FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  441777
Date:      2017-05-26
Time:      12:25:36Z
Committer: feld


VuXML entries as processed by FreshPorts
Date  Description  Port(s)
2017-05-26

Problem Description:

A vulnerability was discovered in the NTP server's parsing of configuration directives. [CVE-2017-6464]

A vulnerability was found in NTP, in the parsing of packets from the DPTS Clock. [CVE-2017-6462]

A vulnerability was discovered in the NTP server's parsing of configuration directives. [CVE-2017-6463]

A vulnerability was found in NTP, affecting the origin timestamp check function. [CVE-2016-9042]

Impact:

A remote, authenticated attacker could cause ntpd to crash by sending a crafted message. [CVE-2017-6463, CVE-2017-6464]

A malicious device could send crafted messages, causing ntpd to crash. [CVE-2017-6462]

An attacker able to spoof messages from all of the configured peers could send crafted packets to ntpd, causing later replies from those peers to be discarded, resulting in denial of service. [CVE-2016-9042]

FreeBSD
2017-05-26

Problem Description:

ipfilter(4), capable of stateful packet inspection, using the "keep state" or "keep frags" rule options, will not only maintain the state of connections, such as TCP streams or UDP communication, it also maintains the state of fragmented packets. When packet fragments are received they are cached in a hash table (and linked list). When a fragment is received it is compared with fragments already cached in the hash table for a match. If it does not match, the new entry is used to create a new entry in the hash table. If, on the other hand, it does match, unfortunately the wrong entry is freed: the entry in the hash table. This results in a use-after-free panic (and for a brief moment prior to the panic a memory leak due to the wrong entry being freed).

Impact:

Carefully feeding fragments that are allowed to pass by an ipfilter(4) firewall can be used to cause a panic followed by a reboot-loop denial of service attack.

FreeBSD-kernel
2017-05-26*

The OpenSSL project reports:

  • Truncated packet could crash via OOB read (CVE-2017-3731)

    Severity: Moderate

    If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash.
  • Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)

    Severity: Moderate

    If a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.
  • BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)

    Severity: Moderate

    There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem.
  • Montgomery multiplication may produce incorrect results (CVE-2016-7055)

    Severity: Low

    There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits. (OpenSSL 1.0.2 only)

    This issue was previously fixed in 1.1.0c.
FreeBSD
linux-c6-openssl
linux-c7-openssl-libs
openssl
openssl-devel
2017-05-26

Check Point research team reports:

Remote code execution via crafted subtitles

vlc
vlc-qt4
2017-05-25
  • CVE-2017-5506: Double free vulnerability in magick/profile.c in ImageMagick allows remote attackers to have unspecified impact via a crafted file.
  • CVE-2017-5507: Memory leak in coders/mpc.c in ImageMagick before 6.9.7-4 and 7.x before 7.0.4-4 allows remote attackers to cause a denial of service (memory consumption) via vectors involving a pixel cache.
  • CVE-2017-5508: Heap-based buffer overflow in the PushQuantumPixel function in ImageMagick before 6.9.7-3 and 7.x before 7.0.4-3 allows remote attackers to cause a denial of service (application crash) via a crafted TIFF file.
  • CVE-2017-5509: coders/psd.c in ImageMagick allows remote attackers to have unspecified impact via a crafted PSD file, which triggers an out-of-bounds write.
  • CVE-2017-5510: coders/psd.c in ImageMagick allows remote attackers to have unspecified impact via a crafted PSD file, which triggers an out-of-bounds write.
  • CVE-2017-5511: coders/psd.c in ImageMagick allows remote attackers to have unspecified impact by leveraging an improper cast, which triggers a heap-based buffer overflow.
  • CVE-2017-6497: An issue was discovered in ImageMagick 6.9.7. A specially crafted psd file could lead to a NULL pointer dereference (thus, a DoS).
  • CVE-2017-6498: An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files could trigger assertion failures, thus leading to DoS.
  • CVE-2017-6499: An issue was discovered in Magick++ in ImageMagick 6.9.7. A specially crafted file creating a nested exception could lead to a memory leak (thus, a DoS).
  • CVE-2017-6500: An issue was discovered in ImageMagick 6.9.7. A specially crafted sun file triggers a heap-based buffer over-read.
  • CVE-2017-6501: An issue was discovered in ImageMagick 6.9.7. A specially crafted xcf file could lead to a NULL pointer dereference.
  • CVE-2017-6502: An issue was discovered in ImageMagick 6.9.7. A specially crafted webp file could lead to a file-descriptor leak in libmagickcore (thus, a DoS).
  • CVE-2017-7275: The ReadPCXImage function in coders/pcx.c in ImageMagick 7.0.4.9 allows remote attackers to cause a denial of service (attempted large memory allocation and application crash) via a crafted file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8862 and CVE-2016-8866.
  • CVE-2017-7606: coders/rle.c in ImageMagick 7.0.5-4 has an "outside the range of representable values of type unsigned char" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.
  • CVE-2017-7619: In ImageMagick 7.0.4-9, an infinite loop can occur because of a floating-point rounding error in some of the color algorithms. This affects ModulateHSL, ModulateHCL, ModulateHCLp, ModulateHSB, ModulateHSI, ModulateHSV, ModulateHWB, ModulateLCHab, and ModulateLCHuv.
  • CVE-2017-7941: The ReadSGIImage function in sgi.c allows remote attackers to consume an amount of available memory via a crafted file.
  • CVE-2017-7942: The ReadAVSImage function in avs.c allows remote attackers to consume an amount of available memory via a crafted file.
  • CVE-2017-7943: The ReadSVGImage function in svg.c allows remote attackers to consume an amount of available memory via a crafted file.
  • CVE-2017-8343: ReadAAIImage function in aai.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8344: ReadPCXImage function in pcx.c allows attackers to cause a denial of service (memory leak) via a crafted file. The ReadMNGImage function in png.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8345: ReadMNGImage function in png.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8346: ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8347: ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8348: ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8349: ReadSFWImage function in sfw.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8350: ReadJNGImage function in png.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8351: ReadPCDImage function in pcd.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8352: ReadXWDImage function in xwd.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8353: ReadPICTImage function in pict.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8354: ReadBMPImage function in bmp.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8355: ReadMTVImage function in mtv.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8356: ReadSUNImage function in sun.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8357: ReadEPTImage function in ept.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-8365: The function named ReadICONImage in coders\icon.c has a memory leak vulnerability which can cause memory exhaustion via a crafted ICON file.
  • CVE-2017-8830: ReadBMPImage function in bmp.c:1379 allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-9141: A crafted file could trigger an assertion failure in the ResetImageProfileIterator function in MagickCore/profile.c because of missing checks in the ReadDDSImage function in coders/dds.c.
  • CVE-2017-9142: A crafted file could trigger an assertion failure in the WriteBlob function in MagickCore/blob.c because of missing checks in the ReadOneJNGImage function in coders/png.c.
  • CVE-2017-9143: ReadARTImage function in coders/art.c allows attackers to cause a denial of service (memory leak) via a crafted .art file.
  • CVE-2017-9144: A crafted RLE image can trigger a crash because of incorrect EOF handling in coders/rle.c.
imagemagick
2017-05-25

Brandon Perry reports:

[There] is a zip file of EXR images that cause segmentation faults in the OpenEXR library (tested against 2.2.0).

  • CVE-2017-9110: In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash.
  • CVE-2017-9111: In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code.
  • CVE-2017-9112: In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash.
  • CVE-2017-9113: In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code.
  • CVE-2017-9114: In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash.
  • CVE-2017-9115: In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code.
  • CVE-2017-9116: In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash.
OpenEXR
2017-05-24

The samba project reports:

Remote code execution from a writable share.

All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

samba42
samba43
samba44
samba45
samba46
2017-05-23

NVIDIA Unix security team reports:

NVIDIA GPU Display Driver contains vulnerabilities in the kernel mode layer handler where incorrectly validated user input, a NULL pointer dereference, and incorrect access control may lead to denial of service or potential escalation of privileges.

nvidia-driver
2017-05-22

Tintinweb reports:

An integer signedness error was found in miniupnp's miniwget allowing an unauthenticated remote entity typically located on the local network segment to trigger a heap corruption or an access violation in miniupnp's http response parser when processing a specially crafted chunked-encoded response to a request for the xml root description url.

miniupnpc
2017-05-21

WordPress versions 4.7.4 and earlier are affected by six security issues.

  • Insufficient redirect validation in the HTTP class.
  • Improper handling of post meta data values in the XML-RPC API.
  • Lack of capability checks for post meta data in the XML-RPC API.
  • A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog.
  • A cross-site scripting (XSS) vulnerability was discovered related to the Customizer.
de-wordpress
fr-wordpress
ja-wordpress
ru-wordpress
wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
2017-05-19

The Asterisk project reports:

A remote crash can be triggered by sending a SIP packet to Asterisk with a specially crafted CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key generation algorithm does not allocate a large enough buffer. By overrunning the buffer, the memory allocation table becomes corrupted, leading to an eventual crash.

The multi-part body parser in PJSIP contains a logical error that can make certain multi-part body parts attempt to read memory from outside the allowed boundaries. A specially-crafted packet can trigger these invalid reads and potentially induce a crash.

This issue is in PJSIP, and so the issue can be fixed without performing an upgrade of Asterisk at all. However, we are releasing a new version of Asterisk with the bundled PJProject updated to include the fix.

If you are running Asterisk with chan_sip, this issue does not affect you.

asterisk13
pjsip
pjsip-extsrtp
2017-05-19

The Asterisk project reports:

A remote memory exhaustion can be triggered by sending an SCCP packet to an Asterisk system with "chan_skinny" enabled that is larger than the length of the SCCP header but smaller than the packet length specified in the header. The loop that reads the rest of the packet doesn't detect that the call to read() returned end-of-file before the expected number of bytes and continues infinitely. The "partial data" message logging in that tight loop causes Asterisk to exhaust all available memory.

asterisk13
2017-05-18

JSST reports:

Inadequate filtering of request data leads to a SQL Injection vulnerability.

joomla3
2017-05-18

GitLab reports:

Information Disclosure in Issue and Merge Request Trackers

During an internal code review a critical vulnerability in the GitLab Issue and Merge Request trackers was discovered. This vulnerability could allow a user with access to assign ownership of an issue or merge request to another user to disclose that user's private token, email token, email address, and encrypted OTP secret. Reporter-level access to a GitLab project is required to exploit this flaw.

SSRF when importing a project from a Repo by URL

GitLab instances that have enabled project imports using "Repo by URL" were vulnerable to Server-Side Request Forgery attacks. By specifying a project import URL of localhost an attacker could target services that are bound to the local interface of the server. These services often do not require authentication. Depending on the service an attacker might be able to craft an attack using the project import request URL.

Links in Environments tab vulnerable to tabnabbing

edio via HackerOne reported that user-configured Environment links include target=_blank but do not also include rel: noopener noreferrer. Anyone clicking on these links may therefore be subjected to tabnabbing attacks where a link back to the requesting page is maintained and can be manipulated by the target server.

Accounts with email set to "Do not show on profile" have addresses exposed in public atom feed

Several GitLab users reported that even with "Do not show on profile" configured for their email addresses those addresses were still being leaked in Atom feeds if they commented on a public project.

gitlab
2017-05-18

GitLab reports:

Cross-Site Scripting (XSS) vulnerability in project import file names for gitlab_project import types

Timo Schmid from ERNW reported a persistent Cross-Site Scripting vulnerability in the new project import view for gitlab_project import types. This XSS vulnerability was caused by the use of Hamlit filters inside HAML views without manually escaping HTML. Unlike content outside of a filter, content inside Hamlit filters (:css, :javascript, :preserve, :plain) is not automatically escaped.

Cross-Site Scripting (XSS) vulnerability in git submodule support

Jobert Abma from HackerOne reported a persistent XSS vulnerability in the GitLab repository files view that could be exploited by injecting malicious script into a git submodule.

Cross-Site Scripting (XSS) vulnerability in repository "new branch" view

A GitLab user reported a persistent XSS vulnerability in the repository new branch view that allowed malicious branch names or git references to execute arbitrary Javascript.

Cross-Site Scripting (XSS) vulnerability in mirror errors display

While investigating Timo Schmid's previously reported XSS vulnerability in import filenames another persistent XSS vulnerability was discovered in the GitLab Enterprise Edition's (EE) mirror view. This vulnerability was also caused by the misuse of Hamlit filters.

Potential XSS vulnerability in DropLab

An internal code audit disclosed a vulnerability in DropLab's templating that, while not currently exploitable, could become exploitable depending on how the templates were used in the future.

Tab Nabbing vulnerabilities in markdown link filter, Asciidoc files, and other markup files

edio via HackerOne reported two tab nabbing vulnerabilities. The first tab nabbing vulnerability was caused by improper hostname filtering when identifying user-supplied external links. GitLab did not properly filter usernames from the URL. An attacker could construct a specially crafted link including a username to bypass GitLab's external link filter. This allowed an attacker to post links in Markdown that did not include the appropriate "noreferrer noopener" options, allowing tab nabbing attacks.

The second vulnerability was in the AsciiDoctor markup library. AsciiDoctor was not properly including the "noreferrer noopener" options with external links. An internal investigation discovered other markup libraries that were also vulnerable.

Unauthorized disclosure of wiki pages in search

M. Hasbini reported a flaw in the project search feature that allowed authenticated users to disclose the contents of private wiki pages inside public projects.

External users can view internal snippets

Christian Kühn discovered a vulnerability in GitLab snippets that allowed an external user to view the contents of internal snippets.

Subgroup visibility for private subgroups under a public parent group

Matt Harrison discovered a vulnerability with subgroups that allowed private subgroup names to be disclosed when they belong to a parent group that is public.

gitlab
2017-05-17

Werner Lemberg reports:

CVE-2017-8105, CVE-2017-8287: Older FreeType versions have out-of-bounds writes caused by heap-based buffer overflows related to Type 1 fonts.

freetype2
2017-05-11

Samuli Seppänen reports:

OpenVPN v2.4.0 was audited for security vulnerabilities independently by Quarkslabs (funded by OSTIF) and Cryptography Engineering (funded by Private Internet Access) between December 2016 and April 2017. The primary findings were two remote denial-of-service vulnerabilities. Fixes to them have been backported to v2.3.15.

An authenticated client can do the 'three way handshake' (P_HARD_RESET, P_HARD_RESET, P_CONTROL), where the P_CONTROL packet is the first that is allowed to carry payload. If that payload is too big, the OpenVPN server process will stop running due to an ASSERT() exception. That is also the reason why servers using tls-auth/tls-crypt are protected against this attack - the P_CONTROL packet is only accepted if it contains the session ID we specified, with a valid HMAC (challenge-response). (CVE-2017-7478)

An authenticated client can cause the server's packet-id counter to roll over, which would lead the server process to hit an ASSERT() and stop running. To make the server hit the ASSERT(), the client must first cause the server to send it 2^32 packets (at least 196 GB).

openvpn
openvpn-mbedtls
openvpn-polarssl
openvpn23
openvpn23-polarssl
2017-05-11

The PostgreSQL project reports:

Security Fixes: nested CASE expressions + database and role names with embedded special characters

  • CVE-2017-7484: selectivity estimators bypass SELECT privilege checks.
  • CVE-2017-7485: libpq ignores PGREQUIRESSL environment variable.
  • CVE-2017-7486: pg_user_mappings view discloses foreign server passwords. This applies to new databases, see the release notes for the procedure to apply the fix to an existing database.
postgresql92-client
postgresql92-server
postgresql93-client
postgresql93-server
postgresql94-client
postgresql94-server
postgresql95-client
postgresql95-server
postgresql96-client
postgresql96-server
2017-05-10

Albert Astals Cid reports:

KAuth contains a logic flaw in which the service invoking dbus is not properly checked. This allows spoofing the identity of the caller and with some carefully crafted calls can lead to gaining root from an unprivileged account.

kdelibs
kf5-kauth
2017-05-09

rwhitworth reports:

I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the mime-parse test program. Is fixing these crashes something you're interested in? The input files can be found here: https://github.com/rwhitworth/libetpan-fuzz/. The files can be executed as ./mime-parse id_filename to cause seg faults.

libetpan
2017-05-04*

NVD reports:

International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function.

International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.

icu
linux-c6-icu
linux-c7-icu
2017-05-03

Google Chrome Releases reports:

1 security fix in this release:

  • [679306] High CVE-2017-5068: Race condition in WebRTC. Credit to Philipp Hancke
chromium
2017-04-30

Timo Sirainen reports:

passdb/userdb dict: Don't double-expand %variables in keys. If dict was used as the authentication passdb, using specially crafted %variables in the username could be used to cause DoS.

dovecot2
2017-04-28

Jakub Jirutka reports:

LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx.

libressl
libressl-devel
2017-04-27

Jenkins Security Advisory:

Description

SECURITY-412 through SECURITY-420 / CVE-2017-1000356

CSRF: Multiple vulnerabilities

SECURITY-429 / CVE-2017-1000353

CLI: Unauthenticated remote code execution

SECURITY-466 / CVE-2017-1000354

CLI: Login command allowed impersonating any Jenkins user

SECURITY-503 / CVE-2017-1000355

XStream: Java crash when trying to instantiate void/Void

jenkins
jenkins-lts
2017-04-25

The CodeIgniter changelog reports:

Fixed a header injection vulnerability in common function set_status_header() under Apache (thanks to Guillermo Caminer from Flowgate).

Fixed byte-safety issues in Encrypt Library (DEPRECATED) when mbstring.func_overload is enabled.

Fixed byte-safety issues in Encryption Library when mbstring.func_overload is enabled.

Fixed byte-safety issues in compatibility functions password_hash(), hash_pbkdf2() when mbstring.func_overload is enabled.

Updated Encrypt Library (DEPRECATED) to call mcrypt_create_iv() with MCRYPT_DEV_URANDOM.

codeigniter
2017-04-24*

ISC reports:

DNS protocols were designed with the assumption that a certain amount of trust could be presumed between the operators of primary and secondary servers for a given zone. However, in current practice some organizations have scenarios which require them to accept zone data from sources that are not fully trusted (for example: providers of secondary name service). A party who is allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS updates) can overwhelm the server which is accepting data by intentionally or accidentally exhausting that server's memory.

bind9-devel
bind910
bind911
bind99
knot
knot1
knot2
nsd
powerdns
2017-04-24

Common Vulnerabilities and Exposures:

WeeChat before 1.7.1 allows a remote crash by sending a filename via DCC to the IRC plugin. This occurs in the irc_ctcp_dcc_filename_without_quotes function during quote removal, with a buffer overflow.

weechat
2017-04-21

Drupal Security Team Reports:

CVE-2017-6919: Access bypass

drupal8
2017-04-21

Google Chrome Releases reports:

29 security fixes in this release, including:

  • [695826] High CVE-2017-5057: Type confusion in PDFium. Credit to Guang Gong of Alpha Team, Qihoo 360
  • [694382] High CVE-2017-5058: Heap use after free in Print Preview. Credit to Khalil Zhani
  • [684684] High CVE-2017-5059: Type confusion in Blink. Credit to SkyLined working with Trend Micro's Zero Day Initiative
  • [683314] Medium CVE-2017-5060: URL spoofing in Omnibox. Credit to Xudong Zheng
  • [672847] Medium CVE-2017-5061: URL spoofing in Omnibox. Credit to Haosheng Wang (@gnehsoah)
  • [702896] Medium CVE-2017-5062: Use after free in Chrome Apps. Credit to anonymous
  • [700836] Medium CVE-2017-5063: Heap overflow in Skia. Credit to Sweetchip
  • [693974] Medium CVE-2017-5064: Use after free in Blink. Credit to Wadih Matar
  • [704560] Medium CVE-2017-5065: Incorrect UI in Blink. Credit to Khalil Zhani
  • [690821] Medium CVE-2017-5066: Incorrect signature handling in Networking. Credit to Prof. Zhenhua Duan, Prof. Cong Tian, and Ph.D candidate Chu Chen (ICTT, Xidian University)
  • [648117] Medium CVE-2017-5067: URL spoofing in Omnibox. Credit to Khalil Zhani
  • [691726] Low CVE-2017-5069: Cross-origin bypass in Blink. Credit to Michael Reizelman
  • [713205] Various fixes from internal audits, fuzzing and other initiatives
chromium
chromium-pulse
2017-04-20

NVD reports:

LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.

The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.

tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image.

The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image.

The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.

LibTIFF 4.0.7 has an "outside the range of representable values of type float" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.

tif_dirread.c in LibTIFF 4.0.7 has an "outside the range of representable values of type float" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.

tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.

LibTIFF 4.0.7 has an "outside the range of representable values of type short" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.

LibTIFF 4.0.7 has an "outside the range of representable values of type unsigned char" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.

LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.

LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.

linux-c6-tiff
linux-c7-tiff
linux-f10-tiff
linux-f8-tiff
tiff
2017-04-20

cURL security advisory:

libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate).

libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster.

This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.

curl
2017-04-20

NVD reports:

In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file.

In libsndfile before 1.0.28, an error in the "header_read()" function (common.c) when handling ID3 tags can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file.

In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with write memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585.

In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with read memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585.

libsndfile
linux-c6-libsndfile
linux-c7-libsndfile
2017-04-20*

Mozilla Foundation reports:

An out-of-bounds write in the Graphite 2 library triggered with a maliciously crafted Graphite font. This results in a potentially exploitable crash. This issue was fixed in the Graphite 2 library as well as Mozilla products.

more...
graphite2
linux-c7-graphite2
2017-04-20

NVD reports:

In libsamplerate before 0.1.9, a buffer over-read occurs in the calc_output_single function in src_sinc.c via a crafted audio file.

more...
libsamplerate
linux-c6-libsamplerate
linux-c7-libsamplerate
2017-04-19

Mozilla Foundation reports:

An out-of-bounds write during Base64 decoding operation in the Network Security Services (NSS) library due to insufficient memory being allocated to the buffer. This results in a potentially exploitable crash. The NSS library has been updated to address this issue and Firefox 53 has been updated with NSS version 3.29.5.

A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to address this issue and Firefox 53 has been updated with NSS version 3.29.5.

more...
linux-c6-nss
linux-c7-nss
linux-f10-nss
nss
2017-04-19

Mozilla Foundation reports:

CVE-2017-5433: Use-after-free in SMIL animation functions

CVE-2017-5435: Use-after-free during transaction processing in the editor

CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2

CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS

CVE-2017-5459: Buffer overflow in WebGL

CVE-2017-5466: Origin confusion when reloading isolated data:text/html URL

CVE-2017-5434: Use-after-free during focus handling

CVE-2017-5432: Use-after-free in text input selection

CVE-2017-5460: Use-after-free in frame selection

CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing

CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing

CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing

CVE-2017-5441: Use-after-free with selection during scroll events

CVE-2017-5442: Use-after-free during style changes

CVE-2017-5464: Memory corruption with accessibility and DOM manipulation

CVE-2017-5443: Out-of-bounds write during BinHex decoding

CVE-2017-5444: Buffer overflow while parsing application/http-index-format content

CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data

CVE-2017-5447: Out-of-bounds read during glyph processing

CVE-2017-5465: Out-of-bounds read in ConvolvePixel

CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor

CVE-2017-5437: Vulnerabilities in Libevent library

CVE-2017-5454: Sandbox escape allowing file system read access through file picker

CVE-2017-5455: Sandbox escape through internal feed reader APIs

CVE-2017-5456: Sandbox escape allowing local file system access

CVE-2017-5469: Potential Buffer overflow in flex-generated code

CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content

CVE-2017-5449: Crash during bidirectional unicode manipulation with animation

CVE-2017-5450: Addressbar spoofing using javascript: URI on Firefox for Android

CVE-2017-5451: Addressbar spoofing with onblur event

CVE-2017-5462: DRBG flaw in NSS

CVE-2017-5463: Addressbar spoofing through reader view on Firefox for Android

CVE-2017-5467: Memory corruption when drawing Skia content

CVE-2017-5452: Addressbar spoofing during scrolling with editable content on Firefox for Android

CVE-2017-5453: HTML injection into RSS Reader feed preview page through TITLE element

CVE-2017-5458: Drag and drop of javascript: URLs can allow for self-XSS

CVE-2017-5468: Incorrect ownership model for Private Browsing information

CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1

CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1

more...
firefox
firefox-esr
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2017-04-19

Debian Security reports:

CVE-2016-10195: The name_parse function in evdns.c in libevent before 2.1.6-beta allows remote attackers to have unspecified impact via vectors involving the label_len variable, which triggers an out-of-bounds stack read.

CVE-2016-10196: Stack-based buffer overflow in the evutil_parse_sockaddr_port function in evutil.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (segmentation fault) via vectors involving a long string in brackets in the ip_as_string argument.

CVE-2016-10197: The search_make_new function in evdns.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (out-of-bounds read) via an empty hostname.

more...
libevent
libevent2
linux-c6-libevent2
linux-c7-libevent
2017-04-19

Oracle reports:

This Critical Patch Update contains 39 new security fixes for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

more...
mariadb100-server
mariadb101-server
mariadb55-server
mysql55-server
mysql56-server
mysql57-server
2017-04-13*

ISC reports:

A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate.

An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met.

Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order.

named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc.

A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string.

more...
bind9-devel
bind910
bind911
bind99
2017-04-07

The content auto-download of id Tech 3 can be used to deliver maliciously crafted content that triggers downloading of further content and loading and executing it as native code with user credentials. This affects ioquake3, ioUrbanTerror, OpenArena, the original Quake 3 Arena and other forks.

more...
ioquake3
ioquake3-devel
iourbanterror
openarena
2017-04-06*

The cURL project reports:

There were two bugs in curl's parser for the command line option --write-out (or -w for short) that would skip the end of string zero byte if the string ended in a % (percent) or \ (backslash), and it would read beyond that buffer in the heap memory and it could then potentially output pieces of that memory to the terminal or the target file etc.

This flaw only exists in the command line tool.

We are not aware of any exploit of this flaw.

more...
curl
2017-04-06

The Xen Project reports:

The XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays.

A malicious or buggy 64-bit PV guest may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks.

more...
xen-kernel
2017-04-04

NVIDIA Unix security team reports:

NVIDIA GPU Display Driver contains vulnerabilities in the kernel mode layer handler where multiple integer overflows, improper access control, and improper validation of a user input may cause a denial of service or potential escalation of privileges.

more...
nvidia-driver
nvidia-driver-304
nvidia-driver-340
2017-04-04

The Asterisk project reports:

No size checking is done when setting the user field on a CDR. Thus, it is possible for someone to use an arbitrarily large string and write past the end of the user field storage buffer. This allows the possibility of remote code injection.

more...
asterisk13
2017-04-04

Django team reports:

These releases address two security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

  • Open redirect and possible XSS attack via user-supplied numeric redirect URLs
  • Open redirect vulnerability in django.views.static.serve()
more...
py27-django
py27-django110
py27-django18
py27-django19
py33-django
py33-django18
py33-django19
py34-django
py34-django18
py34-django19
py35-django
py35-django18
py35-django19
py36-django
py36-django18
py36-django19
2017-03-30

The Xen Project reports:

Unprivileged guests may be able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host.

more...
xen-tools
2017-03-30

Google Chrome Releases reports:

5 security fixes in this release, including:

  • [698622] Critical CVE-2017-5055: Use after free in printing. Credit to Wadih Matar
  • [699166] High CVE-2017-5054: Heap buffer overflow in V8. Credit to Nicolas Trippar of Zimperium zLabs
  • [662767] High CVE-2017-5052: Bad cast in Blink. Credit to JeongHoon Shin
  • [705445] High CVE-2017-5056: Use after free in Blink. Credit to anonymous
  • [702058] High CVE-2017-5053: Out of bounds memory access in V8. Credit to Team Sniper (Keen Lab and PC Mgr) reported through ZDI (ZDI-CAN-4587)
more...
chromium
chromium-npapi
chromium-pulse
2017-03-29

The phpMyAdmin team reports:

Summary

Bypass $cfg['Servers'][$i]['AllowNoPassword']

Description

A vulnerability was discovered where the restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions. This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default).

This behavior depends on the PHP version used (it seems PHP 5 is affected, while PHP 7.0 is not).

Severity

We consider this vulnerability to be of moderate severity.

Mitigation factor

Set a password for all users.

more...
phpMyAdmin
2017-03-24

Samba team reports:

A time-of-check, time-of-use race condition can allow clients to access non-exported parts of the file system via symlinks.

more...
samba36
samba4
samba41
samba42
samba43
samba44
samba45
samba46
2017-03-23

The Xen Project reports:

A privileged user within the guest VM can cause a heap overflow in the device model process, potentially escalating their privileges to that of the device model process.

more...
xen-tools
2017-03-22*

Jouni Malinen reports:

psk configuration parameter update allowing arbitrary data to be written (2016-1 - CVE-2016-4476/CVE-2016-4477).

more...
hostapd
wpa_supplicant
2017-03-22*

Jouni Malinen reports:

wpa_supplicant unauthorized WNM Sleep Mode GTK control. (2015-6 - CVE-2015-5310)

EAP-pwd missing last fragment length validation. (2015-7 - CVE-2015-5315)

EAP-pwd peer error path failure on unexpected Confirm message. (2015-8 - CVE-2015-5316)

more...
hostapd
wpa_supplicant
2017-03-18

The irssi project reports:

Use after free while producing list of netjoins (CWE-416). This issue was found and reported to us by APic. This issue usually leads to segmentation faults. Targeted code execution should be difficult.

more...
irssi
2017-03-18*

The Apache Software Foundation reports:

Important: Remote Code Execution CVE-2016-8735

Important: Information Disclosure CVE-2016-6816

more...
tomcat
tomcat7
tomcat8
2017-03-18*

The Apache Software Foundation reports:

When using the NIO connector with sendfile and HTTPS enabled, if a client breaks the connection while reading the response an infinite loop is entered leading to a denial of service.

more...
tomcat
tomcat7
2017-03-18*

Mark Thomas reports:

  • CVE-2015-5345 Apache Tomcat Directory disclosure

  • CVE-2016-0706 Apache Tomcat Security Manager bypass

  • CVE-2016-0714 Apache Tomcat Security Manager Bypass

more...
tomcat
tomcat7
tomcat8
2017-03-18*

Apache Software Foundation reports:

Low: Denial of Service CVE-2014-0230

When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.

Moderate: Security Manager bypass CVE-2014-7810

Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section.

more...
hadoop2
oozie
tomcat
tomcat7
tomcat8
2017-03-18*

The Apache Software Foundation reports:

Low: Unrestricted Access to Global Resources CVE-2016-6797

Low: Security Manager Bypass CVE-2016-6796

Low: System Property Disclosure CVE-2016-6794

Low: Security Manager Bypass CVE-2016-5018

Low: Timing Attack CVE-2016-0762

more...
tomcat
tomcat7
tomcat8
2017-03-18

The Mozilla Foundation reports:

An integer overflow in createImageBitmap() was reported through the Pwn2Own contest. The fix for this vulnerability disables the experimental extensions to the createImageBitmap API. This function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.

more...
firefox
2017-03-18*

Jochen Wiedmann reports:

A malicious client can send file upload requests that cause the HTTP server using the Apache Commons Fileupload library to become unresponsive, preventing the server from servicing other requests.

more...
apache-struts
tomcat
tomcat7
tomcat8
2017-03-18

Openwall reports:

C client library for MySQL (libmysqlclient.so) has a use-after-free defect which can cause a crash of applications using that MySQL client.

more...
mariadb100-client
mariadb101-client
mariadb55-client
mysql55-client
mysql56-client
mysql57-client
2017-03-18*

Tomcat Security Team reports:

Tomcat does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

An integer overflow, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.

An integer overflow in parseChunkHeader allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.

more...
tomcat
tomcat7
tomcat8
2017-03-18*

The Apache Software Foundation reports:

The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request.

more...
tomcat
tomcat7
2017-03-18

Marina Glancy reports:

In addition to a number of bug fixes and small improvements, security vulnerabilities have been discovered and fixed. We highly recommend that you upgrade your sites as soon as possible. Upgrading should be very straightforward. As per our usual policy, admins of all registered Moodle sites will be notified of security issue details directly via email and we'll publish details more widely in a week.

more...
moodle29
moodle30
moodle31
moodle32
2017-03-18*

The Apache Software Foundation reports:

Important: Information Disclosure CVE-2016-8745

more...
tomcat
tomcat7
tomcat8
2017-03-18*

The Apache Software Foundation reports:

When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate().

more...
tomcat
tomcat7
2017-03-18

Marina Glancy reports:

  • MSA-17-0001: System file inclusion when adding own preset file in Boost theme

  • MSA-17-0002: Incorrect sanitation of attributes in forums

  • MSA-17-0003: PHPMailer vulnerability in no-reply address

  • MSA-17-0004: XSS in assignment submission page

more...
moodle29
moodle30
moodle31
moodle32
2017-03-17

Drupal Security Team reports:

CVE-2017-6377: Editor module incorrectly checks access to inline private files

CVE-2017-6379: Some admin paths were not protected with a CSRF token

CVE-2017-6381: Remote code execution

more...
drupal8
2017-03-16

Adobe reports:

  • These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2017-2997).
  • These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2017-2998, CVE-2017-2999).
  • These updates resolve a random number generator vulnerability used for constant blinding that could lead to information disclosure (CVE-2017-3000).
  • These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2017-3001, CVE-2017-3002, CVE-2017-3003).
more...
linux-flashplayer
2017-03-16

Simon G. Tatham reports:

Many versions of PuTTY prior to 0.68 have a heap-corrupting integer overflow bug in the ssh_agent_channel_data function which processes messages sent by remote SSH clients to a forwarded agent connection. [...]

This bug is only exploitable at all if you have enabled SSH agent forwarding, which is turned off by default. Moreover, an attacker able to exploit this bug would have to already be able to connect to the Unix-domain socket representing the forwarded agent connection. Since any attacker with that capability would necessarily already be able to generate signatures with your agent's stored private keys, you should in normal circumstances be defended against this vulnerability by the same precautions you and your operating system were already taking to prevent untrusted people from accessing your SSH agent.

more...
putty
2017-03-14*

Oracle reports:

No further details have been provided in the Critical Patch Update

more...
mariadb100-server
mariadb101-server
mariadb55-server
mysql55-server
mysql56-server
mysql57-server
2017-03-12

The Legion of the Bouncy Castle reports:

Release: 1.56

2.1.4 Security Related Changes and CVE's Addressed by this Release: (multiple)

more...
bouncycastle15
2017-03-12

Google Chrome Releases reports:

36 security fixes in this release, including:

  • [682194] High CVE-2017-5030: Memory corruption in V8. Credit to Brendon Tiszka
  • [682020] High CVE-2017-5031: Use after free in ANGLE. Credit to Looben Yang
  • [668724] High CVE-2017-5032: Out of bounds write in PDFium. Credit to Ashfaq Ansari - Project Srishti
  • [676623] High CVE-2017-5029: Integer overflow in libxslt. Credit to Holger Fuhrmannek
  • [678461] High CVE-2017-5034: Use after free in PDFium. Credit to Ke Liu of Tencent's Xuanwu Lab
  • [688425] High CVE-2017-5035: Incorrect security UI in Omnibox. Credit to Enzo Aguado
  • [691371] High CVE-2017-5036: Use after free in PDFium. Credit to Anonymous
  • [679640] High CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer. Credit to Yongke Wang of Tencent's Xuanwu Lab
  • [679649] High CVE-2017-5039: Use after free in PDFium. Credit to jinmo123
  • [691323] Medium CVE-2017-5040: Information disclosure in V8. Credit to Choongwoo Han
  • [642490] Medium CVE-2017-5041: Address spoofing in Omnibox. Credit to Jordi Chancel
  • [669086] Medium CVE-2017-5033: Bypass of Content Security Policy in Blink. Credit to Nicolai Grodum
  • [671932] Medium CVE-2017-5042: Incorrect handling of cookies in Cast. Credit to Mike Ruddy
  • [695476] Medium CVE-2017-5038: Use after free in GuestView. Credit to Anonymous
  • [683523] Medium CVE-2017-5043: Use after free in GuestView. Credit to Anonymous
  • [688987] Medium CVE-2017-5044: Heap overflow in Skia. Credit to Kushal Arvind Shah of Fortinet's FortiGuard Labs
  • [667079] Medium CVE-2017-5045: Information disclosure in XSS Auditor. Credit to Dhaval Kapil
  • [680409] Medium CVE-2017-5046: Information disclosure in Blink. Credit to Masato Kinugawa
  • [699618] Various fixes from internal audits, fuzzing and other initiatives
more...
chromium
chromium-npapi
chromium-pulse
2017-03-12

Janos Follath reports:

  • If a malicious peer supplies a certificate with a specially crafted secp224k1 public key, then an attacker can cause the server or client to attempt to free a block of memory held on the stack. Depending on the platform, this could result in a Denial of Service (client crash) or potentially could be exploited to allow remote code execution with the same privileges as the host application.
  • If the client and the server both support MD5 and the client can be tricked to authenticate to a malicious server, then the malicious server can impersonate the client. To launch this man in the middle attack, the adversary has to compute a chosen-prefix MD5 collision in real time. This is very expensive computationally, but can be practical. Depending on the platform, this could result in a Denial of Service (client crash) or potentially could be exploited to allow remote code execution with the same privileges as the host application.
  • A bug in the logic of the parsing of a PEM encoded Certificate Revocation List in mbedtls_x509_crl_parse() can result in an infinite loop. In versions before 1.3.10 the same bug results in an infinite recursion stack overflow that usually crashes the application. Methods and means of acquiring the CRLs are not part of the TLS handshake and in the strict TLS setting this vulnerability cannot be triggered remotely. The vulnerability cannot be triggered unless the application explicitly calls mbedtls_x509_crl_parse() or mbedtls_x509_crl_parse_file() on a PEM formatted CRL of untrusted origin, in which case the vulnerability can be exploited to launch a denial of service attack against the application.
more...
mbedtls
polarssl13
2017-03-11

Albert Astals Cid reports:

A maliciously crafted command line for kdesu can result in the user only seeing part of the commands that will actually get executed as super user.

more...
kde-runtime
2017-03-11

Albert Astals Cid reports:

A directory traversal issue was found in KTNEF which can be exploited by tricking a user into opening a malicious winmail.dat file. The issue allows writing files with the permissions of the user opening the winmail.dat file during extraction.

more...
kdepimlibs
2017-03-11

Albert Astals Cid reports:

Using a malicious PAC file, and then using exfiltration methods in the PAC function FindProxyForURL() enables the attacker to expose full https URLs.

This is a security issue since https URLs may contain sensitive information in the URL authentication part (user:password@host), and in the path and the query (e.g. access tokens).

This attack can be carried out remotely (over the LAN) since proxy settings allow "Detect Proxy Configuration Automatically". This setting uses WPAD to retrieve the PAC file, and an attacker who has access to the victim's LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP) and inject his/her own malicious PAC instead of the legitimate one.

more...
kdelibs
kf5-kio
2017-03-07

WordPress versions 4.7.2 and earlier are affected by six security issues.

  • Cross-site scripting (XSS) via media file metadata.
  • Control characters can trick redirect URL validation.
  • Unintended files can be deleted by administrators using the plugin deletion functionality.
  • Cross-site scripting (XSS) via video URL in YouTube embeds.
  • Cross-site scripting (XSS) via taxonomy term names.
  • Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.
more...
de-wordpress
ja-wordpress
ru-wordpress
wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
2017-03-07

Mozilla Foundation reports:

CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP

CVE-2017-5401: Memory Corruption when handling ErrorResult

CVE-2017-5402: Use-after-free working with events in FontFace objects

CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object

CVE-2017-5404: Use-after-free working with ranges in selections

CVE-2017-5406: Segmentation fault in Skia with canvas operations

CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters

CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping

CVE-2017-5411: Use-after-free in Buffer Storage in libGLES

CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service

CVE-2017-5408: Cross-origin reading of video captions in violation of CORS

CVE-2017-5412: Buffer overflow read in SVG filters

CVE-2017-5413: Segmentation fault during bidirectional operations

CVE-2017-5414: File picker can choose incorrect default directory

CVE-2017-5415: Addressbar spoofing through blob URL

CVE-2017-5416: Null dereference crash in HttpChannel

CVE-2017-5417: Addressbar spoofing by dragging and dropping URLs

CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access

CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running

CVE-2017-5427: Non-existent chrome.manifest file loaded during startup

CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses

CVE-2017-5419: Repeated authentication prompts lead to DOS attack

CVE-2017-5420: Javascript: URLs can obfuscate addressbar location

CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports

CVE-2017-5421: Print preview spoofing

CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink

CVE-2017-5399: Memory safety bugs fixed in Firefox 52

CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8

more...
firefox
firefox-esr
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2017-03-05

Mitre reports:

ikiwiki 3.20161219 does not properly check if a revision changes the access permissions for a page on sites with the git and recentchanges plugins and the CGI interface enabled, which allows remote attackers to revert certain changes by leveraging permissions to change the page before the revision was made.

When CGI::FormBuilder->field("foo") is called in list context (and in particular in the arguments to a subroutine that takes named arguments), it can return zero or more values for foo from the CGI request, rather than the expected single value. This breaks the usual Perl parsing convention for named arguments, similar to CVE-2014-1572 in Bugzilla (which was caused by a similar API design issue in CGI.pm).

more...
ikiwiki
2017-03-05

The CodeIgniter changelog reports:

Fixed an XSS vulnerability in Security Library method xss_clean().

Fixed a possible file inclusion vulnerability in Loader Library method vars().

Fixed a possible remote code execution vulnerability in the Email Library when "mail" or "sendmail" are used (thanks to Paul Buonopane from NamePros).

Added protection against timing side-channel attacks in Security Library method csrf_verify().

Added protection against BREACH attacks targeting the CSRF token field generated by Form Helper function form_open().

more...
codeigniter
2017-03-05

ikiwiki reports:

The ikiwiki maintainers discovered further flaws similar to CVE-2016-9646 in the passwordauth plugin's use of CGI::FormBuilder, with a more serious impact:

An attacker who can log in to a site with a password can log in as a different and potentially more privileged user.

An attacker who can create a new account can set arbitrary fields in the user database for that account

more...
ikiwiki
2017-03-05*

Peter Bex reports:

A buffer overflow error was found in the POSIX unit's procedures process-execute and process-spawn.

Additionally, a memory leak existed in this code, which would be triggered when an error is raised during argument and environment processing.

Irregex versions before 0.9.6 contain a resource exhaustion vulnerability: when compiling deeply nested regexes containing the "+" operator due to exponential expansion behaviour.

more...
chicken
2017-02-28

potrace reports:

CVE-2016-8685: invalid memory access in findnext

CVE-2016-8686: memory allocation failure

more...
potrace
2017-02-26

The MPD project reports:

httpd: fix two buffer overflows in IcyMetaData length calculation

more...
musicpd
2017-02-22*

Problem Description:

Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.

Impact:

A remote attacker who can initiate handshakes with an OpenSSL based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack.

more...
FreeBSD
linux-c6-openssl
linux-c7-openssl-libs
openssl
openssl-devel
2017-02-22

The cURL project reports:

SSL_VERIFYSTATUS ignored

curl and libcurl support "OCSP stapling", also known as the TLS Certificate Status Request extension (using the CURLOPT_SSL_VERIFYSTATUS option). When telling curl to use this feature, it uses that TLS extension to ask for a fresh proof of the server's certificate's validity. If the server doesn't support the extension, or fails to provide said proof, curl is expected to return an error.

Due to a coding mistake, the code that checks for a test success or failure ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question, contrary to how it used to function and contrary to how this feature is documented to work.

This could lead to users not detecting when a server's certificate goes invalid or otherwise being misled that the server is in a better shape than it is in reality.

more...
curl
2017-02-22

The Xen Project reports:

In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo fails to check whether the specified memory region is safe. A malicious guest administrator can cause an out of bounds memory write, very likely exploitable as a privilege escalation.

more...
xen-tools
2017-02-21

Alan Somers reports:

The web site used by this port, http://fbsdmon.org, has been taken over by cybersquatters. That means that users are sending their system info to an unknown party.

more...
fbsdmon
2017-02-20*

Debian Security Team reports:

Andrew Bartlett of Catalyst reported a defect affecting certain applications using the Libevent evbuffer API. This defect leaves applications which pass insanely large inputs to evbuffers open to a possible heap overflow or infinite loop. In order to exploit this flaw, an attacker needs to be able to find a way to provoke the program into trying to make a buffer chunk larger than what will fit into a single size_t or off_t.

more...
libevent
libevent2
2017-02-18

David Bryant reports:

global buffer overread in read_code / read_words.c

heap out of bounds read in WriteCaffHeader / caff.c

heap out of bounds read in unreorder_channels / wvunpack.c

heap oob read in read_new_config_info / open_utils.c

more...
wavpack
2017-02-16*

Ximin Luo reports:

[v67] introduced a security hole where diffoscope may write to arbitrary locations on disk depending on the contents of an untrusted archive.

more...
py34-diffoscope
py35-diffoscope
py36-diffoscope
2017-02-16

The OpenSSL project reports:

Severity: High

During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected.

This issue does not affect OpenSSL version 1.0.2.

more...
openssl-devel
2017-02-16

ifread.c in gif2png, as used in OptiPNG before 0.7.6, allows remote attackers to cause a denial of service (uninitialized memory read) via a crafted GIF file.

The bmp_read_rows function in pngxtern/pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (invalid memory write and crash) via a series of delta escapes in a crafted BMP image.

Heap-based buffer overflow in the bmp_read_rows function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file.

Off-by-one error in the bmp_rle4_fread function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file, which triggers a heap-based buffer overflow.

more...
optipng
2017-02-12

FFmpeg security reports:

FFmpeg 3.2.4 fixes the following vulnerabilities: CVE-2017-5024, CVE-2017-5025

more...
ffmpeg
2017-02-11

Daniel P. Berrange reports:

CVE-2017-5884 - fix bounds checking for RRE, hextile and copyrect encodings

CVE-2017-5885 - fix color map index bounds checking.

more...
gtk-vnc
2017-02-11

The Xen Project reports:

When doing bitblt copy backwards, qemu should negate the blit width. This avoids an oob access before the start of video memory.

A malicious guest administrator can cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation.

more...
xen-tools
2017-02-06*

The cURL project reports:

libcurl will reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer.

more...
curl
2017-02-06

libtiff project reports:

Multiple flaws have been discovered in libtiff library and utilities.

more...
linux-c6-libtiff
linux-c6-tiff
linux-c7-libtiff
linux-c7-tiff
tiff
2017-02-04

wdollman reports:

The value of the view_type parameter on the view_all_bug_page.php page is not encoded before being displayed on the page.

more...
mantis
2017-02-04

TALOS reports:

An exploitable out-of-bounds write vulnerability exists in the XMP image handling functionality of the FreeImage library.

more...
freeimage
2017-02-04

Moritz Bunkus reports:

Multiple invalid memory access vulnerabilities.

more...
libebml
2017-02-04

Ludovic Courtès reports:

The REPL server is vulnerable to the HTTP inter-protocol attack.

The 'mkdir' procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions.

more...
guile2
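The umask problem above is easy to misjudge because the window is short; the following is an added example (written for this page, not Guile's code) that reproduces the pattern in Python and contrasts it with a variant that never touches the umask. The "other thread" is started and joined inside the window so the outcome is deterministic; the 0o022 base umask, the 0o775 directory mode and the temporary paths are assumptions of the demonstration.

```python
import os
import shutil
import stat
import tempfile
import threading


def _mode(path):
    """Permission bits of a path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def _create_from_other_thread(path):
    """Stand-in for an unrelated thread creating an ordinary file with the
    usual 0o666 request; the kernel applies the *process-wide* umask to it,
    so whatever the first thread did to the umask affects this file too."""
    def work():
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        os.close(fd)
    t = threading.Thread(target=work)
    t.start()
    t.join()


def mkdir_clearing_umask(path, mode, side_file):
    """The pattern the report describes (modelled here, not Guile's source):
    clear the umask so mkdir yields exactly `mode`, then restore it.
    The other thread runs inside that window."""
    saved = os.umask(0)
    try:
        os.mkdir(path, mode)
        _create_from_other_thread(side_file)   # races with the zero umask
    finally:
        os.umask(saved)


def mkdir_keeping_umask(path, mode, side_file):
    """Hardened variant: leave the process umask alone and set the exact mode
    on the new directory afterwards with chmod. The directory is briefly
    *more* restrictive than requested, never less, and other threads keep
    their normal umask throughout."""
    os.mkdir(path, mode)
    os.chmod(path, mode)
    _create_from_other_thread(side_file)


def demonstrate(base_umask=0o022):
    """Run both variants under `base_umask` (assumed) and return the modes of
    (directory, side file) that each produced."""
    original = os.umask(base_umask)
    root = tempfile.mkdtemp()
    try:
        results = {}
        for name, fn in (("racy", mkdir_clearing_umask),
                         ("safe", mkdir_keeping_umask)):
            d = os.path.join(root, name)
            f = os.path.join(root, name + "-side.txt")
            fn(d, 0o775, f)
            results[name] = (_mode(d), _mode(f))
        return results
    finally:
        os.umask(original)
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, (dir_mode, file_mode) in demonstrate().items():
        print("%s: directory %o, file created by other thread %o"
              % (name, dir_mode, file_mode))
```

Under the racy variant the file created by the second thread comes out 0o666 (world-writable) even though that thread never asked for it; under the hardened variant it keeps the 0o644 the umask would normally give, while the directory still gets exactly the requested mode.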
2017-02-01

Jens Georg reports:

I have just released Shotwell 0.24.5 and 0.25.4 which turn on HTTPS encryption all over the publishing plugins.

Users using Tumblr and Yandex.Fotki publishing are strongly advised to change their passwords and reauthenticate Shotwell to those services after upgrade.

Users of Picasa and Youtube publishing are strongly advised to reauthenticate (Log out and back in) Shotwell to those services after upgrade.

more...
shotwell
2017-02-01

Jenkins Security Advisory:

Description

SECURITY-304 / CVE-2017-2598

Use of AES ECB block cipher mode without IV for encrypting secrets

SECURITY-321 / CVE-2017-2599

Items could be created with same name as existing item

SECURITY-343 / CVE-2017-2600

Node monitor data could be viewed by low privilege users

SECURITY-349 / CVE-2011-4969

Possible cross-site scripting vulnerability in jQuery bundled with timeline widget

SECURITY-353 / CVE-2017-2601

Persisted cross-site scripting vulnerability in parameter names and descriptions

SECURITY-354 / CVE-2015-0886

Outdated jbcrypt version bundled with Jenkins

SECURITY-358 / CVE-2017-2602

Pipeline metadata files not blacklisted in agent-to-master security subsystem

SECURITY-362 / CVE-2017-2603

User data leak in disconnected agents' config.xml API

SECURITY-371 / CVE-2017-2604

Low privilege users were able to act on administrative monitors

SECURITY-376 / CVE-2017-2605

Re-key admin monitor leaves behind unencrypted credentials in upgraded installations

SECURITY-380 / CVE-2017-2606

Internal API allowed access to item names that should not be visible

SECURITY-382 / CVE-2017-2607

Persisted cross-site scripting vulnerability in console notes

SECURITY-383 / CVE-2017-2608

XStream remote code execution vulnerability

SECURITY-385 / CVE-2017-2609

Information disclosure vulnerability in search suggestions

SECURITY-388 / CVE-2017-2610

Persisted cross-site scripting vulnerability in search suggestions

SECURITY-389 / CVE-2017-2611

Insufficient permission check for periodic processes

SECURITY-392 / CVE-2017-2612

Low privilege users were able to override JDK download credentials

SECURITY-406 / CVE-2017-2613

User creation CSRF using GET by admins

more...
jenkins
jenkins-lts
2017-01-29

Aaron D. Campbell reports:

WordPress versions 4.7.1 and earlier are affected by three security issues:

  • The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it.
  • WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we've added hardening to prevent plugins and themes from accidentally causing a vulnerability.
  • A cross-site scripting (XSS) vulnerability was discovered in the posts list table.
  • An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.
more...
de-wordpress
ja-wordpress
ru-wordpress
wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
2017-01-27

Peter Haag reports:

A remote attacker with access to the web interface can execute arbitrary commands on the host operating system.

more...
nfsen
2017-01-26

Google Chrome Releases reports:

51 security fixes in this release, including:

  • [671102] High CVE-2017-5007: Universal XSS in Blink. Credit to Mariusz Mlynski
  • [673170] High CVE-2017-5006: Universal XSS in Blink. Credit to Mariusz Mlynski
  • [668552] High CVE-2017-5008: Universal XSS in Blink. Credit to Mariusz Mlynski
  • [663476] High CVE-2017-5010: Universal XSS in Blink. Credit to Mariusz Mlynski
  • [662859] High CVE-2017-5011: Unauthorised file access in Devtools. Credit to Khalil Zhani
  • [667504] High CVE-2017-5009: Out of bounds memory access in WebRTC. Credit to Sean Stanek and Chip Bradford
  • [681843] High CVE-2017-5012: Heap overflow in V8. Credit to Gergely Nagy (Tresorit)
  • [677716] Medium CVE-2017-5013: Address spoofing in Omnibox. Credit to Haosheng Wang (@gnehsoah)
  • [675332] Medium CVE-2017-5014: Heap overflow in Skia. Credit to sweetchip
  • [673971] Medium CVE-2017-5015: Address spoofing in Omnibox. Credit to Armin Razmdjou
  • [666714] Medium CVE-2017-5019: Use after free in Renderer. Credit to Wadih Matar
  • [673163] Medium CVE-2017-5016: UI spoofing in Blink. Credit to Haosheng Wang (@gnehsoah)
  • [676975] Medium CVE-2017-5017: Uninitialised memory access in webm video. Credit to danberm
  • [668665] Medium CVE-2017-5018: Universal XSS in chrome://apps. Credit to Rob Wu
  • [668653] Medium CVE-2017-5020: Universal XSS in chrome://downloads. Credit to Rob Wu
  • [663726] Low CVE-2017-5021: Use after free in Extensions. Credit to Rob Wu
  • [663620] Low CVE-2017-5022: Bypass of Content Security Policy in Blink. Credit to Pujun Li of PKAV Team
  • [651443] Low CVE-2017-5023: Type confusion in metrics. Credit to the UK's National Cyber Security Centre (NCSC)
  • [643951] Low CVE-2017-5024: Heap overflow in FFmpeg. Credit to Paul Mehta
  • [643950] Low CVE-2017-5025: Heap overflow in FFmpeg. Credit to Paul Mehta
  • [634108] Low CVE-2017-5026: UI spoofing. Credit to Ronni Skansing
  • [685349] Various fixes from internal audits, fuzzing and other initiatives
more...
chromium
chromium-npapi
chromium-pulse
2017-01-24

The phpMyAdmin development team reports:

Summary

Open redirect

Description

It was possible to trick phpMyAdmin to redirect to insecure using special request path.

Severity

We consider this vulnerability to be non critical.

Summary

php-gettext code execution

Description

The php-gettext library can suffer from code execution. However there is no way to trigger this inside phpMyAdmin.

Severity

We consider this to be minor.

Summary

DOS vulnerability in table editing

Description

It was possible to trigger a recursive include operation by crafted parameters when editing table data.

Severity

We consider this to be non critical.

Summary

CSS injection in themes

Description

It was possible to cause CSS injection in themes by crafted cookie parameters.

Severity

We consider this to be non critical.

Summary

Cookie attribute injection attack

Description

A vulnerability was found where, under some circumstances, an attacker can inject arbitrary values in the browser cookies. This was incompletely fixed in PMASA-2016-18.

Severity

We consider this to be non-critical.

Summary

SSRF in replication

Description

For a user with appropriate MySQL privileges it was possible to connect to an arbitrary host.

Severity

We consider this to be non-critical.

Summary

DOS in replication status

Description

It was possible to trigger DOS in replication status by specially crafted table name.

Severity

We consider this to be non critical.

more...
phpMyAdmin
2017-01-24

Mozilla Foundation reports:

CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7

CVE-2017-5374: Memory safety bugs fixed in Firefox 51

CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP

CVE-2017-5376: Use-after-free in XSL

CVE-2017-5377: Memory corruption with transforms to create gradients in Skia

CVE-2017-5378: Pointer and frame data leakage of Javascript objects

CVE-2017-5379: Use-after-free in Web Animations

CVE-2017-5380: Potential use-after-free during DOM manipulations

CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations

CVE-2017-5382: Feed preview can expose privileged content errors and exceptions

CVE-2017-5383: Location bar spoofing with unicode characters

CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)

CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers

CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions

CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages

CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks

CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests

CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer

CVE-2017-5391: Content about: pages can load privileged about: pages

CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage

CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager

CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events

CVE-2017-5395: Android location bar spoofing during scrolling

CVE-2017-5396: Use-after-free with Media Decoder

more...
firefox
firefox-esr
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2017-01-23

Intel Corporation reports:

A security vulnerability in the Intel(R) Ethernet Controller X710 and Intel(R) Ethernet Controller XL710 family of products (Fortville) has been found in the Non-Volatile Flash Memory (NVM) image.

more...
intel-nvmupdate
2017-01-20*

The PHP project reports:

The PHP development team announces the immediate availability of PHP 7.0.15. This is a security release. Several security bugs were fixed in this release.

The PHP development team announces the immediate availability of PHP 5.6.30. This is a security release. Several security bugs were fixed in this release.

more...
php56
php70
2017-01-19

Choongwoo Han reports:

An exploitable crash exists in the wrestool utility on 64-bit systems where the result of subtracting two pointers exceeds the size of int.

more...
icoutils
2017-01-18

PowerDNS reports:

2016-02: Crafted queries can cause abnormal CPU usage

2016-03: Denial of service via the web server

2016-04: Insufficient validation of TSIG signatures

2016-05: Crafted zone record can cause a denial of service

more...
powerdns
powerdns-recursor
2017-01-15*

Irssi reports:

Five vulnerabilities have been located in Irssi

  • A NULL pointer dereference in the nickcmp function found by Joseph Bisch. (CWE-690)
  • Use after free when receiving invalid nick message (Issue #466, CWE-146)
  • Out of bounds read in certain incomplete control codes found by Joseph Bisch. (CWE-126)
  • Out of bounds read in certain incomplete character sequences found by Hanno Böck and independently by J. Bisch. (CWE-126)
  • Out of bounds read when printing the value '%['. Found by Hanno Böck. (CWE-126)

These issues may result in denial of service (remote crash).

more...
irssi
2017-01-15

The Apache Groovy project reports:

When an application with Groovy on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. This is similar to CVE-2015-3253 but this exploit involves extra wrapping of objects and catching of exceptions which are now safe guarded against.

more...
groovy
2017-01-15

Pivotal.io reports:

MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.

more...
rabbitmq
2017-01-15

Aaron D. Campbell reports:

WordPress versions 4.7 and earlier are affected by eight security issues...

more...
de-wordpress
ja-wordpress
ru-wordpress
wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
2017-01-15*

Oracle reports:

Local security vulnerability in 'Server: Packaging' sub component.

more...
mysql57-client
mysql57-server
2017-01-14

The MySQL project reports:

  • CVE-2016-3492: Remote security vulnerability in 'Server: Optimizer' sub component.
  • CVE-2016-5616, CVE-2016-6663: Race condition allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table.
  • CVE-2016-5617, CVE-2016-6664: mysqld_safe, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.
  • CVE-2016-5624: Remote security vulnerability in 'Server: DML' sub component.
  • CVE-2016-5626: Remote security vulnerability in 'Server: GIS' sub component.
  • CVE-2016-5629: Remote security vulnerability in 'Server: Federated' sub component.
  • CVE-2016-8283: Remote security vulnerability in 'Server: Types' sub component.
more...
mariadb100-client
mariadb100-server
mariadb101-client
mariadb101-server
mariadb55-client
mariadb55-server
mysql55-client
mysql55-server
mysql56-client
mysql56-server
mysql57-client
mysql57-server
percona55-client
percona55-server
percona56-client
percona56-server
2017-01-13*

Problem Description:

The ssh-agent(1) agent supports loading a PKCS#11 module from outside a trusted whitelist. An attacker can request loading of a PKCS#11 module across forwarded agent-socket. [CVE-2016-10009]

When privilege separation is disabled, forwarded Unix domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. [CVE-2016-10010]

Impact:

A remote attacker who has control of a forwarded agent-socket on a remote system and has the ability to write files on the system running the ssh-agent(1) agent can run arbitrary code under the same user credential. Because the attacker must already have some control on both systems, it is relatively hard to exploit this vulnerability in a practical attack. [CVE-2016-10009]

When privilege separation is disabled (on FreeBSD, privilege separation is enabled by default and has to be explicitly disabled), an authenticated attacker can potentially gain root privileges on systems running OpenSSH server. [CVE-2016-10010]

more...
FreeBSD
openssh-portable
2017-01-12

SecurityFocus reports:

PHPMailer is prone to a local information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.

more...
phpmailer
tt-rss
2017-01-12

Computest reports:

Computest found and exploited several issues that allow a compromised host to execute commands on the Ansible controller and thus gain access to other hosts controlled by that controller.

more...
ansible
2017-01-12

ISC reports:

A malformed query response received by a recursive server in response to a query of RTYPE ANY could trigger an assertion failure while named is attempting to add the RRs in the query response to the cache.

Depending on the type of query and the EDNS options in the query they receive, DNSSEC-enabled authoritative servers are expected to include RRSIG and other RRsets in their responses to recursive servers. DNSSEC-validating servers will also make specific queries for DS and other RRsets. Whether DNSSEC-validating or not, an error in processing malformed query responses that contain DNSSEC-related RRsets that are inconsistent with other RRsets in the same query response can trigger an assertion failure. Although the combination of properties which triggers the assertion should not occur in normal traffic, it is potentially possible for the assertion to be triggered deliberately by an attacker sending a specially-constructed answer.

An unusually-formed answer containing a DS resource record could trigger an assertion failure. While the combination of properties which triggers the assertion should not occur in normal traffic, it is potentially possible for the assertion to be triggered deliberately by an attacker sending a specially-constructed answer having the required properties.

An error in handling certain queries can cause an assertion failure when a server is using the nxdomain-redirect feature to cover a zone for which it is also providing authoritative service. A vulnerable server could be intentionally stopped by an attacker if it was using a configuration that met the criteria for the vulnerability and if the attacker could cause it to accept a query that possessed the required attributes.

more...
bind9-devel
bind910
bind911
bind99
FreeBSD
2017-01-11

Adobe reports:

These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2017-2938).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2017-2932, CVE-2017-2936, CVE-2017-2937).

These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2017-2927, CVE-2017-2933, CVE-2017-2934, CVE-2017-2935).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2017-2925, CVE-2017-2926, CVE-2017-2928, CVE-2017-2930, CVE-2017-2931).

more...
linux-flashplayer
2017-01-11*

Cesar Pereida Garcia reports:

The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion. A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in the BN_mod_inverse method and therefore resulting in a cache-timing attack vulnerability.

A malicious user with local access can recover ECDSA P-256 private keys.

more...
libressl
libressl-devel
openssl
2017-01-10*

Peter Wu on Openwall mailing-list reports:

The issue allows a local attacker to cause a Denial of Service, but can potentially result in Privilege Escalation since the daemon is running as root, while any local user can connect to the Unix socket. Fixed by patch which is released with pcsc-lite 1.8.20.

more...
pcsc-lite
2017-01-09

Oracle reports:

Lynx is vulnerable to POODLE by still supporting vulnerable version of SSL. Lynx is also vulnerable to URL attacks by incorrectly parsing hostnames ending with an '?'.

more...
lynx
2017-01-09

The GnuTLS project reports:

  • It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted OpenPGP certificate could lead to heap and stack overflows. (GNUTLS-SA-2017-2)
  • It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted X.509 certificate with Proxy Certificate Information extension present could lead to a double free. (GNUTLS-SA-2017-1)
more...
gnutls
2017-01-09

libvnc server reports:

Two unrelated buffer overflows can be used by a malicious server to overwrite parts of the heap and crash the client (or possibly execute arbitrary code).

more...
libvncserver
2017-01-09

Christian Rebischke reports:

libdwarf is vulnerable to multiple issues including arbitrary code execution, information disclosure and denial of service.

more...
libdwarf
2017-01-09

Talos Security reports:

  • CVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability

  • CVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability

  • CVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability

  • CVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability

more...
hdf5
hdf5-18
2017-01-09

Thomas Waldmann reports:

  • fix XSS in AttachFile view (multifile related) CVE-2016-7148

  • fix XSS in GUI editor's attachment dialogue CVE-2016-7146

  • fix XSS in GUI editor's link dialogue CVE-2016-9119

more...
moinmoin
2017-01-09*

Multiple remote code execution and denial of service conditions present.

more...
ja-w3m
ja-w3m-img
w3m
w3m-img
2017-01-06

The CodeIgniter changelog reports:

Fixed a number of new vulnerabilities in Security Library method xss_clean().

more...
codeigniter
2017-01-06

The CodeIgniter changelog reports:

Fixed an SQL injection in the 'odbc' database driver.

Updated set_realpath() Path Helper function to filter-out php:// wrapper inputs.

more...
codeigniter
2017-01-06

These packages have reached End of Life status and/or have been removed from the Ports Tree. They may contain undocumented security issues. Please take caution and find alternative software as soon as possible.

more...
drupal6
py27-django16
py33-django16
py34-django16
py35-django16
2017-01-04*

Check Point reports:

... discovered 3 fresh and previously unknown vulnerabilities (CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7 unserialize mechanism.

The first two vulnerabilities allow attackers to take full control over servers, allowing them to do anything they want with the website, from spreading malware to defacing it or stealing customer data.

The last vulnerability generates a Denial of Service attack which basically hangs the website, exhausts its memory consumption, and shuts it down.

The PHP security team issued fixes for two of the vulnerabilities on the 13th of October and 1st of December.

more...
php70
2016-12-29

The PHP project reports:

  • Use After Free Vulnerability in unserialize() (CVE-2016-9936)
  • Invalid read when wddx decodes empty boolean element (CVE-2016-9935)
more...
php70
2016-12-29

Kazuho Oku reports:

A use-after-free vulnerability exists in H2O up to and including version 2.0.4 / 2.1.0-beta3 that can be used by a remote attacker to mount DoS attacks and / or information theft.

more...
h2o
2016-12-28

Legal Hackers reports:

Independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.

To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.

The first patch of the vulnerability CVE-2016-10033 was incomplete. This advisory demonstrates the bypass of the patch. The bypass allows to carry out Remote Code Execution on all current versions (including 5.2.19).

more...
phpmailer
tt-rss
2016-12-27

Matthew Garrett reports:

Reported this to upstream 8 months ago without response, so: libupnp's default behaviour allows anyone to write to your filesystem. Seriously. Find a device running a libupnp based server (Shodan says there's rather a lot), and POST a file to /testfile. Then GET /testfile ... and yeah if the server is running as root (it is) and is using / as the web root (probably not, but maybe) this gives full host fs access.

Scott Tenaglia reports:

There is a heap buffer overflow vulnerability in the create_url_list function in upnp/src/gena/gena_device.c.

more...
upnp
2016-12-26

Legal Hackers reports:

Independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.

To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.

more...
phpmailer
tt-rss
2016-12-26*

Samba team reports:

[CVE-2016-2123] Authenticated users can supply malicious dnsRecord attributes on DNS objects and trigger a controlled memory corruption.

[CVE-2016-2125] Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service.

[CVE-2016-2126] A remote, authenticated, attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.

more...
samba36
samba4
samba41
samba42
samba43
samba44
samba45
2016-12-25

The Exim project reports:

Exim leaks the private DKIM signing key to the log files. Additionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used, the key material is included in the bounce message.

more...
exim
2016-12-24

Project curl Security Advisory:

libcurl's (new) internal function that returns a good 32bit random value was implemented poorly and overwrote the pointer instead of writing the value into the buffer the pointer pointed to.

This random value is used to generate nonces for Digest and NTLM authentication, for generating boundary strings in HTTP formposts and more. Having a weak or virtually non-existent random there makes these operations vulnerable.

This function is brand new in 7.52.0 and is the result of an overhaul to make sure libcurl uses strong random as much as possible - provided by the backend TLS crypto libraries when present. The faulty function was introduced in this commit.

We are not aware of any exploit of this flaw.

more...
curl
2016-12-23

Squid security advisory 2016:10 reports:

Due to incorrect comparison of request headers Squid can deliver responses containing private data to clients it should not have reached.

This problem allows a remote attacker to discover private and sensitive information about another client's browsing session, potentially including credentials which allow access to further sensitive resources. This problem only affects Squid configured to use the Collapsed Forwarding feature. It is of particular importance for HTTPS reverse-proxy sites with Collapsed Forwarding.

Squid security advisory 2016:11 reports:

Due to incorrect HTTP conditional request handling Squid can deliver responses containing private data to clients it should not have reached.

This problem allows a remote attacker to discover private and sensitive information about another client's browsing session, potentially including credentials which allow access to further sensitive resources.

more...
squid
squid-devel
2016-12-23

Mitre reports:

vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.

more...
neovim
vim
vim-lite
2016-12-22

The Xen Project reports:

Certain PV guest kernel operations (page table writes in particular) need emulation, and use Xen's general x86 instruction emulator. This allows a malicious guest kernel which asynchronously modifies its instruction stream to effect the clearing of EFLAGS.IF from the state used to return to guest context.

A malicious guest kernel administrator can cause a host hang or crash, resulting in a Denial of Service.

more...
xen-kernel
2016-12-22

The cURL project reports:

printf floating point buffer overflow

libcurl's implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes.

more...
curl
2016-12-22

The JSST and the Joomla! Security Center report:

[20161201] - Core - Elevated Privileges

Incorrect use of unfiltered data stored to the session on a form validation failure allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.

[20161202] - Core - Shell Upload

Inadequate filesystem checks allowed files with alternative PHP file extensions to be uploaded.

[20161203] - Core - Information Disclosure

Inadequate ACL checks in the Beez3 com_content article layout override enables a user to view restricted content.

more...
joomla3
2016-12-22*

Apache Software Foundation reports:

  • Important: Apache HTTP Request Parsing Whitespace Defects CVE-2016-8743

    Apache HTTP Server, prior to release 2.4.25, accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines was treated as whitespace and remained in the request field member "the_request", while a bare CR in the request header field name would be honored as whitespace, and a bare CR in the request header field value was retained the input headers array. Implied additional whitespace was accepted in the request line and prior to the ':' delimiter of any request header lines.

    RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section 3.2.3 eliminated and clarified the role of implied whitespace in the grammar of this specification. Section 3.1.1 requires exactly one single SP between the method and request-target, and between the request-target and HTTP-version, followed immediately by a CRLF sequence. None of these fields permit any (unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed any whitespace from the request header field prior to the ':' character, while Section 3.2 disallows all CTL characters in the request header line other than the HTAB character as whitespace.

    These defects represent a security concern when httpd is participating in any chain of proxies or interacting with back-end application servers, either through mod_proxy or using conventional CGI mechanisms. In each case where one agent accepts such CTL characters and does not treat them as whitespace, there is the possibility in a proxy chain of generating two responses from a server behind the uncautious proxy agent. In a sequence of two requests, this results in request A to the first proxy being interpreted as requests A + A' by the backend server, and if requests A and B were submitted to the first proxy in a keepalive connection, the proxy may interpret response A' as the response to request B, polluting the cache or potentially serving the A' content to a different downstream user-agent.

    These defects are addressed with the release of Apache HTTP Server 2.4.25 and coordinated by a new directive

    HttpProtocolOptions Strict

  • low: DoS vulnerability in mod_auth_digest CVE-2016-2161

    Malicious input to mod_auth_digest will cause the server to crash, and each instance continues to crash even for subsequently valid requests.

  • low: Padding Oracle in Apache mod_session_crypto CVE-2016-0736

    Authenticate the session data/cookie presented to mod_session_crypto with a MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack.

  • low: HTTP/2 CONTINUATION denial of service CVE-2016-8740

    The HTTP/2 protocol implementation (mod_http2) had an incomplete handling of the LimitRequestFields directive. This allowed an attacker to inject unlimited request headers into the server, leading to eventual memory exhaustion.

  • n/a: HTTP_PROXY environment variable "httpoxy" mitigation CVE-2016-5387

    HTTP_PROXY is a well-defined environment variable in a CGI process, which collided with a number of libraries which failed to avoid colliding with this CGI namespace. A mitigation is provided for the httpd CGI environment to avoid populating the "HTTP_PROXY" variable from a "Proxy:" header, which has never been registered by IANA.
more...
apache24
2016-12-22

The JSST and the Joomla! Security Center report:

[20161001] - Core - Account Creation

Inadequate checks allows for users to register on a site when registration has been disabled.

[20161002] - Core - Elevated Privilege

Incorrect use of unfiltered data allows for users to register on a site with elevated privileges.

[20161003] - Core - Account Modifications

Incorrect use of unfiltered data allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.

more...
joomla3
2016-12-22*

The JSST and the Joomla! Security Center report:

[20151201] - Core - Remote Code Execution Vulnerability

Browser information is not filtered properly while saving the session values into the database which leads to a Remote Code Execution vulnerability.

[20151202] - Core - CSRF Hardening

Add additional CSRF hardening in com_templates.

[20151203] - Core - Directory Traversal

Failure to properly sanitise input data from the XML install file located within an extension's package archive allows for directory traversal.

[20151204] - Core - Directory Traversal

Inadequate filtering of request data leads to a Directory Traversal vulnerability.

more...
joomla3
2016-12-22

The JSST and the Joomla! Security Center report:

[20151206] - Core - Session Hardening

The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fixed by PHP in September of 2015 with the releases of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all versions of PHP 7 and has been back-ported in some specific Linux LTS versions of PHP 5.3). This fixes the bug across all supported PHP versions.

[20151207] - Core - SQL Injection

Inadequate filtering of request data leads to a SQL Injection vulnerability.

more...
joomla3
2016-12-22

Netsparker reports:

Proof of Concept URL for XSS in Pligg CMS:

Page: groups.php

Parameter Name: keyword

Parameter Type: GET

Attack Pattern: http://example.com/pligg-cms-2.0.2/groups.php?view=search&keyword='+alert(0x000D82)+'

For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).

more...
pligg
2016-12-22

The JSST and the Joomla! Security Center report:

[20160801] - Core - ACL Violation

Inadequate ACL checks in com_content provide potential read access to data which should be access restricted to users with edit_own level.

[20160802] - Core - XSS Vulnerability

Inadequate escaping leads to XSS vulnerability in mail component.

[20160803] - Core - CSRF

Add additional CSRF hardening in com_joomlaupdate.

more...
joomla3
2016-12-22

Problem Description:

Multiple vulnerabilities have been discovered in the NTP suite:

CVE-2016-9311: Trap crash, Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS vector. Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-7427: Broadcast Mode Replay Prevention DoS. Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS. Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass. Reported by Sharon Goldberg and Aanchal Malhotra of Boston University.

CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal(). Reported by Magnus Stubman.

CVE-2016-7426: Client rate limiting and server responses. Reported by Miroslav Lichvar of Red Hat.

CVE-2016-7433: Reboot sync calculation problem. Reported independently by Brian Utterback of Oracle, and by Sharon Goldberg and Aanchal Malhotra of Boston University.

Impact:

A remote attacker who can send a specially crafted packet to cause a NULL pointer dereference that will crash ntpd, resulting in a Denial of Service. [CVE-2016-9311]

An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, "restrict default noquery ..." is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring by an attacker from remote. [CVE-2016-9310]

An attacker with access to the NTP broadcast domain can periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers. [CVE-2016-7427]

An attacker with access to the NTP broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers. [CVE-2016-7428]

Origin timestamp problems were fixed in ntp 4.2.8p6. However, subsequent timestamp validation checks introduced a regression in the handling of some Zero origin timestamp checks. [CVE-2016-7431]

If ntpd is configured to allow mrulist query requests from a server that sends a crafted malicious packet, ntpd will crash on receipt of that crafted malicious mrulist query packet. [CVE-2016-7434]

An attacker who knows the sources (e.g., from an IPv4 refid in server response) and knows the system is (mis)configured in this way can periodically send packets with spoofed source address to keep the rate limiting activated and prevent ntpd from accepting valid responses from its sources. [CVE-2016-7426]

Ntp Bug 2085 described a condition where the root delay was included twice, causing the jitter value to be higher than expected. Due to a misinterpretation of a small-print variable in The Book, the fix for this problem was incorrect, resulting in a root distance that did not include the peer dispersion. The calculations and formulas have been reviewed and reconciled, and the code has been updated accordingly. [CVE-2016-7433]

more...
FreeBSD
2016-12-20*

The OpenSSL team reports:

Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key.

more...
libressl
libressl-devel
openssl
2016-12-20

The Xen Project reports:

The typical behaviour of singlestepping exceptions is determined at the start of the instruction, with a #DB trap being raised at the end of the instruction. SYSCALL (and SYSRET, although we don't implement it) behave differently because the typical behaviour allows userspace to escalate its privilege. (This difference in behaviour seems to be undocumented.) Xen wrongly raised the exception based on the flags at the start of the instruction.

Guest userspace which can invoke the instruction emulator can use this flaw to escalate its privilege to that of the guest kernel.

more...
xen-kernel
2016-12-16*

The Mozilla Foundation reports:

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.

more...
firefox
firefox-esr
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2016-12-16

Mitre reports:

modules/chanserv/flags.c in Atheme before 7.2.7 allows remote attackers to modify the Anope FLAGS behavior by registering and dropping the (1) LIST, (2) CLEAR, or (3) MODIFY keyword nicks.

Buffer overflow in the xmlrpc_char_encode function in modules/transport/xmlrpc/xmlrpclib.c in Atheme before 7.2.7 allows remote attackers to cause a denial of service via vectors related to XMLRPC response encoding.

more...
atheme-services
2016-12-14*

The Roundcube project reports:

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.

more...
roundcube
2016-12-14

Mozilla Foundation reports:

CVE-2016-9894: Buffer overflow in SkiaGL

CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements

CVE-2016-9895: CSP bypass using marquee tag

CVE-2016-9896: Use-after-free with WebVR

CVE-2016-9897: Memory corruption in libGLES

CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees

CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs

CVE-2016-9904: Cross-origin information leak in shared atoms

CVE-2016-9901: Data from Pocket server improperly sanitized before execution

CVE-2016-9902: Pocket extension does not validate the origin of events

CVE-2016-9903: XSS injection vulnerability in add-ons SDK

CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1

CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6

more...
firefox
firefox-esr
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2016-12-14

Jeremy Felt reports:

WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.

more...
de-wordpress
ja-wordpress
ru-wordpress
wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
2016-12-14

The Xen Project reports:

The x86 instruction CMPXCHG8B is supposed to ignore legacy operand size overrides; it only honors the REX.W override (making it CMPXCHG16B). So, the operand size is always 8 or 16. When support for CMPXCHG16B emulation was added to the instruction emulator, this restriction on the set of possible operand sizes was relied on in some parts of the emulation; but a wrong, fully general, operand size value was used for other parts of the emulation. As a result, if a guest uses a supposedly-ignored operand size prefix, a small amount of hypervisor stack data is leaked to the guests: a 96 bit leak to guests running in 64-bit mode; or, a 32 bit leak to other guests.

A malicious unprivileged guest may be able to obtain sensitive information from the host.

more...
xen-kernel
2016-12-12

The PHP project reports:

This is a security release. Several security bugs were fixed in this release.

more...
php56
php70
2016-12-09

The Asterisk project reports:

If an SDP offer or answer is received with the Opus codec and with the format parameters separated using a space the code responsible for parsing will recursively call itself until it crashes. This occurs as the code does not properly handle spaces separating the parameters. This does NOT require the endpoint to have Opus configured in Asterisk. This also does not require the endpoint to be authenticated. If guest is enabled for chan_sip or anonymous in chan_pjsip an SDP offer or answer is still processed and the crash occurs.

more...
asterisk13
2016-12-09

The Asterisk project reports:

The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace.

This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication.

If you do not use a proxy for authentication, then this issue does not affect you.

If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you.

If you use chan_pjsip instead of chan_sip, then this issue does not affect you.

more...
asterisk11
asterisk13
2016-12-08*

Problem Description:

A specially crafted argument can trigger a static buffer overflow in the library, with possibility to rewrite following static buffers that belong to other library functions.

Impact:

Due to very limited use of the function in the existing applications, and limited length of the overflow, exploitation of the vulnerability does not seem feasible. None of the utilities and daemons in the base system are known to be vulnerable. However, careful review of third party software that may use the function was not performed.

more...
FreeBSD
2016-12-06*

Daniel P. Berrange reports:

The VNC server websockets decoder will read and buffer data from websockets clients until it sees the end of the HTTP headers, as indicated by \r\n\r\n. In theory this allows a malicious client to trick QEMU into consuming an arbitrary amount of RAM.

more...
qemu
qemu-devel
qemu-sbruno
2016-12-06

mod_http2 reports:

The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply limitations on request headers correctly when the experimental module for the HTTP/2 protocol is used to access a resource.

The net result is that the server allocates too much memory instead of denying the request. This can lead to memory exhaustion of the server by a properly crafted request.

more...
apache24
mod_http2-devel
2016-12-06

Problem Description:

An unexpected sequence of memory allocation failures combined with insufficient error checking could result in the construction and execution of an argument sequence that was not intended.

Impact:

An attacker who controls the sequence of memory allocation failures and success may cause login(1) to run without authentication and may be able to cause misbehavior of login(1) replacements.

No practical way of controlling these memory allocation failures is known at this time.

more...
FreeBSD
2016-12-06*

Alex Gaynor reports:

Fixed a bug where ``HKDF`` would return an empty byte-string if used with a ``length`` less than ``algorithm.digest_size``.

more...
py27-cryptography
py33-cryptography
py34-cryptography
py35-cryptography
2016-12-06

Problem Description:

The bounds checking of accesses to guest memory greater than 4GB by device emulations is subject to integer overflow.

Impact:

For a bhyve virtual machine with more than 3GB of guest memory configured, a malicious guest could craft device descriptors that could give it access to the heap of the bhyve process. Since the bhyve process is running as root, this may allow guests to obtain full control of the hosts they're running on.

more...
FreeBSD
2016-12-06

Multiple sources report:

CVE-2015-2141: The InvertibleRWFunction::CalculateInverse function in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key operations for the Rabin-Williams digital signature algorithm, which allows remote attackers to obtain private keys via a timing attack. Fixed in 5.6.3.

CVE-2016-3995: Incorrect implementation of Rijndael timing attack countermeasure. Fixed in 5.6.4.

CVE-2016-7420: Library built without -DNDEBUG could egress sensitive information to the filesystem via a core dump if an assert was triggered. Fixed in 5.6.5.

more...
cryptopp
2016-12-05

Google Chrome Releases reports:

36 security fixes in this release, including:

  • [664411] High CVE-2016-9651: Private property access in V8. Credit to Guang Gong of Alpha Team Of Qihoo 360
  • [658535] High CVE-2016-5208: Universal XSS in Blink. Credit to Mariusz Mlynski
  • [655904] High CVE-2016-5207: Universal XSS in Blink. Credit to Mariusz Mlynski
  • [653749] High CVE-2016-5206: Same-origin bypass in PDFium. Credit to Rob Wu (robwu.nl)
  • [646610] High CVE-2016-5205: Universal XSS in Blink. Credit to Anonymous
  • [630870] High CVE-2016-5204: Universal XSS in Blink. Credit to Mariusz Mlynski
  • [664139] High CVE-2016-5209: Out of bounds write in Blink. Credit to Giwan Go of STEALIEN
  • [644219] High CVE-2016-5203: Use after free in PDFium. Credit to Anonymous
  • [654183] High CVE-2016-5210: Out of bounds write in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB
  • [653134] High CVE-2016-5212: Local file disclosure in DevTools. Credit to Khalil Zhani
  • [649229] High CVE-2016-5211: Use after free in PDFium. Credit to Anonymous
  • [652548] High CVE-2016-5213: Use after free in V8. Credit to Khalil Zhani
  • [601538] Medium CVE-2016-5214: File download protection bypass. Credit to Jonathan Birch and MSVR
  • [653090] Medium CVE-2016-5216: Use after free in PDFium. Credit to Anonymous
  • [619463] Medium CVE-2016-5215: Use after free in Webaudio. Credit to Looben Yang
  • [654280] Medium CVE-2016-5217: Use of unvalidated data in PDFium. Credit to Rob Wu (robwu.nl)
  • [660498] Medium CVE-2016-5218: Address spoofing in Omnibox. Credit to Abdulrahman Alqabandi (@qab)
  • [657568] Medium CVE-2016-5219: Use after free in V8. Credit to Rob Wu (robwu.nl)
  • [660854] Medium CVE-2016-5221: Integer overflow in ANGLE. Credit to Tim Becker of ForAllSecure
  • [654279] Medium CVE-2016-5220: Local file access in PDFium. Credit to Rob Wu (robwu.nl)
  • [657720] Medium CVE-2016-5222: Address spoofing in Omnibox. Credit to xisigr of Tencent's Xuanwu Lab
  • [653034] Low CVE-2016-9650: CSP Referrer disclosure. Credit to Jakub Żoczek
  • [652038] Low CVE-2016-5223: Integer overflow in PDFium. Credit to Hwiwon Lee
  • [639750] Low CVE-2016-5226: Limited XSS in Blink. Credit to Jun Kokatsu (@shhnjk)
  • [630332] Low CVE-2016-5225: CSP bypass in Blink. Credit to Scott Helme (@Scott_Helme, scotthelme.co.uk)
  • [615851] Low CVE-2016-5224: Same-origin bypass in SVG. Credit to Roeland Krak
  • [669928] CVE-2016-9652: Various fixes from internal audits, fuzzing and other initiatives
more...
chromium
chromium-npapi
chromium-pulse
2016-12-04

Bastien Roucaries reports:

Imagemagick before 3cbfb163cff9e5b8cdeace8312e9bfee810ed02b suffers from a heap overflow in WaveletDenoiseImage(). This problem is easily triggerable from a perl script.

more...
ImageMagick
ImageMagick-nox11
ImageMagick7
ImageMagick7-nox11
2016-12-04

The Xen Project reports:

On real hardware, a 32-bit PAE guest must leave the USER and RW bit clear in L3 pagetable entries, but the pagetable walk behaves as if they were set. (The L3 entries are cached in processor registers, and don't actually form part of the pagewalk.)

When running a 32-bit PV guest on a 64-bit Xen, Xen must always OR in the USER and RW bits for L3 updates for the guest to observe architectural behaviour. This is unsafe in combination with recursive pagetables.

As there is no way to construct an L3 recursive pagetable in native 32-bit PAE mode, disallow this option in 32-bit PV guests.

A malicious 32-bit PV guest administrator can escalate their privilege to that of the host.

more...
xen-kernel
2016-12-04

The Xen Project reports:

When emulating HVM instructions, Xen uses a small i-cache for fetches from guest memory. The code that handles cache misses does not check if the address from which it fetched lies within the cache before blindly writing to it. As such it is possible for the guest to overwrite hypervisor memory.

It is currently believed that the only way to trigger this bug is to use the way that Xen currently incorrectly wraps CS:IP in 16 bit modes. The included patch prevents such wrapping.

A malicious HVM guest administrator can escalate their privilege to that of the host.

more...
xen-kernel
2016-12-04

The Xen Project reports:

x86 HVM guests running with shadow paging use a subset of the x86 emulator to handle the guest writing to its own pagetables. There are situations a guest can provoke which result in exceeding the space allocated for internal state.

A malicious HVM guest administrator can cause Xen to fail a bug check, causing a denial of service to the host.

more...
xen-kernel
2016-12-04

The Xen Project reports:

When the EVTCHNOP_init_control operation is called with a bad guest frame number, it takes an error path which frees a control structure without also clearing the corresponding pointer. Certain subsequent operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control), upon finding the non-NULL pointer, continue operation assuming it points to allocated memory.

A malicious guest administrator can crash the host, leading to a DoS. Arbitrary code execution (and therefore privilege escalation), and information leaks, cannot be excluded.

more...
xen-kernel
2016-12-04

The Xen Project reports:

Instructions touching FPU, MMX, or XMM registers are required to raise a Device Not Available Exception (#NM) when either CR0.EM or CR0.TS are set. (Their AVX or AVX-512 extensions would consider only CR0.TS.) While during normal operation this is ensured by the hardware, if a guest modifies instructions while the hypervisor is preparing to emulate them, the #NM delivery could be missed.

Guest code in one task may thus (unintentionally or maliciously) read or modify register state belonging to another task in the same VM.

A malicious unprivileged guest user may be able to obtain or corrupt sensitive information (including cryptographic material) in other programs in the same guest.

more...
xen-kernel
2016-12-04

The Xen Project reports:

The Xen x86 emulator erroneously failed to consider the unusability of segments when performing memory accesses.

The intended behaviour is as follows: The user data segment (%ds, %es, %fs and %gs) selectors may be NULL in 32-bit to prevent access. In 64-bit, NULL has a special meaning for user segments, and there is no way of preventing access. However, in both 32-bit and 64-bit, a NULL LDT system segment is intended to prevent access.

On Intel hardware, loading a NULL selector zeros the base as well as most attributes, but sets the limit field to its largest possible value. On AMD hardware, loading a NULL selector zeros the attributes, leaving the stale base and limit intact.

Xen may erroneously permit the access using unexpected base/limit values.

Ability to exploit this vulnerability on Intel is easy, but on AMD depends in a complicated way on how the guest kernel manages LDTs.

An unprivileged guest user program may be able to elevate its privilege to that of the guest operating system.

more...
xen-kernel
2016-12-04

The Xen Project reports:

LDTR, just like TR, is purely a protected mode facility. Hence even when switching to a VM86 mode task, LDTR loading needs to follow protected mode semantics. This was violated by the code.

On SVM (AMD hardware): a malicious unprivileged guest process can escalate its privilege to that of the guest operating system.

On both SVM and VMX (Intel hardware): a malicious unprivileged guest process can crash the guest.

more...
xen-kernel
2016-12-04

The Xen Project reports:

Both writes to the FS and GS register base MSRs as well as the WRFSBASE and WRGSBASE instructions require their input values to be canonical, or a #GP fault will be raised. When the use of those instructions by the hypervisor was enabled, the previous guard against #GP faults (having recovery code attached) was accidentally removed.

A malicious guest administrator can crash the host, leading to a DoS.

more...
xen-kernel
2016-12-04

The Xen Project reports:

Along with their main kernel binary, unprivileged guests may arrange to have their Xen environment load (kernel) symbol tables for their use. The ELF image metadata created for this purpose has a few unused bytes when the symbol table binary is in 32-bit ELF format. These unused bytes were not properly cleared during symbol table loading.

A malicious unprivileged guest may be able to obtain sensitive information from the host.

The information leak is small and not under the control of the guest, so effectively exploiting this vulnerability is probably difficult.

more...
xen-kernel
2016-12-04

The Xen Project reports:

The x86 instructions BT, BTC, BTR, and BTS, when used with a destination memory operand and a source register rather than an immediate operand, access a memory location offset from that specified by the memory operand as specified by the high bits of the register source.

A malicious guest can modify arbitrary memory, allowing for arbitrary code execution (and therefore privilege escalation affecting the whole host), a crash of the host (leading to a DoS), or information leaks. The vulnerability is sometimes exploitable by unprivileged guest user processes.

more...
xen-kernel
2016-12-04

The Xen Project reports:

The compiler can emit optimizations in qemu which can lead to double fetch vulnerabilities. Specifically data on the rings shared between qemu and the hypervisor (which the guest under control can obtain mappings of) can be fetched twice (during which time the guest can alter the contents) possibly leading to arbitrary code execution in qemu.

Malicious administrators can exploit this vulnerability to take over the qemu process, elevating its privilege to that of the qemu process.

In a system not using a device model stub domain (or other techniques for deprivileging qemu), malicious guest administrators can thus elevate their privilege to that of the host.

more...
xen-tools
2016-12-04

The Xen Project reports:

pygrub, the boot loader emulator, fails to quote (or sanity check) its results when reporting them to its caller.

A malicious guest administrator can obtain the contents of sensitive host files (an information leak). Additionally, a malicious guest administrator can cause files on the host to be removed, causing a denial of service. In some unusual host configurations, ability to remove certain files may be useable for privilege escalation.

more...
xen-tools
2016-12-04

Pillow reports:

Pillow prior to 3.3.2 may experience integer overflow errors in map.c when reading specially crafted image files. This may lead to memory disclosure or corruption.

Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for negative image sizes in ImagingNew in Storage.c. A negative image size can lead to a smaller allocation than expected, leading to arbitrary writes.

more...
py27-pillow
py33-pillow
py34-pillow
py35-pillow
2016-12-04

Multiple sources report:

CVE-2016-9298: heap overflow in WaveletDenoiseImage(), fixed in ImageMagick7-7.0.3.6, discovered 2016-10-31

CVE-2016-8866: memory allocation failure in AcquireMagickMemory (incomplete previous fix for CVE-2016-8862), not fixed yet with the release of this announcement, re-discovered 2016-10-13.

CVE-2016-8862: memory allocation failure in AcquireMagickMemory, initially partially fixed in ImageMagick7-7.0.3.3, discovered 2016-09-14.

more...
ImageMagick7
ImageMagick7-nox11
2016-12-01

Wireshark project reports:

Wireshark project is releasing Wireshark 2.2.2, which addresses:

  • wnpa-sec-2016-58: Profinet I/O long loop - CVE-2016-9372
  • wnpa-sec-2016-59: AllJoyn crash - CVE-2016-9374
  • wnpa-sec-2016-60: OpenFlow crash - CVE-2016-9376
  • wnpa-sec-2016-61: DCERPC crash - CVE-2016-9373
  • wnpa-sec-2016-62: DTN infinite loop - CVE-2016-9375
more...
tshark
tshark-lite
wireshark
wireshark-lite
wireshark-qt5
2016-11-30

Dawid Golunski reports:

GNU wget in version 1.17 and earlier, when used in mirroring/recursive mode, is affected by a Race Condition vulnerability that might allow remote attackers to bypass intended wget access list restrictions specified with -A parameter.

more...
wget
2016-11-30

MITRE reports:

A null pointer dereference bug affects the 16.02 and many old versions of p7zip. A lack of null pointer check for the variable folders.PackPositions in function CInArchive::ReadAndDecodePackedStreams, as used in the 7z.so library and in 7z applications, will cause a crash and a denial of service when decoding malformed 7z files.

more...
p7zip
2016-11-30*

Gustavo Grieco reports:

The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.

more...
expat
linux-c6-expat
linux-c7-expat
2016-11-30*

Werner Koch reports:

There was a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions.

more...
gnupg1
libgcrypt
linux-c6-libgcrypt
linux-c7-libgcrypt
2016-11-30*

Adam Maris reports:

It was found that original patch for issues CVE-2015-1283 and CVE-2015-2716 used overflow checks that could be optimized out by some compilers applying certain optimization settings, which can cause the vulnerability to remain even after applying the patch.

more...
expat
2016-11-29

Mitre reports:

The HTBoundary_put_block function in HTBound.c for W3C libwww (w3c-libwww) allows remote servers to cause a denial of service (segmentation fault) via a crafted multipart/byteranges MIME message that triggers an out-of-bounds read.

The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.

The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.

more...
libwww
2016-11-29

The Apache Software Foundation reports:

The mod_dontdothat module of subversion and subversion clients using http(s):// are vulnerable to a denial-of-service attack, caused by exponential XML entity expansion. The attack targets XML parsers causing targeted process to consume excessive amounts of resources. The attack is also known as the "billions of laughs attack."
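
The expansion attack the advisory refers to can be refused while the DTD is still being read, before any entity reference in the body is expanded. The block below is an added example, not code from Subversion, Apache or FreshPorts: it uses Python's standard-library expat binding to compute each internal entity's fully expanded size from its declaration and aborts past a bound. The sample documents and the 10,000-character limit are constructed for the illustration.

```python
# Added example (not Subversion's, Apache's or FreshPorts' code): bound the
# expansion of internal entities while the DTD is read, before any reference
# in the body is expanded. Uses only the standard library expat binding.
import re
import xml.parsers.expat

ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")


class EntityExpansionError(ValueError):
    """Raised when a declared entity would expand past the configured bound."""


def parse_bounded(data, max_expansion=10_000):
    """Parse `data` and return its character content, refusing any DTD in
    which a single internal entity expands to more than `max_expansion`
    characters. Sizes are computed from the declarations alone, so the
    refusal happens before the parser ever expands the body."""
    parser = xml.parsers.expat.ParserCreate()
    sizes = {}  # entity name -> fully expanded size in characters

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if is_param or value is None:   # parameter or external entity: not measured here
            return
        # expat reports the replacement text with general entity references
        # still unexpanded, e.g. '&lol1;&lol1;...'; add up the sizes of the
        # referenced (earlier declared) entities plus the literal text.
        size = len(ENTITY_REF.sub("", value))
        for ref in ENTITY_REF.findall(value):
            size += sizes.get(ref, len(ref) + 2)  # unknown ref: count it literally
        sizes[name] = size
        if size > max_expansion:
            raise EntityExpansionError(
                f"entity {name!r} would expand to {size} characters "
                f"(limit {max_expansion})")

    chunks = []
    parser.EntityDeclHandler = entity_decl
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


# Constructed inputs for the demonstration.
SAFE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE x [ <!ENTITY greet "hello"> ]>
<x>&greet; world</x>"""


def laughs_doc(depth, fanout=10):
    """Build a 'billion laughs' style document: lol0 is 3 characters and
    every level references the previous one `fanout` times, so lolN expands
    to 3 * fanout**N characters."""
    ents = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        ents.append('<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * fanout))
    doc = '<?xml version="1.0"?>\n<!DOCTYPE x [\n%s\n]>\n<x>&lol%d;</x>' % (
        "\n".join(ents), depth)
    return doc.encode()


if __name__ == "__main__":
    print(parse_bounded(SAFE_XML))                  # hello world
    print(len(parse_bounded(laughs_doc(depth=2))))  # 300
    try:
        parse_bounded(laughs_doc(depth=4))          # 30000 > 10000: refused
    except EntityExpansionError as e:
        print("refused:", e)
```

The bound is enforced in the entity declaration handler, so a document whose fourth level would expand to 30,000 characters is rejected before `<x>` is reached; the same document passes if the limit is raised, which is the knob a deployment would tune to its largest legitimate DTD.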

more...
subversion
subversion18
2016-11-29

The Mozilla Foundation reports:

Redirection from an HTTP connection to a data: URL assigns the referring site's origin to the data: URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them.

more...
firefox
2016-11-27*

The Drupal development team reports:

Inconsistent name for term access query (Less critical - Drupal 7 and Drupal 8)

Drupal provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing hook_query_alter() or hook_query_TAG_alter() in order to add additional conditions. Queries can be distinguished by means of query tags. As the documentation on EntityFieldQuery::addTag() suggests, access-tags on entity queries normally follow the form ENTITY_TYPE_access (e.g. node_access). However, the taxonomy module's access query tag predated this system and used term_access as the query tag instead of taxonomy_term_access.

As a result, before this security release modules wishing to restrict access to taxonomy terms may have implemented an unsupported tag, or needed to look for both tags (term_access and taxonomy_term_access) in order to be compatible with queries generated both by Drupal core as well as those generated by contributed modules like Entity Reference. Otherwise information on taxonomy terms might have been disclosed to unprivileged users.

Incorrect cache context on password reset page (Less critical - Drupal 8)

The user password reset form does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page.

Confirmation forms allow external URLs to be injected (Moderately critical - Drupal 7)

Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a 3rd party website after interacting with the form, thereby exposing the users to potential social engineering attacks.

Denial of service via transliterate mechanism (Moderately critical - Drupal 8)

A specially crafted URL can cause a denial of service via the transliterate mechanism.

more...
drupal7
drupal8
2016-11-27*

Marina Glancy reports:

  • MSA-16-0023: Question engine allows access to files that should not be available

  • MSA-16-0024: Non-admin site managers may accidentally edit admins via web services

  • MSA-16-0025: Capability to view course notes is checked in the wrong context

  • MSA-16-0026: When debugging is enabled, error exceptions returned from webservices could contain private data

more...
moodle29
moodle30
moodle31
2016-11-25

The phpMyAdmin development team reports:

Summary

Open redirection

Description

A vulnerability was discovered where a user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site.

The attacker must sniff the user's valid phpMyAdmin token.

Severity

We consider this vulnerability to be of moderate severity.

Summary

Unsafe generation of blowfish secret

Description

When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported in the way this value is created, which uses a weak algorithm.

This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies.

Severity

We consider this vulnerability to be of moderate severity.

Mitigation factor

This vulnerability only affects cookie authentication and only when a user has not defined a $cfg['blowfish_secret'] in their config.inc.php
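
The page does not describe the weak algorithm itself. The block below is an added example, not phpMyAdmin's code, that shows why any secret derived from a non-cryptographic generator is recoverable: it assumes, purely for illustration, a PRNG seeded with the wall-clock second at first use, models the cookie's integrity check as an HMAC under the secret, and lets the attacker enumerate every seed in a plausible window. The timestamp, cookie body and window size are constructed.

```python
# Added example (not phpMyAdmin's code). Assumptions for illustration: the
# runtime-generated secret comes from a PRNG seeded with the wall-clock
# second, and the cookie carries an HMAC under that secret which the
# attacker can verify offline.
import hashlib
import hmac
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
SECRET_LEN = 32


def weak_secret(seed_second):
    """Secret from a deterministic PRNG: entirely determined by the seed."""
    rng = random.Random(seed_second)
    return "".join(rng.choice(ALPHABET) for _ in range(SECRET_LEN))


def strong_secret():
    """Secret from the OS CSPRNG: what belongs in $cfg['blowfish_secret']."""
    return "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LEN))


def cookie_tag(secret, cookie_body):
    """Constructed integrity tag over the cookie, keyed with the secret."""
    return hmac.new(secret.encode(), cookie_body, hashlib.sha256).hexdigest()


def recover_secret(cookie_body, tag, start_second, window_seconds):
    """Attacker side: regenerate the secret for every seed in the window
    (e.g. the hour in which the install happened) and keep the one whose
    tag verifies. Returns None if no candidate matches."""
    for seed in range(start_second, start_second + window_seconds):
        candidate = weak_secret(seed)
        if hmac.compare_digest(cookie_tag(candidate, cookie_body), tag):
            return candidate
    return None


if __name__ == "__main__":
    install = 1_480_000_000            # constructed install timestamp
    body = b"pma_user=alice"           # constructed cookie contents
    secret = weak_secret(install)
    print(recover_secret(body, cookie_tag(secret, body), install - 1800, 3600) == secret)
```

A 3,600-second window costs the attacker 3,600 candidate secrets; a CSPRNG-generated secret of the same length has no such window, so the search in `recover_secret` finds nothing.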

Summary

phpinfo information leak value of sensitive (HttpOnly) cookies

Description

phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies.

Severity

We consider this vulnerability to be non-critical.

Mitigation factor

phpinfo is disabled by default and needs to be enabled explicitly.

Summary

Username deny rules bypass (AllowRoot & Others) by using Null Byte

Description

It is possible to bypass AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using Null Byte in the username.

Severity

We consider this vulnerability to be severe.

Summary

Username rule matching issues

Description

A vulnerability in username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution time.

Severity

We consider this vulnerability to be severe.
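
The two username-rule issues above share one check. The block below is an added example, not phpMyAdmin's code, that shows a deny-rule check failing in both ways and a hardened form. It assumes, for illustration, that the rules are a plain deny list (AllowRoot=false behaving like a "root" entry) and that the database backend receives the user name as a C string, so everything after the first NUL byte is dropped on its side while a binary-safe comparison in the front end still sees it.

```python
# Added example (not phpMyAdmin's code). Assumptions for illustration: a
# plain deny list, and a backend that takes the user name as a
# NUL-terminated C string.
import hmac

DENY_RULES = ("root", "admin")   # constructed; AllowRoot=false acts like a 'root' entry


def backend_view(username):
    """The name a NUL-terminated C API would actually authenticate."""
    return username.split("\x00", 1)[0]


def naive_is_denied(username, rules=DENY_RULES):
    """Fails in two ways: 'root\\x00x' != 'root', so the rule never fires
    although the backend logs in as root; and == stops at the first
    differing byte, so response time depends on how much of the name
    matched a rule."""
    return any(username == rule for rule in rules)


def is_denied(username, rules=DENY_RULES):
    """Hardened check: refuse names the backend would truncate, then compare
    against every rule in constant time without returning early."""
    if "\x00" in username:
        return True                      # treated as denied; never reaches the backend
    denied = False
    for rule in rules:
        # compare_digest's running time depends only on the operand lengths
        if hmac.compare_digest(username.encode(), rule.encode()):
            denied = True
    return denied


if __name__ == "__main__":
    probe = "root\x00evil"
    print(backend_view(probe), naive_is_denied(probe), is_denied(probe))
```

Rejecting the NUL byte outright is deliberate: normalising the name to what the backend would see and then matching it would still let the front end and the backend disagree about any other byte the backend treats specially.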

Summary

Bypass logout timeout

Description

With a crafted request parameter value it is possible to bypass the logout timeout.

Severity

We consider this vulnerability to be of moderate severity.

Summary

Multiple full path disclosure vulnerabilities

Description

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the phpMyAdmin directory are written to the export file.

Severity

We consider these vulnerabilities to be non-critical.

Summary

Multiple XSS vulnerabilities

Description

Several XSS vulnerabilities have been reported, including an improper fix for PMASA-2016-10 and a weakness in a regular expression used in some JavaScript processing.

Severity

We consider this vulnerability to be non-critical.

Summary

Multiple DOS vulnerabilities

Description

With a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature.

With a crafted request parameter value it is possible to initiate a denial of service attack in import feature.

An unauthenticated user can execute a denial of service attack when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true;.

Severity

We consider these vulnerabilities to be of moderate severity.

Summary

Bypass white-list protection for URL redirection

Description

Due to the limitation in URL matching, it was possible to bypass the URL white-list protection.

Severity

We consider this vulnerability to be of moderate severity.

Summary

BBCode injection vulnerability

Description

With a crafted login request it is possible to inject BBCode in the login page.

Severity

We consider this vulnerability to be severe.

Mitigation factor

This exploit requires phpMyAdmin to be configured with the "cookie" auth_type; other authentication methods are not affected.

Summary

DOS vulnerability in table partitioning

Description

With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DOS) attack.

Severity

We consider this vulnerability to be of moderate severity.

Summary

Multiple SQL injection vulnerabilities

Description

With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the mysql database.

Severity

We consider these vulnerabilities to be serious.

Summary

Incorrect serialized string parsing

Description

Due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function.

Severity

We consider this vulnerability to be severe.

Summary

CSRF token not stripped from the URL

Description

When the arg_separator is different from its default value of &, the token was not properly stripped from the return URL of the preference import action.

Severity

We have not yet determined a severity for this issue.

more...
phpMyAdmin
2016-11-24*

LegalHackers reports:

RCE Bugs discovered in MySQL and its variants like MariaDB. It works by manipulating my.cnf files and using --malloc-lib. The bug seems fixed in MySQL5.7.15 by Oracle

more...
mysql55-client
mysql55-server
mysql56-client
mysql56-server
mysql57-client
mysql57-server
2016-11-23*

Mozilla Foundation reports:

Mozilla has updated the version of Network Security Services (NSS) library used in Firefox to NSS 3.23. This addresses four moderate rated networking security issues reported by Mozilla engineers Tyson Smith and Jed Davis.

more...
linux-c6-nss
linux-c7-nss
linux-seamonkey
nss
2016-11-22

Network Time Foundation reports:

NTF's NTP Project is releasing ntp-4.2.8p9, which addresses:

  • 1 HIGH severity vulnerability that only affects Windows
  • 2 MEDIUM severity vulnerabilities
  • 2 MEDIUM/LOW severity vulnerabilities
  • 5 LOW severity vulnerabilities
  • 28 other non-security fixes and improvements

All of the security issues in this release are listed in VU#633847.

more...
ntp
ntp-devel
2016-11-21

Teeworlds project reports:

Attacker controlled memory-writes and possibly arbitrary code execution on the client, abusable by any server the client joins

more...
teeworlds
2016-11-16

Jenkins Security Advisory:

An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.

more...
jenkins
jenkins-lts
2016-11-16

Marina Glancy reports:

  • MSA-16-0022: Web service tokens should be invalidated when the user password is changed or forced to be changed.

more...
moodle29
moodle30
moodle31
2016-11-16

Mozilla Foundation reports:

CVE-2016-5289: Memory safety bugs fixed in Firefox 50

CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5

CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file

CVE-2016-5292: URL parsing causes crash

CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log h

CVE-2016-5294: Arbitrary target directory for result files of update process

CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM

CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1

CVE-2016-5297: Incorrect argument length checking in Javascript

CVE-2016-5298: SSL indicator can mislead the user about the real URL visited

CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an app

CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an a

CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file

CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat

CVE-2016-9064: Addons update must verify IDs match between current and new versions

CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen

CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler

CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore

CVE-2016-9068: heap-use-after-free in nsRefreshDriver

CVE-2016-9070: Sidebar bookmark can have reference to chrome window

CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP

CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile

CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"

CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler

CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges

CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s

CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing atta

more...
firefox
firefox-esr
libxul
linux-firefox
linux-seamonkey
linux-thunderbird
seamonkey
thunderbird
2016-11-12

Debian reports:

smogrify script creates insecure temporary files.

lives creates and uses world-writable directory.

more...
lives
2016-11-11*

OpenSSL reports:

  • ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)

    Severity: High

    TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.
  • CMS Null dereference (CVE-2016-7053)

    Severity: Medium

    Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected.
  • Montgomery multiplication may produce incorrect results (CVE-2016-7055)

    Severity: Low

    There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits.
more...
openssl-devel
2016-11-10

Adobe reports:

  • These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-7860, CVE-2016-7861, CVE-2016-7865).
  • These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-7857, CVE-2016-7858, CVE-2016-7859, CVE-2016-7862, CVE-2016-7863, CVE-2016-7864).
more...
linux-c6-flashplugin
linux-c7-flashplugin
linux-f10-flashplugin
2016-11-10

Google Chrome Releases reports:

4 security fixes in this release, including:

  • [643948] High CVE-2016-5199: Heap corruption in FFmpeg. Credit to Paul Mehta
  • [658114] High CVE-2016-5200: Out of bounds memory access in V8. Credit to Choongwoo Han
  • [660678] Medium CVE-2016-5201: Info leak in extensions. Credit to Rob Wu
  • [662843] CVE-2016-5202: Various fixes from internal audits, fuzzing and other initiatives
more...
chromium
chromium-npapi
chromium-pulse
2016-11-09

GitLab reports:

The import/export feature did not properly check for symbolic links in user-provided archives and therefore it was possible for an authenticated user to retrieve the contents of any file accessible to the GitLab service account. This included sensitive files such as those that contain secret tokens used by the GitLab service to authenticate users.

more...
gitlab
2016-11-06*

Sebastian Pipping reports:

CVE-2012-6702 -- Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 when addressing CVE-2012-0876 (issue #496)

CVE-2016-5300 -- Use more entropy for hash initialization than the original fix to CVE-2012-0876.

more...
expat
2016-11-03

Google Chrome Releases reports:

[659475] High CVE-2016-5198: Out of bounds memory access in V8. Credit to Tencent Keen Security Lab, working with Trend Micro's Zero Day Initiative.

more...
chromium
chromium-npapi
chromium-pulse
2016-11-02

ISC reports:

A defect in BIND's handling of responses containing a DNAME answer can cause a resolver to exit after encountering an assertion failure in db.c or resolver.c

more...
bind9-devel
bind910
bind911
bind99
FreeBSD
2016-11-02*

Problem Description:

When processing the SSH_MSG_KEXINIT message, the server could allocate up to a few hundred megabytes of memory per connection, before any authentication takes place.

Impact:

A remote attacker may be able to cause a SSH server to allocate an excessive amount of memory. Note that the default MaxStartups setting on FreeBSD will limit the effectiveness of this attack.

more...
FreeBSD
openssh-portable
2016-11-02

The cURL project reports:

  • cookie injection for other servers
  • case insensitive password comparison
  • OOB write via unchecked multiplication
  • double-free in curl_maprintf
  • double-free in krb5 code
  • glob parser write/read out of bounds
  • curl_getdate read out of bounds
  • URL unescape heap overflow via integer truncation
  • Use-after-free via shared cookies
  • invalid URL parsing with '#'
  • IDNA 2003 makes curl use wrong host
more...
curl
2016-11-02

The Django project reports:

Today the Django team released Django 1.10.3, Django 1.9.11, and 1.8.16. These releases address two security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

  • User with hardcoded password created when running tests on Oracle
  • DNS rebinding vulnerability when DEBUG=True
more...
py27-django
py27-django110
py27-django18
py27-django19
py33-django
py33-django110
py33-django18
py33-django19
py34-django
py34-django110
py34-django18
py34-django19
py35-django
py35-django110
py35-django18
py35-django19
2016-11-02

Cisco Talos reports:

Multiple integer overflow vulnerabilities exist within Memcached that could be exploited to achieve remote code execution on the targeted system. These vulnerabilities manifest in various Memcached functions that are used in inserting, appending, prepending, or modifying key-value data pairs. Systems which also have Memcached compiled with support for SASL authentication are also vulnerable to a third flaw due to how Memcached handles SASL authentication commands.

An attacker could exploit these vulnerabilities by sending a specifically crafted Memcached command to the targeted server. Additionally, these vulnerabilities could also be exploited to leak sensitive process information which an attacker could use to bypass common exploitation mitigations, such as ASLR, and can be triggered multiple times. This enables reliable exploitation which makes these vulnerabilities severe.

more...
memcached
2016-11-01

The MariaDB project reports:

Fixes for the following security vulnerabilities:

  • CVE-2016-7440
  • CVE-2016-5584
more...
mariadb55-server
mysql55-server
mysql56-server
mysql57-server
2016-10-31

Google Chrome Releases reports:

21 security fixes in this release, including:

  • [645211] High CVE-2016-5181: Universal XSS in Blink. Credit to Anonymous
  • [638615] High CVE-2016-5182: Heap overflow in Blink. Credit to Giwan Go of STEALIEN
  • [645122] High CVE-2016-5183: Use after free in PDFium. Credit to Anonymous
  • [630654] High CVE-2016-5184: Use after free in PDFium. Credit to Anonymous
  • [621360] High CVE-2016-5185: Use after free in Blink. Credit to cloudfuzzer
  • [639702] High CVE-2016-5187: URL spoofing. Credit to Luan Herrera
  • [565760] Medium CVE-2016-5188: UI spoofing. Credit to Luan Herrera
  • [633885] Medium CVE-2016-5192: Cross-origin bypass in Blink. Credit to haojunhou@gmail.com
  • [646278] Medium CVE-2016-5189: URL spoofing. Credit to xisigr of Tencent's Xuanwu Lab
  • [644963] Medium CVE-2016-5186: Out of bounds read in DevTools. Credit to Abdulrahman Alqabandi (@qab)
  • [639126] Medium CVE-2016-5191: Universal XSS in Bookmarks. Credit to Gareth Hughes
  • [642067] Medium CVE-2016-5190: Use after free in Internals. Credit to Atte Kettunen of OUSPG
  • [639658] Low CVE-2016-5193: Scheme bypass. Credit to Yuyang ZHOU (martinzhou96)
  • [654782] CVE-2016-5194: Various fixes from internal audits, fuzzing and other initiatives
more...
chromium
chromium-npapi
chromium-pulse
2016-10-31

Google Chrome Releases reports:

3 security fixes in this release, including:

  • [642496] High CVE-2016-5177: Use after free in V8. Credit to Anonymous
  • [651092] CVE-2016-5178: Various fixes from internal audits, fuzzing and other initiatives.
more...
chromium
chromium-npapi
chromium-pulse
2016-10-28

Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x:

Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL configuration file, from the OPENSSL_CONF environment variable or from the default location for the current platform. Always triggering a configuration file load attempt may allow an attacker to load compromised OpenSSL configuration into a Node.js process if they are able to place a file in a default location.

Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser mishandled scopes, potentially allowing an attacker to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. This vulnerability would require an attacker to be able to execute arbitrary JavaScript code in a Node.js process.

Create a unique v8_inspector WebSocket address: Generate a UUID for each execution of the inspector. This provides additional security to prevent unauthorized clients from connecting to the Node.js process via the v8_inspector port when running with --inspect. Since the debugging protocol allows extensive access to the internals of a running process, and the execution of arbitrary code, it is important to limit connections to authorized tools only. Note that the v8_inspector protocol in Node.js is still considered an experimental feature. Vulnerability originally reported by Jann Horn.

All of these vulnerabilities are considered low-severity for Node.js users, however, users of Node.js v6.x should upgrade at their earliest convenience.

more...
node
2016-10-28

Todd C. Miller reports:

A flaw exists in sudo's noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses the wordexp() function.

more...
sudo
2016-10-28

Apache Axis2 reports:

Apache Axis2 1.7.4 is a maintenance release that includes fixes for several issues, including the following security issues: Session fixation (AXIS2-4739) and XSS (AXIS2-5683) vulnerabilities affecting the admin console. A dependency on an Apache HttpClient version affected by known security vulnerabilities (CVE-2012-6153 and CVE-2014-3577); see AXIS2-5757.

more...
axis2
2016-10-28

urllib3 reports:

CVE-2016-9015: Certification verification failure

more...
py-urllib3
2016-10-27

Adobe reports:

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address a critical vulnerability that could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10.

more...
linux-c6-flashplugin
linux-c7-flashplugin
linux-f10-flashplugin
2016-10-26

Node.js has released new versions containing the following security fix:

The following releases all contain fixes for CVE-2016-5180 "ares_create_query single byte out of buffer write": Node.js v0.10.48 (Maintenance), Node.js v0.12.17 (Maintenance), Node.js v4.6.1 (LTS "Argon")

While this is not a critical update, all users of these release lines should upgrade at their earliest convenience.

more...
node010
node012
node4
2016-10-25*

Problem Description:

A special combination of sysarch(2) arguments specifies a request to uninstall a set of descriptors from the LDT. The start descriptor is cleared and the number of descriptors is provided. Due to a lack of sufficient bounds checking during argument validity verification, unbounded zeroing of the process LDT and adjacent memory can be initiated from usermode.

Impact:

This vulnerability could cause the kernel to panic. In addition it is possible to perform a local Denial of Service against the system by unprivileged processes.

more...
FreeBSD-kernel
2016-10-25*

Problem Description:

An unchecked array reference in the VGA device emulation code could potentially allow guests access to the heap of the bhyve process. Since the bhyve process is running as root, this may allow guests to obtain full control of the hosts they are running on.

Impact:

For bhyve virtual machines with the "fbuf" framebuffer device configured, if exploited, a malicious guest could obtain full access to not just the host system, but to other virtual machines running on the system.

more...
FreeBSD-kernel
2016-10-24

Adobe reports:

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2016-6992).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-6981, CVE-2016-6987).

These updates resolve a security bypass vulnerability (CVE-2016-4286).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4273, CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6989, CVE-2016-6990).

more...
linux-c6-flashplugin
linux-c6_64-flashplugin
linux-c7-flashplugin
linux-f10-flashplugin
2016-10-21*

Mozilla Foundation reports:

CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]

CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]

CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]

CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]

CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]

CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]

CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]

CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]

CVE-2016-5283 -