker who can send a series of specifically crafted
packets with a connection could cause a denial of service
situation by causing the kernel to crash.
Additionally, because the undefined on-stack memory may
be overwritten by other kernel threads, it may be possible,
while extremely difficult, for an attacker to construct
a carefully crafted attack to obtain a portion of kernel
memory via a connected socket. This may result in the
disclosure of sensitive information such as login credentials,
etc. before or even without crashing the system.
There is a programming error in sendmail(8) that prevented
open file descriptors from having close-on-exec properly set.
Consequently, a subprocess will be able to access all open
files that the parent process has open.
Impact:
A local user who can execute their own program for mail
delivery will be able to interfere with an open SMTP
connection.
Due to an overlooked merge to -STABLE branches, the size
for page fault kernel trace entries was set incorrectly.
Impact:
A user who can enable kernel process tracing could end
up reading the contents of kernel memory.
Such memory might contain sensitive information, such
as portions of the file cache or terminal buffers. This
information might be directly useful, or it might be leveraged
to obtain elevated privileges in some way; for example, a
terminal buffer might include a user-entered password.
The OpenPAM library searches for policy definitions in
several locations. While doing so, the absence of a policy
file is a soft failure (handled by searching in the next
location) while the presence of an invalid file is a hard
failure (handled by returning an error to the caller).
The policy parser returns the same error code (ENOENT)
when a syntactically valid policy references a non-existent
module as when the requested policy file does not exist.
The search loop regards this as a soft failure and looks
for the next similarly-named policy, without discarding the
partially-loaded configuration.
A similar issue can arise if a policy contains an include
directive that refers to a non-existent policy.
Impact:
If a module is removed, or the name of a module is
misspelled in the policy file, the PAM library will proceed
with a partially loaded configuration. Depending on the
exact circumstances, this may result in a fail-open scenario
where users are allowed to log in without a password, or
with an incorrect password.
In particular, if a policy references a module installed
by a package or port, and that package or port is being
reinstalled or upgraded, there is a brief window of time
during which the module is absent and policies that use it
may fail open. This can be especially damaging to Internet-facing
SSH servers, which are regularly subjected to brute-force
scans.
A NULL pointer dereference in the initialization code
of the HZ module and an out of bounds array access in the
initialization code of the VIQR module make iconv_open(3)
calls involving HZ or VIQR result in an application crash.
Impact:
Services where an attacker can control the arguments of
an iconv_open(3) call can be caused to crash resulting in
a denial-of-service. For example, an email encoded in HZ
may cause an email delivery service to crash if it converts
emails to a more generic encoding like UTF-8 before applying
filtering rules.
A specifically crafted Composite Document File (CDF)
file can trigger an out-of-bounds read or an invalid pointer
dereference. [CVE-2012-1571]
A flaw in regular expression in the awk script detector
makes use of multiple wildcards with unlimited repetitions.
[CVE-2013-7345]
A malicious input file could trigger infinite recursion
in libmagic(3). [CVE-2014-1943]
A specifically crafted Portable Executable (PE) can
trigger out-of-bounds read. [CVE-2014-2270]
Impact:
An attacker who can cause file(1) or any other application
using the libmagic(3) library to be run on a maliciously
constructed input can cause the application to crash or consume
excessive CPU resources, resulting in a denial-of-service.
The buffer between the control message header and data may not
be completely initialized before being copied to userland.
[CVE-2014-3952]
Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO,
have implicit padding that may not be completely initialized
before being copied to userland. In addition, three SCTP
notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and
SCTP_AUTHENTICATION_EVENT, have padding in the returned
data structure that may not be completely initialized before
being copied to userland. [CVE-2014-3953]
Impact:
An unprivileged local process may be able to retrieve a
portion of kernel memory.
For the generic control message, the process may be able
to retrieve a maximum of 4 bytes of kernel memory.
For SCTP, the process may be able to retrieve 2 bytes
of kernel memory for all three control messages, plus 92
bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the
local process is permitted to receive SCTP notification, a
maximum of 112 bytes of kernel memory may be returned to
userland.
This information might be directly useful, or it might
be leveraged to obtain elevated privileges in some way. For
example, a terminal buffer might include a user-entered
password.
When a segment with the SYN flag for an already existing
connection arrives, the TCP stack tears down the connection,
bypassing a check that the sequence number in the segment
is in the expected window.
Impact:
An attacker who has the ability to spoof IP traffic can
tear down a TCP connection by sending only 2 packets, if
they know both TCP port numbers. In case one of the two
port numbers is unknown, a successful attack requires less
than 2**17 packets spoofed, which can be generated within
less than a second on a decent connection to the Internet.
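The teardown described above works because the SYN handling skipped the
sequence-number window check that every other segment is subjected to.
The following is an added example (not code from the FreeBSD kernel or
from this advisory) showing that check with the wrap-around-safe
comparisons the BSD stack uses, the unchecked policy beside a checked
one, and how many blind guesses a spoofer needs once the window is
enforced. The challenge-ACK response is an assumed RFC 5961 style
policy, not a claim about what the FreeBSD fix does verbatim.

```c
#include <stdbool.h>
#include <stdint.h>

/* Modular sequence-number comparisons: sequence numbers wrap at 2^32,
 * so a plain "<" is wrong near the wrap point. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

/* Is seq inside the receive window [rcv_nxt, rcv_nxt + rcv_wnd)? */
bool seq_in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd) {
    if (rcv_wnd == 0)
        return seq == rcv_nxt;
    return SEQ_GEQ(seq, rcv_nxt) && SEQ_LT(seq, rcv_nxt + rcv_wnd);
}

enum syn_action { SYN_IGNORE, SYN_CHALLENGE_ACK, SYN_RESET };

/* The flawed policy from the advisory: a SYN on an established
 * connection tears it down without looking at the sequence number. */
enum syn_action syn_policy_unchecked(uint32_t seq, uint32_t rcv_nxt,
                                     uint32_t rcv_wnd) {
    (void)seq; (void)rcv_nxt; (void)rcv_wnd;
    return SYN_RESET;
}

/* Checked policy (assumed, RFC 5961 style): an out-of-window SYN is
 * dropped; an in-window SYN earns a challenge ACK, so a spoofer who
 * cannot see the reply still cannot tear the connection down. */
enum syn_action syn_policy_checked(uint32_t seq, uint32_t rcv_nxt,
                                   uint32_t rcv_wnd) {
    if (!seq_in_window(seq, rcv_nxt, rcv_wnd))
        return SYN_IGNORE;
    return SYN_CHALLENGE_ACK;
}

/* Expected number of blind sequence-number guesses needed to land one
 * segment in the window once the check is enforced: 2^32 / rcv_wnd. */
uint64_t guesses_per_window(uint32_t rcv_wnd) {
    if (rcv_wnd == 0)
        return 1ULL << 32;
    return (1ULL << 32) / rcv_wnd;
}
```

With the unchecked policy the sequence number is irrelevant, which is
why the advisory counts packets rather than guesses; with the check in
place the attacker must additionally hit a window of at most a few
tens of kilobytes out of 2^32 positions for every port pair tried.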
Due to a missing length check in the code that handles
DNS parameters, a malformed router advertisement message
can result in a stack buffer overflow in rtsold(8).
Impact:
Receipt of a router advertisement message with a malformed
DNSSL option, for instance from a compromised host on the
same network, can cause rtsold(8) to crash.
While it is theoretically possible to inject code into
rtsold(8) through malformed router advertisement messages,
it is normally compiled with stack protection enabled,
rendering such an attack extremely difficult.
When rtsold(8) crashes, the existing DNS configuration
will remain in force, and the kernel will continue to receive
and process periodic router advertisements.
The input path in routed(8) will accept queries from any
source and attempt to answer them. However, the output path
assumes that the destination address for the response is
on a directly connected network.
Impact:
Upon receipt of a query from a source which is not on a
directly connected network, routed(8) will trigger an
assertion and terminate. The affected system's routing table
will no longer be updated. If the affected system is a
router, its routes will eventually expire from other routers'
routing tables, and its networks will no longer be reachable
unless they are also connected to another router.
The namei facility will leak a small amount of kernel
memory every time a sandboxed process looks up a nonexistent
path name.
Impact:
A remote attacker that can cause a sandboxed process
(for instance, a web server) to look up a large number of
nonexistent path names can cause memory exhaustion.
Although OpenSSH is not multithreaded, when OpenSSH is
compiled with Kerberos support, the Heimdal libraries bring
in the POSIX thread library as a dependency. Due to incorrect
library ordering while linking sshd(8), symbols in the C
library which are shadowed by the POSIX thread library may
not be resolved correctly at run time.
Note that this problem is specific to the FreeBSD build
system and does not affect other operating systems or the
version of OpenSSH available from the FreeBSD ports tree.
Impact:
An incorrectly linked sshd(8) child process may deadlock
while handling an incoming connection. The connection may
then time out or be interrupted by the client, leaving the
deadlocked sshd(8) child process behind. Eventually, the
sshd(8) parent process stops accepting new connections.
An attacker may take advantage of this by repeatedly
connecting and then dropping the connection after having
begun, but not completed, the authentication process.
When setlogin(2) is called while setting up a new login
session, the login name is copied into an uninitialized
stack buffer, which is then copied into a buffer of the
same size in the session structure. The getlogin(2) system
call returns the entire buffer rather than just the portion
occupied by the login name associated with the session.
Impact:
An unprivileged user can access this memory by calling
getlogin(2) and reading beyond the terminating NUL character
of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD
9 and 10) bytes of kernel memory may be leaked in this
manner for each invocation of setlogin(2).
This memory may contain sensitive information, such as
portions of the file cache or terminal buffers, which an
attacker might leverage to obtain elevated privileges.
A malicious HTTP server could cause ftp(1) to execute
arbitrary commands.
Impact:
When operating on HTTP URIs, the ftp(1) client follows
HTTP redirects, and uses the part of the path after the
last '/' from the last resource it accesses as the output
filename if '-o' is not specified.
If the output file name provided by the server begins
with a pipe ('|'), the output is passed to popen(3), which
might be used to execute arbitrary commands on the ftp(1)
client machine.
A programming error in the standard I/O library's
__sflush() function could erroneously adjust the buffered
stream's internal state even when no write actually occurred,
in the case where the write(2) system call returns an error.
Impact:
If the caller does not check the stream status, the
accounting mismatch accumulates and will eventually lead
to a heap buffer overflow.
Such overflows may lead to data corruption or the execution
of arbitrary code at the privilege level of the calling
program.
A lack of proper input checks in the ICMPv6 processing
in the SCTP stack can lead to either a failed kernel assertion
or to a NULL pointer dereference. In either case, a kernel
panic will follow.
Impact:
A remote, unauthenticated attacker can reliably trigger
a kernel panic in a vulnerable system running IPv6. Any
kernel compiled with both IPv6 and SCTP support is vulnerable.
There is no requirement to have an SCTP socket open.
IPv4 ICMP processing is not impacted by this vulnerability.
A programming error in the Linux compatibility layer
setgroups(2) system call can lead to unexpected results,
such as overwriting random kernel memory contents.
Impact:
It is possible for a local attacker to overwrite portions
of kernel memory, which may result in a privilege escalation
or cause a system panic.
A programming error in processing a TCP connection with
both TCP_MD5SIG and TCP_NOOPT socket options may lead to a
kernel crash.
Impact:
A local attacker can crash the kernel, resulting in a
denial-of-service.
A remote attack is theoretically possible if the server has
a listening socket with TCP_NOOPT set, and the server is
either out of SYN cache entries or has the SYN cache disabled
by configuration.
The SNMP protocol supports an authentication model called
USM, which relies on a shared secret. The default permission
of the snmpd configuration file, /etc/snmpd.config, is
weak and does not provide adequate protection against local
unprivileged users.
Impact:
A local user may be able to read the shared secret, if
configured and used by the system administrator.
A cross-protocol attack was discovered that could lead
to decryption of TLS sessions by using a server supporting
SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA
padding oracle. Note that traffic between clients and
non-vulnerable servers can be decrypted provided another
server supporting SSLv2 and EXPORT ciphers (even with a
different protocol such as SMTP, IMAP or POP3) shares the
RSA keys of the non-vulnerable server. This vulnerability
is known as DROWN. [CVE-2016-0800]
A double free bug was discovered when OpenSSL parses
malformed DSA private keys and could lead to a DoS attack
or memory corruption for applications that receive DSA
private keys from untrusted sources. This scenario is
considered rare. [CVE-2016-0705]
The SRP user database lookup method SRP_VBASE_get_by_user
had confusing memory management semantics; the returned
pointer was sometimes newly allocated, and sometimes owned
by the callee. The calling code has no way of distinguishing
these two cases. [CVE-2016-0798]
In the BN_hex2bn function, the number of hex digits is
calculated using an int value |i|. Later |bn_expand| is
called with a value of |i * 4|. For large values of |i|
this can result in |bn_expand| not allocating any memory
because |i * 4| is negative. This can leave the internal
BIGNUM data field as NULL leading to a subsequent NULL
pointer dereference. For very large values of |i|, the
calculation |i * 4| could be a positive value smaller than
|i|. In this case memory is allocated to the internal BIGNUM
data field, but it is insufficiently sized leading to heap
corruption. A similar issue exists in BN_dec2bn. This could
have security consequences if BN_hex2bn/BN_dec2bn is ever
called by user applications with very large untrusted hex/dec
data. This is anticipated to be a rare occurrence.
[CVE-2016-0797]
The internal |fmtstr| function used in processing a "%s"
formatted string in the BIO_*printf functions could overflow
while calculating the length of a string and cause an
out-of-bounds read when printing very long strings.
[CVE-2016-0799]
A side-channel attack was found which makes use of
cache-bank conflicts on the Intel Sandy-Bridge microarchitecture
which could lead to the recovery of RSA keys. [CVE-2016-0702]
s2_srvr.c did not enforce that clear-key-length is 0 for
non-export ciphers. If clear-key bytes are present for these
ciphers, they displace encrypted-key bytes. [CVE-2016-0703]
s2_srvr.c overwrites the wrong bytes in the master key
when applying Bleichenbacher protection for export cipher
suites. [CVE-2016-0704]
Impact:
Servers that have the SSLv2 protocol enabled are vulnerable
to the "DROWN" attack, which allows a remote attacker to
quickly attack many recorded TLS connections made to the server,
even when the client did not make any SSLv2 connections
themselves.
An attacker who can supply malformed DSA private keys
to OpenSSL applications may be able to cause memory corruption
which would lead to a Denial of Service condition.
[CVE-2016-0705]
An attacker connecting with an invalid username can cause
a memory leak, which could eventually lead to a Denial of
Service condition. [CVE-2016-0798]
An attacker who can inject malformed data into an
application may be able to cause memory corruption which
would lead to a Denial of Service condition. [CVE-2016-0797,
CVE-2016-0799]
A local attacker who has control of code in a thread
running on the same hyper-threaded core as the victim thread
which is performing decryptions could recover RSA keys.
[CVE-2016-0702]
An eavesdropper who can intercept SSLv2 handshake can
conduct an efficient divide-and-conquer key recovery attack
and use the server as an oracle to determine the SSLv2
master-key, using only 16 connections to the server and
negligible computation. [CVE-2016-0703]
An attacker can use the Bleichenbacher oracle, which
enables a more efficient variant of the DROWN attack.
[CVE-2016-0704]
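The BN_hex2bn issue (CVE-2016-0797) above is a length-to-bits
calculation done in a signed int: for a digit count i around 2^29 the
product i * 4 wraps to a negative or to a positive value smaller than
i, and the allocation that follows is skipped or undersized. The
following is an added example (not OpenSSL code and not part of this
advisory) that reproduces the wrapped value observably and shows the
hardened form of the calculation; the function names are this
example's own.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* The pre-fix shape of the calculation: the digit count is an int and
 * the bit count handed to the expansion routine is i * 4 in int
 * arithmetic. Computing in 64 bits and converting back yields the same
 * truncated value without invoking signed-overflow undefined behaviour. */
int truncated_bits(int ndigits) {
    return (int)((int64_t)ndigits * 4);
}

/* Hardened form: count with size_t and refuse before multiplying
 * whenever the product could not be represented as a positive int.
 * Returns the bit count, or -1 for an empty or oversized input. */
int checked_hex_bits(size_t ndigits) {
    if (ndigits == 0 || ndigits > (size_t)INT_MAX / 4)
        return -1;
    return (int)(ndigits * 4);
}

/* Count the leading hexadecimal digits of s, as a hex parser does when
 * it scans its input, but with an unsigned size type. */
size_t count_hex_digits(const char *s) {
    size_t n = 0;
    while (s[n] != '\0' && isxdigit((unsigned char)s[n]))
        n++;
    return n;
}

/* Bits needed to hold the hex number at the start of s, or -1 if the
 * length cannot safely be turned into a bit count. */
int hex_string_bits(const char *s) {
    return checked_hex_bits(count_hex_digits(s));
}
```

The two truncated_bits cases in the test correspond to the two
outcomes the advisory describes: 0x7FFFFFFF digits gives a negative
bit count (no allocation, later NULL dereference), while 0x50000000
digits gives a positive count smaller than the digit count itself
(an allocation, but too small).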
Incorrect signedness comparison in the ioctl(2) handler
allows a malicious local user to overwrite a portion of the
kernel memory.
Impact:
A local user may crash the kernel, read a portion of
kernel memory and execute arbitrary code in kernel context.
Executing arbitrary code in kernel context results in
privilege escalation.
The implementation of the TIOCGSERIAL ioctl(2) does not
clear the output struct before copying it out to userland.
The implementation of the Linux sysinfo() system call
does not clear the output struct before copying it out to
userland.
Impact:
An unprivileged user can read a portion of uninitialised
kernel stack data, which may contain sensitive information,
such as the stack guard, portions of the file cache or
terminal buffers, which an attacker might leverage to obtain
elevated privileges.
The implementation of historic stat(2) system call does
not clear the output struct before copying it out to
userland.
Impact:
An unprivileged user can read a portion of uninitialised
kernel stack data, which may contain sensitive information,
such as the stack guard, portions of the file cache or
terminal buffers, which an attacker might leverage to obtain
elevated privileges.
Multiple vulnerabilities have been discovered in the NTP
suite:
The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
could cause ntpd to crash. [CVE-2016-4957, Reported by
Nicolas Edet of Cisco]
An attacker who knows the origin timestamp and can send
a spoofed packet containing a CRYPTO-NAK to an ephemeral
peer target before any other response is sent can demobilize
that association. [CVE-2016-4953, Reported by Miroslav
Lichvar of Red Hat]
An attacker who is able to spoof packets with correct
origin timestamps from enough servers before the expected
response packets arrive at the target machine can affect
some peer variables and, for example, cause a false leap
indication to be set. [CVE-2016-4954, Reported by Jakub
Prokes of Red Hat]
An attacker who is able to spoof a packet with a correct
origin timestamp before the expected response packet arrives
at the target machine can send a CRYPTO_NAK or a bad MAC
and cause the association's peer variables to be cleared.
If this can be done often enough, it will prevent that
association from working. [CVE-2016-4955, Reported by
Miroslav Lichvar of Red Hat]
The fix for NtpBug2978 does not cover broadcast associations,
so broadcast clients can be triggered to flip into interleave
mode. [CVE-2016-4956, Reported by Miroslav Lichvar of Red
Hat.]
Impact:
Malicious remote attackers may be able to break time
synchronization, or cause the ntpd(8) daemon to crash.
The implementation of bspatch does not check for a
negative value on numbers of bytes read from the diff and
extra streams, allowing an attacker who can control the
patch file to write at arbitrary locations in the heap.
This issue was first discovered by The Chromium Project
and reported independently by Lu Tung-Pin to the FreeBSD
project.
Impact:
An attacker who can control the patch file can cause a
crash or run arbitrary code under the credentials of the
user who runs bspatch, in many cases, root.
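The bspatch issue above comes down to trusting the three lengths in
each control record of the diff stream. The following is an added
example (not the bspatch source and not part of this advisory) that
decodes bsdiff's sign-magnitude offsets and validates a control record
before any copying happens; the negative-count test is the one the
advisory describes as missing, the other bounds are this example's own
choices, and the two records are constructed for illustration.

```c
#include <stdint.h>

/* Decode bsdiff's 8-byte offset encoding: little-endian magnitude with
 * the sign carried in the top bit of the last byte. A "negative" length
 * is therefore trivial to express in a hand-built patch. */
int64_t offtin(const uint8_t buf[8]) {
    int64_t y = buf[7] & 0x7F;
    for (int i = 6; i >= 0; i--)
        y = y * 256 + buf[i];
    return (buf[7] & 0x80) ? -y : y;
}

/* Validate one control triple (diff length, extra length, old-file seek)
 * before any data is read or written. Returns 0 if every access it
 * implies stays inside the old and new buffers, -1 otherwise. */
int validate_ctrl(const int64_t ctrl[3], int64_t oldsize, int64_t newsize,
                  int64_t oldpos, int64_t newpos) {
    if (oldsize < 0 || newsize < 0 || oldpos < 0 || newpos < 0 ||
        newpos > newsize)
        return -1;
    if (ctrl[0] < 0 || ctrl[1] < 0)               /* negative byte counts */
        return -1;
    if (ctrl[0] > newsize - newpos)               /* diff block overruns new */
        return -1;
    if (ctrl[1] > newsize - newpos - ctrl[0])     /* extra block overruns new */
        return -1;
    if (ctrl[0] > INT64_MAX - oldpos)             /* cursor arithmetic overflow */
        return -1;
    int64_t next_old = oldpos + ctrl[0];          /* cursor after the diff block */
    /* Design choice of this example: after the seek the old-file cursor
     * must land in [0, oldsize], rather than being tolerated out of range. */
    if (ctrl[2] < -next_old || ctrl[2] > oldsize - next_old)
        return -1;
    return 0;
}

/* Decode a 24-byte control record from the diff stream and validate it. */
int decode_and_validate(const uint8_t rec[24], int64_t oldsize,
                        int64_t newsize, int64_t oldpos, int64_t newpos,
                        int64_t ctrl_out[3]) {
    for (int i = 0; i < 3; i++)
        ctrl_out[i] = offtin(rec + 8 * i);
    return validate_ctrl(ctrl_out, oldsize, newsize, oldpos, newpos);
}

/* Constructed records for the worked cases (not from a real patch). */
static const uint8_t GOOD_REC[24] = {
    10, 0, 0, 0, 0, 0, 0, 0,      /* ctrl[0] = 10 */
     5, 0, 0, 0, 0, 0, 0, 0,      /* ctrl[1] = 5  */
     0, 0, 0, 0, 0, 0, 0, 0 };    /* ctrl[2] = 0  */
static const uint8_t NEG_REC[24] = {
     5, 0, 0, 0, 0, 0, 0, 0x80,   /* ctrl[0] = -5: sign bit set */
     0, 0, 0, 0, 0, 0, 0, 0,
     0, 0, 0, 0, 0, 0, 0, 0 };

int good_record_result(void) {
    int64_t c[3];
    return decode_and_validate(GOOD_REC, 100, 100, 0, 0, c);
}
int negative_record_result(void) {
    int64_t c[3];
    return decode_and_validate(NEG_REC, 100, 100, 0, 0, c);
}
int oversized_diff_result(void) {
    int64_t c[3] = { 200, 0, 0 };   /* diff block longer than the new file */
    return validate_ctrl(c, 100, 100, 0, 0);
}
int bad_seek_result(void) {
    int64_t c[3] = { 10, 0, -20 };  /* seeks before the start of the old file */
    return validate_ctrl(c, 100, 100, 0, 0);
}
```

A negative ctrl[0] in the original code would be used as a loop bound
and as a cursor adjustment, which is how the heap writes end up at
attacker-chosen locations; rejecting the record before the loop
removes that path entirely.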
lukemftpd(8) is an enhanced BSD FTP server produced
within the NetBSD project. The sources for lukemftpd are
shipped with some versions of FreeBSD, however it is not
built or installed by default. The build system option
WANT_LUKEMFTPD must be set to build and install lukemftpd.
[NOTE: An exception is FreeBSD 4.7-RELEASE,
wherein lukemftpd was installed, but not enabled, by
default.]
Przemyslaw Frasunek discovered several vulnerabilities
in lukemftpd arising from races in the out-of-band signal
handling code used to implement the ABOR command. As a
result of these races, the internal state of the FTP server
may be manipulated in unexpected ways.
A remote attacker may be able to cause FTP commands to
be executed with the privileges of the running lukemftpd
process. This may be a low-privilege `ftp' user if the `-r'
command line option is specified, or it may be superuser
privileges if `-r' is *not* specified.
Chad Loder has discovered vulnerabilities in tcpdump's
ISAKMP protocol handler. During an audit to repair these
issues, Bill Fenner discovered some related problems.
These vulnerabilities may be used by an attacker to crash a
running `tcpdump' process. They can only be triggered if
the `-v' command line option is being used.
NOTE: the racoon ISAKMP/IKE daemon incorporates the ISAKMP
protocol handler from tcpdump, and so is also affected by
this issue.
A flaw in the DTLS SRTP extension parsing code allows an
attacker, who sends a carefully crafted handshake message,
to cause OpenSSL to fail to free up to 64k of memory causing
a memory leak. This could be exploited in a Denial Of Service
attack. This issue affects OpenSSL 1.0.1 server implementations
for both SSL/TLS and DTLS regardless of whether SRTP is used
or configured. Implementations of OpenSSL that have been
compiled with OPENSSL_NO_SRTP defined are not affected.
[CVE-2014-3513].
When an OpenSSL SSL/TLS/DTLS server receives a session
ticket the integrity of that ticket is first verified.
In the event of a session ticket integrity check failing,
OpenSSL will fail to free memory causing a memory leak.
By sending a large number of invalid session tickets an
attacker could exploit this issue in a Denial Of Service
attack. [CVE-2014-3567].
OpenSSL has added support for TLS_FALLBACK_SCSV to allow
applications to block the ability for a MITM attacker to
force a protocol downgrade.
Some client applications (such as browsers) will reconnect
using a downgraded protocol to work around interoperability
bugs in older servers. This could be exploited by an active
man-in-the-middle to downgrade connections to SSL 3.0 even
if both sides of the connection support higher protocols.
SSL 3.0 contains a number of weaknesses including POODLE
[CVE-2014-3566].
When OpenSSL is configured with "no-ssl3" as a build option,
servers could accept and complete a SSL 3.0 handshake, and
clients could be configured to send them. [CVE-2014-3568].
When verifying a PKCS#1 v1.5 signature, OpenSSL ignores any
bytes which follow the cryptographic hash being signed. In
a valid signature there will be no such bytes.
Impact
OpenSSL will incorrectly report some invalid signatures as
valid. When an RSA public exponent of 3 is used, or more
generally when a small public exponent is used with a
relatively large modulus (e.g., a public exponent of 17 with
a 4096-bit modulus), an attacker can construct a signature
which OpenSSL will accept as a valid PKCS#1 v1.5 signature.
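The signature check above fails because the verifier locates the hash
inside the decoded block and does not insist that the block ends there.
The following is an added example (not OpenSSL code and not part of
this advisory) that parses a PKCS#1 v1.5 encoded block two ways: the
lax form that ignores bytes after the hash, and the strict form that
requires the DigestInfo and hash to fill the block exactly. The RSA
operation itself is omitted; the blocks are constructed directly and
sized for a 1024-bit modulus, and a constant stand-in digest is used.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHA256_LEN 32
/* DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2 note). */
static const uint8_t SHA256_PREFIX[] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };
#define T_LEN (sizeof(SHA256_PREFIX) + SHA256_LEN)

/* Walk the 0x00 0x01 FF..FF 0x00 framing. Returns the index where T
 * (DigestInfo || hash) starts, or 0 on a framing failure. At least 8
 * bytes of 0xFF padding are required, as the standard specifies. */
static size_t skip_header(const uint8_t *em, size_t emlen) {
    size_t i;
    if (emlen < 11 || em[0] != 0x00 || em[1] != 0x01)
        return 0;
    for (i = 2; i < emlen && em[i] == 0xFF; i++)
        ;
    if (i - 2 < 8 || i >= emlen || em[i] != 0x00)
        return 0;
    return i + 1;
}

/* Lax verifier (the flawed behaviour): compares DigestInfo and hash at
 * the first position after the padding and ignores whatever follows. */
int verify_em_lax(const uint8_t *em, size_t emlen, const uint8_t hash[SHA256_LEN]) {
    size_t t = skip_header(em, emlen);
    if (t == 0 || emlen - t < T_LEN)
        return 0;
    if (memcmp(em + t, SHA256_PREFIX, sizeof SHA256_PREFIX) != 0)
        return 0;
    return memcmp(em + t + sizeof SHA256_PREFIX, hash, SHA256_LEN) == 0;
}

/* Strict verifier: T must occupy exactly the remainder of the block, so
 * the padding length is fixed by emlen and no trailing bytes survive. */
int verify_em_strict(const uint8_t *em, size_t emlen, const uint8_t hash[SHA256_LEN]) {
    size_t t = skip_header(em, emlen);
    if (t == 0 || emlen - t != T_LEN)
        return 0;
    if (memcmp(em + t, SHA256_PREFIX, sizeof SHA256_PREFIX) != 0)
        return 0;
    return memcmp(em + t + sizeof SHA256_PREFIX, hash, SHA256_LEN) == 0;
}

/* Constructed block builder (not a real signature): ps_len bytes of 0xFF
 * padding, then T, then `filler` in any remaining bytes. A correctly
 * formed block has ps_len = emlen - 3 - T_LEN and nothing after T. */
int build_em(uint8_t *em, size_t emlen, size_t ps_len,
             const uint8_t hash[SHA256_LEN], uint8_t filler) {
    if (emlen < 3 + ps_len + T_LEN)
        return -1;
    memset(em, filler, emlen);
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xFF, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, SHA256_PREFIX, sizeof SHA256_PREFIX);
    memcpy(em + 3 + ps_len + sizeof SHA256_PREFIX, hash, SHA256_LEN);
    return 0;
}

/* Worked scenarios on a 128-byte block (1024-bit modulus). */
static int run_case(size_t ps_len, uint8_t filler, int strict) {
    uint8_t em[128], hash[SHA256_LEN];
    memset(hash, 0x42, sizeof hash);   /* constructed stand-in digest */
    if (build_em(em, sizeof em, ps_len, hash, filler) != 0)
        return -1;
    return strict ? verify_em_strict(em, sizeof em, hash)
                  : verify_em_lax(em, sizeof em, hash);
}
int well_formed_case(int strict)      { return run_case(128 - 3 - T_LEN, 0x00, strict); }
int trailing_garbage_case(int strict) { return run_case(8, 0xEE, strict); }
```

The trailing-garbage block has minimal padding and 66 bytes of
attacker-controllable content after the hash; the lax verifier accepts
it, the strict one does not. Those free bytes are exactly what a small
public exponent lets an attacker exploit, so the length check is the
whole fix.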
An integer overflow in computing the size of a temporary
buffer can result in a buffer which is too small for the requested
operation.
Impact:
An unprivileged process can read or write pages of memory
which belong to the kernel. These may lead to exposure of sensitive
information or allow privilege escalation.
Applications that use SSL_MODE_RELEASE_BUFFERS, such as nginx, are
prone to a race condition which may allow a remote attacker to
inject random data into other connections.
Multiple programming errors have been found in gzip which
can be triggered when gzip is decompressing files. These
errors include insufficient bounds checks in buffer use, a
NULL pointer dereference, and a potential infinite loop.
Impact
The insufficient bounds checks in buffer use can cause gzip
to crash, and may permit the execution of arbitrary code.
The NULL pointer dereference can cause gzip to crash. The
infinite loop can cause a Denial-of-Service situation where
gzip uses all available CPU time.
A flaw in a library used by BIND allows an
attacker to deliberately cause excessive memory
consumption by the named(8) process. This
affects both recursive and authoritative
servers.
Applications that use SSL_MODE_RELEASE_BUFFERS, such as nginx/apache,
are prone to a race condition which may allow a remote attacker to
crash the current service.
Two problems have been discovered relating to the
extraction of bzip2-compressed files. First, a carefully
constructed invalid bzip2 archive can cause bzip2 to enter
an infinite loop. Second, when creating a new file, bzip2
closes the file before setting its permissions.
Impact
The first problem can cause bzip2 to extract a bzip2
archive to an infinitely large file. If bzip2 is used in
automated processing of untrusted files this could be
exploited by an attacker to create a denial-of-service
situation by exhausting disk space or by consuming all
available CPU time.
The second problem can allow a local attacker to change the
permissions of local files owned by the user executing bzip2
providing that they have write access to the directory in
which the file is being extracted.
Workaround
Do not uncompress bzip2 archives from untrusted sources and
do not uncompress files in directories where untrusted users
have write access.
A BIND 9 DNS server set up to be a caching resolver is
vulnerable to a user querying a domain with very large resource
record sets (RRSets) when trying to negatively cache a response.
This can cause the BIND 9 DNS server (named process) to crash.
On "7th generation" and "8th generation" processors
manufactured by AMD, including the AMD Athlon, Duron, Athlon
MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, and
Sempron, the fxsave and fxrstor instructions do not save and
restore the FOP, FIP, and FDP registers unless the exception
summary bit (ES) in the x87 status word is set to 1,
indicating that an unmasked x87 exception has occurred.
This behaviour is consistent with documentation provided by
AMD, but is different from processors from other vendors,
which save and restore the FOP, FIP, and FDP registers
regardless of the value of the ES bit. As a result of this
discrepancy remaining unnoticed until now, the FreeBSD kernel
does not restore the contents of the FOP, FIP, and FDP
registers between context switches.
Impact
On affected processors, a local attacker can monitor the
execution path of a process which uses floating-point
operations. This may allow an attacker to steal
cryptographic keys or other sensitive information.
Workaround
No workaround is available, but systems which do not use AMD
Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX,
Opteron, Turion, or Sempron processors are not vulnerable.
There is no mechanism for preventing IPv6 routing headers
from being used to route packets over the same link(s) many
times.
Impact
An attacker can "amplify" a denial of service attack against
a link between two vulnerable hosts; that is, by sending a
small volume of traffic the attacker can consume a much larger
amount of bandwidth between the two vulnerable hosts.
An attacker can use vulnerable hosts to "concentrate" a
denial of service attack against a victim host or network;
that is, a set of packets sent over a period of 30 seconds
or more could be constructed such that they all arrive at
the victim within a period of 1 second or less.
OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable.
Local attackers may be able to write arbitrary messages to
logged-in users, including terminal escape sequences. Reported
by Nikolay Edigaryev.
Fixed a privilege separation
weakness related to PAM support. Attackers who could successfully
compromise the pre-authentication process for remote code
execution and who had valid credentials on the host could
impersonate other users.
Fixed a use-after-free bug
related to PAM support that was reachable by attackers who could
compromise the pre-authentication process for remote code
execution.
An un-checked return value in the BGP dissector code can
result in an integer overflow. This value is used in
subsequent buffer management operations, resulting in a stack
based buffer overflow under certain circumstances.
Impact:
By crafting malicious BGP packets, an attacker could exploit
this vulnerability to execute code or crash the tcpdump
process on the target system. This code would be executed in
the context of the user running tcpdump(1). It should be
noted that tcpdump(1) requires privileges in order to open live
network interfaces.
In case of an incoming ICMPv6 'Packet Too Big Message', there
is an insufficient check on the proposed new MTU for a path to
the destination.
Impact:
When the kernel is configured to process IPv6 packets and has
active IPv6 TCP sockets, a specifically crafted ICMPv6 'Packet
Too Big Message' could cause the TCP stack of the kernel to
panic.
Workaround:
Systems without INET6 / IPv6 support are not vulnerable and
neither are systems which do not listen on any IPv6 TCP sockets
and have no active IPv6 connections.
Filter ICMPv6 'Packet Too Big Messages' using a firewall, but
this will at the same time break PMTU support for IPv6
connections.
Historically OpenSSL only ever generated DH parameters based on "safe"
primes. More recently (in version 1.0.2) support was provided for
generating X9.42 style parameter files such as those required for RFC 5114
support. The primes used in such files may not be "safe". Where an
application is using DH configured with parameters based on primes that are
not "safe" then an attacker could use this fact to find a peer's private
DH exponent. This attack requires that the attacker complete multiple
handshakes in which the peer uses the same private DH exponent. For example
this could be used to discover a TLS server's private DH exponent if it's
reusing the private DH exponent or it's using a static DH ciphersuite.
OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
TLS. It is not on by default. If the option is not set then the server
reuses the same private DH exponent for the life of the server process and
would be vulnerable to this attack. It is believed that many popular
applications do set this option and would therefore not be at risk.
(CVE-2016-0701)
A malicious client can negotiate SSLv2 ciphers that have been disabled on
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
been disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.
(CVE-2015-3197)
A type * (ANY) query response containing multiple RRsets can
trigger an assertion failure.
Certain recursive queries can cause the nameserver to crash
by using memory which has already been freed.
Impact:
A remote attacker sending a type * (ANY) query to an
authoritative DNS server for a DNSSEC signed zone can cause
the named(8) daemon to exit, resulting in a Denial of
Service.
A remote attacker sending recursive queries can cause the
nameserver to crash, resulting in a Denial of Service.
Workaround:
There is no workaround available, but systems which are not
authoritative servers for DNSSEC signed zones are not
affected by the first issue; and systems which do not permit
untrusted users to perform recursive DNS resolution are not
affected by the second issue. Note that the default
configuration for named(8) in FreeBSD allows local access
only (which on many systems is equivalent to refusing access
to untrusted users).
Unrestricted access to the monlist feature in
ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote
attackers to cause a denial of service (traffic
amplification) via forged (1) REQ_MON_GETLIST or (2)
REQ_MON_GETLIST_1 requests, as exploited in the wild in
December 2013.
Add noquery to your default restrictions to block all
status queries.
Use disable monitor to disable the ``ntpdc -c monlist''
command while still allowing other status queries.
When named(8) is operating as a recursive DNS server or
sending NOTIFY requests to slave DNS servers, named(8)
uses a predictable query id.
Impact:
An attacker who can see the query id for some request(s)
sent by named(8) is likely to be able to perform DNS cache
poisoning by predicting the query id for other request(s).
Two problems have been discovered in the FreeBSD TCP stack.
First, when a TCP packet containing a timestamp is
received, inadequate checking of sequence numbers is
performed, allowing an attacker to artificially increase the
internal "recent" timestamp for a connection.
Second, a TCP packet with the SYN flag set is accepted for
established connections, allowing an attacker to overwrite
certain TCP options.
Impact
Using either of the two problems an attacker with knowledge
of the local and remote IP and port numbers associated with
a connection can cause a denial of service situation by
stalling the TCP connection. The stalled TCP connection may
be closed after some time by the other host.
Workaround
In some cases it may be possible to defend against these
attacks by blocking the attack packets using a firewall.
Packets used to effect either of these attacks would have
spoofed source IP addresses.
Symlinks created using the "GNUTYPE_NAMES" tar extension can
be absolute due to lack of proper sanity checks.
Impact:
If an attacker can get a user to extract a specially crafted
tar archive the attacker can overwrite arbitrary files with
the permissions of the user running gtar. If file system
permissions allow it, this may allow the attacker to overwrite
important system files (if gtar is being run as root), or
important user configuration files such as .tcshrc or .bashrc,
which would allow the attacker to run arbitrary commands.
Workaround:
Use "bsdtar", which is the default tar implementation in
FreeBSD 5.3 and higher. For FreeBSD 4.x, bsdtar is available
in the FreeBSD Ports Collection as
ports/archivers/libarchive.
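The gtar issue above is a missing sanity check on symlink targets taken
from the archive. The following is an added example (not gtar or
libarchive code and not part of this advisory) of the check an
extractor can apply before creating a link: absolute targets are
refused, and relative targets are walked component by component so
that ".." may not climb above the extraction root. The member path is
checked the same way, since a member named "../x" escapes just as an
absolute link does. Function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Walk a slash-separated path, starting at directory depth `depth`.
 * Each normal component descends one level and ".." climbs one; "." and
 * empty components are ignored. If skip_last is set the final component
 * (the file itself) is not counted. Returns the resulting depth, or -1
 * as soon as the walk would climb above the extraction root. */
static int walk_depth(const char *path, int depth, bool skip_last) {
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        bool last = (end == NULL);
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return -1;
        } else if (n > 0 && !(n == 1 && p[0] == '.') && !(last && skip_last)) {
            depth++;
        }
        if (!end)
            break;
        p = end + 1;
    }
    return depth;
}

/* Decide whether creating symlink `member_path` -> `target` keeps the
 * link inside the extraction tree. Rejects absolute member paths,
 * absolute or empty targets, member paths that escape via "..", and
 * targets that climb above the root relative to the link's directory. */
bool member_symlink_is_safe(const char *member_path, const char *target) {
    if (member_path == NULL || target == NULL)
        return false;
    if (member_path[0] == '/' || target[0] == '/' || target[0] == '\0')
        return false;
    int dir_depth = walk_depth(member_path, 0, true);  /* depth of the link's directory */
    if (dir_depth < 0)
        return false;                                   /* the member itself escapes */
    return walk_depth(target, dir_depth, false) >= 0;
}
```

The depth is computed relative to the directory that will contain the
link, not the extraction root, which is why "a/b/link" -> "../../etc"
is accepted (it resolves to "etc" under the root) while "link" ->
"../x" is not.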
In multiple situations the host's jail rc.d(8) script does
not check if a path inside the jail file system structure is
a symbolic link before using the path. In particular this is
the case when writing the output from the jail start-up to
/var/log/console.log and when mounting and unmounting file
systems inside the jail directory structure.
Impact:
Due to the lack of handling of potential symbolic links the
host's jail rc.d(8) script is vulnerable to "symlink
attacks". By replacing /var/log/console.log inside the jail
with a symbolic link it is possible for the superuser (root)
inside the jail to overwrite files on the host system outside
the jail with arbitrary content. This in turn can be used to
execute arbitrary commands with non-jailed superuser
privileges.
Similarly, by changing directory mount points inside the
jail file system structure into symbolic links, it may be
possible for a jailed attacker to mount file systems which
were meant to be mounted inside the jail at arbitrary points
in the host file system structure, or to unmount arbitrary
file systems on the host system.
NOTE WELL: The above vulnerabilities occur only when a jail
is being started or stopped using the host's jail rc.d(8)
script; once started (and until stopped), running jails
cannot exploit this.
Workaround:
If the sysctl(8) variable security.jail.chflags_allowed is
set to 0 (the default), setting the "sunlnk" system flag on
/var, /var/log, /var/log/console.log, and all file system
mount points and their parent directories inside the jail(s)
will ensure that the console log file and mount points are
not replaced by symbolic links. If this is done while jails
are running, the administrator must check that an attacker
has not replaced any directories with symlinks after setting
the "sunlnk" flag.
If ntpd receives a mode 7 (MODE_PRIVATE) request or error response
from a source address not listed in either a 'restrict ... noquery'
or a 'restrict ... ignore' section, it will log the event and send a
mode 7 error response.
As is commonly the case, the IPv6 and ATM network layer
ioctl request handlers are written in such a way that an
unrecognized request is passed on unmodified to the link
layer, which will either handle it or return an error
code.
Network interface drivers, however, assume that the
SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and
SIOCSIFNETMASK requests have been handled at the network
layer, and therefore do not perform input validation or
verify the caller's credentials. Typical link-layer actions
for these requests may include marking the interface as "up"
and resetting the underlying hardware.
Impact:
An unprivileged user with the ability to run arbitrary code
can cause any network interface in the system to perform the
link layer actions associated with a SIOCSIFADDR,
SIOCSIFBRDADDR, SIOCSIFDSTADDR or SIOCSIFNETMASK ioctl
request; or trigger a kernel panic by passing a specially
crafted address structure which causes a network interface
driver to dereference an invalid pointer.
Although this has not been confirmed, the possibility that
an attacker may be able to execute arbitrary code in kernel
context can not be ruled out.
NTF's NTP Project has been notified of the following
1 medium-severity vulnerability that is fixed in
ntp-4.2.8p5, released on Thursday, 7 January 2016:
Due to the interaction between devfs and VFS, a race condition
exists where the kernel might dereference a NULL pointer.
Impact:
Successful exploitation of the race condition can lead to local
kernel privilege escalation, kernel data corruption and/or
crash.
To exploit this vulnerability, an attacker must be able to run
code with user privileges on the target system.
Workaround:
An errata notice, FreeBSD-EN-09:05.null, has been released
simultaneously with this advisory and contains a kernel patch
implementing a workaround for a broader class of
vulnerabilities. Prior to those changes, no workaround
is available.
NTF's NTP Project has been notified of the following low-
and medium-severity vulnerabilities that are fixed in
ntp-4.2.8p6, released on Tuesday, 19 January 2016:
Bug 2948 / CVE-2015-8158: Potential Infinite Loop
in ntpq. Reported by Cisco ASIG.
Bug 2945 / CVE-2015-8138: origin: Zero Origin
Timestamp Bypass. Reported by Cisco ASIG.
Bug 2942 / CVE-2015-7979: Off-path Denial of
Service (DoS) attack on authenticated broadcast
mode. Reported by Cisco ASIG.
Bug 2940 / CVE-2015-7978: Stack exhaustion in
recursive traversal of restriction list.
Reported by Cisco ASIG.
A logic bug in pf's IP fragment cache may result in a packet
fragment being inserted twice, violating a kernel
invariant.
Impact:
By sending a carefully crafted sequence of IP packet fragments,
a remote attacker can cause a system running pf with a ruleset
containing a 'scrub fragment crop' or 'scrub fragment
drop-ovl' rule to crash.
Workaround:
Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl'
rules on systems running pf. In most cases, such rules can be
replaced by 'scrub fragment reassemble' rules; see the
pf.conf(5) manual page for more details.
Systems which do not use pf, or use pf but do not use the
aforementioned rules, are not affected by this issue.
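The rule substitution the workaround describes, as an added pf.conf example (not from the advisory); the interface macro is a placeholder.

```conf
# pf.conf fragment (added example)
ext_if = "em0"

# Affected: both of these exercise the buggy fragment-cache path.
# scrub in on $ext_if all fragment crop
# scrub in on $ext_if all fragment drop-ovl

# Replacement: full reassembly does not use the fragment cache and
# also gives later filter rules a complete packet to inspect.
scrub in on $ext_if all fragment reassemble
```

Before reloading, confirm no affected rule is still loaded with
`pfctl -sa | grep -E 'fragment (crop|drop-ovl)'`; an empty result means
the running ruleset contains neither form. Then `pfctl -nf /etc/pf.conf`
to syntax-check and `pfctl -f /etc/pf.conf` to load.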
When the arc4random(9) random number generator is
initialized, there may be inadequate entropy to meet the
needs of kernel systems which rely on arc4random(9); and it
may take up to 5 minutes before arc4random(9) is reseeded
with secure entropy from the Yarrow random number generator.
Impact:
All security-related kernel subsystems that rely on a
quality random number generator are subject to a wide range of
possible attacks for the 300 seconds after boot or until 64k
of random data is consumed. The list includes:
* GEOM ELI providers with onetime keys. When a provider is
configured in a way so that it gets attached at the same time
during boot (e.g. it uses the rc subsystem to initialize) it
might be possible for an attacker to recover the encrypted
data.
* GEOM shsec providers. The GEOM shsec subsystem is used to
split a shared secret between two providers so that it can be
recovered when both of them are present. This is done by
writing the random sequence to one of providers while
appending the result of the random sequence on the other host
to the original data. If the provider was created within the
first 300 seconds after booting, it might be possible for an
attacker to extract the original data with access to only one
of the two providers between which the secret data is split.
* System processes started early after boot may receive
predictable IDs.
* The 802.11 network stack uses arc4random(9) to generate
initial vectors (IV) for WEP encryption when operating in
client mode and WEP authentication challenges when operating
in hostap mode, which may be insecure.
* The IPv4, IPv6 and TCP/UDP protocol implementations rely
on a quality random number generator to produce unpredictable
IP packet identifiers, initial TCP sequence numbers and
outgoing port numbers. During the first 300 seconds after
booting, it may be easier for an attacker to execute IP
session hijacking, OS fingerprinting, idle scanning, or in
some cases DNS cache poisoning and blind TCP data injection
attacks.
* The kernel RPC code uses arc4random(9) to retrieve
transaction identifiers, which might make RPC clients
vulnerable to hijacking attacks.
It was discovered that the OpenSSH sshd daemon did not check the
list of keyboard-interactive authentication methods for duplicates.
A remote attacker could use this flaw to bypass the MaxAuthTries
limit, making it easier to perform password guessing attacks.
In the FW_GCROM ioctl, a signed integer comparison is used
instead of an unsigned integer comparison when computing the
length of a buffer to be copied from the kernel into the
calling application.
Impact:
A user in the "operator" group can read the contents of
kernel memory. Such memory might contain sensitive
information, such as portions of the file cache or terminal
buffers. This information might be directly useful, or it
might be leveraged to obtain elevated privileges in some way;
for example, a terminal buffer might include a user-entered
password.
Workaround:
No workaround is available, but systems without IEEE 1394
("FireWire") interfaces are not vulnerable. (Note that
systems with IEEE 1394 interfaces are affected regardless of
whether any devices are attached.)
Note also that FreeBSD does not have any non-root users in
the "operator" group by default; systems on which no users
have been added to this group are therefore also not
vulnerable.
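The bug class in the FW_GCROM description, a length compared as a signed integer before a copy out of kernel memory, modelled in user space as an added example. This is not the FreeBSD firewire driver code; the buffer sizes, the layout of the simulated kernel memory and the function names are assumptions, and the simulated copy is bounded so the over-read is measurable instead of faulting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the FreeBSD driver. Sizes and layout are assumed. */
#define CROM_LEN   1024   /* bytes of ROM image the caller may legitimately read */
#define SECRET_LEN 64     /* unrelated kernel data that happens to follow it */

/* Simulated kernel memory: the ROM image followed by data that must not leak. */
static unsigned char kernel_mem[CROM_LEN + SECRET_LEN];

/* Vulnerable length computation. A negative request such as -1 is not
 * greater than CROM_LEN when compared as int, so the clamp does not fire,
 * and the conversion to size_t for the copy turns -1 into SIZE_MAX. */
size_t vulnerable_copy_len(int user_len)
{
    int len = user_len;
    if (len > CROM_LEN)
        len = CROM_LEN;
    return (size_t)len;
}

/* Hardened version: reject negative requests first, then clamp as unsigned.
 * Returns 0 on success, -1 (EINVAL in a real ioctl handler) on error. */
int hardened_copy_len(int user_len, size_t *out)
{
    if (user_len < 0)
        return -1;
    *out = ((size_t)user_len > CROM_LEN) ? CROM_LEN : (size_t)user_len;
    return 0;
}

/* Simulated copyout using the vulnerable length. Returns how many bytes
 * past the end of the ROM image reached the caller's buffer. A real copyout
 * would keep going until it hit an unmapped page; here the destination is
 * sized to hold everything so the over-read can be counted. */
size_t bytes_leaked_vulnerable(int user_len)
{
    unsigned char dst[CROM_LEN + SECRET_LEN];
    size_t want = vulnerable_copy_len(user_len);
    size_t n = want < sizeof dst ? want : sizeof dst;

    memcpy(dst, kernel_mem, n);
    return n > CROM_LEN ? n - CROM_LEN : 0;
}

/* Same simulation with the hardened length: never exceeds CROM_LEN. */
size_t bytes_leaked_hardened(int user_len)
{
    unsigned char dst[CROM_LEN + SECRET_LEN];
    size_t n;

    if (hardened_copy_len(user_len, &n) != 0)
        return 0;                     /* rejected: nothing is copied */
    memcpy(dst, kernel_mem, n);
    return n > CROM_LEN ? n - CROM_LEN : 0;
}

int main(void)
{
    printf("request -1:   vulnerable leaks %zu bytes, hardened leaks %zu\n",
           bytes_leaked_vulnerable(-1), bytes_leaked_hardened(-1));
    printf("request 4096: vulnerable leaks %zu bytes, hardened leaks %zu\n",
           bytes_leaked_vulnerable(4096), bytes_leaked_hardened(4096));
    return 0;
}
```

The same pattern shows up whenever a user-supplied int is compared against a size and then handed to copyout(9) or memcpy(3): compare in the unsigned domain, and treat a negative request as an error rather than letting the cast decide.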
A part of the NFS server code charged with handling incoming
RPC messages via TCP had an error which, when the server
received a message with a zero-length payload, would cause a
NULL pointer dereference which results in a kernel panic. The
kernel will only process the RPC messages if a userland nfsd
daemon is running.
Impact:
The NULL pointer dereference allows a remote attacker capable
of sending RPC messages to an affected FreeBSD system to crash
the FreeBSD system.
Workaround:
Disable the NFS server: set the nfs_server_enable
variable to "NO" in /etc/rc.conf, and reboot.
Alternatively, if there are no active NFS clients (as
listed by the showmount(8) utility), simply killing the
mountd and nfsd processes should suffice.
Add firewall rules to block RPC traffic to the NFS server
from untrusted hosts.
The BIND DNS implementation does not randomize the UDP source
port when doing remote queries, and the query id alone does
not provide adequate randomization.
Impact:
The lack of source port randomization reduces the amount of
data the attacker needs to guess in order to successfully
execute a DNS cache poisoning attack. This allows the
attacker to influence or control the results of DNS queries
being returned to users from target systems.
Workaround:
Limiting the group of machines that can do recursive queries
on the DNS server will make it more difficult, but not
impossible, for this vulnerability to be exploited.
To limit the machines able to perform recursive queries, add an ACL in
named.conf and limit recursion like the following:
Because OpenSSH and OpenPAM have conflicting designs (one is event-
driven while the other is callback-driven), it is necessary for
OpenSSH to fork a child process to handle calls to the PAM framework.
However, if the unprivileged child terminates while PAM authentication
is under way, the parent process incorrectly believes that the PAM
child also terminated. The parent process then terminates, and the
PAM child is left behind.
Due to the way OpenSSH performs internal accounting, these orphaned
PAM children are counted as pending connections by the master OpenSSH
server process. Once a certain number of orphans has accumulated, the
master decides that it is overloaded and stops accepting client
connections.
Impact:
By repeatedly connecting to a vulnerable server, waiting for
a password prompt, and closing the connection, an attacker can
cause OpenSSH to stop accepting client connections until the
system restarts or an administrator manually kills the orphaned
PAM processes.
Workaround:
The following command will show a list of orphaned PAM
processes:
# pgrep -lf 'sshd.*\[pam\]'
The following command will kill orphaned PAM processes:
# pkill -f 'sshd.*\[pam\]'
To prevent OpenSSH from leaving orphaned PAM processes behind,
perform one of the following:
Disable PAM authentication in OpenSSH. Users will still
be able to log in using their Unix password, OPIE or SSH
keys.
To do this, execute the following commands as root:
If disabling PAM is not an option - if, for instance, you use
RADIUS authentication, or store user passwords in an SQL database
- you may instead disable privilege separation. However, this may
leave OpenSSH vulnerable to hitherto unknown bugs, and should be
considered a last resort.
To do this, execute the following commands as root:
IPv6 routers may allow "on-link" IPv6 nodes to create and
update the router's neighbor cache and forwarding
information. A malicious IPv6 node sharing a common router
but on a different physical segment from another node may be
able to spoof Neighbor Discovery messages, allowing it to
update router information for the victim node.
Impact:
An attacker on a different physical network connected to the
same IPv6 router as another node could redirect IPv6 traffic
intended for that node. This could lead to denial of service
or improper access to private network traffic.
Workaround:
Firewall packet filters can be used to filter incoming
Neighbor Solicitation messages but may interfere with normal
IPv6 operation if not configured carefully.
Reverse path forwarding checks could be used to make
gateways, such as routers or firewalls, drop Neighbor
Solicitation messages from nodes with unexpected source
addresses on a particular interface.
IPv6 router administrators are encouraged to read RFC 3756
for further discussion of Neighbor Discovery security
implications.
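One way to apply both workarounds on a pf-based IPv6 router, as an added example that is not part of the advisory. Interface names and prefixes are placeholders; the rules assume each segment has exactly one assigned prefix on its interface.

```conf
# pf.conf fragment for the router (added example; names are placeholders)
lan_if = "em1"      # segment with prefix 2001:db8:1::/64
dmz_if = "em2"      # segment with prefix 2001:db8:2::/64

# Reverse-path check: drop any packet, Neighbor Solicitations included,
# whose source address would not be routed back out the receiving interface.
block in quick from urpf-failed

# Neighbor Discovery on a segment may only come from that segment:
# link-local, the segment's own prefix, or the unspecified address that
# Duplicate Address Detection uses as its source.
pass in quick on $lan_if inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv } \
    from { fe80::/10, 2001:db8:1::/64, ::/128 }
block in quick on $lan_if inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }

pass in quick on $dmz_if inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv } \
    from { fe80::/10, 2001:db8:2::/64, ::/128 }
block in quick on $dmz_if inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }
```

Load with `pfctl -nf` first and watch `pfctl -s info` for a jump in the
block counters; hosts that legitimately source ND from an address outside
their segment's prefix (for example a second prefix you forgot) will lose
reachability, which is the interference the advisory warns about.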
If a General Protection Fault happens on a FreeBSD/amd64
system while it is returning from an interrupt, trap or
system call, the swapgs CPU instruction may be executed one
extra time when it should not be, resulting in userland and
kernel state being mixed.
Impact:
A local attacker who manipulates stack frames so that a General
Protection Fault occurs while the kernel is returning from an
interrupt, trap or system call can run arbitrary code with kernel
privileges.
The vulnerability can be used to gain kernel / supervisor
privilege. This can for example be used by normal users to
gain root privileges, to break out of jails, or bypass
Mandatory Access Control (MAC) restrictions.
Workaround:
No workaround is available, but only systems running the 64
bit FreeBSD/amd64 kernels are vulnerable.
Systems with 64 bit capable CPUs, but running the 32 bit
FreeBSD/i386 kernel are not vulnerable.
When downloading updates to FreeBSD via 'freebsd-update fetch' or
'freebsd-update upgrade', the freebsd-update(8) utility copies
currently installed files into its working directory
(/var/db/freebsd-update by default) both for the purpose of merging
changes to configuration files and in order to be able to roll back
installed updates.
The default working directory used by freebsd-update(8) is normally
created during the installation of FreeBSD with permissions which
allow all local users to see its contents, and freebsd-update(8) does
not take any steps to restrict access to files stored in said
directory.
An error in the handling of TKEY queries can be exploited
by an attacker for use as a denial-of-service vector, as a constructed
packet can use the defect to trigger a REQUIRE assertion failure,
causing BIND to exit.
The read-only flag is not correctly copied when a mbuf buffer
reference is duplicated. When the sendfile(2) system call is used to
transmit data over the loopback interface, this can result in the
backing pages for the transmitted file being modified, causing data
corruption.
A buffer allocated from the kernel stack may not be completely
initialized before being copied to userland. [CVE-2006-0379]
A logic error in computing a buffer length may allow too much
data to be copied into userland. [CVE-2006-0380]
Impact:
Portions of kernel memory may be disclosed to local users.
Such memory might contain sensitive information, such as
portions of the file cache or terminal buffers. This
information might be directly useful, or it might be
leveraged to obtain elevated privileges in some way. For
example, a terminal buffer might include a user-entered
password.
Integer signedness error in the archive_write_zip_data function in
archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when
running on 64-bit machines, allows context-dependent attackers to
cause a denial of service (crash) via unspecified vectors, which
triggers an improper conversion between unsigned and signed types,
leading to a buffer overflow.
Absolute path traversal vulnerability in bsdcpio in libarchive
3.1.2 and earlier allows remote attackers to write to arbitrary
files via a full pathname in an archive.
Libarchive issue tracker reports:
Using a crafted tar file bsdtar can perform an out-of-bounds memory
read which will lead to a SEGFAULT. The issue exists when the
executable skips data in the archive. The amount of data to skip is
defined in byte offset [16-19]. If ASLR is disabled, the issue can
lead to an infinite loop.
Various user defined input such as mount points, devices, and
mount options are prepared and passed as arguments to
nmount(2) into the kernel. Under certain error conditions,
user defined data will be copied into a stack allocated buffer
stored in the kernel without sufficient bounds checking.
Impact:
If the system is configured to allow unprivileged users to
mount file systems, it is possible for a local adversary to
exploit this vulnerability and execute code in the context of
the kernel.
Workaround:
It is possible to work around this issue by allowing only
privileged users to mount file systems by running the
following sysctl(8) command:
A flaw in OBJ_obj2txt may cause pretty printing functions
such as X509_name_oneline, X509_name_print_ex et al. to leak
some information from the stack. [CVE-2014-3508]
The issue affects OpenSSL clients and allows a malicious
server to crash the client with a null pointer dereference
(read) by specifying an SRP ciphersuite even though it was
not properly negotiated with the client. [CVE-2014-5139]
If a multithreaded client connects to a malicious server
using a resumed session and the server sends an ec point
format extension it could write up to 255 bytes to freed
memory. [CVE-2014-3509]
An attacker can force an error condition which causes
openssl to crash whilst processing DTLS packets due to
memory being freed twice. This can be exploited through
a Denial of Service attack. [CVE-2014-3505]
An attacker can force openssl to consume large amounts
of memory whilst processing DTLS handshake messages.
This can be exploited through a Denial of Service
attack. [CVE-2014-3506]
By sending carefully crafted DTLS packets an attacker
could cause openssl to leak memory. This can be exploited
through a Denial of Service attack. [CVE-2014-3507]
OpenSSL DTLS clients enabling anonymous (EC)DH
ciphersuites are subject to a denial of service attack.
A malicious server can crash the client with a null pointer
dereference (read) by specifying an anonymous (EC)DH
ciphersuite and sending carefully crafted handshake
messages. [CVE-2014-3510]
A flaw in the OpenSSL SSL/TLS server code causes the
server to negotiate TLS 1.0 instead of higher protocol
versions when the ClientHello message is badly
fragmented. This allows a man-in-the-middle attacker
to force a downgrade to TLS 1.0 even if both the server
and the client support a higher protocol version, by
modifying the client's TLS records. [CVE-2014-3511]
A malicious client or server can send invalid SRP
parameters and overrun an internal buffer. Only
applications which are explicitly set up for SRP
use are affected. [CVE-2014-3512]
When writing data into a buffer in the file_printf function,
the length of the unused portion of the buffer is not
correctly tracked, resulting in a buffer overflow when
processing certain files.
Impact:
An attacker who can cause file(1) to be run on a maliciously
constructed input can cause file(1) to crash. It may be
possible for such an attacker to execute arbitrary code with
the privileges of the user running file(1).
The above also applies to any other applications using the
libmagic(3) library.
Workaround:
No workaround is available, but systems where file(1) and
other libmagic(3)-using applications are never run on
untrusted input are not vulnerable.
A race condition exists in the pipe close() code relating
to kqueues, causing use-after-free for kernel memory, which
may lead to an exploitable NULL pointer vulnerability in the
kernel, kernel memory corruption, and other unpredictable
results.
Impact:
Successful exploitation of the race condition can lead to
local kernel privilege escalation, kernel data corruption
and/or crash.
To exploit this vulnerability, an attacker must be able to
run code on the target system.
Workaround:
An errata notice, FreeBSD-EN-09:05.null, has been released
simultaneously with this advisory and contains a kernel patch
implementing a workaround for a broader class of
vulnerabilities. Prior to those changes, no workaround
is available.
When replaying a setattr transaction, the replay code would set the
attributes to certain insecure defaults when the logged
transaction did not touch those attributes.
Named is potentially vulnerable to the OpenSSL vulnerability described in CVE-2015-3193.
Incorrect reference counting could result in an INSIST
failure if a socket error occurred while performing a lookup. This flaw
is disclosed in CVE-2015-8461. [RT#40945]
Insufficient testing when parsing a message allowed records
with an incorrect class to be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed in
CVE-2015-8000. [RT #40987]
We have today posted updated versions of 9.9.6 and 9.10.1
to address a significant security vulnerability in DNS
resolution. The flaw was discovered by Florian Maury of
ANSSI, and applies to any recursive resolver that does not
support a limit on the number of recursions. [CERTFR-2014-AVI-512],
[USCERT VU#264212]
A flaw in delegation handling could be exploited to put named
into an infinite loop, in which each lookup of a name server
triggered additional lookups of more name servers. This has
been addressed by placing limits on the number of levels of
recursion named will allow (default 7), and on the number of
queries that it will send before terminating a recursive query
(default 50). The recursion depth limit is configured via the
max-recursion-depth option, and the query limit via the
max-recursion-queries option. For more information, see the
security advisory at https://kb.isc.org/article/AA-01216/.
[CVE-2014-8500]
[RT #37580]
In addition, we have also corrected a potential security
vulnerability in the GeoIP feature in the 9.10.1 release only.
For more information on this issue, see the security advisory
at https://kb.isc.org/article/AA-01217.
[CVE-2014-8680]
Due to insufficient permission checks in the virtual memory
system, a tracing process (such as a debugger) may be able to
modify portions of the traced process's address space to which
the traced process itself does not have write access.
When running setuid programs rtld will normally remove potentially
dangerous environment variables. Due to recent changes in FreeBSD
environment variable handling code, a corrupt environment may
result in attempts to unset environment variables failing.
NTF's NTP Project has been notified of the following low-
and medium-severity vulnerabilities that are fixed in
ntp-4.2.8p7, released on Tuesday, 26 April 2016:
Bug 3020 / CVE-2016-1551: Refclock impersonation
vulnerability, AKA: refclock-peering. Reported by
Matt Street and others of Cisco ASIG
Bug 3012 / CVE-2016-1549: Sybil vulnerability:
ephemeral association attack, AKA: ntp-sybil -
MITIGATION ONLY. Reported by Matthew Van Gundy
of Cisco ASIG
Bug 3011 / CVE-2016-2516: Duplicate IPs on
unconfig directives will cause an assertion botch.
Reported by Yihan Lian of the Cloud Security Team,
Qihoo 360
Bug 3010 / CVE-2016-2517: Remote configuration
trustedkey/requestkey values are not properly
validated. Reported by Yihan Lian of the Cloud
Security Team, Qihoo 360
Bug 3009 / CVE-2016-2518: Crafted addpeer with
hmode > 7 causes array wraparound with MATCH_ASSOC.
Reported by Yihan Lian of the Cloud Security Team,
Qihoo 360
Bug 3008 / CVE-2016-2519: ctl_getitem() return
value not always checked. Reported by Yihan Lian
of the Cloud Security Team, Qihoo 360
Bug 3007 / CVE-2016-1547: Validate crypto-NAKs,
AKA: nak-dos. Reported by Stephen Gray and
Matthew Van Gundy of Cisco ASIG
Bug 2978 / CVE-2016-1548: Interleave-pivot -
MITIGATION ONLY. Reported by Miroslav Lichvar of
RedHat and separately by Jonathan Gardner of
Cisco ASIG.
Bug 2952 / CVE-2015-7704: KoD fix: peer
associations were broken by the fix for
NtpBug2901, AKA: Symmetric active/passive mode
is broken. Reported by Michael Tatarinov,
NTP Project Developer Volunteer
Bug 2945 / Bug 2901 / CVE-2015-8138: Zero
Origin Timestamp Bypass, AKA: Additional KoD Checks.
Reported by Jonathan Gardner of Cisco ASIG
Bug 2879 / CVE-2016-1550: Improve NTP security
against buffer comparison timing attacks,
authdecrypt-timing, AKA: authdecrypt-timing.
Reported independently by Loganaden Velvindron,
and Matthew Van Gundy and Stephen Gray of
Cisco ASIG.
The nullfs(5) implementation of the VOP_LINK(9) VFS
operation does not check whether the source and target of
the link are both in the same nullfs instance. It is
therefore possible to create a hardlink from a location in
one nullfs instance to a file in another, as long as the
underlying (source) filesystem is the same.
Impact:
If multiple nullfs views into the same filesystem are
mounted in different locations, a user with read access to
one of these views and write access to another will be able
to create a hard link from the latter to a file in the
former, even though they are, from the user's perspective,
different filesystems. The user may thereby gain write
access to files which are nominally on a read-only
filesystem.
NTF's NTP Project has been notified of the following 13 low-
and medium-severity vulnerabilities that are fixed in
ntp-4.2.8p4, released on Wednesday, 21 October 2015:
Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric
association authentication bypass via crypto-NAK
(Cisco ASIG)
Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch
instead of returning FAIL on some bogus values (IDA)
The only generally-exploitable bug in the above list is the
crypto-NAK bug, which has a CVSS2 score of 6.4.
Additionally, three bugs that have already been fixed in
ntp-4.2.8 but were not fixed in ntp-4.2.6 as it was EOL'd
have a security component, but are all below 1.8 CVSS score,
so we're reporting them here:
Bug 2382 : Peer precision < -31 gives division by zero
Bug 1774 : Segfaults if cryptostats enabled when built
without OpenSSL
Bug 1593 : ntpd abort in free() with logconfig syntax error
Some function pointers for netgraph and bluetooth sockets are
not properly initialized.
Impact:
A local user can cause the FreeBSD kernel to execute
arbitrary code. This could be used by an attacker directly;
or it could be used to gain root privilege or to escape from
a jail.
Workaround:
No workaround is available, but systems without local
untrusted users are not vulnerable. Furthermore, systems are
not vulnerable if they have neither the ng_socket nor
ng_bluetooth kernel modules loaded or compiled into the
kernel.
Systems with the security.jail.socket_unixiproute_only
sysctl set to 1 (the default) are only vulnerable if they have
local untrusted users outside of jails.
A very uncommon combination of zone data has been found
that triggers a bug in BIND, with the result that named
will exit with a "REQUIRE" failure in name.c when validating
the data returned in answer to a recursive query.
A recursive resolver that is performing DNSSEC validation
can be deliberately terminated by any attacker who can
cause a query to be performed against a maliciously
constructed zone. This will result in a denial of
service to clients who rely on that resolver.
Because of a defect in handling queries for NSEC3-signed zones,
BIND can crash with an "INSIST" failure in name.c when processing
queries possessing certain properties. By exploiting this defect
an attacker deliberately constructing a query with the right
properties could achieve denial of service against an authoritative
nameserver serving NSEC3-signed zones.
The firewall maintains a pointer to layer 4 header
information in the event that it needs to send a TCP reset
or ICMP error message to discard packets. Due to incorrect
handling of IP fragments, this pointer fails to get
initialized.
Impact:
An attacker can cause the firewall to crash by sending ICMP
IP fragments to or through firewalls which match any reset,
reject or unreach actions.
Workaround:
Change any reset, reject or unreach actions to deny. It
should be noted that this will result in packets being
silently discarded.
An integer overflow in the handling of corrupt IEEE 802.11
beacon or probe response frames when scanning for existing
wireless networks can result in the frame overflowing a
buffer.
Impact:
An attacker able to broadcast a carefully crafted beacon or
probe response frame may be able to execute arbitrary code
within the context of the FreeBSD kernel on any system
scanning for wireless networks.
Workaround:
No workaround is available, but systems without IEEE 802.11
hardware or drivers loaded are not vulnerable.
When initializing the SCTP state cookie being sent in INIT-ACK chunks,
a buffer allocated from the kernel stack is not completely initialized.
Impact:
Fragments of kernel memory may be included in SCTP packets and
transmitted over the network. For each SCTP session, there are two
separate instances in which a 4-byte fragment may be transmitted.
This memory might contain sensitive information, such as portions of the
file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in
some way. For example, a terminal buffer might include a user-entered
password.
OpenSSH clients between versions 5.4 and 7.1 are vulnerable to
information disclosure that may allow a malicious server to retrieve
information including, under some circumstances, the user's private keys.
Missing sanitisation of untrusted input allows an
authenticated user who is able to request X11 forwarding
to inject commands to xauth(1).
Injection of xauth commands grants the ability to read
arbitrary files under the authenticated user's privilege.
Other xauth commands allow limited information leakage,
file overwrite, port probing and generally expose xauth(1),
which was not written with a hostile user in mind, as an
attack surface.
Mitigation:
Set X11Forwarding=no in sshd_config. This is the default.
For authorized_keys that specify a "command" restriction,
also set the "restrict" (available in OpenSSH >=7.2) or
"no-x11-forwarding" restrictions.
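The two settings the mitigation names, as an added example (not from the OpenSSH advisory). The forced command, the key blob and the comment are placeholders; the second authorized_keys line is the spelling for servers older than OpenSSH 7.2, where the "restrict" option does not exist.

```conf
# /etc/ssh/sshd_config (added example): the default, stated explicitly so
# a later "X11Forwarding yes" in an included file or Match block is noticed.
X11Forwarding no

# ~/.ssh/authorized_keys (added example). "restrict" disables X11, agent
# and port forwarding, pty allocation and user-rc in one word; a client
# that requests X11 forwarding never reaches xauth(1).
restrict,command="/usr/local/bin/backup-receiver" ssh-ed25519 AAAA<base64 key> backup@example

# Same intent on OpenSSH < 7.2, which has no "restrict": spell out each one.
no-X11-forwarding,no-agent-forwarding,no-port-forwarding,no-pty,command="/usr/local/bin/backup-receiver" ssh-ed25519 AAAA<base64 key> backup@example
```

Verify the effective value with `sshd -T | grep -i x11forwarding` after
editing; with X11Forwarding off the server answers an `ssh -X` client's
x11-req with a failure, and xauth is never invoked.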
If a client requests DNSSEC records with the Checking Disabled (CD)
flag set, BIND may cache the unvalidated responses. These responses
may later be returned to another client that has not set the CD
flag.
The kernel incorrectly uses client supplied credentials
instead of the one configured in exports(5) when filling out the
anonymous credential for a NFS export, when -network or -host
restrictions are used at the same time.
Impact:
The remote client may supply privileged credentials (e.g. the
root user) when accessing a file under the NFS share, which will bypass
the normal access checks.
The ftpd(8) server splits long commands into several
requests. This may result in the server executing a command
which is hidden inside another very long command.
Impact:
This could, with a specifically crafted command, be used in a
cross-site request forgery attack.
FreeBSD systems running ftpd(8) server could act as a point
of privilege escalation in an attack against users using web
browser to access trusted FTP sites.
Workaround:
No workaround is available, but systems not running FTP
servers are not vulnerable. Systems not running the FreeBSD
ftp(8) server are not affected, but users of other ftp
daemons are advised to take care since several other ftp
daemons are known to have related bugs.
Parsing a malformed DNSSEC key can cause a validating
resolver to exit due to a failed assertion in buffer.c. It is possible
for a remote attacker to deliberately trigger this condition, for
example by using a query which requires a response from a zone
containing a deliberately malformed key.
For a recursive DNS server, a remote attacker sending enough
recursive queries for the replies to arrive after all the
interested clients have left the recursion queue will trigger
an INSIST failure in the named(8) daemon. Also for a
recursive DNS server, an assertion failure can occur when
processing a query whose reply will contain more than one
SIG(covered) RRset.
For an authoritative DNS server serving a RFC 2535 DNSSEC
zone which is queried for the SIG records where there are
multiple SIG(covered) RRsets (e.g. a zone apex), named(8)
will trigger an assertion failure when it tries to construct
the response.
Impact:
An attacker who can perform recursive lookups on a DNS server
and is able to send a sufficiently large number of recursive
queries, or is able to get the DNS server to return more than
one SIG(covered) RRsets can stop the functionality of the DNS
service.
An attacker querying an authoritative DNS server serving a
RFC 2535 DNSSEC zone may be able to crash the DNS server.
Workaround:
A possible workaround is to only allow trusted clients to
perform recursive queries.
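A named.conf fragment, as an added example that is not from any of the BIND advisories on this page, covering the recursion ACL that both the source-port-randomization workaround ("add an ACL in named.conf and limit recursion") and the workaround just above describe, together with the max-recursion-depth and max-recursion-queries limits introduced with the CVE-2014-8500 fix. The ACL name and network ranges are placeholders; the two limit options require a BIND release that contains that fix.

```conf
// named.conf fragment (added example; names and prefixes are placeholders)

// Only the clients we serve may ask us to recurse.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;
    2001:db8:1::/64;
};

options {
    recursion yes;
    allow-recursion   { trusted; };
    // Also keep outsiders out of the cache, otherwise the ACL above is
    // bypassed for any name we have already resolved.
    allow-query-cache { trusted; };

    // Limits from the CVE-2014-8500 fix (values shown are the defaults).
    // Delegation chasing deeper than this, or needing more queries than
    // this, is abandoned instead of looping.
    max-recursion-depth   7;
    max-recursion-queries 50;
};
```

After editing, `named-checkconf` validates the syntax and `rndc reload`
applies it; a host outside the ACL should then receive REFUSED for a
recursive query (`dig @server example.org +recurse`), while a host
inside it still gets an answer.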
The PV pagetable code has fast-paths for making updates to
pre-existing pagetable entries, to skip expensive re-validation
in safe cases (e.g. clearing only Access/Dirty bits). The bits
considered safe were too broad, and not actually safe.
A malicious PV guest administrator can escalate their privilege to
that of the host.
Supervisor Mode Access Prevention is a hardware feature designed
to make an Operating System more robust, by raising a pagefault
rather than accidentally following a pointer into userspace.
However, legitimate accesses into userspace require whitelisting,
and the exception delivery mechanism for 32bit PV guests wasn't
whitelisted.
A malicious 32-bit PV guest kernel can trigger a safety check,
crashing the hypervisor and causing a denial of service to other
VMs on the host.
A guest can submit virtio requests without bothering to wait for
completion and is therefore not bound by virtqueue size...
A malicious guest administrator can cause unbounded memory
allocation in QEMU, which can cause an Out-of-Memory condition
in the domain running qemu. Thus, a malicious guest administrator
can cause a denial of service affecting the whole host.
libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.
idn: Solve out-of-bounds-read when reading one zero byte as input.
Also replaced fgets with getline.
libidn: stringprep_utf8_nfkc_normalize now rejects invalid UTF-8. It was
always documented to accept only UTF-8 data, but now it no longer
crashes when presented with invalid input.
The Xerces-C XML parser fails to successfully parse a
DTD that is deeply nested, and this causes a stack overflow, which
makes a denial of service attack against many applications possible
by an unauthenticated attacker.
Also, CVE-2016-2099: Use-after-free vulnerability in
validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier
allows context-dependent attackers to have unspecified impact via an
invalid character in an XML document.
An OpenDocument Presentation .ODP or Presentation Template
.OTP file can contain invalid presentation elements that lead
to memory corruption when the document is loaded in Apache
OpenOffice Impress. The defect may cause the document to appear
as corrupted and OpenOffice may crash in a recovery-stuck mode
requiring manual intervention. A crafted exploitation of the
defect can allow an attacker to cause denial of service
(memory corruption and application crash) and possible
execution of arbitrary code.
Extbase request handling fails to implement a proper access check for
requested controller/action combinations, which makes it possible for an
attacker to execute arbitrary Extbase actions by crafting a special request. To
successfully exploit this vulnerability, an attacker must have access to at
least one Extbase plugin or module action in a TYPO3 installation. The missing
access check inevitably leads to information disclosure or remote code
execution, depending on the action that an attacker is able to execute.
These updates resolve a race condition vulnerability that could
lead to information disclosure (CVE-2016-4247).
These updates resolve type confusion vulnerabilities that could
lead to code execution (CVE-2016-4223, CVE-2016-4224,
CVE-2016-4225).
These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222,
CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229,
CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).
These updates resolve a heap buffer overflow vulnerability that
could lead to code execution (CVE-2016-4249).
These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179,
CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183,
CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187,
CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217,
CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221,
CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236,
CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240,
CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244,
CVE-2016-4245, CVE-2016-4246).
These updates resolve a memory leak vulnerability (CVE-2016-4232).
These updates resolve stack corruption vulnerabilities that could
lead to code execution (CVE-2016-4176, CVE-2016-4177).
These updates resolve a security bypass vulnerability that could
lead to information disclosure (CVE-2016-4178).
An exploitable Use After Free vulnerability exists in the
RTF parser of LibreOffice. A specially crafted file can cause a use after
free resulting in possible arbitrary code execution. To exploit the
vulnerability, a malicious file needs to be opened by the user via the
vulnerable application.
An exploitable heap overflow vulnerability exists in the
NArchive::NHfs::CHandler::ExtractZlibFile method functionality of
7zip that can lead to arbitrary code execution.
An out-of-bounds read vulnerability exists in the way 7-Zip
handles Universal Disk Format (UDF) files.
Central to 7-Zip's processing of UDF files is the
CInArchive::ReadFileItem method. Because volumes can have more than
one partition map, their objects are kept in an object vector. To
start looking for an item, this method tries to reference the proper
object using the partition map's object vector and the "PartitionRef"
field from the Long Allocation Descriptor. Lack of checking whether
the "PartitionRef" field is bigger than the available amount of
partition map objects causes a read out-of-bounds and can lead, in
some circumstances, to arbitrary code execution.
ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack
in the specific scenario where a signature referenced two elements at the same
time but still passed the schema validator process, since one of the elements was
inside the encrypted assertion.
ruby-saml users must update to 1.3.0, which implements three extra validations to
mitigate this kind of attack.
The onReadyRead function in core/coreauthhandler.cpp in Quassel
before 0.12.4 allows remote attackers to cause a denial of service
(NULL pointer dereference and crash) via invalid handshake data.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the Rocker switch emulation support is
vulnerable to an off-by-one error. It happens while processing
transmit(tx) descriptors in 'tx_consume' routine, if a descriptor
was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments.
A privileged user inside a guest could use this flaw to cause memory
leakage on the host or crash the Qemu process instance resulting in
a DoS issue.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the Q35 chipset based pc system emulator
is vulnerable to a heap based buffer overflow. It occurs during VM
guest migration, as more data (16 bytes) is moved into an allocated
memory area (8 bytes).
A privileged guest user could use this issue to corrupt the VM
guest image, potentially leading to a DoS. This issue affects q35
machine types.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the Human Monitor Interface (HMP) support
is vulnerable to an OOB write issue. It occurs while processing
'sendkey' command in hmp_sendkey routine, if the command argument is
longer than the 'keyname_buf' buffer size.
A user/process could use this flaw to crash the Qemu process
instance resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator
support is vulnerable to a memory leakage flaw. It occurs when a
guest repeatedly tries to activate the vmxnet3 device.
A privileged guest user could use this flaw to leak host memory,
resulting in DoS on the host.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the SCSI MegaRAID SAS HBA emulation
support is vulnerable to a stack buffer overflow issue. It occurs
while processing the SCSI controller's CTRL_GET_INFO command. A
privileged guest user could use this flaw to crash the Qemu process
instance resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the i8255x (PRO100) emulation support is
vulnerable to an infinite loop issue. It could occur while
processing a chain of commands located in the Command Block List
(CBL). Each Command Block (CB) points to the next command in the
list. An infinite loop unfolds if the link to the next CB points
to the same block or there is a closed loop in the chain.
A privileged (CAP_SYS_RAWIO) user inside a guest could use this flaw
to crash the Qemu instance resulting in DoS.
The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate an X509
client certificate correctly when the experimental module for the HTTP/2
protocol is used to access a resource.
The net result is that a resource that should require a valid client
certificate in order to get access can be accessed without that credential.
HTTP header injection in urllib2/urllib/httplib/http.client with
newlines in header values, where newlines have the semantic consequence of
denoting the start of an additional header line.
In the x86 shadow pagetable code, the guest frame number of a
superpage mapping is stored in a 32-bit field. If a shadowed guest
can cause a superpage mapping of a guest-physical address at or
above 2^44 to be shadowed, the top bits of the address will be lost,
causing an assertion failure or NULL dereference later on, in code
that removes the shadow.
A HVM guest using shadow pagetables can cause the host to crash.
A PV guest using shadow pagetables (i.e. being migrated) with PV
superpages enabled (which is not the default) can crash the host, or
corrupt hypervisor memory, and so a privilege escalation cannot be
ruled out.
Various parts of libxl device-handling code inappropriately use
information from (partially) guest controlled areas of xenstore.
A malicious guest administrator can cause denial of service by
resource exhaustion.
A malicious guest administrator can confuse and/or deny service to
management facilities.
A malicious guest administrator of a guest configured with channel
devices may be able to escalate their privilege to that of the
backend domain (i.e., normally, to that of the host).
The Page Size (PS) page table entry bit exists at all page table
levels other than L1. Its meaning is reserved in L4, and
conditionally reserved in L3 and L2 (depending on hardware
capabilities). The software page table walker in the hypervisor,
however, so far ignored that bit in L4 and (on respective hardware)
L3 entries, resulting in pages being treated as page tables which
the guest OS may not have designated as such. If the page in
question is writable by an unprivileged user, then that user will
be able to map arbitrary guest memory.
On vulnerable OSes, guest user mode code may be able to establish
mappings of arbitrary memory inside the guest, allowing it to
elevate its privileges inside the guest.
The Qemu VGA module allows banked access to video memory using the
window at 0xa00000 and it supports different access modes with
different address calculations.
The Qemu VGA module allows a guest to edit certain registers in 'vbe'
and 'vga' modes.
A privileged guest user could use CVE-2016-3710 to exceed the bank
address window and write beyond the said memory area, potentially
leading to arbitrary code execution with privileges of the Qemu
process. If the system is not using stubdomains, this will be in
domain 0.
A privileged guest user could use CVE-2016-3712 to cause potential
integer overflow or OOB read access issues in Qemu, resulting in a DoS
of the guest itself. More dangerous effects, such as data leakage or
code execution, are not known but cannot be ruled out.
When the libxl toolstack launches qemu for HVM guests, it pipes the
output of stderr to a file in /var/log/xen. This output is not
rate-limited in any way. The guest can easily cause qemu to print
messages to stderr, causing this file to become arbitrarily large.
The disk containing the logfile can be exhausted, possibly causing a
denial-of-service (DoS).
Affected versions of SQLite reject potential tempdir locations if
they are not readable, falling back to '.'. Thus, SQLite will favor
e.g. using cwd for tempfiles on such a system, even if cwd is an
unsafe location. Notably, SQLite also checks the permissions of
'.', but ignores the results of that check.
A vulnerability in smtplib allows a MITM attacker to perform a
startTLS stripping attack. smtplib does not seem to raise an exception
when the remote end (smtp server) is capable of negotiating starttls but
fails to respond with 220 (ok) to an explicit call of SMTP.starttls().
This may allow a malicious MITM to perform a startTLS stripping attack
if the client code does not explicitly check the response code for startTLS.
Some partition-level operations exist that do not explicitly also
authorize privileges of the parent table. This can lead to issues when
the parent table would have denied the operation, but no denial occurs
because the partition-level privilege is not checked by the
authorization framework, which defines authorization entities only
from the table level upwards.
Multiple versions of Open vSwitch are vulnerable to remote buffer
overflow attacks, in which crafted MPLS packets could overflow the
buffer reserved for MPLS labels in an OVS internal data structure.
The MPLS packets that trigger the vulnerability and the potential for
exploitation vary depending on version:
Open vSwitch 2.1.x and earlier are not vulnerable.
In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be
exploited for arbitrary remote code execution.
In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead
to a remote code execution exploit, but testing shows that it can allow a
remote denial of service. See the mitigation section for details.
The parse_chunk_header function in libtorrent before 1.1.1
allows remote attackers to cause a denial of service (crash) via a
crafted (1) HTTP response or possibly a (2) UPnP broadcast.
OpenSSL through 1.0.2h incorrectly uses pointer arithmetic
for heap-buffer boundary checks, which might allow remote attackers to
cause a denial of service (integer overflow and application crash) or
possibly have unspecified other impact by leveraging unexpected malloc
behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
Dnsmasq before 2.76 allows remote servers to cause a denial
of service (crash) via a reply with an empty DNS address that has an (1)
A or (2) AAAA record defined locally.
HAproxy 1.6.x before 1.6.6, when a deny comes from a
reqdeny rule, allows remote attackers to cause a denial of service
(uninitialized memory access and crash) or possibly have unspecified
other impact via unknown vectors.
WordPress 4.5.3 is now available. This is a security release for
all previous versions and we strongly encourage you to update your
sites immediately.
WordPress versions 4.5.2 and earlier are affected by several
security issues: redirect bypass in the customizer, reported by
Yassine Aboukir; two different XSS problems via attachment names,
reported by Jouko Pynnönen and Divyesh Prajapati; revision history
information disclosure, reported independently by John Blackbourn
from the WordPress security team and by Dan Moen from the Wordfence
Research Team; oEmbed denial of service reported by Jennifer Dodd
from Automattic; unauthorized category removal from a post, reported
by David Herrera from Alley Interactive; password change via stolen
cookie, reported by Michael Adams from the WordPress security team;
and some less secure sanitize_file_name edge cases reported by Peter
Westwood of the WordPress security team.
The Piwik Security team is grateful for the responsible
disclosures by our security researchers: Egidio Romano (granted a
critical security bounty), James Kettle and Paweł Bartunek (XSS) and
Emanuel Bronshtein (limited XSS).
On a server redirect from HTTP to an FTP resource, wget would trust the
HTTP server and use the name in the redirected URL as the destination
filename.
These updates harden a mitigation against JIT spraying attacks that
could be used to bypass memory layout randomization mitigations
(CVE-2016-1006).
These updates resolve type confusion vulnerabilities that could
lead to code execution (CVE-2016-1015, CVE-2016-1019).
These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016,
CVE-2016-1017, CVE-2016-1031).
These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021,
CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025,
CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029,
CVE-2016-1032, CVE-2016-1033).
These updates resolve a stack overflow vulnerability that could
lead to code execution (CVE-2016-1018).
These updates resolve a security bypass vulnerability
(CVE-2016-1030).
These updates resolve a vulnerability in the directory search path
used to find resources that could lead to code execution
(CVE-2016-1014).
These updates resolve type confusion vulnerabilities that could
lead to code execution (CVE-2016-1105, CVE-2016-4117).
These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107,
CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108,
CVE-2016-4110, CVE-2016-4121).
These updates resolve a heap buffer overflow vulnerability that
could lead to code execution (CVE-2016-1101).
These updates resolve a buffer overflow vulnerability that could
lead to code execution (CVE-2016-1103).
These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099,
CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109,
CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114,
CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161,
CVE-2016-4162, CVE-2016-4163).
These updates resolve a vulnerability in the directory search path
used to find resources that could lead to code execution
(CVE-2016-4116).
These updates resolve type confusion vulnerabilities that could
lead to code execution (CVE-2016-4144, CVE-2016-4149).
These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-4142, CVE-2016-4143, CVE-2016-4145,
CVE-2016-4146, CVE-2016-4147, CVE-2016-4148).
These updates resolve heap buffer overflow vulnerabilities that
could lead to code execution (CVE-2016-4135, CVE-2016-4136,
CVE-2016-4138).
These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124,
CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129,
CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133,
CVE-2016-4134, CVE-2016-4137, CVE-2016-4141, CVE-2016-4150,
CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154,
CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171).
These updates resolve a vulnerability in the directory search path
used to find resources that could lead to code execution
(CVE-2016-4140).
These updates resolve a vulnerability that could be exploited to
bypass the same-origin-policy and lead to information disclosure
(CVE-2016-4139).
Botan 1.10.13 has been released backporting some side channel
protections for ECDSA signatures (CVE-2016-2849) and PKCS #1 RSA
decryption (CVE-2015-7827).
The Miller-Rabin primality check in Botan before 1.10.8 and 1.11.x
before 1.11.9 improperly uses a single random base, which makes it
easier for remote attackers to defeat cryptographic protection
mechanisms via a DH group.
A malicious process can connect to an iperf3 server and,
by sending a malformed message on the control channel,
corrupt the server process's heap area. This can lead to a
crash (and a denial of service), or theoretically a remote
code execution as the user running the iperf3 server. A
malicious iperf3 server could potentially mount a similar
attack on an iperf3 client.
Cross-site scripting (XSS) vulnerability in the cgierror function
in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers
to inject arbitrary web script or HTML via unspecified vectors
involving an error message.
Avoid a potential denial of service issue, by fixing a bug in
pioctl logic that allowed a local user to overrun a kernel buffer
with a single NUL byte.
A problem was identified in nginx code responsible for saving
client request body to a temporary file. A specially crafted
request might result in worker process crash due to a NULL
pointer dereference while writing client request body to a
temporary file.
Foreign users can bypass access controls to create groups as
system:administrators, including in the user namespace and the
system: namespace.
The contents of uninitialized memory are sent on the wire when
clients perform certain RPCs. Depending on the RPC, the information
leaked may come from kernel memory or userspace.
When H2O tries to disconnect a premature HTTP/2 connection, it
calls free(3) to release memory allocated for the connection and
immediately after then touches the memory. No malloc-related
operation is performed by the same thread between the time it calls
free and the time the memory is touched. Fixed by Frederik
Deweerdt.
Because user SQL queries are part of the URL, sensitive
information made as part of a user query can be exposed by
clicking on external links to attackers monitoring user GET
query parameters or included in the webserver logs.
Severity
We consider this to be non-critical.
Description
A specially crafted attack could allow for special HTML
characters to be passed as URL encoded values and displayed
back as special characters in the page.
A specially crafted bug summary could trigger XSS in dependency graphs.
Due to an incorrect parsing of the image map generated by the dot script,
a specially crafted bug summary could trigger XSS in dependency graphs.
OpenVPN 2.3.11 [...] fixes two vulnerabilities: a port-share bug
with DoS potential and a buffer overflow by user supplied data when
using pam authentication.[...]
Heap-based buffer overflow in the zip_read_mac_metadata function
in archive_read_support_format_zip.c in libarchive before 3.2.0
allows remote attackers to execute arbitrary code via crafted
entry-size values in a ZIP archive.
WordPress 4.5.2 is now available. This is a security release for
all previous versions and we strongly encourage you to update your
sites immediately.
WordPress versions 4.5.1 and earlier are affected by a SOME
vulnerability through Plupload, the third-party library WordPress
uses for uploading files. WordPress versions 4.2 through 4.5.1 are
vulnerable to reflected XSS using specially crafted URIs through
MediaElement.js, the third-party library used for media players.
MediaElement.js and Plupload have also released updates fixing
these issues.
Insufficient filtering for filename passed to delegate's command
allows remote code execution during conversion of several file
formats. Any service which uses ImageMagick to process user
supplied images and uses default delegates.xml / policy.xml,
may be vulnerable to this issue.
It is possible to make ImageMagick perform an HTTP GET or FTP request.
It is possible to delete files by using ImageMagick's 'ephemeral'
pseudo protocol which deletes files after reading.
It is possible to move image files to file with any extension
in any folder by using ImageMagick's 'msl' pseudo protocol.
msl.txt and image.gif should exist in a known location - /tmp/ -
for the PoC (in real life it may be a web service written in PHP,
which allows uploading raw txt files and processing images with
ImageMagick).
It is possible to get content of the files from the server
by using ImageMagick's 'label' pseudo protocol.
During an internal code review, we discovered a critical security
flaw in the "impersonate" feature of GitLab. Added in GitLab 8.2,
this feature was intended to allow an administrator to simulate
being logged in as any other user.
A part of this feature was not properly secured and it was possible
for any authenticated user, administrator or not, to "log in" as any
other user, including administrators. Please see the issue for more
details.
svnserve, the svn:// protocol server, can optionally use the Cyrus
SASL library for authentication, integrity protection, and encryption.
Due to a programming oversight, authentication against Cyrus SASL
would permit the remote user to specify a realm string which is
a prefix of the expected realm string.
Subversion's httpd servers are vulnerable to a remotely triggerable crash
in the mod_authz_svn module. The crash can occur during an authorization
check for a COPY or MOVE request with a specially crafted header value.
This allows remote attackers to cause a denial of service.
Passwords Printed in Log Files under Some Conditions
It was discovered that, in Logstash 2.1.0+, log messages
generated by a stalled pipeline during shutdown will print
plaintext contents of password fields. While investigating
this issue we also discovered that debug logging has
included this data for quite some time. Our latest releases
fix both leaks. You will want to scrub old log files if this
is of particular concern to you. This was fixed in issue
#4965
The vulnerability exists because the application does not properly
verify the origin of HTTP requests in the "Interface Translation"
functionality. A remote unauthenticated attacker can create
a specially crafted malicious web page with a CSRF exploit, trick
a logged-in administrator into visiting the page, spoof the HTTP
request as if it were coming from the legitimate user, and inject
and execute arbitrary PHP code on the target system with the privileges
of the webserver.
Due to incorrect buffer management the Squid cachemgr.cgi tool is
vulnerable to a buffer overflow when processing remotely supplied
inputs relayed to it from Squid.
This problem allows any client to seed the Squid manager reports
with data that will cause a buffer overflow when processed by the
cachemgr.cgi tool. However, this does require manual administrator
actions to take place, which greatly reduces the impact and
possible uses.
Squid security advisory 2016:6 reports:
Due to buffer overflow issues Squid is vulnerable to a denial of
service attack when processing ESI responses. Due to incorrect input
validation Squid is vulnerable to public information disclosure of
the server stack layout when processing ESI responses. Due to
incorrect input validation and buffer overflow Squid is vulnerable
to remote code execution when processing ESI responses.
These problems allow ESI components to be used to perform a denial
of service attack on the Squid service and all other services on the
same machine. Under certain build conditions these problems allow
remote clients to view large sections of the server memory. However,
the bugs are exploitable only if you have built and configured the
ESI features to be used by a reverse-proxy and if the ESI components
being processed by Squid can be controlled by an attacker.
The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before
1.3.6rc2 does not properly handle the TLSDHParamFile directive, which
might cause a weaker than intended Diffie-Hellman (DH) key to be used
and consequently allow attackers to have unspecified impact via
unknown vectors.
The get_option function in dhcp.c in dhcpcd before 6.2.0, as used
in dhcpcd 5.x in Android before 5.1 and other products, does not
validate the relationship between length fields and the amount of
data, which allows remote DHCP servers to execute arbitrary code or
cause a denial of service (memory corruption) via a large length
value of an option in a DHCPACK message.
The print_option function in dhcp-common.c in dhcpcd through 6.9.1,
as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other
products, misinterprets the return value of the snprintf function,
which allows remote DHCP servers to execute arbitrary code or cause
a denial of service (memory corruption) via a crafted message.
PJProject has a limit on the number of TCP connections
that it can accept. Furthermore, PJProject does not close
TCP connections it accepts. By default, this value is
approximately 60.
An attacker can deplete the number of allowed TCP
connections by opening TCP connections and sending no
data to Asterisk.
If PJProject has been compiled in debug mode, then
once the number of allowed TCP connections has been
depleted, the next attempted TCP connection to Asterisk
will crash due to an assertion in PJProject.
If PJProject has not been compiled in debug mode, then
any further TCP connection attempts will be rejected.
This makes Asterisk unable to process TCP SIP traffic.
Note that this only affects TCP/TLS, since UDP is
connectionless.
Go has an infinite loop in several big integer routines that makes
Go programs vulnerable to remote denial of service attacks. Programs
using HTTPS client authentication or the Go ssh server libraries are
both exposed to this vulnerability.
[CVE-2015-5370] Errors in Samba DCE-RPC code can lead to denial of service
(crashes and high cpu consumption) and man in the middle attacks.
[CVE-2016-2110] The feature negotiation of NTLMSSP is not downgrade protected.
A man in the middle is able to clear even required flags, especially
NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL.
[CVE-2016-2111] When Samba is configured as Domain Controller it allows remote
attackers to spoof the computer name of a secure channel's endpoints, and obtain
sensitive session information, by running a crafted application and leveraging
the ability to sniff network traffic.
[CVE-2016-2112] A man in the middle is able to downgrade LDAP connections
to no integrity protection.
[CVE-2016-2113] Man in the middle attacks are possible for client triggered LDAP
connections (with ldaps://) and ncacn_http connections (with https://).
[CVE-2016-2114] Due to a bug Samba doesn't enforce required smb signing, even if explicitly configured.
[CVE-2016-2115] The protection of DCERPC communication over ncacn_np (which is
the default for most of the file server related protocols) is inherited from the underlying SMB connection.
[CVE-2016-2118] a.k.a. BADLOCK. A man in the middle can intercept any DCERPC traffic
between a client and a server in order to impersonate the client and get the same privileges
as the authenticated user account. This is most problematic against active directory domain controllers.
The pcre_compile2 function in pcre_compile.c in PCRE 8.38
mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/
pattern and related patterns with named subgroups, which allows
remote attackers to cause a denial of service (heap-based buffer
overflow) or possibly have unspecified other impact via a crafted
regular expression, as demonstrated by a JavaScript RegExp object
encountered by Konqueror.
A recently-discovered vulnerability in the datagrid templates allows an
attacker to generate a URL to any datagrid page containing malicious code
in a column sorting value. If the user visits that URL and then clicks
that column, the code will execute.
The cause of the vulnerability was due to a template not escaping
user-provided values.
Due to a buffer overrun the Squid pinger binary is vulnerable to
a denial of service or information leak attack when processing
ICMPv6 packets.
This bug also permits the server response to manipulate the processing
of other ICMP and ICMPv6 queries to cause an information leak.
This bug allows any remote server to perform a denial of service
attack on the Squid service by crashing the pinger. This may
affect Squid HTTP routing decisions. In some configurations,
sub-optimal routing decisions may result in serious service
degradation or even transaction failures.
If the system does not contain buffer-overrun protection leading
to that crash, this bug will instead allow attackers to leak
arbitrary amounts of information from the heap into Squid log
files. This is of higher importance than usual because the pinger
process operates with root privileges.
Squid security advisory 2016:4 reports:
Due to incorrect bounds checking Squid is vulnerable to a denial
of service attack when processing HTTP responses.
This problem allows a malicious client script and remote server
delivering certain unusual HTTP response syntax to trigger a
denial of service for all clients accessing the Squid service.
Excess memory allocation in BER decoder - The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer.
Crash in BER decoder - The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be used to easily crash applications reading untrusted ASN.1 data, but does not seem exploitable for code execution.
Infinite loop in modular square root algorithm - The ressol function, which implements the Tonelli-Shanks algorithm for finding square roots, could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, as this algorithm is only defined for primes. This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression.
Heap overflow on invalid ECC point - The PointGFp constructor did not check that the affine coordinate arguments were less than the prime, but then in curve multiplication assumed that both arguments if multiplied would fit into an integer twice the size of the prime.
The bigint_mul and bigint_sqr functions received the size of the output buffer, but only used it to dispatch to a faster algorithm in cases where there was sufficient output space to call an unrolled multiplication function.
The result is a heap overflow accessible via ECC point decoding, which accepted untrusted inputs. This is likely exploitable for remote code execution.
On systems which use the mlock pool allocator, it would allow an attacker to overwrite memory held in secure_vector objects. After this point the write will hit the guard page at the end of the mmapped region so it probably could not be used for code execution directly, but would allow overwriting adjacent key material.
This release closes security hole CVE-2016-2193
(https://access.redhat.com/security/cve/CVE-2016-2193), where a query
plan might get reused for more than one ROLE in the same session.
This could cause the wrong set of Row Level Security (RLS) policies to
be used for the query.
The update also fixes CVE-2016-3065
(https://access.redhat.com/security/cve/CVE-2016-3065), a server crash
bug triggered by using `pageinspect` with BRIN index pages. Since an
attacker might be able to expose a few bytes of server memory, this
crash is being treated as a security issue.
These updates resolve integer overflow vulnerabilities that
could lead to code execution (CVE-2016-0963, CVE-2016-0993,
CVE-2016-1010).
These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-0987, CVE-2016-0988,
CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995,
CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999,
CVE-2016-1000).
These updates resolve a heap overflow vulnerability that could
lead to code execution (CVE-2016-1001).
These updates resolve memory corruption vulnerabilities that
could lead to code execution (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992,
CVE-2016-1002, CVE-2016-1005).
This issue affects all Salt versions prior to 2015.8.8/2015.5.10
when PAM external authentication is enabled. This issue involves
passing an alternative PAM authentication service with a command
that is sent to LocalClient, enabling the attacker to bypass the
configured authentication service.
The web based administration console does not set the
X-Frame-Options header in HTTP responses. This allows the console to be embedded
in a frame or iframe which could then be used to cause a user to perform an
unintended action in the console.
Alvaro Muñoz, Matthias Kaiser and Christian Schneider report:
JMS Object messages depend on Java Serialization for
marshaling/unmarshaling of the message payload. There are a couple of places
inside the broker where deserialization can occur, like web console or stomp
object message transformation. As deserialization of untrusted data can lead to
security flaws as demonstrated in various reports, this leaves the broker
vulnerable to this attack vector. Additionally, applications that consume
ObjectMessage type of messages can be vulnerable as they deserialize objects on
ObjectMessage.getObject() calls.
Several instances of cross-site scripting vulnerabilities were
identified to be present in the web based administration console as well as the
ability to trigger a Java memory dump into an arbitrary folder. The root cause
of these issues is improper user data output validation and incorrect
permissions configured on Jolokia.
PCRE does not validate that handling the (*ACCEPT) verb
will occur within the bounds of the cworkspace stack buffer, leading to
a stack buffer overflow.
RPC traffic from clients, potentially including authentication
credentials, may be intercepted by a malicious user with access to
run tasks or containers on a cluster.
Security researcher Holger Fuhrmannek and Mozilla
security engineer Tyson Smith reported a number of security
vulnerabilities in the Graphite 2 library affecting version
1.3.5.
The issue reported by Holger Fuhrmannek is a mechanism to
induce stack corruption with a malicious graphite font. This
leads to a potentially exploitable crash when the font is
loaded.
Tyson Smith used the Address Sanitizer tool in concert with
a custom software fuzzer to find a series of uninitialized
memory, out-of-bounds read, and out-of-bounds write errors
when working with fuzzed graphite fonts.
Security researcher James Clawson used the Address
Sanitizer tool to discover an out-of-bounds write in the
Graphite 2 library when loading a crafted Graphite font
file. This results in a potentially exploitable crash.
JpGraph is an object oriented library for PHP that can be used to create
various types of graphs which also contains support for client side
image maps.
The GetURLArguments function for the JpGraph's Graph class does not
properly sanitize the names of get and post variables, leading to a
cross site scripting vulnerability.
The pidgin-otr plugin version 4.0.2 fixes a heap use after
free error.
The bug is triggered when a user tries to authenticate a buddy and
happens in the function create_smp_dialog.
By sending a nickname with some HTML tags in a contact
request, an attacker could cause Ricochet to make network requests
without Tor after the request is accepted, which would reveal the user's
IP address.
[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.
Mozilla Foundation reports:
Security researcher Luke Li reported a pointer underflow
bug in the Brotli library's decompression that leads to a
buffer overflow. This results in a potentially exploitable
crash when triggered.
Security researcher Hanno Böck reported that calculations
with mp_div and mp_exptmod in Network Security Services
(NSS) can produce wrong results in some circumstances. These
functions are used within NSS for a variety of cryptographic
division functions, leading to potential cryptographic
weaknesses.
Mozilla developer Eric Rescorla reported that a failed
allocation during DHE and ECDHE handshakes would lead to a
use-after-free vulnerability.
An exploitable denial of service vulnerability exists
in the font handling of Libgraphite. A specially crafted font can cause
an out-of-bounds read potentially resulting in an information leak or
denial of service.
A specially crafted font can cause a buffer overflow
resulting in potential code execution.
An exploitable NULL pointer dereference exists in the
bidirectional font handling functionality of Libgraphite. A specially
crafted font can cause a NULL pointer dereference resulting in a
crash.
WordPress 4.4.1 is now available. This is a security release for
all previous versions and we strongly encourage you to update your
sites immediately.
WordPress versions 4.4 and earlier are affected by a cross-site
scripting vulnerability that could allow a site to be compromised.
This was reported by Crtc4L.
WordPress 4.4.2 is now available. This is a security release for
all previous versions and we strongly encourage you to update your
sites immediately.
WordPress versions 4.4.1 and earlier are affected by two security
issues: a possible SSRF for certain local URIs, reported by Ronni
Skansing; and an open redirection attack, reported by Shailesh
Suthar.
Many versions of PSCP prior to 0.67 have a stack corruption
vulnerability in their treatment of the 'sink' direction (i.e.
downloading from server to client) of the old-style SCP protocol.
In order for this vulnerability to be exploited, the user must
connect to a malicious server and attempt to download any file.[...]
you can work around it in a vulnerable PSCP by using the -sftp
option to force the use of the newer SFTP protocol, provided your
server supports that protocol.
Jakub Palaczynski discovered that websvn, a web viewer for
Subversion repositories, does not correctly sanitize user-supplied
input, which allows a remote user to run reflected cross-site
scripting attacks.
Rails 4.2.5.2, 4.1.14.2, and 3.2.22.2 have been released! These
contain the following important security fixes, and it is
recommended that users upgrade as soon as possible.
"Arbitrary files with a known path can be accessed in websvn by
committing a symlink to a repository and then downloading the file
(using the download link).
An attacker must have write access to the repo, and the download
option must have been enabled in the websvn config file."
libssh versions 0.1 and above have a bits/bytes confusion bug and
generate an abnormally short ephemeral secret for the
diffie-hellman-group1 and diffie-hellman-group14 key exchange
methods. The resulting secret is 128 bits long, instead of the
recommended sizes of 1024 and 2048 bits respectively. There are
practical algorithms (Baby steps/Giant steps, Pollard's rho) that can
solve this problem in O(2^63) operations.
Both client and server are vulnerable, pre-authentication.
This vulnerability could be exploited by an eavesdropper with enough
resources to decrypt or intercept SSH sessions. The bug was found
during an internal code review by Aris Adamantiadis of the libssh
team.
All installations having Exim set-uid root and using 'perl_startup' are
vulnerable to a local privilege escalation. Any user who can start an
instance of Exim (and this is normally any user) can gain root
privileges. If you do not use 'perl_startup' you should be safe.
Due to incorrect bounds checking Squid is vulnerable to a denial
of service attack when processing HTTP responses.
These problems allow remote servers delivering certain unusual
HTTP response syntax to trigger a denial of service for all
clients accessing the Squid service.
HTTP responses containing malformed headers that trigger this
issue are becoming common. We are not certain at this time if
that is a sign of malware or just broken server scripting.
The PV superpage functionality lacks certain validity checks on
data being passed to the hypervisor by guests. This is the case
for the page identifier (MFN) passed to MMUEXT_MARK_SUPER and
MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as
well as for various forms of page table updates.
Use of the feature, which is disabled by default, may have unknown
effects, ranging from information leaks through Denial of Service to
privilege escalation.
While INVLPG does not cause a General Protection Fault when used on
a non-canonical address, INVVPID in its "individual address"
variant, which is used to back the intercepted INVLPG in certain
cases, fails in such cases. Failure of INVVPID results in a
hypervisor bug check.
A malicious guest can crash the host, leading to a Denial of
Service.
VMX refuses attempts to enter a guest with an instruction pointer
which doesn't satisfy certain requirements. In particular, the
instruction pointer needs to be canonical when entering a guest
currently in 64-bit mode. This is the case even if the VM entry
information specifies an exception to be injected immediately (in
which case the bad instruction pointer would possibly never get used
for other than pushing onto the exception handler's stack).
Provided the guest OS allows user mode to map the virtual memory
space immediately below the canonical/non-canonical address
boundary, a non-canonical instruction pointer can result even from
normal user mode execution. VM entry failure, however, is fatal to
the guest.
Malicious HVM guest user mode code may be able to crash the
guest.
The Xerces-C XML parser mishandles certain kinds of malformed input
documents, resulting in buffer overflows during processing and error
reporting. The overflows can manifest as a segmentation fault or as
memory corruption during a parse operation. The bugs allow for a
denial of service attack in many applications by an unauthenticated
attacker, and could conceivably result in remote code execution.
Double-clicking a file in the user's media library with a
specially-crafted path or filename allows for arbitrary code execution
with the permissions of the user running Pitivi.
A heap overflow may occur in the giffix utility included in
giflib-5.1.1 when processing records of the type
`IMAGE_DESC_RECORD_TYPE' due to the allocated size of `LineBuffer'
equaling the value of the logical screen width, `GifFileIn->SWidth',
while subsequently having `GifFileIn->Image.Width' bytes of data written
to it.
SECURITY-232 / CVE-2016-0788 (Remote code execution vulnerability in remoting module)
A vulnerability in the Jenkins remoting module allowed
unauthenticated remote attackers to open a JRMP listener on the
server hosting the Jenkins master process, which allowed arbitrary
code execution.
An HTTP response splitting vulnerability in the CLI command
documentation allowed attackers to craft Jenkins URLs that serve
malicious content.
SECURITY-241 / CVE-2016-0790 (Non-constant time comparison of API token)
The verification of user-provided API tokens with the expected
value did not use a constant-time comparison algorithm, potentially
allowing attackers to use statistical methods to determine valid
API tokens using brute-force methods.
SECURITY-245 / CVE-2016-0791 (Non-constant time comparison of CSRF crumbs)
The verification of user-provided CSRF crumbs with the expected
value did not use a constant-time comparison algorithm, potentially
allowing attackers to use statistical methods to determine valid
CSRF crumbs using brute-force methods.
SECURITY-247 / CVE-2016-0792 (Remote code execution through remote API)
Jenkins has several API endpoints that allow low-privilege users
to POST XML files that then get deserialized by Jenkins.
Maliciously crafted XML files sent to these API endpoints could
result in arbitrary code execution.
The library is affected by a double-free vulnerability in function
jas_iccattrval_destroy()
as well as a heap-based buffer overflow in function jp2_decode().
A specially crafted jp2 file can be used to trigger the vulnerabilities.
oCERT reports:
The library is affected by an off-by-one error in a buffer boundary check
in jpc_dec_process_sot(), leading to a heap based buffer overflow, as well
as multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to
stack overflow.
A specially crafted jp2 file can be used to trigger the vulnerabilities.
oCERT reports:
Multiple off-by-one flaws, leading to heap-based buffer overflows, were
found in the way JasPer decoded JPEG 2000 files. A specially crafted file
could cause an application using JasPer to crash or,
possibly, execute arbitrary code.
limingxing reports:
A vulnerability was found in the way the JasPer's jas_matrix_clip()
function parses certain JPEG 2000 image files. A specially crafted file
could cause an application using JasPer to crash.
A double free flaw was found in the way JasPer's
jasper_image_stop_load() function parsed certain JPEG 2000 image files.
A specially crafted file could cause an application using JasPer to
crash.
Feist Josselin reports:
A new use-after-free was found in JasPer JPEG 2000. The
use-after-free appears in the function mif_process_cmpt of the
src/libjasper/mif/mif_cod.c file.
Prevent potential DoS attack due to lack of bounds checking on RTP
header CSRC count and extension header length. Credit goes to
Randell Jesup and the Firefox team for reporting this issue.
This release fixes a remote code execution vulnerability that was
identified in BeanShell by Alvaro Muñoz and Christian Schneider.
The BeanShell team would like to thank them for their help and
contributions to this fix!
An application that includes BeanShell on the classpath may be
vulnerable if another part of the application uses Java
serialization or XStream to deserialize data from an untrusted
source.
A vulnerable application could be exploited for remote code
execution, including executing arbitrary shell commands.
This update fixes the vulnerability in BeanShell, but it is worth
noting that applications doing such deserialization might still be
insecure through other libraries. It is recommended that application
developers take further measures such as using a restricted class
loader when deserializing. See notes on Java serialization security
XStream security and How to secure deserialization from untrusted
input without using encryption or sealing.
A stack-based buffer overflow was found in libresolv when invoked
from nss_dns, allowing specially crafted DNS responses to seize
control of EIP in the DNS client. The buffer overflow occurs in the
functions send_dg (send datagram) and send_vc (send TCP) for the
NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
family, or in some cases AF_INET6 family. The use of AF_UNSPEC (or
AF_INET6 in some cases) triggers the low-level resolver code to
send out two parallel queries for A and AAAA. A mismanagement of
the buffers used for those queries could result in the response of
a query writing beyond the alloca allocated buffer created by
__res_nquery.
Due to incorrectly handling server errors Squid is vulnerable to a
denial of service attack when connecting to TLS or SSL servers.
This problem allows any trusted client to perform a denial of
service attack on the Squid service regardless of whether TLS or
SSL is configured for use in the proxy.
Misconfigured client or server software may trigger this issue
to perform a denial of service unintentionally.
However, the bug is exploitable only if Squid is built using the
--with-openssl option.
The FreeBSD port does not use SSL by default and is not vulnerable
in the default configuration.
Amos Jeffries, release manager of the Squid-3 series, reports:
Vulnerable versions are 3.5.0.1 to 3.5.8 (inclusive), which are
built with OpenSSL and configured for "SSL-Bump" decryption.
Integer overflows can lead to invalid pointer math reading from
random memory on some CPU architectures. In the best case this leads
to wrong TLS extensions being used for the client, worst-case a
crash of the proxy terminating all active transactions.
Incorrect message size checks and assumptions about the existence
of TLS extensions in the SSL/TLS handshake message can lead to very
high CPU consumption (up to and including 'infinite loop'
behaviour).
The above can be triggered remotely. Though there is one layer of
authorization applied before this processing to check that the
client is allowed to use the proxy, that check is generally weak. MS
Skype on Windows XP is known to trigger some of these.
The FreeBSD port does not use SSL by default and is not vulnerable
in the default configuration.
MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept
responses to plugin network requests made through the browser. Plugins which
make security decisions based on the content of network requests can have these
decisions subverted if a service worker forges responses to those requests. For
example, a forged crossdomain.xml could allow a malicious site to violate the
same-origin policy using the Flash plugin.
Out of memory in nghttpd, nghttp, and libnghttp2_asio applications
due to unlimited incoming HTTP header fields.
nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage
for the incoming HTTP header field. If peer sends specially crafted HTTP/2
HEADERS frames and CONTINUATION frames, they will crash with out of memory
error.
Note that libnghttp2 itself is not affected by this vulnerability.
CVE-2016-0773: This release closes security hole CVE-2016-0773,
an issue with regular expression (regex) parsing. Prior code allowed
users to pass in expressions which included out-of-range Unicode
characters, triggering a backend crash. This issue is critical for
PostgreSQL systems with untrusted users or which generate regexes
based on user input.
CVE-2016-0766: The update also fixes CVE-2016-0766, a privilege
escalation issue for users of PL/Java. Certain custom configuration
settings (GUCS) for PL/Java will now be modifiable only by the
database superuser.
These updates resolve a type confusion vulnerability that
could lead to code execution (CVE-2016-0985).
These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2016-0973, CVE-2016-0974,
CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984).
These updates resolve a heap buffer overflow vulnerability
that could lead to code execution (CVE-2016-0971).
These updates resolve memory corruption vulnerabilities
that could lead to code execution (CVE-2016-0964,
CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968,
CVE-2016-0969, CVE-2016-0970, CVE-2016-0972, CVE-2016-0976,
CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980,
CVE-2016-0981).
If a large value was passed into the new size for an image, it is
possible to overflow an int32 value passed into malloc, leading the
malloc'd buffer to be undersized. These allocations are followed by
a loop that writes out of bounds. This can lead to corruption on
the heap of the Python process with attacker controlled float
data.
Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on
x64 may overflow a buffer when reading a specially crafted tiff
file.
Specifically, libtiff >= 4.0.0 changed the return type of
TIFFScanlineSize from int32 to machine dependent int32|64. If the
scanline is sized so that it overflows an int32, it may be
interpreted as a negative number, which will then pass the size check
in TiffDecode.c line 236. To do this, the logical scanline size has
to be > 2gb, and for the test file, the allocated buffer size is 64k
against a roughly 4gb scan line size. Any image data over 64k is
written over the heap, causing a segfault.
This issue was found by security researcher FourOne.
In all versions of Pillow, dating back at least to the last PIL
1.1.7 release, FliDecode.c has a buffer overflow error.
There is a memcpy error where x is added to a target buffer
address. X is used in several internal temporary variable roles,
but can take a value up to the width of the image. Im->image[y]
is a set of row pointers to segments of memory that are the size of
the row. At the max y, this will write the contents of the line off
the end of the memory buffer, causing a segfault.
This issue was found by Alyssa Besseling at Atlassian.
In all versions of Pillow, dating back at least to the last PIL
1.1.7 release, PcdDecode.c has a buffer overflow error.
The state.buffer for PcdDecode.c is allocated based on a 3 bytes
per pixel sizing, where PcdDecode.c wrote into the buffer assuming
4 bytes per pixel. This writes 768 bytes beyond the end of the
buffer into other Python object storage. In some cases, this causes
a segfault, in others an internal Python malloc error.
Shotwell has a serious security issue ("Shotwell does not
verify TLS certificates"). Upstream is no longer active and
I do not expect any further upstream releases unless someone
from the community steps up to maintain it.
What is the impact of the issue? If you ever used any of
the publish functionality (publish to Facebook, publish to
Flickr, etc.), your passwords may have been stolen; changing
them is not a bad idea.
What is the risk of the update? Regressions. The easiest
way to validate TLS certificates was to upgrade WebKit; it
seems to work but I don't have accounts with the online
services it supports, so I don't know if photo publishing
still works properly on all the services.
[CVE-2015-3223] Malicious request can cause Samba LDAP server to hang, spinning using CPU.
[CVE-2015-5330] Malicious request can cause Samba LDAP server
to return uninitialized memory that should not be part of the reply.
[CVE-2015-5296] Requesting encryption should also request
signing when setting up the connection to protect against man-in-the-middle attacks.
[CVE-2015-5299] A missing access control check in the VFS
shadow_copy2 module could allow unauthorized users to access snapshots.
[CVE-2015-7540] Malicious request can cause Samba LDAP server to crash.
[CVE-2015-8467] Samba can expose Windows DCs to MS15-096
Denial of service via the creation of multiple machine accounts (The Microsoft issue is CVE-2015-2535).
[CVE-2015-5252] Insufficient symlink verification could allow data access outside share path.
The ScrollView::paint function in platform/scroll/ScrollView.cpp
in Blink, as used in Google Chrome before 35.0.1916.114, allows
remote attackers to spoof the UI by extending scrollbar painting
into the parent frame.
Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been
released! These contain important security fixes, and it is
recommended that users upgrade as soon as possible.
In the OpenSSL address implementation the hard coded 1024
bit DH p parameter was not prime. The effective cryptographic strength
of a key exchange using these parameters was weaker than the one one
could get by using a prime p. Moreover, since there is no indication of
how these parameters were chosen, the existence of a trapdoor that makes
possible for an eavesdropper to recover the shared secret from a key
exchange that uses them cannot be ruled out.
GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are
prone to an integer overflow vulnerability which leads to a buffer
overflow and potentially to remote code execution.
GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are
prone to an out-of-bounds read vulnerability due to missing checks.
Enforce the reader to run in constant memory. One of the
operations on the reader could resolve entities leading to
the classic expansion issue. Make sure the buffer used for
xmlreader operation is bounded. Introduce a new allocation
type for the buffers for this effect.
Ilja van Sprundel, a security researcher with IOActive, has
discovered an issue in the parsing of BDF font files by libXfont.
Additional testing by Alan Coopersmith and William Robinet with
the American Fuzzy Lop (afl) tool uncovered two more issues in
the parsing of BDF font files.
As libXfont is used by the X server to read font files, and an
unprivileged user with access to the X server can tell the X
server to read a given font file from a path of their choosing,
these vulnerabilities have the potential to allow unprivileged
users to run code with the privileges of the X server
(often root access).
Several problems in the nginx resolver were identified, which
might allow an attacker to cause a worker process crash, or might have
potential other impact if the "resolver" directive
is used in a configuration file.
This release fixes a heap-use-after-free bug in the idle stream
handling code. We strongly recommend upgrading older installations
to this latest version as soon as possible.
By calling some scripts that are part of phpMyAdmin in an
unexpected way, it is possible to trigger phpMyAdmin to
display a PHP error message which contains the full path of
the directory where phpMyAdmin is installed.
We consider these vulnerabilities to be non-critical.
This path disclosure is possible on servers where the
recommended setting of the PHP configuration directive
display_errors is set to on, which is against the
recommendations given in the PHP manual for a production
server.
With a crafted table name it is possible to trigger
an XSS attack in the database search page.
With a crafted SET value or a crafted search query, it
is possible to trigger an XSS attack in the zoom search
page.
With a crafted hostname header, it is possible to
trigger an XSS attack in the home page.
We consider these vulnerabilities to be non-critical.
These vulnerabilities can be triggered only by someone
who is logged in to phpMyAdmin, as the usual token
protection prevents non-logged-in users from accessing the
required pages.
The comparison of the XSRF/CSRF token parameter with the
value saved in the session is vulnerable to timing
attacks. Moreover, the comparison could be bypassed if the
XSRF/CSRF token matches a particular pattern.
By calling some scripts that are part of phpMyAdmin in an
unexpected way, it is possible to trigger phpMyAdmin to
display a PHP error message which contains the full path of
the directory where phpMyAdmin is installed.
We consider these vulnerabilities to be non-critical.
This path disclosure is possible on servers where the
recommended setting of the PHP configuration directive
display_errors is set to on, which is against the
recommendations given in the PHP manual for a production
server.
With a crafted table name it is possible to trigger an
XSS attack in the database normalization page.
We consider this vulnerability to be non-critical.
This vulnerability can be triggered only by someone who is
logged in to phpMyAdmin, as the usual token protection
prevents non-logged-in users from accessing the required page.
By calling a particular script that is part of phpMyAdmin
in an unexpected way, it is possible to trigger phpMyAdmin
to display a PHP error message which contains the full path
of the directory where phpMyAdmin is installed.
We consider this vulnerability to be non-critical.
This path disclosure is possible on servers where the
recommended setting of the PHP configuration directive
display_errors is set to on, which is against the
recommendations given in the PHP manual for a production
server.
With a crafted SQL query, it is possible to trigger an
XSS attack in the SQL editor.
We consider this vulnerability to be non-critical.
This vulnerability can be triggered only by someone who is
logged in to phpMyAdmin, as the usual token protection
prevents non-logged-in users from accessing the required
pages.
sudoedit in Sudo before 1.8.15 allows local users to gain
privileges via a symlink attack on a file whose full path is defined
using multiple wildcards in /etc/sudoers, as demonstrated by
"/home/*/*/file.txt."
Fixed a memory leak when rejecting client connections due to the
socket limit being reached (CID 66382). This affected Privoxy 3.0.21
when compiled with IPv6 support (on most platforms this is the
default).
Fixed an immediate-use-after-free bug (CID 66394) and two
additional unconfirmed use-after-free complaints made by Coverity
scan (CID 66391, CID 66376).
MITRE reports:
Privoxy before 3.0.22 allows remote attackers to cause a denial
of service (file descriptor consumption) via unspecified vectors.
Prevent invalid reads in case of corrupt chunk-encoded content.
CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer.
Remove empty Host headers in client requests. Previously they
would result in invalid reads. CVE-2016-1983. Bug discovered with
afl-fuzz and AddressSanitizer.
Proxy authentication headers are removed unless the new directive
enable-proxy-authentication-forwarding is used. Forwarding the
headers potentially allows malicious sites to trick the user into
providing them with login information. Reported by Chris John Riley.
Fixed a DoS issue in case of client requests with incorrect
chunk-encoded body. When compiled with assertions enabled (the
default) they could previously cause Privoxy to abort(). Reported
by Matthew Daley. CVE-2015-1380.
Fixed multiple segmentation faults and memory leaks in the pcrs
code. This fix also increases the chances that an invalid pcrs
command is rejected as such. Previously some invalid commands would
be loaded without error. Note that Privoxy's pcrs sources (action
and filter files) are considered trustworthy input and should not be
writable by untrusted third-parties. CVE-2015-1381.
Fixed an 'invalid read' bug which could at least theoretically
cause Privoxy to crash. So far, no crashes have been observed.
CVE-2015-1382.
So in codeconv.c there is a function for Japanese character set
conversion called conv_jistoeuc(). There is no bounds checking on
the output buffer, which is created on the stack with alloca().
Bug can be triggered by sending an email to TAILS_luser@riseup.net
or whatever.
Since my C is completely rusty, you might be able to make a better
judgment on the severity of this issue. Marking critical for now.
A buffer overflow flaw was discovered in the libproxy's
url::get_pac() used to download proxy.pac proxy auto-configuration
file. A malicious host hosting proxy.pac, or a man in the middle
attacker, could use this flaw to trigger a stack-based buffer
overflow in an application using libproxy, if proxy configuration
instructed it to download proxy.pac file from a remote HTTP
server.
A security-related issue has been reported in Go's math/big
package. The issue was introduced in Go 1.5. We recommend that all
users upgrade to Go 1.5.3, which fixes the issue. Go programs must
be recompiled with Go 1.5.3 in order to receive the fix.
The Go team would like to thank Nick Craig-Wood for identifying the
issue.
This issue can affect RSA computations in crypto/rsa, which is used
by crypto/tls. TLS servers on 32-bit systems could plausibly leak
their RSA private key due to this issue. Other protocol
implementations that create many RSA signatures could also be
impacted in the same way.
Specifically, incorrect results in one part of the RSA Chinese
Remainder computation can cause the result to be incorrect in such a
way that it leaks one of the primes. While RSA blinding should
prevent an attacker from crafting specific inputs that trigger the
bug, on 32-bit systems the bug can be expected to occur at random
around one in 2^26 times. Thus collecting around 64 million
signatures (of known data) from an affected server should be enough
to extract the private key used.
On 64-bit systems, the frequency of the bug is so low (less than
one in 2^50) that it would be very difficult to exploit.
Nonetheless, everyone is strongly encouraged to upgrade.
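The arithmetic behind the paragraph above, as an added example that is not the Go team's code: a wrong intermediate result in one half of an RSA-CRT signature yields a signature that is correct modulo one prime and wrong modulo the other, so gcd(s^e - m, N) gives up a factor; verifying the signature before releasing it (the standard countermeasure) turns that into a detected fault instead. The key below is a constructed toy key with small primes, and the fault is injected deliberately.

```python
"""Added example: why a faulty RSA-CRT half leaks a prime, and the
verify-before-release check that stops the leak. Toy key, constructed."""
from math import gcd

# Constructed small primes (NOT a real key); the algebra is identical at 2048 bits.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                # Garner recombination constant


def sign_crt(m, fault_in_p=False, check=True):
    """Textbook RSA signature of m via the Chinese Remainder Theorem.

    fault_in_p simulates an incorrect intermediate result modulo p, the
    kind of wrong answer a buggy bignum library can produce at random.
    With check=True the signature is verified before it is released and
    None is returned on mismatch, so a faulty value never leaves the signer."""
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q)
    if fault_in_p:
        s_p = (s_p + 1) % P         # constructed fault: the p-half is off by one
    h = (QINV * (s_p - s_q)) % P
    s = (s_q + h * Q) % N           # s == s_p (mod P), s == s_q (mod Q)
    if check and pow(s, E, N) != m % N:
        return None                 # fault detected; nothing is leaked
    return s


def leaked_factor(m, s):
    """What an observer holding one signature s of known m can compute.

    For a correct signature s^e - m is 0 mod N and the gcd is just N.
    For a signature that is right mod q but wrong mod p, s^e - m is
    divisible by q only, and the gcd is q: one prime of the key."""
    return gcd((pow(s, E, N) - m) % N, N)
```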
ffmpeg has a vulnerability in the current version that allows an
attacker to create a specially crafted video file; downloading it
will send files from the user's PC to a remote attacker-controlled
server. The attack does not even require the user to open that file;
for example, KDE Dolphin thumbnail generation is enough.
The FontManager._get_nix_font_path function in formatters/img.py
in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute
arbitrary commands via shell metacharacters in a font name.
Integer overflow in the
authentication_agent_new_cookie function in PolicyKit (aka polkit)
before 0.113 allows local users to gain privileges by creating a large
number of connections, which triggers the issuance of a duplicate cookie
value.
The authentication_agent_new function in
polkitbackend/polkitbackendinteractiveauthority.c in PolicyKit (aka
polkit) before 0.113 allows local users to cause a denial of service
(NULL pointer dereference and polkitd daemon crash) by calling
RegisterAuthenticationAgent with an invalid object path.
The polkit_backend_action_pool_init function in
polkitbackend/polkitbackendactionpool.c in PolicyKit (aka polkit) before
0.113 might allow local users to gain privileges via duplicate action
IDs in action descriptions.
PolicyKit (aka polkit) before 0.113 allows local
users to cause a denial of service (memory corruption and polkitd daemon
crash) and possibly gain privileges via unspecified vectors, related to
"javascript rule evaluation."
This Critical Patch Update contains 25 new security fixes
for Oracle Java SE. 24 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a
network without the need for a username and password.
librsync before 1.0.0 uses a truncated MD4 checksum to
match blocks, which makes it easier for remote attackers to modify
transmitted data via a birthday attack.
Heap overflow via malformed DHCP responses, later in print_option
(via dhcp_envoption1), due to incorrect option length values.
Exploitation is non-trivial, but I'd love to be proven wrong.
Invalid read/crash via malformed DHCP responses. Not exploitable
beyond DoS as far as I can judge.
The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU
binutils 2.24 and earlier allows remote attackers to cause a
denial of service (out-of-bounds write) and possibly have other
unspecified impact via a crafted NumberOfRvaAndSizes field in the
AOUT header in a PE executable.
US-CERT/NIST reports:
Heap-based buffer overflow in the pe_print_edata function in
bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote
attackers to cause a denial of service (crash) and possibly have
other unspecified impact via a truncated export table in a PE
file.
US-CERT/NIST reports:
Stack-based buffer overflow in the ihex_scan function in
bfd/ihex.c in GNU binutils 2.24 and earlier allows remote
attackers to cause a denial of service (crash) and possibly have
other unspecified impact via a crafted ihex file.
MD5 handshake signatures in TLS 1.2 are vulnerable to the SLOTH attack
on TLS 1.2 server authentication. They have been disabled by default.
Other attacks from the SLOTH paper do not apply to any version of mbed
TLS or PolarSSL.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the AMD PC-Net II Ethernet Controller
support is vulnerable to a heap buffer overflow flaw. While
receiving packets in the loopback mode, it appends CRC code to the
receive buffer. If the data size given is the same as the receive buffer
size, the appended CRC code overwrites 4 bytes beyond this
's->buffer' array.
A privileged (CAP_SYS_RAWIO) user inside the guest could use this flaw
to crash the Qemu instance resulting in DoS or potentially execute
arbitrary code with privileges of the Qemu process on the host.
The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets
from a remote host(non-loopback mode), fails to validate the
received data size, thus resulting in a buffer overflow issue. It
could potentially lead to arbitrary code execution on the host, with
privileges of the Qemu process. It requires the guest NIC to have a
larger MTU limit.
A remote user could use this flaw to crash the guest instance
resulting in DoS or potentially execute arbitrary code on a remote
host with privileges of the Qemu process.
When constructing a guest which is configured to use a PV
bootloader which runs as a userspace process in the toolstack domain
(e.g. pygrub) libxl creates a mapping of the files to be used as
kernel and initial ramdisk when building the guest domain.
However if building the domain subsequently fails these mappings
would not be released leading to a leak of virtual address space in
the calling process, as well as preventing the recovery of the
temporary disk files containing the kernel and initial ramdisk.
For toolstacks which manage multiple domains within the same
process, an attacker who is able to repeatedly start a suitable
domain (or many such domains) can cause an out-of-memory condition in the
toolstack process, leading to a denial of service.
Under the same circumstances an attacker can also cause files to
accumulate on the toolstack domain filesystem (usually under /var in
dom0) used to temporarily store the kernel and initial ramdisk,
perhaps leading to a denial of service against arbitrary other
services using that filesystem.
Single memory accesses in source code can be translated to multiple
ones in machine code by the compiler, requiring special caution when
accessing shared memory. Such precaution was missing from the
hypervisor code inspecting the state of I/O requests sent to the
device model for assistance.
Due to the offending field being a bitfield, it is however believed
that there is no issue in practice, since compilers, at least when
optimizing (which is always the case for non-debug builds), should find
it more expensive to extract the bit field value twice than to keep the
calculated value in a register.
This vulnerability is exposed to malicious device models. In
conventional Xen systems this means the qemu which services an HVM
domain. On such systems this vulnerability can only be exploited if
the attacker has gained control of the device model qemu via another
vulnerability.
Privilege escalation, host crash (Denial of Service), and leaked
information all cannot be excluded.
Error handling in the operation may involve handing back pages to
the domain. This operation may fail when in parallel the domain gets
torn down. So far this failure unconditionally resulted in the host
being brought down due to an internal error being assumed. This is
CVE-2015-8339.
Furthermore error handling so far wrongly included the release of a
lock. That lock, however, was either not acquired or already released
on all paths leading to the error handling sequence. This is
CVE-2015-8340.
A malicious guest administrator may be able to deny service by
crashing the host or causing a deadlock.
When XSAVE/XRSTOR are not in use by Xen to manage guest extended
register state, the initial values in the FPU stack and XMM
registers seen by the guest upon first use are those left there by
the previous user of those registers.
A malicious domain may be able to leverage this to obtain sensitive
information such as cryptographic keys from another domain.
Florian Weimer of Red Hat discovered that an optimization in
RSA signature validation can result in disclosure of the
server's private key under certain fault conditions.
Sebastian Ramacher identified an error in wolfSSL's implementation
of the server side of the DTLS handshake, which could be abused
for DDoS amplification or a DoS on the DTLS server itself.
ISC Kea may terminate unexpectedly (crash) while handling
a malformed client packet. Related defects in the kea-dhcp4
and kea-dhcp6 servers can cause the server to crash during
option processing if a client sends a malformed packet.
An attacker sending a crafted malformed packet can cause
an ISC Kea server providing DHCP services to IPv4 or IPv6
clients to exit unexpectedly.
The kea-dhcp4 server is vulnerable only in versions
0.9.2 and 1.0.0-beta, and furthermore only when logging
at debug level 40 or higher. Servers running kea-dhcp4
versions 0.9.1 or lower, and servers which are not
logging or are logging at debug level 39 or below are
not vulnerable.
The kea-dhcp6 server is vulnerable only in versions
0.9.2 and 1.0.0-beta, and furthermore only when
logging at debug level 45 or higher. Servers running
kea-dhcp6 versions 0.9.1 or lower, and servers
which are not logging or are logging at debug level 44
or below are not vulnerable.
SQL injection vulnerability in include/top_graph_header.php in
Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary
SQL commands via the rra_id parameter in a properties action to
graph.php.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the PCI MSI-X support is vulnerable to
null pointer dereference issue. It occurs when the controller
attempts to write to the pending bit array (PBA) memory region,
because the MSI-X MMIO support did not define the .write method.
A privileged user inside the guest could use this flaw to crash the
Qemu process resulting in DoS issue.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the USB EHCI emulation support is
vulnerable to an infinite loop issue. It occurs during communication
between host controller interface(EHCI) and a respective device
driver. These two communicate via an isochronous transfer descriptor
list (iTD) and an infinite loop unfolds if there is a closed loop in
this list.
A privileged user inside the guest could use this flaw to consume
excessive CPU cycles & resources on the host.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the VNC display driver support is
vulnerable to an arithmetic exception flaw. It occurs on the VNC
server side while processing the 'SetPixelFormat' messages from a
client.
A privileged remote client could use this flaw to crash the guest
resulting in DoS.
mini_httpd 1.21 and earlier allows remote attackers to obtain
sensitive information from process memory via an HTTP request with
a long protocol string, which triggers an incorrect response size
calculation and an out-of-bounds read.
(rene) ACME, the author, claims that the vulnerability is fixed
*after* version 1.22, released on 2015-12-28.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the e1000 NIC emulation support is
vulnerable to an infinite loop issue. It could occur while
processing transmit descriptor data when sending a network packet.
A privileged user inside guest could use this flaw to crash the
Qemu instance resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the Virtual Network Device(virtio-net)
support is vulnerable to a DoS issue. It could occur while receiving
large packets over the tuntap/macvtap interfaces and when guest's
virtio-net driver did not support big/mergeable receive buffers.
An attacker on the local network could use this flaw to disable
guest's networking by sending a large number of jumbo frames to the
guest, exhausting all receive buffers and thus leading to a DoS
situation.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the NE2000 NIC emulation support is
vulnerable to an infinite loop issue. It could occur when receiving
packets over the network.
A privileged user inside guest could use this flaw to crash the
Qemu instance resulting in DoS.
Qemu emulator built with the NE2000 NIC emulation support is
vulnerable to a heap buffer overflow issue. It could occur when
receiving packets over the network.
A privileged user inside guest could use this flaw to crash the
Qemu instance or potentially execute arbitrary code on the host.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the VNC display driver is vulnerable to an
infinite loop issue. It could occur while processing a
CLIENT_CUT_TEXT message with specially crafted payload message.
A privileged guest user could use this flaw to crash the Qemu
process on the host, resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the IDE disk and CD/DVD-ROM emulation
support is vulnerable to a divide by zero issue. It could occur
while executing an IDE command WIN_READ_NATIVE_MAX to determine
the maximum size of a drive.
A privileged user inside guest could use this flaw to crash the
Qemu instance resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the virtio-serial vmchannel support is
vulnerable to a buffer overflow issue. It could occur while
exchanging virtio control messages between guest and the host.
A malicious guest could use this flaw to corrupt few bytes of Qemu
memory area, potentially crashing the Qemu process.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the VNC display driver support is
vulnerable to a buffer overflow flaw leading to a heap memory
corruption issue. It could occur while refreshing the server
display surface via routine vnc_refresh_server_surface().
A privileged guest user could use this flaw to corrupt the heap
memory and crash the Qemu process instance OR potentially use it
to execute arbitrary code on the host.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the SCSI device emulation support is
vulnerable to a stack buffer overflow issue. It could occur while
parsing SCSI command descriptor block with an invalid operation
code.
A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw
to crash the Qemu instance resulting in DoS.
Due to converting PIO to the new memory read/write API we no longer
provide separate I/O region lengths for read and write operations.
As a result, reading from the PIT Mode/Command register will end with
accessing pit->channels with an invalid index and potentially cause
memory corruption and/or a minor information leak.
A privileged guest user in a guest with QEMU PIT emulation enabled
could potentially (though unlikely) use this flaw to execute
arbitrary code on the host with the privileges of the hosting QEMU
process.
Please note that by default QEMU/KVM guests use in-kernel (KVM) PIT
emulation and are thus not vulnerable to this issue.
An attacker who can cause a carefully-chosen string to be
converted to a floating-point number can cause a crash and potentially
induce arbitrary code execution.
These updates resolve a type confusion vulnerability that
could lead to code execution (CVE-2015-8644).
These updates resolve an integer overflow vulnerability
that could lead to code execution (CVE-2015-8651).
These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2015-8634, CVE-2015-8635,
CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641,
CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647,
CVE-2015-8648, CVE-2015-8649, CVE-2015-8650).
These updates resolve memory corruption vulnerabilities
that could lead to code execution (CVE-2015-8459,
CVE-2015-8460, CVE-2015-8636, CVE-2015-8645).
This release fixes the issues discovered since 2.0.18,
containing multiple important stability and correctness related
improvements, including a fix for a bug which allowed malformed DNS
records to cause netsplits on a network.
Security researcher Karthikeyan Bhargavan reported an
issue in Network Security Services (NSS) where MD5
signatures in the server signature within the TLS 1.2
ServerKeyExchange message are still accepted. This is an
issue since NSS has officially disallowed accepting MD5
as a hash algorithm in signatures since 2011. This issue
exposes NSS-based clients such as Firefox to theoretical
collision-based forgery attacks.
By calling some scripts that are part of phpMyAdmin in an
unexpected way, it is possible to trigger phpMyAdmin to
display a PHP error message which contains the full path of
the directory where phpMyAdmin is installed.
We consider these vulnerabilities to be non-critical.
This path disclosure is possible on servers where the
recommended setting of the PHP configuration directive
display_errors is set to on, which is against the
recommendations given in the PHP manual for a production
server.
Hanno Boeck discovered a stack-based buffer overflow in the
dpkg-deb component of dpkg, the Debian package management system.
This flaw could potentially lead to arbitrary code execution if a
user or an automated system were tricked into processing a specially
crafted Debian binary package (.deb) in the old style Debian binary
package format.
If an application allows users to specify an unvalidated
format for dates and passes this format to the date filter, e.g. {{
last_updated|date:user_date_format }}, then a malicious user could
obtain any secret in the application's settings by specifying a settings
key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".
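A simplified model of the mechanism described above, added here and not Django's own code: the format argument is resolved by looking it up as a settings name before it is used as a format string, so a user-supplied "SECRET_KEY" pulls the secret into the rendered output, while an allowlist of legitimate format setting names stops the lookup. The settings object, the format characters implemented, and the secret are constructed for the example; real Django supports many more format characters and also consults localization.

```python
"""Added example (not Django's code): attacker-controlled date formats that
reach a settings lookup, and the allowlist that closes the hole."""
from datetime import date
from types import SimpleNamespace

# Constructed stand-in for django.conf.settings
settings = SimpleNamespace(
    DATE_FORMAT="j/m/Y",
    SECRET_KEY="s0-v3ry-s3cr3t",   # constructed, not a real key
)

# The only names a format argument may legitimately resolve against settings
FORMAT_SETTINGS = frozenset({"DATE_FORMAT", "DATETIME_FORMAT", "TIME_FORMAT",
                             "SHORT_DATE_FORMAT", "SHORT_DATETIME_FORMAT"})


def get_format_vulnerable(format_type):
    """Old behaviour: any settings attribute named by the argument is returned
    and then used as the format string, SECRET_KEY included."""
    return getattr(settings, format_type, format_type)


def get_format_fixed(format_type):
    """Fixed behaviour: only known format settings are looked up; anything else
    is treated as a literal format string, so "SECRET_KEY" stays "SECRET_KEY"."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


# Tiny subset of Django's date format characters. Every other character is
# copied to the output unchanged, which is exactly how a secret leaks through.
_SPEC = {
    "j": lambda d: str(d.day),          # day without leading zero
    "m": lambda d: f"{d.month:02d}",    # month, two digits
    "Y": lambda d: str(d.year),         # four-digit year
}


def date_filter(value, arg, get_format):
    """Mimic {{ value|date:arg }}: resolve arg via get_format, then format."""
    fmt = get_format(arg)
    return "".join(_SPEC[c](value) if c in _SPEC else c for c in fmt)
```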
Internal review discovered that Special:DeletedContributions did
not properly protect the IP of autoblocked users. This fix makes
the functionality of Special:DeletedContributions consistent with
Special:Contributions and Special:BlockList.
Internal review discovered that watchlist anti-CSRF tokens were not
being compared in constant time, which could allow various timing
attacks. This could allow an attacker to modify a user's watchlist
via CSRF.
John Menerick reported that MediaWiki's thumb.php failed to sanitize
various error messages, resulting in XSS.
Wikipedia user RobinHood70 reported two issues in the chunked
upload API. The API failed to correctly stop adding new chunks to
the upload when the reported size was exceeded (T91203), allowing
a malicious user to add an infinite number of chunks for a
single file upload. Additionally, a malicious user could upload
chunks of 1 byte for very large files, potentially creating a very
large number of files on the server's filesystem (T91205).
Internal review discovered that it is not possible to throttle file
uploads.
Internal review discovered a missing authorization check when
removing suppression from a revision. This allowed users with the
'viewsuppressed' user right but not the appropriate
'suppressrevision' user right to unsuppress revisions.
Richard Stanway from teamliquid.net reported that thumbnails of PNG
files generated with ImageMagick contained the local file path in
the image metadata.
(T117899) SECURITY: $wgArticlePath can no longer be set to relative
paths that do not begin with a slash. This enabled trivial XSS
attacks. Configuration values such as "http://my.wiki.com/wiki/$1"
are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is
not and will now throw an error.
(T119309) SECURITY: Use hash_compare() for edit token comparison.
(T118032) SECURITY: Don't allow cURL to interpret POST parameters
starting with '@' as file uploads.
(T115522) SECURITY: Passwords generated by User::randomPassword()
can no longer be shorter than $wgMinimalPasswordLength.
(T97897) SECURITY: Improve IP parsing and trimming. Previous
behavior could result in improper blocks being issued.
(T109724) SECURITY: Special:MyPage, Special:MyTalk,
Special:MyContributions and related pages no longer use HTTP
redirects and are now redirected by MediaWiki.
There is an unsafe tainted string vulnerability in Fiddle and DL.
This issue was originally reported and fixed with CVE-2009-5147 in
DL, but reappeared after DL was reimplemented using Fiddle and
libffi.
As for DL, CVE-2009-5147 was fixed in Ruby 1.9.1 but not in other
branches, so Ruby releases that bundle DL, other than Ruby 1.9.1,
are still vulnerable.
During the generation of a dependency graph, the code for
the HTML image map is generated locally if a local dot
installation is used. With escaped HTML characters in a bug
summary, it is possible to inject unfiltered HTML code in
the map file which the CreateImagemap function generates.
This could be used for a cross-site scripting attack.