<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">
<!--
Copyright 2003-2016 Jacques Vidrine and contributors

Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
HTML, PDF, PostScript, RTF and so forth) with or without modification,
are permitted provided that the following conditions are met:

1. Redistributions of source code (VuXML) must retain the above
   copyright notice, this list of conditions and the following
   disclaimer as the first lines of this file unmodified.
2. Redistributions in compiled form (transformed to other DTDs,
   published online in any format, converted to PDF, PostScript,
   RTF and other formats) must reproduce the above copyright
   notice, this list of conditions and the following disclaimer
   in the documentation and/or other materials provided with the
   distribution.

THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

$FreeBSD: head/security/vuxml/vuln.xml 420194 2016-08-14 17:12:26Z junovitch $

QUICK GUIDE TO ADDING A NEW ENTRY

1. run 'make newentry' to add a template to the top of the document
2. fill in the template
3. use 'make validate' to verify syntax correctness (you might need to install
   textproc/libxml2 for parser, and this port for catalogs)
4. fix any errors
5. use 'make VID=xxx-yyy-zzz html' to emit the entry's html file for formatting review
6. profit!

Additional tests can be done this way:

$ pkg audit -f ./vuln.xml py26-django-1.6
$ pkg audit -f ./vuln.xml py27-django-1.6.1

Extensive documentation of the format and help with writing and verifying
a new entry is available in The Porter's Handbook at:

http://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html

Help is also available from ports-security@freebsd.org.

Notes:
  * Please add new entries to the beginning of this file.
  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="f7dd2d09-625e-11e6-828b-fcaa14edc6a6">
    <topic>Several vulnerabilities found in Teamspeak3-server</topic>
    <affects>
      <package>
        <name>teamspeak3-server</name>
        <range><le>3.0.13_1,1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Hanz Jenson audit report:</p>
        <blockquote cite="http://seclists.org/fulldisclosure/2016/Aug/61">
          <p>I found 10 vulnerabilities. Some of these are critical and allow remote code
            execution. For the average user, that means that these vulnerabilities can be
            exploited by a malicious attacker in order to take over any Teamspeak server,
            not only becoming serveradmin, but getting a shell on the affected machine.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://seclists.org/fulldisclosure/2016/Aug/61</url>
    </references>
    <dates>
      <discovery>2016-08-12</discovery>
      <entry>2016-08-14</entry>
    </dates>
  </vuln>
  <vuln vid="df502a2f-61f6-11e6-a461-643150d3111d">
    <topic>mcollective-puppet-agent -- Remote Code Execution in mcollective-puppet-agent plugin</topic>
    <affects>
      <package>
        <name>mcollective-puppet-agent</name>
        <range><lt>1.11.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Puppet reports:</p>
        <blockquote cite="https://puppet.com/security/cve/cve-2015-7331">
          <p>Puppet Enterprise previously included a puppet-agent MCollective plugin that allowed you to pass the `--server` argument to MCollective. This insecure argument enabled remote code execution via connection to an untrusted host. In the puppet-agent MCollective version included in PE 2016.2.1, this option is disabled by default.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://puppet.com/security/cve/cve-2015-7331</url>
      <cvename>CVE-2015-7331</cvename>
    </references>
    <dates>
      <discovery>2016-08-09</discovery>
      <entry>2016-08-15</entry>
    </dates>
  </vuln>
  <vuln vid="7d4f4955-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Heap vulnerability in bspatch</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.3</ge><lt>10.3_6</lt></range>
        <range><ge>10.2</ge><lt>10.2_20</lt></range>
        <range><ge>10.1</ge><lt>10.1_37</lt></range>
        <range><ge>9.3</ge><lt>9.3_45</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The implementation of bspatch does not check for a
          negative value on numbers of bytes read from the diff and
          extra streams, allowing an attacker who can control the
          patch file to write at arbitrary locations in the heap.</p>
        <p>This issue was first discovered by The Chromium Project
          and reported independently by Lu Tung-Pin to the FreeBSD
          project.</p>
        <h1>Impact:</h1>
        <p>An attacker who can control the patch file can cause a
          crash or run arbitrary code under the credentials of the
          user who runs bspatch, in many cases, root.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-9862</cvename>
      <freebsdsa>SA-16:25.bspatch</freebsdsa>
    </references>
    <dates>
      <discovery>2016-07-25</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="7cfcea05-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Multiple vulnerabilities of ntp</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.3</ge><lt>10.3_5</lt></range>
        <range><ge>10.2</ge><lt>10.2_19</lt></range>
        <range><ge>10.1</ge><lt>10.1_36</lt></range>
        <range><ge>9.3</ge><lt>9.3_44</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>Multiple vulnerabilities have been discovered in the NTP
          suite:</p>
        <p>The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
          could cause ntpd to crash. [CVE-2016-4957, Reported by
          Nicolas Edet of Cisco]</p>
        <p>An attacker who knows the origin timestamp and can send
          a spoofed packet containing a CRYPTO-NAK to an ephemeral
          peer target before any other response is sent can demobilize
          that association. [CVE-2016-4953, Reported by Miroslav
          Lichvar of Red Hat]</p>
        <p>An attacker who is able to spoof packets with correct
          origin timestamps from enough servers before the expected
          response packets arrive at the target machine can affect
          some peer variables and, for example, cause a false leap
          indication to be set. [CVE-2016-4954, Reported by Jakub
          Prokes of Red Hat]</p>
        <p>An attacker who is able to spoof a packet with a correct
          origin timestamp before the expected response packet arrives
          at the target machine can send a CRYPTO_NAK or a bad MAC
          and cause the association's peer variables to be cleared.
          If this can be done often enough, it will prevent that
          association from working. [CVE-2016-4955, Reported by
          Miroslav Lichvar of Red Hat]</p>
        <p>The fix for NtpBug2978 does not cover broadcast associations,
          so broadcast clients can be triggered to flip into interleave
          mode. [CVE-2016-4956, Reported by Miroslav Lichvar of Red
          Hat.]</p>
        <h1>Impact:</h1>
        <p>Malicious remote attackers may be able to break time
          synchronization, or cause the ntpd(8) daemon to crash.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-4953</cvename>
      <cvename>CVE-2016-4954</cvename>
      <cvename>CVE-2016-4955</cvename>
      <cvename>CVE-2016-4956</cvename>
      <cvename>CVE-2016-4957</cvename>
      <freebsdsa>SA-16:24.ntp</freebsdsa>
    </references>
    <dates>
      <discovery>2016-06-04</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="7cad4795-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.3</ge><lt>10.3_4</lt></range>
        <range><ge>10.2</ge><lt>10.2_18</lt></range>
        <range><ge>10.1</ge><lt>10.1_35</lt></range>
        <range><ge>9.3</ge><lt>9.3_43</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The implementation of the historic stat(2) system call does
          not clear the output struct before copying it out to
          userland.</p>
        <h1>Impact:</h1>
        <p>An unprivileged user can read a portion of uninitialised
          kernel stack data, which may contain sensitive information,
          such as the stack guard, portions of the file cache or
          terminal buffers, which an attacker might leverage to obtain
          elevated privileges.</p>
      </body>
    </description>
    <references>
      <freebsdsa>SA-16:21.43bsd</freebsdsa>
    </references>
    <dates>
      <discovery>2016-05-31</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="7c5d64dd-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Kernel stack disclosure in Linux compatibility layer</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.3</ge><lt>10.3_4</lt></range>
        <range><ge>10.2</ge><lt>10.2_18</lt></range>
        <range><ge>10.1</ge><lt>10.1_35</lt></range>
        <range><ge>9.3</ge><lt>9.3_43</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The implementation of the TIOCGSERIAL ioctl(2) does not
          clear the output struct before copying it out to userland.</p>
        <p>The implementation of the Linux sysinfo() system call
          does not clear the output struct before copying it out to
          userland.</p>
        <h1>Impact:</h1>
        <p>An unprivileged user can read a portion of uninitialised
          kernel stack data, which may contain sensitive information,
          such as the stack guard, portions of the file cache or
          terminal buffers, which an attacker might leverage to obtain
          elevated privileges.</p>
      </body>
    </description>
    <references>
      <freebsdsa>SA-16:20.linux</freebsdsa>
    </references>
    <dates>
      <discovery>2016-05-31</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="7c0bac69-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Incorrect argument handling in sendmsg(2)</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.3</ge><lt>10.3_3</lt></range>
        <range><ge>10.2</ge><lt>10.2_17</lt></range>
        <range><ge>10.1</ge><lt>10.1_34</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>Incorrect argument handling in the socket code allows a
          malicious local user to overwrite a large portion of
          kernel memory.</p>
        <h1>Impact:</h1>
        <p>A malicious local user may crash the kernel or execute arbitrary
          code in the kernel, potentially gaining superuser privileges.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1887</cvename>
      <freebsdsa>SA-16:19.sendmsg</freebsdsa>
    </references>
    <dates>
      <discovery>2016-05-17</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="7bbc0e8c-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Buffer overflow in keyboard driver</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.3</ge><lt>10.3_3</lt></range>
        <range><ge>10.2</ge><lt>10.2_17</lt></range>
        <range><ge>10.1</ge><lt>10.1_34</lt></range>
        <range><ge>9.3</ge><lt>9.3_42</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>Incorrect signedness comparison in the ioctl(2) handler
          allows a malicious local user to overwrite a portion of the
          kernel memory.</p>
        <h1>Impact:</h1>
        <p>A local user may crash the kernel, read a portion of
          kernel memory and execute arbitrary code in kernel context.
          The result of executing arbitrary kernel code is privilege
          escalation.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1886</cvename>
      <freebsdsa>SA-16:18.atkbd</freebsdsa>
    </references>
    <dates>
      <discovery>2016-05-17</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="7b6a11b5-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Incorrect argument validation in sysarch(2)</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.2</ge><lt>10.2_14</lt></range>
        <range><ge>10.1</ge><lt>10.1_31</lt></range>
        <range><ge>9.3</ge><lt>9.3_39</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A special combination of sysarch(2) arguments specifies
          a request to uninstall a set of descriptors from the LDT.
          The start descriptor is cleared and the number of descriptors
          is provided. Due to invalid use of a signed intermediate
          value in the bounds checking during argument validity
          verification, unbounded zeroing of the process LDT and
          adjacent memory can be initiated from usermode.</p>
        <h1>Impact:</h1>
        <p>This vulnerability could cause the kernel to panic. In
          addition it is possible to perform a local Denial of Service
          against the system by unprivileged processes.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1885</cvename>
      <freebsdsa>SA-16:15.sysarch</freebsdsa>
    </references>
    <dates>
      <discovery>2016-03-16</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="7b1a4a27-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Multiple OpenSSL vulnerabilities</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.2</ge><lt>10.2_13</lt></range>
        <range><ge>10.1</ge><lt>10.1_30</lt></range>
        <range><ge>9.3</ge><lt>9.3_38</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A cross-protocol attack was discovered that could lead
          to decryption of TLS sessions by using a server supporting
          SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA
          padding oracle. Note that traffic between clients and
          non-vulnerable servers can be decrypted provided another
          server supporting SSLv2 and EXPORT ciphers (even with a
          different protocol such as SMTP, IMAP or POP3) shares the
          RSA keys of the non-vulnerable server. This vulnerability
          is known as DROWN. [CVE-2016-0800]</p>
        <p>A double free bug was discovered when OpenSSL parses
          malformed DSA private keys and could lead to a DoS attack
          or memory corruption for applications that receive DSA
          private keys from untrusted sources. This scenario is
          considered rare. [CVE-2016-0705]</p>
        <p>The SRP user database lookup method SRP_VBASE_get_by_user
          had confusing memory management semantics; the returned
          pointer was sometimes newly allocated, and sometimes owned
          by the callee. The calling code has no way of distinguishing
          these two cases. [CVE-2016-0798]</p>
        <p>In the BN_hex2bn function, the number of hex digits is
          calculated using an int value |i|. Later |bn_expand| is
          called with a value of |i * 4|. For large values of |i|
          this can result in |bn_expand| not allocating any memory
          because |i * 4| is negative. This can leave the internal
          BIGNUM data field as NULL leading to a subsequent NULL
          pointer dereference. For very large values of |i|, the
          calculation |i * 4| could be a positive value smaller than
          |i|. In this case memory is allocated to the internal BIGNUM
          data field, but it is insufficiently sized leading to heap
          corruption. A similar issue exists in BN_dec2bn. This could
          have security consequences if BN_hex2bn/BN_dec2bn is ever
          called by user applications with very large untrusted hex/dec
          data. This is anticipated to be a rare occurrence.
          [CVE-2016-0797]</p>
        <p>The internal |fmtstr| function used in processing a "%s"
          formatted string in the BIO_*printf functions could overflow
          while calculating the length of a string and cause an
          out-of-bounds read when printing very long strings.
          [CVE-2016-0799]</p>
        <p>A side-channel attack was found which makes use of
          cache-bank conflicts on the Intel Sandy-Bridge microarchitecture
          which could lead to the recovery of RSA keys. [CVE-2016-0702]</p>
        <p>s2_srvr.c did not enforce that clear-key-length is 0 for
          non-export ciphers. If clear-key bytes are present for these
          ciphers, they displace encrypted-key bytes. [CVE-2016-0703]</p>
        <p>s2_srvr.c overwrites the wrong bytes in the master key
          when applying Bleichenbacher protection for export cipher
          suites. [CVE-2016-0704]</p>
        <h1>Impact:</h1>
        <p>Servers that have the SSLv2 protocol enabled are vulnerable
          to the "DROWN" attack, which allows a remote attacker to
          rapidly attack many recorded TLS connections made to the server,
          even when the client did not make any SSLv2 connections
          themselves.</p>
        <p>An attacker who can supply malformed DSA private keys
          to OpenSSL applications may be able to cause memory corruption
          which would lead to a Denial of Service condition.
          [CVE-2016-0705]</p>
        <p>An attacker connecting with an invalid username can cause
          a memory leak, which could eventually lead to a Denial of
          Service condition. [CVE-2016-0798]</p>
        <p>An attacker who can inject malformed data into an
          application may be able to cause memory corruption which
          would lead to a Denial of Service condition. [CVE-2016-0797,
          CVE-2016-0799]</p>
        <p>A local attacker who has control of code in a thread
          running on the same hyper-threaded core as the victim thread
          which is performing decryptions could recover RSA keys.
          [CVE-2016-0702]</p>
        <p>An eavesdropper who can intercept an SSLv2 handshake can
          conduct an efficient divide-and-conquer key recovery attack
          and use the server as an oracle to determine the SSLv2
          master-key, using only 16 connections to the server and
          negligible computation. [CVE-2016-0703]</p>
        <p>An attacker can use the Bleichenbacher oracle, which
          enables a more efficient variant of the DROWN attack.
          [CVE-2016-0704]</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-0702</cvename>
      <cvename>CVE-2016-0703</cvename>
      <cvename>CVE-2016-0704</cvename>
      <cvename>CVE-2016-0705</cvename>
      <cvename>CVE-2016-0797</cvename>
      <cvename>CVE-2016-0798</cvename>
      <cvename>CVE-2016-0799</cvename>
      <cvename>CVE-2016-0800</cvename>
      <freebsdsa>SA-16:12.openssl</freebsdsa>
    </references>
    <dates>
      <discovery>2016-03-10</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="7ac28df1-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Linux compatibility layer issetugid(2) system call</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.2</ge><lt>10.2_11</lt></range>
        <range><ge>10.1</ge><lt>10.1_28</lt></range>
        <range><ge>9.3</ge><lt>9.3_35</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A programming error in the Linux compatibility layer
          could cause the issetugid(2) system call to return incorrect
          information.</p>
        <h1>Impact:</h1>
        <p>If an application relies on output of the issetugid(2)
          system call and that information is incorrect, this could
          lead to a privilege escalation.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1883</cvename>
      <freebsdsa>SA-16:10.linux</freebsdsa>
    </references>
    <dates>
      <discovery>2016-01-27</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="7a31dfba-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Insecure default snmpd.config permissions</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.2</ge><lt>10.2_9</lt></range>
        <range><ge>10.1</ge><lt>10.1_26</lt></range>
        <range><ge>9.3</ge><lt>9.3_33</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The SNMP protocol supports an authentication model called
          USM, which relies on a shared secret. The default permission
          of the snmpd configuration file, /etc/snmpd.config, is
          weak and does not provide adequate protection against local
          unprivileged users.</p>
        <h1>Impact:</h1>
        <p>A local user may be able to read the shared secret, if
          configured and used by the system administrator.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-5677</cvename>
      <freebsdsa>SA-16:06.bsnmpd</freebsdsa>
    </references>
    <dates>
      <discovery>2016-01-14</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="79dfc135-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- TCP MD5 signature denial of service</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.2</ge><lt>10.2_9</lt></range>
        <range><ge>10.1</ge><lt>10.1_26</lt></range>
        <range><ge>9.3</ge><lt>9.3_33</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A programming error in processing a TCP connection with
          both TCP_MD5SIG and TCP_NOOPT socket options may lead to
          a kernel crash.</p>
        <h1>Impact:</h1>
        <p>A local attacker can crash the kernel, resulting in a
          denial-of-service.</p>
        <p>A remote attack is theoretically possible, if the server has
          a listening socket with TCP_NOOPT set, and the server is either
          out of SYN cache entries, or the SYN cache is disabled by
          configuration.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1882</cvename>
      <freebsdsa>SA-16:05.tcp</freebsdsa>
    </references>
    <dates>
      <discovery>2016-01-14</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="798f63e0-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Linux compatibility layer setgroups(2) system call</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.2</ge><lt>10.2_9</lt></range>
        <range><ge>10.1</ge><lt>10.1_26</lt></range>
        <range><ge>9.3</ge><lt>9.3_33</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A programming error in the Linux compatibility layer
          setgroups(2) system call can lead to unexpected results,
          such as overwriting random kernel memory contents.</p>
        <h1>Impact:</h1>
        <p>It is possible for a local attacker to overwrite portions
          of kernel memory, which may result in a privilege escalation
          or cause a system panic.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1881</cvename>
      <freebsdsa>SA-16:04.linux</freebsdsa>
    </references>
    <dates>
      <discovery>2016-01-14</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="793fb19c-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Linux compatibility layer incorrect futex handling</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.2</ge><lt>10.2_9</lt></range>
        <range><ge>10.1</ge><lt>10.1_26</lt></range>
        <range><ge>9.3</ge><lt>9.3_33</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A programming error in the handling of Linux futex robust
          lists may result in incorrect memory locations being
          accessed.</p>
        <h1>Impact:</h1>
        <p>It is possible for a local attacker to read portions of
          kernel memory, which may result in a privilege escalation.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1880</cvename>
      <freebsdsa>SA-16:03.linux</freebsdsa>
    </references>
    <dates>
      <discovery>2016-01-14</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="78f06a6c-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- SCTP ICMPv6 error message vulnerability</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.2</ge><lt>10.2_9</lt></range>
        <range><ge>10.1</ge><lt>10.1_26</lt></range>
        <range><ge>9.3</ge><lt>9.3_33</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A lack of proper input checks in the ICMPv6 processing
          in the SCTP stack can lead to either a failed kernel assertion
          or to a NULL pointer dereference. In either case, a kernel
          panic will follow.</p>
        <h1>Impact:</h1>
        <p>A remote, unauthenticated attacker can reliably trigger
          a kernel panic in a vulnerable system running IPv6. Any
          kernel compiled with both IPv6 and SCTP support is vulnerable.
          There is no requirement to have an SCTP socket open.</p>
        <p>IPv4 ICMP processing is not impacted by this vulnerability.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1879</cvename>
      <freebsdsa>SA-16:01.sctp</freebsdsa>
    </references>
    <dates>
      <discovery>2016-01-14</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="0e5d6969-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- rpcbind(8) remote denial of service [REVISED]</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.2</ge><lt>10.2_5</lt></range>
        <range><ge>10.1</ge><lt>10.1_22</lt></range>
        <range><ge>9.3</ge><lt>9.3_28</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>In rpcbind(8), netbuf structures are copied directly,
          which would result in two netbuf structures that reference
          one shared address buffer. When one of the two netbuf
          structures is freed, access to the other netbuf structure
          has an undefined result that may crash the
          rpcbind(8) daemon.</p>
        <h1>Impact:</h1>
        <p>A remote attacker who can send specifically crafted
          packets to the rpcbind(8) daemon can cause it to crash,
          resulting in a denial of service condition.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-7236</cvename>
      <freebsdsa>SA-15:24.rpcbind</freebsdsa>
    </references>
    <dates>
      <discovery>2015-09-29</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="0dfa5dde-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Local privilege escalation in IRET handler</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.1</ge><lt>10.1_19</lt></range>
        <range><ge>9.3</ge><lt>9.3_24</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>If the kernel-mode IRET instruction generates an #SS or
          #NP exception, but the exception handler does not properly
          ensure that the right GS register base for kernel is reloaded,
          the userland GS segment may be used in the context of the
          kernel exception handler.</p>
        <h1>Impact:</h1>
        <p>By causing an IRET with #SS or #NP exceptions, a local
          attacker can cause the kernel to use an arbitrary GS base,
          which may allow escalated privileges or panic the system.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-5675</cvename>
      <freebsdsa>SA-15:21.amd64</freebsdsa>
    </references>
    <dates>
      <discovery>2015-08-25</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="0da8a68e-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Multiple integer overflows in expat (libbsdxml) XML parser</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.1</ge><lt>10.1_18</lt></range>
        <range><ge>10.2</ge><lt>10.2_1</lt></range>
        <range><ge>9.3</ge><lt>9.3_23</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>Multiple integer overflows have been discovered in the
          XML_GetBuffer() function in the expat library.</p>
        <h1>Impact:</h1>
        <p>The integer overflows may be exploited by using specifically
          crafted XML data and lead to an infinite loop, or a heap buffer
          overflow, which results in a Denial of Service condition,
          or enables remote attackers to execute arbitrary code.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-1283</cvename>
      <freebsdsa>SA-15:20.expat</freebsdsa>
    </references>
    <dates>
      <discovery>2015-08-18</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="0d584493-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- routed(8) remote denial of service vulnerability</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.1</ge><lt>10.1_17</lt></range>
        <range><ge>9.3</ge><lt>9.3_22</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The input path in routed(8) will accept queries from any
          source and attempt to answer them. However, the output path
          assumes that the destination address for the response is
          on a directly connected network.</p>
        <h1>Impact:</h1>
        <p>Upon receipt of a query from a source which is not on a
          directly connected network, routed(8) will trigger an
          assertion and terminate. The affected system's routing table
          will no longer be updated. If the affected system is a
          router, its routes will eventually expire from other routers'
          routing tables, and its networks will no longer be reachable
          unless they are also connected to another router.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-5674</cvename>
      <freebsdsa>SA-15:19.routed</freebsdsa>
    </references>
    <dates>
      <discovery>2015-08-05</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
  <vuln vid="0d090952-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- shell injection vulnerability in patch(1)</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.1</ge><lt>10.1_17</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>Due to insufficient sanitization of the input patch
          stream, it is possible for a patch file to cause patch(1)
          to pass certain ed(1) scripts to the ed(1) editor, which
          would run commands.</p>
        <h1>Impact:</h1>
        <p>This issue could be exploited to execute arbitrary
          commands as the user invoking patch(1) against a specifically
          crafted patch file, which could be leveraged to obtain
          elevated privileges.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-1418</cvename>
      <freebsdsa>SA-15:18.bsdpatch</freebsdsa>
    </references>
    <dates>
      <discovery>2015-08-05</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>
<vuln vid="0cb9d5bb-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Resource exhaustion in TCP reassembly</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.1</ge><lt>10.1_16</lt></range>
<range><ge>9.3</ge><lt>9.3_21</lt></range>
<range><ge>8.4</ge><lt>8.4_35</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>There is a mistake in the introduction of VNET, which
converted the global limit on the number of segments that
could belong to reassembly queues into a per-VNET limit.
Because mbufs are allocated from a global pool, in the
presence of a sufficient number of VNETs, the total number
of mbufs attached to reassembly queues can grow to the total
number of mbufs in the system, at which point all network
traffic would cease.</p>
<h1>Impact:</h1>
<p>An attacker who can establish concurrent TCP connections
across a sufficient number of VNETs and manipulate the
inbound packet streams such that the maximum number of mbufs
are enqueued on each reassembly queue can cause mbuf cluster
exhaustion on the target system, resulting in a Denial of
Service condition.</p>
<p>As the default per-VNET limit on the number of segments
that can belong to reassembly queues is 1/16 of the total
number of mbuf clusters in the system, only systems that
have 16 or more VNET instances are vulnerable.</p>
</body>
</description>
<references>
<cvename>CVE-2015-1417</cvename>
<freebsdsa>SA-15:15.tcp</freebsdsa>
</references>
<dates>
<discovery>2015-07-28</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0c6759dd-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- shell injection vulnerability in patch(1)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Due to insufficient sanitization of the input patch
stream, it is possible for a patch file to cause patch(1)
to run commands in addition to the desired SCCS or RCS
commands.</p>
<h1>Impact:</h1>
<p>This issue could be exploited to execute arbitrary
commands as the user invoking patch(1) against a specifically
crafted patch file, which could be leveraged to obtain
elevated privileges.</p>
</body>
</description>
<references>
<cvename>CVE-2015-1416</cvename>
<freebsdsa>SA-15:14.bsdpatch</freebsdsa>
</references>
<dates>
<discovery>2015-07-28</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0c064c43-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Resource exhaustion due to sessions stuck in LAST_ACK state</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.1</ge><lt>10.1_15</lt></range>
<range><ge>9.3</ge><lt>9.3_20</lt></range>
<range><ge>8.4</ge><lt>8.4_34</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>TCP connections transitioning to the LAST_ACK state can
become permanently stuck due to mishandling of protocol
state in certain situations, which in turn can lead to
accumulated consumption and eventual exhaustion of system
resources, such as mbufs and sockets.</p>
<h1>Impact:</h1>
<p>An attacker who can repeatedly establish TCP connections
to a victim system (for instance, a Web server) could create
many TCP connections that are stuck in LAST_ACK state and
cause resource exhaustion, resulting in a denial of service
condition. This may also happen in normal operation where
no intentional attack is conducted, but an attacker who can
send specifically crafted packets can trigger this more
reliably.</p>
</body>
</description>
<references>
<cvename>CVE-2015-5358</cvename>
<freebsdsa>SA-15:13.tcp</freebsdsa>
</references>
<dates>
<discovery>2015-07-21</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0bb55a18-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Denial of Service with IPv6 Router Advertisements</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.1</ge><lt>10.1_9</lt></range>
<range><ge>9.3</ge><lt>9.3_13</lt></range>
<range><ge>8.4</ge><lt>8.4_27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The Neighbor Discovery Protocol allows a local router to
advertise a suggested Current Hop Limit value for a link,
which will replace the Current Hop Limit on an interface connected
to the link on the FreeBSD system.</p>
<h1>Impact:</h1>
<p>When the Current Hop Limit (similar to IPv4's TTL) is
small, IPv6 packets may get dropped before they reach
their destinations.</p>
<p>By sending specifically crafted Router Advertisement
packets, an attacker on the local network can cause the
FreeBSD system to lose the ability to communicate with
another IPv6 node on a different network.</p>
</body>
</description>
<references>
<cvename>CVE-2015-2923</cvename>
<freebsdsa>SA-15:09.ipv6</freebsdsa>
</references>
<dates>
<discovery>2015-04-07</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0b65f297-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Insecure default GELI keyfile permissions</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The default permissions set by the bsdinstall(8) installer
when configuring full disk encrypted ZFS are too open.</p>
<h1>Impact:</h1>
<p>A local attacker may be able to get a copy of the geli(8)
provider's keyfile, which is stored at a fixed location.</p>
</body>
</description>
<references>
<cvename>CVE-2015-1415</cvename>
<freebsdsa>SA-15:08.bsdinstall</freebsdsa>
</references>
<dates>
<discovery>2015-04-07</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0afe8b29-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Integer overflow in IGMP protocol</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.1</ge><lt>10.1_9</lt></range>
<range><ge>9.3</ge><lt>9.3_13</lt></range>
<range><ge>8.4</ge><lt>8.4_27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>An integer overflow in computing the size of an IGMPv3 data
buffer can result in a buffer which is too small for the
requested operation.</p>
<h1>Impact:</h1>
<p>An attacker who can send specifically crafted IGMP packets
could cause a denial of service situation by causing the
kernel to crash.</p>
</body>
</description>
<references>
<cvename>CVE-2015-1414</cvename>
<freebsdsa>SA-15:04.igmp</freebsdsa>
</references>
<dates>
<discovery>2015-02-25</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0aad3ce5-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- SCTP stream reset vulnerability</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.1</ge><lt>10.1_5</lt></range>
<range><ge>10.0</ge><lt>10.0_17</lt></range>
<range><ge>9.3</ge><lt>9.3_9</lt></range>
<range><ge>8.4</ge><lt>8.4_23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The input validation of received SCTP RE_CONFIG chunks
is insufficient, and can result in a NULL pointer dereference
later.</p>
<h1>Impact:</h1>
<p>A remote attacker who can send a malformed SCTP packet
to a FreeBSD system that serves SCTP can cause a kernel
panic, resulting in a Denial of Service.</p>
</body>
</description>
<references>
<cvename>CVE-2014-8613</cvename>
<freebsdsa>SA-15:03.sctp</freebsdsa>
</references>
<dates>
<discovery>2015-01-27</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0a5cf6d8-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- SCTP SCTP_SS_VALUE kernel memory corruption and disclosure</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.1</ge><lt>10.1_5</lt></range>
<range><ge>10.0</ge><lt>10.0_17</lt></range>
<range><ge>9.3</ge><lt>9.3_9</lt></range>
<range><ge>8.4</ge><lt>8.4_23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Due to insufficient validation of the SCTP stream ID,
which serves as an array index, a local unprivileged attacker
can read or write 16 bits of kernel memory.</p>
<h1>Impact:</h1>
<p>An unprivileged process can read or modify 16 bits of
memory which belongs to the kernel. This may lead to
exposure of sensitive information or allow privilege
escalation.</p>
</body>
</description>
<references>
<cvename>CVE-2014-8612</cvename>
<freebsdsa>SA-15:02.kmem</freebsdsa>
</references>
<dates>
<discovery>2015-01-27</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="74ded00e-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Buffer overflow in stdio</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A programming error in the standard I/O library's
__sflush() function could erroneously adjust the buffered
stream's internal state even when no write actually occurred,
in the case where the write(2) system call returns an error.</p>
<h1>Impact:</h1>
<p>The accounting mismatch would accumulate if the caller
does not check the stream status, and will eventually lead
to a heap buffer overflow.</p>
<p>Such overflows may lead to data corruption or the execution
of arbitrary code at the privilege level of the calling
program.</p>
</body>
</description>
<references>
<cvename>CVE-2014-8611</cvename>
<freebsdsa>SA-14:27.stdio</freebsdsa>
</references>
<dates>
<discovery>2014-12-10</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="7488378d-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Remote command execution in ftp(1)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_12</lt></range>
<range><ge>9.3</ge><lt>9.3_5</lt></range>
<range><ge>9.2</ge><lt>9.2_15</lt></range>
<range><ge>9.1</ge><lt>9.1_22</lt></range>
<range><ge>8.4</ge><lt>8.4_19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A malicious HTTP server could cause ftp(1) to execute
arbitrary commands.</p>
<h1>Impact:</h1>
<p>When operating on HTTP URIs, the ftp(1) client follows
HTTP redirects, and uses the part of the path after the
last '/' from the last resource it accesses as the output
filename if '-o' is not specified.</p>
<p>If the output file name provided by the server begins
with a pipe ('|'), the output is passed to popen(3), which
might be used to execute arbitrary commands on the ftp(1)
client machine.</p>
</body>
</description>
<references>
<cvename>CVE-2014-8517</cvename>
<freebsdsa>SA-14:26.ftp</freebsdsa>
</references>
<dates>
<discovery>2014-11-04</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="74389f22-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Kernel stack disclosure in setlogin(2) / getlogin(2)</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.0</ge><lt>10.0_12</lt></range>
<range><ge>9.3</ge><lt>9.3_5</lt></range>
<range><ge>9.2</ge><lt>9.2_15</lt></range>
<range><ge>9.1</ge><lt>9.1_22</lt></range>
<range><ge>8.4</ge><lt>8.4_19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When setlogin(2) is called while setting up a new login
session, the login name is copied into an uninitialized
stack buffer, which is then copied into a buffer of the
same size in the session structure. The getlogin(2) system
call returns the entire buffer rather than just the portion
occupied by the login name associated with the session.</p>
<h1>Impact:</h1>
<p>An unprivileged user can access this memory by calling
getlogin(2) and reading beyond the terminating NUL character
of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD
9 and 10) bytes of kernel memory may be leaked in this
manner for each invocation of setlogin(2).</p>
<p>This memory may contain sensitive information, such as
portions of the file cache or terminal buffers, which an
attacker might leverage to obtain elevated privileges.</p>
</body>
</description>
<references>
<cvename>CVE-2014-8476</cvename>
<freebsdsa>SA-14:25.setlogin</freebsdsa>
</references>
<dates>
<discovery>2014-11-04</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="73e9a137-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Denial of service attack against sshd(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_12</lt></range>
<range><ge>9.2</ge><lt>9.2_15</lt></range>
<range><ge>9.1</ge><lt>9.1_22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Although OpenSSH is not multithreaded, when OpenSSH is
compiled with Kerberos support, the Heimdal libraries bring
in the POSIX thread library as a dependency. Due to incorrect
library ordering while linking sshd(8), symbols in the C
library which are shadowed by the POSIX thread library may
not be resolved correctly at run time.</p>
<p>Note that this problem is specific to the FreeBSD build
system and does not affect other operating systems or the
version of OpenSSH available from the FreeBSD ports tree.</p>
<h1>Impact:</h1>
<p>An incorrectly linked sshd(8) child process may deadlock
while handling an incoming connection. The connection may
then time out or be interrupted by the client, leaving the
deadlocked sshd(8) child process behind. Eventually, the
sshd(8) parent process stops accepting new connections.</p>
<p>An attacker may take advantage of this by repeatedly
connecting and then dropping the connection after having
begun, but not completed, the authentication process.</p>
</body>
</description>
<references>
<cvename>CVE-2014-8475</cvename>
<freebsdsa>SA-14:24.sshd</freebsdsa>
</references>
<dates>
<discovery>2014-11-04</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="73964eac-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- memory leak in sandboxed namei lookup</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.0</ge><lt>10.0_10</lt></range>
<range><ge>9.3</ge><lt>9.3_3</lt></range>
<range><ge>9.2</ge><lt>9.2_13</lt></range>
<range><ge>9.1</ge><lt>9.1_20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The namei facility will leak a small amount of kernel
memory every time a sandboxed process looks up a nonexistent
path name.</p>
<h1>Impact:</h1>
<p>A remote attacker that can cause a sandboxed process
(for instance, a web server) to look up a large number of
nonexistent path names can cause memory exhaustion.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3711</cvename>
<freebsdsa>SA-14:22.namei</freebsdsa>
</references>
<dates>
<discovery>2014-10-21</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="734233f4-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- routed(8) remote denial of service vulnerability</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_10</lt></range>
<range><ge>9.3</ge><lt>9.3_3</lt></range>
<range><ge>9.2</ge><lt>9.2_13</lt></range>
<range><ge>9.1</ge><lt>9.1_20</lt></range>
<range><ge>8.4</ge><lt>8.4_17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The input path in routed(8) will accept queries from any
source and attempt to answer them. However, the output path
assumes that the destination address for the response is
on a directly connected network.</p>
<h1>Impact:</h1>
<p>Upon receipt of a query from a source which is not on a
directly connected network, routed(8) will trigger an
assertion and terminate. The affected system's routing table
will no longer be updated. If the affected system is a
router, its routes will eventually expire from other routers'
routing tables, and its networks will no longer be reachable
unless they are also connected to another router.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3955</cvename>
<freebsdsa>SA-14:21.routed</freebsdsa>
</references>
<dates>
<discovery>2014-10-21</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="72ee7111-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- rtsold(8) remote buffer overflow vulnerability</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_10</lt></range>
<range><ge>9.3</ge><lt>9.3_3</lt></range>
<range><ge>9.2</ge><lt>9.2_13</lt></range>
<range><ge>9.1</ge><lt>9.1_20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Due to a missing length check in the code that handles
DNS parameters, a malformed router advertisement message
can result in a stack buffer overflow in rtsold(8).</p>
<h1>Impact:</h1>
<p>Receipt of a router advertisement message with a malformed
DNSSL option, for instance from a compromised host on the
same network, can cause rtsold(8) to crash.</p>
<p>While it is theoretically possible to inject code into
rtsold(8) through malformed router advertisement messages,
it is normally compiled with stack protection enabled,
rendering such an attack extremely difficult.</p>
<p>When rtsold(8) crashes, the existing DNS configuration
will remain in force, and the kernel will continue to receive
and process periodic router advertisements.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3954</cvename>
<freebsdsa>SA-14:20.rtsold</freebsdsa>
</references>
<dates>
<discovery>2014-10-21</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="729c4a9f-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Denial of Service in TCP packet processing</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.0</ge><lt>10.0_9</lt></range>
<range><ge>9.3</ge><lt>9.3_2</lt></range>
<range><ge>9.2</ge><lt>9.2_12</lt></range>
<range><ge>9.1</ge><lt>9.1_19</lt></range>
<range><ge>8.4</ge><lt>8.4_16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When a segment with the SYN flag for an already existing
connection arrives, the TCP stack tears down the connection,
bypassing a check that the sequence number in the segment
is in the expected window.</p>
<h1>Impact:</h1>
<p>An attacker who has the ability to spoof IP traffic can
tear down a TCP connection by sending only 2 packets, if
they know both TCP port numbers. In case one of the two
port numbers is unknown, a successful attack requires less
than 2**17 packets spoofed, which can be generated within
less than a second on a decent connection to the Internet.</p>
</body>
</description>
<references>
<cvename>CVE-2004-0230</cvename>
<freebsdsa>SA-14:19.tcp</freebsdsa>
</references>
<dates>
<discovery>2014-09-16</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="7240de58-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Kernel memory disclosure in control messages and SCTP</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.0</ge><lt>10.0_7</lt></range>
<range><ge>9.2</ge><lt>9.2_10</lt></range>
<range><ge>9.1</ge><lt>9.1_17</lt></range>
<range><ge>8.4</ge><lt>8.4_14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The buffer between the control message header and data may not
be completely initialized before being copied to userland.
[CVE-2014-3952]</p>
<p>Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO,
have implicit padding that may not be completely initialized
before being copied to userland. In addition, three SCTP
notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and
SCTP_AUTHENTICATION_EVENT, have padding in the returned
data structure that may not be completely initialized before
being copied to userland. [CVE-2014-3953]</p>
<h1>Impact:</h1>
<p>An unprivileged local process may be able to retrieve
a portion of kernel memory.</p>
<p>For the generic control message, the process may be able
to retrieve a maximum of 4 bytes of kernel memory.</p>
<p>For SCTP, the process may be able to retrieve 2 bytes
of kernel memory for all three control messages, plus 92
bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the
local process is permitted to receive SCTP notifications, a
maximum of 112 bytes of kernel memory may be returned to
userland.</p>
<p>This information might be directly useful, or it might
be leveraged to obtain elevated privileges in some way. For
example, a terminal buffer might include a user-entered
password.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3952</cvename>
<cvename>CVE-2014-3953</cvename>
<freebsdsa>SA-14:17.kmem</freebsdsa>
</references>
<dates>
<discovery>2014-07-08</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="70140f20-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Multiple vulnerabilities in file(1) and libmagic(3)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_6</lt></range>
<range><ge>9.2</ge><lt>9.2_9</lt></range>
<range><ge>9.1</ge><lt>9.1_16</lt></range>
<range><ge>8.4</ge><lt>8.4_13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A specifically crafted Composite Document File (CDF)
file can trigger an out-of-bounds read or an invalid pointer
dereference. [CVE-2012-1571]</p>
<p>A flawed regular expression in the awk script detector
makes use of multiple wildcards with unlimited repetitions.
[CVE-2013-7345]</p>
<p>A malicious input file could trigger infinite recursion
in libmagic(3). [CVE-2014-1943]</p>
<p>A specifically crafted Portable Executable (PE) can
trigger an out-of-bounds read. [CVE-2014-2270]</p>
<h1>Impact:</h1>
<p>An attacker who can cause file(1), or any other application
using the libmagic(3) library, to be run on a maliciously
constructed input can cause the application to crash or consume
excessive CPU resources, resulting in a denial-of-service.</p>
</body>
</description>
<references>
<cvename>CVE-2012-1571</cvename>
<cvename>CVE-2013-7345</cvename>
<cvename>CVE-2014-1943</cvename>
<cvename>CVE-2014-2270</cvename>
<freebsdsa>SA-14:16.file</freebsdsa>
</references>
<dates>
<discovery>2014-06-24</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="6f91a709-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- iconv(3) NULL pointer dereference and out-of-bounds array access</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A NULL pointer dereference in the initialization code
of the HZ module and an out of bounds array access in the
initialization code of the VIQR module make iconv_open(3)
calls involving HZ or VIQR result in an application crash.</p>
<h1>Impact:</h1>
<p>Services where an attacker can control the arguments of
an iconv_open(3) call can be caused to crash resulting in
a denial-of-service. For example, an email encoded in HZ
may cause an email delivery service to crash if it converts
emails to a more generic encoding like UTF-8 before applying
filtering rules.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3951</cvename>
<freebsdsa>SA-14:15.iconv</freebsdsa>
</references>
<dates>
<discovery>2014-06-24</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="6e8f9003-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Incorrect error handling in PAM policy parser</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>9.2</ge><lt>9.2_7</lt></range>
<range><ge>10.0</ge><lt>10.0_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The OpenPAM library searches for policy definitions in
several locations. While doing so, the absence of a policy
file is a soft failure (handled by searching in the next
location) while the presence of an invalid file is a hard
failure (handled by returning an error to the caller).</p>
<p>The policy parser returns the same error code (ENOENT)
when a syntactically valid policy references a non-existent
module as when the requested policy file does not exist.
The search loop regards this as a soft failure and looks
for the next similarly-named policy, without discarding the
partially-loaded configuration.</p>
<p>A similar issue can arise if a policy contains an include
directive that refers to a non-existent policy.</p>
<h1>Impact:</h1>
<p>If a module is removed, or the name of a module is
misspelled in the policy file, the PAM library will proceed
with a partially loaded configuration. Depending on the
exact circumstances, this may result in a fail-open scenario
where users are allowed to log in without a password, or
with an incorrect password.</p>
<p>In particular, if a policy references a module installed
by a package or port, and that package or port is being
reinstalled or upgraded, there is a brief window of time
during which the module is absent and policies that use it
may fail open. This can be especially damaging to Internet-facing
SSH servers, which are regularly subjected to brute-force
scans.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3879</cvename>
<freebsdsa>SA-14:13.pam</freebsdsa>
</references>
<dates>
<discovery>2014-06-03</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="6e04048b-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- ktrace kernel memory disclosure</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>9.2</ge><lt>9.2_7</lt></range>
<range><ge>9.1</ge><lt>9.1_14</lt></range>
<range><ge>8.4</ge><lt>8.4_11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Due to an overlooked merge to -STABLE branches, the size
for page fault kernel trace entries was set incorrectly.</p>
<h1>Impact:</h1>
<p>A user who can enable kernel process tracing could end
up reading the contents of kernel memory.</p>
<p>Such memory might contain sensitive information, such
as portions of the file cache or terminal buffers. This
information might be directly useful, or it might be leveraged
to obtain elevated privileges in some way; for example, a
terminal buffer might include a user-entered password.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3873</cvename>
<freebsdsa>SA-14:12.ktrace</freebsdsa>
</references>
<dates>
<discovery>2014-06-03</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="6d9eadaf-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- sendmail improper close-on-exec flag handling</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_4</lt></range>
<range><ge>9.2</ge><lt>9.2_7</lt></range>
<range><ge>9.1</ge><lt>9.1_14</lt></range>
<range><ge>8.4</ge><lt>8.4_11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>There is a programming error in sendmail(8) that prevents
open file descriptors from having close-on-exec properly set.
Consequently a subprocess will be able to access all open
files that the parent process has open.</p>
<h1>Impact:</h1>
<p>A local user who can execute their own program for mail
delivery will be able to interfere with an open SMTP
connection.</p>
</body>
</description>
<references>
<freebsdsa>SA-14:11.sendmail</freebsdsa>
</references>
<dates>
<discovery>2014-06-03</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="6d472244-6007-11e6-a6c3-14dae9d210b8"> | |
<topic>FreeBSD -- TCP reassembly vulnerability</topic> | |
<affects> | |
<package> | |
<name>FreeBSD-kernel</name> | |
<range><ge>8.4</ge><lt>8.4_9</lt></range> | |
<range><ge>8.3</ge><lt>8.3_16</lt></range> | |
<range><ge>9.2</ge><lt>9.2_5</lt></range> | |
<range><ge>9.1</ge><lt>9.1_12</lt></range> | |
<range><ge>10.0</ge><lt>10.0_2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<h1>Problem Description:</h1> | |
<p>FreeBSD may add a reassembly queue entry allocated on the stack
into the segment list when the reassembly queue reaches its
limit. The memory from the stack is undefined after the
function returns. Subsequent iterations of the reassembly
function will attempt to access this entry.</p>
<h1>Impact:</h1>
<p>An attacker who can send a series of specifically crafted
packets with a connection could cause a denial of service
situation by causing the kernel to crash.</p>
<p>Additionally, because the undefined on-stack memory may
be overwritten by other kernel threads, while extremely
difficult, it may be possible for an attacker to construct
a carefully crafted attack to obtain a portion of kernel
memory via a connected socket. This may result in the
disclosure of sensitive information such as login credentials,
etc. before or even without crashing the system.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3000</cvename>
<freebsdsa>SA-14:08.tcp</freebsdsa>
</references>
<dates>
<discovery>2014-04-30</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="6b6ca5b6-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- devfs rules not applied by default for jails</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The default devfs rulesets are not loaded on boot, even
when jails are used. Device nodes will be created in the
jail with their normal default access permissions, while
most of them should be hidden and inaccessible.</p>
<h1>Impact:</h1>
<p>Jailed processes can get access to restricted resources
on the host system. For jailed processes running with
superuser privileges this implies access to all devices on
the system. This level of access could lead to information
leakage and privilege escalation.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3001</cvename>
<freebsdsa>SA-14:07.devfs</freebsdsa>
</references>
<dates>
<discovery>2014-04-30</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="6a384960-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Deadlock in the NFS server</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.0</ge><lt>10.0_1</lt></range>
<range><ge>9.2</ge><lt>9.2_4</lt></range>
<range><ge>9.1</ge><lt>9.1_11</lt></range>
<range><ge>8.4</ge><lt>8.4_8</lt></range>
<range><ge>8.3</ge><lt>8.3_15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The kernel holds a lock over the source directory vnode
while trying to convert the target directory file handle
to a vnode, which needs to be returned with the lock held,
too. This order may be in violation of normal lock order,
which in conjunction with other threads that grab locks in
the right order, constitutes a deadlock condition because
no thread can proceed.</p>
<h1>Impact:</h1>
<p>An attacker on a trusted client could cause the NFS
server to become deadlocked, resulting in a denial of service.</p>
</body>
</description>
<references>
<cvename>CVE-2014-1453</cvename>
<freebsdsa>SA-14:05.nfsserver</freebsdsa>
</references>
<dates>
<discovery>2014-04-08</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="4c96ecf2-5fd9-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- bsnmpd remote denial of service vulnerability</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>9.2</ge><lt>9.2_3</lt></range>
<range><ge>9.1</ge><lt>9.1_10</lt></range>
<range><ge>8.4</ge><lt>8.4_7</lt></range>
<range><ge>8.3</ge><lt>8.3_14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The bsnmpd(8) daemon is prone to a stack-based
buffer-overflow when it has received a specifically crafted
GETBULK PDU request.</p>
<h1>Impact:</h1>
<p>This issue could be exploited to execute arbitrary code in
the context of the service daemon, or crash the service daemon, causing
a denial-of-service.</p>
</body>
</description>
<references>
<cvename>CVE-2014-1452</cvename>
<freebsdsa>SA-14:01.bsnmpd</freebsdsa>
</references>
<dates>
<discovery>2014-01-14</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="ca16fd0b-5fd1-11e6-a6f2-6cc21735f730">
<topic>PostgreSQL -- Denial-of-Service and Code Injection Vulnerabilities</topic>
<affects>
<package>
<name>postgresql91-server</name>
<range><ge>9.1.0</ge><lt>9.1.23</lt></range>
</package>
<package>
<name>postgresql92-server</name>
<range><ge>9.2.0</ge><lt>9.2.18</lt></range>
</package>
<package>
<name>postgresql93-server</name>
<range><ge>9.3.0</ge><lt>9.3.11</lt></range>
</package>
<package>
<name>postgresql94-server</name>
<range><ge>9.4.0</ge><lt>9.4.9</lt></range>
</package>
<package>
<name>postgresql95-server</name>
<range><ge>9.5.0</ge><lt>9.5.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PostgreSQL project reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1688/">
<p>
Security Fixes nested CASE expressions +
database and role names with embedded special characters
</p>
<ul>
<li>CVE-2016-5423: certain nested CASE expressions can cause the
server to crash.
</li>
<li>CVE-2016-5424: database and role names with embedded special
characters can allow code injection during administrative operations
like pg_dumpall.
</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5423</cvename>
<cvename>CVE-2016-5424</cvename>
</references>
<dates>
<discovery>2016-08-11</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="28bf62ef-5e2c-11e6-a15f-00248c0c745d">
<topic>piwik -- XSS vulnerability</topic>
<affects>
<package>
<name>piwik</name>
<range><lt>2.16.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Piwik reports:</p>
<blockquote cite="https://piwik.org/changelog/piwik-2-16-2/">
<p>We have identified and fixed several XSS security issues in this release.</p>
</blockquote>
</body>
</description>
<references>
<url>https://piwik.org/changelog/piwik-2-16-2/</url>
</references>
<dates>
<discovery>2016-08-03</discovery>
<entry>2016-08-09</entry>
</dates>
</vuln>
<vuln vid="7d08e608-5e95-11e6-b334-002590263bf5">
<topic>BIND,Knot,NSD,PowerDNS -- denial of service via oversized zone transfers</topic>
<affects>
<package>
<name>bind99</name>
<range><le>9.9.9P2</le></range>
</package>
<package>
<name>bind910</name>
<range><le>9.10.4P2</le></range>
</package>
<package>
<name>bind911</name>
<range><le>9.11.0.b2</le></range>
</package>
<package>
<name>bind9-devel</name>
<range><ge>0</ge></range>
</package>
<package>
<name>knot</name>
<name>knot1</name>
<range><lt>1.6.8</lt></range>
</package>
<package>
<name>knot2</name>
<range><lt>2.3.0</lt></range>
</package>
<package>
<name>nsd</name>
<range><lt>4.1.11</lt></range>
</package>
<package>
<name>powerdns</name>
<range><lt>4.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01390">
<p>DNS protocols were designed with the assumption that a certain
amount of trust could be presumed between the operators of primary
and secondary servers for a given zone. However, in current
practice some organizations have scenarios which require them to
accept zone data from sources that are not fully trusted (for
example: providers of secondary name service). A party who is
allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS
updates) can overwhelm the server which is accepting data by
intentionally or accidentally exhausting that server's memory.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6170</cvename>
<cvename>CVE-2016-6171</cvename>
<cvename>CVE-2016-6172</cvename>
<cvename>CVE-2016-6173</cvename>
<url>https://kb.isc.org/article/AA-01390</url>
<mlist>http://www.openwall.com/lists/oss-security/2016/07/06/4</mlist>
</references>
<dates>
<discovery>2016-07-06</discovery>
<entry>2016-08-10</entry>
</dates>
</vuln>
<vuln vid="dd48d9b9-5e7e-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Kernel memory disclosure in sctp(4)</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>9.1</ge><lt>9.1_6</lt></range>
<range><ge>8.4</ge><lt>8.4_3</lt></range>
<range><ge>8.3</ge><lt>8.3_10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When initializing the SCTP state cookie being sent in INIT-ACK chunks,
a buffer allocated from the kernel stack is not completely initialized.</p>
<h1>Impact:</h1>
<p>Fragments of kernel memory may be included in SCTP packets and
transmitted over the network. For each SCTP session, there are two
separate instances in which a 4-byte fragment may be transmitted.</p>
<p>This memory might contain sensitive information, such as portions of the
file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in
some way. For example, a terminal buffer might include a user-entered
password.</p>
</body>
</description>
<references>
<freebsdsa>SA-13:10.sctp</freebsdsa>
<cvename>CVE-2013-5209</cvename>
</references>
<dates>
<discovery>2013-08-22</discovery>
<entry>2016-08-09</entry>
</dates>
</vuln>
<vuln vid="0844632f-5e78-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- integer overflow in IP_MSFILTER</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>9.1</ge><lt>9.1_6</lt></range>
<range><ge>8.4</ge><lt>8.4_3</lt></range>
<range><ge>8.3</ge><lt>8.3_10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>An integer overflow in computing the size of a temporary
buffer can result in a buffer which is too small for the requested
operation.</p>
<h1>Impact:</h1>
<p>An unprivileged process can read or write pages of memory
which belong to the kernel. These may lead to exposure of sensitive
information or allow privilege escalation.</p>
</body>
</description>
<references>
<cvename>CVE-2013-3077</cvename>
<freebsdsa>SA-13:09.ip_multicast</freebsdsa>
</references>
<dates>
<discovery>2013-08-22</discovery>
<entry>2016-08-09</entry>
</dates>
</vuln>
<vuln vid="e5d2442d-5e76-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Incorrect privilege validation in the NFS server</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>9.1</ge><lt>9.1_5</lt></range>
<range><ge>8.3</ge><lt>8.3_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The kernel incorrectly uses client-supplied credentials
instead of those configured in exports(5) when filling out the
anonymous credential for an NFS export, when -network or -host
restrictions are used at the same time.</p>
<h1>Impact:</h1>
<p>The remote client may supply privileged credentials (e.g. the
root user) when accessing a file under the NFS share, which will bypass
the normal access checks.</p>
</body>
</description>
<references>
<cvename>CVE-2013-4851</cvename>
<freebsdsa>SA-13:08.nfsserver</freebsdsa>
</references>
<dates>
<discovery>2013-07-06</discovery>
<entry>2016-08-09</entry>
</dates>
</vuln>
<vuln vid="6da45e38-5b55-11e6-8859-000c292ee6b8">
<topic>collectd -- Network plugin heap overflow</topic>
<affects>
<package>
<name>collectd5</name>
<range><lt>5.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The collectd Project reports:</p>
<blockquote cite="http://collectd.org/news.shtml#news98">
<p>Emilien Gaspar has identified a heap overflow in collectd's
network plugin which can be triggered remotely and is potentially
exploitable.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6254</cvename>
<url>http://collectd.org/news.shtml#news98</url>
</references>
<dates>
<discovery>2016-07-26</discovery>
<entry>2016-08-05</entry>
</dates>
</vuln>
<vuln vid="3ddcb42b-5b78-11e6-b334-002590263bf5">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle28</name>
<range><le>2.8.12</le></range>
</package>
<package>
<name>moodle29</name>
<range><lt>2.9.7</lt></range>
</package>
<package>
<name>moodle30</name>
<range><lt>3.0.5</lt></range>
</package>
<package>
<name>moodle31</name>
<range><lt>3.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marina Glancy reports:</p>
<blockquote cite="https://moodle.org/security/">
<ul>
<li><p>MSA-16-0019: Glossary search displays entries without
checking user permissions to view them</p></li>
<li><p>MSA-16-0020: Text injection in email headers</p></li>
<li><p>MSA-16-0021: Unenrolled user still receives event monitor
notifications even though they can no longer access course</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5012</cvename>
<cvename>CVE-2016-5013</cvename>
<cvename>CVE-2016-5014</cvename>
<url>https://moodle.org/security/</url>
</references>
<dates>
<discovery>2016-07-19</discovery>
<entry>2016-08-06</entry>
</dates>
</vuln>
<vuln vid="7a31e0de-5b6d-11e6-b334-002590263bf5">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.9P2</lt></range>
</package>
<package>
<name>bind910</name>
<range><lt>9.10.4P2</lt></range>
</package>
<package>
<name>bind911</name>
<range><lt>9.11.0.b2</lt></range>
</package>
<package>
<name>bind9-devel</name>
<range><lt>9.12.0.a.2016.07.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01393">
<p>A query name which is too long can cause a segmentation fault in
lwresd.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2775</cvename>
<url>https://kb.isc.org/article/AA-01393</url>
</references>
<dates>
<discovery>2016-07-18</discovery>
<entry>2016-08-06</entry>
</dates>
</vuln>
<vuln vid="610101ea-5b6a-11e6-b334-002590263bf5">
<topic>wireshark -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<name>wireshark-lite</name>
<name>wireshark-qt5</name>
<name>tshark</name>
<name>tshark-lite</name>
<range><lt>2.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark development team reports:</p>
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.5.html">
<p>The following vulnerabilities have been fixed:</p>
<ul>
<li><p>wnpa-sec-2016-41</p>
<p>PacketBB crash. (Bug 12577)</p></li>
<li><p>wnpa-sec-2016-42</p>
<p>WSP infinite loop. (Bug 12594)</p></li>
<li><p>wnpa-sec-2016-44</p>
<p>RLC long loop. (Bug 12660)</p></li>
<li><p>wnpa-sec-2016-45</p>
<p>LDSS dissector crash. (Bug 12662)</p></li>
<li><p>wnpa-sec-2016-46</p>
<p>RLC dissector crash. (Bug 12664)</p></li>
<li><p>wnpa-sec-2016-47</p>
<p>OpenFlow long loop. (Bug 12659)</p></li>
<li><p>wnpa-sec-2016-48</p>
<p>MMSE, WAP, WBXML, and WSP infinite loop. (Bug 12661)</p></li>
<li><p>wnpa-sec-2016-49</p>
<p>WBXML crash. (Bug 12663)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6505</cvename>
<cvename>CVE-2016-6506</cvename>
<cvename>CVE-2016-6508</cvename>
<cvename>CVE-2016-6509</cvename>
<cvename>CVE-2016-6510</cvename>
<cvename>CVE-2016-6511</cvename>
<cvename>CVE-2016-6512</cvename>
<cvename>CVE-2016-6513</cvename>
<url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.5.html</url>
<url>http://www.openwall.com/lists/oss-security/2016/08/01/4</url>
</references>
<dates>
<discovery>2016-07-27</discovery>
<entry>2016-08-06</entry>
</dates>
</vuln>
<vuln vid="3e08047f-5a6c-11e6-a6c3-14dae9d210b8">
<topic>p5-XSLoader -- local arbitrary code execution</topic>
<affects>
<package>
<name>p5-XSLoader</name>
<range><lt>0.22</lt></range>
</package>
<package>
<name>perl5</name>
<name>perl5.18</name>
<name>perl5.20</name>
<name>perl5.22</name>
<name>perl5.24</name>
<name>perl5-devel</name>
<range><ge>5.18</ge><lt>5.18.99</lt></range>
<range><ge>5.20</ge><lt>5.20.99</lt></range>
<range><ge>5.21</ge><lt>5.22.3.r2</lt></range>
<range><ge>5.23</ge><lt>5.24.1.r2</lt></range>
<range><ge>5.25</ge><lt>5.25.2.87</lt></range>
</package>
<package>
<name>perl</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakub Wilk reports:</p>
<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829578">
<p>XSLoader tries to load code from a subdirectory in the cwd when
called inside a string eval</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829578</url>
<cvename>CVE-2016-6185</cvename>
</references>
<dates>
<discovery>2016-06-30</discovery>
<entry>2016-08-04</entry>
<modified>2016-08-13</modified>
</dates>
</vuln>
<vuln vid="72bfbb09-5a6a-11e6-a6c3-14dae9d210b8">
<topic>perl -- local arbitrary code execution</topic>
<affects>
<package>
<name>perl5</name>
<name>perl5.18</name>
<name>perl5.20</name>
<name>perl5.22</name>
<name>perl5.24</name>
<name>perl5-devel</name>
<range><ge>5.18</ge><lt>5.18.4_23</lt></range>
<range><ge>5.20</ge><lt>5.20.3_14</lt></range>
<range><ge>5.21</ge><lt>5.22.3.r2</lt></range>
<range><ge>5.23</ge><lt>5.24.1.r2</lt></range>
<range><ge>5.25</ge><lt>5.25.3.18</lt></range>
</package>
<package>
<name>perl</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sawyer X reports:</p>
<blockquote cite="http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html">
<p>Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do
not properly remove . (period) characters from the end of the includes
directory array, which might allow local users to gain privileges via a
Trojan horse module under the current working directory.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html</url>
<cvename>CVE-2016-1238</cvename>
</references>
<dates>
<discovery>2016-07-21</discovery>
<entry>2016-08-04</entry>
<modified>2016-08-13</modified>
</dates>
</vuln>
<vuln vid="556d2286-5a51-11e6-a6c3-14dae9d210b8">
<topic>gd -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gd</name>
<range><lt>2.2.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pierre Joye reports:</p>
<blockquote cite="https://github.com/libgd/libgd/releases/tag/gd-2.2.3">
<ul>
<li><p>fix php bug 72339, Integer Overflow in _gd2GetHeader
(CVE-2016-5766)</p></li>
<li><p>gd: Buffer over-read issue when parsing crafted TGA
file (CVE-2016-6132)</p></li>
<li><p>Integer overflow error within _gdContributionsAlloc()
(CVE-2016-6207)</p></li>
<li><p>fix php bug 72494, invalid color index not handled, can
lead to crash (CVE-2016-6128)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/libgd/libgd/releases/tag/gd-2.2.3</url>
<cvename>CVE-2016-5766</cvename>
<cvename>CVE-2016-6132</cvename>
<cvename>CVE-2016-6207</cvename>
<cvename>CVE-2016-6128</cvename>
</references>
<dates>
<discovery>2016-07-21</discovery>
<entry>2016-08-04</entry>
</dates>
</vuln>
<vuln vid="e4bc70fc-5a2f-11e6-a1bc-589cfc0654e1">
<topic>Vulnerabilities in Curl</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.32.0</ge><lt>7.50.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Curl security team reports:</p>
<blockquote cite="https://curl.haxx.se/docs/security.html">
<p>CVE-2016-5419 - TLS session resumption client cert bypass</p>
<p>CVE-2016-5420 - Re-using connections with wrong client cert</p>
<p>CVE-2016-5421 - use of connection struct after free</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5419</cvename>
<cvename>CVE-2016-5420</cvename>
<cvename>CVE-2016-5421</cvename>
<url>https://curl.haxx.se/docs/adv_20160803A.html</url>
<url>https://curl.haxx.se/docs/adv_20160803B.html</url>
<url>https://curl.haxx.se/docs/adv_20160803C.html</url>
</references>
<dates>
<discovery>2016-08-03</discovery>
<entry>2016-08-04</entry>
</dates>
</vuln>
<vuln vid="ef0033ad-5823-11e6-80cc-001517f335e2">
<topic>lighttpd -- multiple vulnerabilities</topic>
<affects>
<package>
<name>lighttpd</name>
<range><lt>1.4.41</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Lighttpd Project reports:</p>
<blockquote cite="http://www.lighttpd.net/2016/7/31/1.4.41/">
<p>Security fixes for Lighttpd:</p>
<ul>
<li><p>security: encode quoting chars in HTML and XML</p></li>
<li><p>security: ensure gid != 0 if server.username is set, but not server.groupname</p></li>
<li><p>security: disable stat_cache if server.follow-symlink = “disable”</p></li>
<li><p>security: httpoxy defense: do not emit HTTP_PROXY to CGI env</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.lighttpd.net/2016/7/31/1.4.41/</url>
<freebsdpr>ports/211495</freebsdpr>
</references>
<dates>
<discovery>2016-07-31</discovery>
<entry>2016-08-03</entry>
</dates>
</vuln>
<vuln vid="06574c62-5854-11e6-b334-002590263bf5">
<topic>xen-tools -- virtio: unbounded memory allocation issue</topic>
<affects>
<package>
<name>xen-tools</name>
<range><lt>4.7.0_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-184.html">
<p>A guest can submit virtio requests without bothering to wait for
completion and is therefore not bound by virtqueue size...</p>
<p>A malicious guest administrator can cause unbounded memory
allocation in QEMU, which can cause an Out-of-Memory condition
in the domain running qemu. Thus, a malicious guest administrator
can cause a denial of service affecting the whole host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5403</cvename>
<freebsdpr>ports/211482</freebsdpr>
<url>http://xenbits.xen.org/xsa/advisory-184.html</url>
</references>
<dates>
<discovery>2016-07-27</discovery>
<entry>2016-08-02</entry>
</dates>
</vuln>
<vuln vid="04cf89e3-5854-11e6-b334-002590263bf5">
<topic>xen-kernel -- x86: Missing SMAP whitelisting in 32-bit exception / event delivery</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><gt>4.5</gt><lt>4.7.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-183.html">
<p>Supervisor Mode Access Prevention is a hardware feature designed
to make an Operating System more robust, by raising a pagefault
rather than accidentally following a pointer into userspace.
However, legitimate accesses into userspace require whitelisting,
and the exception delivery mechanism for 32bit PV guests wasn't
whitelisted.</p>
<p>A malicious 32-bit PV guest kernel can trigger a safety check,
crashing the hypervisor and causing a denial of service to other
VMs on the host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6259</cvename>
<freebsdpr>ports/211482</freebsdpr>
<url>http://xenbits.xen.org/xsa/advisory-183.html</url>
</references>
<dates>
<discovery>2016-07-26</discovery>
<entry>2016-08-02</entry>
</dates>
</vuln>
<vuln vid="032aa524-5854-11e6-b334-002590263bf5">
<topic>xen-kernel -- x86: Privilege escalation in PV guests</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.7.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-182.html">
<p>The PV pagetable code has fast-paths for making updates to
pre-existing pagetable entries, to skip expensive re-validation
in safe cases (e.g. clearing only Access/Dirty bits). The bits
considered safe were too broad, and not actually safe.</p>
<p>A malicious PV guest administrator can escalate their privilege to
that of the host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6258</cvename>
<freebsdpr>ports/211482</freebsdpr>
<url>http://xenbits.xen.org/xsa/advisory-182.html</url>
</references>
<dates>
<discovery>2016-07-26</discovery>
<entry>2016-08-02</entry>
</dates>
</vuln>
<vuln vid="cb5189eb-572f-11e6-b334-002590263bf5">
<topic>libidn -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libidn</name>
<range><lt>1.33</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon Josefsson reports:</p>
<blockquote cite="https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html">
<p>libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.</p>
<p>idn: Solve out-of-bounds-read when reading one zero byte as input.
Also replaced fgets with getline.</p>
<p>libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8. It was
always documented to only accept UTF-8 data, but now it doesn't
crash when presented with such data.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6261</cvename>
<cvename>CVE-2015-8948</cvename>
<cvename>CVE-2016-6262</cvename>
<cvename>CVE-2016-6263</cvename>
<url>https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html</url>
<url>http://www.openwall.com/lists/oss-security/2016/07/21/4</url>
</references>
<dates>
<discovery>2016-07-20</discovery>
<entry>2016-07-31</entry>
</dates>
</vuln>
<vuln vid="6fb8a90f-c9d5-4d14-b940-aed3d63c2edc">
<topic>The GIMP -- Use after Free vulnerability</topic>
<affects>
<package>
<name>gimp-app</name>
<range><lt>2.8.18,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The GIMP team reports:</p>
<blockquote cite="https://mail.gnome.org/archives/gimp-developer-list/2016-July/msg00020.html">
<p>A Use-after-free vulnerability was found in the xcf_load_image function.</p>
</blockquote>
</body>
</description>
<references>
<url>https://mail.gnome.org/archives/gimp-developer-list/2016-July/msg00020.html</url>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=767873</url>
<cvename>CVE-2016-4994</cvename>
</references>
<dates>
<discovery>2016-06-20</discovery>
<entry>2016-07-19</entry>
</dates>
</vuln>
<vuln vid="cb09a7aa-5344-11e6-a7bd-14dae9d210b8">
<topic>xerces-c3 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>xerces-c3</name>
<range><lt>3.1.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache reports:</p>
<blockquote cite="https://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt">
<p>The Xerces-C XML parser fails to successfully parse a
DTD that is deeply nested, and this causes a stack overflow, which
makes a denial of service attack against many applications possible
by an unauthenticated attacker.</p>
<p>Also, CVE-2016-2099: Use-after-free vulnerability in
validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier
allows context-dependent attackers to have unspecified impact via an
invalid character in an XML document.</p>
</blockquote>
</body>
</description>
<references>
<url>https://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt</url>
<url>http://www.openwall.com/lists/oss-security/2016/05/09/7</url>
<cvename>CVE-2016-2099</cvename>
<cvename>CVE-2016-4463</cvename>
</references>
<dates>
<discovery>2016-05-09</discovery>
<entry>2016-07-26</entry>
</dates>
</vuln>
<vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php55</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php70-curl</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php55-bz2</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56-bz2</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70-bz2</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php55-exif</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56-exif</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70-exif</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php55-gd</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56-gd</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70-gd</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php70-mcrypt</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php55-odbc</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56-odbc</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70-odbc</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php55-snmp</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56-snmp</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70-snmp</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php55-xmlrpc</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56-xmlrpc</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70-xmlrpc</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php55-zip</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56-zip</name>
<range><lt>5.6.24</lt></range> | |
</package> | |
<package> | |
<name>php70-zip</name> | |
<range><lt>7.0.9</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>PHP reports:</p> | |
<blockquote cite="http://www.php.net/ChangeLog-5.php#5.5.38"> | |
<ul> | |
<li><p>Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns)</p></li> | |
<li><p>Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()).</p></li> | |
<li><p>Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).</p></li> | |
<li><p>Fixed bug #72519 (imagegif/output out-of-bounds access).</p></li> | |
<li><p>Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener).</p></li> | |
<li><p>Fixed bug #72533 (locale_accept_from_http out-of-bounds access).</p></li> | |
<li><p>Fixed bug #72541 (size_t overflow lead to heap corruption).</p></li> | |
<li><p>Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to heap overflow in mdecrypt_generic).</p></li> | |
<li><p>Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).</p></li> | |
<li><p>Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications).</p></li> | |
<li><p>Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).</p></li> | |
<li><p>Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).</p></li> | |
<li><p>Fixed bug #72613 (Inadequate error handling in bzread()).</p></li> | |
<li><p>Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.php.net/ChangeLog-5.php#5.5.38</url> | |
<url>http://www.php.net/ChangeLog-5.php#5.6.24</url> | |
<url>http://www.php.net/ChangeLog-7.php#7.0.8</url> | |
<url>http://seclists.org/oss-sec/2016/q3/121</url> | |
<cvename>CVE-2015-8879</cvename> | |
<cvename>CVE-2016-5385</cvename> | |
<cvename>CVE-2016-5399</cvename> | |
<cvename>CVE-2016-6288</cvename> | |
<cvename>CVE-2016-6289</cvename> | |
<cvename>CVE-2016-6290</cvename> | |
<cvename>CVE-2016-6291</cvename> | |
<cvename>CVE-2016-6292</cvename> | |
<cvename>CVE-2016-6294</cvename> | |
<cvename>CVE-2016-6295</cvename> | |
<cvename>CVE-2016-6296</cvename> | |
<cvename>CVE-2016-6297</cvename> | |
</references> | |
<dates> | |
<discovery>2016-07-21</discovery> | |
<entry>2016-07-26</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6fae9fe1-5048-11e6-8aa7-3065ec8fd3ec"> | |
<topic>chromium -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>chromium</name> | |
<name>chromium-npapi</name> | |
<name>chromium-pulse</name> | |
<range><lt>52.0.2743.82</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Google Chrome Releases reports:</p> | |
<blockquote cite="https://googlechromereleases.blogspot.nl/2016/07/stable-channel-update.html"> | |
<p>48 security fixes in this release, including:</p> | |
<ul> | |
<li>[610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to | |
Pinkie Pie xisigr of Tencent's Xuanwu Lab</li> | |
<li>[613949] High CVE-2016-1708: Use-after-free in Extensions. | |
Credit to Adam Varsan</li> | |
<li>[614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly. | |
Credit to ChenQin of Topsec Security Team</li> | |
<li>[616907] High CVE-2016-1710: Same-origin bypass in Blink. | |
Credit to Mariusz Mlynski</li> | |
<li>[617495] High CVE-2016-1711: Same-origin bypass in Blink. | |
Credit to Mariusz Mlynski</li> | |
<li>[618237] High CVE-2016-5127: Use-after-free in Blink. Credit | |
to cloudfuzzer</li> | |
<li>[619166] High CVE-2016-5128: Same-origin bypass in V8. Credit | |
to Anonymous</li> | |
<li>[620553] High CVE-2016-5129: Memory corruption in V8. Credit to | |
Jeonghoon Shin</li> | |
<li>[623319] High CVE-2016-5130: URL spoofing. Credit to Wadih | |
Matar</li> | |
<li>[623378] High CVE-2016-5131: Use-after-free in libxml. Credit | |
to Nick Wellnhofer</li> | |
<li>[607543] Medium CVE-2016-5132: Limited same-origin bypass in | |
Service Workers. Credit to Ben Kelly</li> | |
<li>[613626] Medium CVE-2016-5133: Origin confusion in proxy | |
authentication. Credit to Patch Eudor</li> | |
<li>[593759] Medium CVE-2016-5134: URL leakage via PAC script. | |
Credit to Paul Stone</li> | |
<li>[605451] Medium CVE-2016-5135: Content-Security-Policy bypass. | |
Credit to kingxwy</li> | |
<li>[625393] Medium CVE-2016-5136: Use after free in extensions. | |
Credit to Rob Wu</li> | |
<li>[625945] Medium CVE-2016-5137: History sniffing with HSTS and | |
CSP. Credit to Xiaoyin Liu</li> | |
<li>[629852] CVE-2016-1705: Various fixes from internal audits, | |
fuzzing and other initiatives.</li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1705</cvename> | |
<cvename>CVE-2016-1706</cvename> | |
<cvename>CVE-2016-1708</cvename> | |
<cvename>CVE-2016-1709</cvename> | |
<cvename>CVE-2016-1710</cvename> | |
<cvename>CVE-2016-1711</cvename> | |
<cvename>CVE-2016-5127</cvename> | |
<cvename>CVE-2016-5128</cvename> | |
<cvename>CVE-2016-5129</cvename> | |
<cvename>CVE-2016-5130</cvename> | |
<cvename>CVE-2016-5131</cvename> | |
<cvename>CVE-2016-5132</cvename> | |
<cvename>CVE-2016-5133</cvename> | |
<cvename>CVE-2016-5134</cvename> | |
<cvename>CVE-2016-5135</cvename> | |
<cvename>CVE-2016-5136</cvename> | |
<cvename>CVE-2016-5137</cvename> | |
<url>https://googlechromereleases.blogspot.nl/2016/07/stable-channel-update.html</url> | |
</references> | |
<dates> | |
<discovery>2016-07-20</discovery> | |
<entry>2016-07-22</entry> | |
</dates> | |
</vuln> | |
<vuln vid="62d45229-4fa0-11e6-9d13-206a8a720317"> | |
<topic>krb5 -- KDC denial of service vulnerability</topic> | |
<affects> | |
<package> | |
<name>krb5-113</name> | |
<range><lt>1.13.6</lt></range> | |
</package> | |
<package> | |
<name>krb5-114</name> | |
<range><lt>1.14.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Major changes in krb5 1.14.3 and krb5 1.13.6:</p> | |
<blockquote cite="http://web.mit.edu/kerberos/krb5-1.14/"> | |
<p>Fix a rare KDC denial of service vulnerability when anonymous | |
client principals are restricted to obtaining TGTs only | |
[CVE-2016-3120].</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-3120</cvename> | |
<url>http://web.mit.edu/kerberos/krb5-1.14/</url> | |
</references> | |
<dates> | |
<discovery>2016-07-20</discovery> | |
<entry>2016-07-21</entry> | |
<modified>2016-07-26</modified> | |
</dates> | |
</vuln> | |
<vuln vid="72f71e26-4f69-11e6-ac37-ac9e174be3af"> | |
<topic>Apache OpenOffice 4.1.2 -- Memory Corruption Vulnerability (Impress Presentations)</topic> | |
<affects> | |
<package> | |
<name>apache-openoffice</name> | |
<range><lt>4.1.2_8</lt></range> | |
</package> | |
<package> | |
<name>apache-openoffice-devel</name> | |
<range><lt>4.2.1753426,4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Apache OpenOffice Project reports:</p> | |
<blockquote cite="http://www.openoffice.org/security/cves/CVE-2016-1513.html"> | |
<p>An OpenDocument Presentation .ODP or Presentation Template | |
.OTP file can contain invalid presentation elements that lead | |
to memory corruption when the document is loaded in Apache | |
OpenOffice Impress. The defect may cause the document to appear | |
as corrupted and OpenOffice may crash in a recovery-stuck mode | |
requiring manual intervention. A crafted exploitation of the | |
defect can allow an attacker to cause denial of service | |
(memory corruption and application crash) and possible | |
execution of arbitrary code.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1513</cvename> | |
<url>http://www.openoffice.org/security/cves/CVE-2015-4551.html</url> | |
</references> | |
<dates> | |
<discovery>2016-07-17</discovery> | |
<entry>2016-07-21</entry> | |
</dates> | |
</vuln> | |
<vuln vid="ca5cb202-4f51-11e6-b2ec-b499baebfeaf"> | |
<topic>MySQL -- Multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>mariadb55-server</name> | |
<range><le>5.5.49</le></range> | |
</package> | |
<package> | |
<name>mariadb100-server</name> | |
<range><le>10.0.25</le></range> | |
</package> | |
<package> | |
<name>mariadb101-server</name> | |
<range><le>10.1.14</le></range> | |
</package> | |
<package> | |
<name>mysql55-server</name> | |
<range><le>5.5.49</le></range> | |
</package> | |
<package> | |
<name>mysql56-server</name> | |
<range><lt>5.6.30</lt></range> | |
</package> | |
<package> | |
<name>mysql57-server</name> | |
<range><lt>5.7.12_1</lt></range> | |
</package> | |
<package> | |
<name>percona55-server</name> | |
<range><le>5.5.49</le></range> | |
</package> | |
<package> | |
<name>percona56-server</name> | |
<range><le>5.6.30</le></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Oracle reports:</p> | |
<blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL"> | |
<p>The quarterly Critical Patch Update contains 22 new security fixes for | |
Oracle MySQL 5.5.49, 5.6.30, 5.7.13 and earlier</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL</url> | |
<cvename>CVE-2016-3477</cvename> | |
<cvename>CVE-2016-3440</cvename> | |
<cvename>CVE-2016-2105</cvename> | |
<cvename>CVE-2016-3471</cvename> | |
<cvename>CVE-2016-3486</cvename> | |
<cvename>CVE-2016-3501</cvename> | |
<cvename>CVE-2016-3518</cvename> | |
<cvename>CVE-2016-3521</cvename> | |
<cvename>CVE-2016-3588</cvename> | |
<cvename>CVE-2016-3615</cvename> | |
<cvename>CVE-2016-3614</cvename> | |
<cvename>CVE-2016-5436</cvename> | |
<cvename>CVE-2016-3459</cvename> | |
<cvename>CVE-2016-5437</cvename> | |
<cvename>CVE-2016-3424</cvename> | |
<cvename>CVE-2016-5439</cvename> | |
<cvename>CVE-2016-5440</cvename> | |
<cvename>CVE-2016-5441</cvename> | |
<cvename>CVE-2016-5442</cvename> | |
<cvename>CVE-2016-5443</cvename> | |
<cvename>CVE-2016-5444</cvename> | |
<cvename>CVE-2016-3452</cvename> | |
</references> | |
<dates> | |
<discovery>2016-07-20</discovery> | |
<entry>2016-07-21</entry> | |
<modified>2016-08-08</modified> | |
</dates> | |
</vuln> | |
<vuln vid="3caf4e6c-4cef-11e6-a15f-00248c0c745d"> | |
<topic>typo3 -- Missing access check in Extbase</topic> | |
<affects> | |
<package> | |
<name>typo3</name> | |
<range><lt>7.6.8</lt></range> | |
</package> | |
<package> | |
<name>typo3-lts</name> | |
<range><lt>6.2.24</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>TYPO3 reports:</p> | |
<blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/"> | |
<p>Extbase request handling fails to implement a proper access check for | |
requested controller/ action combinations, which makes it possible for an | |
attacker to execute arbitrary Extbase actions by crafting a special request. To | |
successfully exploit this vulnerability, an attacker must have access to at | |
least one Extbase plugin or module action in a TYPO3 installation. The missing | |
access check inevitably leads to information disclosure or remote code | |
execution, depending on the action that an attacker is able to execute.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-5091</cvename> | |
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/</url> | |
<url>https://wiki.typo3.org/TYPO3_CMS_7.6.8</url> | |
<url>https://wiki.typo3.org/TYPO3_CMS_6.2.24</url> | |
</references> | |
<dates> | |
<discovery>2016-05-24</discovery> | |
<entry>2016-07-18</entry> | |
</dates> | |
</vuln> | |
<vuln vid="cf0b5668-4d1b-11e6-b2ec-b499baebfeaf"> | |
<cancelled/> | |
</vuln> | |
<vuln vid="00cb1469-4afc-11e6-97ea-002590263bf5"> | |
<topic>atutor -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>atutor</name> | |
<range><lt>2.2.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ATutor reports:</p> | |
<blockquote cite="https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2"> | |
<p>Security Fixes: Added a new layer of security over all php | |
superglobals, fixed several XSS, CSRF, and SQL injection | |
vulnerabilities.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2</url> | |
</references> | |
<dates> | |
<discovery>2016-07-01</discovery> | |
<entry>2016-07-16</entry> | |
</dates> | |
</vuln> | |
<vuln vid="ffa8ca79-4afb-11e6-97ea-002590263bf5"> | |
<topic>atutor -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>atutor</name> | |
<range><lt>2.2.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ATutor reports:</p> | |
<blockquote cite="https://github.com/atutor/ATutor/releases/tag/atutor_2_2_1"> | |
<p>Security Fixes: A number of minor XSS vulnerabilities discovered in | |
the previous version of ATutor have been corrected.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://github.com/atutor/ATutor/releases/tag/atutor_2_2_1</url> | |
</references> | |
<dates> | |
<discovery>2016-01-30</discovery> | |
<entry>2016-07-16</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a522d6ac-4aed-11e6-97ea-002590263bf5"> | |
<topic>flash -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>linux-c6-flashplugin</name> | |
<name>linux-c6_64-flashplugin</name> | |
<name>linux-f10-flashplugin</name> | |
<range><lt>11.2r202.632</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Adobe reports:</p> | |
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-25.html"> | |
<p>These updates resolve a race condition vulnerability that could | |
lead to information disclosure (CVE-2016-4247).</p> | |
<p>These updates resolve type confusion vulnerabilities that could | |
lead to code execution (CVE-2016-4223, CVE-2016-4224, | |
CVE-2016-4225).</p> | |
<p>These updates resolve use-after-free vulnerabilities that could | |
lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222, | |
CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, | |
CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).</p> | |
<p>These updates resolve a heap buffer overflow vulnerability that | |
could lead to code execution (CVE-2016-4249).</p> | |
<p>These updates resolve memory corruption vulnerabilities that could | |
lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179, | |
CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, | |
CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, | |
CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, | |
CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, | |
CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, | |
CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, | |
CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, | |
CVE-2016-4245, CVE-2016-4246).</p> | |
<p>These updates resolve a memory leak vulnerability (CVE-2016-4232).</p> | |
<p>These updates resolve stack corruption vulnerabilities that could | |
lead to code execution (CVE-2016-4176, CVE-2016-4177).</p> | |
<p>These updates resolve a security bypass vulnerability that could | |
lead to information disclosure (CVE-2016-4178).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4172</cvename> | |
<cvename>CVE-2016-4173</cvename> | |
<cvename>CVE-2016-4174</cvename> | |
<cvename>CVE-2016-4175</cvename> | |
<cvename>CVE-2016-4176</cvename> | |
<cvename>CVE-2016-4177</cvename> | |
<cvename>CVE-2016-4178</cvename> | |
<cvename>CVE-2016-4179</cvename> | |
<cvename>CVE-2016-4180</cvename> | |
<cvename>CVE-2016-4181</cvename> | |
<cvename>CVE-2016-4182</cvename> | |
<cvename>CVE-2016-4183</cvename> | |
<cvename>CVE-2016-4184</cvename> | |
<cvename>CVE-2016-4185</cvename> | |
<cvename>CVE-2016-4186</cvename> | |
<cvename>CVE-2016-4187</cvename> | |
<cvename>CVE-2016-4188</cvename> | |
<cvename>CVE-2016-4189</cvename> | |
<cvename>CVE-2016-4190</cvename> | |
<cvename>CVE-2016-4217</cvename> | |
<cvename>CVE-2016-4218</cvename> | |
<cvename>CVE-2016-4219</cvename> | |
<cvename>CVE-2016-4220</cvename> | |
<cvename>CVE-2016-4221</cvename> | |
<cvename>CVE-2016-4222</cvename> | |
<cvename>CVE-2016-4223</cvename> | |
<cvename>CVE-2016-4224</cvename> | |
<cvename>CVE-2016-4225</cvename> | |
<cvename>CVE-2016-4226</cvename> | |
<cvename>CVE-2016-4227</cvename> | |
<cvename>CVE-2016-4228</cvename> | |
<cvename>CVE-2016-4229</cvename> | |
<cvename>CVE-2016-4230</cvename> | |
<cvename>CVE-2016-4231</cvename> | |
<cvename>CVE-2016-4232</cvename> | |
<cvename>CVE-2016-4233</cvename> | |
<cvename>CVE-2016-4234</cvename> | |
<cvename>CVE-2016-4235</cvename> | |
<cvename>CVE-2016-4236</cvename> | |
<cvename>CVE-2016-4237</cvename> | |
<cvename>CVE-2016-4238</cvename> | |
<cvename>CVE-2016-4239</cvename> | |
<cvename>CVE-2016-4240</cvename> | |
<cvename>CVE-2016-4241</cvename> | |
<cvename>CVE-2016-4242</cvename> | |
<cvename>CVE-2016-4243</cvename> | |
<cvename>CVE-2016-4244</cvename> | |
<cvename>CVE-2016-4245</cvename> | |
<cvename>CVE-2016-4246</cvename> | |
<cvename>CVE-2016-4247</cvename> | |
<cvename>CVE-2016-4248</cvename> | |
<cvename>CVE-2016-4249</cvename> | |
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-25.html</url> | |
</references> | |
<dates> | |
<discovery>2016-07-12</discovery> | |
<entry>2016-07-16</entry> | |
</dates> | |
</vuln> | |
<vuln vid="61b8c359-4aab-11e6-a7bd-14dae9d210b8"> | |
<topic>Apache Commons FileUpload -- denial of service</topic> | |
<affects> | |
<package> | |
<name>tomcat6</name> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>tomcat7</name> | |
<range><lt>7.0.70</lt></range> | |
</package> | |
<package> | |
<name>tomcat8</name> | |
<range><lt>8.0.36</lt></range> | |
</package> | |
<package> | |
<name>apache-struts</name> | |
<range><le>2.5.2</le></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Jochen Wiedmann reports:</p> | |
<blockquote cite="http://jvn.jp/en/jp/JVN89379547/index.html"> | |
<p>A malicious client can send file upload requests that cause | |
the HTTP server using the Apache Commons Fileupload library to become | |
unresponsive, preventing the server from servicing other requests.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://jvn.jp/en/jp/JVN89379547/index.html</url> | |
<url>http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E</url> | |
<cvename>CVE-2016-3092</cvename> | |
</references> | |
<dates> | |
<discovery>2016-06-21</discovery> | |
<entry>2016-07-15</entry> | |
<modified>2016-07-15</modified> | |
</dates> | |
</vuln> | |
<vuln vid="3159cd70-4aaa-11e6-a7bd-14dae9d210b8"> | |
<topic>libreoffice -- use-after-free vulnerability</topic> | |
<affects> | |
<package> | |
<name>libreoffice</name> | |
<range><lt>5.1.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Talos reports:</p> | |
<blockquote cite="http://www.talosintelligence.com/reports/TALOS-2016-0126/"> | |
<p>An exploitable Use After Free vulnerability exists in the | |
RTF parser of LibreOffice. A specially crafted file can cause a use after | |
free resulting in a possible arbitrary code execution. To exploit the | |
vulnerability a malicious file needs to be opened by the user via the | |
vulnerable application.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.talosintelligence.com/reports/TALOS-2016-0126/</url> | |
<url>http://www.libreoffice.org/about-us/security/advisories/cve-2016-4324/</url> | |
<cvename>CVE-2016-4324</cvename> | |
</references> | |
<dates> | |
<discovery>2016-06-27</discovery> | |
<entry>2016-07-15</entry> | |
</dates> | |
</vuln> | |
<vuln vid="c17fe91d-4aa6-11e6-a7bd-14dae9d210b8"> | |
<cancelled/> | |
</vuln> | |
<vuln vid="0ab66088-4aa5-11e6-a7bd-14dae9d210b8"> | |
<topic>tiff -- buffer overflow</topic> | |
<affects> | |
<package> | |
<name>tiff</name> | |
<range><lt>4.0.6_2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mathias Svensson reports:</p> | |
<blockquote cite="https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2"> | |
<p>potential buffer write overrun in PixarLogDecode() on | |
corrupted/unexpected images</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2</url> | |
<cvename>CVE-2016-5875</cvename> | |
</references> | |
<dates> | |
<discovery>2016-06-28</discovery> | |
<entry>2016-07-15</entry> | |
</dates> | |
</vuln> | |
<vuln vid="42ecf370-4aa4-11e6-a7bd-14dae9d210b8"> | |
<topic>tiff -- denial of service</topic> | |
<affects> | |
<package> | |
<name>tiff</name> | |
<range><lt>4.0.6_2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Aladdin Mubaied reports:</p> | |
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=1319503"> | |
<p>Buffer-overflow in gif2tiff utility</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1319503</url> | |
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1319666</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/03/30/2</url> | |
<cvename>CVE-2016-3186</cvename> | |
</references> | |
<dates> | |
<discovery>2016-03-20</discovery> | |
<entry>2016-07-15</entry> | |
</dates> | |
</vuln> | |
<vuln vid="d706a3a3-4a7c-11e6-97f7-5453ed2e2b49"> | |
<topic>p7zip -- out-of-bounds read vulnerability</topic> | |
<affects> | |
<package> | |
<name>p7zip</name> | |
<range><lt>15.14_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Cisco Talos reports:</p> | |
<blockquote cite="http://www.talosintelligence.com/reports/TALOS-2016-0094/"> | |
<p>An out-of-bounds read vulnerability exists in the way 7-Zip | |
handles Universal Disk Format (UDF) files.</p> | |
<p>Central to 7-Zip’s processing of UDF files is the | |
CInArchive::ReadFileItem method. Because volumes can have more than | |
one partition map, their objects are kept in an object vector. To | |
start looking for an item, this method tries to reference the proper | |
object using the partition map’s object vector and the "PartitionRef" | |
field from the Long Allocation Descriptor. Lack of checking whether | |
the "PartitionRef" field is bigger than the available amount of | |
partition map objects causes a read out-of-bounds and can lead, in | |
some circumstances, to arbitrary code execution.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2335</cvename> | |
<url>http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html</url> | |
</references> | |
<dates> | |
<discovery>2016-05-11</discovery> | |
<entry>2016-07-15</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a9bcaf57-4a7b-11e6-97f7-5453ed2e2b49"> | |
<topic>p7zip -- heap overflow vulnerability</topic> | |
<affects> | |
<package> | |
<name>p7zip</name> | |
<range><lt>15.14_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Cisco Talos reports:</p> | |
<blockquote cite="http://www.talosintelligence.com/reports/TALOS-2016-0093/"> | |
<p>An exploitable heap overflow vulnerability exists in the | |
NArchive::NHfs::CHandler::ExtractZlibFile method functionality of | |
7zip that can lead to arbitrary code execution.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2334</cvename> | |
<url>http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html</url> | |
</references> | |
<dates> | |
<discovery>2016-05-11</discovery> | |
<entry>2016-07-15</entry> | |
</dates> | |
</vuln> | |
<vuln vid="4729c849-4897-11e6-b704-000c292e4fd8"> | |
<topic>samba -- client side SMB2/3 required signing can be downgraded</topic> | |
<affects> | |
<package> | |
<name>samba4</name> | |
<range><ge>4.0.0</ge><le>4.0.26</le></range> | |
</package> | |
<package> | |
<name>samba41</name> | |
<range><ge>4.1.0</ge><le>4.1.23</le></range> | |
</package> | |
<package> | |
<name>samba42</name> | |
<range><ge>4.2.0</ge><lt>4.2.14</lt></range> | |
</package> | |
<package> | |
<name>samba43</name> | |
<range><ge>4.3.0</ge><lt>4.3.11</lt></range> | |
</package> | |
<package> | |
<name>samba44</name> | |
<range><ge>4.4.0</ge><lt>4.4.5</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Samba team reports:</p> | |
<blockquote cite="https://www.samba.org/samba/security/CVE-2016-2119.html"> | |
<p>A man in the middle attack can disable client signing over | |
SMB2/3, even if enforced by configuration parameters.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2119</cvename> | |
<url>https://www.samba.org/samba/security/CVE-2016-2119.html</url> | |
</references> | |
<dates> | |
<discovery>2016-07-07</discovery> | |
<entry>2016-07-13</entry> | |
</dates> | |
</vuln> | |
<vuln vid="3fcd52b2-4510-11e6-a15f-00248c0c745d"> | |
<topic>ruby-saml -- XML signature wrapping attack</topic> | |
<affects> | |
<package> | |
<name>rubygem-ruby-saml</name> | |
<range><lt>1.3.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>RubySec reports:</p> | |
<blockquote cite="http://rubysec.com/advisories/CVE-2016-5697/"> | |
<p>ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack | |
in the specific scenario where there was a signature that referenced at the same | |
time 2 elements (but passed the scheme validator process since one of the elements was | |
inside the encrypted assertion).</p> | |
<p>ruby-saml users must update to 1.3.0, which implements 3 extra validations to | |
mitigate this kind of attack.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-5697</cvename> | |
<url>http://rubysec.com/advisories/CVE-2016-5697/</url> | |
<url>https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995</url> | |
</references> | |
<dates> | |
<discovery>2016-06-24</discovery> | |
<entry>2016-07-08</entry> | |
</dates> | |
</vuln> | |
<vuln vid="7d64d00c-43e3-11e6-ab34-002590263bf5"> | |
<topic>quassel -- remote denial of service</topic> | |
<affects> | |
<package> | |
<name>quassel</name> | |
<range><lt>0.12.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mitre reports:</p> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4414"> | |
<p>The onReadyRead function in core/coreauthhandler.cpp in Quassel | |
before 0.12.4 allows remote attackers to cause a denial of service | |
(NULL pointer dereference and crash) via invalid handshake data.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4414</cvename> | |
<url>http://quassel-irc.org/node/129</url> | |
<url>https://github.com/quassel/quassel/commit/e678873</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/04/30/2</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/04/30/4</url> | |
</references> | |
<dates> | |
<discovery>2016-04-24</discovery> | |
<entry>2016-07-07</entry> | |
</dates> | |
</vuln> | |
<vuln vid="e9d1e040-42c9-11e6-9608-20cf30e32f6d"> | |
<topic>apache24 -- X509 Client certificate based authentication can be bypassed when HTTP/2 is used</topic> | |
<affects> | |
<package> | |
<name>apache24</name> | |
<range><ge>2.4.18</ge><lt>2.4.23</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Apache Software Foundation reports:</p> | |
<blockquote cite="INSERT URL HERE"> | |
<p>The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate an X509 | |
client certificate correctly when the experimental module for the HTTP/2 | |
protocol is used to access a resource.</p> | |
<p>The net result is that a resource that should require a valid client | |
certificate in order to get access can be accessed without that credential.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4979</cvename> | |
<url>http://mail-archives.apache.org/mod_mbox/httpd-announce/201607.mbox/CVE-2016-4979-68283</url> | |
</references> | |
<dates> | |
<discovery>2016-07-01</discovery> | |
<entry>2016-07-05</entry> | |
</dates> | |
</vuln> | |
<vuln vid="e800cd4b-4212-11e6-942d-bc5ff45d0f28"> | |
<topic>xen-tools -- Unrestricted qemu logging</topic> | |
<affects> | |
<package> | |
<name>xen-tools</name> | |
<range><lt>4.7.0_2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Xen Project reports:</p> | |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-180.html"> | |
<p>When the libxl toolstack launches qemu for HVM guests, it pipes the | |
output of stderr to a file in /var/log/xen. This output is not | |
rate-limited in any way. The guest can easily cause qemu to print | |
messages to stderr, causing this file to become arbitrarily large. | |
</p> | |
<p>The disk containing the logfile can be exhausted, possibly causing a | |
denial-of-service (DoS).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2014-3672</cvename> | |
<url>http://xenbits.xen.org/xsa/advisory-180.html</url> | |
</references> | |
<dates> | |
<discovery>2016-05-23</discovery> | |
<entry>2016-07-04</entry> | |
</dates> | |
</vuln> | |
<vuln vid="e6ce6f50-4212-11e6-942d-bc5ff45d0f28"> | |
<topic>xen-tools -- QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks</topic> | |
<affects> | |
<package> | |
<name>xen-tools</name> | |
<range><lt>4.7.0_2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Xen Project reports:</p> | |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-179.html"> | |
<p>Qemu VGA module allows banked access to video memory using the | |
window at 0xa00000 and it supports different access modes with | |
different address calculations.</p> | |
<p>Qemu VGA module allows guest to edit certain registers in 'vbe' | |
and 'vga' modes.</p> | |
<p>A privileged guest user could use CVE-2016-3710 to exceed the bank | |
address window and write beyond the said memory area, potentially | |
leading to arbitrary code execution with privileges of the Qemu | |
process. If the system is not using stubdomains, this will be in | |
domain 0.</p> | |
<p>A privileged guest user could use CVE-2016-3712 to cause potential | |
integer overflow or OOB read access issues in Qemu, resulting in a DoS | |
of the guest itself. More dangerous effects, such as data leakage or | |
code execution, are not known but cannot be ruled out.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-3710</cvename> | |
<cvename>CVE-2016-3712</cvename> | |
<url>http://xenbits.xen.org/xsa/advisory-179.html</url> | |
</references> | |
<dates> | |
<discovery>2016-05-09</discovery> | |
<entry>2016-07-04</entry> | |
</dates> | |
</vuln> | |
<vuln vid="e589ae90-4212-11e6-942d-bc5ff45d0f28"> | |
<topic>xen-tools -- Unsanitised driver domain input in libxl device handling</topic> | |
<affects> | |
<package> | |
<name>xen-tools</name> | |
<range><lt>4.7.0_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Xen Project reports:</p> | |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-178.html"> | |
<p>libxl's device-handling code freely uses and trusts information | |
from the backend directories in xenstore.</p> | |
<p>A malicious driver domain can deny service to management tools.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4963</cvename> | |
<url>http://xenbits.xen.org/xsa/advisory-178.html</url> | |
</references> | |
<dates> | |
<discovery>2016-06-02</discovery> | |
<entry>2016-07-04</entry> | |
</dates> | |
</vuln> | |
<vuln vid="e43b210a-4212-11e6-942d-bc5ff45d0f28"> | |
<topic>xen-kernel -- x86 software guest page walk PS bit handling flaw</topic> | |
<affects> | |
<package> | |
<name>xen-kernel</name> | |
<range><lt>4.7.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Xen Project reports:</p> | |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-176.html"> | |
<p>The Page Size (PS) page table entry bit exists at all page table | |
levels other than L1. Its meaning is reserved in L4, and | |
conditionally reserved in L3 and L2 (depending on hardware | |
capabilities). The software page table walker in the hypervisor, | |
however, so far ignored that bit in L4 and (on respective hardware) | |
L3 entries, resulting in pages being treated as page tables which | |
the guest OS may not have designated as such. If the page in | |
question is writable by an unprivileged user, then that user will | |
be able to map arbitrary guest memory.</p> | |
<p>On vulnerable OSes, guest user mode code may be able to establish | |
mappings of arbitrary memory inside the guest, allowing it to | |
elevate its privileges inside the guest.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4480</cvename> | |
<url>http://xenbits.xen.org/xsa/advisory-176.html</url> | |
</references> | |
<dates> | |
<discovery>2016-05-17</discovery> | |
<entry>2016-07-04</entry> | |
</dates> | |
</vuln> | |
<vuln vid="e2fca11b-4212-11e6-942d-bc5ff45d0f28"> | |
<topic>xen-tools -- Unsanitised guest input in libxl device handling code</topic> | |
<affects> | |
<package> | |
<name>xen-tools</name> | |
<range><lt>4.7.0_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Xen Project reports:</p> | |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-175.html"> | |
<p>Various parts of libxl device-handling code inappropriately use | |
information from (partially) guest controlled areas of xenstore.</p> | |
<p>A malicious guest administrator can cause denial of service by | |
resource exhaustion.</p> | |
<p>A malicious guest administrator can confuse and/or deny service to | |
management facilities.</p> | |
<p>A malicious guest administrator of a guest configured with channel | |
devices may be able to escalate their privilege to that of the | |
backend domain (i.e., normally, to that of the host).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4962</cvename> | |
<url>http://xenbits.xen.org/xsa/advisory-175.html</url> | |
</references> | |
<dates> | |
<discovery>2016-06-02</discovery> | |
<entry>2016-07-04</entry> | |
</dates> | |
</vuln> | |
<vuln vid="d51ced72-4212-11e6-942d-bc5ff45d0f28"> | |
<topic>xen-kernel -- x86 shadow pagetables: address width overflow</topic> | |
<affects> | |
<package> | |
<name>xen-kernel</name> | |
<range><ge>3.4</ge><lt>4.7.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Xen Project reports:</p> | |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-173.html"> | |
<p>In the x86 shadow pagetable code, the guest frame number of a | |
superpage mapping is stored in a 32-bit field. If a shadowed guest | |
can cause a superpage mapping of a guest-physical address at or | |
above 2^44 to be shadowed, the top bits of the address will be lost, | |
causing an assertion failure or NULL dereference later on, in code | |
that removes the shadow.</p> | |
<p>A HVM guest using shadow pagetables can cause the host to crash. | |
</p> | |
<p>A PV guest using shadow pagetables (i.e. being migrated) with PV | |
superpages enabled (which is not the default) can crash the host, or | |
corrupt hypervisor memory, and so a privilege escalation cannot be | |
ruled out.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-3960</cvename> | |
<url>http://xenbits.xen.org/xsa/advisory-173.html</url> | |
</references> | |
<dates> | |
<discovery>2016-04-18</discovery> | |
<entry>2016-07-04</entry> | |
</dates> | |
</vuln> | |
<vuln vid="313e9557-41e8-11e6-ab34-002590263bf5"> | |
<topic>wireshark -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>wireshark</name> | |
<name>wireshark-lite</name> | |
<name>wireshark-qt5</name> | |
<name>tshark</name> | |
<name>tshark-lite</name> | |
<range><lt>2.0.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Wireshark development team reports:</p> | |
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.4.html"> | |
<p>The following vulnerabilities have been fixed:</p> | |
<ul> | |
<li><p>wnpa-sec-2016-29</p> | |
<p>The SPOOLS dissector could go into an infinite loop. Discovered | |
by the CESG.</p></li> | |
<li><p>wnpa-sec-2016-30</p> | |
<p>The IEEE 802.11 dissector could crash. (Bug 11585)</p></li> | |
<li><p>wnpa-sec-2016-31</p> | |
<p>The IEEE 802.11 dissector could crash. Discovered by Mateusz | |
Jurczyk. (Bug 12175)</p></li> | |
<li><p>wnpa-sec-2016-32</p> | |
<p>The UMTS FP dissector could crash. (Bug 12191)</p></li> | |
<li><p>wnpa-sec-2016-33</p> | |
<p>Some USB dissectors could crash. Discovered by Mateusz | |
Jurczyk. (Bug 12356)</p></li> | |
<li><p>wnpa-sec-2016-34</p> | |
<p>The Toshiba file parser could crash. Discovered by iDefense | |
Labs. (Bug 12394)</p></li> | |
<li><p>wnpa-sec-2016-35</p> | |
<p>The CoSine file parser could crash. Discovered by iDefense | |
Labs. (Bug 12395)</p></li> | |
<li><p>wnpa-sec-2016-36</p> | |
<p>The NetScreen file parser could crash. Discovered by iDefense | |
Labs. (Bug 12396)</p></li> | |
<li><p>wnpa-sec-2016-37</p> | |
<p>The Ethernet dissector could crash. (Bug 12440)</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-5350</cvename> | |
<cvename>CVE-2016-5351</cvename> | |
<cvename>CVE-2016-5352</cvename> | |
<cvename>CVE-2016-5353</cvename> | |
<cvename>CVE-2016-5354</cvename> | |
<cvename>CVE-2016-5355</cvename> | |
<cvename>CVE-2016-5356</cvename> | |
<cvename>CVE-2016-5357</cvename> | |
<cvename>CVE-2016-5358</cvename> | |
<url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.4.html</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/06/09/4</url> | |
</references> | |
<dates> | |
<discovery>2016-06-07</discovery> | |
<entry>2016-07-04</entry> | |
</dates> | |
</vuln> | |
<vuln vid="8656cf5f-4170-11e6-8dfe-002590263bf5"> | |
<topic>moodle -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>moodle28</name> | |
<range><lt>2.8.12</lt></range> | |
</package> | |
<package> | |
<name>moodle29</name> | |
<range><lt>2.9.6</lt></range> | |
</package> | |
<package> | |
<name>moodle30</name> | |
<range><lt>3.0.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Marina Glancy reports:</p> | |
<blockquote cite="https://moodle.org/security/"> | |
<ul> | |
<li><p>MSA-16-0013: Users are able to change profile fields that | |
were locked by the administrator.</p></li> | |
<li><p>MSA-16-0015: Information disclosure of hidden forum names | |
and sub-names.</p></li> | |
<li><p>MSA-16-0016: User can view badges of other users without | |
proper permissions.</p></li> | |
<li><p>MSA-16-0017: Course idnumber not protected from teacher | |
restore.</p></li> | |
<li><p>MSA-16-0018: CSRF in script marking forum posts as read.</p> | |
</li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-3729</cvename> | |
<cvename>CVE-2016-3731</cvename> | |
<cvename>CVE-2016-3732</cvename> | |
<cvename>CVE-2016-3733</cvename> | |
<cvename>CVE-2016-3734</cvename> | |
<url>https://moodle.org/security/</url> | |
</references> | |
<dates> | |
<discovery>2016-05-18</discovery> | |
<entry>2016-07-03</entry> | |
</dates> | |
</vuln> | |
<vuln vid="ad9b77f6-4163-11e6-b05b-14dae9d210b8"> | |
<topic>icingaweb2 -- remote code execution</topic> | |
<affects> | |
<package> | |
<name>icingaweb2</name> | |
<range><lt>2.3.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Eric Lippmann reports:</p> | |
<blockquote cite="https://www.icinga.org/2016/06/23/icinga-web-2-v2-3-4-v2-2-2-and-v2-1-4-releases/"> | |
<p>Possibility of remote code execution via the remote command | |
transport.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.icinga.org/2016/06/23/icinga-web-2-v2-3-4-v2-2-2-and-v2-1-4-releases/</url> | |
</references> | |
<dates> | |
<discovery>2016-06-23</discovery> | |
<entry>2016-07-03</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a5c204b5-4153-11e6-8dfe-002590263bf5"> | |
<topic>hive -- authorization logic vulnerability</topic> | |
<affects> | |
<package> | |
<name>hive</name> | |
<range><lt>2.0.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Sushanth Sowmyan reports:</p> | |
<blockquote cite="http://mail-archives.apache.org/mod_mbox/hive-user/201601.mbox/%3C20160128205008.2154F185EB%40minotaur.apache.org%3E"> | |
<p>Some partition-level operations exist that do not explicitly also | |
authorize privileges of the parent table. This can lead to issues when | |
the parent table would have denied the operation, but no denial occurs | |
because the partition-level privilege is not checked by the | |
authorization framework, which defines authorization entities only | |
from the table level upwards.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7521</cvename> | |
<url>http://mail-archives.apache.org/mod_mbox/hive-user/201601.mbox/%3C20160128205008.2154F185EB%40minotaur.apache.org%3E</url> | |
</references> | |
<dates> | |
<discovery>2016-01-28</discovery> | |
<entry>2016-07-03</entry> | |
</dates> | |
</vuln> | |
<vuln vid="546deeea-3fc6-11e6-a671-60a44ce6887b"> | |
<topic>SQLite3 -- Tempdir Selection Vulnerability</topic> | |
<affects> | |
<package> | |
<name>sqlite3</name> | |
<range><lt>3.13.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>KoreLogic security reports:</p> | |
<blockquote cite="https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt"> | |
<p>Affected versions of SQLite reject potential tempdir locations if | |
they are not readable, falling back to '.'. Thus, SQLite will favor | |
e.g. using cwd for tempfiles on such a system, even if cwd is an | |
unsafe location. Notably, SQLite also checks the permissions of | |
'.', but ignores the results of that check.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-6153</cvename> | |
<freebsdpr>ports/209827</freebsdpr> | |
<url>https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt</url> | |
<url>http://openwall.com/lists/oss-security/2016/07/01/2</url> | |
<url>http://www.sqlite.org/cgi/src/info/67985761aa93fb61</url> | |
<url>http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3</url> | |
<url>http://www.sqlite.org/cgi/src/info/614bb709d34e1148</url> | |
</references> | |
<dates> | |
<discovery>2016-07-01</discovery> | |
<entry>2016-07-03</entry> | |
</dates> | |
</vuln> | |
<vuln vid="8d5368ef-40fe-11e6-b2ec-b499baebfeaf"> | |
<topic>Python -- smtplib StartTLS stripping vulnerability</topic> | |
<affects> | |
<package> | |
<name>python27</name> | |
<range><lt>2.7.12</lt></range> | |
</package> | |
<package> | |
<name>python33</name> | |
<range><gt>0</gt></range> | |
</package> | |
<package> | |
<name>python34</name> | |
<range><lt>3.4.5</lt></range> | |
</package> | |
<package> | |
<name>python35</name> | |
<range><lt>3.5.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Red Hat reports:</p> | |
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772"> | |
<p>A vulnerability in smtplib allowing a MITM attacker to perform a | |
startTLS stripping attack. smtplib does not seem to raise an exception | |
when the remote end (smtp server) is capable of negotiating starttls but | |
fails to respond with 220 (ok) to an explicit call of SMTP.starttls(). | |
This may allow a malicious MITM to perform a startTLS stripping attack | |
if the client code does not explicitly check the response code for startTLS.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772</url> | |
<cvename>CVE-2016-0772</cvename> | |
</references> | |
<dates> | |
<discovery>2016-06-14</discovery> | |
<entry>2016-07-03</entry> | |
</dates> | |
</vuln> | |
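The check the report says client code must make, as an added example that is not part of the VuXML entry, Red Hat's report or CPython itself. It assumes a constructed fake SMTP endpoint on 127.0.0.1 (a stand-in for the MITM) that advertises STARTTLS in its EHLO reply and then answers the STARTTLS command with 454 instead of 220; the client function refuses to continue unless the reply code is exactly 220, which covers both a fixed smtplib (which raises SMTPResponseException) and an unfixed one (which returns the code and keeps the cleartext session). Host names, port and reply text are assumptions for the demo.

```python
import smtplib
import socketserver
import threading


class StripTlsHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a MITM SMTP endpoint (assumption for the demo): it
    advertises STARTTLS in EHLO but never answers the STARTTLS command with 220."""

    def handle(self):
        self.wfile.write(b"220 mitm.example ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO"):
                self.wfile.write(b"250-mitm.example\r\n250 STARTTLS\r\n")
            elif cmd.startswith(b"HELO"):
                self.wfile.write(b"250 mitm.example\r\n")
            elif cmd == b"STARTTLS":
                # Anything other than 220 here: an unfixed smtplib keeps the cleartext
                # session and hands this code back to the caller instead of raising.
                self.wfile.write(b"454 TLS not available due to temporary reason\r\n")
            elif cmd == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"250 OK\r\n")


def start_fake_server():
    """Bind the fake endpoint to an ephemeral localhost port and serve it in a thread."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StripTlsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def upgrade_to_tls(host, port, timeout=5.0):
    """Return True only if the server acknowledged STARTTLS with reply code 220.

    A fixed smtplib raises SMTPResponseException for any other code; an unfixed one
    returns (code, message) and silently stays in cleartext, so the code is checked
    explicitly rather than trusting that starttls() returned at all."""
    with smtplib.SMTP(host, port, local_hostname="client.example", timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False          # TLS never offered: do not fall back to cleartext
        try:
            code, _reply = smtp.starttls()
        except smtplib.SMTPResponseException:
            return False          # fixed smtplib: a non-220 reply raises
        return code == 220        # unfixed smtplib: a non-220 reply is returned, not raised


if __name__ == "__main__":
    server = start_fake_server()
    try:
        port = server.server_address[1]
        print("TLS established:", upgrade_to_tls("127.0.0.1", port))   # False
    finally:
        server.shutdown()
        server.server_close()
```

Only after upgrade_to_tls() returns True should credentials or message bodies be sent; on a refusal the session is closed by the context manager and the caller decides whether to retry or fail, never to continue in cleartext.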
<vuln vid="e7028e1d-3f9b-11e6-81f9-6805ca0b3d42"> | |
<topic>phpMyAdmin -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>phpmyadmin</name> | |
<range><ge>4.6.0</ge><lt>4.6.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpMyAdmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-17/"> | |
<h3>Summary</h3> | |
<p>BBCode injection vulnerability</p> | |
<h3>Description</h3> | |
<p>A vulnerability was discovered that allows a BBCode | |
injection into the setup script in case it is not accessed over | |
https.</p> | |
<h3>Severity</h3> | |
<p>We consider this to be non-critical.</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-18/"> | |
<h3>Summary</h3> | |
<p>Cookie attribute injection attack</p> | |
<h3>Description</h3> | |
<p>A vulnerability was found where, under some | |
circumstances, an attacker can inject arbitrary values | |
in the browser cookies.</p> | |
<h3>Severity</h3> | |
<p>We consider this to be non-critical.</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-19/"> | |
<h3>Summary</h3> | |
<p>SQL injection attack</p> | |
<h3>Description</h3> | |
<p>A vulnerability was discovered that allows an SQL | |
injection attack to run arbitrary commands as the | |
control user.</p> | |
<h3>Severity</h3> | |
<p>We consider this vulnerability to be serious</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-20/"> | |
<h3>Summary</h3> | |
<p>XSS on table structure page</p> | |
<h3>Description</h3> | |
<p>An XSS vulnerability was discovered on the table | |
structure page</p> | |
<h3>Severity</h3> | |
<p>We consider this to be a serious | |
vulnerability</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-21/"> | |
<h3>Summary</h3> | |
<p>Multiple XSS vulnerabilities</p> | |
<h3>Description</h3> | |
<ul> | |
<li>An XSS vulnerability was discovered on the user | |
privileges page.</li> | |
<li>An XSS vulnerability was discovered in the error | |
console.</li> | |
<li>An XSS vulnerability was discovered in the central | |
columns feature.</li> | |
<li>An XSS vulnerability was discovered in the query | |
bookmarks feature.</li> | |
<li>An XSS vulnerability was discovered in the user groups | |
feature.</li> | |
</ul> | |
<h3>Severity</h3> | |
<p>We consider this to be a serious vulnerability</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-22/"> | |
<h3>Summary</h3> | |
<p>DOS attack</p> | |
<h3>Description</h3> | |
<p>A Denial Of Service (DOS) attack was discovered in | |
the way phpMyAdmin loads some JavaScript files.</p> | |
<h3>Severity</h3> | |
<p>We consider this to be of moderate severity</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-23/"> | |
<h3>Summary</h3> | |
<p>Multiple full path disclosure vulnerabilities</p> | |
<h3>Description</h3> | |
<p>This PMASA contains information on multiple full-path | |
disclosure vulnerabilities reported in phpMyAdmin.</p> | |
<p>By specially crafting requests in the following | |
areas, it is possible to trigger phpMyAdmin to display a | |
PHP error message which contains the full path of the | |
directory where phpMyAdmin is installed.</p> | |
<ol> | |
<li>Setup script</li> | |
<li>Example OpenID authentication script</li> | |
</ol> | |
<h3>Severity</h3> | |
<p>We consider these vulnerabilities to be | |
non-critical.</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-24/"> | |
<h3>Summary</h3> | |
<p>XSS through FPD</p> | |
<h3>Description</h3> | |
<p>With a specially crafted request, it is possible to | |
trigger an XSS attack through the example OpenID | |
authentication script.</p> | |
<h3>Severity</h3> | |
<p>We do not consider this vulnerability to be | |
secure due to the non-standard required PHP setting | |
for html_errors.</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-25/"> | |
<h3>Summary</h3> | |
<p>XSS in partition range functionality</p> | |
<h3>Description</h3> | |
<p>A vulnerability was reported allowing a specially | |
crafted table parameters to cause an XSS attack through | |
the table structure page.</p> | |
<h3>Severity</h3> | |
<p>We consider this vulnerability to be severe.</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-26/"> | |
<h3>Summary</h3> | |
<p>Multiple XSS vulnerabilities</p> | |
<h3>Description</h3> | |
<ul> | |
<li>A vulnerability was reported allowing a specially | |
crafted table name to cause an XSS attack through the | |
functionality to check database privileges. | |
<ul> | |
<li>This XSS doesn't exist in some translations due to | |
different quotes being used there (eg. Czech).</li> | |
</ul> | |
</li> | |
<li>A vulnerability was reported allowing a | |
specifically-configured MySQL server to execute an XSS | |
attack. This particular attack requires configuring the | |
MySQL server log_bin directive with the payload.</li> | |
<li>Several XSS vulnerabilities were found with the | |
Transformation feature</li> | |
<li>Several XSS vulnerabilities were found in AJAX error | |
handling</li> | |
<li>Several XSS vulnerabilities were found in the Designer | |
feature</li> | |
<li>An XSS vulnerability was found in the charts | |
feature</li> | |
<li>An XSS vulnerability was found in the zoom search | |
feature</li> | |
</ul> | |
<h3>Severity</h3> | |
<p>We consider these attacks to be of moderate | |
severity.</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-27/"> | |
<h3>Summary</h3> | |
<p>Unsafe handling of preg_replace parameters</p> | |
<h3>Description</h3> | |
<p>In some versions of PHP, it's possible for an | |
attacker to pass parameters to the | |
<code>preg_replace()</code> function which can allow the | |
execution of arbitrary PHP code. This code is not | |
properly sanitized in phpMyAdmin as part of the table | |
search and replace feature.</p> | |
<h3>Severity</h3> | |
<p>We consider this vulnerability to be of moderate | |
severity.</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-28/"> | |
<h3>Summary</h3> | |
<p>Referrer leak in transformations</p> | |
<h3>Description</h3> | |
<p>A vulnerability was reported where a specially | |
crafted Transformation could be used to leak information | |
including the authentication token. This could be used | |
to direct a CSRF attack against a user.</p> | |
<p>Furthermore, the CSP code used in version 4.0.x is | |
outdated and has been updated to more modern | |
standards.</p> | |
<h3>Severity</h3> | |
<p>We consider this to be of moderate severity</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-17/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-18/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-19/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-20/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-21/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-22/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-23/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-24/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-25/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-26/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-27/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-28/</url> | |
<cvename>CVE-2016-5701</cvename> | |
<cvename>CVE-2016-5702</cvename> | |
<cvename>CVE-2016-5703</cvename> | |
<cvename>CVE-2016-5704</cvename> | |
<cvename>CVE-2016-5705</cvename> | |
<cvename>CVE-2016-5706</cvename> | |
<cvename>CVE-2016-5730</cvename> | |
<cvename>CVE-2016-5731</cvename> | |
<cvename>CVE-2016-5732</cvename> | |
<cvename>CVE-2016-5733</cvename> | |
<cvename>CVE-2016-5734</cvename> | |
<cvename>CVE-2016-5739</cvename> | |
</references> | |
<dates> | |
<discovery>2016-06-23</discovery> | |
<entry>2016-07-01</entry> | |
</dates> | |
</vuln> | |
<vuln vid="f1c219ba-3f14-11e6-b3c8-14dae9d210b8"> | |
<topic>haproxy -- denial of service</topic> | |
<affects> | |
<package> | |
<name>haproxy</name> | |
<range><ge>1.6.0</ge><lt>1.6.5_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>HAproxy reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/06/09/5"> | |
<p>HAproxy 1.6.x before 1.6.6, when a deny comes from a | |
reqdeny rule, allows remote attackers to cause a denial of service | |
(uninitialized memory access and crash) or possibly have unspecified | |
other impact via unknown vectors.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.openwall.com/lists/oss-security/2016/06/09/5</url> | |
<cvename>CVE-2016-5360</cvename> | |
</references> | |
<dates> | |
<discovery>2016-06-09</discovery> | |
<entry>2016-06-30</entry> | |
</dates> | |
</vuln> | |
<vuln vid="093584f2-3f14-11e6-b3c8-14dae9d210b8"> | |
<topic>libtorrent-rasterbar -- denial of service</topic> | |
<affects> | |
<package> | |
<name>libtorrent-rasterbar</name> | |
<range><lt>1.1.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Brandon Perry reports:</p> | |
<blockquote cite="https://github.com/arvidn/libtorrent/issues/780"> | |
<p>The parse_chunk_header function in libtorrent before 1.1.1 | |
allows remote attackers to cause a denial of service (crash) via a | |
crafted (1) HTTP response or possibly a (2) UPnP broadcast.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://github.com/arvidn/libtorrent/issues/780</url> | |
<cvename>CVE-2016-5301</cvename> | |
</references> | |
<dates> | |
<discovery>2016-06-03</discovery> | |
<entry>2016-06-30</entry> | |
</dates> | |
</vuln> | |
<vuln vid="ff76f0e0-3f11-11e6-b3c8-14dae9d210b8"> | |
<topic>expat2 -- denial of service</topic> | |
<affects> | |
<package> | |
<name>expat2</name> | |
<range><lt>2.1.1_2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Adam Maris reports:</p> | |
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=1344251"> | |
<p>It was found that original patch for issues CVE-2015-1283 | |
and CVE-2015-2716 used overflow checks that could be optimized out by | |
some compilers applying certain optimization settings, which can cause | |
the vulnerability to remain even after applying the patch.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1344251</url> | |
<cvename>CVE-2016-4472</cvename> | |
</references> | |
<dates> | |
<discovery>2016-06-09</discovery> | |
<entry>2016-06-30</entry> | |
</dates> | |
</vuln> | |
<vuln vid="875e4cf8-3f0e-11e6-b3c8-14dae9d210b8"> | |
<topic>dnsmasq -- denial of service</topic> | |
<affects> | |
<package> | |
<name>dnsmasq</name> | |
<range><lt>2.76,1</lt></range> | |
</package> | |
<package> | |
<name>dnsmasq-devel</name> | |
<range><lt>2.76.0test1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p> reports:</p> | |
<blockquote cite="http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html"> | |
<p>Dnsmasq before 2.76 allows remote servers to cause a denial | |
of service (crash) via a reply with an empty DNS address that has an (1) | |
A or (2) AAAA record defined locally.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/06/03/7</url> | |
<cvename>CVE-2015-8899</cvename> | |
</references> | |
<dates> | |
<discovery>2016-04-18</discovery> | |
<entry>2016-06-30</entry> | |
<modified>2016-06-30</modified> | |
</dates> | |
</vuln> | |
<vuln vid="a61374fc-3a4d-11e6-a671-60a44ce6887b"> | |
<topic>Python -- HTTP Header Injection in Python urllib</topic> | |
<affects> | |
<package> | |
<name>python27</name> | |
<range><lt>2.7.10</lt></range> | |
</package> | |
<package> | |
<name>python33</name> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>python34</name> | |
<range><lt>3.4.4</lt></range> | |
</package> | |
<package> | |
<name>python35</name> | |
<range><lt>3.5.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Guido Vranken reports:</p> | |
<blockquote cite="https://bugs.python.org/issue22928"> | |
<p>HTTP header injection in urllib2/urllib/httplib/http.client with | |
newlines in header values, where newlines have a semantic consequence of | |
denoting the start of an additional header line.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://bugs.python.org/issue22928</url> | |
<url>http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/06/14/7</url> | |
<cvename>CVE-2016-5699</cvename> | |
</references> | |
<dates> | |
<discovery>2014-11-24</discovery> | |
<entry>2016-06-30</entry> | |
<modified>2016-07-04</modified> | |
</dates> | |
</vuln> | |
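How the injection works and the kind of check the fix introduced, as an added example that is not part of the VuXML entry, the Python bug report or CPython's own code. The two attacker-controlled strings are constructed for the demo; the naive builder mimics the pre-fix behaviour of writing caller-supplied path and header values straight onto the wire, the hardened builder refuses CR, LF and other control bytes, and the last function shows that the running interpreter's http.client rejects such a value when it carries the fix (Python 2.7.10, 3.4.4 and 3.5.0 and later, per the affected ranges above).

```python
import http.client
import re

# Constructed attacker-controlled inputs (assumptions for the demo, not from the advisory).
EVIL_HEADER_VALUE = "sid=abc\r\nX-Injected: 1"
EVIL_PATH = "/ HTTP/1.1\r\nX-Injected-Path: 1\r\nGET /x"

_CTL = re.compile(r"[\x00-\x1f\x7f]")                 # CR, LF, NUL and the other C0 controls
_VALUE_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")  # same, but a header value may hold TAB


def build_request_naive(method, path, headers):
    """Vulnerable: the caller's path and header values are serialised as-is, which is what
    urllib/httplib did before the fix. A CRLF in either starts a new line that the server
    reads as a header of its own."""
    lines = ["%s %s HTTP/1.1" % (method, path)]
    lines.extend("%s: %s" % (name, value) for name, value in headers.items())
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def build_request_hardened(method, path, headers):
    """Same wire format, but control bytes (and a space in the request target) are refused
    before serialisation, so nothing the caller passes can terminate a line early."""
    if " " in path or _CTL.search(path):
        raise ValueError("illegal character in request target %r" % path)
    for name, value in headers.items():
        if " " in name or ":" in name or _CTL.search(name):
            raise ValueError("illegal header name %r" % name)
        if _VALUE_CTL.search(value):
            raise ValueError("illegal header value for %s" % name)
    return build_request_naive(method, path, headers)


def header_names(raw):
    """Read the header block of a raw request the way a server does and return the
    lower-cased header names in order, i.e. which headers actually reached the wire."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    names = []
    for line in head.split("\r\n")[1:]:       # skip the request line
        if ":" in line:
            names.append(line.split(":", 1)[0].strip().lower())
    return names


def stdlib_rejects(value):
    """True if this interpreter's http.client refuses the header value, i.e. it carries
    the fix for CVE-2016-5699. Nothing is sent: putrequest/putheader only buffer."""
    conn = http.client.HTTPConnection("example.test")
    conn.putrequest("GET", "/")
    try:
        conn.putheader("Cookie", value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    raw = build_request_naive("GET", "/search", {"Host": "example.test", "Cookie": EVIL_HEADER_VALUE})
    print(header_names(raw))                     # ['host', 'cookie', 'x-injected']
    raw = build_request_naive("GET", EVIL_PATH, {"Host": "example.test"})
    print(header_names(raw))                     # ['x-injected-path', 'host']
    try:
        build_request_hardened("GET", "/search", {"Host": "example.test", "Cookie": EVIL_HEADER_VALUE})
    except ValueError as exc:
        print("hardened builder refused:", exc)
    print("stdlib rejects it:", stdlib_rejects(EVIL_HEADER_VALUE))   # True on a fixed Python
```

The path vector matters as much as the header one: a URL assembled from user input ends up in the request line, so the same control-byte check has to cover the request target, not just header values.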
<vuln vid="0ca24682-3f03-11e6-b3c8-14dae9d210b8"> | |
<topic>openssl -- denial of service</topic> | |
<affects> | |
<package> | |
<name>openssl</name> | |
<range><lt>1.0.2_14</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mitre reports:</p> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177"> | |
<p>OpenSSL through 1.0.2h incorrectly uses pointer arithmetic | |
for heap-buffer boundary checks, which might allow remote attackers to | |
cause a denial of service (integer overflow and application crash) or | |
possibly have unspecified other impact by leveraging unexpected malloc | |
behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177</url> | |
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1341705</url> | |
<url>https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/</url> | |
<cvename>CVE-2016-2177</cvename> | |
</references> | |
<dates> | |
<discovery>2016-06-01</discovery> | |
<entry>2016-06-30</entry> | |
</dates> | |
</vuln> | |
<vuln vid="cbceeb49-3bc7-11e6-8e82-002590263bf5"> | |
<topic>tomcat -- remote DoS in the Apache Commons FileUpload component</topic> | |
<affects> | |
<package> | |
<name>tomcat7</name> | |
<range><lt>7.0.70</lt></range> | |
</package> | |
<package> | |
<name>tomcat8</name> | |
<range><lt>8.0.36</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mark Thomas reports:</p> | |
<blockquote cite="http://mail-archives.apache.org/mod_mbox/tomcat-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832%40apache.org%3E"> | |
<p>CVE-2016-3092 is a denial of service vulnerability that has been | |
corrected in the Apache Commons FileUpload component. It occurred | |
when the length of the multipart boundary was just below the size of | |
the buffer (4096 bytes) used to read the uploaded file. This caused | |
the file upload process to take several orders of magnitude longer | |
than if the boundary length was the typical tens of bytes.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-3092</cvename> | |
<freebsdpr>ports/209669</freebsdpr> | |
<url>http://tomcat.apache.org/security-7.html</url> | |
<url>http://tomcat.apache.org/security-8.html</url> | |
<url>http://mail-archives.apache.org/mod_mbox/tomcat-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832%40apache.org%3E</url> | |
</references> | |
<dates> | |
<discovery>2016-06-20</discovery> | |
<entry>2016-06-26</entry> | |
</dates> | |
</vuln> | |
<vuln vid="bfcc23b6-3b27-11e6-8e82-002590263bf5"> | |
<topic>wordpress -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>wordpress</name> | |
<range><lt>4.5.3,1</lt></range> | |
</package> | |
<package> | |
<name>de-wordpress</name> | |
<name>ja-wordpress</name> | |
<name>ru-wordpress</name> | |
<name>zh-wordpress-zh_CN</name> | |
<name>zh-wordpress-zh_TW</name> | |
<range><lt>4.5.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Adam Silverstein reports:</p> | |
<blockquote cite="https://wordpress.org/news/2016/06/wordpress-4-5-3/"> | |
<p>WordPress 4.5.3 is now available. This is a security release for | |
all previous versions and we strongly encourage you to update your | |
sites immediately.</p> | |
<p>WordPress versions 4.5.2 and earlier are affected by several | |
security issues: redirect bypass in the customizer, reported by | |
Yassine Aboukir; two different XSS problems via attachment names, | |
reported by Jouko Pynnönen and Divyesh Prajapati; revision history | |
information disclosure, reported independently by John Blackbourn | |
from the WordPress security team and by Dan Moen from the Wordfence | |
Research Team; oEmbed denial of service reported by Jennifer Dodd | |
from Automattic; unauthorized category removal from a post, reported | |
by David Herrera from Alley Interactive; password change via stolen | |
cookie, reported by Michael Adams from the WordPress security team; | |
and some less secure sanitize_file_name edge cases reported by Peter | |
Westwood of the WordPress security team.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-5832</cvename> | |
<cvename>CVE-2016-5833</cvename> | |
<cvename>CVE-2016-5834</cvename> | |
<cvename>CVE-2016-5835</cvename> | |
<cvename>CVE-2016-5836</cvename> | |
<cvename>CVE-2016-5837</cvename> | |
<cvename>CVE-2016-5838</cvename> | |
<cvename>CVE-2016-5839</cvename> | |
<freebsdpr>ports/210480</freebsdpr> | |
<freebsdpr>ports/210581</freebsdpr> | |
<url>https://wordpress.org/news/2016/06/wordpress-4-5-3/</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/06/23/9</url> | |
</references> | |
<dates> | |
<discovery>2016-06-18</discovery> | |
<entry>2016-06-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="66d77c58-3b1d-11e6-8e82-002590263bf5"> | |
<topic>php -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>php55</name> | |
<name>php55-gd</name> | |
<name>php55-mbstring</name> | |
<name>php55-wddx</name> | |
<name>php55-zip</name> | |
<range><lt>5.5.37</lt></range> | |
</package> | |
<package> | |
<name>php56</name> | |
<name>php56-gd</name> | |
<name>php56-mbstring</name> | |
<name>php56-phar</name> | |
<name>php56-wddx</name> | |
<name>php56-zip</name> | |
<range><lt>5.6.23</lt></range> | |
</package> | |
<package> | |
<name>php70</name> | |
<name>php70-gd</name> | |
<name>php70-mbstring</name> | |
<name>php70-phar</name> | |
<name>php70-wddx</name> | |
<name>php70-zip</name> | |
<range><lt>7.0.8</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The PHP Group reports:</p> | |
<blockquote cite="http://php.net/ChangeLog-5.php#5.5.37"> | |
<ul><li>Core: | |
<ul> | |
<li>Fixed bug #72268 (Integer Overflow in nl2br())</li> | |
<li>Fixed bug #72275 (Integer Overflow in json_encode()/ | |
json_decode()/ json_utf8_to_utf16())</li> | |
<li>Fixed bug #72400 (Integer Overflow in addcslashes/ | |
addslashes)</li> | |
<li>Fixed bug #72403 (Integer Overflow in Length of String-typed | |
ZVAL)</li> | |
</ul></li> | |
<li>GD: | |
<ul> | |
<li>Fixed bug #66387 (Stack overflow with imagefilltoborder) | |
(CVE-2015-8874)</li> | |
<li>Fixed bug #72298 (pass2_no_dither out-of-bounds access)</li> | |
<li>Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting | |
in heap overflow) (CVE-2016-5766)</li> | |
<li>Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert)</li> | |
<li>Fixed bug #72446 (Integer Overflow in | |
gdImagePaletteToTrueColor() resulting in heap overflow) | |
(CVE-2016-5767)</li> | |
</ul></li> | |
<li>mbstring: | |
<ul> | |
<li>Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free) | |
(CVE-2016-5768)</li> | |
</ul></li> | |
<li>mcrypt: | |
<ul> | |
<li>Fixed bug #72455 (Heap Overflow due to integer overflows) | |
(CVE-2016-5769)</li> | |
</ul></li> | |
<li>Phar: | |
<ul> | |
<li>Fixed bug #72321 (invalid free in phar_extract_file()). (PHP | |
5.6/7.0 only)</li> | |
</ul></li> | |
<li>SPL: | |
<ul> | |
<li>Fixed bug #72262 (int/size_t confusion in SplFileObject::fread) | |
(CVE-2016-5770)</li> | |
<li>Fixed bug #72433 (Use After Free Vulnerability in PHP's GC | |
algorithm and unserialize) (CVE-2016-5771)</li> | |
</ul></li> | |
<li>WDDX: | |
<ul> | |
<li>Fixed bug #72340 (Double Free Corruption in wddx_deserialize) | |
(CVE-2016-5772)</li> | |
</ul></li> | |
<li>zip: | |
<ul> | |
<li>Fixed bug #72434 (ZipArchive class Use After Free Vulnerability | |
in PHP's GC algorithm and unserialize). (CVE-2016-5773)</li> | |
</ul></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8874</cvename> | |
<cvename>CVE-2016-5766</cvename> | |
<cvename>CVE-2016-5767</cvename> | |
<cvename>CVE-2016-5768</cvename> | |
<cvename>CVE-2016-5769</cvename> | |
<cvename>CVE-2016-5770</cvename> | |
<cvename>CVE-2016-5771</cvename> | |
<cvename>CVE-2016-5772</cvename> | |
<cvename>CVE-2016-5773</cvename> | |
<freebsdpr>ports/210491</freebsdpr> | |
<freebsdpr>ports/210502</freebsdpr> | |
<url>http://php.net/ChangeLog-5.php#5.5.37</url> | |
<url>http://php.net/ChangeLog-5.php#5.6.23</url> | |
<url>http://php.net/ChangeLog-7.php#7.0.8</url> | |
</references> | |
<dates> | |
<discovery>2016-06-23</discovery> | |
<entry>2016-06-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="4a0d9b53-395d-11e6-b3c8-14dae9d210b8"> | |
<topic>libarchive -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>libarchive</name> | |
<range><lt>3.2.1,1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Hanno Böck and Cisco Talos report:</p> | |
<blockquote cite="http://openwall.com/lists/oss-security/2016/06/23/6"> | |
<ul> | |
<li><p>Out of bounds heap read in RAR parser</p></li> | |
<li><p>Signed integer overflow in ISO parser</p></li> | |
<li><p>TALOS-2016-0152 [CVE-2016-4300]: 7-Zip | |
read_SubStreamsInfo Integer Overflow</p></li> | |
<li><p>TALOS-2016-0153 [CVE-2016-4301]: mtree parse_device Stack | |
Based Buffer Overflow</p></li> | |
<li><p>TALOS-2016-0154 [CVE-2016-4302]: Libarchive Rar RestartModel | |
Heap Overflow</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://openwall.com/lists/oss-security/2016/06/23/6</url> | |
<url>https://github.com/libarchive/libarchive/issues/521</url> | |
<url>https://github.com/libarchive/libarchive/issues/717#event-697151157</url> | |
<url>http://blog.talosintel.com/2016/06/the-poisoned-archives.html</url> | |
<cvename>CVE-2015-8934</cvename> | |
<cvename>CVE-2016-4300</cvename> | |
<cvename>CVE-2016-4301</cvename> | |
<cvename>CVE-2016-4302</cvename> | |
</references> | |
<dates> | |
<discovery>2016-06-23</discovery> | |
<entry>2016-06-23</entry> | |
</dates> | |
</vuln> | |
<vuln vid="22775cdd-395a-11e6-b3c8-14dae9d210b8"> | |
<topic>piwik -- XSS vulnerability</topic> | |
<affects> | |
<package> | |
<name>piwik</name> | |
<range><lt>2.16.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Piwik reports:</p> | |
<blockquote cite="http://piwik.org/changelog/piwik-2-16-1/"> | |
<p>The Piwik Security team is grateful for the responsible | |
disclosures by our security researchers: Egidio Romano (granted a | |
critical security bounty), James Kettle and Paweł Bartunek (XSS) and | |
Emanuel Bronshtein (limited XSS).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://piwik.org/changelog/piwik-2-16-1/</url> | |
</references> | |
<dates> | |
<discovery>2016-04-11</discovery> | |
<entry>2016-06-23</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6df56c60-3738-11e6-a671-60a44ce6887b"> | |
<topic>wget -- HTTP to FTP redirection file name confusion vulnerability</topic> | |
<affects> | |
<package> | |
<name>wget</name> | |
<range><lt>1.18</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Giuseppe Scrivano reports:</p> | |
<blockquote cite="http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html"> | |
<p>On a server redirect from HTTP to an FTP resource, wget would trust the | |
HTTP server and use the name in the redirected URL as the destination | |
filename.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html</url> | |
<cvename>CVE-2016-4971</cvename> | |
</references> | |
<dates> | |
<discovery>2016-06-09</discovery> | |
<entry>2016-06-21</entry> | |
</dates> | |
</vuln> | |
<vuln vid="1a2aa04f-3718-11e6-b3c8-14dae9d210b8"> | |
<topic>libxslt -- Denial of Service</topic> | |
<affects> | |
<package> | |
<name>libxslt</name> | |
<range><lt>1.1.29</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Google reports:</p> | |
<blockquote cite="http://seclists.org/bugtraq/2016/Jun/81"> | |
<ul> | |
<li>[583156] Medium CVE-2016-1683: Out-of-bounds access in libxslt. | |
Credit to Nicolas Gregoire.</li> | |
<li>[583171] Medium CVE-2016-1684: Integer overflow in libxslt. | |
Credit to Nicolas Gregoire.</li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://googlechromereleases.blogspot.com/2016/05/stable-channel-update_25.html</url> | |
<cvename>CVE-2016-1683</cvename> | |
<cvename>CVE-2016-1684</cvename> | |
</references> | |
<dates> | |
<discovery>2016-05-25</discovery> | |
<entry>2016-06-20</entry> | |
</dates> | |
</vuln> | |
<vuln vid="0e3dfdde-35c4-11e6-8e82-002590263bf5"> | |
<topic>flash -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>linux-c6-flashplugin</name> | |
<name>linux-c6_64-flashplugin</name> | |
<name>linux-f10-flashplugin</name> | |
<range><lt>11.2r202.626</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Adobe reports:</p> | |
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-18.html"> | |
<p>These updates resolve type confusion vulnerabilities that could | |
lead to code execution (CVE-2016-4144, CVE-2016-4149).</p> | |
<p>These updates resolve use-after-free vulnerabilities that could | |
lead to code execution (CVE-2016-4142, CVE-2016-4143, CVE-2016-4145, | |
CVE-2016-4146, CVE-2016-4147, CVE-2016-4148).</p> | |
<p>These updates resolve heap buffer overflow vulnerabilities that | |
could lead to code execution (CVE-2016-4135, CVE-2016-4136, | |
CVE-2016-4138).</p> | |
<p>These updates resolve memory corruption vulnerabilities that could | |
lead to code execution (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, | |
CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, | |
CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, | |
CVE-2016-4134, CVE-2016-4137, CVE-2016-4141, CVE-2016-4150, | |
CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, | |
CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171).</p> | |
<p>These updates resolve a vulnerability in the directory search path | |
used to find resources that could lead to code execution | |
(CVE-2016-4140).</p> | |
<p>These updates resolve a vulnerability that could be exploited to | |
bypass the same-origin-policy and lead to information disclosure | |
(CVE-2016-4139).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4122</cvename> | |
<cvename>CVE-2016-4123</cvename> | |
<cvename>CVE-2016-4124</cvename> | |
<cvename>CVE-2016-4125</cvename> | |
<cvename>CVE-2016-4127</cvename> | |
<cvename>CVE-2016-4128</cvename> | |
<cvename>CVE-2016-4129</cvename> | |
<cvename>CVE-2016-4130</cvename> | |
<cvename>CVE-2016-4131</cvename> | |
<cvename>CVE-2016-4132</cvename> | |
<cvename>CVE-2016-4133</cvename> | |
<cvename>CVE-2016-4134</cvename> | |
<cvename>CVE-2016-4135</cvename> | |
<cvename>CVE-2016-4136</cvename> | |
<cvename>CVE-2016-4137</cvename> | |
<cvename>CVE-2016-4138</cvename> | |
<cvename>CVE-2016-4139</cvename> | |
<cvename>CVE-2016-4140</cvename> | |
<cvename>CVE-2016-4141</cvename> | |
<cvename>CVE-2016-4142</cvename> | |
<cvename>CVE-2016-4143</cvename> | |
<cvename>CVE-2016-4144</cvename> | |
<cvename>CVE-2016-4145</cvename> | |
<cvename>CVE-2016-4146</cvename> | |
<cvename>CVE-2016-4147</cvename> | |
<cvename>CVE-2016-4148</cvename> | |
<cvename>CVE-2016-4149</cvename> | |
<cvename>CVE-2016-4150</cvename> | |
<cvename>CVE-2016-4151</cvename> | |
<cvename>CVE-2016-4152</cvename> | |
<cvename>CVE-2016-4153</cvename> | |
<cvename>CVE-2016-4154</cvename> | |
<cvename>CVE-2016-4155</cvename> | |
<cvename>CVE-2016-4156</cvename> | |
<cvename>CVE-2016-4166</cvename> | |
<cvename>CVE-2016-4171</cvename> | |
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-18.html</url> | |
</references> | |
<dates> | |
<discovery>2016-06-16</discovery> | |
<entry>2016-06-19</entry> | |
</dates> | |
</vuln> | |
<vuln vid="0c6b008d-35c4-11e6-8e82-002590263bf5"> | |
<topic>flash -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>linux-c6-flashplugin</name> | |
<name>linux-c6_64-flashplugin</name> | |
<name>linux-f10-flashplugin</name> | |
<range><lt>11.2r202.621</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Adobe reports:</p> | |
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-15.html"> | |
<p>These updates resolve type confusion vulnerabilities that could | |
lead to code execution (CVE-2016-1105, CVE-2016-4117).</p> | |
<p>These updates resolve use-after-free vulnerabilities that could | |
lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, | |
CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, | |
CVE-2016-4110, CVE-2016-4121).</p> | |
<p>These updates resolve a heap buffer overflow vulnerability that | |
could lead to code execution (CVE-2016-1101).</p> | |
<p>These updates resolve a buffer overflow vulnerability that could | |
lead to code execution (CVE-2016-1103).</p> | |
<p>These updates resolve memory corruption vulnerabilities that could | |
lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, | |
CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, | |
CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, | |
CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161, | |
CVE-2016-4162, CVE-2016-4163).</p> | |
<p>These updates resolve a vulnerability in the directory search path | |
used to find resources that could lead to code execution | |
(CVE-2016-4116).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1096</cvename> | |
<cvename>CVE-2016-1097</cvename> | |
<cvename>CVE-2016-1098</cvename> | |
<cvename>CVE-2016-1099</cvename> | |
<cvename>CVE-2016-1100</cvename> | |
<cvename>CVE-2016-1101</cvename> | |
<cvename>CVE-2016-1102</cvename> | |
<cvename>CVE-2016-1103</cvename> | |
<cvename>CVE-2016-1104</cvename> | |
<cvename>CVE-2016-1105</cvename> | |
<cvename>CVE-2016-1106</cvename> | |
<cvename>CVE-2016-1107</cvename> | |
<cvename>CVE-2016-1108</cvename> | |
<cvename>CVE-2016-1109</cvename> | |
<cvename>CVE-2016-1110</cvename> | |
<cvename>CVE-2016-4108</cvename> | |
<cvename>CVE-2016-4109</cvename> | |
<cvename>CVE-2016-4110</cvename> | |
<cvename>CVE-2016-4111</cvename> | |
<cvename>CVE-2016-4112</cvename> | |
<cvename>CVE-2016-4113</cvename> | |
<cvename>CVE-2016-4114</cvename> | |
<cvename>CVE-2016-4115</cvename> | |
<cvename>CVE-2016-4116</cvename> | |
<cvename>CVE-2016-4117</cvename> | |
<cvename>CVE-2016-4120</cvename> | |
<cvename>CVE-2016-4121</cvename> | |
<cvename>CVE-2016-4160</cvename> | |
<cvename>CVE-2016-4161</cvename> | |
<cvename>CVE-2016-4162</cvename> | |
<cvename>CVE-2016-4163</cvename> | |
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-15.html</url> | |
</references> | |
<dates> | |
<discovery>2016-05-12</discovery> | |
<entry>2016-06-19</entry> | |
</dates> | |
</vuln> | |
<vuln vid="07888b49-35c4-11e6-8e82-002590263bf5"> | |
<topic>flash -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>linux-c6-flashplugin</name> | |
<name>linux-c6_64-flashplugin</name> | |
<name>linux-f10-flashplugin</name> | |
<range><lt>11.2r202.616</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Adobe reports:</p> | |
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-10.html"> | |
<p>These updates harden a mitigation against JIT spraying attacks that | |
could be used to bypass memory layout randomization mitigations | |
(CVE-2016-1006).</p> | |
<p>These updates resolve type confusion vulnerabilities that could | |
lead to code execution (CVE-2016-1015, CVE-2016-1019).</p> | |
<p>These updates resolve use-after-free vulnerabilities that could | |
lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, | |
CVE-2016-1017, CVE-2016-1031).</p> | |
<p>These updates resolve memory corruption vulnerabilities that could | |
lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, | |
CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, | |
CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, | |
CVE-2016-1032, CVE-2016-1033).</p> | |
<p>These updates resolve a stack overflow vulnerability that could | |
lead to code execution (CVE-2016-1018).</p> | |
<p>These updates resolve a security bypass vulnerability | |
(CVE-2016-1030).</p> | |
<p>These updates resolve a vulnerability in the directory search path | |
used to find resources that could lead to code execution | |
(CVE-2016-1014).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1006</cvename> | |
<cvename>CVE-2016-1011</cvename> | |
<cvename>CVE-2016-1012</cvename> | |
<cvename>CVE-2016-1013</cvename> | |
<cvename>CVE-2016-1014</cvename> | |
<cvename>CVE-2016-1015</cvename> | |
<cvename>CVE-2016-1016</cvename> | |
<cvename>CVE-2016-1017</cvename> | |
<cvename>CVE-2016-1018</cvename> | |
<cvename>CVE-2016-1019</cvename> | |
<cvename>CVE-2016-1020</cvename> | |
<cvename>CVE-2016-1021</cvename> | |
<cvename>CVE-2016-1022</cvename> | |
<cvename>CVE-2016-1023</cvename> | |
<cvename>CVE-2016-1024</cvename> | |
<cvename>CVE-2016-1025</cvename> | |
<cvename>CVE-2016-1026</cvename> | |
<cvename>CVE-2016-1027</cvename> | |
<cvename>CVE-2016-1028</cvename> | |
<cvename>CVE-2016-1029</cvename> | |
<cvename>CVE-2016-1030</cvename> | |
<cvename>CVE-2016-1031</cvename> | |
<cvename>CVE-2016-1032</cvename> | |
<cvename>CVE-2016-1033</cvename> | |
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-10.html</url> | |
</references> | |
<dates> | |
<discovery>2016-04-07</discovery> | |
<entry>2016-06-19</entry> | |
</dates> | |
</vuln> | |
<vuln vid="d59ebed4-34be-11e6-be25-3065ec8fd3ec"> | |
<topic>chromium -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>chromium</name> | |
<name>chromium-npapi</name> | |
<name>chromium-pulse</name> | |
<range><lt>51.0.2704.103</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Google Chrome Releases reports:</p> | |
<blockquote cite="https://googlechromereleases.blogspot.nl/2016/06/stable-channel-update_16.html"> | |
<p>3 security fixes in this release, including:</p> | |
<ul> | |
<li>[620742] CVE-2016-1704: Various fixes from internal audits, | |
fuzzing and other initiatives.</li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1704</cvename> | |
<url>https://googlechromereleases.blogspot.nl/2016/06/stable-channel-update_16.html</url> | |
</references> | |
<dates> | |
<discovery>2016-06-16</discovery> | |
<entry>2016-06-17</entry> | |
</dates> | |
</vuln> | |
<vuln vid="1d0f6852-33d8-11e6-a671-60a44ce6887b"> | |
<topic>Python -- Integer overflow in zipimport module</topic> | |
<affects> | |
<package> | |
<name>python35</name> | |
<range><lt>3.5.1_3</lt></range> | |
</package> | |
<package> | |
<name>python34</name> | |
<range><lt>3.4.4_3</lt></range> | |
</package> | |
<package> | |
<name>python33</name> | |
<range><lt>3.3.6_5</lt></range> | |
</package> | |
<package> | |
<name>python27</name> | |
<range><lt>2.7.11_3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Python reports:</p> | |
<blockquote cite="http://bugs.python.org/issue26171"> | |
<p>Possible integer overflow and heap corruption in | |
zipimporter.get_data()</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://bugs.python.org/issue26171</url> | |
<cvename>CVE-2016-5636</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-21</discovery> | |
<entry>2016-06-17</entry> | |
</dates> | |
</vuln> | |
<vuln vid="7932548e-3427-11e6-8e82-002590263bf5"> | |
<topic>drupal -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>drupal7</name> | |
<range><lt>7.44</lt></range> | |
</package> | |
<package> | |
<name>drupal8</name> | |
<range><lt>8.1.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Drupal Security Team reports:</p> | |
<blockquote cite="https://www.drupal.org/SA-CORE-2016-002"> | |
<ul> | |
<li><p>Saving user accounts can sometimes grant the user all roles | |
(User module - Drupal 7 - Moderately Critical)</p></li> | |
<li><p>Views can allow unauthorized users to see Statistics | |
information (Views module - Drupal 8 - Less Critical)</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-6211</cvename> | |
<cvename>CVE-2016-6212</cvename> | |
<url>https://www.drupal.org/SA-CORE-2016-002</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/07/13/7</url> | |
</references> | |
<dates> | |
<discovery>2016-06-15</discovery> | |
<entry>2016-06-17</entry> | |
<modified>2016-07-16</modified> | |
</dates> | |
</vuln> | |
<vuln vid="ac0900df-31d0-11e6-8e82-002590263bf5"> | |
<topic>botan -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>botan110</name> | |
<range><lt>1.10.13</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Jack Lloyd reports:</p> | |
<blockquote cite="https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html"> | |
<p>Botan 1.10.13 has been released backporting some side channel | |
protections for ECDSA signatures (CVE-2016-2849) and PKCS #1 RSA | |
decryption (CVE-2015-7827).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2849</cvename> | |
<cvename>CVE-2015-7827</cvename> | |
<url>https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html</url> | |
</references> | |
<dates> | |
<discovery>2016-04-28</discovery> | |
<entry>2016-06-14</entry> | |
</dates> | |
</vuln> | |
<vuln vid="f771880c-31cf-11e6-8e82-002590263bf5"> | |
<topic>botan -- cryptographic vulnerability</topic> | |
<affects> | |
<package> | |
<name>botan110</name> | |
<range><lt>1.10.8</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>MITRE reports:</p> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9742"> | |
<p>The Miller-Rabin primality check in Botan before 1.10.8 and 1.11.x | |
before 1.11.9 improperly uses a single random base, which makes it | |
easier for remote attackers to defeat cryptographic protection | |
mechanisms via a DH group.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2014-9742</cvename> | |
</references> | |
<dates> | |
<discovery>2014-04-11</discovery> | |
<entry>2016-06-14</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6d402857-2fba-11e6-9f31-5404a68ad561"> | |
<topic>VLC -- Possibly remote code execution via crafted file</topic> | |
<affects> | |
<package> | |
<name>vlc</name> | |
<range><lt>2.2.4,4</lt></range> | |
</package> | |
<package> | |
<name>vlc-qt4</name> | |
<range><lt>2.2.4,4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The VLC project reports:</p> | |
<blockquote cite="https://www.videolan.org/developers/vlc-branch/NEWS"> | |
<p>Fix out-of-bound write in adpcm QT IMA codec (CVE-2016-5108)</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-5108</cvename> | |
</references> | |
<dates> | |
<discovery>2016-05-25</discovery> | |
<entry>2016-06-11</entry> | |
</dates> | |
</vuln> | |
<vuln vid="97e86d10-2ea7-11e6-ae88-002590263bf5"> | |
<topic>roundcube -- XSS vulnerability</topic> | |
<affects> | |
<package> | |
<name>roundcube</name> | |
<range><lt>1.1.5_1,1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Roundcube reports:</p> | |
<blockquote cite="https://github.com/roundcube/roundcubemail/wiki/Changelog"> | |
<p>Fix XSS issue in href attribute on area tag (#5240).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-5103</cvename> | |
<freebsdpr>ports/209841</freebsdpr> | |
<url>https://github.com/roundcube/roundcubemail/issues/5240</url> | |
<url>http://seclists.org/oss-sec/2016/q2/414</url> | |
</references> | |
<dates> | |
<discovery>2016-05-06</discovery> | |
<entry>2016-06-10</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6f0529e2-2e82-11e6-b2ec-b499baebfeaf"> | |
<topic>OpenSSL -- vulnerability in DSA signing</topic> | |
<affects> | |
<package> | |
<name>openssl</name> | |
<range><lt>1.0.2_13</lt></range> | |
</package> | |
<package> | |
<name>openssl-devel</name> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>libressl</name> | |
<range><lt>2.2.9</lt></range> | |
<range><ge>2.3.0</ge><lt>2.3.6</lt></range> | |
</package> | |
<package> | |
<name>libressl-devel</name> | |
<range><lt>2.4.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The OpenSSL team reports:</p> | |
<blockquote cite="https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2"> | |
<p>Operations in the DSA signing algorithm should run in constant time | |
in order to avoid side channel attacks. A flaw in the OpenSSL DSA | |
implementation means that a non-constant time codepath is followed for | |
certain operations. This has been demonstrated through a cache-timing | |
attack to be sufficient for an attacker to recover the private DSA key. | |
</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2</url> | |
<cvename>CVE-2016-2178</cvename> | |
</references> | |
<dates> | |
<discovery>2016-06-09</discovery> | |
<entry>2016-06-09</entry> | |
<modified>2016-06-19</modified> | |
</dates> | |
</vuln> | |
<vuln vid="c9c252f5-2def-11e6-ae88-002590263bf5"> | |
<topic>expat -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>expat</name> | |
<range><lt>2.1.1_1</lt></range> | |
</package> | |
<package> | |
<name>linux-c6-expat</name> | |
<name>linux-f10-expat</name> | |
<range><ge>0</ge></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Sebastian Pipping reports:</p> | |
<blockquote cite="https://sourceforge.net/p/expat/code_git/ci/07cc2fcacf81b32b2e06aa918df51756525240c0/"> | |
<p>CVE-2012-6702 -- Resolve troublesome internal call to srand that | |
was introduced with Expat 2.1.0 when addressing CVE-2012-0876 | |
(issue #496)</p> | |
<p>CVE-2016-5300 -- Use more entropy for hash initialization than the | |
original fix to CVE-2012-0876.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2012-6702</cvename> | |
<cvename>CVE-2016-5300</cvename> | |
<freebsdpr>ports/210155</freebsdpr> | |
<url>https://sourceforge.net/p/expat/code_git/ci/07cc2fcacf81b32b2e06aa918df51756525240c0/</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/03/18/3</url> | |
</references> | |
<dates> | |
<discovery>2016-03-18</discovery> | |
<entry>2016-06-09</entry> | |
</dates> | |
</vuln> | |
<vuln vid="d6bbf2d8-2cfc-11e6-800b-080027468580"> | |
<topic>iperf3 -- buffer overflow</topic> | |
<affects> | |
<package> | |
<name>iperf3</name> | |
<range><ge>3.1</ge><lt>3.1.3</lt></range> | |
<range><ge>3.0</ge><lt>3.0.12</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ESnet reports:</p> | |
<blockquote cite="https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc"> | |
<p>A malicious process can connect to an iperf3 server and, | |
by sending a malformed message on the control channel, | |
corrupt the server process's heap area. This can lead to a | |
crash (and a denial of service), or theoretically a remote | |
code execution as the user running the iperf3 server. A | |
malicious iperf3 server could potentially mount a similar | |
attack on an iperf3 client. | |
</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4303</cvename> | |
<url>https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc</url> | |
</references> | |
<dates> | |
<discovery>2016-06-08</discovery> | |
<entry>2016-06-08</entry> | |
</dates> | |
</vuln> | |
<vuln vid="9c196cfd-2ccc-11e6-94b0-0011d823eebd"> | |
<topic>gnutls -- file overwrite by setuid programs</topic> | |
<affects> | |
<package> | |
<name>gnutls</name> | |
<range><ge>3.4.12</ge><lt>3.4.13</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>gnutls.org reports:</p> | |
<blockquote cite="https://gnutls.org/security.html#GNUTLS-SA-2016-1"> | |
<p>Setuid programs using GnuTLS 3.4.12 could potentially allow an | |
attacker to overwrite and corrupt arbitrary files in the | |
filesystem.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://gnutls.org/security.html#GNUTLS-SA-2016-1</url> | |
</references> | |
<dates> | |
<discovery>2016-06-06</discovery> | |
<entry>2016-06-07</entry> | |
</dates> | |
</vuln> | |
<vuln vid="32166082-53fa-41fa-b081-207e7a989a0a"> | |
<topic>NSS -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>nss</name> | |
<name>linux-c6-nss</name> | |
<range><ge>3.22</ge><lt>3.23</lt></range> | |
</package> | |
<package> | |
<name>linux-seamonkey</name> | |
<range><lt>2.44</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mozilla Foundation reports:</p> | |
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-61/"> | |
<p>Mozilla has updated the version of Network Security | |
Services (NSS) library used in Firefox to NSS 3.23. This | |
addresses four moderate rated networking security issues | |
reported by Mozilla engineers Tyson Smith and Jed Davis.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2834</cvename> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-61/</url> | |
<url>https://hg.mozilla.org/projects/nss/rev/1ba7cd83c672</url> | |
<url>https://hg.mozilla.org/projects/nss/rev/8d78a5ae260a</url> | |
<url>https://hg.mozilla.org/projects/nss/rev/5fde729fdbff</url> | |
<url>https://hg.mozilla.org/projects/nss/rev/329932eb1700</url> | |
</references> | |
<dates> | |
<discovery>2016-06-07</discovery> | |
<entry>2016-06-07</entry> | |
<modified>2016-06-10</modified> | |
</dates> | |
</vuln> | |
<vuln vid="8065d37b-8e7c-4707-a608-1b0a2b8509c3"> | |
<topic>mozilla -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>firefox</name> | |
<range><lt>47.0,1</lt></range> | |
</package> | |
<package> | |
<name>seamonkey</name> | |
<name>linux-seamonkey</name> | |
<range><lt>2.44</lt></range> | |
</package> | |
<package> | |
<name>firefox-esr</name> | |
<range><lt>45.2.0,1</lt></range> | |
</package> | |
<package> | |
<name>linux-firefox</name> | |
<range><lt>45.2.0,2</lt></range> | |
</package> | |
<package> | |
<name>libxul</name> | |
<name>thunderbird</name> | |
<name>linux-thunderbird</name> | |
<range><lt>45.2.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mozilla Foundation reports:</p> | |
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox47"> | |
<p>MFSA 2016-49 Miscellaneous memory safety hazards (rv:47.0 / | |
rv:45.2)</p> | |
<p>MFSA 2016-50 Buffer overflow parsing HTML5 fragments</p> | |
<p>MFSA 2016-51 Use-after-free deleting tables from a | |
contenteditable document</p> | |
	    <p>MFSA 2016-52 Addressbar spoofing through the SELECT element</p>
<p>MFSA 2016-54 Partial same-origin-policy through setting | |
location.host through data URI</p> | |
<p>MFSA 2016-56 Use-after-free when textures are used in WebGL | |
operations after recycle pool destruction</p> | |
<p>MFSA 2016-57 Incorrect icon displayed on permissions | |
notifications</p> | |
<p>MFSA 2016-58 Entering fullscreen and persistent pointerlock | |
without user permission</p> | |
<p>MFSA 2016-59 Information disclosure of disabled plugins | |
through CSS pseudo-classes</p> | |
<p>MFSA 2016-60 Java applets bypass CSP protections</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2815</cvename> | |
<cvename>CVE-2016-2818</cvename> | |
<cvename>CVE-2016-2819</cvename> | |
<cvename>CVE-2016-2821</cvename> | |
<cvename>CVE-2016-2822</cvename> | |
<cvename>CVE-2016-2825</cvename> | |
<cvename>CVE-2016-2828</cvename> | |
<cvename>CVE-2016-2829</cvename> | |
<cvename>CVE-2016-2831</cvename> | |
<cvename>CVE-2016-2832</cvename> | |
<cvename>CVE-2016-2833</cvename> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-49/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-50/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-51/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-52/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-54/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-56/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-57/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-58/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-59/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-60/</url> | |
</references> | |
<dates> | |
<discovery>2016-06-07</discovery> | |
<entry>2016-06-07</entry> | |
</dates> | |
</vuln> | |
<vuln vid="c039a761-2c29-11e6-8912-3065ec8fd3ec"> | |
<topic>chromium -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>chromium</name> | |
<name>chromium-npapi</name> | |
<name>chromium-pulse</name> | |
<range><lt>51.0.2704.79</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Google Chrome Releases reports:</p> | |
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/06/stable-channel-update.html"> | |
<p>15 security fixes in this release, including:</p> | |
<ul> | |
	    <li>[601073] High CVE-2016-1696: Cross-origin bypass in Extension
	      bindings. Credit to anonymous.</li>
<li>[613266] High CVE-2016-1697: Cross-origin bypass in Blink. | |
Credit to Mariusz Mlynski.</li> | |
<li>[603725] Medium CVE-2016-1698: Information leak in Extension | |
bindings. Credit to Rob Wu.</li> | |
<li>[607939] Medium CVE-2016-1699: Parameter sanitization failure | |
in DevTools. Credit to Gregory Panakkal.</li> | |
<li>[608104] Medium CVE-2016-1700: Use-after-free in Extensions. | |
Credit to Rob Wu.</li> | |
<li>[608101] Medium CVE-2016-1701: Use-after-free in Autofill. | |
Credit to Rob Wu.</li> | |
<li>[609260] Medium CVE-2016-1702: Out-of-bounds read in Skia. | |
Credit to cloudfuzzer.</li> | |
<li>[616539] CVE-2016-1703: Various fixes from internal audits, | |
fuzzing and other initiatives.</li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1695</cvename> | |
<cvename>CVE-2016-1696</cvename> | |
<cvename>CVE-2016-1697</cvename> | |
<cvename>CVE-2016-1698</cvename> | |
<cvename>CVE-2016-1699</cvename> | |
<cvename>CVE-2016-1700</cvename> | |
<cvename>CVE-2016-1701</cvename> | |
<cvename>CVE-2016-1702</cvename> | |
<cvename>CVE-2016-1703</cvename> | |
<url>http://googlechromereleases.blogspot.nl/2016/06/stable-channel-update.html</url> | |
</references> | |
<dates> | |
<discovery>2016-06-01</discovery> | |
<entry>2016-06-06</entry> | |
</dates> | |
</vuln> | |
<vuln vid="bcbd3fe0-2b46-11e6-ae88-002590263bf5"> | |
<topic>openafs -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>openafs</name> | |
<range><lt>1.6.17</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The OpenAFS development team reports:</p> | |
<blockquote cite="http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt"> | |
<p>Foreign users can bypass access controls to create groups as | |
system:administrators, including in the user namespace and the | |
system: namespace.</p> | |
</blockquote> | |
<blockquote cite="http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt"> | |
<p>The contents of uninitialized memory are sent on the wire when | |
clients perform certain RPCs. Depending on the RPC, the information | |
leaked may come from kernel memory or userspace.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2860</cvename> | |
<cvename>CVE-2016-4536</cvename> | |
<freebsdpr>ports/209534</freebsdpr> | |
<url>http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt</url> | |
<url>http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt</url> | |
</references> | |
<dates> | |
<discovery>2016-03-16</discovery> | |
<entry>2016-06-05</entry> | |
</dates> | |
</vuln> | |
<vuln vid="2e8fe57e-2b46-11e6-ae88-002590263bf5"> | |
<topic>openafs -- local DoS vulnerability</topic> | |
<affects> | |
<package> | |
<name>openafs</name> | |
<range><lt>1.6.16</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The OpenAFS development team reports:</p> | |
<blockquote cite="https://www.openafs.org/dl/1.6.16/RELNOTES-1.6.16"> | |
<p>Avoid a potential denial of service issue, by fixing a bug in | |
pioctl logic that allowed a local user to overrun a kernel buffer | |
with a single NUL byte.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8312</cvename> | |
<url>https://www.openafs.org/dl/1.6.16/RELNOTES-1.6.16</url> | |
</references> | |
<dates> | |
<discovery>2016-03-16</discovery> | |
<entry>2016-06-05</entry> | |
</dates> | |
</vuln> | |
<vuln vid="0297b260-2b3b-11e6-ae88-002590263bf5"> | |
<topic>ikiwiki -- XSS vulnerability</topic> | |
<affects> | |
<package> | |
<name>ikiwiki</name> | |
<range><lt>3.20160509</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mitre reports:</p> | |
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4561"> | |
<p>Cross-site scripting (XSS) vulnerability in the cgierror function | |
in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers | |
to inject arbitrary web script or HTML via unspecified vectors | |
involving an error message.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4561</cvename> | |
<freebsdpr>ports/209593</freebsdpr> | |
</references> | |
<dates> | |
<discovery>2016-05-04</discovery> | |
<entry>2016-06-05</entry> | |
</dates> | |
</vuln> | |
<vuln vid="65bb1858-27de-11e6-b714-74d02b9a84d5"> | |
<topic>h2o -- use after free on premature connection close</topic> | |
<affects> | |
<package> | |
<name>h2o</name> | |
<range><lt>1.7.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
	<p>Tim Newsham reports:</p>
<blockquote cite="http://h2o.examp1e.net/vulnerabilities.html"> | |
<p>When H2O tries to disconnect a premature HTTP/2 connection, it | |
calls free(3) to release memory allocated for the connection and | |
immediately after then touches the memory. No malloc-related | |
operation is performed by the same thread between the time it calls | |
free and the time the memory is touched. Fixed by Frederik | |
Deweerdt.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://h2o.examp1e.net/vulnerabilities.html</url> | |
</references> | |
<dates> | |
<discovery>2016-05-17</discovery> | |
<entry>2016-06-01</entry> | |
</dates> | |
</vuln> | |
<vuln vid="36cf7670-2774-11e6-af29-f0def16c5c1b"> | |
<topic>nginx -- a specially crafted request might result in worker process crash</topic> | |
<affects> | |
<package> | |
<name>nginx</name> | |
<range><ge>1.4.0</ge><lt>1.8.1_3,2</lt></range> | |
<range><ge>1.10.0,2</ge><lt>1.10.1,2</lt></range> | |
</package> | |
<package> | |
<name>nginx-devel</name> | |
<range><ge>1.3.9</ge><lt>1.9.15_1</lt></range> | |
<range><ge>1.10.0</ge><lt>1.11.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Maxim Dounin reports:</p> | |
<blockquote cite="http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html"> | |
<p>A problem was identified in nginx code responsible for saving | |
client request body to a temporary file. A specially crafted | |
request might result in worker process crash due to a NULL | |
pointer dereference while writing client request body to a | |
temporary file.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html</url> | |
<cvename>CVE-2016-4450</cvename> | |
</references> | |
<dates> | |
<discovery>2016-05-31</discovery> | |
<entry>2016-05-31</entry> | |
<modified>2016-06-05</modified> | |
</dates> | |
</vuln> | |
<vuln vid="6167b341-250c-11e6-a6fb-003048f2e514"> | |
<topic>cacti -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>cacti</name> | |
<range><lt>0.8.8h</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Cacti Group, Inc. reports:</p> | |
<blockquote cite="http://www.cacti.net/release_notes_0_8_8h.php"> | |
<p>Changelog</p> | |
<ul> | |
<li>bug:0002667: Cacti SQL Injection Vulnerability</li> | |
<li>bug:0002673: CVE-2016-3659 - Cacti graph_view.php SQL Injection | |
Vulnerability</li> | |
<li>bug:0002656: Authentication using web authentication as a user | |
not in the cacti database allows complete access (regression)</li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-3659</cvename> | |
<url>http://www.cacti.net/release_notes_0_8_8h.php</url> | |
<url>http://bugs.cacti.net/view.php?id=2673</url> | |
<url>http://seclists.org/fulldisclosure/2016/Apr/4</url> | |
<url>http://packetstormsecurity.com/files/136547/Cacti-0.8.8g-SQL-Injection.html</url> | |
</references> | |
<dates> | |
<discovery>2016-04-04</discovery> | |
<entry>2016-05-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="b53bbf58-257f-11e6-9f4d-20cf30e32f6d"> | |
<topic>openvswitch -- MPLS buffer overflow</topic> | |
<affects> | |
<package> | |
<name>openvswitch</name> | |
<range><ge>2.2.0</ge><lt>2.3.3</lt></range> | |
<range><ge>2.4.0</ge><lt>2.4.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Open vSwitch reports:</p> | |
<blockquote cite="http://openvswitch.org/pipermail/announce/2016-March/000082.html"> | |
<p>Multiple versions of Open vSwitch are vulnerable to remote buffer | |
overflow attacks, in which crafted MPLS packets could overflow the | |
buffer reserved for MPLS labels in an OVS internal data structure. | |
The MPLS packets that trigger the vulnerability and the potential for | |
exploitation vary depending on version:</p> | |
<p>Open vSwitch 2.1.x and earlier are not vulnerable.</p> | |
<p>In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be | |
exploited for arbitrary remote code execution.</p> | |
<p>In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead | |
to a remote code execution exploit, but testing shows that it can allow a | |
remote denial of service. See the mitigation section for details.</p> | |
<p>Open vSwitch 2.5.x is not vulnerable.</p> | |
</blockquote> | |
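	<p>As an added example, which is not part of the Open vSwitch advisory or of
	the OVS code base, the parser below shows the bounds check that the overflow
	described above lacks: MPLS label stack entries are copied into a fixed-size
	array only while there is room, and a stack deeper than the buffer is rejected
	instead of being written past the end of the array. The record layout, the
	buffer size of four labels and all function names are assumptions chosen for
	illustration, not Open vSwitch's own constants or identifiers.</p>
	<![CDATA[
```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical fixed-size flow record. The label array has room for
 * MAX_MPLS_LABELS entries and stands in for the fixed buffer the advisory
 * describes; the size is an assumption, not Open vSwitch's constant. */
#define MAX_MPLS_LABELS 4
#define CANARY 0xA5A5A5A5u

struct flow_rec {
    uint32_t mpls_lse[MAX_MPLS_LABELS]; /* label stack entries, host order */
    size_t   n_labels;
    uint32_t canary; /* placed after the array so a test can show it was untouched */
};

/* A label stack entry is 32 bits: label(20) | TC(3) | S(1) | TTL(8). */
uint32_t make_lse(uint32_t label, uint8_t tc, int bos, uint8_t ttl)
{
    return ((label & 0xFFFFFu) << 12) | ((uint32_t)(tc & 7u) << 9) |
           ((bos ? 1u : 0u) << 8) | ttl;
}
uint32_t mpls_lse_label(uint32_t lse)  { return lse >> 12; }
int      mpls_lse_is_bos(uint32_t lse) { return (lse >> 8) & 1u; }

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Bounded parse of the label stack at the start of pkt.
 * Returns 0 on success, -1 if the packet ends before a bottom-of-stack
 * entry, -2 if the stack is deeper than the record can hold. In the
 * unbounded variant the advisory describes, the copy would keep going
 * past mpls_lse[] into whatever follows it in the structure. */
int parse_mpls_stack(const uint8_t *pkt, size_t len, struct flow_rec *fr)
{
    size_t off = 0;
    fr->n_labels = 0;
    fr->canary = CANARY;
    for (;;) {
        if (len - off < 4)
            return -1;                      /* truncated entry */
        if (fr->n_labels == MAX_MPLS_LABELS)
            return -2;                      /* would write past the array */
        uint32_t lse = get_be32(pkt + off);
        fr->mpls_lse[fr->n_labels++] = lse;
        off += 4;
        if (mpls_lse_is_bos(lse))
            return 0;
    }
}

/* Constructed test input: an n-entry stack, labels first_label.., last entry BoS. */
size_t build_mpls_stack(uint8_t *buf, size_t cap, size_t n, uint32_t first_label)
{
    if (n == 0 || cap / 4 < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        put_be32(buf + 4 * i, make_lse(first_label + (uint32_t)i, 0, i + 1 == n, 64));
    return n * 4;
}

/* Parse a constructed n-label stack (truncated to len bytes when len != 0)
 * and return 1 if the result code, label count and canary are all as expected. */
int check_stack(size_t n, size_t len, int want_rc, size_t want_labels)
{
    uint8_t pkt[64];
    struct flow_rec fr;
    size_t built = build_mpls_stack(pkt, sizeof pkt, n, 100);
    int rc = parse_mpls_stack(pkt, len ? len : built, &fr);
    return rc == want_rc && fr.n_labels == want_labels && fr.canary == CANARY;
}

int main(void)
{
    printf("3 labels into 4-slot record: %s\n", check_stack(3, 0, 0, 3) ? "ok" : "FAIL");
    printf("9 labels into 4-slot record: %s\n", check_stack(9, 0, -2, 4) ? "rejected" : "FAIL");
    printf("stack cut after 8 bytes:     %s\n", check_stack(3, 8, -1, 2) ? "truncated" : "FAIL");
    return 0;
}
```
	]]>
	<p>The ordering of the two checks matters: the record is declared full before
	the next entry is read, so a crafted stack of any depth leaves n_labels at
	the array size and the bytes after the array unchanged.</p>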
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2074</cvename> | |
<url>http://openvswitch.org/pipermail/announce/2016-March/000082.html</url> | |
<url>http://openvswitch.org/pipermail/announce/2016-March/000083.html</url> | |
</references> | |
<dates> | |
<discovery>2016-03-28</discovery> | |
<entry>2016-05-29</entry> | |
<modified>2016-07-03</modified> | |
</dates> | |
</vuln> | |
<vuln vid="1a6bbb95-24b8-11e6-bd31-3065ec8fd3ec"> | |
<topic>chromium -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>chromium</name> | |
<name>chromium-npapi</name> | |
<name>chromium-pulse</name> | |
<range><lt>51.0.2704.63</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Google Chrome Releases reports:</p> | |
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html"> | |
<p>42 security fixes in this release, including:</p> | |
<ul> | |
<li>[590118] High CVE-2016-1672: Cross-origin bypass in extension | |
bindings. Credit to Mariusz Mlynski.</li> | |
<li>[597532] High CVE-2016-1673: Cross-origin bypass in Blink. | |
Credit to Mariusz Mlynski.</li> | |
	    <li>[598165] High CVE-2016-1674: Cross-origin bypass in extensions.
	      Credit to Mariusz Mlynski.</li>
<li>[600182] High CVE-2016-1675: Cross-origin bypass in Blink. | |
Credit to Mariusz Mlynski.</li> | |
<li>[604901] High CVE-2016-1676: Cross-origin bypass in extension | |
bindings. Credit to Rob Wu.</li> | |
<li>[602970] Medium CVE-2016-1677: Type confusion in V8. Credit to | |
Guang Gong of Qihoo 360.</li> | |
<li>[595259] High CVE-2016-1678: Heap overflow in V8. Credit to | |
Christian Holler.</li> | |
<li>[606390] High CVE-2016-1679: Heap use-after-free in V8 | |
bindings. Credit to Rob Wu.</li> | |
<li>[589848] High CVE-2016-1680: Heap use-after-free in Skia. | |
Credit to Atte Kettunen of OUSPG.</li> | |
<li>[613160] High CVE-2016-1681: Heap overflow in PDFium. Credit to | |
Aleksandar Nikolic of Cisco Talos.</li> | |
<li>[579801] Medium CVE-2016-1682: CSP bypass for ServiceWorker. | |
Credit to KingstonTime.</li> | |
<li>[601362] Medium CVE-2016-1685: Out-of-bounds read in PDFium. | |
Credit to Ke Liu of Tencent's Xuanwu LAB.</li> | |
<li>[603518] Medium CVE-2016-1686: Out-of-bounds read in PDFium. | |
Credit to Ke Liu of Tencent's Xuanwu LAB.</li> | |
<li>[603748] Medium CVE-2016-1687: Information leak in extensions. | |
Credit to Rob Wu.</li> | |
<li>[604897] Medium CVE-2016-1688: Out-of-bounds read in V8. | |
Credit to Max Korenko.</li> | |
<li>[606185] Medium CVE-2016-1689: Heap buffer overflow in media. | |
Credit to Atte Kettunen of OUSPG.</li> | |
<li>[608100] Medium CVE-2016-1690: Heap use-after-free in Autofill. | |
Credit to Rob Wu.</li> | |
<li>[597926] Low CVE-2016-1691: Heap buffer-overflow in Skia. | |
Credit to Atte Kettunen of OUSPG.</li> | |
<li>[598077] Low CVE-2016-1692: Limited cross-origin bypass in | |
ServiceWorker. Credit to Til Jasper Ullrich.</li> | |
<li>[598752] Low CVE-2016-1693: HTTP Download of Software Removal | |
Tool. Credit to Khalil Zhani.</li> | |
<li>[603682] Low CVE-2016-1694: HPKP pins removed on cache | |
clearance. Credit to Ryan Lester and Bryant Zadegan.</li> | |
<li>[614767] CVE-2016-1695: Various fixes from internal audits, | |
fuzzing and other initiatives.</li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1672</cvename> | |
<cvename>CVE-2016-1673</cvename> | |
<cvename>CVE-2016-1674</cvename> | |
<cvename>CVE-2016-1675</cvename> | |
      <cvename>CVE-2016-1676</cvename>
<cvename>CVE-2016-1677</cvename> | |
<cvename>CVE-2016-1678</cvename> | |
<cvename>CVE-2016-1679</cvename> | |
<cvename>CVE-2016-1680</cvename> | |
<cvename>CVE-2016-1681</cvename> | |
<cvename>CVE-2016-1682</cvename> | |
<cvename>CVE-2016-1685</cvename> | |
<cvename>CVE-2016-1686</cvename> | |
<cvename>CVE-2016-1687</cvename> | |
<cvename>CVE-2016-1688</cvename> | |
<cvename>CVE-2016-1689</cvename> | |
<cvename>CVE-2016-1690</cvename> | |
<cvename>CVE-2016-1691</cvename> | |
<cvename>CVE-2016-1692</cvename> | |
<cvename>CVE-2016-1693</cvename> | |
<cvename>CVE-2016-1694</cvename> | |
<cvename>CVE-2016-1695</cvename> | |
<url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html</url> | |
</references> | |
<dates> | |
<discovery>2016-05-25</discovery> | |
<entry>2016-05-28</entry> | |
<modified>2016-06-20</modified> | |
</dates> | |
</vuln> | |
<vuln vid="4dfafa16-24ba-11e6-bd31-3065ec8fd3ec"> | |
<topic>chromium -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>chromium</name> | |
<name>chromium-npapi</name> | |
<name>chromium-pulse</name> | |
<range><lt>50.0.2661.102</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Google Chrome Releases reports:</p> | |
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html"> | |
<p>5 security fixes in this release, including:</p> | |
<ul> | |
<li>[605766] High CVE-2016-1667: Same origin bypass in DOM. Credit | |
to Mariusz Mlynski.</li> | |
<li>[605910] High CVE-2016-1668: Same origin bypass in Blink V8 | |
bindings. Credit to Mariusz Mlynski.</li> | |
<li>[606115] High CVE-2016-1669: Buffer overflow in V8. Credit to | |
Choongwoo Han.</li> | |
<li>[578882] Medium CVE-2016-1670: Race condition in loader. Credit | |
to anonymous.</li> | |
<li>[586657] Medium CVE-2016-1671: Directory traversal using the | |
file scheme on Android. Credit to Jann Horn.</li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1667</cvename> | |
<cvename>CVE-2016-1668</cvename> | |
<cvename>CVE-2016-1669</cvename> | |
<cvename>CVE-2016-1670</cvename> | |
<cvename>CVE-2016-1671</cvename> | |
<url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html</url> | |
</references> | |
<dates> | |
<discovery>2016-05-11</discovery> | |
<entry>2016-05-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="7da1da96-24bb-11e6-bd31-3065ec8fd3ec"> | |
    <topic>chromium -- multiple vulnerabilities</topic>
<affects> | |
<package> | |
<name>chromium</name> | |
<name>chromium-npapi</name> | |
<name>chromium-pulse</name> | |
<range><lt>50.0.2661.94</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Google Chrome Releases reports:</p> | |
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html"> | |
<p>9 security fixes in this release, including:</p> | |
<ul> | |
<li>[574802] High CVE-2016-1660: Out-of-bounds write in Blink. | |
Credit to Atte Kettunen of OUSPG.</li> | |
<li>[601629] High CVE-2016-1661: Memory corruption in cross-process | |
frames. Credit to Wadih Matar.</li> | |
<li>[603732] High CVE-2016-1662: Use-after-free in extensions. | |
Credit to Rob Wu.</li> | |
<li>[603987] High CVE-2016-1663: Use-after-free in Blink's V8 | |
bindings. Credit to anonymous.</li> | |
<li>[597322] Medium CVE-2016-1664: Address bar spoofing. Credit to | |
Wadih Matar.</li> | |
<li>[606181] Medium CVE-2016-1665: Information leak in V8. Credit | |
to HyungSeok Han.</li> | |
<li>[607652] CVE-2016-1666: Various fixes from internal audits, | |
fuzzing and other initiatives.</li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1660</cvename> | |
<cvename>CVE-2016-1661</cvename> | |
<cvename>CVE-2016-1662</cvename> | |
<cvename>CVE-2016-1663</cvename> | |
<cvename>CVE-2016-1664</cvename> | |
<cvename>CVE-2016-1665</cvename> | |
<cvename>CVE-2016-1666</cvename> | |
<url>http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html</url> | |
</references> | |
<dates> | |
<discovery>2016-04-28</discovery> | |
<entry>2016-05-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6b110175-246d-11e6-8dd3-002590263bf5"> | |
<topic>php -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>php70-gd</name> | |
<name>php70-intl</name> | |
<range><lt>7.0.7</lt></range> | |
</package> | |
<package> | |
<name>php56</name> | |
<name>php56-gd</name> | |
<range><lt>5.6.22</lt></range> | |
</package> | |
<package> | |
<name>php55</name> | |
<name>php55-gd</name> | |
<name>php55-phar</name> | |
<range><lt>5.5.36</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The PHP Group reports:</p> | |
<blockquote cite="http://php.net/ChangeLog-5.php#5.5.36"> | |
<ul><li>Core: | |
<ul> | |
<li>Fixed bug #72114 (Integer underflow / arbitrary null write in | |
fread/gzread). (CVE-2016-5096) (PHP 5.5/5.6 only)</li> | |
<li>Fixed bug #72135 (Integer Overflow in php_html_entities). | |
(CVE-2016-5094) (PHP 5.5/5.6 only)</li> | |
</ul></li> | |
<li>GD: | |
<ul> | |
<li>Fixed bug #72227 (imagescale out-of-bounds read). | |
(CVE-2013-7456)</li> | |
</ul></li> | |
<li>Intl: | |
<ul> | |
<li>Fixed bug #72241 (get_icu_value_internal out-of-bounds read). | |
(CVE-2016-5093)</li> | |
</ul></li> | |
<li>Phar: | |
<ul> | |
<li>Fixed bug #71331 (Uninitialized pointer in | |
phar_make_dirstream()). (CVE-2016-4343) (PHP 5.5 only)</li> | |
</ul></li> | |
</ul> | |
</blockquote> | |
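	<p>The two Core fixes above are integer-arithmetic bugs in size computations.
	As an added example, not code from PHP or from this changelog, the C below
	shows the class of bug behind an entity-encoding overflow and its fix: the
	worst-case output length is a multiple of the input length, the unchecked
	product wraps for large inputs so that too small a buffer is allocated, and
	the checked form refuses the size before allocating. The function names and
	the five-character escape table are illustrative assumptions, not PHP's
	internals.</p>
	<![CDATA[
```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest replacement emitted for one input byte ("&quot;" and "&#039;" are 6 bytes). */
#define MAX_EXPANSION 6

/* Unchecked form of the size computation, kept only for comparison. For a
 * large len the product wraps, so the buffer allocated is far smaller than
 * the output and the copy that follows runs off its end. */
size_t naive_capacity(size_t len) { return len * MAX_EXPANSION + 1; }
int naive_capacity_wraps(size_t len) { return naive_capacity(len) < len; }

/* Checked form: refuse any length whose worst-case expansion cannot be represented. */
int escaped_capacity(size_t len, size_t *cap)
{
    if (len > (SIZE_MAX - 1) / MAX_EXPANSION)
        return -1;
    *cap = len * MAX_EXPANSION + 1;
    return 0;
}
int capacity_is_rejected(size_t len) { size_t c; return escaped_capacity(len, &c) != 0; }

/* Escape the five HTML-special characters in the len bytes at in (which need
 * not be NUL-terminated). Returns a malloc'd NUL-terminated string, or NULL
 * with errno = EOVERFLOW when the size computation would wrap (decided before
 * any allocation or copy), or NULL with ENOMEM from malloc. */
char *html_escape(const char *in, size_t len)
{
    size_t cap, o = 0;
    if (escaped_capacity(len, &cap) != 0) { errno = EOVERFLOW; return NULL; }
    char *out = malloc(cap);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        const char *rep;
        switch (in[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#039;"; break;
        default:   out[o++] = in[i]; continue;
        }
        size_t rl = strlen(rep);
        memcpy(out + o, rep, rl);   /* o + rl <= cap - 1 by construction of cap */
        o += rl;
    }
    out[o] = '\0';
    return out;
}

/* Escape a NUL-terminated string and compare with want; 1 on match. */
int escape_matches(const char *in, const char *want)
{
    char *got = html_escape(in, strlen(in));
    if (got == NULL) return 0;
    int ok = strcmp(got, want) == 0;
    free(got);
    return ok;
}

int main(void)
{
    const char *sample = "<a href=\"x\">Tom & Jerry's</a>";   /* constructed input */
    char *esc = html_escape(sample, strlen(sample));
    printf("%s\n", esc ? esc : "(error)");
    free(esc);
    printf("naive capacity for SIZE_MAX wraps:  %d\n", naive_capacity_wraps(SIZE_MAX));
    printf("checked capacity rejects SIZE_MAX:  %d\n", capacity_is_rejected(SIZE_MAX));
    return 0;
}
```
	]]>
	<p>The check is expressed as a division rather than as a comparison of the
	product against its operand, because the product has already wrapped by the
	time it can be compared; dividing SIZE_MAX by the expansion factor gives the
	largest input length for which the multiplication is still exact.</p>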
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-5096</cvename> | |
<cvename>CVE-2016-5094</cvename> | |
<cvename>CVE-2013-7456</cvename> | |
<cvename>CVE-2016-5093</cvename> | |
<cvename>CVE-2016-4343</cvename> | |
<freebsdpr>ports/209779</freebsdpr> | |
<url>http://php.net/ChangeLog-7.php#7.0.7</url> | |
<url>http://php.net/ChangeLog-5.php#5.6.22</url> | |
<url>http://php.net/ChangeLog-5.php#5.5.36</url> | |
</references> | |
<dates> | |
<discovery>2016-05-26</discovery> | |
<entry>2016-05-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="00ec1be1-22bb-11e6-9ead-6805ca0b3d42"> | |
<topic>phpmyadmin -- XSS and sensitive data leakage</topic> | |
<affects> | |
<package> | |
<name>phpmyadmin</name> | |
<range><ge>4.6.0</ge><lt>4.6.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpmyadmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-14/"> | |
<h2>Description</h2> | |
<p>Because user SQL queries are part of the URL, sensitive | |
information made as part of a user query can be exposed by | |
clicking on external links to attackers monitoring user GET | |
query parameters or included in the webserver logs.</p> | |
<h2>Severity</h2> | |
<p>We consider this to be non-critical.</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-16/"> | |
<h2>Description</h2> | |
<p>A specially crafted attack could allow for special HTML | |
characters to be passed as URL encoded values and displayed | |
back as special characters in the page.</p> | |
<h2>Severity</h2> | |
<p>We consider this to be non-critical.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-14/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-16/</url> | |
<cvename>CVE-2016-5097</cvename> | |
<cvename>CVE-2016-5099</cvename> | |
</references> | |
<dates> | |
<discovery>2016-05-25</discovery> | |
<entry>2016-05-25</entry> | |
<modified>2016-05-26</modified> | |
</dates> | |
</vuln> | |
<vuln vid="b50f53ce-2151-11e6-8dd3-002590263bf5"> | |
<topic>mediawiki -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>mediawiki123</name> | |
<range><lt>1.23.14</lt></range> | |
</package> | |
<package> | |
<name>mediawiki124</name> | |
<range><le>1.24.6</le></range> | |
</package> | |
<package> | |
<name>mediawiki125</name> | |
<range><lt>1.25.6</lt></range> | |
</package> | |
<package> | |
<name>mediawiki126</name> | |
<range><lt>1.26.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mediawiki reports:</p> | |
<blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html"> | |
<p>Security fixes:</p> | |
<p>T122056: Old tokens are remaining valid within a new session</p> | |
<p>T127114: Login throttle can be tricked using non-canonicalized | |
usernames</p> | |
<p>T123653: Cross-domain policy regexp is too narrow</p> | |
<p>T123071: Incorrectly identifying http link in a's href | |
attributes, due to m modifier in regex</p> | |
<p>T129506: MediaWiki:Gadget-popups.js isn't renderable</p> | |
<p>T125283: Users occasionally logged in as different users after | |
SessionManager deployment</p> | |
<p>T103239: Patrol allows click catching and patrolling of any | |
page</p> | |
	  <p>T122807: [tracking] Check php crypto primitives</p>
<p>T98313: Graphs can leak tokens, leading to CSRF</p> | |
<p>T130947: Diff generation should use PoolCounter</p> | |
<p>T133507: Careless use of $wgExternalLinkTarget is insecure</p> | |
<p>T132874: API action=move is not rate limited</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html</url> | |
</references> | |
<dates> | |
<discovery>2016-05-20</discovery> | |
<entry>2016-05-24</entry> | |
</dates> | |
</vuln> | |
<vuln vid="967b852b-1e28-11e6-8dd3-002590263bf5"> | |
<topic>wpa_supplicant -- psk configuration parameter update allowing arbitrary data to be written</topic> | |
<affects> | |
<package> | |
<name>wpa_supplicant</name> | |
<range><lt>2.5_2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Jouni Malinen reports:</p> | |
<blockquote cite="http://w1.fi/security/2016-1/psk-parameter-config-update.txt"> | |
<p>psk configuration parameter update allowing arbitrary data to be | |
written (2016-1 - CVE-2016-4476/CVE-2016-4477).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4476</cvename> | |
<cvename>CVE-2016-4477</cvename> | |
      <freebsdpr>ports/209564</freebsdpr>
<url>http://w1.fi/security/2016-1/psk-parameter-config-update.txt</url> | |
</references> | |
<dates> | |
<discovery>2016-05-02</discovery> | |
<entry>2016-05-20</entry> | |
</dates> | |
</vuln> | |
<vuln vid="57b3aba7-1e25-11e6-8dd3-002590263bf5"> | |
<topic>expat -- denial of service vulnerability on malformed input</topic> | |
<affects> | |
<package> | |
<name>expat</name> | |
<range><lt>2.1.1</lt></range> | |
</package> | |
<package> | |
<name>linux-c6-expat</name> | |
<range><lt>2.1.1</lt></range> | |
</package> | |
<package> | |
<name>linux-f10-expat</name> | |
<range><lt>2.1.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Gustavo Grieco reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/17/12"> | |
<p>The Expat XML parser mishandles certain kinds of malformed input | |
documents, resulting in buffer overflows during processing and error | |
reporting. The overflows can manifest as a segmentation fault or as | |
memory corruption during a parse operation. The bugs allow for a | |
denial of service attack in many applications by an unauthenticated | |
attacker, and could conceivably result in remote code execution.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-0718</cvename> | |
<freebsdpr>ports/209360</freebsdpr> | |
<url>http://www.openwall.com/lists/oss-security/2016/05/17/12</url> | |
</references> | |
<dates> | |
<discovery>2016-05-17</discovery> | |
<entry>2016-05-20</entry> | |
<modified>2016-06-05</modified> | |
</dates> | |
</vuln> | |
<vuln vid="036d6c38-1c5b-11e6-b9e0-20cf30e32f6d"> | |
    <topic>bugzilla -- XSS in dependency graphs</topic>
<affects> | |
<package> | |
<name>bugzilla44</name> | |
<range><lt>4.4.12</lt></range> | |
</package> | |
<package> | |
<name>bugzilla50</name> | |
<range><lt>5.0.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
	<p>Bugzilla Security Advisory reports:</p>
	<blockquote cite="https://www.bugzilla.org/security/4.4.11/">
	  <p>Due to an incorrect parsing of the image map generated by the dot
	  script, a specially crafted bug summary could trigger XSS in
	  dependency graphs.</p>
	</blockquote>
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2803</cvename> | |
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=1253263</url> | |
</references> | |
<dates> | |
<discovery>2016-03-03</discovery> | |
<entry>2016-05-17</entry> | |
</dates> | |
</vuln> | |
<vuln vid="0dc8be9e-19af-11e6-8de0-080027ef73ec"> | |
<topic>OpenVPN -- Buffer overflow in PAM authentication and DoS through port sharing</topic> | |
<affects> | |
<package> | |
<name>openvpn</name> | |
<range><lt>2.3.11</lt></range> | |
</package> | |
<package> | |
<name>openvpn-polarssl</name> | |
<range><lt>2.3.11</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Samuli Seppänen reports:</p> | |
<blockquote cite="https://sourceforge.net/p/openvpn/mailman/message/35076507/"> | |
<p>OpenVPN 2.3.11 [...] fixes two vulnerabilities: a port-share bug | |
with DoS potential and a buffer overflow by user supplied data when | |
using pam authentication.[...]</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://sourceforge.net/p/openvpn/mailman/message/35076507/</url> | |
<url>https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11</url> | |
</references> | |
<dates> | |
<discovery>2016-03-03</discovery> | |
<entry>2016-05-14</entry> | |
</dates> | |
</vuln> | |
<vuln vid="82b702e0-1907-11e6-857b-00221503d280"> | |
<topic>imagemagick -- buffer overflow</topic> | |
<affects> | |
<package> | |
<name>ImageMagick</name> | |
<name>ImageMagick-nox11</name> | |
<range><lt>6.9.4.1,1</lt></range> | |
</package> | |
<package> | |
<name>ImageMagick7</name> | |
<name>ImageMagick7-nox11</name> | |
<range><ge>7.0.0.0.b20150715</ge><lt>7.0.1.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ImageMagick reports:</p> | |
<blockquote cite="http://legacy.imagemagick.org/script/changelog.php"> | |
<p>Fix a buffer overflow in magick/drag.c/DrawStrokePolygon().</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://legacy.imagemagick.org/script/changelog.php</url> | |
</references> | |
<dates> | |
<discovery>2016-05-09</discovery> | |
<entry>2016-05-13</entry> | |
</dates> | |
</vuln> | |
<vuln vid="e387834a-17ef-11e6-9947-7054d2909b71"> | |
<topic>jenkins -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>jenkins</name> | |
<range><le>2.2</le></range> | |
</package> | |
<package> | |
<name>jenkins2</name> | |
<range><le>2.2</le></range> | |
</package> | |
<package> | |
<name>jenkins-lts</name> | |
<range><le>1.651.1</le></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Jenkins Security Advisory:</p> | |
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11"> | |
<h1>Description</h1> | |
<h5>SECURITY-170 / CVE-2016-3721</h5> | |
<p>Arbitrary build parameters are passed to build scripts as environment variables</p> | |
<h5>SECURITY-243 / CVE-2016-3722</h5> | |
<p>Malicious users with multiple user accounts can prevent other users from logging in</p> | |
<h5>SECURITY-250 / CVE-2016-3723</h5> | |
<p>Information on installed plugins exposed via API</p> | |
<h5>SECURITY-266 / CVE-2016-3724</h5> | |
<p>Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration</p> | |
<h5>SECURITY-273 / CVE-2016-3725</h5> | |
<p>Regular users can trigger download of update site metadata</p> | |
<h5>SECURITY-276 / CVE-2016-3726</h5> | |
<p>Open redirect to scheme-relative URLs</p> | |
<h5>SECURITY-281 / CVE-2016-3727</h5> | |
<p>Granting the permission to read node configurations allows access to overall system configuration</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-3721</cvename> | |
<cvename>CVE-2016-3722</cvename> | |
<cvename>CVE-2016-3723</cvename> | |
<cvename>CVE-2016-3724</cvename> | |
<cvename>CVE-2016-3725</cvename> | |
<cvename>CVE-2016-3726</cvename> | |
<cvename>CVE-2016-3727</cvename> | |
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11</url> | |
</references> | |
<dates> | |
<discovery>2016-05-11</discovery> | |
<entry>2016-05-12</entry> | |
</dates> | |
</vuln> | |
<vuln vid="d9f99491-1656-11e6-94fa-002590263bf5"> | |
<topic>perl5 -- taint mechanism bypass vulnerability</topic> | |
<affects> | |
<package> | |
<name>perl5</name> | |
<range><lt>5.18.4_21</lt></range> | |
<range><ge>5.20.0</ge><lt>5.20.3_12</lt></range> | |
<range><ge>5.22.0</ge><lt>5.22.1_8</lt></range> | |
</package> | |
<package> | |
<name>perl5.18</name> | |
<range><ge>5.18.0</ge><lt>5.18.4_21</lt></range> | |
</package> | |
<package> | |
<name>perl5.20</name> | |
<range><ge>5.20.0</ge><lt>5.20.3_12</lt></range> | |
</package> | |
<package> | |
<name>perl5.22</name> | |
<range><ge>5.22.0</ge><lt>5.22.1_8</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>MITRE reports:</p> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2381"> | |
<p>Perl might allow context-dependent attackers to bypass the taint | |
protection mechanism in a child process via duplicate environment | |
variables in envp.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2381</cvename> | |
<freebsdpr>ports/208879</freebsdpr> | |
</references> | |
<dates> | |
<discovery>2016-04-08</discovery> | |
<entry>2016-05-10</entry> | |
</dates> | |
</vuln> | |
<vuln vid="3686917b-164d-11e6-94fa-002590263bf5"> | |
<topic>wordpress -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>wordpress</name> | |
<range><lt>4.5.2,1</lt></range> | |
</package> | |
<package> | |
<name>de-wordpress</name> | |
<name>ja-wordpress</name> | |
<name>ru-wordpress</name> | |
<name>zh-wordpress-zh_CN</name> | |
<name>zh-wordpress-zh_TW</name> | |
<range><lt>4.5.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Helen Hou-Sandi reports:</p> | |
<blockquote cite="https://wordpress.org/news/2016/05/wordpress-4-5-2/"> | |
<p>WordPress 4.5.2 is now available. This is a security release for | |
all previous versions and we strongly encourage you to update your | |
sites immediately.</p> | |
<p>WordPress versions 4.5.1 and earlier are affected by a SOME | |
vulnerability through Plupload, the third-party library WordPress | |
uses for uploading files. WordPress versions 4.2 through 4.5.1 are | |
vulnerable to reflected XSS using specially crafted URIs through | |
MediaElement.js, the third-party library used for media players. | |
MediaElement.js and Plupload have also released updates fixing | |
these issues.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4566</cvename> | |
<cvename>CVE-2016-4567</cvename> | |
<url>https://wordpress.org/news/2016/05/wordpress-4-5-2/</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/05/07/7</url> | |
</references> | |
<dates> | |
<discovery>2016-05-06</discovery> | |
<entry>2016-05-10</entry> | |
</dates> | |
</vuln> | |
<vuln vid="2b4c8e1f-1609-11e6-b55e-b499baebfeaf"> | |
<topic>libarchive -- RCE vulnerability</topic> | |
<affects> | |
<package> | |
<name>libarchive</name> | |
<range><lt>3.2.0,1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The libarchive project reports:</p> | |
<blockquote cite="https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7"> | |
<p>Heap-based buffer overflow in the zip_read_mac_metadata function | |
in archive_read_support_format_zip.c in libarchive before 3.2.0 | |
allows remote attackers to execute arbitrary code via crafted | |
entry-size values in a ZIP archive.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1541</cvename> | |
<url>https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7</url> | |
</references> | |
<dates> | |
<discovery>2016-05-01</discovery> | |
<entry>2016-05-09</entry> | |
<modified>2016-05-10</modified> | |
</dates> | |
</vuln> | |
<vuln vid="25e5205b-1447-11e6-9ead-6805ca0b3d42"> | |
<topic>squid -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>squid</name> | |
<range><ge>3.0.0</ge><lt>3.5.18</lt></range> | |
</package> | |
<package> | |
<name>squid-devel</name> | |
<range><ge>4.0.0</ge><lt>4.0.10</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The squid development team reports:</p> | |
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_7.txt"> | |
<dl> | |
<dt>Problem Description:</dt> | |
<dd>Due to incorrect data validation of intercepted HTTP | |
Request messages Squid is vulnerable to clients bypassing | |
the protection against CVE-2009-0801 related issues. This | |
leads to cache poisoning.</dd> | |
<dt>Severity:</dt> | |
<dd>This problem is serious because it allows any client, | |
including browser scripts, to bypass local security and | |
poison the proxy cache and any downstream caches with | |
content from an arbitrary source.</dd> | |
</dl> | |
</blockquote> | |
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_8.txt"> | |
<dl> | |
<dt>Problem Description:</dt> | |
<dd>Due to incorrect input validation Squid is vulnerable | |
to a header smuggling attack leading to cache poisoning | |
and to bypass of same-origin security policy in Squid and | |
some client browsers.</dd> | |
<dt>Severity:</dt> | |
<dd>This problem allows a client to smuggle Host header | |
value past same-origin security protections to cause Squid | |
operating as interception or reverse-proxy to contact the | |
wrong origin server. Also poisoning any downstream cache | |
which stores the response.</dd> | |
<dd>However, the cache poisoning is only possible if the | |
caching agent (browser or explicit/forward proxy) is not | |
following RFC 7230 processing guidelines and lets the | |
smuggled value through.</dd> | |
</dl> | |
</blockquote> | |
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_9.txt"> | |
<dl> | |
<dt>Problem Description:</dt> | |
<dd>Due to incorrect pointer handling and reference | |
counting Squid is vulnerable to a denial of service attack | |
when processing ESI responses.</dd> | |
<dt>Severity:</dt> | |
<dd>These problems allow a remote server delivering | |
certain ESI response syntax to trigger a denial of service | |
for all clients accessing the Squid service.</dd> | |
<dd>Due to unrelated changes Squid-3.5 has become | |
vulnerable to some regular ESI server responses also | |
triggering one or more of these issues.</dd> | |
</dl> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4553</cvename> | |
<cvename>CVE-2016-4554</cvename> | |
<cvename>CVE-2016-4555</cvename> | |
<cvename>CVE-2016-4556</cvename> | |
<url>http://www.squid-cache.org/Advisories/SQUID-2016_7.txt</url> | |
<url>http://www.squid-cache.org/Advisories/SQUID-2016_8.txt</url> | |
<url>http://www.squid-cache.org/Advisories/SQUID-2016_9.txt</url> | |
</references> | |
<dates> | |
<discovery>2016-05-06</discovery> | |
<entry>2016-05-07</entry> | |
<modified>2016-05-09</modified> | |
</dates> | |
</vuln> | |
<vuln vid="0d724b05-687f-4527-9c03-af34d3b094ec"> | |
<topic>ImageMagick -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>ImageMagick</name> | |
<name>ImageMagick-nox11</name> | |
<range><lt>6.9.3.9_1,1</lt></range> | |
</package> | |
<package> | |
<name>ImageMagick7</name> | |
<name>ImageMagick7-nox11</name> | |
<range><ge>7.0.0.0.b20150715</ge><lt>7.0.1.0_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Openwall reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/03/18"> | |
<p>Insufficient filtering for filename passed to delegate's command | |
allows remote code execution during conversion of several file | |
formats. Any service which uses ImageMagick to process user | |
supplied images and uses default delegates.xml / policy.xml, | |
may be vulnerable to this issue.</p> | |
<p>It is possible to make ImageMagick perform a HTTP GET or FTP | |
request</p> | |
<p>It is possible to delete files by using ImageMagick's 'ephemeral' | |
pseudo protocol which deletes files after reading.</p> | |
<p>It is possible to move image files to file with any extension | |
in any folder by using ImageMagick's 'msl' pseudo protocol. | |
msl.txt and image.gif should exist in known location - /tmp/ | |
for PoC (in real life it may be web service written in PHP, | |
which allows to upload raw txt files and process images with | |
ImageMagick).</p> | |
<p>It is possible to get content of the files from the server | |
by using ImageMagick's 'label' pseudo protocol.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-3714</cvename> | |
<cvename>CVE-2016-3715</cvename> | |
<cvename>CVE-2016-3716</cvename> | |
<cvename>CVE-2016-3717</cvename> | |
<cvename>CVE-2016-3718</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2016/05/03/18</url> | |
<url>https://imagetragick.com/</url> | |
</references> | |
<dates> | |
<discovery>2016-05-03</discovery> | |
<entry>2016-05-06</entry> | |
<modified>2016-05-07</modified> | |
</dates> | |
</vuln> | |
<vuln vid="a6cd01fa-11bd-11e6-bb3c-9cb654ea3e1c"> | |
<topic>jansson -- local denial of service vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>jansson</name> | |
<range><lt>2.7_2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>QuickFuzz reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/01/5"> | |
<p>A crash caused by stack exhaustion parsing a JSON was found.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.openwall.com/lists/oss-security/2016/05/01/5</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/05/02/1</url> | |
<cvename>CVE-2016-4425</cvename> | |
</references> | |
<dates> | |
<discovery>2016-05-01</discovery> | |
<entry>2016-05-04</entry> | |
</dates> | |
</vuln> | |
<vuln vid="01d729ca-1143-11e6-b55e-b499baebfeaf"> | |
<topic>OpenSSL -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>openssl</name> | |
<range><lt>1.0.2_11</lt></range> | |
</package> | |
<package> | |
<name>linux-c6-openssl</name> | |
<range><lt>1.0.1e_8</lt></range> | |
</package> | |
<package> | |
<name>libressl</name> | |
<range><ge>2.3.0</ge><lt>2.3.4</lt></range> | |
<range><lt>2.2.7</lt></range> | |
</package> | |
<package> | |
<name>libressl-devel</name> | |
<range><lt>2.3.4</lt></range> | |
</package> | |
<package> | |
<name>FreeBSD</name> | |
<range><ge>10.3</ge><lt>10.3_2</lt></range> | |
<range><ge>10.2</ge><lt>10.2_16</lt></range> | |
<range><ge>10.1</ge><lt>10.1_33</lt></range> | |
<range><ge>9.3</ge><lt>9.3_41</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>OpenSSL reports:</p> | |
<blockquote cite="https://www.openssl.org/news/secadv/20160503.txt"> | |
<p>Memory corruption in the ASN.1 encoder</p> | |
<p>Padding oracle in AES-NI CBC MAC check</p> | |
<p>EVP_EncodeUpdate overflow</p> | |
<p>EVP_EncryptUpdate overflow</p> | |
<p>ASN.1 BIO excessive memory allocation</p> | |
<p>EBCDIC overread (OpenSSL only)</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.openssl.org/news/secadv/20160503.txt</url> | |
<url>https://marc.info/?l=openbsd-tech&m=146228598730414</url> | |
<cvename>CVE-2016-2105</cvename> | |
<cvename>CVE-2016-2106</cvename> | |
<cvename>CVE-2016-2107</cvename> | |
<cvename>CVE-2016-2108</cvename> | |
<cvename>CVE-2016-2109</cvename> | |
<cvename>CVE-2016-2176</cvename> | |
<freebsdsa>SA-16:17.openssl</freebsdsa> | |
</references> | |
<dates> | |
<discovery>2016-05-03</discovery> | |
<entry>2016-05-03</entry> | |
<modified>2016-08-09</modified> | |
</dates> | |
</vuln> | |
<vuln vid="95564990-1138-11e6-b55e-b499baebfeaf"> | |
<cancelled superseded="01d729ca-1143-11e6-b55e-b499baebfeaf"/> | |
</vuln> | |
<vuln vid="be72e773-1131-11e6-94fa-002590263bf5"> | |
<topic>gitlab -- privilege escalation via "impersonate" feature</topic> | |
<affects> | |
<package> | |
<name>gitlab</name> | |
<range><ge>8.2.0</ge><lt>8.2.5</lt></range> | |
<range><ge>8.3.0</ge><lt>8.3.9</lt></range> | |
<range><ge>8.4.0</ge><lt>8.4.10</lt></range> | |
<range><ge>8.5.0</ge><lt>8.5.12</lt></range> | |
<range><ge>8.6.0</ge><lt>8.6.8</lt></range> | |
<range><ge>8.7.0</ge><lt>8.7.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>GitLab reports:</p> | |
<blockquote cite="https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/"> | |
<p>During an internal code review, we discovered a critical security | |
flaw in the "impersonate" feature of GitLab. Added in GitLab 8.2, | |
this feature was intended to allow an administrator to simulate | |
being logged in as any other user.</p> | |
<p>A part of this feature was not properly secured and it was possible | |
for any authenticated user, administrator or not, to "log in" as any | |
other user, including administrators. Please see the issue for more | |
details.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4340</cvename> | |
<freebsdpr>ports/209225</freebsdpr> | |
<url>https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/</url> | |
<url>https://gitlab.com/gitlab-org/gitlab-ce/issues/15548</url> | |
</references> | |
<dates> | |
<discovery>2016-05-02</discovery> | |
<entry>2016-05-03</entry> | |
</dates> | |
</vuln> | |
<vuln vid="5764c634-10d2-11e6-94fa-002590263bf5"> | |
<topic>php -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>php70</name> | |
<name>php70-bcmath</name> | |
<name>php70-exif</name> | |
<name>php70-gd</name> | |
<name>php70-xml</name> | |
<range><lt>7.0.6</lt></range> | |
</package> | |
<package> | |
<name>php56</name> | |
<name>php56-bcmath</name> | |
<name>php56-exif</name> | |
<name>php56-gd</name> | |
<name>php56-xml</name> | |
<range><lt>5.6.21</lt></range> | |
</package> | |
<package> | |
<name>php55</name> | |
<name>php55-bcmath</name> | |
<name>php55-exif</name> | |
<name>php55-gd</name> | |
<name>php55-xml</name> | |
<range><lt>5.5.35</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The PHP Group reports:</p> | |
<blockquote cite="http://www.php.net/ChangeLog-5.php#5.5.35"> | |
<ul><li>BCMath: | |
<ul> | |
<li>Fixed bug #72093 (bcpowmod accepts negative scale and corrupts | |
_one_ definition).</li> | |
</ul></li> | |
<li>Exif: | |
<ul> | |
<li>Fixed bug #72094 (Out of bounds heap read access in exif header | |
processing).</li> | |
</ul></li> | |
<li>GD: | |
<ul> | |
<li>Fixed bug #71912 (libgd: signedness vulnerability). | |
(CVE-2016-3074)</li> | |
</ul></li> | |
<li>Intl: | |
<ul> | |
<li>Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos | |
with negative offset).</li> | |
</ul></li> | |
<li>XML: | |
<ul> | |
<li>Fixed bug #72099 (xml_parse_into_struct segmentation fault). | |
</li> | |
</ul></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-3074</cvename> | |
<freebsdpr>ports/209145</freebsdpr> | |
<url>http://www.php.net/ChangeLog-7.php#7.0.6</url> | |
<url>http://www.php.net/ChangeLog-5.php#5.6.21</url> | |
<url>http://www.php.net/ChangeLog-5.php#5.5.35</url> | |
</references> | |
<dates> | |
<discovery>2016-04-28</discovery> | |
<entry>2016-05-03</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a1134048-10c6-11e6-94fa-002590263bf5"> | |
<topic>libksba -- local denial of service vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>libksba</name> | |
<range><lt>1.3.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Martin Prpic, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/04/29/5"> | |
<p>Denial of Service due to stack overflow in src/ber-decoder.c.</p> | |
<p>Integer overflow in the BER decoder src/ber-decoder.c.</p> | |
<p>Integer overflow in the DN decoder src/dn.c.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4353</cvename> | |
<cvename>CVE-2016-4354</cvename> | |
<cvename>CVE-2016-4355</cvename> | |
<cvename>CVE-2016-4356</cvename> | |
<url>http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=07116a314f4dcd4d96990bbd74db95a03a9f650a</url> | |
<url>http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887</url> | |
<url>http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=243d12fdec66a4360fbb3e307a046b39b5b4ffc3</url> | |
<url>https://security.gentoo.org/glsa/201604-04</url> | |
<mlist>http://www.openwall.com/lists/oss-security/2016/04/29/5</mlist> | |
</references> | |
<dates> | |
<discovery>2015-04-08</discovery> | |
<entry>2016-05-03</entry> | |
</dates> | |
</vuln> | |
<vuln vid="7e36c369-10c0-11e6-94fa-002590263bf5"> | |
<topic>wireshark -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>wireshark</name> | |
<name>wireshark-lite</name> | |
<name>wireshark-qt5</name> | |
<name>tshark</name> | |
<name>tshark-lite</name> | |
<range><lt>2.0.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Wireshark development team reports:</p> | |
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.3.html"> | |
<p>The following vulnerabilities have been fixed:</p> | |
<ul> | |
<li><p>wnpa-sec-2016-19</p> | |
<p>The NCP dissector could crash. (Bug 11591)</p></li> | |
<li><p>wnpa-sec-2016-20</p> | |
<p>TShark could crash due to a packet reassembly bug. (Bug 11799) | |
</p></li> | |
<li><p>wnpa-sec-2016-21</p> | |
<p>The IEEE 802.11 dissector could crash. (Bug 11824, Bug 12187) | |
</p></li> | |
<li><p>wnpa-sec-2016-22</p> | |
<p>The PKTC dissector could crash. (Bug 12206)</p></li> | |
<li><p>wnpa-sec-2016-23</p> | |
<p>The PKTC dissector could crash. (Bug 12242)</p></li> | |
<li><p>wnpa-sec-2016-24</p> | |
<p>The IAX2 dissector could go into an infinite loop. (Bug | |
12260)</p></li> | |
<li><p>wnpa-sec-2016-25</p> | |
<p>Wireshark and TShark could exhaust the stack. (Bug 12268)</p> | |
</li> | |
<li><p>wnpa-sec-2016-26</p> | |
<p>The GSM CBCH dissector could crash. (Bug 12278)</p></li> | |
<li><p>wnpa-sec-2016-27</p> | |
<p>MS-WSP dissector crash. (Bug 12341)</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-4076</cvename> | |
<cvename>CVE-2016-4077</cvename> | |
<cvename>CVE-2016-4078</cvename> | |
<cvename>CVE-2016-4079</cvename> | |
<cvename>CVE-2016-4080</cvename> | |
<cvename>CVE-2016-4081</cvename> | |
<cvename>CVE-2016-4006</cvename> | |
<cvename>CVE-2016-4082</cvename> | |
<cvename>CVE-2016-4083</cvename> | |
<cvename>CVE-2016-4084</cvename> | |
<url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.3.html</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/04/25/2</url> | |
</references> | |
<dates> | |
<discovery>2016-04-22</discovery> | |
<entry>2016-05-02</entry> | |
<modified>2016-07-04</modified> | |
</dates> | |
</vuln> | |
<vuln vid="78abc022-0fee-11e6-9a1c-0014a5a57822"> | |
<topic>mercurial -- arbitrary code execution vulnerability</topic> | |
<affects> | |
<package> | |
<name>mercurial</name> | |
<range><lt>3.8.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mercurial reports:</p> | |
<blockquote cite="https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.29"> | |
<p>CVE-2016-3105: Arbitrary code execution when converting | |
Git repos</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-3105</cvename> | |
<url>https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.29</url> | |
</references> | |
<dates> | |
<discovery>2016-05-01</discovery> | |
<entry>2016-05-01</entry> | |
</dates> | |
</vuln> | |
<vuln vid="8c2b2f11-0ebe-11e6-b55e-b499baebfeaf"> | |
<topic>MySQL -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>mariadb55-server</name> | |
<range><lt>5.5.49</lt></range> | |
</package> | |
<package> | |
<name>mariadb100-server</name> | |
<range><lt>10.0.25</lt></range> | |
</package> | |
<package> | |
<name>mariadb101-server</name> | |
<range><lt>10.1.12</lt></range> | |
</package> | |
<package> | |
<name>mysql55-server</name> | |
<range><lt>5.5.49</lt></range> | |
</package> | |
<package> | |
<name>mysql56-server</name> | |
<range><lt>5.6.30</lt></range> | |
</package> | |
<package> | |
<name>mysql57-server</name> | |
<range><lt>5.7.12</lt></range> | |
</package> | |
<package> | |
<name>percona55-server</name> | |
<range><lt>5.5.49</lt></range> | |
</package> | |
<package> | |
<name>percona-server</name> | |
<range><lt>5.6.30</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Oracle reports:</p> | |
<blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html#AppendixMSQL"> | |
<p>Critical Patch Update contains 31 new security fixes for Oracle MySQL | |
5.5.48, 5.6.29, 5.7.11 and earlier</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html#AppendixMSQL</url> | |
<url>https://mariadb.com/kb/en/mariadb/mariadb-5549-release-notes/</url> | |
<url>https://mariadb.com/kb/en/mariadb/mariadb-10025-release-notes/</url> | |
<url>https://mariadb.com/kb/en/mariadb/mariadb-10112-release-notes/</url> | |
<cvename>CVE-2016-0705</cvename> | |
<cvename>CVE-2016-0639</cvename> | |
<cvename>CVE-2015-3194</cvename> | |
<cvename>CVE-2016-0640</cvename> | |
<cvename>CVE-2016-0641</cvename> | |
<cvename>CVE-2016-3461</cvename> | |
<cvename>CVE-2016-2047</cvename> | |
<cvename>CVE-2016-0642</cvename> | |
<cvename>CVE-2016-0643</cvename> | |
<cvename>CVE-2016-0644</cvename> | |
<cvename>CVE-2016-0646</cvename> | |
<cvename>CVE-2016-0647</cvename> | |
<cvename>CVE-2016-0648</cvename> | |
<cvename>CVE-2016-0649</cvename> | |
<cvename>CVE-2016-0650</cvename> | |
<cvename>CVE-2016-0652</cvename> | |
<cvename>CVE-2016-0653</cvename> | |
<cvename>CVE-2016-0654</cvename> | |
<cvename>CVE-2016-0655</cvename> | |
<cvename>CVE-2016-0656</cvename> | |
<cvename>CVE-2016-0657</cvename> | |
<cvename>CVE-2016-0658</cvename> | |
<cvename>CVE-2016-0651</cvename> | |
<cvename>CVE-2016-0659</cvename> | |
<cvename>CVE-2016-0661</cvename> | |
<cvename>CVE-2016-0662</cvename> | |
<cvename>CVE-2016-0663</cvename> | |
<cvename>CVE-2016-0665</cvename> | |
<cvename>CVE-2016-0666</cvename> | |
<cvename>CVE-2016-0667</cvename> | |
<cvename>CVE-2016-0668</cvename> | |
</references> | |
<dates> | |
<discovery>2016-04-19</discovery> | |
<entry>2016-04-30</entry> | |
</dates> | |
</vuln> | |
<vuln vid="f2d4f879-0d7c-11e6-925f-6805ca0b3d42"> | |
<topic>logstash -- password disclosure vulnerability</topic> | |
<affects> | |
<package> | |
<name>logstash</name> | |
<range><ge>2.1.0</ge><lt>2.3.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Logstash developers report:</p> | |
<blockquote cite="https://www.elastic.co/blog/logstash-2.3.1-and-2.2.4-released#Passwords_Printed_in_Log_Files_under_Some_Conditions_18"> | |
<h2>Passwords Printed in Log Files under Some Conditions</h2> | |
<p>It was discovered that, in Logstash 2.1.0+, log messages | |
generated by a stalled pipeline during shutdown will print | |
plaintext contents of password fields. While investigating | |
this issue we also discovered that debug logging has | |
included this data for quite some time. Our latest releases | |
fix both leaks. You will want to scrub old log files if this | |
is of particular concern to you. This was fixed in issue | |
#4965</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.elastic.co/blog/logstash-2.3.1-and-2.2.4-released#Passwords_Printed_in_Log_Files_under_Some_Conditions_18</url> | |
<url>https://github.com/elastic/logstash/pull/4965</url> | |
</references> | |
<dates> | |
<discovery>2016-04-01</discovery> | |
<entry>2016-04-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="c8174b63-0d3a-11e6-b06e-d43d7eed0ce2"> | |
<topic>subversion -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>subversion</name> | |
<range><ge>1.9.0</ge><lt>1.9.4</lt></range> | |
<range><ge>1.0.0</ge><lt>1.8.15</lt></range> | |
</package> | |
<package> | |
<name>subversion18</name> | |
<range><ge>1.0.0</ge><lt>1.8.15</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Subversion project reports:</p> | |
<blockquote cite="http://subversion.apache.org/security/CVE-2016-2167-advisory.txt"> | |
<p>svnserve, the svn:// protocol server, can optionally use the Cyrus | |
SASL library for authentication, integrity protection, and encryption. | |
Due to a programming oversight, authentication against Cyrus SASL | |
would permit the remote user to specify a realm string which is | |
a prefix of the expected realm string.</p> | |
</blockquote> | |
<blockquote cite="http://subversion.apache.org/security/CVE-2016-2168-advisory.txt"> | |
<p>Subversion's httpd servers are vulnerable to a remotely triggerable crash | |
in the mod_authz_svn module. The crash can occur during an authorization | |
check for a COPY or MOVE request with a specially crafted header value.</p> | |
<p>This allows remote attackers to cause a denial of service.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2167</cvename> | |
<url>http://subversion.apache.org/security/CVE-2016-2167-advisory.txt</url> | |
<cvename>CVE-2016-2168</cvename> | |
<url>http://subversion.apache.org/security/CVE-2016-2168-advisory.txt</url> | |
</references> | |
<dates> | |
<discovery>2016-04-21</discovery> | |
<entry>2016-04-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="b2487d9a-0c30-11e6-acd0-d050996490d0"> | |
<topic>ntp -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>ntp</name> | |
<range><lt>4.2.8p7</lt></range> | |
</package> | |
<package> | |
<name>ntp-devel</name> | |
<range><lt>4.3.92</lt></range> | |
</package> | |
<package> | |
<name>FreeBSD</name> | |
<range><ge>10.3</ge><lt>10.3_1</lt></range> | |
<range><ge>10.2</ge><lt>10.2_15</lt></range> | |
<range><ge>10.1</ge><lt>10.1_32</lt></range> | |
<range><ge>9.3</ge><lt>9.3_40</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Network Time Foundation reports:</p> | |
<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security"> | |
<p>NTF's NTP Project has been notified of the following low-
and medium-severity vulnerabilities that are fixed in
ntp-4.2.8p7, released on Tuesday, 26 April 2016:</p>
<ul>
<li>Bug 3020 / CVE-2016-1551: Refclock impersonation
vulnerability, AKA: refclock-peering. Reported by
Matt Street and others of Cisco ASIG</li>
<li>Bug 3012 / CVE-2016-1549: Sybil vulnerability:
ephemeral association attack, AKA: ntp-sybil -
MITIGATION ONLY. Reported by Matthew Van Gundy
of Cisco ASIG</li>
<li>Bug 3011 / CVE-2016-2516: Duplicate IPs on
unconfig directives will cause an assertion botch.
Reported by Yihan Lian of the Cloud Security Team,
Qihoo 360</li>
<li>Bug 3010 / CVE-2016-2517: Remote configuration
trustedkey/requestkey values are not properly
validated. Reported by Yihan Lian of the Cloud
Security Team, Qihoo 360</li>
<li>Bug 3009 / CVE-2016-2518: Crafted addpeer with
hmode > 7 causes array wraparound with MATCH_ASSOC.
Reported by Yihan Lian of the Cloud Security Team,
Qihoo 360</li>
<li>Bug 3008 / CVE-2016-2519: ctl_getitem() return
value not always checked. Reported by Yihan Lian
of the Cloud Security Team, Qihoo 360</li>
<li>Bug 3007 / CVE-2016-1547: Validate crypto-NAKs,
AKA: nak-dos. Reported by Stephen Gray and
Matthew Van Gundy of Cisco ASIG</li>
<li>Bug 2978 / CVE-2016-1548: Interleave-pivot -
MITIGATION ONLY. Reported by Miroslav Lichvar of
RedHat and separately by Jonathan Gardner of
Cisco ASIG.</li>
<li>Bug 2952 / CVE-2015-7704: KoD fix: peer
associations were broken by the fix for
NtpBug2901, AKA: Symmetric active/passive mode
is broken. Reported by Michael Tatarinov,
NTP Project Developer Volunteer</li>
<li>Bug 2945 / Bug 2901 / CVE-2015-8138: Zero
Origin Timestamp Bypass, AKA: Additional KoD Checks.
Reported by Jonathan Gardner of Cisco ASIG</li>
<li>Bug 2879 / CVE-2016-1550: Improve NTP security
against buffer comparison timing attacks,
authdecrypt-timing, AKA: authdecrypt-timing.
Reported independently by Loganaden Velvindron,
and Matthew Van Gundy and Stephen Gray of
Cisco ASIG.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-16:16.ntp</freebsdsa>
<cvename>CVE-2015-7704</cvename>
<cvename>CVE-2015-8138</cvename>
<cvename>CVE-2016-1547</cvename>
<cvename>CVE-2016-1548</cvename>
<cvename>CVE-2016-1549</cvename>
<cvename>CVE-2016-1550</cvename>
<cvename>CVE-2016-1551</cvename>
<cvename>CVE-2016-2516</cvename>
<cvename>CVE-2016-2517</cvename>
<cvename>CVE-2016-2518</cvename>
<cvename>CVE-2016-2519</cvename>
<url>http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security</url>
</references>
<dates>
<discovery>2016-04-26</discovery>
<entry>2016-04-27</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="92d44f83-a7bf-41cf-91ee-3d1b8ecf579f">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<name>linux-firefox</name>
<range><lt>46.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.43</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><ge>39.0,1</ge><lt>45.1.0,1</lt></range>
<range><lt>38.8.0,1</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><ge>39.0</ge><lt>45.1.0</lt></range>
<range><lt>38.8.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox46">
<p>MFSA 2016-39 Miscellaneous memory safety hazards (rv:46.0 /
rv:45.1 / rv:38.8)</p>
<p>MFSA 2016-42 Use-after-free and buffer overflow
in Service Workers</p>
<p>MFSA 2016-44 Buffer overflow in libstagefright with
CENC offsets</p>
<p>MFSA 2016-45 CSP not applied to pages sent with
multipart/x-mixed-replace</p>
<p>MFSA 2016-46 Elevation of privilege with
chrome.tabs.update API in web extensions</p>
<p>MFSA 2016-47 Write to invalid HashMap entry through
JavaScript.watch()</p>
<p>MFSA 2016-48 Firefox Health Reports could accept events
from untrusted domains</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2804</cvename>
<cvename>CVE-2016-2805</cvename>
<cvename>CVE-2016-2806</cvename>
<cvename>CVE-2016-2807</cvename>
<cvename>CVE-2016-2808</cvename>
<cvename>CVE-2016-2811</cvename>
<cvename>CVE-2016-2812</cvename>
<cvename>CVE-2016-2814</cvename>
<cvename>CVE-2016-2816</cvename>
<cvename>CVE-2016-2817</cvename>
<cvename>CVE-2016-2820</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-39/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-42/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-44/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-45/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-46/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-47/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-48/</url>
</references>
<dates>
<discovery>2016-04-26</discovery>
<entry>2016-04-26</entry>
</dates>
</vuln>
<vuln vid="f87a9376-0943-11e6-8fc4-00a0986f28c4">
<topic>phpmyfaq -- cross-site request forgery vulnerability</topic>
<affects>
<package>
<name>phpmyfaq</name>
<range><lt>2.8.27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyFAQ team reports:</p>
<blockquote cite="http://www.phpmyfaq.de/security/advisory-2016-04-11">
<p>The vulnerability exists because the application does not properly
verify the origin of HTTP requests in the "Interface Translation"
functionality. A remote unauthenticated attacker can create
a specially crafted malicious web page with a CSRF exploit, trick
a logged-in administrator into visiting the page, spoof the HTTP
request as if it were coming from the legitimate user, and inject
and execute arbitrary PHP code on the target system with the privileges
of the webserver.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyfaq.de/security/advisory-2016-04-11</url>
<url>https://www.htbridge.com/advisory/HTB23300</url>
</references>
<dates>
<discovery>2016-04-11</discovery>
<entry>2016-04-23</entry>
</dates>
</vuln>
<vuln vid="1b0d2938-0766-11e6-94fa-002590263bf5">
<topic>libtasn1 -- denial of service parsing malicious DER certificates</topic>
<affects>
<package>
<name>libtasn1</name>
<range><lt>4.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GNU Libtasn1 NEWS reports:</p>
<blockquote cite="http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=blob_plain;f=NEWS;hb=e9bcdc86b920d72c9cffc2570d14eea2f6365b37">
<p>Fixes to avoid an infinite recursion when decoding without the
ASN1_DECODE_FLAG_STRICT_DER flag. Reported by Pascal Cuoq.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4008</cvename>
<url>http://www.openwall.com/lists/oss-security/2016/04/13/3</url>
<url>http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=blob_plain;f=NEWS;hb=e9bcdc86b920d72c9cffc2570d14eea2f6365b37</url>
</references>
<dates>
<discovery>2016-04-11</discovery>
<entry>2016-04-21</entry>
</dates>
</vuln>
<vuln vid="e05bfc92-0763-11e6-94fa-002590263bf5">
<topic>squid -- multiple vulnerabilities</topic>
<affects>
<package>
<name>squid</name>
<range><lt>3.5.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2016:5 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_5.txt">
<p>Due to incorrect buffer management the Squid cachemgr.cgi tool is
vulnerable to a buffer overflow when processing remotely supplied
inputs relayed to it from Squid.</p>
<p>This problem allows any client to seed the Squid manager reports
with data that will cause a buffer overflow when processed by the
cachemgr.cgi tool. However, this does require manual administrator
actions to take place, which greatly reduces the impact and
possible uses.</p>
</blockquote>
<p>Squid security advisory 2016:6 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_6.txt">
<p>Due to buffer overflow issues Squid is vulnerable to a denial of
service attack when processing ESI responses. Due to incorrect input
validation Squid is vulnerable to public information disclosure of
the server stack layout when processing ESI responses. Due to
incorrect input validation and buffer overflow Squid is vulnerable
to remote code execution when processing ESI responses.</p>
<p>These problems allow ESI components to be used to perform a denial
of service attack on the Squid service and all other services on the
same machine. Under certain build conditions these problems allow
remote clients to view large sections of the server memory. However,
the bugs are exploitable only if you have built and configured the
ESI features to be used by a reverse-proxy and if the ESI components
being processed by Squid can be controlled by an attacker.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4051</cvename>
<cvename>CVE-2016-4052</cvename>
<cvename>CVE-2016-4053</cvename>
<cvename>CVE-2016-4054</cvename>
<freebsdpr>ports/208939</freebsdpr>
<url>http://www.squid-cache.org/Advisories/SQUID-2016_5.txt</url>
<url>http://www.squid-cache.org/Advisories/SQUID-2016_6.txt</url>
</references>
<dates>
<discovery>2016-04-20</discovery>
<entry>2016-04-21</entry>
</dates>
</vuln>
<vuln vid="253c6889-06f0-11e6-925f-6805ca0b3d42">
<topic>ansible -- use of predictable paths in lxc_container</topic>
<affects>
<package>
<name>ansible</name>
<range><ge>2.0.0.0</ge><lt>2.0.2.0</lt></range>
</package>
<package>
<name>ansible1</name>
<range><lt>1.9.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ansible developers report:</p>
<blockquote cite="https://github.com/ansible/ansible-modules-extras/pull/1941/commits/8c6fe646ee79f5e55361b885b7efed5bec72d4a4">
<p>CVE-2016-3096: do not use predictable paths in lxc_container</p>
<ul>
<li>do not use a predictable filename for the LXC attach
script</li>
<li>don't use predictable filenames for LXC attach script
logging</li>
<li>don't set a predictable archive_path</li>
</ul>
<p>this should prevent symlink attacks which could result
in</p>
<ul>
<li>data corruption</li>
<li>data leakage</li>
<li>privilege escalation</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3096</cvename>
<url>https://github.com/ansible/ansible-modules-extras/pull/1941/commits/8c6fe646ee79f5e55361b885b7efed5bec72d4a4</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1322925</url>
</references>
<dates>
<discovery>2016-04-02</discovery>
<entry>2016-04-20</entry>
</dates>
</vuln>
<vuln vid="a733b5ca-06eb-11e6-817f-3085a9a4510d">
<topic>proftpd -- vulnerability in mod_tls</topic>
<affects>
<package>
<name>proftpd</name>
<range><lt>1.3.5b</lt></range>
<range><eq>1.3.6.r1</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3125">
<p>The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before
1.3.6rc2 does not properly handle the TLSDHParamFile directive, which
might cause a weaker than intended Diffie-Hellman (DH) key to be used
and consequently allow attackers to have unspecified impact via
unknown vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3125</cvename>
</references>
<dates>
<discovery>2016-03-08</discovery>
<entry>2016-04-20</entry>
</dates>
</vuln>
<vuln vid="6d8505f0-0614-11e6-b39c-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>50.0.2661.75</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_13.html">
<p>20 security fixes in this release, including:</p>
<ul>
<li>[590275] High CVE-2016-1652: Universal XSS in extension
bindings. Credit to anonymous.</li>
<li>[589792] High CVE-2016-1653: Out-of-bounds write in V8. Credit
to Choongwoo Han.</li>
<li>[591785] Medium CVE-2016-1651: Out-of-bounds read in Pdfium
JPEG2000 decoding. Credit to kdot working with HP's Zero Day
Initiative.</li>
<li>[589512] Medium CVE-2016-1654: Uninitialized memory read in
media. Credit to Atte Kettunen of OUSPG.</li>
<li>[582008] Medium CVE-2016-1655: Use-after-free related to
extensions. Credit to Rob Wu.</li>
<li>[570750] Medium CVE-2016-1656: Android downloaded file path
restriction bypass. Credit to Dzmitry Lukyanenko.</li>
<li>[567445] Medium CVE-2016-1657: Address bar spoofing. Credit to
Luan Herrera.</li>
<li>[573317] Low CVE-2016-1658: Potential leak of sensitive
information to malicious extensions. Credit to Antonio Sanso
(@asanso) of Adobe.</li>
<li>[602697] CVE-2016-1659: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1651</cvename>
<cvename>CVE-2016-1652</cvename>
<cvename>CVE-2016-1653</cvename>
<cvename>CVE-2016-1654</cvename>
<cvename>CVE-2016-1655</cvename>
<cvename>CVE-2016-1656</cvename>
<cvename>CVE-2016-1657</cvename>
<cvename>CVE-2016-1658</cvename>
<cvename>CVE-2016-1659</cvename>
<url>http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_13.html</url>
</references>
<dates>
<discovery>2016-04-13</discovery>
<entry>2016-04-19</entry>
</dates>
</vuln>
<vuln vid="976567f6-05c5-11e6-94fa-002590263bf5">
<topic>wpa_supplicant -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wpa_supplicant</name>
<range><lt>2.5_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jouni Malinen reports:</p>
<blockquote cite="http://w1.fi/security/2015-6/wpa_supplicant-unauthorized-wnm-sleep-mode-gtk-control.txt">
<p>wpa_supplicant unauthorized WNM Sleep Mode GTK control. (2015-6 -
CVE-2015-5310)</p>
</blockquote>
<blockquote cite="http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt">
<p>EAP-pwd missing last fragment length validation. (2015-7 -
CVE-2015-5315)</p>
</blockquote>
<blockquote cite="http://w1.fi/security/2015-8/eap-pwd-unexpected-confirm.txt">
<p>EAP-pwd peer error path failure on unexpected Confirm message.
(2015-8 - CVE-2015-5316)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5310</cvename>
<cvename>CVE-2015-5315</cvename>
<cvename>CVE-2015-5316</cvename>
<freebsdpr>ports/208482</freebsdpr>
<url>http://w1.fi/security/2015-6/wpa_supplicant-unauthorized-wnm-sleep-mode-gtk-control.txt</url>
<url>http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt</url>
<url>http://w1.fi/security/2015-8/eap-pwd-unexpected-confirm.txt</url>
</references>
<dates>
<discovery>2015-11-10</discovery>
<entry>2016-04-19</entry>
</dates>
</vuln>
<vuln vid="092156c9-04d7-11e6-b1ce-002590263bf5">
<topic>dhcpcd -- remote code execution/denial of service</topic>
<affects>
<package>
<name>dhcpcd</name>
<range><lt>6.9.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7912">
<p>The get_option function in dhcp.c in dhcpcd before 6.2.0, as used
in dhcpcd 5.x in Android before 5.1 and other products, does not
validate the relationship between length fields and the amount of
data, which allows remote DHCP servers to execute arbitrary code or
cause a denial of service (memory corruption) via a large length
value of an option in a DHCPACK message.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-7912</cvename>
<url>http://roy.marples.name/projects/dhcpcd/info/d71cfd8aa203bffe</url>
</references>
<dates>
<discovery>2015-06-19</discovery>
<entry>2016-04-17</entry>
</dates>
</vuln>
<vuln vid="6ec9f210-0404-11e6-9aee-bc5ff4fb5ea1">
<topic>dhcpcd -- remote code execution/denial of service</topic>
<affects>
<package>
<name>dhcpcd</name>
<range><lt>6.10.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7913">
<p>The print_option function in dhcp-common.c in dhcpcd through 6.9.1,
as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other
products, misinterprets the return value of the snprintf function,
which allows remote DHCP servers to execute arbitrary code or cause
a denial of service (memory corruption) via a crafted message.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-7913</cvename>
<freebsdpr>ports/208702</freebsdpr>
<url>http://roy.marples.name/projects/dhcpcd/info/528541c4c619520e</url>
</references>
<dates>
<discovery>2016-01-22</discovery>
<entry>2016-04-17</entry>
</dates>
</vuln>
<vuln vid="e21474c6-031a-11e6-aa86-001999f8d30b">
<topic>PJSIP -- TCP denial of service in PJProject</topic>
<affects>
<package>
<name>pjsip</name>
<range><le>2.4.5</le></range>
</package>
<package>
<name>pjsip-extsrtp</name>
<range><le>2.4.5</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>PJProject has a limit on the number of TCP connections
that it can accept. Furthermore, PJProject does not close
TCP connections it accepts. By default, this value is
approximately 60.</p>
<p>An attacker can deplete the number of allowed TCP
connections by opening TCP connections and sending no
data to Asterisk.</p>
<p>If PJProject has been compiled in debug mode, then
once the number of allowed TCP connections has been
depleted, the next attempted TCP connection to Asterisk
will crash due to an assertion in PJProject.</p>
<p>If PJProject has not been compiled in debug mode, then
any further TCP connection attempts will be rejected.
This makes Asterisk unable to process TCP SIP traffic.</p>
<p>Note that this only affects TCP/TLS, since UDP is
connectionless.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2016-005.html</url>
</references>
<dates>
<discovery>2016-02-15</discovery>
<entry>2016-04-15</entry>
</dates>
</vuln>
<vuln vid="ee50726e-0319-11e6-aa86-001999f8d30b">
<topic>asterisk -- Long Contact URIs in REGISTER requests can crash Asterisk</topic>
<affects>
<package>
<name>asterisk13</name>
<range><lt>13.8.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>Asterisk may crash when processing an incoming REGISTER
request if that REGISTER contains a Contact header with
a lengthy URI.</p>
<p>This crash will only happen for requests that pass
authentication. Unauthenticated REGISTER requests will
not result in a crash occurring.</p>
<p>This vulnerability only affects Asterisk when using
PJSIP as its SIP stack. The chan_sip module does not have
this problem.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2016-004.html</url>
</references>
<dates>
<discovery>2016-01-19</discovery>
<entry>2016-04-15</entry>
</dates>
</vuln>
<vuln vid="f2217cdf-01e4-11e6-b1ce-002590263bf5">
<topic>go -- remote denial of service</topic>
<affects>
<package>
<name>go</name>
<range><lt>1.6.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jason Buberel reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/04/05/2">
<p>Go has an infinite loop in several big integer routines that makes
Go programs vulnerable to remote denial of service attacks. Programs
using HTTPS client authentication or the Go ssh server libraries are
both exposed to this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3959</cvename>
<url>http://www.openwall.com/lists/oss-security/2016/04/05/2</url>
<url>https://golang.org/cl/21533</url>
</references>
<dates>
<discovery>2016-04-05</discovery>
<entry>2016-04-14</entry>
</dates>
</vuln>
<vuln vid="a636fc26-00d9-11e6-b704-000c292e4fd8">
<topic>samba -- multiple vulnerabilities</topic>
<affects>
<package>
<name>samba36</name>
<range><ge>3.6.0</ge><le>3.6.25_3</le></range>
</package>
<package>
<name>samba4</name>
<range><ge>4.0.0</ge><le>4.0.26</le></range>
</package>
<package>
<name>samba41</name>
<range><ge>4.1.0</ge><le>4.1.23</le></range>
</package>
<package>
<name>samba42</name>
<range><ge>4.2.0</ge><lt>4.2.11</lt></range>
</package>
<package>
<name>samba43</name>
<range><ge>4.3.0</ge><lt>4.3.8</lt></range>
</package>
<package>
<name>samba44</name>
<range><ge>4.4.0</ge><lt>4.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samba team reports:</p>
<blockquote cite="https://www.samba.org/samba/latest_news.html#4.4.2">
<p>[CVE-2015-5370] Errors in Samba DCE-RPC code can lead to denial of service
(crashes and high cpu consumption) and man in the middle attacks.</p>
<p>[CVE-2016-2110] The feature negotiation of NTLMSSP is not downgrade protected.
A man in the middle is able to clear even required flags, especially
NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL.</p>
<p>[CVE-2016-2111] When Samba is configured as Domain Controller it allows remote
attackers to spoof the computer name of a secure channel's endpoints, and obtain
sensitive session information, by running a crafted application and leveraging
the ability to sniff network traffic.</p>
<p>[CVE-2016-2112] A man in the middle is able to downgrade LDAP connections
to no integrity protection.</p>
<p>[CVE-2016-2113] Man in the middle attacks are possible for client triggered LDAP
connections (with ldaps://) and ncacn_http connections (with https://).</p>
<p>[CVE-2016-2114] Due to a bug Samba doesn't enforce required smb signing, even if explicitly configured.</p>
<p>[CVE-2016-2115] The protection of DCERPC communication over ncacn_np (which is
the default for most of the file server related protocols) is inherited from the underlying SMB connection.</p>
<p>[CVE-2016-2118] a.k.a. BADLOCK. A man in the middle can intercept any DCERPC traffic
between a client and a server in order to impersonate the client and get the same privileges
as the authenticated user account. This is most problematic against active directory domain controllers.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5370</cvename>
<url>https://www.samba.org/samba/security/CVE-2015-5370.html</url>
<cvename>CVE-2016-2110</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2110.html</url>
<cvename>CVE-2016-2111</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2111.html</url>
<cvename>CVE-2016-2112</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2112.html</url>
<cvename>CVE-2016-2113</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2113.html</url>
<cvename>CVE-2016-2114</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2114.html</url>
<cvename>CVE-2016-2115</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2115.html</url>
<cvename>CVE-2016-2118</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2118.html</url>
</references>
<dates>
<discovery>2016-04-12</discovery>
<entry>2016-04-12</entry>
<modified>2016-04-12</modified>
</dates>
</vuln>
<vuln vid="482d40cb-f9a3-11e5-92ce-002590263bf5">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php70</name>
<name>php70-fileinfo</name>
<name>php70-mbstring</name>
<name>php70-phar</name>
<name>php70-snmp</name>
<range><lt>7.0.5</lt></range>
</package>
<package>
<name>php56</name>
<name>php56-fileinfo</name>
<name>php56-mbstring</name>
<name>php56-phar</name>
<name>php56-snmp</name>
<range><lt>5.6.20</lt></range>
</package>
<package>
<name>php55</name>
<name>php55-fileinfo</name>
<name>php55-mbstring</name>
<name>php55-phar</name>
<name>php55-snmp</name>
<range><lt>5.5.34</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP Group reports:</p>
<blockquote cite="http://php.net/ChangeLog-7.php#7.0.5">
<ul><li>Fileinfo:
<ul>
<li>Fixed bug #71527 (Buffer over-write in finfo_open with
malformed magic file).</li>
</ul></li>
<li>mbstring:
<ul>
<li>Fixed bug #71906 (AddressSanitizer: negative-size-param (-1)
in mbfl_strcut).</li>
</ul></li>
<li>Phar:
<ul>
<li>Fixed bug #71860 (Invalid memory write in phar on filename with
\0 in name).</li>
</ul></li>
<li>SNMP:
<ul>
<li>Fixed bug #71704 (php_snmp_error() Format String Vulnerability).
</li>
</ul></li>
<li>Standard:
<ul>
<li>Fixed bug #71798 (Integer Overflow in php_raw_url_encode).</li>
</ul></li>
</ul>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/208465</freebsdpr>
<url>http://php.net/ChangeLog-7.php#7.0.5</url>
<url>http://php.net/ChangeLog-5.php#5.6.20</url>
<url>http://php.net/ChangeLog-5.php#5.5.34</url>
</references>
<dates>
<discovery>2016-03-31</discovery>
<entry>2016-04-03</entry>
</dates>
</vuln>
<vuln vid="497b82e0-f9a0-11e5-92ce-002590263bf5">
<topic>pcre -- heap overflow vulnerability</topic>
<affects>
<package>
<name>pcre</name>
<range><lt>8.38_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mitre reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1283">
<p>The pcre_compile2 function in pcre_compile.c in PCRE 8.38
mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'&lt;((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/
pattern and related patterns with named subgroups, which allows
remote attackers to cause a denial of service (heap-based buffer
overflow) or possibly have unspecified other impact via a crafted
regular expression, as demonstrated by a JavaScript RegExp object
encountered by Konqueror.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1283</cvename>
<freebsdpr>ports/208260</freebsdpr>
<url>https://bugs.exim.org/show_bug.cgi?id=1767</url>
</references>
<dates>
<discovery>2016-02-27</discovery>
<entry>2016-04-03</entry>
</dates>
</vuln>
<vuln vid="df328fac-f942-11e5-92ce-002590263bf5">
<topic>py-djblets -- Self-XSS vulnerability</topic>
<affects>
<package>
<name>py27-djblets</name>
<name>py32-djblets</name>
<name>py33-djblets</name>
<name>py34-djblets</name>
<name>py35-djblets</name>
<range><lt>0.9.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Djblets Release Notes reports:</p>
<blockquote cite="https://www.reviewboard.org/docs/releasenotes/djblets/0.9.2/">
<p>A recently-discovered vulnerability in the datagrid templates allows an
attacker to generate a URL to any datagrid page containing malicious code
in a column sorting value. If the user visits that URL and then clicks
that column, the code will execute.</p>
<p>The cause of the vulnerability was due to a template not escaping
user-provided values.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.reviewboard.org/docs/releasenotes/djblets/0.9.2/</url>
</references>
<dates>
<discovery>2016-03-01</discovery>
<entry>2016-04-03</entry>
</dates>
</vuln>
<vuln vid="a430e15d-f93f-11e5-92ce-002590263bf5">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle28</name>
<range><lt>2.8.11</lt></range>
</package>
<package>
<name>moodle29</name>
<range><lt>2.9.5</lt></range>
</package>
<package>
<name>moodle30</name>
<range><lt>3.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marina Glancy reports:</p>
<blockquote cite="https://moodle.org/security/">
<ul>
<li><p>MSA-16-0003: Incorrect capability check when displaying
users emails in Participants list</p></li>
<li><p>MSA-16-0004: XSS from profile fields from external db</p>
</li>
<li><p>MSA-16-0005: Reflected XSS in mod_data advanced search</p>
</li>
<li><p>MSA-16-0006: Hidden courses are shown to students in Event
Monitor</p></li>
<li><p>MSA-16-0007: Non-Editing Instructor role can edit exclude
checkbox in Single View</p></li>
<li><p>MSA-16-0008: External function get_calendar_events return
events that pertains to hidden activities</p></li>
<li><p>MSA-16-0009: CSRF in Assignment plugin management page</p>
</li>
<li><p>MSA-16-0010: Enumeration of category details possible without
authentication</p></li>
<li><p>MSA-16-0011: Add no referrer to links with _blank target
attribute</p></li>
<li><p>MSA-16-0012: External function mod_assign_save_submission
does not check due dates</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2151</cvename>
<cvename>CVE-2016-2152</cvename>
<cvename>CVE-2016-2153</cvename>
<cvename>CVE-2016-2154</cvename>
<cvename>CVE-2016-2155</cvename>
<cvename>CVE-2016-2156</cvename>
<cvename>CVE-2016-2157</cvename>
<cvename>CVE-2016-2158</cvename>
<cvename>CVE-2016-2190</cvename>
<cvename>CVE-2016-2159</cvename>
<url>https://moodle.org/security/</url>
</references>
<dates>
<discovery>2016-03-21</discovery>
<entry>2016-04-03</entry>
</dates>
</vuln>
<vuln vid="297117ba-f92d-11e5-92ce-002590263bf5"> | |
<topic>squid -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>squid</name> | |
<range><lt>3.5.16</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Squid security advisory 2016:3 reports:</p> | |
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_3.txt"> | |
<p>Due to a buffer overrun Squid pinger binary is vulnerable to | |
denial of service or information leak attack when processing | |
ICMPv6 packets.</p> | |
<p>This bug also permits the server response to manipulate other | |
ICMP and ICMPv6 queries processing to cause information leak.</p> | |
<p>This bug allows any remote server to perform a denial of service | |
attack on the Squid service by crashing the pinger. This may | |
affect Squid HTTP routing decisions. In some configurations, | |
sub-optimal routing decisions may result in serious service | |
degradation or even transaction failures.</p> | |
<p>If the system does not contain buffer-overrun protection leading | |
to that crash this bug will instead allow attackers to leak | |
arbitrary amounts of information from the heap into Squid log | |
files. This is of higher importance than usual because the pinger | |
process operates with root privileges.</p> | |
</blockquote> | |
<p>Squid security advisory 2016:4 reports:</p> | |
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_4.txt"> | |
<p>Due to incorrect bounds checking Squid is vulnerable to a denial | |
of service attack when processing HTTP responses.</p> | |
<p>This problem allows a malicious client script and remote server | |
delivering certain unusual HTTP response syntax to trigger a | |
denial of service for all clients accessing the Squid service.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-3947</cvename> | |
<cvename>CVE-2016-3948</cvename> | |
<freebsdpr>ports/208463</freebsdpr> | |
<url>http://www.squid-cache.org/Advisories/SQUID-2016_3.txt</url> | |
<url>http://www.squid-cache.org/Advisories/SQUID-2016_4.txt</url> | |
</references> | |
<dates> | |
<discovery>2016-03-28</discovery> | |
<entry>2016-04-02</entry> | |
</dates> | |
</vuln> | |
<vuln vid="97a24d2e-f74c-11e5-8458-6cc21735f730"> | |
<topic>PostgreSQL -- minor security problems.</topic> | |
<affects> | |
<package> | |
<name>postgresql95-server</name> | |
<name>postgresql95-contrib</name> | |
<range><ge>9.5.0</ge><lt>9.5.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>PostgreSQL project reports:</p> | |
<blockquote cite="http://www.postgresql.org/about/news/1656/"> | |
<p>Security Fixes for RLS, BRIN</p> | |
<p> | |
This release closes security hole CVE-2016-2193 | |
(https://access.redhat.com/security/cve/CVE-2016-2193), where a query | |
plan might get reused for more than one ROLE in the same session. | |
This could cause the wrong set of Row Level Security (RLS) policies to | |
be used for the query.</p> | |
<p> | |
The update also fixes CVE-2016-3065 | |
(https://access.redhat.com/security/cve/CVE-2016-3065), a server crash | |
bug triggered by using `pageinspect` with BRIN index pages. Since an | |
attacker might be able to expose a few bytes of server memory, this | |
crash is being treated as a security issue.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2193</cvename> | |
<cvename>CVE-2016-3065</cvename> | |
</references> | |
<dates> | |
<discovery>2016-03-01</discovery> | |
<entry>2016-03-31</entry> | |
</dates> | |
</vuln> | |
<vuln vid="f7b3d1eb-f738-11e5-a710-0011d823eebd"> | |
<topic>flash -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>linux-c6-flashplugin</name> | |
<name>linux-f10-flashplugin</name> | |
<name>linux-c6_64-flashplugin</name> | |
<range><lt>11.2r202.577</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Adobe reports:</p> | |
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-08.html"> | |
<p>These updates resolve integer overflow vulnerabilities that | |
could lead to code execution (CVE-2016-0963, CVE-2016-0993, | |
CVE-2016-1010).</p> | |
<p>These updates resolve use-after-free vulnerabilities that could | |
lead to code execution (CVE-2016-0987, CVE-2016-0988, | |
CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, | |
CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, | |
CVE-2016-1000).</p> | |
<p>These updates resolve a heap overflow vulnerability that could | |
lead to code execution (CVE-2016-1001).</p> | |
<p>These updates resolve memory corruption vulnerabilities that | |
could lead to code execution (CVE-2016-0960, CVE-2016-0961, | |
CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, | |
CVE-2016-1002, CVE-2016-1005).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-0960</cvename> | |
<cvename>CVE-2016-0961</cvename> | |
<cvename>CVE-2016-0962</cvename> | |
<cvename>CVE-2016-0963</cvename> | |
<cvename>CVE-2016-0986</cvename> | |
<cvename>CVE-2016-0987</cvename> | |
<cvename>CVE-2016-0988</cvename> | |
<cvename>CVE-2016-0989</cvename> | |
<cvename>CVE-2016-0990</cvename> | |
<cvename>CVE-2016-0991</cvename> | |
<cvename>CVE-2016-0992</cvename> | |
<cvename>CVE-2016-0993</cvename> | |
<cvename>CVE-2016-0994</cvename> | |
<cvename>CVE-2016-0995</cvename> | |
<cvename>CVE-2016-0996</cvename> | |
<cvename>CVE-2016-0997</cvename> | |
<cvename>CVE-2016-0998</cvename> | |
<cvename>CVE-2016-0999</cvename> | |
<cvename>CVE-2016-1000</cvename> | |
<cvename>CVE-2016-1001</cvename> | |
<cvename>CVE-2016-1002</cvename> | |
<cvename>CVE-2016-1005</cvename> | |
<cvename>CVE-2016-1010</cvename> | |
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-08.html</url> | |
</references> | |
<dates> | |
<discovery>2016-03-10</discovery> | |
<entry>2016-03-31</entry> | |
</dates> | |
</vuln> | |
<vuln vid="4cd9b19f-f66d-11e5-b94c-001999f8d30b"> | |
<topic>Multiple vulnerabilities in Botan</topic> | |
<affects> | |
<package> | |
<name>botan110</name> | |
<range><lt>1.10.11</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The botan developers report:</p> | |
<blockquote cite="http://botan.randombit.net/security.html"> | |
<p>Infinite loop in modular square root algorithm - The ressol function implements the Tonelli-Shanks algorithm for finding square roots could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, as this algorithm is only defined for primes. This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression.</p> | |
<p>Heap overflow on invalid ECC point - The PointGFp constructor did not check that the affine coordinate arguments were less than the prime, but then in curve multiplication assumed that both arguments if multiplied would fit into an integer twice the size of the prime.</p> | |
<p>The bigint_mul and bigint_sqr functions received the size of the output buffer, but only used it to dispatch to a faster algorithm in cases where there was sufficient output space to call an unrolled multiplication function.</p> | |
<p>The result is a heap overflow accessible via ECC point decoding, which accepted untrusted inputs. This is likely exploitable for remote code execution.</p> | |
<p>On systems which use the mlock pool allocator, it would allow an attacker to overwrite memory held in secure_vector objects. After this point the write will hit the guard page at the end of the mmapped region so it probably could not be used for code execution directly, but would allow overwriting adjacent key material.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://botan.randombit.net/security.html</url> | |
<cvename>CVE-2016-2194</cvename> | |
<cvename>CVE-2016-2195</cvename> | |
</references> | |
<dates> | |
<discovery>2016-02-01</discovery> | |
<entry>2016-03-31</entry> | |
</dates> | |
</vuln> | |
<vuln vid="2004616d-f66c-11e5-b94c-001999f8d30b"> | |
<topic>Botan BER Decoder vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>botan110</name> | |
<range><lt>1.10.10</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The botan developers report:</p> | |
<blockquote cite="http://botan.randombit.net/"> | |
<p>Excess memory allocation in BER decoder - The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer.</p> | |
<p>Crash in BER decoder - The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be used to easily crash applications reading untrusted ASN.1 data, but does not seem exploitable for code execution.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://botan.randombit.net/security.html</url> | |
<cvename>CVE-2015-5726</cvename> | |
<cvename>CVE-2015-5727</cvename> | |
</references> | |
<dates> | |
<discovery>2015-08-03</discovery> | |
<entry>2016-03-31</entry> | |
</dates> | |
</vuln> | |
<vuln vid="e1085b15-f609-11e5-a230-0014a5a57822"> | |
<topic>mercurial -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>mercurial</name> | |
<range><lt>2.7.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mercurial reports:</p> | |
<blockquote cite="https://www.mercurial-scm.org/pipermail/mercurial/2016-March/049452.html"> | |
<p>CVE-2016-3630: Remote code execution in binary delta decoding</p> | |
<p>CVE-2016-3068: Arbitrary code execution with Git subrepos</p> | |
<p>CVE-2016-3069: Arbitrary code execution when converting | |
Git repos</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-3630</cvename> | |
<cvename>CVE-2016-3068</cvename> | |
<cvename>CVE-2016-3069</cvename> | |
<url>https://www.mercurial-scm.org/pipermail/mercurial/2016-March/049452.html</url> | |
</references> | |
<dates> | |
<discovery>2016-03-29</discovery> | |
<entry>2016-03-29</entry> | |
</dates> | |
</vuln> | |
<vuln vid="8be8ca39-ae70-4422-bf1a-d8fae6911c5e"> | |
<topic>chromium -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>chromium</name> | |
<name>chromium-npapi</name> | |
<name>chromium-pulse</name> | |
<range><lt>49.0.2623.108</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Google Chrome Releases reports:</p> | |
<blockquote cite="http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_24.html"> | |
<p>[594574] High CVE-2016-1646: Out-of-bounds read in V8.</p> | |
<p>[590284] High CVE-2016-1647: Use-after-free in Navigation.</p> | |
<p>[590455] High CVE-2016-1648: Use-after-free in Extensions.</p> | |
<p>[597518] CVE-2016-1650: Various fixes from internal audits, | |
fuzzing and other initiatives.</p> | |
<p>Multiple vulnerabilities in V8 fixed at the tip of the | |
4.9 branch.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1646</cvename> | |
<cvename>CVE-2016-1647</cvename> | |
<cvename>CVE-2016-1648</cvename> | |
<cvename>CVE-2016-1649</cvename> | |
<cvename>CVE-2016-1650</cvename> | |
<url>http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_24.html</url> | |
</references> | |
<dates> | |
<discovery>2016-03-24</discovery> | |
<entry>2016-03-29</entry> | |
</dates> | |
</vuln> | |
<vuln vid="5c288f68-c7ca-4c0d-b7dc-1ec6295200b3"> | |
<topic>chromium -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>chromium</name> | |
<name>chromium-npapi</name> | |
<name>chromium-pulse</name> | |
<range><lt>49.0.2623.87</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Google Chrome Releases reports:</p> | |
<blockquote cite="http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_8.html"> | |
<p>[589838] High CVE-2016-1643: Type confusion in Blink.</p> | |
<p>[590620] High CVE-2016-1644: Use-after-free in Blink.</p> | |
<p>[587227] High CVE-2016-1645: Out-of-bounds write in PDFium.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1643</cvename> | |
<cvename>CVE-2016-1644</cvename> | |
<cvename>CVE-2016-1645</cvename> | |
<url>http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_8.html</url> | |
</references> | |
<dates> | |
<discovery>2016-03-08</discovery> | |
<entry>2016-03-29</entry> | |
</dates> | |
</vuln> | |
<vuln vid="cd409df7-f483-11e5-92ce-002590263bf5"> | |
<topic>bind -- denial of service vulnerability</topic> | |
<affects> | |
<package> | |
<name>bind910</name> | |
<range><ge>9.10.0</ge><lt>9.10.3P4</lt></range> | |
</package> | |
<package> | |
<name>bind9-devel</name> | |
<range><lt>9.11.0.a20160309</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ISC reports:</p> | |
<blockquote cite="https://kb.isc.org/article/AA-01351"> | |
<p>A response containing multiple DNS cookies causes servers with | |
cookie support enabled to exit with an assertion failure.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2088</cvename> | |
<url>https://kb.isc.org/article/AA-01351</url> | |
</references> | |
<dates> | |
<discovery>2016-03-09</discovery> | |
<entry>2016-03-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="cba246d2-f483-11e5-92ce-002590263bf5"> | |
<topic>bind -- denial of service vulnerability</topic> | |
<affects> | |
<package> | |
<name>bind98</name> | |
<range><le>9.8.8</le></range> | |
</package> | |
<package> | |
<name>bind99</name> | |
<range><ge>9.9.0</ge><lt>9.9.8P4</lt></range> | |
</package> | |
<package> | |
<name>bind910</name> | |
<range><ge>9.10.0</ge><lt>9.10.3P4</lt></range> | |
</package> | |
<package> | |
<name>bind9-devel</name> | |
<range><lt>9.11.0.a20160309</lt></range> | |
</package> | |
<package> | |
<name>FreeBSD</name> | |
<range><ge>9.3</ge><lt>9.3_38</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ISC reports:</p> | |
<blockquote cite="https://kb.isc.org/article/AA-01353"> | |
<p>A problem parsing resource record signatures for DNAME resource | |
records can lead to an assertion failure in resolver.c or db.c.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1286</cvename> | |
<freebsdsa>SA-16:13.bind</freebsdsa> | |
<url>https://kb.isc.org/article/AA-01353</url> | |
</references> | |
<dates> | |
<discovery>2016-03-09</discovery> | |
<entry>2016-03-28</entry> | |
<modified>2016-08-09</modified> | |
</dates> | |
</vuln> | |
<vuln vid="c9075321-f483-11e5-92ce-002590263bf5"> | |
<topic>bind -- denial of service vulnerability</topic> | |
<affects> | |
<package> | |
<name>bind98</name> | |
<range><le>9.8.8</le></range> | |
</package> | |
<package> | |
<name>bind99</name> | |
<range><ge>9.9.0</ge><lt>9.9.8P4</lt></range> | |
</package> | |
<package> | |
<name>bind910</name> | |
<range><ge>9.10.0</ge><lt>9.10.3P4</lt></range> | |
</package> | |
<package> | |
<name>bind9-devel</name> | |
<range><lt>9.11.0.a20160309</lt></range> | |
</package> | |
<package> | |
<name>FreeBSD</name> | |
<range><ge>9.3</ge><lt>9.3_38</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ISC reports:</p> | |
<blockquote cite="https://kb.isc.org/article/AA-01352"> | |
<p>An error parsing input received by the rndc control channel can | |
cause an assertion failure in sexpr.c or alist.c.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1285</cvename> | |
<freebsdsa>SA-16:13.bind</freebsdsa> | |
<url>https://kb.isc.org/article/AA-01352</url> | |
</references> | |
<dates> | |
<discovery>2016-03-09</discovery> | |
<entry>2016-03-28</entry> | |
<modified>2016-08-09</modified> | |
</dates> | |
</vuln> | |
<vuln vid="6d25c306-f3bb-11e5-92ce-002590263bf5"> | |
<topic>salt -- Insecure configuration of PAM external authentication service</topic> | |
<affects> | |
<package> | |
<name>py27-salt</name> | |
<name>py32-salt</name> | |
<name>py33-salt</name> | |
<name>py34-salt</name> | |
<name>py35-salt</name> | |
<range><lt>2015.5.10</lt></range> | |
<range><ge>2015.8.0</ge><lt>2015.8.8</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>SaltStack reports:</p> | |
<blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html"> | |
<p>This issue affects all Salt versions prior to 2015.8.8/2015.5.10 | |
when PAM external authentication is enabled. This issue involves | |
passing an alternative PAM authentication service with a command | |
that is sent to LocalClient, enabling the attacker to bypass the | |
configured authentication service.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-3176</cvename> | |
<url>https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html</url> | |
</references> | |
<dates> | |
<discovery>2016-03-17</discovery> | |
<entry>2016-03-27</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a258604d-f2aa-11e5-b4a9-ac220bdcec59"> | |
<topic>activemq -- Unsafe deserialization</topic> | |
<affects> | |
<package> | |
<name>activemq</name> | |
<range><lt>5.13.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Alvaro Muñoz, Matthias Kaiser and Christian Schneider report:</p> | |
<blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt"> | |
<p>JMS Object messages depend on Java Serialization for | |
marshaling/unmarshaling of the message payload. There are a couple of places | |
inside the broker where deserialization can occur, like web console or stomp | |
object message transformation. As deserialization of untrusted data can lead to | |
security flaws as demonstrated in various reports, this leaves the broker | |
vulnerable to this attack vector. Additionally, applications that consume | |
ObjectMessage type of messages can be vulnerable as they deserialize objects on | |
ObjectMessage.getObject() calls.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt</url> | |
<cvename>CVE-2015-5254</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-08</discovery> | |
<entry>2016-03-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="950b2d60-f2a9-11e5-b4a9-ac220bdcec59"> | |
<topic>activemq -- Web Console Clickjacking</topic> | |
<affects> | |
<package> | |
<name>activemq</name> | |
<range><lt>5.13.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Michael Furman reports:</p> | |
<blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt"> | |
<p>The web based administration console does not set the | |
X-Frame-Options header in HTTP responses. This allows the console to be embedded | |
in a frame or iframe which could then be used to cause a user to perform an | |
unintended action in the console.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt</url> | |
<cvename>CVE-2016-0734</cvename> | |
</references> | |
<dates> | |
<discovery>2016-03-10</discovery> | |
<entry>2016-03-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a6cc5753-f29e-11e5-b4a9-ac220bdcec59"> | |
<topic>activemq -- Web Console Cross-Site Scripting</topic> | |
<affects> | |
<package> | |
<name>activemq</name> | |
<range><lt>5.13.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Vladimir Ivanov (Positive Technologies) reports:</p> | |
<blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt"> | |
<p>Several instances of cross-site scripting vulnerabilities were | |
identified to be present in the web based administration console as well as the | |
ability to trigger a Java memory dump into an arbitrary folder. The root cause | |
of these issues is improper user data output validation and incorrect | |
permissions configured on Jolokia.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt</url> | |
<cvename>CVE-2016-0782</cvename> | |
</references> | |
<dates> | |
<discovery>2016-03-10</discovery> | |
<entry>2016-03-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="7033b42d-ef09-11e5-b766-14dae9d210b8"> | |
<topic>pcre -- stack buffer overflow</topic> | |
<affects> | |
<package> | |
<name>pcre</name> | |
<range><lt>8.38</lt></range> | |
</package> | |
<package> | |
<name>pcre2</name> | |
<range><lt>10.20_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Philip Hazel reports:</p> | |
<blockquote cite="https://bugs.exim.org/show_bug.cgi?id=1791"> | |
<p>PCRE does not validate that handling the (*ACCEPT) verb | |
will occur within the bounds of the cworkspace stack buffer, leading to | |
a stack buffer overflow.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://bugs.exim.org/show_bug.cgi?id=1791</url> | |
<cvename>CVE-2016-3191</cvename> | |
</references> | |
<dates> | |
<discovery>2016-02-09</discovery> | |
<entry>2016-03-21</entry> | |
<modified>2016-03-21</modified> | |
</dates> | |
</vuln> | |
<vuln vid="c428de09-ed69-11e5-92ce-002590263bf5"> | |
<topic>kamailio -- SEAS Module Heap overflow</topic> | |
<affects> | |
<package> | |
<name>kamailio</name> | |
<range><lt>4.3.5</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Stelios Tsampas reports:</p> | |
<blockquote cite="http://seclists.org/oss-sec/2016/q1/338"> | |
<p>A (remotely exploitable) heap overflow vulnerability was found in | |
Kamailio v4.3.4.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2385</cvename> | |
<url>https://github.com/kamailio/kamailio/commit/f50c9c853e7809810099c970780c30b0765b0643</url> | |
<url>https://census-labs.com/news/2016/03/30/kamailio-seas-heap-overflow/</url> | |
<url>http://seclists.org/oss-sec/2016/q1/338</url> | |
</references> | |
<dates> | |
<discovery>2016-02-15</discovery> | |
<entry>2016-03-19</entry> | |
<modified>2016-04-03</modified> | |
</dates> | |
</vuln> | |
<vuln vid="5dd39f26-ed68-11e5-92ce-002590263bf5"> | |
<topic>hadoop2 -- unauthorized disclosure of data vulnerability</topic> | |
<affects> | |
<package> | |
<name>hadoop2</name> | |
<range><ge>2.6</ge><lt>2.7</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Arun Suresh reports:</p> | |
<blockquote cite="http://mail-archives.apache.org/mod_mbox/hadoop-general/201602.mbox/browser"> | |
<p>RPC traffic from clients, potentially including authentication | |
credentials, may be intercepted by a malicious user with access to | |
run tasks or containers on a cluster.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-1776</cvename> | |
<url>http://mail-archives.apache.org/mod_mbox/hadoop-general/201602.mbox/browser</url> | |
</references> | |
<dates> | |
<discovery>2016-02-15</discovery> | |
<entry>2016-03-19</entry> | |
</dates> | |
</vuln> | |
<vuln vid="d2a84feb-ebe0-11e5-92ce-002590263bf5"> | |
<topic>git -- integer overflow</topic> | |
<affects> | |
<package> | |
<name>git</name> | |
<range><lt>2.4.11</lt></range> | |
<range><ge>2.5.0</ge><lt>2.5.5</lt></range> | |
<range><ge>2.6.0</ge><lt>2.6.6</lt></range> | |
<range><ge>2.7.0</ge><lt>2.7.4</lt></range> | |
</package> | |
<package> | |
<name>git-gui</name> | |
<range><lt>2.4.11</lt></range> | |
<range><ge>2.5.0</ge><lt>2.5.5</lt></range> | |
<range><ge>2.6.0</ge><lt>2.6.6</lt></range> | |
<range><ge>2.7.0</ge><lt>2.7.4</lt></range> | |
</package> | |
<package> | |
<name>git-lite</name> | |
<range><lt>2.4.11</lt></range> | |
<range><ge>2.5.0</ge><lt>2.5.5</lt></range> | |
<range><ge>2.6.0</ge><lt>2.6.6</lt></range> | |
<range><ge>2.7.0</ge><lt>2.7.4</lt></range> | |
</package> | |
<package> | |
<name>git-subversion</name> | |
<range><lt>2.4.11</lt></range> | |
<range><ge>2.5.0</ge><lt>2.5.5</lt></range> | |
<range><ge>2.6.0</ge><lt>2.6.6</lt></range> | |
<range><ge>2.7.0</ge><lt>2.7.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Debian reports:</p> | |
<blockquote cite="https://security-tracker.debian.org/tracker/CVE-2016-2324"> | |
<p>integer overflow due to a loop which adds more to "len".</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2324</cvename> | |
<url>https://security-tracker.debian.org/tracker/CVE-2016-2324</url> | |
<url>https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d</url> | |
</references> | |
<dates> | |
<discovery>2016-02-24</discovery> | |
<entry>2016-03-18</entry> | |
</dates> | |
</vuln> | |
<vuln vid="93ee802e-ebde-11e5-92ce-002590263bf5"> | |
<topic>git -- potential code execution</topic> | |
<affects> | |
<package> | |
<name>git</name> | |
<range><lt>2.7.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Debian reports:</p> | |
<blockquote cite="https://security-tracker.debian.org/tracker/CVE-2016-2315"> | |
<p>"int" is the wrong data type for ... nlen assignment.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2315</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2016/03/15/6</url> | |
<url>https://marc.info/?l=oss-security&amp;m=145809217306686&amp;w=2</url> | |
<url>https://github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305</url> | |
<url>https://security-tracker.debian.org/tracker/CVE-2016-2315</url> | |
</references> | |
<dates> | |
<discovery>2015-09-24</discovery> | |
<entry>2016-03-17</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6d33b3e5-ea03-11e5-85be-14dae9d210b8"> | |
<topic>node -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>node</name> | |
<range><lt>5.7.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Jeremiah Senkpiel reports:</p> | |
<blockquote cite="https://github.com/nodejs/node/commit/805f054cc7791c447dbb960fbf3b179ea05294ac"> | |
<ul> | |
<li><p>Fix a double-free defect in parsing malformed DSA keys | |
that may potentially be used for DoS or memory corruption attacks.</p></li> | |
<li><p>Fix a defect that can cause memory corruption in | |
certain very rare cases.</p></li> | |
<li><p>Fix a defect that makes the CacheBleed Attack possible</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://github.com/nodejs/node/commit/805f054cc7791c447dbb960fbf3b179ea05294ac</url> | |
<cvename>CVE-2016-0702</cvename> | |
<cvename>CVE-2016-0705</cvename> | |
<cvename>CVE-2016-0797</cvename> | |
</references> | |
<dates> | |
<discovery>2016-03-02</discovery> | |
<entry>2016-03-14</entry> | |
</dates> | |
</vuln> | |
<vuln vid="8eb78cdc-e9ec-11e5-85be-14dae9d210b8"> | |
<topic>dropbear -- authorized_keys command= bypass</topic> | |
<affects> | |
<package> | |
<name>dropbear</name> | |
<range><lt>2016.72</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Matt Johnson reports:</p> | |
<blockquote cite="https://matt.ucc.asn.au/dropbear/CHANGES"> | |
<p>Validate X11 forwarding input. Could allow bypass of | |
authorized_keys command= restrictions</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://matt.ucc.asn.au/dropbear/CHANGES</url> | |
<cvename>CVE-2016-3116</cvename> | |
</references> | |
<dates> | |
<discovery>2016-03-11</discovery> | |
<entry>2016-03-14</entry> | |
</dates> | |
</vuln> | |
<vuln vid="77b7ffb7-e937-11e5-8bed-5404a68ad561"> | |
<topic>jpgraph2 -- XSS vulnerability</topic> | |
<affects> | |
<package> | |
<name>jpgraph2</name> | |
<range><lt>3.0.7_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Martin Barbella reports:</p> | |
<blockquote cite="http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded"> | |
<p>JpGraph is an object oriented library for PHP that can be used to create | |
various types of graphs which also contains support for client side | |
image maps. | |
The GetURLArguments function for the JpGraph's Graph class does not | |
properly sanitize the names of get and post variables, leading to a | |
cross site scripting vulnerability.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded</url> | |
</references> | |
<dates> | |
<discovery>2009-12-22</discovery> | |
<entry>2016-03-13</entry> | |
</dates> | |
</vuln> | |
<vuln vid="5af511e5-e928-11e5-92ce-002590263bf5"> | |
<topic>php7 -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>php70</name> | |
<name>php70-soap</name> | |
<range><lt>7.0.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The PHP Group reports:</p> | |
<blockquote cite="http://php.net/ChangeLog-7.php#7.0.4"> | |
<ul><li>Core: | |
<ul> | |
<li>Fixed bug #71637 (Multiple Heap Overflow due to integer | |
overflows in xml/filter_url/addcslashes).</li> | |
</ul></li> | |
<li>SOAP: | |
<ul> | |
<li>Fixed bug #71610 (Type Confusion Vulnerability - SOAP / | |
make_http_soap_request()).</li> | |
</ul></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://php.net/ChangeLog-7.php#7.0.4</url> | |
</references> | |
<dates> | |
<discovery>2016-03-03</discovery> | |
<entry>2016-03-13</entry> | |
</dates> | |
</vuln> | |
<vuln vid="e991ef79-e920-11e5-92ce-002590263bf5"> | |
<topic>php5 -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>php55-phar</name> | |
<name>php55-wddx</name> | |
<range><lt>5.5.33</lt></range> | |
</package> | |
<package> | |
<name>php56-phar</name> | |
<name>php56-wddx</name> | |
<range><lt>5.6.19</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The PHP Group reports:</p> | |
<blockquote cite="http://php.net/ChangeLog-5.php#5.6.19"> | |
<ul><li>Phar: | |
<ul> | |
<li>Fixed bug #71498 (Out-of-Bound Read in phar_parse_zipfile()). | |
</li> | |
</ul></li> | |
<li>WDDX: | |
<ul> | |
<li>Fixed bug #71587 (Use-After-Free / Double-Free in WDDX | |
Deserialize).</li> | |
</ul></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://php.net/ChangeLog-5.php#5.6.19</url> | |
<url>http://php.net/ChangeLog-5.php#5.5.33</url> | |
</references> | |
<dates> | |
<discovery>2016-03-03</discovery> | |
<entry>2016-03-13</entry> | |
</dates> | |
</vuln> | |
<vuln vid="e4644df8-e7da-11e5-829d-c80aa9043978"> | |
<topic>openssh -- command injection when X11Forwarding is enabled</topic> | |
<affects> | |
<package> | |
<name>openssh-portable</name> | |
<range><lt>7.2.p2,1</lt></range> | |
</package> | |
<package> | |
<name>FreeBSD</name> | |
<range><ge>10.2</ge><lt>10.2_14</lt></range> | |
<range><ge>10.1</ge><lt>10.1_31</lt></range> | |
<range><ge>9.3</ge><lt>9.3_39</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The OpenSSH project reports:</p> | |
<blockquote cite="http://www.openssh.com/txt/x11fwd.adv"> | |
<p>Missing sanitisation of untrusted input allows an | |
authenticated user who is able to request X11 forwarding | |
to inject commands to xauth(1). | |
</p> | |
<p>Injection of xauth commands grants the ability to read | |
arbitrary files under the authenticated user's privilege. | |
Other xauth commands allow limited information leakage, | |
file overwrite, port probing and generally expose xauth(1), | |
which was not written with a hostile user in mind, as an | |
attack surface. | |
</p> | |
<p>Mitigation:</p> | |
<p>Set X11Forwarding=no in sshd_config. This is the default.</p> | |
<p>For authorized_keys that specify a "command" restriction, | |
also set the "restrict" (available in OpenSSH >=7.2) or | |
"no-x11-forwarding" restrictions. | |
</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.openssh.com/txt/x11fwd.adv</url> | |
<cvename>CVE-2016-3115</cvename> | |
<freebsdsa>SA-16:14.openssh</freebsdsa> | |
</references> | |
<dates> | |
<discovery>2016-03-11</discovery> | |
<entry>2016-03-11</entry> | |
<modified>2016-08-09</modified> | |
</dates> | |
</vuln> | |
<vuln vid="70c44cd0-e717-11e5-85be-14dae9d210b8">
<topic>quagga -- stack based buffer overflow vulnerability</topic>
<affects>
<package>
<name>quagga</name>
<range><lt>1.0.20160309</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Donald Sharp reports:</p>
<blockquote cite="https://www.kb.cert.org/vuls/id/270232">
<p>A malicious BGP peer may execute arbitrary code in
particularly configured remote bgpd hosts.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.kb.cert.org/vuls/id/270232</url>
<url>http://savannah.nongnu.org/forum/forum.php?forum_id=8476</url>
<cvename>CVE-2016-2342</cvename>
</references>
<dates>
<discovery>2016-01-27</discovery>
<entry>2016-03-10</entry>
</dates>
</vuln>
<vuln vid="d71831ef-e6f8-11e5-85be-14dae9d210b8">
<topic>ricochet -- information disclosure</topic>
<affects>
<package>
<name>ricochet</name>
<range><lt>1.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>special reports:</p>
<blockquote cite="https://github.com/ricochet-im/ricochet/releases/tag/v1.1.2">
<p>By sending a nickname with some HTML tags in a contact
request, an attacker could cause Ricochet to make network requests
without Tor after the request is accepted, which would reveal the user's
IP address.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/ricochet-im/ricochet/releases/tag/v1.1.2</url>
</references>
<dates>
<discovery>2016-02-15</discovery>
<entry>2016-03-10</entry>
</dates>
</vuln>
<vuln vid="77e0b631-e6cf-11e5-85be-14dae9d210b8">
<topic>pidgin-otr -- use after free</topic>
<affects>
<package>
<name>pidgin-otr</name>
<range><lt>4.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Hanno Böck reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2016/q1/572">
<p>The pidgin-otr plugin version 4.0.2 fixes a heap use after
free error.
The bug is triggered when a user tries to authenticate a buddy and
happens in the function create_smp_dialog.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2016/q1/572</url>
<url>https://bugs.otr.im/issues/88</url>
<url>https://bugs.otr.im/issues/128</url>
<cvename>CVE-2015-8833</cvename>
</references>
<dates>
<discovery>2015-04-04</discovery>
<entry>2016-03-10</entry>
</dates>
</vuln>
<vuln vid="c2b1652c-e647-11e5-85be-14dae9d210b8">
<topic>libotr -- integer overflow</topic>
<affects>
<package>
<name>libotr</name>
<range><lt>4.1.1</lt></range>
</package>
<package>
<name>libotr3</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>X41 D-Sec reports:</p>
<blockquote cite="https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/">
<p>A remote attacker may crash or execute arbitrary code in
libotr by sending large OTR messages.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/</url>
<cvename>CVE-2016-2851</cvename>
</references>
<dates>
<discovery>2016-02-17</discovery>
<entry>2016-03-09</entry>
<modified>2016-03-09</modified>
</dates>
</vuln>
<vuln vid="1bcfd963-e483-41b8-ab8e-bad5c3ce49c9">
<topic>brotli -- buffer overflow</topic>
<affects>
<package>
<name>brotli</name>
<range><ge>0.3.0</ge><lt>0.3.0_1</lt></range>
<range><lt>0.2.0_2</lt></range>
</package>
<package>
<name>libbrotli</name>
<range><lt>0.3.0_3</lt></range>
</package>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>48.0.2564.109</lt></range>
</package>
<package>
<name>firefox</name>
<name>linux-firefox</name>
<range><lt>45.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.42</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>38.7.0,1</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>38.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_9.html">
<p>[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.</p>
</blockquote>
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/">
<p>Security researcher Luke Li reported a pointer underflow
bug in the Brotli library's decompression that leads to a
buffer overflow. This results in a potentially exploitable
crash when triggered.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1624</cvename>
<cvename>CVE-2016-1968</cvename>
<url>https://github.com/google/brotli/commit/37a320dd81db8d546cd24a45b4c61d87b45dcade</url>
<url>https://chromium.googlesource.com/chromium/src/+/7716418a27d561ee295a99f11fd3865580748de2%5E!/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-30/</url>
<url>https://hg.mozilla.org/releases/mozilla-release/rev/4a5d8ade4e3e</url>
</references>
<dates>
<discovery>2016-02-08</discovery>
<entry>2016-03-08</entry>
<modified>2016-03-08</modified>
</dates>
</vuln>
<vuln vid="2225c5b4-1e5a-44fc-9920-b3201c384a15">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<name>linux-firefox</name>
<range><lt>45.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.42</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>38.7.0,1</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>38.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45">
<p>MFSA 2016-16 Miscellaneous memory safety hazards (rv:45.0
/ rv:38.7)</p>
<p>MFSA 2016-17 Local file overwriting and potential
privilege escalation through CSP reports</p>
<p>MFSA 2016-18 CSP reports fail to strip location
information for embedded iframe pages</p>
<p>MFSA 2016-19 Linux video memory DOS with Intel
drivers</p>
<p>MFSA 2016-20 Memory leak in libstagefright when deleting
an array during MP4 processing</p>
<p>MFSA 2016-21 Displayed page address can be overridden</p>
<p>MFSA 2016-22 Service Worker Manager out-of-bounds read in
Service Worker Manager</p>
<p>MFSA 2016-23 Use-after-free in HTML5 string parser</p>
<p>MFSA 2016-24 Use-after-free in SetBody</p>
<p>MFSA 2016-25 Use-after-free when using multiple WebRTC
data channels</p>
<p>MFSA 2016-26 Memory corruption when modifying a file
being read by FileReader</p>
<p>MFSA 2016-27 Use-after-free during XML
transformations</p>
<p>MFSA 2016-28 Addressbar spoofing through history
navigation and Location protocol property</p>
<p>MFSA 2016-29 Same-origin policy violation using
performance.getEntries and history navigation with session
restore</p>
<p>MFSA 2016-31 Memory corruption with malicious NPAPI
plugin</p>
<p>MFSA 2016-32 WebRTC and LibVPX vulnerabilities found
through code inspection</p>
<p>MFSA 2016-33 Use-after-free in GetStaticInstance in
WebRTC</p>
<p>MFSA 2016-34 Out-of-bounds read in HTML parser following
a failed allocation</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1952</cvename>
<cvename>CVE-2016-1953</cvename>
<cvename>CVE-2016-1954</cvename>
<cvename>CVE-2016-1955</cvename>
<cvename>CVE-2016-1956</cvename>
<cvename>CVE-2016-1957</cvename>
<cvename>CVE-2016-1958</cvename>
<cvename>CVE-2016-1959</cvename>
<cvename>CVE-2016-1960</cvename>
<cvename>CVE-2016-1961</cvename>
<cvename>CVE-2016-1962</cvename>
<cvename>CVE-2016-1963</cvename>
<cvename>CVE-2016-1964</cvename>
<cvename>CVE-2016-1965</cvename>
<cvename>CVE-2016-1966</cvename>
<cvename>CVE-2016-1967</cvename>
<cvename>CVE-2016-1970</cvename>
<cvename>CVE-2016-1971</cvename>
<cvename>CVE-2016-1972</cvename>
<cvename>CVE-2016-1973</cvename>
<cvename>CVE-2016-1974</cvename>
<cvename>CVE-2016-1975</cvename>
<cvename>CVE-2016-1976</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-16/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-17/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-18/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-19/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-20/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-21/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-22/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-23/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-24/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-25/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-26/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-27/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-28/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-29/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-31/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-32/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-33/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-34/</url>
</references>
<dates>
<discovery>2016-03-08</discovery>
<entry>2016-03-08</entry>
<modified>2016-03-08</modified>
</dates>
</vuln>
<vuln vid="adffe823-e692-4921-ae9c-0b825c218372">
<topic>graphite2 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>graphite2</name>
<range><lt>1.3.6</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>45.0,1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>38.7.0</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.42</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/">
<p>Security researcher Holger Fuhrmannek and Mozilla
security engineer Tyson Smith reported a number of security
vulnerabilities in the Graphite 2 library affecting version
1.3.5.
The issue reported by Holger Fuhrmannek is a mechanism to
induce stack corruption with a malicious graphite font. This
leads to a potentially exploitable crash when the font is
loaded.
Tyson Smith used the Address Sanitizer tool in concert with
a custom software fuzzer to find a series of uninitialized
memory, out-of-bounds read, and out-of-bounds write errors
when working with fuzzed graphite fonts.</p>
</blockquote>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-38/">
<p>Security researcher James Clawson used the Address
Sanitizer tool to discover an out-of-bounds write in the
Graphite 2 library when loading a crafted Graphite font
file. This results in a potentially exploitable crash.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.mozilla.org/security/advisories/mfsa2016-37/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-38/</url>
<cvename>CVE-2016-1969</cvename>
<cvename>CVE-2016-1977</cvename>
<cvename>CVE-2016-2790</cvename>
<cvename>CVE-2016-2791</cvename>
<cvename>CVE-2016-2792</cvename>
<cvename>CVE-2016-2793</cvename>
<cvename>CVE-2016-2794</cvename>
<cvename>CVE-2016-2795</cvename>
<cvename>CVE-2016-2796</cvename>
<cvename>CVE-2016-2797</cvename>
<cvename>CVE-2016-2798</cvename>
<cvename>CVE-2016-2799</cvename>
<cvename>CVE-2016-2800</cvename>
<cvename>CVE-2016-2801</cvename>
<cvename>CVE-2016-2802</cvename>
</references>
<dates>
<discovery>2016-03-08</discovery>
<entry>2016-03-08</entry>
<modified>2016-03-14</modified>
</dates>
</vuln>
<vuln vid="c4292768-5273-4f17-a267-c5fe35125ce4">
<topic>NSS -- multiple vulnerabilities</topic>
<affects>
<package>
<name>nss</name>
<name>linux-c6-nss</name>
<range><ge>3.20</ge><lt>3.21.1</lt></range>
<range><lt>3.19.2.3</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>45.0,1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>38.7.0</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.42</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/">
<p>Security researcher Francis Gabriel reported a heap-based
buffer overflow in the way the Network Security Services
(NSS) libraries parsed certain ASN.1 structures. An attacker
could create a specially-crafted certificate which, when
parsed by NSS, would cause it to crash or execute arbitrary
code with the permissions of the user.</p>
</blockquote>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-36/">
<p>Mozilla developer Tim Taubert used the Address Sanitizer
tool and software fuzzing to discover a use-after-free
vulnerability while processing DER encoded keys in the
Network Security Services (NSS) libraries. The vulnerability
overwrites the freed memory with zeroes.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1950</cvename>
<cvename>CVE-2016-1979</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-35/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-36/</url>
<url>https://hg.mozilla.org/projects/nss/rev/b9a31471759d</url>
<url>https://hg.mozilla.org/projects/nss/rev/7033b1193c94</url>
</references>
<dates>
<discovery>2016-03-08</discovery>
<entry>2016-03-08</entry>
</dates>
</vuln>
<vuln vid="75091516-6f4b-4059-9884-6727023dc366">
<topic>NSS -- multiple vulnerabilities</topic>
<affects>
<package>
<name>nss</name>
<name>linux-c6-nss</name>
<range><lt>3.21</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>44.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.41</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-07/">
<p>Security researcher Hanno Böck reported that calculations
with mp_div and mp_exptmod in Network Security Services
(NSS) can produce wrong results in some circumstances. These
functions are used within NSS for a variety of cryptographic
division functions, leading to potential cryptographic
weaknesses.</p>
</blockquote>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-15/">
<p>Mozilla developer Eric Rescorla reported that a failed
allocation during DHE and ECDHE handshakes would lead to a
use-after-free vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1938</cvename>
<cvename>CVE-2016-1978</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-07/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-15/</url>
<url>https://hg.mozilla.org/projects/nss/rev/a555bf0fc23a</url>
<url>https://hg.mozilla.org/projects/nss/rev/a245a4ccd354</url>
</references>
<dates>
<discovery>2016-01-26</discovery>
<entry>2016-03-08</entry>
</dates>
</vuln>
<vuln vid="f9e6c0d1-e4cc-11e5-b2bd-002590263bf5">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py27-django</name>
<name>py32-django</name>
<name>py33-django</name>
<name>py34-django</name>
<name>py35-django</name>
<range><lt>1.8.10</lt></range>
</package>
<package>
<name>py27-django18</name>
<name>py32-django18</name>
<name>py33-django18</name>
<name>py34-django18</name>
<name>py35-django18</name>
<range><lt>1.8.10</lt></range>
</package>
<package>
<name>py27-django19</name>
<name>py32-django19</name>
<name>py33-django19</name>
<name>py34-django19</name>
<name>py35-django19</name>
<range><lt>1.9.3</lt></range>
</package>
<package>
<name>py27-django-devel</name>
<name>py32-django-devel</name>
<name>py33-django-devel</name>
<name>py34-django-devel</name>
<name>py35-django-devel</name>
<range><le>20150709,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tim Graham reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/">
<p>Malicious redirect and possible XSS attack via user-supplied
redirect URLs containing basic auth</p>
<p>User enumeration through timing difference on password hasher work
factor upgrade</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2512</cvename>
<cvename>CVE-2016-2513</cvename>
<url>https://www.djangoproject.com/weblog/2016/mar/01/security-releases/</url>
</references>
<dates>
<discovery>2016-03-01</discovery>
<entry>2016-03-08</entry>
</dates>
</vuln>
<vuln vid="fef03980-e4c6-11e5-b2bd-002590263bf5">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.4.2,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samuel Sidler reports:</p>
<blockquote cite="https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/">
<p>WordPress 4.4.2 is now available. This is a security release for
all previous versions and we strongly encourage you to update your
sites immediately.</p>
<p>WordPress versions 4.4.1 and earlier are affected by two security
issues: a possible SSRF for certain local URIs, reported by Ronni
Skansing; and an open redirection attack, reported by Shailesh
Suthar.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2221</cvename>
<cvename>CVE-2016-2222</cvename>
<url>http://www.openwall.com/lists/oss-security/2016/02/04/6</url>
<url>https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/</url>
</references>
<dates>
<discovery>2016-02-02</discovery>
<entry>2016-03-08</entry>
</dates>
</vuln>
<vuln vid="7f0fbb30-e462-11e5-a3f3-080027ef73ec">
<topic>PuTTY -- old-style scp downloads may allow remote code execution</topic>
<affects>
<package>
<name>putty</name>
<range><lt>0.67</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon G. Tatham reports:</p>
<blockquote cite="http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html">
<p>Many versions of PSCP prior to 0.67 have a stack corruption
vulnerability in their treatment of the 'sink' direction (i.e.
downloading from server to client) of the old-style SCP protocol.
</p>
<p>In order for this vulnerability to be exploited, the user must
connect to a malicious server and attempt to download any file.[...]
you can work around it in a vulnerable PSCP by using the -sftp
option to force the use of the newer SFTP protocol, provided your
server supports that protocol.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html</url>
<cvename>CVE-2016-2563</cvename>
<url>https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563</url>
</references>
<dates>
<discovery>2016-02-26</discovery>
<entry>2016-03-07</entry>
</dates>
</vuln>
<vuln vid="12d1b5a6-e39d-11e5-9f77-5453ed2e2b49">
<topic>websvn -- reflected cross-site scripting</topic>
<affects>
<package>
<name>websvn</name>
<range><lt>2.3.3_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sebastien Delafond reports:</p>
<blockquote cite="https://lists.debian.org/debian-security-announce/2016/msg00060.html">
<p>Jakub Palaczynski discovered that websvn, a web viewer for
Subversion repositories, does not correctly sanitize user-supplied
input, which allows a remote user to run reflected cross-site
scripting attacks.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2511</cvename>
<url>https://lists.debian.org/debian-security-announce/2016/msg00060.html</url>
<url>http://seclists.org/fulldisclosure/2016/Feb/99</url>
</references>
<dates>
<discovery>2016-02-22</discovery>
<entry>2016-03-06</entry>
</dates>
</vuln>
<vuln vid="f69e1f09-e39b-11e5-9f77-5453ed2e2b49">
<topic>websvn -- information disclosure</topic>
<affects>
<package>
<name>websvn</name>
<range><lt>2.3.3_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Thijs Kinkhorst reports:</p>
<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682">
<p>James Clawson reported:</p>
<p>"Arbitrary files with a known path can be accessed in websvn by
committing a symlink to a repository and then downloading the file
(using the download link).</p>
<p>An attacker must have write access to the repo, and the download
option must have been enabled in the websvn config file."</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-6892</cvename>
<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6892</url>
<url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682</url>
</references>
<dates>
<discovery>2015-01-18</discovery>
<entry>2016-03-06</entry>
</dates>
</vuln>
<vuln vid="5a016dd0-8aa8-490e-a596-55f4cc17e4ef">
<topic>rails -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-actionpack</name>
<range><lt>3.2.22.2</lt></range>
</package>
<package>
<name>rubygem-actionpack4</name>
<range><lt>4.2.5.2</lt></range>
</package>
<package>
<name>rubygem-actionview</name>
<range><lt>4.2.5.2</lt></range>
</package>
<package>
<name>rubygem-rails</name>
<range><lt>3.2.22.2</lt></range>
</package>
<package>
<name>rubygem-rails4</name>
<range><lt>4.2.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby on Rails blog:</p>
<blockquote cite="http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/">
<p>Rails 4.2.5.2, 4.1.14.2, and 3.2.22.2 have been released! These
contain the following important security fixes, and it is
recommended that users upgrade as soon as possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2097</cvename>
<cvename>CVE-2016-2098</cvename>
<url>https://groups.google.com/d/msg/rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ</url>
<url>https://groups.google.com/d/msg/rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ</url>
<url>http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/</url>
</references>
<dates>
<discovery>2016-02-29</discovery>
<entry>2016-03-06</entry>
</dates>
</vuln>
<vuln vid="f85fa236-e2a6-412e-b5c7-c42120892de5">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>49.0.2623.75</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.de/2016/03/stable-channel-update.html">
<p>[560011] High CVE-2016-1630: Same-origin bypass in Blink.</p>
<p>[569496] High CVE-2016-1631: Same-origin bypass in Pepper Plugin.</p>
<p>[549986] High CVE-2016-1632: Bad cast in Extensions.</p>
<p>[572537] High CVE-2016-1633: Use-after-free in Blink.</p>
<p>[559292] High CVE-2016-1634: Use-after-free in Blink.</p>
<p>[585268] High CVE-2016-1635: Use-after-free in Blink.</p>
<p>[584155] High CVE-2016-1636: SRI Validation Bypass.</p>
<p>[555544] Medium CVE-2016-1637: Information Leak in Skia.</p>
<p>[585282] Medium CVE-2016-1638: WebAPI Bypass.</p>
<p>[572224] Medium CVE-2016-1639: Use-after-free in WebRTC.</p>
<p>[550047] Medium CVE-2016-1640: Origin confusion in Extensions UI.</p>
<p>[583718] Medium CVE-2016-1641: Use-after-free in Favicon.</p>
<p>[591402] CVE-2016-1642: Various fixes from internal audits, fuzzing and other initiatives.</p>
<p>Multiple vulnerabilities in V8 fixed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1630</cvename>
<cvename>CVE-2016-1631</cvename>
<cvename>CVE-2016-1632</cvename>
<cvename>CVE-2016-1633</cvename>
<cvename>CVE-2016-1634</cvename>
<cvename>CVE-2016-1635</cvename>
<cvename>CVE-2016-1636</cvename>
<cvename>CVE-2016-1637</cvename>
<cvename>CVE-2016-1638</cvename>
<cvename>CVE-2016-1639</cvename>
<cvename>CVE-2016-1640</cvename>
<cvename>CVE-2016-1641</cvename>
<cvename>CVE-2016-1642</cvename>
<url>http://googlechromereleases.blogspot.de/2016/03/stable-channel-update.html</url>
</references>
<dates>
<discovery>2016-03-02</discovery>
<entry>2016-03-05</entry>
</dates>
</vuln>
<vuln vid="6b3591ea-e2d2-11e5-a6be-5453ed2e2b49">
<topic>libssh -- weak Diffie-Hellman secret generation</topic>
<affects>
<package>
<name>libssh</name>
<range><lt>0.7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Andreas Schneider reports:</p>
<blockquote cite="https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/">
<p>libssh versions 0.1 and above have a bits/bytes confusion bug and
generate an abnormally short ephemeral secret for the
diffie-hellman-group1 and diffie-hellman-group14 key exchange
methods. The resulting secret is 128 bits long, instead of the
recommended sizes of 1024 and 2048 bits respectively. There are
practical algorithms (Baby steps/Giant steps, Pollard’s rho) that can
solve this problem in O(2^63) operations.</p>
<p>Both client and server are vulnerable, pre-authentication.
This vulnerability could be exploited by an eavesdropper with enough
resources to decrypt or intercept SSH sessions. The bug was found
during an internal code review by Aris Adamantiadis of the libssh
team.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-0739</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739</url>
<url>https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/</url>
</references>
<dates>
<discovery>2016-02-23</discovery>
<entry>2016-03-05</entry>
</dates>
</vuln>
<vuln vid="7d09b9ee-e0ba-11e5-abc4-6fb07af136d2">
<topic>exim -- local privilege escalation</topic>
<affects>
<package>
<name>exim</name>
<range><lt>4.86.2</lt></range>
<range><lt>4.85.2</lt></range>
<range><lt>4.84.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Exim development team reports:</p>
<blockquote cite="https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html">
<p>All installations having Exim set-uid root and using 'perl_startup' are
vulnerable to a local privilege escalation. Any user who can start an
instance of Exim (and this is normally <strong>any</strong> user) can gain root
privileges. If you do not use 'perl_startup' you <strong>should</strong> be safe.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1531</cvename>
<url>https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html</url>
</references>
<dates>
<discovery>2016-02-26</discovery>
<entry>2016-03-02</entry>
</dates>
</vuln>
<vuln vid="db3301be-e01c-11e5-b2bd-002590263bf5">
<topic>cacti -- multiple vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>0.8.8g</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Cacti Group, Inc. reports:</p>
<blockquote cite="http://www.cacti.net/release_notes_0_8_8g.php">
<p>Changelog</p>
<ul>
<li>bug:0002652: CVE-2015-8604: SQL injection in graphs_new.php</li>
<li>bug:0002655: CVE-2015-8377: SQL injection vulnerability in the
host_new_graphs_save function in graphs_new.php</li>
<li>bug:0002656: Authentication using web authentication as a user
not in the cacti database allows complete access</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8377</cvename>
<cvename>CVE-2015-8604</cvename>
<cvename>CVE-2016-2313</cvename>
<url>http://www.cacti.net/release_notes_0_8_8g.php</url>
<url>http://bugs.cacti.net/view.php?id=2652</url>
<url>http://bugs.cacti.net/view.php?id=2655</url>
<url>http://bugs.cacti.net/view.php?id=2656</url>
<url>http://www.openwall.com/lists/oss-security/2016/02/09/3</url>
</references>
<dates>
<discovery>2016-02-21</discovery>
<entry>2016-03-02</entry>
</dates>
</vuln>
<vuln vid="f682a506-df7c-11e5-81e4-6805ca0b3d42"> | |
<topic>phpmyadmin -- multiple XSS and a man-in-the-middle vulnerability</topic> | |
<affects> | |
<package> | |
<name>phpmyadmin</name> | |
<range><ge>4.5.0</ge><lt>4.5.5.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpMyAdmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-10/"> | |
<p>XSS vulnerability in SQL parser.</p> | |
<p>Using a crafted SQL query, it is possible to trigger an XSS | |
attack through the SQL query page.</p> | |
<p>We consider this vulnerability to be non-critical.</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-11/"> | |
<p>Multiple XSS vulnerabilities.</p> | |
<p>By sending a specially crafted URL as part of the HOST | |
header, it is possible to trigger an XSS attack.</p> | |
<p>A weakness was found that allows an XSS attack with Internet | |
Explorer versions older than 8 and Safari on Windows using a | |
specially crafted URL.</p> | |
<p>Using a crafted SQL query, it is possible to trigger an XSS | |
attack through the SQL query page.</p> | |
<p>Using a crafted parameter value, it is possible to trigger | |
an XSS attack in user accounts page.</p> | |
<p>Using a crafted parameter value, it is possible to trigger | |
an XSS attack in zoom search page.</p> | |
<p>We consider this vulnerability to be non-critical.</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-12/"> | |
<p>Multiple XSS vulnerabilities.</p> | |
<p>With a crafted table/column name it is possible to trigger | |
an XSS attack in the database normalization page.</p> | |
<p>With a crafted parameter it is possible to trigger an XSS | |
attack in the database structure page.</p> | |
<p>With a crafted parameter it is possible to trigger an XSS | |
attack in central columns page.</p> | |
<p>We consider this vulnerability to be non-critical.</p> | |
</blockquote> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-13/"> | |
<p>Vulnerability allowing man-in-the-middle attack on API | |
call to GitHub.</p> | |
<p>A vulnerability in the API call to GitHub can be exploited | |
to perform a man-in-the-middle attack.</p> | |
<p>We consider this vulnerability to be serious.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-10/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-11/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-12/</url> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-13/</url> | |
<cvename>CVE-2016-2559</cvename> | |
<cvename>CVE-2016-2560</cvename> | |
<cvename>CVE-2016-2561</cvename> | |
<cvename>CVE-2016-2562</cvename> | |
</references> | |
<dates> | |
<discovery>2016-02-29</discovery> | |
<entry>2016-03-01</entry> | |
</dates> | |
</vuln> | |
<vuln vid="45117749-df55-11e5-b2bd-002590263bf5"> | |
<topic>wireshark -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>wireshark</name> | |
<name>wireshark-lite</name> | |
<name>wireshark-qt5</name> | |
<name>tshark</name> | |
<name>tshark-lite</name> | |
<range><lt>2.0.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Wireshark development team reports:</p> | |
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.2.html"> | |
<p>The following vulnerabilities have been fixed:</p> | |
<ul> | |
<li><p>wnpa-sec-2016-02</p> | |
<p>ASN.1 BER dissector crash. (Bug 11828) CVE-2016-2522</p></li> | |
<li><p>wnpa-sec-2016-03</p> | |
<p>DNP dissector infinite loop. (Bug 11938) CVE-2016-2523</p></li> | |
<li><p>wnpa-sec-2016-04</p> | |
<p>X.509AF dissector crash. (Bug 12002) CVE-2016-2524</p></li> | |
<li><p>wnpa-sec-2016-05</p> | |
<p>HTTP/2 dissector crash. (Bug 12077) CVE-2016-2525</p></li> | |
<li><p>wnpa-sec-2016-06</p> | |
<p>HiQnet dissector crash. (Bug 11983) CVE-2016-2526</p></li> | |
<li><p>wnpa-sec-2016-07</p> | |
<p>3GPP TS 32.423 Trace file parser crash. (Bug 11982) | |
CVE-2016-2527</p></li> | |
<li><p>wnpa-sec-2016-08</p> | |
<p>LBMC dissector crash. (Bug 11984) CVE-2016-2528</p></li> | |
<li><p>wnpa-sec-2016-09</p> | |
<p>iSeries file parser crash. (Bug 11985) CVE-2016-2529</p></li> | |
<li><p>wnpa-sec-2016-10</p> | |
<p>RSL dissector crash. (Bug 11829) CVE-2016-2530 | |
CVE-2016-2531</p></li> | |
<li><p>wnpa-sec-2016-11</p> | |
<p>LLRP dissector crash. (Bug 12048) CVE-2016-2532</p></li> | |
<li><p>wnpa-sec-2016-12</p> | |
<p>Ixia IxVeriWave file parser crash. (Bug 11795)</p></li> | |
<li><p>wnpa-sec-2016-13</p> | |
<p>IEEE 802.11 dissector crash. (Bug 11818)</p></li> | |
<li><p>wnpa-sec-2016-14</p> | |
<p>GSM A-bis OML dissector crash. (Bug 11825)</p></li> | |
<li><p>wnpa-sec-2016-15</p> | |
<p>ASN.1 BER dissector crash. (Bug 12106)</p></li> | |
<li><p>wnpa-sec-2016-16</p> | |
<p>SPICE dissector large loop. (Bug 12151)</p></li> | |
<li><p>wnpa-sec-2016-17</p> | |
<p>NFS dissector crash.</p></li> | |
<li><p>wnpa-sec-2016-18</p> | |
<p>ASN.1 BER dissector crash. (Bug 11822)</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2522</cvename> | |
<cvename>CVE-2016-2523</cvename> | |
<cvename>CVE-2016-2524</cvename> | |
<cvename>CVE-2016-2525</cvename> | |
<cvename>CVE-2016-2526</cvename> | |
<cvename>CVE-2016-2527</cvename> | |
<cvename>CVE-2016-2528</cvename> | |
<cvename>CVE-2016-2529</cvename> | |
<cvename>CVE-2016-2530</cvename> | |
<cvename>CVE-2016-2531</cvename> | |
<cvename>CVE-2016-2532</cvename> | |
<cvename>CVE-2016-4415</cvename> | |
<cvename>CVE-2016-4416</cvename> | |
<cvename>CVE-2016-4417</cvename> | |
<cvename>CVE-2016-4418</cvename> | |
<cvename>CVE-2016-4419</cvename> | |
<cvename>CVE-2016-4420</cvename> | |
<cvename>CVE-2016-4421</cvename> | |
<url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.2.html</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/05/01/1</url> | |
</references> | |
<dates> | |
<discovery>2016-02-26</discovery> | |
<entry>2016-03-01</entry> | |
<modified>2016-07-04</modified> | |
</dates> | |
</vuln> | |
<vuln vid="42c2c422-df55-11e5-b2bd-002590263bf5"> | |
<topic>wireshark -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>wireshark</name> | |
<name>wireshark-lite</name> | |
<name>wireshark-qt5</name> | |
<name>tshark</name> | |
<name>tshark-lite</name> | |
<range><lt>2.0.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Wireshark development team reports:</p> | |
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.1.html"> | |
<p>The following vulnerabilities have been fixed:</p> | |
<ul> | |
<li><p>wnpa-sec-2015-31</p> | |
<p>NBAP dissector crashes. (Bug 11602, Bug 11835, Bug 11841)</p> | |
</li> | |
<li><p>wnpa-sec-2015-37</p> | |
<p>NLM dissector crash.</p></li> | |
<li><p>wnpa-sec-2015-39</p> | |
<p>BER dissector crash.</p></li> | |
<li><p>wnpa-sec-2015-40</p> | |
<p>Zlib decompression crash. (Bug 11548)</p></li> | |
<li><p>wnpa-sec-2015-41</p> | |
<p>SCTP dissector crash. (Bug 11767)</p></li> | |
<li><p>wnpa-sec-2015-42</p> | |
<p>802.11 decryption crash. (Bug 11790, Bug 11826)</p></li> | |
<li><p>wnpa-sec-2015-43</p> | |
<p>DIAMETER dissector crash. (Bug 11792)</p></li> | |
<li><p>wnpa-sec-2015-44</p> | |
<p>VeriWave file parser crashes. (Bug 11789, Bug 11791)</p></li> | |
<li><p>wnpa-sec-2015-45</p> | |
<p>RSVP dissector crash. (Bug 11793)</p></li> | |
<li><p>wnpa-sec-2015-46</p> | |
<p>ANSI A and GSM A dissector crashes. (Bug 11797)</p></li> | |
<li><p>wnpa-sec-2015-47</p> | |
<p>Ascend file parser crash. (Bug 11794)</p></li> | |
<li><p>wnpa-sec-2015-48</p> | |
<p>NBAP dissector crash. (Bug 11815)</p></li> | |
<li><p>wnpa-sec-2015-49</p> | |
<p>RSL dissector crash. (Bug 11829)</p></li> | |
<li><p>wnpa-sec-2015-50</p> | |
<p>ZigBee ZCL dissector crash. (Bug 11830)</p></li> | |
<li><p>wnpa-sec-2015-51</p> | |
<p>Sniffer file parser crash. (Bug 11827)</p></li> | |
<li><p>wnpa-sec-2015-52</p> | |
<p>NWP dissector crash. (Bug 11726)</p></li> | |
<li><p>wnpa-sec-2015-53</p> | |
<p>BT ATT dissector crash. (Bug 11817)</p></li> | |
<li><p>wnpa-sec-2015-54</p> | |
<p>MP2T file parser crash. (Bug 11820)</p></li> | |
<li><p>wnpa-sec-2015-55</p> | |
<p>MP2T file parser crash. (Bug 11821)</p></li> | |
<li><p>wnpa-sec-2015-56</p> | |
<p>S7COMM dissector crash. (Bug 11823)</p></li> | |
<li><p>wnpa-sec-2015-57</p> | |
<p>IPMI dissector crash. (Bug 11831)</p></li> | |
<li><p>wnpa-sec-2015-58</p> | |
<p>TDS dissector crash. (Bug 11846)</p></li> | |
<li><p>wnpa-sec-2015-59</p> | |
<p>PPI dissector crash. (Bug 11876)</p></li> | |
<li><p>wnpa-sec-2015-60</p> | |
<p>MS-WSP dissector crash. (Bug 11931)</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.1.html</url> | |
</references> | |
<dates> | |
<discovery>2015-12-29</discovery> | |
<entry>2016-03-01</entry> | |
</dates> | |
</vuln> | |
<vuln vid="7bbc3016-de63-11e5-8fa8-14dae9d210b8"> | |
<topic>tomcat -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>tomcat7</name> | |
<range><lt>7.0.68</lt></range> | |
</package> | |
<package> | |
<name>tomcat8</name> | |
<range><lt>8.0.30</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mark Thomas reports:</p> | |
<blockquote cite="http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e"> | |
<ul> | |
<li><p>CVE-2015-5346 Apache Tomcat Session fixation</p></li> | |
<li><p>CVE-2015-5351 Apache Tomcat CSRF token leak</p></li> | |
<li><p>CVE-2016-0763 Apache Tomcat Security Manager Bypass</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e</url> | |
<url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF7B.1010901@apache.org%3e</url> | |
<url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEFB2.9030605@apache.org%3e</url> | |
<cvename>CVE-2015-5346</cvename> | |
<cvename>CVE-2015-5351</cvename> | |
<cvename>CVE-2016-0763</cvename> | |
</references> | |
<dates> | |
<discovery>2016-02-22</discovery> | |
<entry>2016-02-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="1f1124fe-de5c-11e5-8fa8-14dae9d210b8"> | |
<topic>tomcat -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>tomcat6</name> | |
<range><lt>6.0.45</lt></range> | |
</package> | |
<package> | |
<name>tomcat7</name> | |
<range><lt>7.0.68</lt></range> | |
</package> | |
<package> | |
<name>tomcat8</name> | |
<range><lt>8.0.30</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mark Thomas reports:</p> | |
<blockquote cite="http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e"> | |
<ul> | |
<li><p>CVE-2015-5345 Apache Tomcat Directory disclosure</p></li> | |
<li><p>CVE-2016-0706 Apache Tomcat Security Manager bypass</p></li> | |
<li><p>CVE-2016-0714 Apache Tomcat Security Manager Bypass</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e</url> | |
<url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF6A.70703@apache.org%3e</url> | |
<url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF4F.5090003@apache.org%3e</url> | |
<cvename>CVE-2015-5345</cvename> | |
<cvename>CVE-2015-5346</cvename> | |
<cvename>CVE-2016-0706</cvename> | |
<cvename>CVE-2016-0714</cvename> | |
</references> | |
<dates> | |
<discovery>2016-02-22</discovery> | |
<entry>2016-02-28</entry> | |
<modified>2016-02-28</modified> | |
</dates> | |
</vuln> | |
<vuln vid="a7f2e9c6-de20-11e5-8458-6cc21735f730"> | |
<topic>xerces-c3 -- Parser Crashes on Malformed Input</topic> | |
<affects> | |
<package> | |
<name>xerces-c3</name> | |
<range><lt>3.1.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Apache Software Foundation reports:</p> | |
<blockquote cite="http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt"> | |
<p>The Xerces-C XML parser mishandles certain kinds of malformed input | |
documents, resulting in buffer overflows during processing and error | |
reporting. The overflows can manifest as a segmentation fault or as | |
memory corruption during a parse operation. The bugs allow for a | |
denial of service attack in many applications by an unauthenticated | |
attacker, and could conceivably result in remote code execution.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-0729</cvename> | |
<url>http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt</url> | |
</references> | |
<dates> | |
<discovery>2016-02-25</discovery> | |
<entry>2016-02-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6b1d8a39-ddb3-11e5-8fa8-14dae9d210b8"> | |
<topic>django -- regression in permissions model</topic> | |
<affects> | |
<package> | |
<name>py27-django19</name> | |
<name>py33-django19</name> | |
<name>py34-django19</name> | |
<name>py35-django19</name> | |
<range><lt>1.9.2</lt></range> | |
</package> | |
<package> | |
<name>py27-django-devel</name> | |
<name>py33-django-devel</name> | |
<name>py34-django-devel</name> | |
<name>py35-django-devel</name> | |
<range><le>20150709,1</le></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Tim Graham reports:</p> | |
<blockquote cite="https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/"> | |
<p>User with "change" but not "add" permission can create | |
objects for ModelAdmin’s with save_as=True</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/</url> | |
<cvename>CVE-2016-2048</cvename> | |
</references> | |
<dates> | |
<discovery>2016-02-01</discovery> | |
<entry>2016-02-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="81f9d6a4-ddaf-11e5-b2bd-002590263bf5"> | |
<topic>xen-kernel -- VMX: guest user mode may crash guest with non-canonical RIP</topic> | |
<affects> | |
<package> | |
<name>xen-kernel</name> | |
<range><lt>4.5.2_2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Xen Project reports:</p> | |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-170.html"> | |
<p>VMX refuses attempts to enter a guest with an instruction pointer | |
which doesn't satisfy certain requirements. In particular, the | |
instruction pointer needs to be canonical when entering a guest | |
currently in 64-bit mode. This is the case even if the VM entry | |
information specifies an exception to be injected immediately (in | |
which case the bad instruction pointer would possibly never get used | |
for other than pushing onto the exception handler's stack). | |
Provided the guest OS allows user mode to map the virtual memory | |
space immediately below the canonical/non-canonical address | |
boundary, a non-canonical instruction pointer can result even from | |
normal user mode execution. VM entry failure, however, is fatal to | |
the guest.</p> | |
<p>Malicious HVM guest user mode code may be able to crash the | |
guest.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2271</cvename> | |
<url>http://xenbits.xen.org/xsa/advisory-170.html</url> | |
</references> | |
<dates> | |
<discovery>2016-02-17</discovery> | |
<entry>2016-02-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="80adc394-ddaf-11e5-b2bd-002590263bf5"> | |
<topic>xen-kernel -- VMX: intercept issue with INVLPG on non-canonical address</topic> | |
<affects> | |
<package> | |
<name>xen-kernel</name> | |
<range><ge>3.3</ge><lt>4.5.2_2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Xen Project reports:</p> | |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-168.html"> | |
<p>While INVLPG does not cause a General Protection Fault when used on | |
a non-canonical address, INVVPID in its "individual address" | |
variant, which is used to back the intercepted INVLPG in certain | |
cases, fails in such cases. Failure of INVVPID results in a | |
hypervisor bug check.</p> | |
<p>A malicious guest can crash the host, leading to a Denial of | |
Service.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1571</cvename> | |
<url>http://xenbits.xen.org/xsa/advisory-168.html</url> | |
</references> | |
<dates> | |
<discovery>2016-01-20</discovery> | |
<entry>2016-02-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="7ed7c36f-ddaf-11e5-b2bd-002590263bf5"> | |
<topic>xen-kernel -- PV superpage functionality missing sanity checks</topic> | |
<affects> | |
<package> | |
<name>xen-kernel</name> | |
<range><eq>3.4.0</eq></range> | |
<range><eq>3.4.1</eq></range> | |
<range><ge>4.1</ge><lt>4.5.2_2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Xen Project reports:</p> | |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-167.html"> | |
<p>The PV superpage functionality lacks certain validity checks on | |
data being passed to the hypervisor by guests. This is the case | |
for the page identifier (MFN) passed to MMUEXT_MARK_SUPER and | |
MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as | |
well as for various forms of page table updates.</p> | |
<p>Use of the feature, which is disabled by default, may have unknown | |
effects, ranging from information leaks through Denial of Service to | |
privilege escalation.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1570</cvename> | |
<url>http://xenbits.xen.org/xsa/advisory-167.html</url> | |
</references> | |
<dates> | |
<discovery>2016-01-20</discovery> | |
<entry>2016-02-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="2d299950-ddb0-11e5-8fa8-14dae9d210b8"> | |
<topic>moodle -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>moodle28</name> | |
<range><lt>2.8.10</lt></range> | |
</package> | |
<package> | |
<name>moodle29</name> | |
<range><lt>2.9.4</lt></range> | |
</package> | |
<package> | |
<name>moodle30</name> | |
<range><lt>3.0.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Marina Glancy reports:</p> | |
<blockquote cite="https://moodle.org/security/"> | |
<ul> | |
<li><p>MSA-16-0001: Two enrolment-related web services don't | |
check course visibility</p></li> | |
<li><p>MSA-16-0002: XSS Vulnerability in course management | |
search</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://moodle.org/security/</url> | |
<cvename>CVE-2016-0724</cvename> | |
<cvename>CVE-2016-0725</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-18</discovery> | |
<entry>2016-02-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6540c8f0-dca3-11e5-8fa8-14dae9d210b8"> | |
<topic>pitivi -- code execution</topic> | |
<affects> | |
<package> | |
<name>pitivi</name> | |
<range><lt>0.95</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Luke Farone reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/23/8"> | |
<p>Double-clicking a file in the user's media library with a | |
specially-crafted path or filename allows for arbitrary code execution | |
with the permissions of the user running Pitivi.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/23/8</url> | |
<url>https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2</url> | |
<cvename>CVE-2015-0855</cvename> | |
</references> | |
<dates> | |
<discovery>2015-09-13</discovery> | |
<entry>2016-02-26</entry> | |
</dates> | |
</vuln> | |
<vuln vid="90c8385a-dc9f-11e5-8fa8-14dae9d210b8"> | |
<topic>giflib -- heap overflow</topic> | |
<affects> | |
<package> | |
<name>giflib</name> | |
<range><lt>5.1.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Hans Jerry Illikainen reports:</p> | |
<blockquote cite="http://seclists.org/bugtraq/2015/Dec/114"> | |
<p>A heap overflow may occur in the giffix utility included in | |
giflib-5.1.1 when processing records of the type | |
`IMAGE_DESC_RECORD_TYPE' due to the allocated size of `LineBuffer' | |
equaling the value of the logical screen width, `GifFileIn->SWidth', | |
while subsequently having `GifFileIn->Image.Width' bytes of data written | |
to it.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://seclists.org/bugtraq/2015/Dec/114</url> | |
<cvename>CVE-2015-7555</cvename> | |
</references> | |
<dates> | |
<discovery>2015-12-21</discovery> | |
<entry>2016-02-26</entry> | |
</dates> | |
</vuln> | |
<vuln vid="59a0af97-dbd4-11e5-8fa8-14dae9d210b8"> | |
<topic>drupal -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>drupal6</name> | |
<range><lt>6.38</lt></range> | |
</package> | |
<package> | |
<name>drupal7</name> | |
<range><lt>7.43</lt></range> | |
</package> | |
<package> | |
<name>drupal8</name> | |
<range><lt>8.0.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Drupal Security Team reports:</p> | |
<blockquote cite="https://www.drupal.org/SA-CORE-2016-001"> | |
<ul> | |
<li><p>File upload access bypass and denial of service (File | |
module - Drupal 7 and 8 - Moderately Critical)</p></li> | |
<li><p>Brute force amplification attacks via XML-RPC (XML-RPC | |
server - Drupal 6 and 7 - Moderately Critical)</p></li> | |
<li><p>Open redirect via path manipulation (Base system - | |
Drupal 6, 7 and 8 - Moderately Critical) </p></li> | |
<li><p>Form API ignores access restrictions on submit buttons | |
(Form API - Drupal 6 - Critical)</p></li> | |
<li><p>HTTP header injection using line breaks (Base system - | |
Drupal 6 - Moderately Critical)</p></li> | |
<li><p>Open redirect via double-encoded 'destination' | |
parameter (Base system - Drupal 6 - Moderately Critical)</p></li> | |
<li><p>Reflected file download vulnerability (System module - | |
Drupal 6 and 7 - Moderately Critical)</p></li> | |
<li><p>Saving user accounts can sometimes grant the user all | |
roles (User module - Drupal 6 and 7 - Less Critical)</p></li> | |
<li><p>Email address can be matched to an account (User module | |
- Drupal 7 and 8 - Less Critical)</p></li> | |
<li><p>Session data truncation can lead to unserialization of | |
user provided data (Base system - Drupal 6 - Less Critical)</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.drupal.org/SA-CORE-2016-001</url> | |
</references> | |
<dates> | |
<discovery>2016-02-24</discovery> | |
<entry>2016-02-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="7e01df39-db7e-11e5-b937-00e0814cab4e"> | |
<topic>jenkins -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>jenkins</name> | |
<range><le>1.650</le></range> | |
</package> | |
<package> | |
<name>jenkins-lts</name> | |
<range><le>1.642.2</le></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Jenkins Security Advisory:</p> | |
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Security+Advisory+2016-02-24"> | |
<h1>Description</h1> | |
<h5>SECURITY-232 / CVE-2016-0788 (Remote code execution vulnerability in remoting module)</h5> | |
<p>A vulnerability in the Jenkins remoting module allowed | |
unauthenticated remote attackers to open a JRMP listener on the | |
server hosting the Jenkins master process, which allowed arbitrary | |
code execution.</p> | |
<h5>SECURITY-238 / CVE-2016-0789 (HTTP response splitting vulnerability)</h5> | |
<p>An HTTP response splitting vulnerability in the CLI command | |
documentation allowed attackers to craft Jenkins URLs that serve | |
malicious content.</p> | |
<h5>SECURITY-241 / CVE-2016-0790 (Non-constant time comparison of API token)</h5> | |
<p>The verification of user-provided API tokens with the expected | |
value did not use a constant-time comparison algorithm, potentially | |
allowing attackers to use statistical methods to determine valid | |
API tokens using brute-force methods.</p> | |
<h5>SECURITY-245 / CVE-2016-0791 (Non-constant time comparison of CSRF crumbs)</h5> | |
<p>The verification of user-provided CSRF crumbs with the expected | |
value did not use a constant-time comparison algorithm, potentially | |
allowing attackers to use statistical methods to determine valid | |
CSRF crumbs using brute-force methods.</p> | |
<h5>SECURITY-247 / CVE-2016-0792 (Remote code execution through remote API)</h5> | |
<p>Jenkins has several API endpoints that allow low-privilege users | |
to POST XML files that then get deserialized by Jenkins. | |
Maliciously crafted XML files sent to these API endpoints could | |
result in arbitrary code execution.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://wiki.jenkins-ci.org/display/SECURITY/Security+Advisory+2016-02-24</url> | |
</references> | |
<dates> | |
<discovery>2016-02-24</discovery> | |
<entry>2016-02-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="660ebbf5-daeb-11e5-b2bd-002590263bf5"> | |
<topic>squid -- remote DoS in HTTP response processing</topic> | |
<affects> | |
<package> | |
<name>squid</name> | |
<range><lt>3.5.15</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Squid security advisory 2016:2 reports:</p> | |
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_2.txt"> | |
<p>Due to incorrect bounds checking Squid is vulnerable to a denial | |
of service attack when processing HTTP responses.</p> | |
<p>These problems allow remote servers delivering certain unusual | |
HTTP response syntax to trigger a denial of service for all | |
clients accessing the Squid service.</p> | |
<p>HTTP responses containing malformed headers that trigger this | |
issue are becoming common. We are not certain at this time if | |
that is a sign of malware or just broken server scripting.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2569</cvename> | |
<cvename>CVE-2016-2570</cvename> | |
<cvename>CVE-2016-2571</cvename> | |
<freebsdpr>ports/207454</freebsdpr> | |
<url>http://www.squid-cache.org/Advisories/SQUID-2016_2.txt</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/02/24/12</url> | |
</references> | |
<dates> | |
<discovery>2016-02-24</discovery> | |
<entry>2016-02-24</entry> | |
<modified>2016-02-28</modified> | |
</dates> | |
</vuln> | |
<vuln vid="9e5bbffc-d8ac-11e5-b2bd-002590263bf5"> | |
<topic>bsh -- remote code execution vulnerability</topic> | |
<affects> | |
<package> | |
<name>bsh</name> | |
<range><lt>2.0.b6</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Stian Soiland-Reyes reports:</p> | |
<blockquote cite="https://github.com/beanshell/beanshell/releases/tag/2.0b6"> | |
<p>This release fixes a remote code execution vulnerability that was | |
identified in BeanShell by Alvaro Muñoz and Christian Schneider. | |
The BeanShell team would like to thank them for their help and | |
contributions to this fix!</p> | |
<p>An application that includes BeanShell on the classpath may be | |
vulnerable if another part of the application uses Java | |
serialization or XStream to deserialize data from an untrusted | |
source.</p> | |
<p>A vulnerable application could be exploited for remote code | |
execution, including executing arbitrary shell commands.</p> | |
<p>This update fixes the vulnerability in BeanShell, but it is worth | |
noting that applications doing such deserialization might still be | |
insecure through other libraries. It is recommended that application | |
developers take further measures such as using a restricted class | |
loader when deserializing. See notes on Java serialization security | |
XStream security and How to secure deserialization from untrusted | |
input without using encryption or sealing.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2510</cvename> | |
<freebsdpr>ports/207334</freebsdpr> | |
<url>https://github.com/beanshell/beanshell/releases/tag/2.0b6</url> | |
</references> | |
<dates> | |
<discovery>2016-02-18</discovery> | |
<entry>2016-02-21</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6171eb07-d8a9-11e5-b2bd-002590263bf5"> | |
<topic>libsrtp -- DoS via crafted RTP header vulnerability</topic> | |
<affects> | |
<package> | |
<name>libsrtp</name> | |
<range><lt>1.5.3</lt></range> | |
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libsrtp reports:</p>
<blockquote cite="https://github.com/cisco/libsrtp/commit/704a31774db0dd941094fd2b47c21638b8dc3de2">
<p>Prevent potential DoS attack due to lack of bounds checking on RTP
header CSRC count and extension header length. Credit goes to
Randell Jesup and the Firefox team for reporting this issue.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6360</cvename>
<freebsdpr>ports/207003</freebsdpr>
<url>https://github.com/cisco/libsrtp/releases/tag/v1.5.3</url>
<url>https://github.com/cisco/libsrtp/commit/704a31774db0dd941094fd2b47c21638b8dc3de2</url>
<url>https://github.com/cisco/libsrtp/commit/be95365fbb4788b688cab7af61c65b7989055fb4</url>
<url>https://github.com/cisco/libsrtp/commit/be06686c8e98cc7bd934e10abb6f5e971d03f8ee</url>
<url>https://github.com/cisco/libsrtp/commit/cdc69f2acde796a4152a250f869271298abc233f</url>
</references>
<dates>
<discovery>2015-11-02</discovery>
<entry>2016-02-21</entry>
</dates>
</vuln>
<vuln vid="006e3b7c-d7d7-11e5-b85f-0018fe623f2b">
<topic>jasper -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jasper</name>
<range><lt>1.900.1_16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2014-012.html">
<p>The library is affected by a double-free vulnerability in function
jas_iccattrval_destroy()
as well as a heap-based buffer overflow in function jp2_decode().
A specially crafted jp2 file can be used to trigger the vulnerabilities.</p>
</blockquote>
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2015-001.html">
<p>The library is affected by an off-by-one error in a buffer boundary check
in jpc_dec_process_sot(), leading to a heap based buffer overflow, as well
as multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to
stack overflow.
A specially crafted jp2 file can be used to trigger the vulnerabilities.</p>
</blockquote>
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2014-009.html">
<p>Multiple off-by-one flaws, leading to heap-based buffer overflows, were
found in the way JasPer decoded JPEG 2000 files. A specially crafted file
could cause an application using JasPer to crash or,
possibly, execute arbitrary code.</p>
</blockquote>
<p>limingxing reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2016/q1/233">
<p>A vulnerability was found in the way JasPer's jas_matrix_clip()
function parses certain JPEG 2000 image files. A specially crafted file
could cause an application using JasPer to crash.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.ocert.org/advisories/ocert-2014-012.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1173157</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1173162</url>
<url>http://www.ocert.org/advisories/ocert-2015-001.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1179282</url>
<url>http://www.ocert.org/advisories/ocert-2014-009.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1167537</url>
<url>http://seclists.org/oss-sec/2016/q1/233</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1302636</url>
<cvename>CVE-2014-8137</cvename>
<cvename>CVE-2014-8138</cvename>
<cvename>CVE-2014-8157</cvename>
<cvename>CVE-2014-8158</cvename>
<cvename>CVE-2014-9029</cvename>
<cvename>CVE-2016-2089</cvename>
</references>
<dates>
<discovery>2014-12-10</discovery>
<entry>2016-02-20</entry>
<modified>2016-02-24</modified>
</dates>
</vuln>
<vuln vid="368993bb-d685-11e5-8858-00262d5ed8ee">
<topic>chromium -- same origin bypass</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>48.0.2564.116</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_18.html">
<p>[583431] Critical CVE-2016-1629: Same-origin bypass in Blink
and Sandbox escape in Chrome. Credit to anonymous.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1629</cvename>
<url>http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_18.html</url>
</references>
<dates>
<discovery>2016-02-18</discovery>
<entry>2016-02-18</entry>
</dates>
</vuln>
<vuln vid="2dd7e97e-d5e8-11e5-bcbd-bc5ff45d0f28">
<topic>glibc -- getaddrinfo stack-based buffer overflow</topic>
<affects>
<package>
<name>linux_base-c6</name>
<name>linux_base-c6_64</name>
<range><lt>6.7_1</lt></range>
</package>
<package>
<name>linux_base-f10</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Fabio Olive Leite reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7547">
<p>A stack-based buffer overflow was found in libresolv when invoked
from nss_dns, allowing specially crafted DNS responses to seize
control of EIP in the DNS client. The buffer overflow occurs in the
functions send_dg (send datagram) and send_vc (send TCP) for the
NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
family, or in some cases AF_INET6 family. The use of AF_UNSPEC (or
AF_INET6 in some cases) triggers the low-level resolver code to
send out two parallel queries for A and AAAA. A mismanagement of
the buffers used for those queries could result in the response of
a query writing beyond the alloca allocated buffer created by
__res_nquery.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7547</cvename>
<freebsdpr>ports/207272</freebsdpr>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7547</url>
<url>https://blog.des.no/2016/02/freebsd-and-cve-2015-7547/</url>
<url>https://googleonlinesecurity.blogspot.no/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html</url>
<url>https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html</url>
</references>
<dates>
<discovery>2016-02-16</discovery>
<entry>2016-02-18</entry>
</dates>
</vuln>
<vuln vid="56562efb-d5e4-11e5-b2bd-002590263bf5">
<topic>squid -- SSL/TLS processing remote DoS</topic>
<affects>
<package>
<name>squid</name>
<range><ge>3.5.13</ge><lt>3.5.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2016:1 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_1.txt">
<p>Due to incorrectly handling server errors Squid is vulnerable to a
denial of service attack when connecting to TLS or SSL servers.</p>
<p>This problem allows any trusted client to perform a denial of
service attack on the Squid service regardless of whether TLS or
SSL is configured for use in the proxy.</p>
<p>Misconfigured client or server software may trigger this issue
to perform a denial of service unintentionally.</p>
<p>However, the bug is exploitable only if Squid is built using the
--with-openssl option.</p>
</blockquote>
<p>The FreeBSD port does not use SSL by default and is not vulnerable
in the default configuration.</p>
</body>
</description>
<references>
<cvename>CVE-2016-2390</cvename>
<freebsdpr>ports/207294</freebsdpr>
<url>http://www.squid-cache.org/Advisories/SQUID-2016_1.txt</url>
</references>
<dates>
<discovery>2016-02-16</discovery>
<entry>2016-02-18</entry>
</dates>
</vuln>
<vuln vid="dd563930-d59a-11e5-8fa8-14dae9d210b8">
<topic>adminer -- remote code execution</topic>
<affects>
<package>
<name>adminer</name>
<range><lt>4.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakub Vrana reports:</p>
<blockquote cite="https://github.com/vrana/adminer/commit/e5352cc5acad21513bb02677e2021b80bf7e7b8b">
<p>Fix remote code execution in SQLite query</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/vrana/adminer/commit/e5352cc5acad21513bb02677e2021b80bf7e7b8b</url>
</references>
<dates>
<discovery>2016-02-06</discovery>
<entry>2016-02-17</entry>
</dates>
</vuln>
<vuln vid="18201a1c-d59a-11e5-8fa8-14dae9d210b8">
<topic>adminer -- XSS vulnerability</topic>
<affects>
<package>
<name>adminer</name>
<range><lt>4.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakub Vrana reports:</p>
<blockquote cite="https://github.com/vrana/adminer/commit/4be0b6655e0bf415960659db2a6dd4e60eebbd66">
<p>Fix XSS in indexes (non-MySQL only)</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/vrana/adminer/commit/4be0b6655e0bf415960659db2a6dd4e60eebbd66</url>
</references>
<dates>
<discovery>2015-11-08</discovery>
<entry>2016-02-17</entry>
</dates>
</vuln>
<vuln vid="ad91ee9b-d599-11e5-8fa8-14dae9d210b8">
<topic>adminer -- XSS vulnerability</topic>
<affects>
<package>
<name>adminer</name>
<range><lt>4.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakub Vrana reports:</p>
<blockquote cite="https://github.com/vrana/adminer/commit/596f8df373cd3efe5bcb6013858bd7a6bb5ecb2c">
<p>Fix XSS in alter table</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/vrana/adminer/commit/596f8df373cd3efe5bcb6013858bd7a6bb5ecb2c</url>
</references>
<dates>
<discovery>2015-08-05</discovery>
<entry>2016-02-17</entry>
</dates>
</vuln>
<vuln vid="8cf54d73-d591-11e5-8fa8-14dae9d210b8">
<topic>adminer -- XSS vulnerability</topic>
<affects>
<package>
<name>adminer</name>
<range><lt>4.2.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakub Vrana reports:</p>
<blockquote cite="https://github.com/vrana/adminer/commit/c990de3b3ee1816afb130bd0e1570577bf54a8e5">
<p>Fix XSS in login form</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/vrana/adminer/commit/c990de3b3ee1816afb130bd0e1570577bf54a8e5</url>
<url>https://sourceforge.net/p/adminer/bugs-and-features/436/</url>
</references>
<dates>
<discovery>2015-01-30</discovery>
<entry>2016-02-17</entry>
</dates>
</vuln>
<vuln vid="95b92e3b-d451-11e5-9794-e8e0b747a45a">
<topic>libgcrypt -- side-channel attack on ECDH</topic>
<affects>
<package>
<name>libgcrypt</name>
<range><lt>1.6.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GnuPG reports:</p>
<blockquote cite="https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html">
<p>Mitigate side-channel attack on ECDH with Weierstrass curves.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7511</cvename>
<url>https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html</url>
</references>
<dates>
<discovery>2016-02-09</discovery>
<entry>2016-02-16</entry>
</dates>
</vuln>
<vuln vid="f1bf28c5-d447-11e5-b2bd-002590263bf5">
<topic>xdelta3 -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>xdelta3</name>
<range><lt>3.0.9,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stepan Golosunov reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/02/08/1">
<p>A buffer overflow was found and fixed in the xdelta3 binary diff tool
that allows arbitrary code execution from input files, at least on
some systems.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-9765</cvename>
<url>http://www.openwall.com/lists/oss-security/2016/02/08/1</url>
<url>https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2</url>
</references>
<dates>
<discovery>2014-10-08</discovery>
<entry>2016-02-16</entry>
</dates>
</vuln>
<vuln vid="172b22cb-d3f6-11e5-ac9e-485d605f4717">
<topic>firefox -- Same-origin-policy violation using Service Workers with plugins</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>44.0.2,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>44.0.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44.0.2">
<p>MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept
responses to plugin network requests made through the browser. Plugins which
make security decisions based on the content of network requests can have these
decisions subverted if a service worker forges responses to those requests. For
example, a forged crossdomain.xml could allow a malicious site to violate the
same-origin policy using the Flash plugin.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1949</cvename>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-13/</url>
</references>
<dates>
<discovery>2016-02-11</discovery>
<entry>2016-02-15</entry>
</dates>
</vuln>
<vuln vid="07718e2b-d29d-11e5-a95f-b499baebfeaf">
<topic>nghttp2 -- Out of memory in nghttpd, nghttp, and libnghttp2_asio</topic>
<affects>
<package>
<name>nghttp2</name>
<range><lt>1.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Nghttp2 reports:</p>
<blockquote cite="https://nghttp2.org/blog/2016/02/11/nghttp2-v1-7-1/">
<p>Out of memory in nghttpd, nghttp, and libnghttp2_asio applications
due to unlimited incoming HTTP header fields.</p>
<p>nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage
for the incoming HTTP header field. If a peer sends specially crafted HTTP/2
HEADERS frames and CONTINUATION frames, they will crash with an out-of-memory
error.</p>
<p>Note that libnghttp2 itself is not affected by this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://nghttp2.org/blog/2016/02/11/nghttp2-v1-7-1/</url>
<cvename>CVE-2016-1544</cvename>
</references>
<dates>
<discovery>2016-02-03</discovery>
<entry>2016-02-13</entry>
</dates>
</vuln>
<vuln vid="3aa8b781-d2c4-11e5-b2bd-002590263bf5">
<topic>horde -- XSS vulnerabilities</topic>
<affects>
<package>
<name>horde</name>
<range><lt>5.2.9</lt></range>
</package>
<package>
<name>pear-Horde_Core</name>
<range><lt>2.22.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde Team reports:</p>
<blockquote cite="http://lists.horde.org/archives/announce/2016/001149.html">
<p>Fixed XSS vulnerabilities in menu bar and form renderer.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8807</cvename>
<cvename>CVE-2016-2228</cvename>
<url>https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253</url>
<url>https://bugs.horde.org/ticket/14213</url>
<url>https://github.com/horde/horde/commit/f03301cf6edcca57121a15e80014c4d0f29d99a0</url>
<url>https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8</url>
<url>http://www.openwall.com/lists/oss-security/2016/02/06/4</url>
<url>http://lists.horde.org/archives/announce/2016/001149.html</url>
</references>
<dates>
<discovery>2016-02-02</discovery>
<entry>2016-02-14</entry>
</dates>
</vuln>
<vuln vid="e8b6605b-d29f-11e5-8458-6cc21735f730">
<topic>PostgreSQL -- Security Fixes for Regular Expressions, PL/Java.</topic>
<affects>
<package>
<name>postgresql91-server</name>
<range><ge>9.1.0</ge><lt>9.1.20</lt></range>
</package>
<package>
<name>postgresql92-server</name>
<range><ge>9.2.0</ge><lt>9.2.15</lt></range>
</package>
<package>
<name>postgresql93-server</name>
<range><ge>9.3.0</ge><lt>9.3.11</lt></range>
</package>
<package>
<name>postgresql94-server</name>
<range><ge>9.4.0</ge><lt>9.4.6</lt></range>
</package>
<package>
<name>postgresql95-server</name>
<range><ge>9.5.0</ge><lt>9.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PostgreSQL project reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1644/">
<p>
Security Fixes for Regular Expressions, PL/Java
</p>
<ul>
<li>CVE-2016-0773: This release closes security hole CVE-2016-0773,
an issue with regular expression (regex) parsing. Prior code allowed
users to pass in expressions which included out-of-range Unicode
characters, triggering a backend crash. This issue is critical for
PostgreSQL systems with untrusted users or which generate regexes
based on user input.
</li>
<li>CVE-2016-0766: The update also fixes CVE-2016-0766, a privilege
escalation issue for users of PL/Java. Certain custom configuration
settings (GUCS) for PL/Java will now be modifiable only by the
database superuser.
</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-0773</cvename>
<cvename>CVE-2016-0766</cvename>
</references>
<dates>
<discovery>2016-02-08</discovery>
<entry>2016-02-12</entry>
</dates>
</vuln>
<vuln vid="5d8e56c3-9e67-4d5b-81c9-3a409dfd705f">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-f10-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<range><lt>11.2r202.569</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-04.html">
<p>These updates resolve a type confusion vulnerability that
could lead to code execution (CVE-2016-0985).</p>
<p>These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2016-0973, CVE-2016-0974,
CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984).</p>
<p>These updates resolve a heap buffer overflow vulnerability
that could lead to code execution (CVE-2016-0971).</p>
<p>These updates resolve memory corruption vulnerabilities
that could lead to code execution (CVE-2016-0964,
CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968,
CVE-2016-0969, CVE-2016-0970, CVE-2016-0972, CVE-2016-0976,
CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980,
CVE-2016-0981).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-0964</cvename>
<cvename>CVE-2016-0965</cvename>
<cvename>CVE-2016-0966</cvename>
<cvename>CVE-2016-0967</cvename>
<cvename>CVE-2016-0968</cvename>
<cvename>CVE-2016-0969</cvename>
<cvename>CVE-2016-0970</cvename>
<cvename>CVE-2016-0971</cvename>
<cvename>CVE-2016-0972</cvename>
<cvename>CVE-2016-0973</cvename>
<cvename>CVE-2016-0974</cvename>
<cvename>CVE-2016-0975</cvename>
<cvename>CVE-2016-0976</cvename>
<cvename>CVE-2016-0977</cvename>
<cvename>CVE-2016-0978</cvename>
<cvename>CVE-2016-0979</cvename>
<cvename>CVE-2016-0980</cvename>
<cvename>CVE-2016-0981</cvename>
<cvename>CVE-2016-0982</cvename>
<cvename>CVE-2016-0983</cvename>
<cvename>CVE-2016-0984</cvename>
<cvename>CVE-2016-0985</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-04.html</url>
</references>
<dates>
<discovery>2016-02-09</discovery>
<entry>2016-02-10</entry>
</dates>
</vuln>
<vuln vid="515b4327-cf8a-11e5-96d6-14dae9d210b8">
<topic>dnscrypt-proxy -- code execution</topic>
<affects>
<package>
<name>dnscrypt-proxy</name>
<range><ge>1.1.0</ge><lt>1.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Frank Denis reports:</p>
<blockquote cite="https://github.com/jedisct1/dnscrypt-proxy/blob/1d129f7d5f0d469308967cbe4eacb4a6919f1fa1/NEWS#L2-L8">
<p>Malformed packets could lead to denial of service or code
execution.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/jedisct1/dnscrypt-proxy/blob/1d129f7d5f0d469308967cbe4eacb4a6919f1fa1/NEWS#L2-L8</url>
</references>
<dates>
<discovery>2016-02-02</discovery>
<entry>2016-02-10</entry>
<modified>2016-02-14</modified>
</dates>
</vuln>
<vuln vid="36034227-cf81-11e5-9c2b-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>48.0.2564.109</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_9.html">
<p>6 security fixes in this release, including:</p>
<ul>
<li>[546677] High CVE-2016-1622: Same-origin bypass in Extensions.
Credit to anonymous.</li>
<li>[577105] High CVE-2016-1623: Same-origin bypass in DOM. Credit
to Mariusz Mlynski.</li>
<li>[509313] Medium CVE-2016-1625: Navigation bypass in Chrome
Instant. Credit to Jann Horn.</li>
<li>[571480] Medium CVE-2016-1626: Out-of-bounds read in PDFium.
Credit to anonymous, working with HP's Zero Day Initiative.</li>
<li>[585517] CVE-2016-1627: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1622</cvename>
<cvename>CVE-2016-1623</cvename>
<cvename>CVE-2016-1625</cvename>
<cvename>CVE-2016-1626</cvename>
<cvename>CVE-2016-1627</cvename>
<url>http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_9.html</url>
</references>
<dates>
<discovery>2016-02-08</discovery>
<entry>2016-02-09</entry>
<modified>2016-03-08</modified>
</dates>
</vuln>
<vuln vid="8f10fa04-cf6a-11e5-96d6-14dae9d210b8">
<topic>graphite2 -- code execution vulnerability</topic>
<affects>
<package>
<name>graphite2</name>
<range><lt>1.3.5</lt></range>
</package>
<package>
<name>silgraphite</name>
<range><lt>2.3.1_4</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>38.6.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Talos reports:</p>
<blockquote cite="http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html">
<ul>
<li><p>An exploitable denial of service vulnerability exists
in the font handling of Libgraphite. A specially crafted font can cause
an out-of-bounds read potentially resulting in an information leak or
denial of service.</p></li>
<li><p>A specially crafted font can cause a buffer overflow
resulting in potential code execution.</p></li>
<li><p>An exploitable NULL pointer dereference exists in the
bidirectional font handling functionality of Libgraphite. A specially
crafted font can cause a NULL pointer dereference resulting in a
crash.</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html</url>
<url>http://www.talosintel.com/reports/TALOS-2016-0061/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-14/</url>
<cvename>CVE-2016-1521</cvename>
<cvename>CVE-2016-1522</cvename>
<cvename>CVE-2016-1523</cvename>
<cvename>CVE-2016-1526</cvename>
</references>
<dates>
<discovery>2016-02-05</discovery>
<entry>2016-02-09</entry>
<modified>2016-03-08</modified>
</dates>
</vuln>
<vuln vid="1cecd5e0-c372-11e5-96d6-14dae9d210b8">
<topic>xymon-server -- multiple vulnerabilities</topic>
<affects>
<package>
<name>xymon-server</name>
<range><lt>4.3.25</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>J.C. Cleaver reports:</p>
<blockquote cite="http://lists.xymon.com/pipermail/xymon/2016-February/042986.html">
<ul>
<li><p>CVE-2016-2054: Buffer overflow in xymond handling of
"config" command</p></li>
<li><p>CVE-2016-2055: Access to possibly confidential files
in the Xymon configuration directory</p></li>
<li><p>CVE-2016-2056: Shell command injection in the
"useradm" and "chpasswd" web applications</p></li>
<li><p>CVE-2016-2057: Incorrect permissions on IPC queues
used by the xymond daemon can bypass IP access filtering</p></li>
<li><p>CVE-2016-2058: Javascript injection in "detailed status
webpage" of monitoring items; XSS vulnerability via malformed
acknowledgment messages</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://lists.xymon.com/pipermail/xymon/2016-February/042986.html</url>
<cvename>CVE-2016-2054</cvename>
<cvename>CVE-2016-2055</cvename>
<cvename>CVE-2016-2056</cvename>
<cvename>CVE-2016-2057</cvename>
<cvename>CVE-2016-2058</cvename>
</references>
<dates>
<discovery>2016-01-19</discovery>
<entry>2016-02-09</entry>
</dates>
</vuln>
<vuln vid="85eb4e46-cf16-11e5-840f-485d605f4717">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php55</name>
<name>php55-phar</name>
<name>php55-wddx</name>
<range><lt>5.5.32</lt></range>
</package>
<package>
<name>php56</name>
<name>php56-phar</name>
<name>php56-wddx</name>
<range><lt>5.6.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP reports:</p>
<blockquote cite="http://php.net/ChangeLog-5.php#5.6.18">
<ul><li>Core:
<ul>
<li>Fixed bug #71039 (exec functions ignore length but look for NULL
termination).</li>
<li>Fixed bug #71323 (Output of stream_get_meta_data can be
falsified by its input).</li>
<li>Fixed bug #71459 (Integer overflow in iptcembed()).</li>
</ul></li>
<li>PCRE:
<ul>
<li>Upgraded bundled PCRE library to 8.38. (CVE-2015-8383,
CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390,
CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)</li>
</ul></li>
<li>Phar:
<ul>
<li>Fixed bug #71354 (Heap corruption in tar/zip/phar parser).</li>
<li>Fixed bug #71391 (NULL Pointer Dereference in
phar_tar_setupmetadata()).</li>
<li>Fixed bug #71488 (Stack overflow when decompressing tar
archives). (CVE-2016-2554)</li>
</ul></li>
<li>WDDX:
<ul>
<li>Fixed bug #71335 (Type Confusion in WDDX Packet
Deserialization).</li>
</ul></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8383</cvename>
<cvename>CVE-2015-8386</cvename>
<cvename>CVE-2015-8387</cvename>
<cvename>CVE-2015-8389</cvename>
<cvename>CVE-2015-8390</cvename>
<cvename>CVE-2015-8391</cvename>
<cvename>CVE-2015-8393</cvename>
<cvename>CVE-2015-8394</cvename>
<cvename>CVE-2016-2554</cvename>
<url>http://php.net/ChangeLog-5.php#5.6.18</url>
<url>http://php.net/ChangeLog-5.php#5.5.32</url>
</references>
<dates>
<discovery>2016-02-04</discovery>
<entry>2016-02-09</entry>
<modified>2016-03-13</modified>
</dates>
</vuln>
<vuln vid="a8de962a-cf15-11e5-805c-5453ed2e2b49">
<topic>py-imaging, py-pillow -- Buffer overflow in PCD decoder</topic>
<affects>
<package>
<name>py27-pillow</name>
<name>py33-pillow</name>
<name>py34-pillow</name>
<name>py35-pillow</name>
<range><lt>2.9.0_1</lt></range>
</package>
<package>
<name>py27-imaging</name>
<range><lt>1.1.7_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Pillow maintainers report:</p>
<blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html">
<p>In all versions of Pillow, dating back at least to the last PIL
1.1.7 release, PcdDecode.c has a buffer overflow error.</p>
<p>The state.buffer for PcdDecode.c is allocated based on a 3 bytes
per pixel sizing, where PcdDecode.c wrote into the buffer assuming
4 bytes per pixel. This writes 768 bytes beyond the end of the
buffer into other Python object storage. In some cases, this causes
a segfault, in others an internal Python malloc error.</p>
</blockquote>
</body>
</description>
<references>
<mlist>http://openwall.com/lists/oss-security/2016/02/02/5</mlist>
<url>https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4</url>
<url>https://github.com/python-pillow/Pillow/issues/568</url>
</references>
<dates>
<discovery>2016-02-02</discovery>
<entry>2016-02-09</entry>
</dates>
</vuln>
<vuln vid="0519db18-cf15-11e5-805c-5453ed2e2b49"> | |
<topic>py-pillow -- Integer overflow in Resample.c</topic> | |
<affects> | |
<package> | |
<name>py27-pillow</name> | |
<name>py33-pillow</name> | |
<name>py34-pillow</name> | |
<name>py35-pillow</name> | |
<range><lt>2.9.0_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Pillow maintainers report:</p> | |
<blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html"> | |
<p>If a large value was passed into the new size for an image, it is | |
possible to overflow an int32 value passed into malloc, leading the | |
malloc’d buffer to be undersized. These allocations are followed by | |
a loop that writes out of bounds. This can lead to corruption on | |
the heap of the Python process with attacker controlled float | |
data.</p> | |
<p>This issue was found by Ned Williamson.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://github.com/python-pillow/Pillow/commit/41fae6d9e2da741d2c5464775c7f1a609ea03798</url> | |
<url>https://github.com/python-pillow/Pillow/issues/1710</url> | |
</references> | |
<dates> | |
<discovery>2016-02-05</discovery> | |
<entry>2016-02-09</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6ea60e00-cf13-11e5-805c-5453ed2e2b49"> | |
<topic>py-imaging, py-pillow -- Buffer overflow in FLI decoding code</topic> | |
<affects> | |
<package> | |
<name>py27-pillow</name> | |
<name>py33-pillow</name> | |
<name>py34-pillow</name> | |
<name>py35-pillow</name> | |
<range><lt>2.9.0_1</lt></range> | |
</package> | |
<package> | |
<name>py27-imaging</name> | |
<range><lt>1.1.7_6</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Pillow maintainers report:</p> | |
<blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html"> | |
<p>In all versions of Pillow, dating back at least to the last PIL | |
1.1.7 release, FliDecode.c has a buffer overflow error.</p> | |
<p>There is a memcpy error where x is added to a target buffer | |
address. X is used in several internal temporary variable roles, | |
but can take a value up to the width of the image. Im->image[y] | |
is a set of row pointers to segments of memory that are the size of | |
the row. At the max y, this will write the contents of the line off | |
the end of the memory buffer, causing a segfault.</p> | |
<p>This issue was found by Alyssa Besseling at Atlassian.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-0775</cvename> | |
<url>https://github.com/python-pillow/Pillow/commit/bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec</url> | |
</references> | |
<dates> | |
<discovery>2016-02-05</discovery> | |
<entry>2016-02-09</entry> | |
</dates> | |
</vuln> | |
<vuln vid="53252879-cf11-11e5-805c-5453ed2e2b49"> | |
<topic>py-pillow -- Buffer overflow in TIFF decoding code</topic> | |
<affects> | |
<package> | |
<name>py27-pillow</name> | |
<name>py33-pillow</name> | |
<name>py34-pillow</name> | |
<name>py35-pillow</name> | |
<range><lt>2.9.0_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Pillow maintainers report:</p> | |
<blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html"> | |
<p>Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on | |
x64 may overflow a buffer when reading a specially crafted tiff | |
file.</p> | |
<p>Specifically, libtiff >= 4.0.0 changed the return type of | |
TIFFScanlineSize from int32 to machine dependent int32|64. If the | |
scanline is sized so that it overflows an int32, it may be | |
interpreted as a negative number, which will then pass the size check | |
in TiffDecode.c line 236. To do this, the logical scanline size has | |
to be > 2gb, and for the test file, the allocated buffer size is 64k | |
against a roughly 4gb scan line size. Any image data over 64k is | |
written over the heap, causing a segfault.</p> | |
<p>This issue was found by security researcher FourOne.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-0740</cvename> | |
<url>https://github.com/python-pillow/Pillow/commit/6dcbf5bd96b717c58d7b642949da8d323099928e</url> | |
</references> | |
<dates> | |
<discovery>2016-02-04</discovery> | |
<entry>2016-02-09</entry> | |
</dates> | |
</vuln> | |
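Both Pillow reports above come down to a length check the decoder never makes: the FLI path adds x to a row pointer and copies without comparing x plus the chunk length against the row width, and the TIFF path checks a scanline size after it has been squeezed into a signed 32-bit variable, so a scanline above 2 GiB reads as negative and passes. The Python model below is an added example, not Pillow's code; the Image class, the 64k row buffer and the chunk values are constructed to show how each check fails and what the corrected check looks like.

```python
ROW_BUFFER = 64 * 1024  # the 64k row buffer the TIFF report describes (assumed bytes)


def int32_truncate(n):
    """Value a caller sees when a 64-bit tmsize_t is stored into an int32."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def scanline_check_vulnerable(scanline_size, bufsize=ROW_BUFFER):
    """Size check done on the truncated value: a scanline above 2 GiB wraps
    to a negative int32, 'size > bufsize' is false, and the oversized read
    goes ahead.  Returns True when the decoder would proceed."""
    size = int32_truncate(scanline_size)
    return not size > bufsize


def scanline_check_fixed(scanline_size, bufsize=ROW_BUFFER):
    """Compare at full width and reject non-positive sizes as well."""
    return 0 < scanline_size <= bufsize


class Image:
    """Rows stored back to back in one bytearray, a constructed stand-in for
    the heap block that im->image[y] row pointers point into."""

    def __init__(self, width, height):
        self.width, self.height = width, height
        self.heap = bytearray(width * height)

    def row(self, y):
        return bytes(self.heap[y * self.width:(y + 1) * self.width])

    def overflowed(self):
        # A write past the last row grows the model bytearray; in C it would
        # scribble over whatever follows the allocation.
        return len(self.heap) > self.width * self.height


def fli_copy_vulnerable(img, y, x, data):
    """Row pointer plus x, then copy: nothing checks x + len(data) <= width,
    so bytes spill into the next row, or past the block on the last row."""
    start = y * img.width + x
    img.heap[start:start + len(data)] = data


def fli_copy_fixed(img, y, x, data):
    """Validate the chunk before touching memory; returns False on rejection,
    the way a C decoder would return an error code."""
    if y >= img.height or x < 0 or x + len(data) > img.width:
        return False
    start = y * img.width + x
    img.heap[start:start + len(data)] = data
    return True
```

The FLI model writes row 0 with x = 6 and four bytes into an 8-pixel-wide image: two bytes land in row 1, and the same chunk on the last row leaves the allocation entirely. The TIFF model shows why the fix has to compare in the width the library actually returns rather than in whatever the local variable happens to be.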
<vuln vid="6ac79ed8-ccc2-11e5-932b-5404a68ad561"> | |
<topic>ffmpeg -- remote denial of service in JPEG2000 decoder</topic> | |
<affects> | |
<package> | |
<name>ffmpeg</name> | |
<range><lt>2.8.6,1</lt></range> | |
</package> | |
<package> | |
<name>mplayer</name> | |
<name>mencoder</name> | |
<range> | |
<lt>1.2.r20151219_3</lt> | |
</range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>FFmpeg security reports:</p> | |
<blockquote cite="https://www.ffmpeg.org/security.html"> | |
<p>FFmpeg 2.8.6 fixes the following vulnerabilities: | |
CVE-2016-2213</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-2213</cvename> | |
<url>https://www.ffmpeg.org/security.html</url> | |
</references> | |
<dates> | |
<discovery>2016-01-27</discovery> | |
<entry>2016-02-06</entry> | |
</dates> | |
</vuln> | |
<vuln vid="448047e9-030e-4ce4-910b-f21a3ad5d9a0"> | |
<topic>shotwell -- does not verify TLS certificates</topic> | |
<affects> | |
<package> | |
<name>shotwell</name> | |
<range><lt>0.22.0.99</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Michael Catanzaro reports:</p> | |
<blockquote cite="https://mail.gnome.org/archives/distributor-list/2016-January/msg00000.html"> | |
<p>Shotwell has a serious security issue ("Shotwell does not | |
verify TLS certificates"). Upstream is no longer active and | |
I do not expect any further upstream releases unless someone | |
from the community steps up to maintain it.</p> | |
<p>What is the impact of the issue? If you ever used any of | |
the publish functionality (publish to Facebook, publish to | |
Flickr, etc.), your passwords may have been stolen; changing | |
them is not a bad idea.</p> | |
<p>What is the risk of the update? Regressions. The easiest | |
way to validate TLS certificates was to upgrade WebKit; it | |
seems to work but I don't have accounts with the online | |
services it supports, so I don't know if photo publishing | |
still works properly on all the services.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://mail.gnome.org/archives/distributor-list/2016-January/msg00000.html</url> | |
</references> | |
<dates> | |
<discovery>2016-01-06</discovery> | |
<entry>2016-02-05</entry> | |
</dates> | |
</vuln> | |
<vuln vid="1091d2d1-cb2e-11e5-b14b-bcaec565249c"> | |
<topic>webkit -- UI spoof</topic> | |
<affects> | |
<package> | |
<name>webkit-gtk2</name> | |
<name>webkit-gtk3</name> | |
<range><lt>2.4.9_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The WebKitGTK+ project reports:</p> | |
<blockquote cite="http://webkitgtk.org/security/WSA-2015-0002.html"> | |
<p>The ScrollView::paint function in platform/scroll/ScrollView.cpp | |
in Blink, as used in Google Chrome before 35.0.1916.114, allows | |
remote attackers to spoof the UI by extending scrollbar painting | |
into the parent frame.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2014-1748</cvename> | |
<url>http://webkitgtk.org/security/WSA-2015-0002.html</url> | |
</references> | |
<dates> | |
<discovery>2015-12-28</discovery> | |
<entry>2016-02-04</entry> | |
</dates> | |
</vuln> | |
<vuln vid="e78bfc9d-cb1e-11e5-b251-0050562a4d7b"> | |
<topic>py-rsa -- Bleichenbacher'06 signature forgery vulnerability</topic> | |
<affects> | |
<package> | |
<name>py27-rsa</name> | |
<name>py32-rsa</name> | |
<name>py33-rsa</name> | |
<name>py34-rsa</name> | |
<name>py35-rsa</name> | |
<range><lt>3.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Filippo Valsorda reports:</p> | |
<blockquote cite="https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/"> | |
<p> | |
python-rsa is vulnerable to a straightforward variant of the | |
Bleichenbacher'06 attack against RSA signature verification | |
with low public exponent.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1494</cvename> | |
<url>https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/</url> | |
<url>https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by</url> | |
<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1494</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/01/05/3</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/01/05/1</url> | |
</references> | |
<dates> | |
<discovery>2016-01-05</discovery> | |
<entry>2016-02-04</entry> | |
</dates> | |
</vuln> | |
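The report above names the attack class but not the verifier's mistake, so here is the whole thing worked through. This is an added example, not python-rsa's code: a deliberately naive PKCS#1 v1.5 verifier of the kind Bleichenbacher'06 targets (it parses the padding from the left and ignores whatever follows the hash), the forgery for e = 3 that needs only the public key, and the strict check that defeats it. The modulus N is a placeholder (the attack never uses the factorisation) and SHA-256 is assumed as the hash.

```python
import hashlib

# DigestInfo prefix for SHA-256 (RFC 3447, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Placeholder 2048-bit public key with e = 3.  The forgery uses only (n, e);
# the factorisation of n plays no part, so any odd 2048-bit value serves here.
N = (1 << 2047) | (1 << 2046) | 1
E = 3
K = (N.bit_length() + 7) // 8  # 256 bytes


def icbrt(x):
    """Smallest integer s with s**3 >= x (binary search, exact)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def _encoded_message(sig):
    return pow(sig, E, N).to_bytes(K, "big")


def digest_info(message):
    return SHA256_DIGESTINFO + hashlib.sha256(message).digest()


def naive_verify(message, sig):
    """Vulnerable pattern: scan from the left for 00 01 FF..FF 00 <DigestInfo>
    and accept on a hash match, never checking that the padding runs all the
    way to the hash or that nothing follows it."""
    em = _encoded_message(sig)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= K or em[i] != 0x00:  # require at least eight FF bytes
        return False
    t = digest_info(message)
    return em[i + 1:i + 1 + len(t)] == t  # trailing bytes are ignored


def strict_verify(message, sig):
    """Fixed: rebuild the one valid encoding and compare the whole block."""
    t = digest_info(message)
    expected = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return _encoded_message(sig) == expected


def forge(message):
    """Bleichenbacher'06 with e = 3: put the garbage at the low end, take the
    cube root and round up.  With 1552 free bits the rounding error (below
    2**1360) never reaches the prefix, and s**3 < n means no modular reduction."""
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(message)
    target = int.from_bytes(prefix + b"\x00" * (K - len(prefix)), "big")
    s = icbrt(target)
    assert s ** 3 < N
    return s
```

The forgery works because the naive verifier only looks at the first 62 bytes of the 256-byte block; the remaining 194 bytes are free for the attacker, and a cube root rounded up lands inside that free region. Rebuilding the full expected encoding and comparing all of it is the standard fix, and it is also why a correct verifier has no "minimum eight FF bytes" heuristic: the padding length is fully determined by the key size and hash.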
<vuln vid="559f3d1b-cb1d-11e5-80a4-001999f8d30b"> | |
<topic>asterisk -- Multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>asterisk</name> | |
<range><lt>1.8.32.3_5</lt></range> | |
</package> | |
<package> | |
<name>asterisk11</name> | |
<range><lt>11.21.1</lt></range> | |
</package> | |
<package> | |
<name>asterisk13</name> | |
<range><lt>13.7.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Asterisk project reports:</p> | |
<blockquote cite="http://www.asterisk.org/downloads/security-advisories"> | |
<p>AST-2016-001 - BEAST vulnerability in HTTP server</p> | |
<p>AST-2016-002 - File descriptor exhaustion in chan_sip</p> | |
<p>AST-2016-003 - Remote crash vulnerability when receiving UDPTL FAX data</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://downloads.asterisk.org/pub/security/AST-2016-001.html</url> | |
<cvename>CVE-2011-3389</cvename> | |
<url>http://downloads.asterisk.org/pub/security/AST-2016-002.html</url> | |
<cvename>CVE-2016-2316</cvename> | |
<url>http://downloads.asterisk.org/pub/security/AST-2016-003.html</url> | |
<cvename>CVE-2016-2232</cvename> | |
</references> | |
<dates> | |
<discovery>2016-02-03</discovery> | |
<entry>2016-02-04</entry> | |
<modified>2016-03-07</modified> | |
</dates> | |
</vuln> | |
<vuln vid="0652005e-ca96-11e5-96d6-14dae9d210b8"> | |
<topic>salt -- code execution</topic> | |
<affects> | |
<package> | |
<name>py27-salt</name> | |
<name>py32-salt</name> | |
<name>py33-salt</name> | |
<name>py34-salt</name> | |
<name>py35-salt</name> | |
<range><ge>2015.8.0</ge><lt>2015.8.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>SaltStack reports:</p> | |
<blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2015.8.4.html"> | |
<p>Improper handling of clear messages on the minion, which | |
could result in executing commands not sent by the master.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://docs.saltstack.com/en/latest/topics/releases/2015.8.4.html</url> | |
<url>https://github.com/saltstack/salt/pull/30613/files</url> | |
<cvename>CVE-2016-1866</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-25</discovery> | |
<entry>2016-02-03</entry> | |
</dates> | |
</vuln> | |
<vuln vid="bb0ef21d-0e1b-461b-bc3d-9cba39948888"> | |
<topic>rails -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>rubygem-actionpack</name> | |
<range><lt>3.2.22.1</lt></range> | |
</package> | |
<package> | |
<name>rubygem-actionpack4</name> | |
<range><lt>4.2.5.1</lt></range> | |
</package> | |
<package> | |
<name>rubygem-actionview</name> | |
<range><lt>4.2.5.1</lt></range> | |
</package> | |
<package> | |
<name>rubygem-activemodel4</name> | |
<range><lt>4.2.5.1</lt></range> | |
</package> | |
<package> | |
<name>rubygem-activerecord</name> | |
<range><lt>3.2.22.1</lt></range> | |
</package> | |
<package> | |
<name>rubygem-activerecord4</name> | |
<range><lt>4.2.5.1</lt></range> | |
</package> | |
<package> | |
<name>rubygem-rails</name> | |
<range><lt>3.2.22.1</lt></range> | |
</package> | |
<package> | |
<name>rubygem-rails-html-sanitizer</name> | |
<range><lt>1.0.3</lt></range> | |
</package> | |
<package> | |
<name>rubygem-rails4</name> | |
<range><lt>4.2.5.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Ruby on Rails blog reports:</p> | |
<blockquote cite="http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/"> | |
<p>Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been | |
released! These contain important security fixes, and it is | |
recommended that users upgrade as soon as possible.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7576</cvename> | |
<cvename>CVE-2015-7577</cvename> | |
<cvename>CVE-2015-7581</cvename> | |
<cvename>CVE-2016-0751</cvename> | |
<cvename>CVE-2016-0752</cvename> | |
<cvename>CVE-2016-0753</cvename> | |
<url>https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ</url> | |
<url>https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ</url> | |
<url>https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ</url> | |
<url>https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ</url> | |
<url>https://groups.google.com/d/msg/rubyonrails-security/335P1DcLG00/OfB9_LhbFQAJ</url> | |
<url>https://groups.google.com/d/msg/rubyonrails-security/6jQVC1geukQ/8oYETcxbFQAJ</url> | |
<url>http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/</url> | |
</references> | |
<dates> | |
<discovery>2016-01-25</discovery> | |
<entry>2016-02-02</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a52a7172-c92e-11e5-96d6-14dae9d210b8"> | |
<topic>socat -- Diffie-Hellman parameter was not prime</topic> | |
<affects> | |
<package> | |
<name>socat</name> | |
<range><ge>1.7.2.5</ge><lt>1.7.3.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>socat reports:</p> | |
<blockquote cite="http://www.dest-unreach.org/socat/contrib/socat-secadv7.html"> | |
<p>In the OpenSSL address implementation the hard coded 1024 | |
bit DH p parameter was not prime. The effective cryptographic strength | |
of a key exchange using these parameters was weaker than the one one | |
could get by using a prime p. Moreover, since there is no indication of | |
how these parameters were chosen, the existence of a trapdoor that makes it | |
possible for an eavesdropper to recover the shared secret from a key | |
exchange that uses them cannot be ruled out.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.dest-unreach.org/socat/contrib/socat-secadv7.html</url> | |
</references> | |
<dates> | |
<discovery>2016-02-01</discovery> | |
<entry>2016-02-01</entry> | |
</dates> | |
</vuln> | |
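A non-prime p is something an operator can check for rather than take on trust. The example below is added here and is not socat's code: a Miller-Rabin primality test plus a small parameter audit that flags a composite p, a p whose (p-1)/2 is composite (not a safe prime) and an undersized group. The sample values are constructed (Mersenne primes, a base-2 strong pseudoprime and the toy group p = 23, g = 5); the 40-round figure and the 2048-bit minimum are assumptions, not anything the advisory states.

```python
import random

# Miller-Rabin with these fixed bases is exact for n below about 3.3e24; for
# larger n we add random witnesses (assumption: 40 rounds, error <= 4**-40).
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
_DETERMINISTIC_LIMIT = 3_317_044_064_679_887_385_961_981


def is_probable_prime(n, rounds=40):
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # Write n - 1 = d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1

    def is_witness(a):
        # Returns True when base a proves n composite.
        x = pow(a, d, n)
        if x in (1, n - 1):
            return False
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                return False
        return True

    bases = list(_SMALL_PRIMES)
    if n >= _DETERMINISTIC_LIMIT:
        # Witness selection only needs to be unpredictable to an adversary
        # who supplies n; random is adequate for that, unlike for key material.
        bases += [random.randrange(2, n - 1) for _ in range(rounds)]
    return not any(is_witness(a) for a in bases)


def check_dh_params(p, g, min_bits=2048):
    """Audit a fixed (p, g) pair the way one would audit a hard-coded group.
    Returns a list of problems; an empty list means nothing was found."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"p is only {p.bit_length()} bits")
    if not is_probable_prime(p):
        problems.append("p is not prime")
        return problems  # the remaining checks assume a prime modulus
    if not is_probable_prime((p - 1) // 2):
        problems.append("p is not a safe prime: (p-1)/2 is composite")
    if not 1 < g < p - 1:
        problems.append("g is out of range")
    return problems
```

To audit a real group, parse the hex p from the source or from `openssl dhparam -text` into an int and call check_dh_params on it. A composite p is reported before anything else because a group order that is not known to be prime makes the subgroup checks meaningless, which is exactly the "cannot be ruled out" situation the advisory describes.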
<vuln vid="4f00dac0-1e18-4481-95af-7aaad63fd303"> | |
<topic>mozilla -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>firefox</name> | |
<name>linux-firefox</name> | |
<range><lt>44.0,1</lt></range> | |
</package> | |
<package> | |
<name>seamonkey</name> | |
<name>linux-seamonkey</name> | |
<range><lt>2.41</lt></range> | |
</package> | |
<package> | |
<name>firefox-esr</name> | |
<range><lt>38.6.0,1</lt></range> | |
</package> | |
<package> | |
<name>libxul</name> | |
<name>thunderbird</name> | |
<name>linux-thunderbird</name> | |
<range><lt>38.6.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mozilla Foundation reports:</p> | |
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44"> | |
<p>MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0 | |
/ rv:38.6)</p> | |
<p>MFSA 2016-02 Out of Memory crash when parsing GIF format | |
images</p> | |
<p>MFSA 2016-03 Buffer overflow in WebGL after out of memory | |
allocation</p> | |
<p>MFSA 2016-04 Firefox allows for control characters to be | |
set in cookie names</p> | |
<p>MFSA 2016-06 Missing delay following user click events in | |
protocol handler dialog</p> | |
<p>MFSA 2016-09 Addressbar spoofing attacks</p> | |
<p>MFSA 2016-10 Unsafe memory manipulation found through | |
code inspection</p> | |
<p>MFSA 2016-11 Application Reputation service disabled in | |
Firefox 43</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7208</cvename> | |
<cvename>CVE-2016-1930</cvename> | |
<cvename>CVE-2016-1931</cvename> | |
<cvename>CVE-2016-1933</cvename> | |
<cvename>CVE-2016-1935</cvename> | |
<cvename>CVE-2016-1937</cvename> | |
<cvename>CVE-2016-1939</cvename> | |
<cvename>CVE-2016-1942</cvename> | |
<cvename>CVE-2016-1943</cvename> | |
<cvename>CVE-2016-1944</cvename> | |
<cvename>CVE-2016-1945</cvename> | |
<cvename>CVE-2016-1946</cvename> | |
<cvename>CVE-2016-1947</cvename> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-01/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-02/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-03/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-04/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-06/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-09/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-10/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2016-11/</url> | |
</references> | |
<dates> | |
<discovery>2016-01-26</discovery> | |
<entry>2016-02-01</entry> | |
<modified>2016-03-08</modified> | |
</dates> | |
</vuln> | |
<vuln vid="e00d8b94-c88a-11e5-b5fe-002590263bf5"> | |
<topic>gdcm -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>gdcm</name> | |
<range><lt>2.6.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>CENSUS S.A. reports:</p> | |
<blockquote cite="http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/"> | |
<p>GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are | |
prone to an integer overflow vulnerability which leads to a buffer | |
overflow and potentially to remote code execution.</p> | |
</blockquote> | |
<blockquote cite="http://census-labs.com/news/2016/01/11/gdcm-out-bounds-read-jpeglscodec-decodeextent/"> | |
<p>GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are | |
prone to an out-of-bounds read vulnerability due to missing checks. | |
</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8396</cvename> | |
<cvename>CVE-2015-8397</cvename> | |
<url>http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/</url> | |
<url>http://census-labs.com/news/2016/01/11/gdcm-out-bounds-read-jpeglscodec-decodeextent/</url> | |
</references> | |
<dates> | |
<discovery>2015-12-23</discovery> | |
<entry>2016-02-01</entry> | |
</dates> | |
</vuln> | |
<vuln vid="c1c18ee1-c711-11e5-96d6-14dae9d210b8"> | |
<topic>nginx -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>nginx</name> | |
<range><lt>1.8.1,2</lt></range> | |
</package> | |
<package> | |
<name>nginx-devel</name> | |
<range><lt>1.9.10</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Maxim Dounin reports:</p> | |
<blockquote cite="http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html"> | |
<p>Several problems in nginx resolver were identified, which | |
might allow an attacker to cause worker process crash, or might have | |
potential other impact if the "resolver" directive | |
is used in a configuration file.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html</url> | |
<cvename>CVE-2016-0742</cvename> | |
<cvename>CVE-2016-0746</cvename> | |
<cvename>CVE-2016-0747</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-26</discovery> | |
<entry>2016-01-30</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a0d77bc8-c6a7-11e5-96d6-14dae9d210b8"> | |
<topic>typo3 -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>typo3</name> | |
<range><lt>7.6.1</lt></range> | |
</package> | |
<package> | |
<name>typo3-lts</name> | |
<range><lt>6.2.16</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>TYPO3 Security Team reports:</p> | |
<blockquote cite="http://lists.typo3.org/pipermail/typo3-announce/2015/000351.html"> | |
<p>It has been discovered that TYPO3 CMS is susceptible to | |
Cross-Site Scripting and Cross-Site Flashing.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://lists.typo3.org/pipermail/typo3-announce/2015/000351.html</url> | |
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-010/</url> | |
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-011/</url> | |
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-012/</url> | |
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/</url> | |
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-014/</url> | |
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-015/</url> | |
</references> | |
<dates> | |
<discovery>2015-12-15</discovery> | |
<entry>2016-01-29</entry> | |
</dates> | |
</vuln> | |
<vuln vid="93eadedb-c6a6-11e5-96d6-14dae9d210b8"> | |
<topic>nghttp2 -- use after free</topic> | |
<affects> | |
<package> | |
<name>nghttp2</name> | |
<range><lt>1.6.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>nghttp2 reports:</p> | |
<blockquote cite="https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/"> | |
<p>This release fixes a heap-use-after-free bug in the idle stream | |
handling code. We strongly recommend upgrading older installations | |
to this latest version as soon as possible.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/</url> | |
<cvename>CVE-2015-8659</cvename> | |
</references> | |
<dates> | |
<discovery>2015-12-23</discovery> | |
<entry>2016-01-29</entry> | |
</dates> | |
</vuln> | |
<vuln vid="3166222b-c6a4-11e5-96d6-14dae9d210b8"> | |
<topic>owncloud -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>owncloud</name> | |
<range><lt>8.2.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ownCloud reports:</p> | |
<blockquote cite="https://owncloud.org/blog/owncloud-8-2-2-8-1-5-8-0-10-and-7-0-12-here-with-sharing-ldap-fixes/"> | |
<ul> | |
<li><p>Reflected XSS in OCS provider discovery | |
(oC-SA-2016-001)</p></li> | |
<li><p>Information Exposure Through Directory Listing in the | |
file scanner (oC-SA-2016-002)</p></li> | |
<li><p>Disclosure of files that begin with ".v" due to | |
unchecked return value (oC-SA-2016-003)</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://owncloud.org/blog/owncloud-8-2-2-8-1-5-8-0-10-and-7-0-12-here-with-sharing-ldap-fixes/</url> | |
<url>https://owncloud.org/security/advisory/?id=oc-sa-2016-001</url> | |
<url>https://owncloud.org/security/advisory/?id=oc-sa-2016-002</url> | |
<url>https://owncloud.org/security/advisory/?id=oc-sa-2016-003</url> | |
<cvename>CVE-2016-1498</cvename> | |
<cvename>CVE-2016-1499</cvename> | |
<cvename>CVE-2016-1500</cvename> | |
</references> | |
<dates> | |
<discovery>2015-12-23</discovery> | |
<entry>2016-01-29</entry> | |
</dates> | |
</vuln> | |
<vuln vid="ff824eea-c69c-11e5-96d6-14dae9d210b8"> | |
<topic>radicale -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>py27-radicale</name> | |
<name>py32-radicale</name> | |
<name>py33-radicale</name> | |
<name>py34-radicale</name> | |
<range><lt>1.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Radicale reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/06/4"> | |
<p>The multifilesystem backend allows access to arbitrary | |
files on all platforms.</p> | |
<p>Prevent regex injection in rights management.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.openwall.com/lists/oss-security/2016/01/06/4</url> | |
<cvename>CVE-2015-8747</cvename> | |
<cvename>CVE-2015-8748</cvename> | |
</references> | |
<dates> | |
<discovery>2015-12-24</discovery> | |
<entry>2016-01-29</entry> | |
</dates> | |
</vuln> | |
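The two Radicale items are both cases of client-controlled text reaching an interpreter unescaped: a collection path reaching the filesystem, and a user name reaching a regular expression used for access control. The example below is added here and is not Radicale's code or its fix; the storage root, the rights-rule template and the user names are constructed to show the generic defence for each: confine resolved paths to the storage root, and re.escape anything interpolated into a pattern.

```python
import os
import re


def path_for(collection_root, requested):
    """Map a client-supplied collection path onto the filesystem and refuse
    anything that resolves outside the storage root.  Returns the absolute
    path, or None when the request escapes.  abspath normalises '..' but
    does not follow symlinks; use realpath as well if the tree may contain them."""
    root = os.path.abspath(collection_root)
    candidate = os.path.abspath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Hypothetical rights rule: a user may reach every collection under their
# own name.  The user name comes from the client at account creation.
def rights_regex_vulnerable(user):
    """User name interpolated raw: a user called '.*' or 'alice|bob' rewrites
    the rule itself."""
    return re.compile(f"^{user}/.*$")


def rights_regex_fixed(user):
    """re.escape turns the name back into literal text."""
    return re.compile(f"^{re.escape(user)}/.*$")


def may_access(pattern, collection_path):
    return pattern.fullmatch(collection_path) is not None
```

The regex case is the less obvious of the two: the template looks harmless, and the injection happens through a value that was validated as a user name, not as a pattern. Escaping at the point of interpolation, rather than restricting user names, keeps the rule correct no matter what the account system later allows.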
<vuln vid="7a59e283-c60b-11e5-bf36-6805ca0b3d42"> | |
<topic>phpmyadmin -- XSS vulnerability in SQL editor</topic> | |
<affects> | |
<package> | |
<name>phpmyadmin</name> | |
<range><ge>4.5.0</ge><lt>4.5.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpMyAdmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-9/"> | |
<p>With a crafted SQL query, it is possible to trigger an | |
XSS attack in the SQL editor.</p> | |
<p>We consider this vulnerability to be non-critical.</p> | |
<p>This vulnerability can be triggered only by someone who is | |
logged in to phpMyAdmin, as the usual token protection | |
prevents non-logged-in users from accessing the required | |
pages.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-9/</url> | |
<cvename>CVE-2016-2045</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-28</discovery> | |
<entry>2016-01-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="78b4ebfb-c60b-11e5-bf36-6805ca0b3d42"> | |
<topic>phpmyadmin -- Full path disclosure vulnerability in SQL parser</topic> | |
<affects> | |
<package> | |
<name>phpmyadmin</name> | |
<range><ge>4.5.0</ge><lt>4.5.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpMyAdmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-8/"> | |
<p>By calling a particular script that is part of phpMyAdmin | |
in an unexpected way, it is possible to trigger phpMyAdmin | |
to display a PHP error message which contains the full path | |
of the directory where phpMyAdmin is installed.</p> | |
<p>We consider this vulnerability to be non-critical.</p> | |
<p>This path disclosure is possible on servers where the | |
recommended setting of the PHP configuration directive | |
display_errors is set to on, which is against the | |
recommendations given in the PHP manual for a production | |
server.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-8/</url> | |
<cvename>CVE-2016-2044</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-28</discovery> | |
<entry>2016-01-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="7694927f-c60b-11e5-bf36-6805ca0b3d42"> | |
<topic>phpmyadmin -- XSS vulnerability in normalization page</topic> | |
<affects> | |
<package> | |
<name>phpmyadmin</name> | |
<range><ge>4.5.0</ge><lt>4.5.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpMyAdmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-7/"> | |
<p>With a crafted table name it is possible to trigger an | |
XSS attack in the database normalization page.</p> | |
<p>We consider this vulnerability to be non-critical.</p> | |
<p>This vulnerability can be triggered only by someone who is | |
logged in to phpMyAdmin, as the usual token protection | |
prevents non-logged-in users from accessing the required page.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-7/</url> | |
<cvename>CVE-2016-2043</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-28</discovery> | |
<entry>2016-01-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="740badcb-c60b-11e5-bf36-6805ca0b3d42"> | |
<topic>phpmyadmin -- Multiple full path disclosure vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>phpmyadmin</name> | |
<range><ge>4.5.0</ge><lt>4.5.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpMyAdmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-6/"> | |
<p>By calling some scripts that are part of phpMyAdmin in an | |
unexpected way, it is possible to trigger phpMyAdmin to | |
display a PHP error message which contains the full path of | |
the directory where phpMyAdmin is installed.</p> | |
<p>We consider these vulnerabilities to be non-critical.</p> | |
<p>This path disclosure is possible on servers where the | |
recommended setting of the PHP configuration directive | |
display_errors is set to on, which is against the | |
recommendations given in the PHP manual for a production | |
server.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-6/</url> | |
<cvename>CVE-2016-2042</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-28</discovery> | |
<entry>2016-01-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="71b24d99-c60b-11e5-bf36-6805ca0b3d42"> | |
<topic>phpmyadmin -- Unsafe comparison of XSRF/CSRF token</topic> | |
<affects> | |
<package> | |
<name>phpmyadmin</name> | |
<range><ge>4.5.0</ge><lt>4.5.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpMyAdmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-5/"> | |
<p>The comparison of the XSRF/CSRF token parameter with the | |
value saved in the session is vulnerable to timing | |
attacks. Moreover, the comparison could be bypassed if the | |
XSRF/CSRF token matches a particular pattern.</p> | |
<p>We consider this vulnerability to be serious.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-5/</url> | |
<cvename>CVE-2016-2041</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-28</discovery> | |
<entry>2016-01-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6f0c2d1b-c60b-11e5-bf36-6805ca0b3d42"> | |
<topic>phpmyadmin -- Insecure password generation in JavaScript</topic> | |
<affects> | |
<package> | |
<name>phpmyadmin</name> | |
<range><ge>4.5.0</ge><lt>4.5.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpMyAdmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-4/"> | |
<p>Password suggestion functionality uses Math.random() | |
which does not provide cryptographically secure random | |
numbers.</p> | |
<p>We consider this vulnerability to be non-critical.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-4/</url> | |
<cvename>CVE-2016-1927</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-28</discovery> | |
<entry>2016-01-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6cc06eec-c60b-11e5-bf36-6805ca0b3d42"> | |
<topic>phpmyadmin -- Multiple XSS vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>phpmyadmin</name> | |
<range><ge>4.5.0</ge><lt>4.5.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpMyAdmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-3/"> | |
<ul> | |
<li>With a crafted table name it is possible to trigger | |
an XSS attack in the database search page.</li> | |
<li>With a crafted SET value or a crafted search query, it | |
is possible to trigger an XSS attack in the zoom search | |
page.</li> | |
<li>With a crafted hostname header, it is possible to | |
trigger an XSS attack in the home page.</li> | |
</ul> | |
<p>We consider these vulnerabilities to be non-critical.</p> | |
<p>These vulnerabilities can be triggered only by someone | |
who is logged in to phpMyAdmin, as the usual token | |
protection prevents non-logged-in users from accessing the | |
required pages.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-3/</url> | |
<cvename>CVE-2016-2040</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-28</discovery> | |
<entry>2016-01-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="60ab0e93-c60b-11e5-bf36-6805ca0b3d42"> | |
<topic>phpmyadmin -- Unsafe generation of XSRF/CSRF token</topic> | |
<affects> | |
<package> | |
<name>phpmyadmin</name> | |
<range><ge>4.5.0</ge><lt>4.5.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpMyAdmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-2/"> | |
<p>The XSRF/CSRF token is generated with a weak algorithm | |
using functions that do not return cryptographically secure | |
values.</p> | |
<p>We consider this vulnerability to be non-critical.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-2/</url> | |
<cvename>CVE-2016-2039</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-28</discovery> | |
<entry>2016-01-28</entry> | |
</dates> | |
</vuln> | |
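Three of the phpMyAdmin advisories above (PMASA-2016-5 on token comparison, PMASA-2016-4 on password suggestion, PMASA-2016-2 on token generation) describe the same pair of mistakes: randomness from a non-cryptographic generator, and an equality test that leaks through timing. The example below is added here and is not phpMyAdmin's code; it is written in Python rather than PHP/JavaScript to show the pattern with standard-library primitives. The advisory does not say which "particular pattern" bypassed the original comparison, so only the timing side of PMASA-2016-5 is modelled; weak_token and its seed are a constructed counter-example.

```python
import hmac
import random
import secrets
import string

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def generate_token(nbytes=32):
    """CSRF token from the OS CSPRNG; 32 bytes gives 256 bits of entropy."""
    return secrets.token_hex(nbytes)


def suggest_password(length=16):
    """Password suggestion drawn with secrets.choice, not a Math.random()-style PRNG."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def weak_token(seed, nbytes=32):
    """Constructed counter-example: a non-cryptographic PRNG seeded from
    something guessable (a timestamp, say) reproduces the same token for
    anyone who guesses the seed."""
    return random.Random(seed).getrandbits(8 * nbytes).to_bytes(nbytes, "big").hex()


def leaky_compare(a, b):
    """Early-exit comparison.  Returns (equal, steps); 'steps' grows with the
    length of the matching prefix, which is what a timing attack measures
    over many requests to recover the token one character at a time."""
    steps = 0
    if len(a) != len(b):
        return False, steps
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def check_csrf(session_token, submitted):
    """Constant-time check of the submitted token against the session copy.
    Anything that is not a string (arrays, None) is rejected before the
    comparison so type confusion cannot reach it."""
    if not isinstance(session_token, str) or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(session_token.encode(), submitted.encode())
```

hmac.compare_digest runs in time that depends only on the length of its inputs, so the step count that leaky_compare exposes has no equivalent there. The type check in front of it is the cheap guard against the family of bugs where a comparison is handed something other than the string it expects.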
<vuln vid="5d6a204f-c60b-11e5-bf36-6805ca0b3d42"> | |
<topic>phpmyadmin -- Multiple full path disclosure vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>phpmyadmin</name> | |
<range><ge>4.5.0</ge><lt>4.5.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpMyAdmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-1/"> | |
<p>By calling some scripts that are part of phpMyAdmin in an | |
unexpected way, it is possible to trigger phpMyAdmin to | |
display a PHP error message which contains the full path of | |
the directory where phpMyAdmin is installed.</p> | |
<p>We consider these vulnerabilities to be non-critical.</p> | |
<p>This path disclosure is possible on servers where the | |
recommended setting of the PHP configuration directive | |
display_errors is set to on, which is against the | |
recommendations given in the PHP manual for a production | |
server.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2016-1/</url> | |
<cvename>CVE-2016-2038</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-28</discovery> | |
<entry>2016-01-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="50394bc9-c5fa-11e5-96a5-d93b343d1ff7"> | |
<topic>prosody -- user impersonation vulnerability</topic> | |
<affects> | |
<package> | |
<name>prosody</name> | |
<range><lt>0.9.10</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Prosody team reports:</p> | |
<blockquote cite="https://prosody.im/security/advisory_20160127/"> | |
<p>Adopt key generation algorithm from XEP-0185, to | |
prevent impersonation attacks (CVE-2016-0756)</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<freebsdpr>ports/206707</freebsdpr> | |
<cvename>CVE-2016-0756</cvename> | |
<url>https://prosody.im/security/advisory_20160127/</url> | |
</references> | |
<dates> | |
<discovery>2016-01-27</discovery> | |
<entry>2016-01-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="3679fd10-c5d1-11e5-b85f-0018fe623f2b"> | |
<topic>openssl -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>openssl</name> | |
<range><lt>1.0.2_7</lt></range> | |
</package> | |
<package> | |
<name>mingw32-openssl</name> | |
<range><ge>1.0.1</ge><lt>1.0.2f</lt></range> | |
</package> | |
<package> | |
<name>FreeBSD</name> | |
<range><ge>10.2</ge><lt>10.2_12</lt></range> | |
<range><ge>10.1</ge><lt>10.1_29</lt></range> | |
<range><ge>9.3</ge><lt>9.3_36</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>OpenSSL project reports:</p> | |
<blockquote cite="https://www.openssl.org/news/secadv/20160128.txt"> | |
<ol> | |
<li>Historically OpenSSL only ever generated DH parameters based on "safe" | |
primes. More recently (in version 1.0.2) support was provided for | |
generating X9.42 style parameter files such as those required for RFC 5114 | |
support. The primes used in such files may not be "safe". Where an | |
application is using DH configured with parameters based on primes that are | |
not "safe" then an attacker could use this fact to find a peer's private | |
DH exponent. This attack requires that the attacker complete multiple | |
handshakes in which the peer uses the same private DH exponent. For example | |
this could be used to discover a TLS server's private DH exponent if it's | |
reusing the private DH exponent or it's using a static DH ciphersuite. | |
OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in | |
TLS. It is not on by default. If the option is not set then the server | |
reuses the same private DH exponent for the life of the server process and | |
would be vulnerable to this attack. It is believed that many popular | |
applications do set this option and would therefore not be at risk. | |
(CVE-2016-0701)</li> | |
<li>A malicious client can negotiate SSLv2 ciphers that have been disabled on | |
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have | |
been disabled, provided that the SSLv2 protocol was not also disabled via | |
SSL_OP_NO_SSLv2. | |
(CVE-2015-3197)</li> | |
</ol> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<freebsdsa>SA-16:11.openssl</freebsdsa> | |
<cvename>CVE-2016-0701</cvename> | |
<cvename>CVE-2015-3197</cvename> | |
<url>https://www.openssl.org/news/secadv/20160128.txt</url> | |
</references> | |
<dates> | |
<discovery>2016-01-22</discovery> | |
<entry>2016-01-28</entry> | |
<modified>2016-08-09</modified> | |
</dates> | |
</vuln> | |
<vuln vid="8b27f1bc-c509-11e5-a95f-b499baebfeaf"> | |
<topic>curl -- Credentials not checked</topic> | |
<affects> | |
<package> | |
<name>curl</name> | |
<range><ge>7.10.0</ge><lt>7.47.0</lt></range> | |
</package> | |
<package> | |
<name>linux-c6-curl</name> | |
<name>linux-c6_64-curl</name> | |
<range><ge>7.10.0</ge></range> | |
</package> | |
<package> | |
<name>linux-f10-curl</name> | |
<range><ge>0</ge></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The cURL project reports:</p> | |
<blockquote cite="http://curl.haxx.se/docs/adv_20160127A.html"> | |
<p>libcurl will reuse NTLM-authenticated proxy connections | |
without properly making sure that the connection was | |
authenticated with the same credentials as set for this | |
transfer.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://curl.haxx.se/docs/adv_20160127A.html</url> | |
<cvename>CVE-2016-0755</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-27</discovery> | |
<entry>2016-01-27</entry> | |
<modified>2016-02-02</modified> | |
</dates> | |
</vuln> | |
<vuln vid="fb754341-c3e2-11e5-b5fe-002590263bf5"> | |
<topic>wordpress -- XSS vulnerability</topic> | |
<affects> | |
<package> | |
<name>wordpress</name> | |
<range><lt>4.4.1,1</lt></range> | |
</package> | |
<package> | |
<name>de-wordpress</name> | |
<name>ja-wordpress</name> | |
<name>ru-wordpress</name> | |
<name>zh-wordpress-zh_CN</name> | |
<name>zh-wordpress-zh_TW</name> | |
<range><lt>4.4.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Aaron Jorbin reports:</p> | |
<blockquote cite="https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/"> | |
<p>WordPress 4.4.1 is now available. This is a security release for | |
all previous versions and we strongly encourage you to update your | |
sites immediately.</p> | |
<p>WordPress versions 4.4 and earlier are affected by a cross-site | |
scripting vulnerability that could allow a site to be compromised. | |
This was reported by Crtc4L.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1564</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2016/01/08/3</url> | |
<url>https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/</url> | |
</references> | |
<dates> | |
<discovery>2016-01-06</discovery> | |
<entry>2016-01-26</entry> | |
<modified>2016-03-08</modified> | |
</dates> | |
</vuln> | |
<vuln vid="a763a0e7-c3d9-11e5-b5fe-002590263bf5"> | |
<topic>privoxy -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>privoxy</name> | |
<range><lt>3.0.24</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Privoxy developers report:</p>
<blockquote cite="http://www.privoxy.org/3.0.24/user-manual/whatsnew.html">
<p>Prevent invalid reads in case of corrupt chunk-encoded content.
CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer.</p>
<p>Remove empty Host headers in client requests. Previously they
would result in invalid reads. CVE-2016-1983. Bug discovered with
afl-fuzz and AddressSanitizer.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1982</cvename>
<cvename>CVE-2016-1983</cvename>
<freebsdpr>ports/206504</freebsdpr>
<url>http://www.privoxy.org/3.0.24/user-manual/whatsnew.html</url>
<url>http://www.openwall.com/lists/oss-security/2016/01/21/4</url>
</references>
<dates>
<discovery>2016-01-22</discovery>
<entry>2016-01-26</entry>
</dates>
</vuln>
<vuln vid="d9e1b569-c3d8-11e5-b5fe-002590263bf5">
<topic>privoxy -- multiple vulnerabilities</topic>
<affects>
<package>
<name>privoxy</name>
<range><lt>3.0.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Privoxy developers report:</p>
<blockquote cite="http://www.privoxy.org/3.0.23/user-manual/whatsnew.html">
<p>Fixed a DoS issue in case of client requests with incorrect
chunk-encoded body. When compiled with assertions enabled (the
default) they could previously cause Privoxy to abort(). Reported
by Matthew Daley. CVE-2015-1380.</p>
<p>Fixed multiple segmentation faults and memory leaks in the pcrs
code. This fix also increases the chances that an invalid pcrs
command is rejected as such. Previously some invalid commands would
be loaded without error. Note that Privoxy's pcrs sources (action
and filter files) are considered trustworthy input and should not be
writable by untrusted third-parties. CVE-2015-1381.</p>
<p>Fixed an 'invalid read' bug which could at least theoretically
cause Privoxy to crash. So far, no crashes have been observed.
CVE-2015-1382.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1380</cvename>
<cvename>CVE-2015-1381</cvename>
<cvename>CVE-2015-1382</cvename>
<freebsdpr>ports/197089</freebsdpr>
<url>http://www.privoxy.org/3.0.23/user-manual/whatsnew.html</url>
<url>http://www.openwall.com/lists/oss-security/2015/01/26/4</url>
</references>
<dates>
<discovery>2015-01-26</discovery>
<entry>2016-01-26</entry>
</dates>
</vuln>
<vuln vid="89d4ed09-c3d7-11e5-b5fe-002590263bf5">
<topic>privoxy -- multiple vulnerabilities</topic>
<affects>
<package>
<name>privoxy</name>
<range><lt>3.0.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Privoxy developers report:</p>
<blockquote cite="http://www.privoxy.org/3.0.22/user-manual/whatsnew.html">
<p>Fixed a memory leak when rejecting client connections due to the
socket limit being reached (CID 66382). This affected Privoxy 3.0.21
when compiled with IPv6 support (on most platforms this is the
default).</p>
<p>Fixed an immediate-use-after-free bug (CID 66394) and two
additional unconfirmed use-after-free complaints made by Coverity
scan (CID 66391, CID 66376).</p>
</blockquote>
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1201">
<p>Privoxy before 3.0.22 allows remote attackers to cause a denial
of service (file descriptor consumption) via unspecified vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1030</cvename>
<cvename>CVE-2015-1031</cvename>
<cvename>CVE-2015-1201</cvename>
<freebsdpr>ports/195468</freebsdpr>
<url>http://www.privoxy.org/3.0.22/user-manual/whatsnew.html</url>
<url>http://www.openwall.com/lists/oss-security/2015/01/11/1</url>
</references>
<dates>
<discovery>2015-01-10</discovery>
<entry>2016-01-26</entry>
</dates>
</vuln>
<vuln vid="ad82b0e9-c3d6-11e5-b5fe-002590263bf5">
<topic>privoxy -- malicious server spoofing as proxy vulnerability</topic>
<affects>
<package>
<name>privoxy</name>
<range><lt>3.0.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Privoxy developers report:</p>
<blockquote cite="http://www.privoxy.org/3.0.21/user-manual/whatsnew.html">
<p>Proxy authentication headers are removed unless the new directive
enable-proxy-authentication-forwarding is used. Forwarding the
headers potentially allows malicious sites to trick the user into
providing them with login information. Reported by Chris John Riley.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2503</cvename>
<freebsdpr>ports/176813</freebsdpr>
<url>http://www.privoxy.org/3.0.21/user-manual/whatsnew.html</url>
</references>
<dates>
<discovery>2013-03-07</discovery>
<entry>2016-01-26</entry>
</dates>
</vuln>
<vuln vid="2e8cdd36-c3cc-11e5-b5fe-002590263bf5">
<topic>sudo -- potential privilege escalation via symlink misconfiguration</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.8.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5602">
<p>sudoedit in Sudo before 1.8.15 allows local users to gain
privileges via a symlink attack on a file whose full path is defined
using multiple wildcards in /etc/sudoers, as demonstrated by
"/home/*/*/file.txt."</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5602</cvename>
<freebsdpr>ports/206590</freebsdpr>
<url>https://www.exploit-db.com/exploits/37710/</url>
<url>https://bugzilla.sudo.ws/show_bug.cgi?id=707</url>
<url>http://www.sudo.ws/stable.html#1.8.15</url>
</references>
<dates>
<discovery>2015-11-17</discovery>
<entry>2016-01-26</entry>
</dates>
</vuln>
<vuln vid="99d3a8a5-c13c-11e5-96d6-14dae9d210b8">
<topic>imlib2 -- denial of service vulnerabilities</topic>
<affects>
<package>
<name>imlib2</name>
<range><lt>1.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Enlightenment reports:</p>
<blockquote cite="https://git.enlightenment.org/legacy/imlib2.git/tree/ChangeLog">
<p>GIF loader: Fix segv on images without colormap</p>
<p>Prevent division-by-zero crashes.</p>
<p>Fix segfault when opening input/queue/id:000007,src:000000,op:flip1,pos:51 with feh</p>
</blockquote>
</body>
</description>
<references>
<url>https://git.enlightenment.org/legacy/imlib2.git/tree/ChangeLog</url>
<url>http://seclists.org/oss-sec/2016/q1/162</url>
<cvename>CVE-2014-9762</cvename>
<cvename>CVE-2014-9763</cvename>
<cvename>CVE-2014-9764</cvename>
</references>
<dates>
<discovery>2013-12-21</discovery>
<entry>2016-01-22</entry>
</dates>
</vuln>
<vuln vid="b4578647-c12b-11e5-96d6-14dae9d210b8">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.8P3</lt></range>
</package>
<package>
<name>bind910</name>
<range><lt>9.10.3P3</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>9.3</ge><lt>9.3_35</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01335">
<p>Specific APL data could trigger an INSIST in apl_42.c</p>
</blockquote>
</body>
</description>
<references>
<url>https://kb.isc.org/article/AA-01335</url>
<cvename>CVE-2015-8704</cvename>
<freebsdsa>SA-16:08.bind</freebsdsa>
</references>
<dates>
<discovery>2016-01-19</discovery>
<entry>2016-01-22</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="371bbea9-3836-4832-9e70-e8e928727f8c">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>48.0.2564.82</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.de/2016/01/stable-channel-update_20.html">
<p>This update includes 37 security fixes, including:</p>
<ul>
<li>[497632] High CVE-2016-1612: Bad cast in V8.</li>
<li>[572871] High CVE-2016-1613: Use-after-free in PDFium.</li>
<li>[544691] Medium CVE-2016-1614: Information leak in Blink.</li>
<li>[468179] Medium CVE-2016-1615: Origin confusion in Omnibox.</li>
<li>[541415] Medium CVE-2016-1616: URL Spoofing.</li>
<li>[544765] Medium CVE-2016-1617: History sniffing with HSTS and
CSP.</li>
<li>[552749] Medium CVE-2016-1618: Weak random number generator in
Blink.</li>
<li>[557223] Medium CVE-2016-1619: Out-of-bounds read in
PDFium.</li>
<li>[579625] CVE-2016-1620: Various fixes from internal audits,
fuzzing and other initiatives.</li>
<li>Multiple vulnerabilities in V8 fixed at the tip of the 4.8
branch.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1612</cvename>
<cvename>CVE-2016-1613</cvename>
<cvename>CVE-2016-1614</cvename>
<cvename>CVE-2016-1615</cvename>
<cvename>CVE-2016-1616</cvename>
<cvename>CVE-2016-1617</cvename>
<cvename>CVE-2016-1618</cvename>
<cvename>CVE-2016-1619</cvename>
<cvename>CVE-2016-1620</cvename>
<url>http://googlechromereleases.blogspot.de/2016/01/stable-channel-update_20.html</url>
</references>
<dates>
<discovery>2016-01-20</discovery>
<entry>2016-01-21</entry>
</dates>
</vuln>
<vuln vid="5237f5d7-c020-11e5-b397-d050996490d0">
<topic>ntp -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ntp</name>
<range><lt>4.2.8p6</lt></range>
</package>
<package>
<name>ntp-devel</name>
<range><lt>4.3.90</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.2</ge><lt>10.2_11</lt></range>
<range><ge>10.1</ge><lt>10.1_28</lt></range>
<range><ge>9.3</ge><lt>9.3_35</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Network Time Foundation reports:</p>
<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit">
<p>NTF's NTP Project has been notified of the following low-
and medium-severity vulnerabilities that are fixed in
ntp-4.2.8p6, released on Tuesday, 19 January 2016:</p>
<ul>
<li>Bug 2948 / CVE-2015-8158: Potential Infinite Loop
in ntpq. Reported by Cisco ASIG.</li>
<li>Bug 2945 / CVE-2015-8138: origin: Zero Origin
Timestamp Bypass. Reported by Cisco ASIG.</li>
<li>Bug 2942 / CVE-2015-7979: Off-path Denial of
Service (DoS) attack on authenticated broadcast
mode. Reported by Cisco ASIG.</li>
<li>Bug 2940 / CVE-2015-7978: Stack exhaustion in
recursive traversal of restriction list.
Reported by Cisco ASIG.</li>
<li>Bug 2939 / CVE-2015-7977: reslist NULL pointer
dereference. Reported by Cisco ASIG.</li>
<li>Bug 2938 / CVE-2015-7976: ntpq saveconfig command
allows dangerous characters in filenames.
Reported by Cisco ASIG.</li>
<li>Bug 2937 / CVE-2015-7975: nextvar() missing length
check. Reported by Cisco ASIG.</li>
<li>Bug 2936 / CVE-2015-7974: Skeleton Key: Missing
key check allows impersonation between authenticated
peers. Reported by Cisco ASIG.</li>
<li>Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on
authenticated broadcast mode. Reported by Cisco ASIG.</li>
</ul>
<p>Additionally, mitigations are published for the following
two issues:</p>
<ul>
<li>Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay
attacks. Reported by Cisco ASIG.</li>
<li>Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc,
disclose origin. Reported by Cisco ASIG.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-16:09.ntp</freebsdsa>
<cvename>CVE-2015-7973</cvename>
<cvename>CVE-2015-7974</cvename>
<cvename>CVE-2015-7975</cvename>
<cvename>CVE-2015-7976</cvename>
<cvename>CVE-2015-7977</cvename>
<cvename>CVE-2015-7978</cvename>
<cvename>CVE-2015-7979</cvename>
<cvename>CVE-2015-8138</cvename>
<cvename>CVE-2015-8139</cvename>
<cvename>CVE-2015-8140</cvename>
<cvename>CVE-2015-8158</cvename>
<url>http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit</url>
</references>
<dates>
<discovery>2016-01-20</discovery>
<entry>2016-01-21</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="62c0dbbd-bfce-11e5-b5fe-002590263bf5">
<topic>cgit -- multiple vulnerabilities</topic>
<affects>
<package>
<name>cgit</name>
<range><lt>0.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jason A. Donenfeld reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/14/6">
<p>Reflected Cross Site Scripting and Header Injection in Mimetype
Query String.</p>
<p>Stored Cross Site Scripting and Header Injection in Filename
Parameter.</p>
<p>Integer Overflow resulting in Buffer Overflow.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1899</cvename>
<cvename>CVE-2016-1900</cvename>
<cvename>CVE-2016-1901</cvename>
<freebsdpr>ports/206417</freebsdpr>
<url>http://lists.zx2c4.com/pipermail/cgit/2016-January/002817.html</url>
<url>http://www.openwall.com/lists/oss-security/2016/01/14/6</url>
</references>
<dates>
<discovery>2016-01-14</discovery>
<entry>2016-01-20</entry>
</dates>
</vuln>
<vuln vid="314830d8-bf91-11e5-96d6-14dae9d210b8">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind910</name>
<range><lt>9.10.3P3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01336">
<p>Problems converting OPT resource records and ECS options to
text format can cause BIND to terminate</p>
</blockquote>
</body>
</description>
<references>
<url>https://kb.isc.org/article/AA-01336</url>
<cvename>CVE-2015-8705</cvename>
</references>
<dates>
<discovery>2016-01-19</discovery>
<entry>2016-01-20</entry>
<modified>2016-01-22</modified>
</dates>
</vuln>
<vuln vid="51358314-bec8-11e5-82cd-bcaec524bf84">
<topic>claws-mail -- no bounds checking on the output buffer in conv_jistoeuc, conv_euctojis, conv_sjistoeuc</topic>
<affects>
<package>
<name>claws-mail</name>
<range><lt>3.13.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>DrWhax reports:</p>
<blockquote cite="http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557">
<p>So in codeconv.c there is a function for japanese character set
conversion called conv_jistoeuc(). There is no bounds checking on
the output buffer, which is created on the stack with alloca().
Bug can be triggered by sending an email to TAILS_luser@riseup.net
or whatever.
Since my C is completely rusty, you might be able to make a better
judgement on the severity of this issue. Marking critical for now.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8614</cvename>
<url>https://security-tracker.debian.org/tracker/CVE-2015-8614</url>
</references>
<dates>
<discovery>2015-11-04</discovery>
<entry>2016-01-19</entry>
</dates>
</vuln>
<vuln vid="7c63775e-be31-11e5-b5fe-002590263bf5">
<topic>libarchive -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libarchive</name>
<range><lt>3.1.2_5,1</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.3</ge><lt>10.3_4</lt></range>
<range><ge>10.2</ge><lt>10.2_18</lt></range>
<range><ge>10.1</ge><lt>10.1_35</lt></range>
<range><ge>9.3</ge><lt>9.3_43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0211">
<p>Integer signedness error in the archive_write_zip_data function in
archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when
running on 64-bit machines, allows context-dependent attackers to
cause a denial of service (crash) via unspecified vectors, which
triggers an improper conversion between unsigned and signed types,
leading to a buffer overflow.</p>
</blockquote>
<blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304">
<p>Absolute path traversal vulnerability in bsdcpio in libarchive
3.1.2 and earlier allows remote attackers to write to arbitrary
files via a full pathname in an archive.</p>
</blockquote>
<p>Libarchive issue tracker reports:</p>
<blockquote cite="https://github.com/libarchive/libarchive/issues/502">
<p>Using a crafted tar file bsdtar can perform an out-of-bounds memory
read which will lead to a SEGFAULT. The issue exists when the
executable skips data in the archive. The amount of data to skip is
defined in byte offset [16-19]. If ASLR is disabled, the issue can
lead to an infinite loop.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2013-0211</cvename> | |
<cvename>CVE-2015-2304</cvename> | |
<freebsdpr>ports/200176</freebsdpr> | |
<freebsdsa>SA-16:22.libarchive</freebsdsa> | |
<freebsdsa>SA-16:23.libarchive</freebsdsa> | |
<url>https://github.com/libarchive/libarchive/pull/110</url> | |
<url>https://github.com/libarchive/libarchive/commit/5935715</url> | |
<url>https://github.com/libarchive/libarchive/commit/2253154</url> | |
<url>https://github.com/libarchive/libarchive/issues/502</url> | |
<url>https://github.com/libarchive/libarchive/commit/3865cf2</url> | |
<url>https://github.com/libarchive/libarchive/commit/e6c9668</url> | |
<url>https://github.com/libarchive/libarchive/commit/24f5de6</url> | |
</references> | |
<dates> | |
<discovery>2012-12-06</discovery> | |
<entry>2016-01-18</entry> | |
<modified>2016-08-09</modified> | |
</dates> | |
</vuln> | |
<vuln vid="6809c6db-bdeb-11e5-b5fe-002590263bf5"> | |
<topic>go -- information disclosure vulnerability</topic> | |
<affects> | |
<package> | |
<name>go</name> | |
<range><ge>1.5,1</ge><lt>1.5.3,1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Jason Buberel reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/13/7"> | |
<p>A security-related issue has been reported in Go's math/big | |
package. The issue was introduced in Go 1.5. We recommend that all | |
users upgrade to Go 1.5.3, which fixes the issue. Go programs must | |
be recompiled with Go 1.5.3 in order to receive the fix.</p> | |
<p>The Go team would like to thank Nick Craig-Wood for identifying the | |
issue.</p> | |
<p>This issue can affect RSA computations in crypto/rsa, which is used | |
by crypto/tls. TLS servers on 32-bit systems could plausibly leak | |
their RSA private key due to this issue. Other protocol | |
implementations that create many RSA signatures could also be | |
impacted in the same way.</p> | |
<p>Specifically, incorrect results in one part of the RSA Chinese | |
Remainder computation can cause the result to be incorrect in such a | |
way that it leaks one of the primes. While RSA blinding should | |
prevent an attacker from crafting specific inputs that trigger the | |
bug, on 32-bit systems the bug can be expected to occur at random | |
around one in 2^26 times. Thus collecting around 64 million | |
signatures (of known data) from an affected server should be enough | |
to extract the private key used.</p> | |
<p>On 64-bit systems, the frequency of the bug is so low (less than | |
one in 2^50) that it would be very difficult to exploit. | |
Nonetheless, everyone is strongly encouraged to upgrade.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8618</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2016/01/13/7</url> | |
<url>https://go-review.googlesource.com/#/c/17672/</url> | |
<url>https://go-review.googlesource.com/#/c/18491/</url> | |
</references> | |
<dates> | |
<discovery>2016-01-13</discovery> | |
<entry>2016-01-18</entry> | |
</dates> | |
</vuln> | |
<vuln vid="05eeb7e9-b987-11e5-83ef-14dae9d210b8"> | |
<topic>isc-dhcpd -- Denial of Service</topic> | |
<affects> | |
<package> | |
<name>isc-dhcp41-server</name> | |
<range><lt>4.1.e_10,2</lt></range> | |
</package> | |
<package> | |
<name>isc-dhcp41-client</name> | |
<range><lt>4.1.e_3,2</lt></range> | |
</package> | |
<package> | |
<name>isc-dhcp41-relay</name> | |
<range><lt>4.1.e_6,2</lt></range> | |
</package> | |
<package> | |
<name>isc-dhcp42-client</name> | |
<name>isc-dhcp42-server</name> | |
<name>isc-dhcp42-relay</name> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>isc-dhcp43-client</name> | |
<name>isc-dhcp43-server</name> | |
<name>isc-dhcp43-relay</name> | |
<range><lt>4.3.3.p1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ISC reports:</p> | |
<blockquote cite="https://kb.isc.org/article/AA-01334"> | |
<p>A badly formed packet with an invalid IPv4 UDP length field | |
can cause a DHCP server, client, or relay program to terminate | |
abnormally.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://kb.isc.org/article/AA-01334</url> | |
<cvename>CVE-2015-8605</cvename> | |
</references> | |
<dates> | |
<discovery>2016-01-05</discovery> | |
<entry>2016-01-12</entry> | |
</dates> | |
</vuln> | |
<vuln vid="3b5c2362-bd07-11e5-b7ef-5453ed2e2b49"> | |
<topic>libproxy -- stack-based buffer overflow</topic> | |
<affects> | |
<!-- libproxy-python is not affected. It only installs a .py file that | |
dlopen()s libproxy.so. --> | |
<package> | |
<name>libproxy</name> | |
<range><ge>0.4.0</ge><lt>0.4.6_1</lt></range> | |
</package> | |
<package> | |
<name>libproxy-gnome</name> | |
<range><ge>0.4.0</ge><lt>0.4.6_2</lt></range> | |
</package> | |
<package> | |
<name>libproxy-kde</name> | |
<range><ge>0.4.0</ge><lt>0.4.6_6</lt></range> | |
</package> | |
<package> | |
<name>libproxy-perl</name> | |
<range><ge>0.4.0</ge><lt>0.4.6_3</lt></range> | |
</package> | |
<package> | |
<name>libproxy-webkit</name> | |
<range><ge>0.4.0</ge><lt>0.4.6_4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Tomas Hoger reports:</p> | |
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=864417#c0"> | |
<p>A buffer overflow flaw was discovered in the libproxy's | |
url::get_pac() used to download proxy.pac proxy auto-configuration | |
file. A malicious host hosting proxy.pac, or a man in the middle | |
attacker, could use this flaw to trigger a stack-based buffer | |
overflow in an application using libproxy, if proxy configuration | |
instructed it to download proxy.pac file from a remote HTTP | |
server.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2012-4504</cvename> | |
<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4504</url> | |
<mlist>http://www.openwall.com/lists/oss-security/2012/10/12/1</mlist> | |
<url>https://github.com/libproxy/libproxy/commit/c440553c12836664afd24a24fb3a4d10a2facd2c</url> | |
<url>https://bugzilla.redhat.com/show_bug.cgi?id=864417</url> | |
<mlist>https://groups.google.com/forum/?fromgroups=#!topic/libproxy/VxZ8No7mT0E</mlist> | |
</references> | |
<dates> | |
<discovery>2012-10-10</discovery> | |
<entry>2016-01-17</entry> | |
<modified>2016-01-18</modified> | |
</dates> | |
</vuln> | |
<vuln vid="046fedd1-bd01-11e5-bbf4-5404a68ad561"> | |
<topic>ffmpeg -- remote attacker can access local files</topic> | |
<affects> | |
<package> | |
<name>ffmpeg</name> | |
<range> | |
<gt>2.0,1</gt> | |
<lt>2.8.5,1</lt> | |
</range> | |
</package> | |
<package> | |
<name>mplayer</name> | |
<name>mencoder</name> | |
<range> | |
<lt>1.2.r20151219_2</lt> | |
</range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Arch Linux reports:</p> | |
<blockquote cite="https://bugs.archlinux.org/task/47738"> | |
<p>ffmpeg has a vulnerability in the current version that allows the | |
attacker to create a specially crafted video file, downloading which | |
will send files from a user PC to a remote attacker server. The | |
attack does not even require the user to open that file — for | |
example, KDE Dolphin thumbnail generation is enough.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1897</cvename> | |
<cvename>CVE-2016-1898</cvename> | |
<freebsdpr>ports/206282</freebsdpr> | |
<url>https://www.ffmpeg.org/security.html</url> | |
</references> | |
<dates> | |
<discovery>2016-01-13</discovery> | |
<entry>2016-01-17</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6c808811-bb9a-11e5-a65c-485d605f4717"> | |
<topic>h2o -- response header injection vulnerability</topic> | |
<affects> | |
<package> | |
<name>h2o</name> | |
<range><lt>1.6.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Kazuho OKU reports:</p> | |
<blockquote cite="http://h2o.examp1e.net/vulnerabilities.html"> | |
<p>When redirect directive is used, this flaw allows a remote | |
attacker to inject response headers into an HTTP redirect response.</p> | |
</blockquote> | |
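<p>Added illustration, not code from h2o or from this advisory: how a CR/LF pair inside a redirect target turns into an extra response header, beside the check that rejects it. The function names, the response layout and the sample target are hypothetical.</p>

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Response header injection through a redirect target, modelled in C.
 * Nothing here is h2o's code; names and layout are illustrative.
 */

/* A header field value must not contain CR or LF: either one ends the
 * field, so the client parses what follows as further header fields (or,
 * after an empty line, as the response body). */
bool header_value_is_clean(const char *value)
{
    for (const char *p = value; *p != '\0'; p++)
        if (*p == '\r' || *p == '\n')
            return false;
    return true;
}

/* Vulnerable: the request-derived 'target' goes straight into Location:. */
int build_redirect_unsafe(char *out, size_t outlen, const char *target)
{
    return snprintf(out, outlen,
                    "HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\n", target);
}

/* Fixed: refuse to build the redirect when the target would break the
 * header framing.  Returns -1 in that case, otherwise the response length. */
int build_redirect_safe(char *out, size_t outlen, const char *target)
{
    if (!header_value_is_clean(target))
        return -1;
    return build_redirect_unsafe(out, outlen, target);
}

/* Count the header fields a client would see after the status line.
 * An injected CRLF shows up as an additional field.  Returns -1 if the
 * response is not terminated by an empty line. */
int count_header_fields(const char *resp)
{
    const char *p = strstr(resp, "\r\n");     /* end of the status line */
    int fields = 0;

    if (p == NULL)
        return -1;
    p += 2;
    while (strncmp(p, "\r\n", 2) != 0) {
        const char *eol = strstr(p, "\r\n");
        if (eol == NULL)
            return -1;
        fields++;
        p = eol + 2;
    }
    return fields;
}

int main(void)
{
    char resp[256];
    /* Constructed attacker-controlled target carrying an embedded CRLF. */
    const char *evil = "/next\r\nSet-Cookie: session=attacker";

    build_redirect_unsafe(resp, sizeof resp, evil);
    printf("unsafe: client sees %d header field(s)\n", count_header_fields(resp));
    printf("safe:   build_redirect_safe returned %d\n",
           build_redirect_safe(resp, sizeof resp, evil));
    return 0;
}
```

The same check applies to any header whose value is derived from the request (Location, Set-Cookie, Content-Disposition); rejecting the request is preferable to stripping the control characters, since a silently altered redirect target is still attacker-influenced.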
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1133</cvename> | |
<url>https://h2o.examp1e.net/vulnerabilities.html</url> | |
</references> | |
<dates> | |
<discovery>2016-01-13</discovery> | |
<entry>2016-01-15</entry> | |
</dates> | |
</vuln> | |
<vuln vid="dfe0cdc1-baf2-11e5-863a-b499baebfeaf"> | |
<topic>openssh -- information disclosure</topic> | |
<affects> | |
<package> | |
<name>openssh-portable</name> | |
<range> | |
<gt>5.4.p0,1</gt> | |
<lt>7.1.p2,1</lt> | |
</range> | |
</package> | |
<package> | |
<name>FreeBSD</name> | |
<range><ge>10.2</ge><lt>10.2_10</lt></range> | |
<range><ge>10.1</ge><lt>10.1_27</lt></range> | |
<range><ge>9.3</ge><lt>9.3_34</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>OpenSSH reports:</p> | |
<blockquote cite="http://www.openssh.com/security.html"> | |
<p>OpenSSH clients between versions 5.4 and 7.1 are vulnerable to | |
information disclosure that may allow a malicious server to retrieve | |
information including, under some circumstances, user's private keys.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.openssh.com/security.html</url> | |
<cvename>CVE-2016-0777</cvename> | |
<cvename>CVE-2016-0778</cvename> | |
<freebsdsa>SA-16:07</freebsdsa> | |
</references> | |
<dates> | |
<discovery>2016-01-14</discovery> | |
<entry>2016-01-14</entry> | |
<modified>2016-08-09</modified> | |
</dates> | |
</vuln> | |
<vuln vid="842cd117-ba54-11e5-9728-002590263bf5"> | |
<topic>prosody -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>prosody</name> | |
<range><lt>0.9.9</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Prosody Team reports:</p> | |
<blockquote cite="http://blog.prosody.im/prosody-0-9-9-security-release/"> | |
<p>Fix path traversal vulnerability in mod_http_files | |
(CVE-2016-1231)</p> | |
<p>Fix use of weak PRNG in generation of dialback secrets | |
(CVE-2016-1232)</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1231</cvename> | |
<cvename>CVE-2016-1232</cvename> | |
<freebsdpr>ports/206150</freebsdpr> | |
<url>http://blog.prosody.im/prosody-0-9-9-security-release/</url> | |
</references> | |
<dates> | |
<discovery>2016-01-08</discovery> | |
<entry>2016-01-14</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a7a4e96c-ba50-11e5-9728-002590263bf5"> | |
<topic>kibana4 -- XSS vulnerability</topic> | |
<affects> | |
<package> | |
<name>kibana4</name> | |
<name>kibana41</name> | |
<range><lt>4.1.4</lt></range> | |
</package> | |
<package> | |
<name>kibana42</name> | |
<range><lt>4.2.2</lt></range> | |
</package> | |
<package> | |
<name>kibana43</name> | |
<range><lt>4.3.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Elastic reports:</p> | |
<blockquote cite="https://www.elastic.co/blog/kibana-4-3-1-and-4-2-2-and-4-1-4"> | |
<p>Fixes XSS vulnerability (CVE pending) - Thanks to Vladimir Ivanov | |
for responsibly reporting.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<freebsdpr>ports/205961</freebsdpr> | |
<freebsdpr>ports/205962</freebsdpr> | |
<freebsdpr>ports/205963</freebsdpr> | |
<url>https://www.elastic.co/blog/kibana-4-3-1-and-4-2-2-and-4-1-4</url> | |
</references> | |
<dates> | |
<discovery>2015-12-17</discovery> | |
<entry>2016-01-13</entry> | |
</dates> | |
</vuln> | |
<vuln vid="333f655a-b93a-11e5-9efa-5453ed2e2b49"> | |
<topic>p5-PathTools -- File::Spec::canonpath loses taint</topic> | |
<affects> | |
<package> | |
<name>p5-PathTools</name> | |
<range> | |
<gt>3.4000</gt> | |
<lt>3.6200</lt> | |
</range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Ricardo Signes reports:</p> | |
<blockquote> | |
<p>Beginning in PathTools 3.47 and/or perl 5.20.0, the | |
File::Spec::canonpath() routine returned untainted strings even if | |
passed tainted input. This defect undermines the guarantee of taint | |
propagation, which is sometimes used to ensure that unvalidated | |
user input does not reach sensitive code.</p> | |
<p>This defect was found and reported by David Golden of MongoDB.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8607</cvename> | |
<url>https://rt.perl.org/Public/Bug/Display.html?id=126862</url> | |
</references> | |
<dates> | |
<discovery>2016-01-11</discovery> | |
<entry>2016-01-12</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6b771fe2-b84e-11e5-92f9-485d605f4717"> | |
<topic>php -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>php55</name> | |
<name>php55-gd</name> | |
<name>php55-wddx</name> | |
<name>php55-xmlrpc</name> | |
<range><lt>5.5.31</lt></range> | |
</package> | |
<package> | |
<name>php56</name> | |
<name>php56-gd</name> | |
<name>php56-soap</name> | |
<name>php56-wddx</name> | |
<name>php56-xmlrpc</name> | |
<range><lt>5.6.17</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>PHP reports:</p> | |
<blockquote cite="http://www.php.net/ChangeLog-5.php#5.5.31"> | |
<ul><li>Core: | |
<ul> | |
<li>Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).</li> | |
</ul></li> | |
<li>GD: | |
<ul> | |
<li>Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array | |
Index Out of Bounds).</li> | |
</ul></li> | |
<li>SOAP: | |
<ul> | |
<li>Fixed bug #70900 (SoapClient systematic out of memory error).</li> | |
</ul></li> | |
<li>WDDX: | |
<ul> | |
<li>Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet | |
Deserialization).</li> | |
<li>Fixed bug #70741 (Session WDDX Packet Deserialization Type | |
Confusion Vulnerability).</li> | |
</ul></li> | |
<li>XMLRPC: | |
<ul> | |
<li>Fixed bug #70728 (Type Confusion Vulnerability in | |
PHP_to_XMLRPC_worker()).</li> | |
</ul></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.php.net/ChangeLog-5.php#5.5.31</url> | |
<url>http://www.php.net/ChangeLog-5.php#5.6.17</url> | |
</references> | |
<dates> | |
<discovery>2016-01-07</discovery> | |
<entry>2016-01-11</entry> | |
</dates> | |
</vuln> | |
<vuln vid="5f276780-b6ce-11e5-9731-5453ed2e2b49"> | |
<topic>pygments -- shell injection vulnerability</topic> | |
<affects> | |
<package> | |
<name>py27-pygments</name> | |
<name>py32-pygments</name> | |
<name>py33-pygments</name> | |
<name>py34-pygments</name> | |
<name>py35-pygments</name> | |
<range><lt>2.0.2_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>NVD reports:</p> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557"> | |
<p>The FontManager._get_nix_font_path function in formatters/img.py | |
in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute | |
arbitrary commands via shell metacharacters in a font name.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8557</cvename> | |
<mlist>http://seclists.org/fulldisclosure/2015/Oct/4</mlist> | |
<url>https://bitbucket.org/birkenfeld/pygments-main/commits/0036ab1c99e256298094505e5e92fdacdfc5b0a8</url> | |
</references> | |
<dates> | |
<discovery>2015-09-28</discovery> | |
<entry>2016-01-09</entry> | |
</dates> | |
</vuln> | |
<vuln vid="631fc042-b636-11e5-83ef-14dae9d210b8"> | |
<topic>polkit -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>polkit</name> | |
<range><lt>0.113</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Colin Walters reports:</p> | |
<blockquote cite="http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html"> | |
<ul> | |
<li><p>Integer overflow in the | |
authentication_agent_new_cookie function in PolicyKit (aka polkit) | |
before 0.113 allows local users to gain privileges by creating a large | |
number of connections, which triggers the issuance of a duplicate cookie | |
value.</p></li> | |
<li><p>The authentication_agent_new function in | |
polkitbackend/polkitbackendinteractiveauthority.c in PolicyKit (aka | |
polkit) before 0.113 allows local users to cause a denial of service | |
(NULL pointer dereference and polkitd daemon crash) by calling | |
RegisterAuthenticationAgent with an invalid object path.</p></li> | |
<li><p>The polkit_backend_action_pool_init function in | |
polkitbackend/polkitbackendactionpool.c in PolicyKit (aka polkit) before | |
0.113 might allow local users to gain privileges via duplicate action | |
IDs in action descriptions.</p></li> | |
<li><p>PolicyKit (aka polkit) before 0.113 allows local | |
users to cause a denial of service (memory corruption and polkitd daemon | |
crash) and possibly gain privileges via unspecified vectors, related to | |
"javascript rule evaluation."</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html</url> | |
<cvename>CVE-2015-4625</cvename> | |
<cvename>CVE-2015-3218</cvename> | |
<cvename>CVE-2015-3255</cvename> | |
<cvename>CVE-2015-3256</cvename> | |
</references> | |
<dates> | |
<discovery>2015-06-03</discovery> | |
<entry>2016-01-08</entry> | |
</dates> | |
</vuln> | |
<vuln vid="b22b016b-b633-11e5-83ef-14dae9d210b8"> | |
<topic>librsync -- collision vulnerability</topic> | |
<affects> | |
<package> | |
<name>librsync</name> | |
<range><lt>1.0.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Michael Samuel reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2014/07/28/1"> | |
<p>librsync before 1.0.0 uses a truncated MD4 checksum to | |
match blocks, which makes it easier for remote attackers to modify | |
transmitted data via a birthday attack.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.openwall.com/lists/oss-security/2014/07/28/1</url> | |
<cvename>CVE-2014-8242</cvename> | |
</references> | |
<dates> | |
<discovery>2014-07-28</discovery> | |
<entry>2016-01-08</entry> | |
</dates> | |
</vuln> | |
<vuln vid="4eae4f46-b5ce-11e5-8a2b-d050996490d0"> | |
<topic>ntp -- denial of service vulnerability</topic> | |
<affects> | |
<package> | |
<name>ntp</name> | |
<range><lt>4.2.8p5</lt></range> | |
</package> | |
<package> | |
<name>ntp-devel</name> | |
<range><lt>4.3.78</lt></range> | |
</package> | |
<package> | |
<name>FreeBSD</name> | |
<range><ge>10.2</ge><lt>10.2_9</lt></range> | |
<range><ge>10.1</ge><lt>10.1_26</lt></range> | |
<range><ge>9.3</ge><lt>9.3_33</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Network Time Foundation reports:</p> | |
<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p5_Securit"> | |
<p>NTF's NTP Project has been notified of the following | |
1 medium-severity vulnerability that is fixed in | |
ntp-4.2.8p5, released on Thursday, 7 January 2016:</p> | |
<p>NtpBug2956: Small-step/Big-step CVE-2015-5300</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<freebsdsa>SA-16:02.ntp</freebsdsa> | |
<cvename>CVE-2015-5300</cvename> | |
<url>https://www.cs.bu.edu/~goldbe/NTPattack.html</url> | |
<url>http://support.ntp.org/bin/view/Main/NtpBug2956</url> | |
<url>http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p5_Securit</url> | |
</references> | |
<dates> | |
<discovery>2015-10-21</discovery> | |
<entry>2016-01-08</entry> | |
<modified>2016-08-09</modified> | |
</dates> | |
</vuln> | |
<vuln vid="df587aa2-b5a5-11e5-9728-002590263bf5"> | |
<topic>dhcpcd -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>dhcpcd</name> | |
<range><lt>6.10.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Nico Golde reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/07/3"> | |
<p>heap overflow via malformed dhcp responses later in print_option | |
(via dhcp_envoption1) due to incorrect option length values. | |
Exploitation is non-trivial, but I'd love to be proven wrong.</p> | |
<p>invalid read/crash via malformed dhcp responses. not exploitable | |
beyond DoS as far as I can judge.</p> | |
</blockquote> | |
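<p>Added example, not dhcpcd's code: a bounds-checked walk over DHCP options in C, showing where the length check that a malformed response can defeat belongs. The option codes follow RFC 2132; the function names, result codes and the two sample option lists are constructed for illustration.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DHCP option codes used here (RFC 2132). */
#define DHO_PAD        0
#define DHO_SUBNETMASK 1
#define DHO_ROUTER     3
#define DHO_END        255

/* Result codes for dhcp_find_option(); illustrative names. */
#define OPT_FOUND      1
#define OPT_ABSENT     0
#define OPT_MALFORMED -1

/*
 * Walk the options area of a DHCP message looking for option 'want'.
 * On OPT_FOUND, *val/*len describe the option's value inside 'opts'.
 * Every length byte is checked against the bytes actually remaining; a
 * length that runs past the end is reported as OPT_MALFORMED rather than
 * trusted.  The advisory's heap overflow is what happens downstream when
 * such a length is believed and used to size a later copy.
 */
int dhcp_find_option(const uint8_t *opts, size_t optslen, uint8_t want,
                     const uint8_t **val, size_t *len)
{
    const uint8_t *p = opts, *end = opts + optslen;

    while (p < end) {
        uint8_t code = *p++;
        if (code == DHO_PAD)
            continue;
        if (code == DHO_END)
            return OPT_ABSENT;
        if (p >= end)
            return OPT_MALFORMED;               /* code byte with no length byte */
        size_t l = *p++;
        if (l > (size_t)(end - p))
            return OPT_MALFORMED;               /* length overruns the message */
        if (code == want) {
            *val = p;
            *len = l;
            return OPT_FOUND;
        }
        p += l;
    }
    return OPT_ABSENT;
}

/*
 * Copy an option value into a caller buffer, also checking the destination
 * size so that an in-bounds but long value cannot overrun 'out' either.
 * Returns the number of bytes copied, or -1 on any error.
 */
int dhcp_copy_option(const uint8_t *opts, size_t optslen, uint8_t want,
                     uint8_t *out, size_t outlen)
{
    const uint8_t *val;
    size_t len;

    if (dhcp_find_option(opts, optslen, want, &val, &len) != OPT_FOUND)
        return -1;
    if (len > outlen)
        return -1;
    memcpy(out, val, len);
    return (int)len;
}

/* Constructed sample option lists (not captured traffic). */
static const uint8_t good_opts[] = {
    DHO_SUBNETMASK, 4, 255, 255, 255, 0,
    DHO_PAD,
    DHO_ROUTER,     4, 192, 168, 1, 1,
    DHO_END
};
/* The router option claims 4 bytes but only 2 follow: the malformed case. */
static const uint8_t bad_opts[] = {
    DHO_SUBNETMASK, 4, 255, 255, 255, 0,
    DHO_ROUTER,     4, 192, 168
};

int main(void)
{
    uint8_t router[4];
    int n = dhcp_copy_option(good_opts, sizeof good_opts, DHO_ROUTER, router, sizeof router);

    printf("router option: %d bytes -> %u.%u.%u.%u\n", n,
           router[0], router[1], router[2], router[3]);
    printf("malformed message: %d\n",
           dhcp_copy_option(bad_opts, sizeof bad_opts, DHO_ROUTER, router, sizeof router));
    return 0;
}
```

The second check in dhcp_copy_option matters as much as the first: the advisory's first issue is a heap overflow in a later consumer of the option, and a parser that validates only against the message end still lets a correctly framed but oversized value reach a fixed-size destination.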
</body> | |
</description> | |
<references> | |
<cvename>CVE-2016-1503</cvename> | |
<cvename>CVE-2016-1504</cvename> | |
<freebsdpr>ports/206015</freebsdpr> | |
<url>http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9def1300d7ba990679571fa30</url> | |
<url>http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d8fabf33059aa4689cca17403</url> | |
<url>http://www.openwall.com/lists/oss-security/2016/01/07/3</url> | |
</references> | |
<dates> | |
<discovery>2016-01-04</discovery> | |
<entry>2016-01-08</entry> | |
</dates> | |
</vuln> | |
<vuln vid="4084168e-b531-11e5-a98c-0011d823eebd"> | |
<topic>mbedTLS/PolarSSL -- SLOTH attack on TLS 1.2 server authentication</topic> | |
<affects> | |
<package> | |
<name>polarssl13</name> | |
<range><lt>1.3.16</lt></range> | |
</package> | |
<package> | |
<name>mbedtls</name> | |
<range><lt>2.2.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ARM Limited reports:</p> | |
<blockquote cite="https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released"> | |
<p>MD5 handshake signatures in TLS 1.2 are vulnerable to the SLOTH attack | |
on TLS 1.2 server authentication. They have been disabled by default. | |
Other attacks from the SLOTH paper do not apply to any version of mbed | |
TLS or PolarSSL.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released</url> | |
</references> | |
<dates> | |
<discovery>2016-01-04</discovery> | |
<entry>2016-01-07</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6aa2d135-b40e-11e5-9728-002590263bf5"> | |
<topic>xen-kernel -- ioreq handling possibly susceptible to multiple read issue</topic> | |
<affects> | |
<package> | |
<name>xen-kernel</name> | |
<range><lt>4.5.2_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Xen Project reports:</p> | |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-166.html"> | |
<p>Single memory accesses in source code can be translated to multiple | |
ones in machine code by the compiler, requiring special caution when | |
accessing shared memory. Such precaution was missing from the | |
hypervisor code inspecting the state of I/O requests sent to the | |
device model for assistance.</p> | |
<p>Due to the offending field being a bitfield, it is however believed | |
that there is no issue in practice, since compilers, at least when | |
optimizing (which is always the case for non-debug builds), should find | |
it more expensive to extract the bit field value twice than to keep the | |
calculated value in a register.</p> | |
<p>This vulnerability is exposed to malicious device models. In | |
conventional Xen systems this means the qemu which services an HVM | |
domain. On such systems this vulnerability can only be exploited if | |
the attacker has gained control of the device model qemu via another | |
vulnerability.</p> | |
<p>Privilege escalation, host crash (Denial of Service), and leaked | |
information all cannot be excluded.</p> | |
</blockquote> | |
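<p>Added illustration, not code from the Xen Project or this advisory: the double-read hazard modelled in C. The structure, field and function names are hypothetical. In the unsafe variant the second read of the shared bitfield is written out explicitly, so the interleaving the advisory describes can be seen deterministically (the advisory itself notes that an optimizing compiler will usually keep the extracted value in a register); a device-model hook called between the two reads stands in for the concurrent writer.</p>

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical shared I/O request slot, not Xen's real structure: a page
 * shared with the device model holds a small bitfield describing an
 * in-flight request, and the device model may rewrite it at any moment.
 */
struct ioreq_slot {
    uint8_t state : 2;   /* 0 none, 1 ready, 2 in-process, 3 response-ready */
    uint8_t dir   : 1;
};

enum { STATE_NONE = 0, STATE_READY = 1, STATE_INPROCESS = 2, STATE_RESP_READY = 3 };

/* Stand-in for the device model running concurrently; the tests call it
 * between the two reads to model one possible interleaving. */
typedef void (*device_model_fn)(struct ioreq_slot *);

static void device_model_benign(struct ioreq_slot *s)  { (void)s; }
static void device_model_hostile(struct ioreq_slot *s) { s->state = STATE_INPROCESS; }

/*
 * Unsafe pattern: slot->state is read twice, once for the check and once
 * for the use, so the two reads can observe different values.
 * Returns 1 when the response is consumed, 0 if there is nothing to do,
 * -1 when a state the check already excluded is seen at the use site.
 */
int handle_ioreq_unsafe(struct ioreq_slot *slot, device_model_fn dm)
{
    if (slot->state != STATE_RESP_READY)      /* first read */
        return 0;
    dm(slot);                                 /* device model races here */
    switch (slot->state) {                    /* second read */
    case STATE_RESP_READY:
        slot->state = STATE_NONE;
        return 1;
    default:
        return -1;                            /* check passed, use disagrees */
    }
}

/*
 * Safe pattern: read the shared field exactly once into a local through a
 * volatile access (the idea behind READ_ONCE/ACCESS_ONCE) and make every
 * decision on that snapshot.  Later writes by the device model cannot
 * change a decision already taken.
 */
int handle_ioreq_safe(struct ioreq_slot *slot, device_model_fn dm)
{
    uint8_t state = ((volatile struct ioreq_slot *)slot)->state;  /* single read */

    if (state != STATE_RESP_READY)
        return 0;
    dm(slot);
    switch (state) {                          /* the snapshot, not slot->state */
    case STATE_RESP_READY:
        slot->state = STATE_NONE;
        return 1;
    default:
        return -1;                            /* unreachable: checked above */
    }
}

int main(void)
{
    struct ioreq_slot a = { STATE_RESP_READY, 0 };
    struct ioreq_slot b = { STATE_RESP_READY, 0 };

    printf("unsafe, hostile device model: %d\n", handle_ioreq_unsafe(&a, device_model_hostile));
    printf("safe,   hostile device model: %d\n", handle_ioreq_safe(&b, device_model_hostile));
    printf("unsafe, benign device model:  %d\n", handle_ioreq_unsafe(&a, device_model_benign));
    return 0;
}
```

The rule the example demonstrates is the general one for any memory a less trusted party can write: copy the value once, validate the copy, and never touch the shared location again for that decision.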
</body> | |
</description> | |
<references> | |
<freebsdpr>ports/205841</freebsdpr> | |
<url>http://xenbits.xen.org/xsa/advisory-166.html</url> | |
</references> | |
<dates> | |
<discovery>2015-12-17</discovery> | |
<entry>2016-01-06</entry> | |
</dates> | |
</vuln> | |
<vuln vid="e839ca04-b40d-11e5-9728-002590263bf5"> | |
<topic>xen-kernel -- information leak in legacy x86 FPU/XMM initialization</topic> | |
<affects> | |
<package> | |
<name>xen-kernel</name> | |
<range><lt>4.5.2_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Xen Project reports:</p> | |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-165.html"> | |
<p>When XSAVE/XRSTOR are not in use by Xen to manage guest extended | |
register state, the initial values in the FPU stack and XMM | |
registers seen by the guest upon first use are those left there by | |
the previous user of those registers.</p> | |
<p>A malicious domain may be able to leverage this to obtain sensitive | |
information such as cryptographic keys from another domain.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8555</cvename> | |
<freebsdpr>ports/205841</freebsdpr> | |
<url>http://xenbits.xen.org/xsa/advisory-165.html</url> | |
</references> | |
<dates> | |
<discovery>2015-12-17</discovery> | |
<entry>2016-01-06</entry> | |
</dates> | |
</vuln> | |
<vuln vid="5d1d4473-b40d-11e5-9728-002590263bf5"> | |
<topic>xen-tools -- libxl leak of pv kernel and initrd on error</topic> | |
<affects> | |
<package> | |
<name>xen-tools</name> | |
<range><ge>4.1</ge><lt>4.5.2_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Xen Project reports:</p> | |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-160.html"> | |
<p>When constructing a guest which is configured to use a PV | |
bootloader which runs as a userspace process in the toolstack domain | |
(e.g. pygrub) libxl creates a mapping of the files to be used as | |
kernel and initial ramdisk when building the guest domain.</p> | |
<p>However if building the domain subsequently fails these mappings | |
would not be released leading to a leak of virtual address space in | |
the calling process, as well as preventing the recovery of the | |
temporary disk files containing the kernel and initial ramdisk.</p> | |
<p>For toolstacks which manage multiple domains within the same | |
process, an attacker who is able to repeatedly start a suitable | |
domain (or many such domains) can cause an out-of-memory condition in the | |
toolstack process, leading to a denial of service.</p> | |
<p>Under the same circumstances an attacker can also cause files to | |
accumulate on the toolstack domain filesystem (usually under /var in | |
dom0) used to temporarily store the kernel and initial ramdisk, | |
perhaps leading to a denial of service against arbitrary other | |
services using that filesystem.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8341</cvename> | |
<freebsdpr>ports/205841</freebsdpr> | |
<url>http://xenbits.xen.org/xsa/advisory-160.html</url> | |
</references> | |
<dates> | |
<discovery>2015-12-08</discovery> | |
<entry>2016-01-06</entry> | |
</dates> | |
</vuln> | |
<vuln vid="bcad3faa-b40c-11e5-9728-002590263bf5"> | |
<topic>xen-kernel -- XENMEM_exchange error handling issues</topic> | |
<affects> | |
<package> | |
<name>xen-kernel</name> | |
<range><lt>4.5.2_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Xen Project reports:</p> | |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-159.html"> | |
<p>Error handling in the operation may involve handing back pages to | |
the domain. This operation may fail when in parallel the domain gets | |
torn down. So far this failure unconditionally resulted in the host | |
being brought down due to an internal error being assumed. This is | |
CVE-2015-8339.</p> | |
<p>Furthermore error handling so far wrongly included the release of a | |
lock. That lock, however, was either not acquired or already released | |
on all paths leading to the error handling sequence. This is | |
CVE-2015-8340.</p> | |
<p>A malicious guest administrator may be able to deny service by | |
crashing the host or causing a deadlock.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8339</cvename> | |
<cvename>CVE-2015-8340</cvename> | |
<freebsdpr>ports/205841</freebsdpr> | |
<url>http://xenbits.xen.org/xsa/advisory-159.html</url> | |
</references> | |
<dates> | |
<discovery>2015-12-08</discovery> | |
<entry>2016-01-06</entry> | |
</dates> | |
</vuln> | |
<vuln vid="b65e4914-b3bc-11e5-8255-5453ed2e2b49"> | |
<topic>tiff -- out-of-bounds read in CIE Lab image format</topic> | |
<affects> | |
<package> | |
<name>tiff</name> | |
<range><le>4.0.6</le></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>zzf of Alibaba discovered an out-of-bounds read in the code | |
processing LogLuv and CIE Lab image format files. An attacker | |
could create a specially-crafted TIFF file that could cause libtiff | |
to crash.</p> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8683</cvename> | |
<mlist>http://www.openwall.com/lists/oss-security/2015/12/25/2</mlist> | |
</references> | |
<dates> | |
<discovery>2015-12-25</discovery> | |
<entry>2016-01-05</entry> | |
</dates> | |
</vuln> | |
<vuln vid="bd349f7a-b3b9-11e5-8255-5453ed2e2b49"> | |
<topic>tiff -- out-of-bounds read in tif_getimage.c</topic> | |
<affects> | |
<package> | |
<name>tiff</name> | |
<range><le>4.0.6</le></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>LMX of Qihoo 360 Codesafe Team discovered an out-of-bounds read in | |
tif_getimage.c. An attacker could create a specially-crafted TIFF | |
file that could cause libtiff to crash.</p> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8665</cvename> | |
<mlist>http://www.openwall.com/lists/oss-security/2015/12/24/2</mlist> | |
</references> | |
<dates> | |
<discovery>2015-12-24</discovery> | |
<entry>2016-01-05</entry> | |
</dates> | |
</vuln> | |
<vuln vid="86c3c66e-b2f5-11e5-863a-b499baebfeaf"> | |
<topic>unzip -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>unzip</name> | |
<range><lt>6.0_7</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Gustavo Grieco reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/07/4"> | |
<p>Two issues were found in unzip 6.0:</p> | |
<p> * A heap overflow triggered by unzipping a file with password | |
(e.g. unzip -p -P x sigsegv.zip).</p> | |
<p> * A denial of service with a file that never finishes unzipping | |
(e.g. unzip sigxcpu.zip).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.openwall.com/lists/oss-security/2015/09/07/4</url> | |
<freebsdpr>ports/204413</freebsdpr> | |
<cvename>CVE-2015-7696</cvename> | |
<cvename>CVE-2015-7697</cvename> | |
</references> | |
<dates> | |
<discovery>2015-09-26</discovery> | |
<entry>2016-01-04</entry> | |
</dates> | |
</vuln> | |
<vuln vid="bb961ff3-b3a4-11e5-8255-5453ed2e2b49"> | |
<topic>cacti -- SQL injection vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>cacti</name> | |
<range><le>0.8.8f_1</le></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>NVD reports:</p> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8369"> | |
<p>SQL injection vulnerability in include/top_graph_header.php in | |
Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary | |
SQL commands via the rra_id parameter in a properties action to | |
graph.php.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8369</cvename> | |
<url>http://bugs.cacti.net/view.php?id=2646</url> | |
<url>http://svn.cacti.net/viewvc?view=rev&amp;revision=7767</url> | |
<mlist>http://seclists.org/fulldisclosure/2015/Dec/8</mlist> | |
</references> | |
<dates> | |
<discovery>2015-12-05</discovery> | |
<entry>2016-01-05</entry> | |
</dates> | |
</vuln> | |
<vuln vid="59e7eb28-b309-11e5-af83-80ee73b5dcf5"> | |
<topic>kea -- unexpected termination while handling a malformed packet</topic> | |
<affects> | |
<package> | |
<name>kea</name> | |
<range><ge>0.9.2</ge><lt>1.0.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ISC Support reports:</p> | |
<blockquote cite="https://kb.isc.org/article/AA-01318/0/CVE-2015-8373-ISC-Kea%3A-unexpected-termination-while-handling-a-malformed-packet.html"> | |
<p>ISC Kea may terminate unexpectedly (crash) while handling | |
a malformed client packet. Related defects in the kea-dhcp4 | |
and kea-dhcp6 servers can cause the server to crash during | |
option processing if a client sends a malformed packet. | |
An attacker sending a crafted malformed packet can cause | |
an ISC Kea server providing DHCP services to IPv4 or IPv6 | |
clients to exit unexpectedly.</p> | |
<ul> | |
<li><p>The kea-dhcp4 server is vulnerable only in versions | |
0.9.2 and 1.0.0-beta, and furthermore only when logging | |
at debug level 40 or higher. Servers running kea-dhcp4 | |
versions 0.9.1 or lower, and servers which are not | |
logging or are logging at debug level 39 or below are | |
not vulnerable.</p></li> | |
<li><p>The kea-dhcp6 server is vulnerable only in versions | |
0.9.2 and 1.0.0-beta, and furthermore only when | |
logging at debug level 45 or higher. Servers running | |
kea-dhcp6 versions 0.9.1 or lower, and servers | |
which are not logging or are logging at debug level 44 | |
or below are not vulnerable.</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8373</cvename> | |
<url>https://kb.isc.org/article/AA-01318/0/CVE-2015-8373-ISC-Kea%3A-unexpected-termination-while-handling-a-malformed-packet.html</url> | |
</references> | |
<dates> | |
<discovery>2015-12-15</discovery> | |
<entry>2016-01-04</entry> | |
<modified>2016-01-05</modified> | |
</dates> | |
</vuln> | |
<vuln vid="84dc49b0-b267-11e5-8a5b-00262d5ed8ee"> | |
<topic>mini_httpd -- buffer overflow via snprintf</topic> | |
<affects> | |
<package> | |
<name>mini_httpd</name> | |
<range><lt>1.23</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ACME Updates reports:</p> | |
<blockquote cite="https://cxsecurity.com/cveshow/CVE-2015-1548"> | |
<p>mini_httpd 1.21 and earlier allows remote attackers to obtain | |
sensitive information from process memory via an HTTP request with | |
a long protocol string, which triggers an incorrect response size | |
calculation and an out-of-bounds read.</p> | |
<p>(rene) ACME, the author, claims that the vulnerability is fixed | |
*after* version 1.22, released on 2015-12-28</p> | |
</blockquote> | |
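<p>Added example, not mini_httpd's code: the snprintf() return-value misuse behind this class of bug, beside a version that treats truncation as an error. The buffer size and function names are illustrative.</p>

```c
#include <stdio.h>
#include <string.h>

/* Small on purpose so a long protocol string overflows it quickly.
 * Names are illustrative, not mini_httpd's. */
#define STATUS_BUF 64

/*
 * Format "<protocol> <code> <reason>\r\n" into a STATUS_BUF-byte buffer and
 * return the byte count the caller hands to send()/write().
 *
 * Bug: snprintf() returns the length the complete string would have had,
 * not the number of bytes it stored.  With an over-long protocol string
 * the buffer holds STATUS_BUF-1 bytes while the return value is far
 * larger, so the caller transmits the truncated status line followed by
 * whatever lies after the buffer in memory.
 */
size_t build_status_unsafe(char *buf, const char *protocol, int code, const char *reason)
{
    int n = snprintf(buf, STATUS_BUF, "%s %d %s\r\n", protocol, code, reason);
    return n < 0 ? 0 : (size_t)n;            /* may exceed STATUS_BUF */
}

/*
 * Fixed: treat truncation as an error.  A cut-off status line is not
 * worth sending, and the size passed to send() must never exceed what
 * the buffer actually contains.  Returns 0 on truncation or encoding
 * error, leaving an empty buffer.
 */
size_t build_status_safe(char *buf, const char *protocol, int code, const char *reason)
{
    int n = snprintf(buf, STATUS_BUF, "%s %d %s\r\n", protocol, code, reason);
    if (n < 0 || (size_t)n >= STATUS_BUF) {
        buf[0] = '\0';
        return 0;
    }
    return (size_t)n;
}

/* How many bytes beyond the end of the buffer a send() of 'n' bytes
 * would read. */
size_t bytes_overread(size_t n)
{
    return n > STATUS_BUF ? n - STATUS_BUF : 0;
}

int main(void)
{
    char buf[STATUS_BUF];
    char longproto[200];                      /* constructed hostile input */
    size_t n;

    memset(longproto, 'A', sizeof longproto - 1);
    longproto[sizeof longproto - 1] = '\0';

    n = build_status_unsafe(buf, longproto, 200, "OK");
    printf("unsafe: would send %zu bytes, %zu past the buffer\n", n, bytes_overread(n));
    n = build_status_safe(buf, longproto, 200, "OK");
    printf("safe:   would send %zu bytes\n", n);
    return 0;
}
```

The same check applies wherever an snprintf() result feeds a length: an offset that is advanced by the return value ("pos += snprintf(buf + pos, size - pos, ...)") walks past the buffer just as readily once one call truncates.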
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-1548</cvename> | |
<url>https://cxsecurity.com/cveshow/CVE-2015-1548</url> | |
<url>http://acme.com/updates/archive/192.html</url> | |
</references> | |
<dates> | |
<discovery>2015-02-10</discovery> | |
<entry>2016-01-03</entry> | |
</dates> | |
</vuln> | |
<vuln vid="1384f2fd-b1be-11e5-9728-002590263bf5"> | |
<topic>qemu -- denial of service vulnerability in Rocker switch emulation</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.5.50</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.5.50.g20160213</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/28/6"> | |
<p>Qemu emulator built with the Rocker switch emulation support is | |
vulnerable to an off-by-one error. It happens while processing | |
transmit(tx) descriptors in 'tx_consume' routine, if a descriptor | |
was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. | |
</p> | |
<p>A privileged user inside guest could use this flaw to cause memory | |
leakage on the host or crash the Qemu process instance resulting in | |
DoS issue.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8701</cvename> | |
<freebsdpr>ports/205813</freebsdpr> | |
<freebsdpr>ports/205814</freebsdpr> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/28/6</url> | |
<url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=007cd223de527b5f41278f2d886c1a4beb3e67aa</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/007cd223de527b5f41278f2d886c1a4beb3e67aa</url> | |
</references> | |
<dates> | |
<discovery>2015-12-28</discovery> | |
<entry>2016-01-03</entry> | |
<modified>2016-07-06</modified> | |
</dates> | |
</vuln> | |
<vuln vid="152acff3-b1bd-11e5-9728-002590263bf5"> | |
<topic>qemu -- denial of service vulnerability in Q35 chipset emulation</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.5.50</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.5.50.g20151224</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/24/1"> | |
<p>Qemu emulator built with the Q35 chipset based pc system emulator | |
is vulnerable to a heap based buffer overflow. It occurs during VM | |
guest migration, as more (16 bytes) data is moved into allocated | |
(8 bytes) memory area.</p> | |
<p>A privileged guest user could use this issue to corrupt the VM | |
guest image, potentially leading to a DoS. This issue affects q35 | |
machine types.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8666</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/24/1</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=d9a3b33d2c9f996537b7f1d0246dee2d0120cefb</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/d9a3b33d2c9f996537b7f1d0246dee2d0120cefb</url> | |
</references> | |
<dates> | |
<discovery>2015-11-19</discovery> | |
<entry>2016-01-03</entry> | |
<modified>2016-07-06</modified> | |
</dates> | |
</vuln> | |
<vuln vid="62ab8707-b1bc-11e5-9728-002590263bf5"> | |
<topic>qemu -- denial of service vulnerability in Human Monitor Interface support</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.5.0</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.5.50.g20160213</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/22/8"> | |
<p>Qemu emulator built with the Human Monitor Interface(HMP) support | |
is vulnerable to an OOB write issue. It occurs while processing | |
'sendkey' command in hmp_sendkey routine, if the command argument is | |
longer than the 'keyname_buf' buffer size.</p> | |
<p>A user/process could use this flaw to crash the Qemu process | |
instance resulting in DoS.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8619</cvename> | |
<freebsdpr>ports/205813</freebsdpr> | |
<freebsdpr>ports/205814</freebsdpr> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/22/8</url> | |
<url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=64ffbe04eaafebf4045a3ace52a360c14959d196</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/64ffbe04eaafebf4045a3ace52a360c14959d196</url> | |
</references> | |
<dates> | |
<discovery>2015-12-23</discovery> | |
<entry>2016-01-03</entry> | |
<modified>2016-07-06</modified> | |
</dates> | |
</vuln> | |
<vuln vid="b3f9f8ef-b1bb-11e5-9728-002590263bf5"> | |
<topic>qemu -- denial of service vulnerability in MegaRAID SAS HBA emulation</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.5.0</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.5.50.g20160213</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/21/7"> | |
<p>Qemu emulator built with the SCSI MegaRAID SAS HBA emulation | |
support is vulnerable to a stack buffer overflow issue. It occurs | |
while processing the SCSI controller's CTRL_GET_INFO command. A | |
privileged guest user could use this flaw to crash the Qemu process | |
instance resulting in DoS.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8613</cvename> | |
<freebsdpr>ports/205813</freebsdpr> | |
<freebsdpr>ports/205814</freebsdpr> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/21/7</url> | |
<url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=36fef36b91f7ec0435215860f1458b5342ce2811</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/36fef36b91f7ec0435215860f1458b5342ce2811</url> | |
</references> | |
<dates> | |
<discovery>2015-12-21</discovery> | |
<entry>2016-01-03</entry> | |
<modified>2016-07-06</modified> | |
</dates> | |
</vuln> | |
<vuln vid="9ad8993e-b1ba-11e5-9728-002590263bf5"> | |
<topic>qemu -- denial of service vulnerability in VMWARE VMXNET3 NIC support</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.5.0</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.5.50.g20160213</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/15/4"> | |
<p>Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator | |
support is vulnerable to a memory leakage flaw. It occurs when a | |
guest repeatedly tries to activate the vmxnet3 device.</p> | |
<p>A privileged guest user could use this flaw to leak host memory, | |
resulting in DoS on the host.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8567</cvename> | |
<cvename>CVE-2015-8568</cvename> | |
<freebsdpr>ports/205813</freebsdpr> | |
<freebsdpr>ports/205814</freebsdpr> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/15/4</url> | |
<url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=aa4a3dce1c88ed51b616806b8214b7c8428b7470</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/aa4a3dce1c88ed51b616806b8214b7c8428b7470</url> | |
</references> | |
<dates> | |
<discovery>2015-12-15</discovery> | |
<entry>2016-01-03</entry> | |
<modified>2016-07-06</modified> | |
</dates> | |
</vuln> | |
<vuln vid="60cb2055-b1b8-11e5-9728-002590263bf5"> | |
<topic>qemu -- denial of service vulnerability in USB EHCI emulation support</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.5.0</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.5.50.g20151224</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/14/9"> | |
<p>Qemu emulator built with the USB EHCI emulation support is | |
vulnerable to an infinite loop issue. It occurs during communication | |
between host controller interface(EHCI) and a respective device | |
driver. These two communicate via a isochronous transfer descriptor | |
list(iTD) and an infinite loop unfolds if there is a closed loop in | |
this list.</p> | |
<p>A privileges user inside guest could use this flaw to consume | |
excessive CPU cycles & resources on the host.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8558</cvename> | |
<freebsdpr>ports/205814</freebsdpr> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/14/9</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/156a2e4dbffa85997636a7a39ef12da6f1b40254</url> | |
</references> | |
<dates> | |
<discovery>2015-12-14</discovery> | |
<entry>2016-01-03</entry> | |
</dates> | |
</vuln> | |
<vuln vid="3fb06284-b1b7-11e5-9728-002590263bf5"> | |
<topic>qemu -- denial of service vulnerability in MSI-X support</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.5.0</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.5.50.g20151224</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/14/2"> | |
<p>Qemu emulator built with the PCI MSI-X support is vulnerable to | |
null pointer dereference issue. It occurs when the controller | |
attempts to write to the pending bit array(PBA) memory region. | |
Because the MSI-X MMIO support did not define the .write method.</p> | |
<p>A privileges used inside guest could use this flaw to crash the | |
Qemu process resulting in DoS issue.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7549</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/14/2</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=43b11a91dd861a946b231b89b7542856ade23d1b</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/43b11a91dd861a946b231b89b7542856ade23d1b</url> | |
</references> | |
<dates> | |
<discovery>2015-06-26</discovery> | |
<entry>2016-01-03</entry> | |
</dates> | |
</vuln> | |
<vuln vid="67feba97-b1b5-11e5-9728-002590263bf5"> | |
<topic>qemu -- denial of service vulnerability in VNC</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.5.0</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.5.50.g20151224</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/08/4"> | |
<p>Qemu emulator built with the VNC display driver support is | |
vulnerable to an arithmetic exception flaw. It occurs on the VNC | |
server side while processing the 'SetPixelFormat' messages from a | |
client.</p> | |
<p>A privileged remote client could use this flaw to crash the guest | |
resulting in DoS.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8504</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/08/4</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3</url> | |
</references> | |
<dates> | |
<discovery>2015-12-08</discovery> | |
<entry>2016-01-03</entry> | |
</dates> | |
</vuln> | |
<vuln vid="405446f4-b1b3-11e5-9728-002590263bf5"> | |
<topic>qemu and xen-tools -- denial of service vulnerabilities in AMD PC-Net II NIC support</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.5.0</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.5.50.g20151224</lt></range> | |
</package> | |
<package> | |
<name>xen-tools</name> | |
<range><lt>4.5.2_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/30/2"> | |
<p>Qemu emulator built with the AMD PC-Net II Ethernet Controller | |
support is vulnerable to a heap buffer overflow flaw. While | |
receiving packets in the loopback mode, it appends CRC code to the | |
receive buffer. If the data size given is same as the receive buffer | |
size, the appended CRC code overwrites 4 bytes beyond this | |
's->buffer' array.</p> | |
<p>A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw | |
to crash the Qemu instance resulting in DoS or potentially execute | |
arbitrary code with privileges of the Qemu process on the host.</p> | |
</blockquote> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/30/3"> | |
<p>The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets | |
from a remote host(non-loopback mode), fails to validate the | |
received data size, thus resulting in a buffer overflow issue. It | |
could potentially lead to arbitrary code execution on the host, with | |
privileges of the Qemu process. It requires the guest NIC to have | |
larger MTU limit.</p> | |
<p>A remote user could use this flaw to crash the guest instance | |
resulting in DoS or potentially execute arbitrary code on a remote | |
host with privileges of the Qemu process.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7504</cvename> | |
<cvename>CVE-2015-7512</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2015/11/30/2</url> | |
<url>http://www.openwall.com/lists/oss-security/2015/11/30/3</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/837f21aacf5a714c23ddaadbbc5212f9b661e3f7</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/8b98a2f07175d46c3f7217639bd5e03f2ec56343</url> | |
<url>http://xenbits.xen.org/xsa/advisory-162.html</url> | |
</references> | |
<dates> | |
<discovery>2015-11-30</discovery> | |
<entry>2016-01-03</entry> | |
<modified>2016-01-06</modified> | |
</dates> | |
</vuln> | |
<vuln vid="b56fe6bb-b1b1-11e5-9728-002590263bf5"> | |
<topic>qemu -- denial of service vulnerabilities in eepro100 NIC support</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.5.50</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.5.50.g20160213</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/25/3"> | |
<p>Qemu emulator built with the i8255x (PRO100) emulation support is | |
vulnerable to an infinite loop issue. It could occur while | |
processing a chain of commands located in the Command Block List | |
(CBL). Each Command Block(CB) points to the next command in the | |
list. An infinite loop unfolds if the link to the next CB points | |
to the same block or there is a closed loop in the chain.</p> | |
<p>A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw | |
to crash the Qemu instance resulting in DoS.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8345</cvename> | |
<freebsdpr>ports/205813</freebsdpr> | |
<freebsdpr>ports/205814</freebsdpr> | |
<url>http://www.openwall.com/lists/oss-security/2015/11/25/3</url> | |
<url>https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=00837731d254908a841d69298a4f9f077babaf24</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/00837731d254908a841d69298a4f9f077babaf24</url> | |
</references> | |
<dates> | |
<discovery>2015-10-16</discovery> | |
<entry>2016-01-03</entry> | |
<modified>2016-07-06</modified> | |
</dates> | |
</vuln> | |
<vuln vid="42cbd1e8-b152-11e5-9728-002590263bf5"> | |
<topic>qemu -- denial of service vulnerability in virtio-net support</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.4.1</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.5.50.g20151224</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/18/5"> | |
<p>Qemu emulator built with the Virtual Network Device(virtio-net) | |
support is vulnerable to a DoS issue. It could occur while receiving | |
large packets over the tuntap/macvtap interfaces and when guest's | |
virtio-net driver did not support big/mergeable receive buffers.</p> | |
<p>An attacker on the local network could use this flaw to disable | |
guest's networking by sending a large number of jumbo frames to the | |
guest, exhausting all receive buffers and thus leading to a DoS | |
situation.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7295</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2015/09/18/5</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=696317f1895e836d53b670c7b77b7be93302ba08</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/0cf33fb6b49a19de32859e2cdc6021334f448fb3</url> | |
</references> | |
<dates> | |
<discovery>2015-09-18</discovery> | |
<entry>2016-01-02</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6aa3322f-b150-11e5-9728-002590263bf5"> | |
<topic>qemu -- denial of service vulnerabilities in NE2000 NIC support</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.4.0.1</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.5.50.g20151224</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/15/2"> | |
<p>Qemu emulator built with the NE2000 NIC emulation support is | |
vulnerable to an infinite loop issue. It could occur when receiving | |
packets over the network.</p> | |
<p>A privileged user inside guest could use this flaw to crash the | |
Qemu instance resulting in DoS.</p> | |
</blockquote> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/15/3"> | |
<p>Qemu emulator built with the NE2000 NIC emulation support is | |
vulnerable to a heap buffer overflow issue. It could occur when | |
receiving packets over the network.</p> | |
<p>A privileged user inside guest could use this flaw to crash the | |
Qemu instance or potentially execute arbitrary code on the host.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-5278</cvename> | |
<cvename>CVE-2015-5279</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2015/09/15/2</url> | |
<url>http://www.openwall.com/lists/oss-security/2015/09/15/3</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=5a1ccdfe44946e726b4c6fda8a4493b3931a68c1</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/737d2b3c41d59eb8f94ab7eb419b957938f24943</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/9bbdbc66e5765068dce76e9269dce4547afd8ad4</url> | |
</references> | |
<dates> | |
<discovery>2015-09-15</discovery> | |
<entry>2016-01-02</entry> | |
</dates> | |
</vuln> | |
<vuln vid="bbc97005-b14e-11e5-9728-002590263bf5"> | |
<topic>qemu -- denial of service vulnerability in IDE disk/CD/DVD-ROM emulation</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.4.1</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.5.50.g20151224</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/10/1"> | |
<p>Qemu emulator built with the IDE disk and CD/DVD-ROM emulation | |
support is vulnerable to a divide by zero issue. It could occur | |
while executing an IDE command WIN_READ_NATIVE_MAX to determine | |
the maximum size of a drive.</p> | |
<p>A privileged user inside guest could use this flaw to crash the | |
Qemu instance resulting in DoS.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-6855</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2015/09/10/1</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=63d761388d6fea994ca498c6e7a210851a99ad93</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/d9033e1d3aa666c5071580617a57bd853c5d794a</url> | |
</references> | |
<dates> | |
<discovery>2015-09-09</discovery> | |
<entry>2016-01-02</entry> | |
</dates> | |
</vuln> | |
<vuln vid="10bf8eed-b14d-11e5-9728-002590263bf5"> | |
<topic>qemu -- denial of service vulnerability in e1000 NIC support</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.4.0.1</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.5.50.g20151224</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/04/4"> | |
<p>Qemu emulator built with the e1000 NIC emulation support is | |
vulnerable to an infinite loop issue. It could occur while | |
processing transmit descriptor data when sending a network packet. | |
</p> | |
<p>A privileged user inside guest could use this flaw to crash the | |
Qemu instance resulting in DoS.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-6815</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2015/09/04/4</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=3a56af1fbc17ff453f6e90fb08ce0c0e6fd0b61b</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/b947ac2bf26479e710489739c465c8af336599e7</url> | |
</references> | |
<dates> | |
<discovery>2015-09-04</discovery> | |
<entry>2016-01-02</entry> | |
</dates> | |
</vuln> | |
<vuln vid="8a560bcf-b14b-11e5-9728-002590263bf5"> | |
<topic>qemu -- denial of service vulnerability in VNC</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.1.0</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.2.50.g20141230</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/02/7"> | |
<p>Qemu emulator built with the VNC display driver is vulnerable to an | |
infinite loop issue. It could occur while processing a | |
CLIENT_CUT_TEXT message with specially crafted payload message.</p> | |
<p>A privileged guest user could use this flaw to crash the Qemu | |
process on the host, resulting in DoS.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-5239</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2015/09/02/7</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=f9a70e79391f6d7c2a912d785239ee8effc1922d</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/f9a70e79391f6d7c2a912d785239ee8effc1922d</url> | |
</references> | |
<dates> | |
<discovery>2014-06-30</discovery> | |
<entry>2016-01-02</entry> | |
</dates> | |
</vuln> | |
<vuln vid="2b3b4c27-b0c7-11e5-8d13-bc5ff45d0f28"> | |
<topic>qemu -- buffer overflow vulnerability in VNC</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.4.0.1</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.4.50.g20151011</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/08/21/6"> | |
<p>Qemu emulator built with the VNC display driver support is | |
vulnerable to a buffer overflow flaw leading to a heap memory | |
corruption issue. It could occur while refreshing the server | |
display surface via routine vnc_refresh_server_surface().</p> | |
<p>A privileged guest user could use this flaw to corrupt the heap | |
memory and crash the Qemu process instance OR potentially use it | |
to execute arbitrary code on the host.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-5225</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2015/08/21/6</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=efec4dcd2552e85ed57f276b58f09fc385727450</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/eb8934b0418b3b1d125edddc4fc334a54334a49b</url> | |
</references> | |
<dates> | |
<discovery>2015-08-17</discovery> | |
<entry>2016-01-01</entry> | |
</dates> | |
</vuln> | |
<vuln vid="21e5abe3-b0c6-11e5-8d13-bc5ff45d0f28"> | |
<topic>qemu -- buffer overflow vulnerability in virtio-serial message exchanges</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.4.0</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.4.50.g20150814</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/08/06/3"> | |
<p>Qemu emulator built with the virtio-serial vmchannel support is | |
vulnerable to a buffer overflow issue. It could occur while | |
exchanging virtio control messages between guest and the host.</p> | |
<p>A malicious guest could use this flaw to corrupt few bytes of Qemu | |
memory area, potentially crashing the Qemu process.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-5745</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2015/08/06/5</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=7882080388be5088e72c425b02223c02e6cb4295</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/7882080388be5088e72c425b02223c02e6cb4295</url> | |
</references> | |
<dates> | |
<discovery>2015-08-06</discovery> | |
<entry>2016-01-01</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a267cd6c-b0c4-11e5-8d13-bc5ff45d0f28"> | |
<topic>qemu -- stack buffer overflow while parsing SCSI commands</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.4.0</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.4.50.g20150814</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> | |
<blockquote cite="http://openwall.com/lists/oss-security/2015/07/23/6"> | |
<p>Qemu emulator built with the SCSI device emulation support is | |
vulnerable to a stack buffer overflow issue. It could occur while | |
parsing SCSI command descriptor block with an invalid operation | |
code.</p> | |
<p>A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw | |
to crash the Qemu instance resulting in DoS.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-5158</cvename> | |
<url>http://openwall.com/lists/oss-security/2015/07/23/6</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=c170aad8b057223b1139d72e5ce7acceafab4fa9</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/c170aad8b057223b1139d72e5ce7acceafab4fa9</url> | |
</references> | |
<dates> | |
<discovery>2015-07-23</discovery> | |
<entry>2016-01-01</entry> | |
</dates> | |
</vuln> | |
<vuln vid="aea8d90e-b0c1-11e5-8d13-bc5ff45d0f28"> | |
<topic>qemu -- code execution on host machine</topic> | |
<affects> | |
<package> | |
<name>qemu</name> | |
<name>qemu-devel</name> | |
<range><lt>2.4.0</lt></range> | |
</package> | |
<package> | |
<name>qemu-sbruno</name> | |
<name>qemu-user-static</name> | |
<range><lt>2.4.50.g20150814</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Petr Matousek of Red Hat Inc. reports:</p> | |
<blockquote cite="http://openwall.com/lists/oss-security/2015/06/17/5"> | |
<p>Due converting PIO to the new memory read/write api we no longer | |
provide separate I/O region lenghts for read and write operations. | |
As a result, reading from PIT Mode/Command register will end with | |
accessing pit->channels with invalid index and potentially cause | |
memory corruption and/or minor information leak.</p> | |
<p>A privileged guest user in a guest with QEMU PIT emulation enabled | |
could potentially (tough unlikely) use this flaw to execute | |
arbitrary code on the host with the privileges of the hosting QEMU | |
process.</p> | |
<p>Please note that by default QEMU/KVM guests use in-kernel (KVM) PIT | |
emulation and are thus not vulnerable to this issue.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-3214</cvename> | |
<url>http://openwall.com/lists/oss-security/2015/06/17/5</url> | |
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=d4862a87e31a51de9eb260f25c9e99a75efe3235</url> | |
<url>https://github.com/seanbruno/qemu-bsd-user/commit/d4862a87e31a51de9eb260f25c9e99a75efe3235</url> | |
</references> | |
<dates> | |
<discovery>2015-06-17</discovery> | |
<entry>2016-01-01</entry> | |
</dates> | |
</vuln> | |
<vuln vid="4b3a7e70-afce-11e5-b864-14dae9d210b8"> | |
<topic>mono -- DoS and code execution</topic> | |
<affects> | |
<package> | |
<name>mono</name> | |
<range><lt>4.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>NCC Group reports:</p> | |
<blockquote cite="http://seclists.org/oss-sec/2015/q4/543"> | |
<p>An attacker who can cause a carefully-chosen string to be | |
converted to a floating-point number can cause a crash and potentially | |
induce arbitrary code execution.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://seclists.org/oss-sec/2015/q4/543</url> | |
<cvename>CVE-2009-0689</cvename> | |
</references> | |
<dates> | |
<discovery>2015-12-19</discovery> | |
<entry>2015-12-31</entry> | |
</dates> | |
</vuln> | |
<vuln vid="84c7ea88-bf04-4bdc-973b-36744bf540ab"> | |
<topic>flash -- multiple vulnabilities</topic> | |
<affects> | |
<package> | |
<name>linux-c6-flashplugin</name> | |
<name>linux-f10-flashplugin</name> | |
<name>linux-c6_64-flashplugin</name> | |
<range><lt>11.2r202.559</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Adobe reports:</p> | |
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-01.html"> | |
<p>These updates resolve a type confusion vulnerability that | |
could lead to code execution (CVE-2015-8644).</p> | |
<p>These updates resolve an integer overflow vulnerability | |
that could lead to code execution (CVE-2015-8651).</p> | |
<p>These updates resolve use-after-free vulnerabilities that | |
could lead to code execution (CVE-2015-8634, CVE-2015-8635, | |
CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, | |
CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, | |
CVE-2015-8648, CVE-2015-8649, CVE-2015-8650).</p> | |
<p>These updates resolve memory corruption vulnerabilities | |
that could lead to code execution (CVE-2015-8459, | |
CVE-2015-8460, CVE-2015-8636, CVE-2015-8645).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8459</cvename> | |
<cvename>CVE-2015-8460</cvename> | |
<cvename>CVE-2015-8634</cvename> | |
<cvename>CVE-2015-8636</cvename> | |
<cvename>CVE-2015-8638</cvename> | |
<cvename>CVE-2015-8639</cvename> | |
<cvename>CVE-2015-8640</cvename> | |
<cvename>CVE-2015-8641</cvename> | |
<cvename>CVE-2015-8642</cvename> | |
<cvename>CVE-2015-8643</cvename> | |
<cvename>CVE-2015-8644</cvename> | |
<cvename>CVE-2015-8645</cvename> | |
<cvename>CVE-2015-8646</cvename> | |
<cvename>CVE-2015-8647</cvename> | |
<cvename>CVE-2015-8648</cvename> | |
<cvename>CVE-2015-8649</cvename> | |
<cvename>CVE-2015-8650</cvename> | |
<cvename>CVE-2015-8651</cvename> | |
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-01.html</url> | |
</references> | |
<dates> | |
<discovery>2015-12-28</discovery> | |
<entry>2015-12-29</entry> | |
</dates> | |
</vuln> | |
<vuln vid="b808c3a8-ae30-11e5-b864-14dae9d210b8"> | |
<topic>inspircd -- DoS</topic> | |
<affects> | |
<package> | |
<name>inspircd</name> | |
<range><lt>2.0.19</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Inspircd reports:</p> | |
<blockquote cite="http://www.inspircd.org/2015/04/16/v2019-released.html"> | |
<p>This release fixes the issues discovered since 2.0.18, | |
containing multiple important stability and correctness related | |
improvements, including a fix for a bug which allowed malformed DNS | |
records to cause netsplits on a network.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.inspircd.org/2015/04/16/v2019-released.html</url> | |
<url>https://github.com/inspircd/inspircd/commit/6058483d9fbc1b904d5ae7cfea47bfcde5c5b559</url> | |
<url>http://comments.gmane.org/gmane.comp.security.oss.general/18464</url> | |
<cvename>CVE-2015-8702</cvename> | |
</references> | |
<dates> | |
<discovery>2015-04-16</discovery> | |
<entry>2015-12-29</entry> | |
<modified>2015-12-29</modified> | |
</dates> | |
</vuln> | |
<vuln vid="4bae544d-06a3-4352-938c-b3bcbca89298"> | |
<topic>ffmpeg -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>libav</name> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>gstreamer-ffmpeg</name> | |
<!-- gst-ffmpeg-0.10.13 has libav-0.7.2 (0.7.7 in freebsd port) --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>handbrake</name> | |
<!-- handbrake-0.10.2 has libav-10.1 --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>ffmpeg</name> | |
<range><ge>2.8,1</ge><lt>2.8.4,1</lt></range> | |
<range><lt>2.7.4,1</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg26</name> | |
<range><lt>2.6.6</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg25</name> | |
<range><lt>2.5.9</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg24</name> | |
<range><lt>2.4.12</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg-devel</name> | |
<name>ffmpeg23</name> | |
<name>ffmpeg2</name> | |
<name>ffmpeg1</name> | |
<name>ffmpeg-011</name> | |
<name>ffmpeg0</name> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>avidemux</name> | |
<name>avidemux2</name> | |
<name>avidemux26</name> | |
<!-- avidemux-2.6.10 has ffmpeg-2.6.1 --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>kodi</name> | |
<!-- kodi-15.2 has ffmpeg-2.6.4 --> | |
<range><lt>16.0</lt></range> | |
</package> | |
<package> | |
<name>mplayer</name> | |
<name>mencoder</name> | |
<!-- mplayer-1.2.r20151219 has ffmpeg-2.8.3 --> | |
<range><lt>1.2.r20151219_1</lt></range> | |
</package> | |
<package> | |
<name>mythtv</name> | |
<name>mythtv-frontend</name> | |
<!-- mythtv-0.27.0.20140121 has ffmpeg-1.2.2+ (snapshot, f9c8726) --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>plexhometheater</name> | |
<!-- plexhometheater-1.4.1 has ffmpeg-0.10.2 fork --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>NVD reports:</p> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8662"> | |
<p>The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in | |
FFmpeg before 2.8.4 does not validate the number of | |
decomposition levels before proceeding with Discrete Wavelet | |
Transform decoding, which allows remote attackers to cause a | |
denial of service (out-of-bounds array access) or possibly | |
have unspecified other impact via crafted JPEG 2000 | |
data.</p> | |
</blockquote> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8663"> | |
<p>The ff_get_buffer function in libavcodec/utils.c in | |
FFmpeg before 2.8.4 preserves width and height values after | |
a failure, which allows remote attackers to cause a denial | |
of service (out-of-bounds array access) or possibly have | |
unspecified other impact via a crafted .mov file.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8662</cvename> | |
<cvename>CVE-2015-8663</cvename> | |
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=75422280fbcdfbe9dc56bde5525b4d8b280f1bc5</url> | |
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=abee0a1c60612e8638640a8a3738fffb65e16dbf</url> | |
<url>https://ffmpeg.org/security.html</url> | |
</references> | |
<dates> | |
<discovery>2015-12-20</discovery> | |
<entry>2015-12-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="10f7bc76-0335-4a88-b391-0b05b3a8ce1c"> | |
<topic>NSS -- MD5 downgrade in TLS 1.2 signatures</topic> | |
<affects> | |
<package> | |
<name>nss</name> | |
<name>linux-c6-nss</name> | |
<range><ge>3.20</ge><lt>3.20.2</lt></range> | |
<range><lt>3.19.2.2</lt></range> | |
</package> | |
<package> | |
<name>linux-firefox</name> | |
<range><lt>43.0.2,1</lt></range> | |
</package> | |
<package> | |
<name>linux-thunderbird</name> | |
<range><lt>38.5.1</lt></range> | |
</package> | |
<package> | |
<name>linux-seamonkey</name> | |
<range><lt>2.40</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Mozilla Project reports:</p> | |
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/"> | |
<p>Security researcher Karthikeyan Bhargavan reported an | |
issue in Network Security Services (NSS) where MD5 | |
signatures in the server signature within the TLS 1.2 | |
ServerKeyExchange message are still accepted. This is an | |
issue since NSS has officially disallowed accepting MD5 | |
as a hash algorithm in signatures since 2011. This issue | |
exposes NSS based clients such as Firefox to theoretical | |
collision-based forgery attacks.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7575</cvename> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-150/</url> | |
<url>https://hg.mozilla.org/projects/nss/rev/94e1157f3fbb</url> | |
</references> | |
<dates> | |
<discovery>2015-12-22</discovery> | |
<entry>2015-12-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="88f75070-abcf-11e5-83d3-6805ca0b3d42"> | |
<topic>phpMyAdmin -- path disclosure vulnerability</topic> | |
<affects> | |
<package> | |
<name>phpMyAdmin</name> | |
<range><ge>4.5.0</ge><lt>4.5.3.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpMyAdmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2015-6/"> | |
<p>By calling some scripts that are part of phpMyAdmin in an | |
unexpected way, it is possible to trigger phpMyAdmin to | |
display a PHP error message which contains the full path of | |
the directory where phpMyAdmin is installed.</p> | |
<p>We consider these vulnerabilities to be non-critical.</p> | |
<p>This path disclosure is possible on servers where the | |
recommended setting of the PHP configuration directive | |
display_errors is set to on, which is against the | |
recommendations given in the PHP manual for a production | |
server.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2015-6/</url> | |
<cvename>CVE-2015-8669</cvename> | |
</references> | |
<dates> | |
<discovery>2015-12-25</discovery> | |
<entry>2015-12-26</entry> | |
</dates> | |
</vuln> | |
<vuln vid="876768aa-ab1e-11e5-8a30-5453ed2e2b49"> | |
<topic>dpkg -- stack-based buffer overflow</topic> | |
<affects> | |
<package> | |
<name>dpkg</name> | |
<range><lt>1.16.17</lt></range> | |
<range><lt>1.17.26</lt></range> | |
<range><lt>1.18.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Salvatore Bonaccorso reports:</p> | |
<blockquote cite="https://lists.debian.org/debian-security-announce/2015/msg00312.html"> | |
<p>Hanno Boeck discovered a stack-based buffer overflow in the | |
dpkg-deb component of dpkg, the Debian package management system. | |
This flaw could potentially lead to arbitrary code execution if a | |
user or an automated system were tricked into processing a specially | |
crafted Debian binary package (.deb) in the old style Debian binary | |
package format.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-0860</cvename> | |
<url>http://openwall.com/lists/oss-security/2015/11/26/3</url> | |
<url>https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?id=f1aac7d933819569bf6f347c3c0d5a64a90bbce0</url> | |
</references> | |
<dates> | |
<discovery>2015-11-26</discovery> | |
<entry>2015-12-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="e1b5318c-aa4d-11e5-8f5c-002590263bf5"> | |
<topic>mantis -- information disclosure vulnerability</topic> | |
<affects> | |
<package> | |
<name>mantis</name> | |
<range><lt>1.2.19_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mantis reports:</p> | |
<blockquote cite="https://mantisbt.org/bugs/view.php?id=19873"> | |
<p>CVE-2015-5059: documentation in private projects can be seen by | |
every user</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-5059</cvename> | |
<freebsdpr>ports/201106</freebsdpr> | |
<url>https://mantisbt.org/bugs/view.php?id=19873</url> | |
<url>http://openwall.com/lists/oss-security/2015/06/25/3</url> | |
</references> | |
<dates> | |
<discovery>2015-06-23</discovery> | |
<entry>2015-12-24</entry> | |
</dates> | |
</vuln> | |
<vuln vid="f36bbd66-aa44-11e5-8f5c-002590263bf5"> | |
<topic>mediawiki -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>mediawiki123</name> | |
<range><lt>1.23.12</lt></range> | |
</package> | |
<package> | |
<name>mediawiki124</name> | |
<range><lt>1.24.5</lt></range> | |
</package> | |
<package> | |
<name>mediawiki125</name> | |
<range><lt>1.25.4</lt></range> | |
</package> | |
<package> | |
<name>mediawiki126</name> | |
<range><lt>1.26.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>MediaWiki reports:</p> | |
<blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html"> | |
<p>(T117899) SECURITY: $wgArticlePath can no longer be set to relative | |
paths that do not begin with a slash. This enabled trivial XSS | |
attacks. Configuration values such as "http://my.wiki.com/wiki/$1" | |
are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is | |
not and will now throw an error.</p> | |
<p>(T119309) SECURITY: Use hash_compare() for edit token comparison. | |
</p> | |
<p>(T118032) SECURITY: Don't allow cURL to interpret POST parameters | |
starting with '@' as file uploads.</p> | |
<p>(T115522) SECURITY: Passwords generated by User::randomPassword() | |
can no longer be shorter than $wgMinimalPasswordLength.</p> | |
<p>(T97897) SECURITY: Improve IP parsing and trimming. Previous | |
behavior could result in improper blocks being issued.</p> | |
<p>(T109724) SECURITY: Special:MyPage, Special:MyTalk, | |
Special:MyContributions and related pages no longer use HTTP | |
redirects and are now redirected by MediaWiki.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8622</cvename> | |
<cvename>CVE-2015-8623</cvename> | |
<cvename>CVE-2015-8624</cvename> | |
<cvename>CVE-2015-8625</cvename> | |
<cvename>CVE-2015-8626</cvename> | |
<cvename>CVE-2015-8627</cvename> | |
<cvename>CVE-2015-8628</cvename> | |
<url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html</url> | |
<url>https://phabricator.wikimedia.org/T117899</url> | |
<url>https://phabricator.wikimedia.org/T119309</url> | |
<url>https://phabricator.wikimedia.org/T118032</url> | |
<url>https://phabricator.wikimedia.org/T115522</url> | |
<url>https://phabricator.wikimedia.org/T97897</url> | |
<url>https://phabricator.wikimedia.org/T109724</url> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/23/7</url> | |
</references> | |
<dates> | |
<discovery>2015-12-18</discovery> | |
<entry>2015-12-24</entry> | |
</dates> | |
</vuln> | |
<vuln vid="3b50881d-1860-4721-aab1-503290e23f6c"> | |
<topic>Ruby -- unsafe tainted string vulnerability</topic> | |
<affects> | |
<package> | |
<name>ruby</name> | |
<range><ge>2.0.0,1</ge><lt>2.0.0.648,1</lt></range> | |
<range><ge>2.1.0,1</ge><lt>2.1.8,1</lt></range> | |
<range><ge>2.2.0,1</ge><lt>2.2.4,1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Ruby developers report:</p> | |
<blockquote cite="https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/"> | |
<p>There is an unsafe tainted string vulnerability in Fiddle and DL. | |
This issue was originally reported and fixed with CVE-2009-5147 in | |
DL, but reappeared after DL was reimplemented using Fiddle and | |
libffi.</p> | |
<p>And, about DL, CVE-2009-5147 was fixed at Ruby 1.9.1, but not | |
fixed at other branches, then rubies which bundled DL except Ruby | |
1.9.1 are still vulnerable.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/</url> | |
<cvename>CVE-2015-7551</cvename> | |
</references> | |
<dates> | |
<discovery>2015-12-16</discovery> | |
<entry>2015-12-23</entry> | |
</dates> | |
</vuln> | |
<vuln vid="54075861-a95a-11e5-8b40-20cf30e32f6d"> | |
<topic>Bugzilla security issues</topic> | |
<affects> | |
<package> | |
<name>bugzilla44</name> | |
<range><lt>4.4.11</lt></range> | |
</package> | |
<package> | |
<name>bugzilla50</name> | |
<range><lt>5.0.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Bugzilla Security Advisory</p> | |
<blockquote cite="https://www.bugzilla.org/security/4.2.15/"> | |
<p>During the generation of a dependency graph, the code for | |
the HTML image map is generated locally if a local dot | |
installation is used. With escaped HTML characters in a bug | |
summary, it is possible to inject unfiltered HTML code in | |
the map file which the CreateImagemap function generates. | |
This could be used for a cross-site scripting attack.</p> | |
<p>If an external HTML page contains a &lt;script&gt; element with | |
its src attribute pointing to a buglist in CSV format, some | |
web browsers incorrectly try to parse the CSV file as valid | |
JavaScript code. As the buglist is generated based on the | |
privileges of the user logged into Bugzilla, the external | |
page could collect confidential data contained in the CSV | |
file.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8508</cvename> | |
<cvename>CVE-2015-8509</cvename> | |
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=1221518</url> | |
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=1232785</url> | |
</references> | |
<dates> | |
<discovery>2015-12-22</discovery> | |
<entry>2015-12-23</entry> | |
</dates> | |
</vuln> | |
<vuln vid="d6c51737-a84b-11e5-8f5c-002590263bf5"> | |
<topic>librsvg2 -- denial of service vulnerability</topic> | |
<affects> | |
<package> | |
<name>librsvg2</name> | |
<range><lt>2.40.12</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Adam Maris, Red Hat Product Security, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/21/5"> | |
<p>CVE-2015-7558: Stack exhaustion due to cyclic dependency causing to | |
crash an application was found in librsvg2 while parsing SVG file. | |
It has been fixed in 2.40.12 by many commits that have rewritten the | |
checks for cyclic references.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7558</cvename> | |
<freebsdpr>ports/205502</freebsdpr> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/21/5</url> | |
<url>https://bugzilla.redhat.com/1268243</url> | |
</references> | |
<dates> | |
<discovery>2015-10-02</discovery> | |
<entry>2015-12-22</entry> | |
</dates> | |
</vuln> | |
<vuln vid="da634091-a84a-11e5-8f5c-002590263bf5"> | |
<topic>librsvg2 -- denial of service vulnerability</topic> | |
<affects> | |
<package> | |
<name>librsvg2</name> | |
<range><lt>2.40.7</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Adam Maris, Red Hat Product Security, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/21/5"> | |
<p>CVE-2015-7557: Out-of-bounds heap read in librsvg2 was found when | |
parsing SVG file.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7557</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/21/5</url> | |
<url>https://git.gnome.org/browse/librsvg/commit/rsvg-shapes.c?id=40af93e6eb1c94b90c3b9a0b87e0840e126bb8df</url> | |
</references> | |
<dates> | |
<discovery>2015-02-06</discovery> | |
<entry>2015-12-22</entry> | |
</dates> | |
</vuln> | |
<vuln vid="9e7306b9-a5c3-11e5-b864-14dae9d210b8"> | |
<topic>quassel -- remote denial of service</topic> | |
<affects> | |
<package> | |
<name>quassel</name> | |
<range><lt>0.12.2_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Pierre Schweitzer reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/12/1"> | |
<p>Any client sending the command "/op *" in a query will | |
cause the Quassel core to crash.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/12/1</url> | |
<cvename>CVE-2015-8547</cvename> | |
</references> | |
<dates> | |
<discovery>2015-11-22</discovery> | |
<entry>2015-12-18</entry> | |
</dates> | |
</vuln> | |
<vuln vid="f714b4c9-a6c1-11e5-88d7-047d7b492d07"> | |
<topic>libvirt -- ACL bypass using ../ to access beyond storage pool</topic> | |
<affects> | |
<package> | |
<name>libvirt</name> | |
<range><ge>1.1.0</ge><lt>1.2.19_2</lt></range> | |
<range><ge>1.2.20</ge><lt>1.3.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Libvirt development team reports:</p> | |
<blockquote cite="http://security.libvirt.org/2015/0004.html"> | |
<p>Various virStorageVol* API operate on user-supplied volume names by | |
concatenating the volume name to the pool location. Note that the | |
virStoragePoolListVolumes API, when used on a storage pool backed by | |
a directory in a file system, will only list volumes immediately in | |
that directory (there is no traversal into subdirectories). However, | |
other APIs such as virStorageVolCreateXML were not checking if a | |
potential volume name represented one of the volumes that could be | |
returned by virStoragePoolListVolumes; because they were not rejecting | |
the use of '/' in a volume name.</p> | |
<p>Because no checking was done on volume names, a user could supply | |
a potential volume name of something like '../../../etc/passwd' to | |
attempt to access a file not belonging to the storage pool. When | |
fine-grained Access Control Lists (ACL) are in effect, a user with | |
storage_vol:create ACL permission but lacking domain:write permission | |
could thus abuse virStorageVolCreateXML and similar APIs to gain | |
access to files not normally permitted to that user. Fortunately, it | |
appears that the only APIs that could leak information or corrupt | |
files require read-write connection to libvirtd; and when ACLs are not | |
in use (the default without any further configuration), a user with | |
read-write access can already be considered to have full access to the | |
machine, and without an escalation of privilege there is no security | |
problem.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-5313</cvename> | |
<url>http://security.libvirt.org/2015/0004.html</url> | |
</references> | |
<dates> | |
<discovery>2015-10-30</discovery> | |
<entry>2015-12-20</entry> | |
</dates> | |
</vuln> | |
<vuln vid="ef434839-a6a4-11e5-8275-000c292e4fd8"> | |
<topic>samba -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>samba36</name> | |
<range><ge>3.6.0</ge><lt>3.6.25_2</lt></range> | |
</package> | |
<package> | |
<name>samba4</name> | |
<range><ge>4.0.0</ge><le>4.0.26</le></range> | |
</package> | |
<package> | |
<name>samba41</name> | |
<range><ge>4.1.0</ge><lt>4.1.22</lt></range> | |
</package> | |
<package> | |
<name>samba42</name> | |
<range><ge>4.2.0</ge><lt>4.2.7</lt></range> | |
</package> | |
<package> | |
<name>samba43</name> | |
<range><ge>4.3.0</ge><lt>4.3.3</lt></range> | |
</package> | |
<package> | |
<name>ldb</name> | |
<range><ge>1.0.0</ge><lt>1.1.24</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Samba team reports:</p> | |
<blockquote cite="https://www.samba.org/samba/latest_news.html#4.3.3"> | |
<p>[CVE-2015-3223] Malicious request can cause Samba LDAP server to hang, spinning using CPU.</p> | |
<p>[CVE-2015-5330] Malicious request can cause Samba LDAP server | |
to return uninitialized memory that should not be part of the reply.</p> | |
<p>[CVE-2015-5296] Requesting encryption should also request | |
signing when setting up the connection to protect against man-in-the-middle attacks.</p> | |
<p>[CVE-2015-5299] A missing access control check in the VFS | |
shadow_copy2 module could allow unauthorized users to access snapshots.</p> | |
<p>[CVE-2015-7540] Malicious request can cause Samba LDAP server to return crash.</p> | |
<p>[CVE-2015-8467] Samba can expose Windows DCs to MS15-096 | |
Denial of service via the creation of multiple machine accounts (the Microsoft issue is CVE-2015-2535).</p> | |
<p>[CVE-2015-5252] Insufficient symlink verification could allow data access outside share path.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-3223</cvename> | |
<url>https://www.samba.org/samba/security/CVE-2015-3223.html</url> | |
<cvename>CVE-2015-5252</cvename> | |
<url>https://www.samba.org/samba/security/CVE-2015-5252.html</url> | |
<cvename>CVE-2015-5296</cvename> | |
<url>https://www.samba.org/samba/security/CVE-2015-5296.html</url> | |
<cvename>CVE-2015-5299</cvename> | |
<url>https://www.samba.org/samba/security/CVE-2015-5299.html</url> | |
<cvename>CVE-2015-5330</cvename> | |
<url>https://www.samba.org/samba/security/CVE-2015-5330.html</url> | |
<cvename>CVE-2015-7540</cvename> | |
<url>https://www.samba.org/samba/security/CVE-2015-7540.html</url> | |
<cvename>CVE-2015-8467</cvename> | |
<url>https://www.samba.org/samba/security/CVE-2015-8467.html</url> | |
</references> | |
<dates> | |
<discovery>2015-12-16</discovery> | |
<entry>2015-12-19</entry> | |
<modified>2016-02-05</modified> | |
</dates> | |
</vuln> | |
<vuln vid="bb7d4791-a5bf-11e5-a0e5-00262d5ed8ee"> | |
<topic>chromium -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>chromium</name> | |
<name>chromium-npapi</name> | |
<name>chromium-pulse</name> | |
<range><lt>47.0.2526.106</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Google Chrome Releases reports:</p> | |
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/12/stable-channel-update_15.html"> | |
<p>2 security fixes in this release, including:</p> | |
<ul> | |
<li>[569486] CVE-2015-6792: Fixes from internal audits and | |
fuzzing.</li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-6792</cvename> | |
<url>http://googlechromereleases.blogspot.nl/2015/12/stable-channel-update_15.html</url> | |
</references> | |
<dates> | |
<discovery>2015-12-16</discovery> | |
<entry>2015-12-18</entry> | |
</dates> | |
</vuln> | |
<vuln vid="7329938b-a4e6-11e5-b864-14dae9d210b8"> | |
<topic>cups-filters -- code execution</topic> | |
<affects> | |
<package> | |
<name>cups-filters</name> | |
<range><lt>1.4.0</lt></range> | |
</package> | |
<package> | |
<name>foomatic-filters</name> | |
<range><lt>4.0.17_4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Till Kamppeter reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/14/13"> | |
<p>Cups Filters/Foomatic Filters does not consider semicolon | |
as an illegal escape character.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/14/13</url> | |
<cvename>CVE-2015-8560</cvename> | |
</references> | |
<dates> | |
<discovery>2015-12-12</discovery> | |
<entry>2015-12-17</entry> | |
</dates> | |
</vuln> | |
<vuln vid="6dbae1a8-a4e6-11e5-b864-14dae9d210b8"> | |
<topic>cups-filters -- code execution</topic> | |
<affects> | |
<package> | |
<name>cups-filters</name> | |
<range><lt>1.2.0</lt></range> | |
</package> | |
<package> | |
<name>foomatic-filters</name> | |
<range><lt>4.0.17_4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Salvatore Bonaccorso reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/13/2"> | |
<p>Cups Filters/Foomatic Filters does not consider backtick | |
as an illegal escape character.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/13/2</url> | |
<cvename>CVE-2015-8327</cvename> | |
</references> | |
<dates> | |
<discovery>2015-10-30</discovery> | |
<entry>2015-12-17</entry> | |
</dates> | |
</vuln> | |
<vuln vid="1fbd6db1-a4e4-11e5-b864-14dae9d210b8"> | |
<topic>py-amf -- input sanitization errors</topic> | |
<affects> | |
<package> | |
<name>py27-amf</name> | |
<name>py32-amf</name> | |
<name>py33-amf</name> | |
<name>py34-amf</name> | |
<range><lt>0.8.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>oCERT reports:</p> | |
<blockquote cite="http://www.ocert.org/advisories/ocert-2015-011.html"> | |
<p>A specially crafted AMF payload, containing malicious | |
references to XML external entities, can be used to trigger Denial of | |
Service (DoS) conditions or arbitrarily return the contents of files | |
that are accessible with the running application privileges.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.ocert.org/advisories/ocert-2015-011.html</url> | |
<cvename>CVE-2015-8549</cvename> | |
</references> | |
<dates> | |
<discovery>2015-12-01</discovery> | |
<entry>2015-12-17</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a9f60ce8-a4e0-11e5-b864-14dae9d210b8"> | |
<topic>joomla -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>joomla3</name> | |
<range><lt>3.4.6</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Joomla! reports:</p> | |
<blockquote cite="https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html"> | |
<p>Joomla! 3.4.6 is now available. This is a security release | |
for the 3.x series of Joomla which addresses a critical security | |
vulnerability and 4 low level security vulnerabilities. We strongly | |
recommend that you update your sites immediately.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html</url> | |
<cvename>CVE-2015-8562</cvename> | |
<cvename>CVE-2015-8563</cvename> | |
<cvename>CVE-2015-8564</cvename> | |
<cvename>CVE-2015-8565</cvename> | |
</references> | |
<dates> | |
<discovery>2015-12-14</discovery> | |
<entry>2015-12-17</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a8ec4db7-a398-11e5-85e9-14dae9d210b8"> | |
<topic>bind -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>bind99</name> | |
<range><lt>9.9.8P2</lt></range> | |
</package> | |
<package> | |
<name>bind910</name> | |
<range><lt>9.10.3P2</lt></range> | |
</package> | |
<package> | |
<name>bind9-devel</name> | |
<range><lt>9.11.0.a20151215</lt></range> | |
</package> | |
<package> | |
<name>FreeBSD</name> | |
<range><ge>9.3</ge><lt>9.3_32</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ISC reports:</p> | |
<blockquote cite="https://kb.isc.org/article/AA-01328/0/BIND-9.10.3-P2-Release-Notes.html"> | |
<p>Named is potentially vulnerable to the OpenSSL vulnerability described in CVE-2015-3193.</p> | |
<p>Incorrect reference counting could result in an INSIST | |
failure if a socket error occurred while performing a lookup. This flaw | |
is disclosed in CVE-2015-8461. [RT#40945]</p> | |
<p>Insufficient testing when parsing a message allowed records | |
with an incorrect class to be accepted, triggering a REQUIRE failure | |
when those records were subsequently cached. This flaw is disclosed in | |
CVE-2015-8000. [RT #40987]</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://kb.isc.org/article/AA-01328/0/BIND-9.10.3-P2-Release-Notes.html</url> | |
<url>https://kb.isc.org/article/AA-01317/0/CVE-2015-8000%3A-Responses-with-a-malformed-class-attribute-can-trigger-an-assertion-failure-in-db.c.html</url> | |
<url>https://kb.isc.org/article/AA-01319/0/CVE-2015-8461%3A-A-race-condition-when-handling-socket-errors-can-lead-to-an-assertion-failure-in-resolver.c.html</url> | |
<cvename>CVE-2015-3193</cvename> | |
<cvename>CVE-2015-8000</cvename> | |
<cvename>CVE-2015-8461</cvename> | |
<freebsdsa>SA-15:27.bind</freebsdsa> | |
</references> | |
<dates> | |
<discovery>2015-11-24</discovery> | |
<entry>2015-12-16</entry> | |
<modified>2016-08-09</modified> | |
</dates> | |
</vuln> | |
<vuln vid="2c2d1c39-1396-459a-91f5-ca03ee7c64c6"> | |
<topic>mozilla -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>firefox</name> | |
<range><lt>43.0,1</lt></range> | |
</package> | |
<package> | |
<name>linux-firefox</name> | |
<range><lt>43.0,1</lt></range> | |
</package> | |
<package> | |
<name>seamonkey</name> | |
<range><lt>2.40</lt></range> | |
</package> | |
<package> | |
<name>linux-seamonkey</name> | |
<range><lt>2.40</lt></range> | |
</package> | |
<package> | |
<name>firefox-esr</name> | |
<range><lt>38.5.0,1</lt></range> | |
</package> | |
<package> | |
<name>libxul</name> | |
<range><lt>38.5.0</lt></range> | |
</package> | |
<package> | |
<name>thunderbird</name> | |
<range><lt>38.5.0</lt></range> | |
</package> | |
<package> | |
<name>linux-thunderbird</name> | |
<range><lt>38.5.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Mozilla Project reports:</p> | |
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/"> | |
<p>MFSA 2015-134 Miscellaneous memory safety hazards | |
(rv:43.0 / rv:38.5)</p> | |
<p>MFSA 2015-135 Crash with JavaScript variable assignment | |
with unboxed objects</p> | |
<p>MFSA 2015-136 Same-origin policy violation using | |
performance.getEntries and history navigation</p> | |
<p>MFSA 2015-137 Firefox allows for control characters to be | |
set in cookies</p> | |
<p>MFSA 2015-138 Use-after-free in WebRTC when datachannel | |
is used after being destroyed</p> | |
<p>MFSA 2015-139 Integer overflow allocating extremely large | |
textures</p> | |
<p>MFSA 2015-140 Cross-origin information leak through web | |
workers error events</p> | |
<p>MFSA 2015-141 Hash in data URI is incorrectly parsed</p> | |
<p>MFSA 2015-142 DOS due to malformed frames in HTTP/2</p> | |
<p>MFSA 2015-143 Linux file chooser crashes on malformed | |
images due to flaws in Jasper library</p> | |
<p>MFSA 2015-144 Buffer overflows found through code | |
inspection</p> | |
<p>MFSA 2015-145 Underflow through code inspection</p> | |
<p>MFSA 2015-146 Integer overflow in MP4 playback in 64-bit | |
versions</p> | |
<p>MFSA 2015-147 Integer underflow and buffer overflow | |
processing MP4 metadata in libstagefright</p> | |
<p>MFSA 2015-148 Privilege escalation vulnerabilities in | |
WebExtension APIs</p> | |
<p>MFSA 2015-149 Cross-site reading attack through data and | |
view-source URIs</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7201</cvename> | |
<cvename>CVE-2015-7202</cvename> | |
<cvename>CVE-2015-7203</cvename> | |
<cvename>CVE-2015-7204</cvename> | |
<cvename>CVE-2015-7205</cvename> | |
<cvename>CVE-2015-7207</cvename> | |
<cvename>CVE-2015-7208</cvename> | |
<cvename>CVE-2015-7210</cvename> | |
<cvename>CVE-2015-7211</cvename> | |
<cvename>CVE-2015-7212</cvename> | |
<cvename>CVE-2015-7213</cvename> | |
<cvename>CVE-2015-7214</cvename> | |
<cvename>CVE-2015-7215</cvename> | |
<cvename>CVE-2015-7216</cvename> | |
<cvename>CVE-2015-7217</cvename> | |
<cvename>CVE-2015-7218</cvename> | |
<cvename>CVE-2015-7219</cvename> | |
<cvename>CVE-2015-7220</cvename> | |
<cvename>CVE-2015-7221</cvename> | |
<cvename>CVE-2015-7222</cvename> | |
<cvename>CVE-2015-7223</cvename> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-134/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-135/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-136/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-137/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-138/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-139/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-140/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-141/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-142/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-143/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-144/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-145/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-146/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-147/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-148/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-149/</url> | |
</references> | |
<dates> | |
<discovery>2015-12-15</discovery> | |
<entry>2015-12-15</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a5934ba8-a376-11e5-85e9-14dae9d210b8"> | |
<topic>java -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>openjdk8</name> | |
<name>openjdk8-jre</name> | |
<range><lt>8.66.17</lt></range> | |
</package> | |
<package> | |
<name>openjdk7</name> | |
<name>openjdk7-jre</name> | |
<range><lt>7.91.02,1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Oracle reports:</p> | |
<blockquote cite="http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA"> | |
<p>This Critical Patch Update contains 25 new security fixes | |
for Oracle Java SE. 24 of these vulnerabilities may be remotely | |
exploitable without authentication, i.e., may be exploited over a | |
network without the need for a username and password.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA</url> | |
<cvename>CVE-2015-4835</cvename> | |
<cvename>CVE-2015-4881</cvename> | |
<cvename>CVE-2015-4843</cvename> | |
<cvename>CVE-2015-4883</cvename> | |
<cvename>CVE-2015-4860</cvename> | |
<cvename>CVE-2015-4805</cvename> | |
<cvename>CVE-2015-4844</cvename> | |
<cvename>CVE-2015-4901</cvename> | |
<cvename>CVE-2015-4868</cvename> | |
<cvename>CVE-2015-4810</cvename> | |
<cvename>CVE-2015-4806</cvename> | |
<cvename>CVE-2015-4871</cvename> | |
<cvename>CVE-2015-4902</cvename> | |
<cvename>CVE-2015-4840</cvename> | |
<cvename>CVE-2015-4882</cvename> | |
<cvename>CVE-2015-4842</cvename> | |
<cvename>CVE-2015-4734</cvename> | |
<cvename>CVE-2015-4903</cvename> | |
<cvename>CVE-2015-4803</cvename> | |
<cvename>CVE-2015-4893</cvename> | |
<cvename>CVE-2015-4911</cvename> | |
<cvename>CVE-2015-4872</cvename> | |
<cvename>CVE-2015-4906</cvename> | |
<cvename>CVE-2015-4916</cvename> | |
<cvename>CVE-2015-4908</cvename> | |
</references> | |
<dates> | |
<discovery>2015-10-20</discovery> | |
<entry>2015-12-15</entry> | |
<modified>2016-01-08</modified> | |
</dates> | |
</vuln> | |
<vuln vid="daadef86-a366-11e5-8b40-20cf30e32f6d"> | |
<topic>subversion -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>subversion17</name> | |
<range><ge>1.7.0</ge><lt>1.7.22_1</lt></range> | |
</package> | |
<package> | |
<name>subversion18</name> | |
<range><ge>1.8.0</ge><lt>1.8.15</lt></range> | |
</package> | |
<package> | |
<name>subversion</name> | |
<range><ge>1.9.0</ge><lt>1.9.3</lt></range> | |
</package> | |
<package> | |
<name>mod_dav_svn</name> | |
<range><ge>1.7.0</ge><lt>1.7.22_1</lt></range> | |
<range><ge>1.8.0</ge><lt>1.8.15</lt></range> | |
<range><ge>1.9.0</ge><lt>1.9.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Subversion Project reports:</p> | |
<blockquote cite="http://subversion.apache.org/security/"> | |
<p>Remotely triggerable heap overflow and out-of-bounds read caused | |
by integer overflow in the svn:// protocol parser.</p> | |
<p>Remotely triggerable heap overflow and out-of-bounds read in | |
mod_dav_svn caused by integer overflow when parsing skel-encoded | |
request bodies.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-5343</cvename> | |
<url>http://subversion.apache.org/security/CVE-2015-5343-advisory.txt</url> | |
<cvename>CVE-2015-5259</cvename> | |
<url>http://subversion.apache.org/security/CVE-2015-5259-advisory.txt</url> | |
</references> | |
<dates> | |
<discovery>2015-11-14</discovery> | |
<entry>2015-12-15</entry> | |
</dates> | |
</vuln> | |
<vuln vid="72c145df-a1e0-11e5-8ad0-00262d5ed8ee"> | |
<topic>chromium -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>chromium</name> | |
<!--pcbsd--> | |
<name>chromium-npapi</name> | |
<name>chromium-pulse</name> | |
<range><lt>47.0.2526.80</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Google Chrome Releases reports:</p> | |
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/12/stable-channel-update_8.html"> | |
<p>7 security fixes in this release, including:</p> | |
<ul> | |
<li>[548273] High CVE-2015-6788: Type confusion in extensions. | |
Credit to anonymous.</li> | |
<li>[557981] High CVE-2015-6789: Use-after-free in Blink. Credit to | |
cloudfuzzer.</li> | |
<li>[542054] Medium CVE-2015-6790: Escaping issue in saved pages. | |
Credit to Inti De Ceukelaire.</li> | |
<li>[567513] CVE-2015-6791: Various fixes from internal audits, | |
fuzzing and other initiatives.</li> | |
<li>Multiple vulnerabilities in V8 fixed at the tip of the 4.7 | |
branch (currently 4.7.80.23).</li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-6788</cvename> | |
<cvename>CVE-2015-6789</cvename> | |
<cvename>CVE-2015-6790</cvename> | |
<cvename>CVE-2015-6791</cvename> | |
<url>http://googlechromereleases.blogspot.nl/2015/12/stable-channel-update_8.html</url> | |
</references> | |
<dates> | |
<discovery>2015-12-08</discovery> | |
<entry>2015-12-13</entry> | |
</dates> | |
</vuln> | |
<vuln vid="33459061-a1d6-11e5-8794-bcaec565249c"> | |
<topic>freeimage -- multiple integer overflows</topic> | |
<affects> | |
<package> | |
<name>freeimage</name> | |
<range><lt>3.16.0_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Pcheng pcheng reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/08/28/1"> | |
<p>An integer overflow issue in the FreeImage project was | |
reported and fixed recently.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-0852</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2015/08/28/1</url> | |
</references> | |
<dates> | |
<discovery>2015-08-28</discovery> | |
<entry>2015-12-13</entry> | |
</dates> | |
</vuln> | |
<vuln vid="21bc4d71-9ed8-11e5-8f5c-002590263bf5"> | |
<topic>redmine -- information leak vulnerability</topic> | |
<affects> | |
<package> | |
<name>redmine</name> | |
<range><lt>2.6.9</lt></range> | |
<range><ge>3.0.0</ge><lt>3.0.7</lt></range> | |
<range><ge>3.1.0</ge><lt>3.1.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Redmine reports:</p> | |
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories"> | |
<p>Data disclosure in atom feed.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8537</cvename> | |
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url> | |
</references> | |
<dates> | |
<discovery>2015-12-05</discovery> | |
<entry>2015-12-10</entry> | |
<modified>2015-12-11</modified> | |
</dates> | |
</vuln> | |
<vuln vid="be63533c-9ed7-11e5-8f5c-002590263bf5"> | |
<topic>redmine -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>redmine</name> | |
<range><lt>2.6.8</lt></range> | |
<range><ge>3.0.0</ge><lt>3.0.6</lt></range> | |
<range><ge>3.1.0</ge><lt>3.1.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Redmine reports:</p> | |
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories"> | |
<p>Potential changeset message disclosure in issues API.</p> | |
<p>Data disclosure on the time logging form</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8346</cvename> | |
<cvename>CVE-2015-8473</cvename> | |
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url> | |
<url>http://www.openwall.com/lists/oss-security/2015/11/25/12</url> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/03/7</url> | |
</references> | |
<dates> | |
<discovery>2015-11-14</discovery> | |
<entry>2015-12-10</entry> | |
</dates> | |
</vuln> | |
<vuln vid="3ec2e0bc-9ed7-11e5-8f5c-002590263bf5"> | |
<topic>redmine -- open redirect vulnerability</topic> | |
<affects> | |
<package> | |
<name>redmine</name> | |
<range><ge>2.5.1</ge><lt>2.6.7</lt></range> | |
<range><ge>3.0.0</ge><lt>3.0.5</lt></range> | |
<range><eq>3.1.0</eq></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Redmine reports:</p> | |
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories"> | |
<p>Open Redirect vulnerability.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8474</cvename> | |
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/04/1</url> | |
</references> | |
<dates> | |
<discovery>2015-09-20</discovery> | |
<entry>2015-12-10</entry> | |
</dates> | |
</vuln> | |
<vuln vid="939a7086-9ed6-11e5-8f5c-002590263bf5"> | |
<topic>redmine -- potential XSS vulnerability</topic> | |
<affects> | |
<package> | |
<name>redmine</name> | |
<range><lt>2.6.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Redmine reports:</p> | |
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories"> | |
<p>Potential XSS vulnerability when rendering some flash messages.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8477</cvename> | |
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/05/6</url> | |
</references> | |
<dates> | |
<discovery>2015-02-19</discovery> | |
<entry>2015-12-10</entry> | |
</dates> | |
</vuln> | |
<vuln vid="49def4b7-9ed6-11e5-8f5c-002590263bf5"> | |
<topic>redmine -- information leak vulnerability</topic> | |
<affects> | |
<package> | |
<name>redmine</name> | |
<range><lt>2.4.6</lt></range> | |
<range><ge>2.5.0</ge><lt>2.5.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Redmine reports:</p> | |
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories"> | |
<p>Potential data leak (project names) in the invalid form | |
authenticity token error screen.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url> | |
</references> | |
<dates> | |
<discovery>2014-07-06</discovery> | |
<entry>2015-12-10</entry> | |
</dates> | |
</vuln> | |
<vuln vid="c2efcd46-9ed5-11e5-8f5c-002590263bf5"> | |
<topic>redmine -- open redirect vulnerability</topic> | |
<affects> | |
<package> | |
<name>redmine</name> | |
<range><lt>2.4.5</lt></range> | |
<range><eq>2.5.0</eq></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Redmine reports:</p> | |
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories"> | |
<p>Open Redirect vulnerability</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2014-1985</cvename> | |
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url> | |
<url>https://jvn.jp/en/jp/JVN93004610/index.html</url> | |
</references> | |
<dates> | |
<discovery>2014-03-29</discovery> | |
<entry>2015-12-10</entry> | |
</dates> | |
</vuln> | |
<vuln vid="66ba5931-9ed5-11e5-8f5c-002590263bf5"> | |
<topic>redmine -- XSS vulnerability</topic> | |
<affects> | |
<package> | |
<name>redmine</name> | |
<range><ge>2.1.0</ge><lt>2.1.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Redmine reports:</p> | |
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories"> | |
<p>XSS vulnerability</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url> | |
</references> | |
<dates> | |
<discovery>2012-09-30</discovery> | |
<entry>2015-12-10</entry> | |
</dates> | |
</vuln> | |
<vuln vid="0e0385d1-9ed5-11e5-8f5c-002590263bf5"> | |
<topic>redmine -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>redmine</name> | |
<range><lt>1.3.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Redmine reports:</p> | |
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories"> | |
<p>Mass-assignment vulnerability that would allow an attacker to | |
bypass part of the security checks.</p> | |
<p>Persistent XSS vulnerability</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2012-0327</cvename> | |
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url> | |
<url>http://jvn.jp/en/jp/JVN93406632/</url> | |
</references> | |
<dates> | |
<discovery>2012-03-11</discovery> | |
<entry>2015-12-10</entry> | |
</dates> | |
</vuln> | |
<vuln vid="ae377aeb-9ed4-11e5-8f5c-002590263bf5"> | |
<topic>redmine -- CSRF protection bypass</topic> | |
<affects> | |
<package> | |
<name>redmine</name> | |
<range><lt>1.3.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Redmine reports:</p> | |
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories"> | |
<p>Vulnerability that would allow an attacker to bypass the CSRF | |
protection.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url> | |
</references> | |
<dates> | |
<discovery>2011-12-10</discovery> | |
<entry>2015-12-10</entry> | |
</dates> | |
</vuln> | |
<vuln vid="23af0425-9eac-11e5-b937-00e0814cab4e"> | |
<topic>jenkins -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>jenkins</name> | |
<range><le>1.641</le></range> | |
</package> | |
<package> | |
<name>jenkins-lts</name> | |
<range><le>1.625.3</le></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Jenkins Security Advisory:</p> | |
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09"> | |
<h1>Description</h1> | |
<h5>SECURITY-95 / CVE-2015-7536 (Stored XSS vulnerability through workspace files and archived artifacts)</h5> | |
<p>In certain configurations, low privilege users were able to | |
create e.g. HTML files in workspaces and archived artifacts that | |
could result in XSS when accessed by other users. Jenkins now sends | |
Content-Security-Policy headers that enable sandboxing and | |
prohibit script execution by default.</p> | |
<h5>SECURITY-225 / CVE-2015-7537 (CSRF vulnerability in some administrative actions)</h5> | |
<p>Several administration/configuration related URLs could be | |
accessed using GET, which allowed attackers to circumvent CSRF | |
protection.</p> | |
<h5>SECURITY-233 / CVE-2015-7538 (CSRF protection ineffective)</h5> | |
<p>Malicious users were able to circumvent CSRF protection on any | |
URL by sending specially crafted POST requests.</p> | |
<h5>SECURITY-234 / CVE-2015-7539 (Jenkins plugin manager vulnerable to MITM attacks)</h5> | |
<p>While the Jenkins update site data is digitally signed, and the | |
signature verified by Jenkins, Jenkins did not verify the provided | |
SHA-1 checksums for the plugin files referenced in the update site | |
data. This enabled MITM attacks on the plugin manager, resulting | |
in installation of attacker-provided plugins.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09</url> | |
</references> | |
<dates> | |
<discovery>2015-12-09</discovery> | |
<entry>2015-12-09</entry> | |
</dates> | |
</vuln> | |
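<!--
Added example for the SECURITY-234 / CVE-2015-7539 item above (not Jenkins' own code): the per-artifact digest check the advisory says the plugin manager skipped, written in Python. SIGNED_METADATA is a constructed stand-in for update-site data whose signature is assumed to have already been verified; the plugin name, URL, plugin bytes, base64 digest encoding and the presence of a sha256 key are assumptions of this example, not a description of the real update-center format.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Mapping

# Constructed sample artifacts (not real plugin files).
GENUINE_PLUGIN = b"PK\x03\x04 genuine example-plugin bytes (constructed sample)"
TAMPERED_PLUGIN = b"PK\x03\x04 attacker-supplied bytes served by a MITM (constructed sample)"


def b64_digest(algo: str, data: bytes) -> str:
    """Base64 text of the named hash over data; the digest form assumed here."""
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


# Stand-in for update-site metadata whose signature has already been checked.
# Plugin name, URL and the sha256 key are assumptions of this example.
SIGNED_METADATA: Dict[str, Dict[str, str]] = {
    "example-plugin": {
        "url": "https://updates.example.test/example-plugin.hpi",
        "sha1": b64_digest("sha1", GENUINE_PLUGIN),
        "sha256": b64_digest("sha256", GENUINE_PLUGIN),
    }
}


class DigestMismatch(Exception):
    """Downloaded bytes do not match, or cannot be checked against, the signed metadata."""


def verify_artifact(entry: Mapping[str, str], blob: bytes) -> str:
    """Check blob against every digest listed for it; return the strongest verified.

    A listed digest that does not match, or no listed digest at all, is a
    failure: a signed index does not make an unverified download trustworthy.
    """
    verified: List[str] = []
    for algo in ("sha256", "sha1"):
        expected = entry.get(algo)
        if expected is None:
            continue
        actual = b64_digest(algo, blob)
        if not hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii")):
            raise DigestMismatch(f"{algo} mismatch for {entry.get('url')}")
        verified.append(algo)
    if not verified:
        raise DigestMismatch(f"no digest listed for {entry.get('url')}")
    return verified[0]


def install_plugin(name: str, downloaded: bytes,
                   metadata: Mapping[str, Mapping[str, str]],
                   installed: Dict[str, bytes]) -> bool:
    """Install step as it should be: keep the bytes only if the digest check passes."""
    try:
        verify_artifact(metadata[name], downloaded)
    except DigestMismatch:
        return False
    installed[name] = downloaded
    return True


if __name__ == "__main__":
    plugins: Dict[str, bytes] = {}
    print("genuine :", install_plugin("example-plugin", GENUINE_PLUGIN, SIGNED_METADATA, plugins))
    print("tampered:", install_plugin("example-plugin", TAMPERED_PLUGIN, SIGNED_METADATA, plugins))
```

The signature over the metadata only protects what the metadata itself lists; without this step a man-in-the-middle on the download URL can serve any plugin archive. Defeating the check would require a second preimage of the listed digest, so even SHA-1 stops substitution, but SHA-256 is checked whenever the metadata carries it, and a missing digest is treated as a failure rather than a pass.
-->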
<vuln vid="c8842a84-9ddd-11e5-8c2f-c485083ca99c"> | |
<topic>flash -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>linux-c6-flashplugin</name> | |
<name>linux-f10-flashplugin</name> | |
<name>linux-c6_64-flashplugin</name> | |
<range><lt>11.2r202.554</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Adobe reports:</p> | |
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-32.html"> | |
<p> | |
These updates resolve heap buffer overflow vulnerabilities that | |
could lead to code execution (CVE-2015-8438, CVE-2015-8446).</p> | |
<p> | |
These updates resolve memory corruption vulnerabilities that | |
could lead to code execution (CVE-2015-8444, CVE-2015-8443, | |
CVE-2015-8417, CVE-2015-8416, CVE-2015-8451, CVE-2015-8047, | |
CVE-2015-8053, CVE-2015-8045, CVE-2015-8051, CVE-2015-8060, | |
CVE-2015-8419, CVE-2015-8408).</p> | |
<p> | |
These updates resolve security bypass vulnerabilities | |
(CVE-2015-8453, CVE-2015-8440, CVE-2015-8409).</p> | |
<p> | |
These updates resolve a stack overflow vulnerability that | |
could lead to code execution (CVE-2015-8407).</p> | |
<p> | |
These updates resolve a type confusion vulnerability that | |
could lead to code execution (CVE-2015-8439).</p> | |
<p> | |
These updates resolve an integer overflow vulnerability | |
that could lead to code execution (CVE-2015-8445).</p> | |
<p> | |
These updates resolve a buffer overflow vulnerability that | |
could lead to code execution (CVE-2015-8415).</p> | |
<p> | |
These updates resolve use-after-free vulnerabilities that | |
could lead to code execution (CVE-2015-8050, CVE-2015-8049, | |
CVE-2015-8437, CVE-2015-8450, CVE-2015-8449, CVE-2015-8448, | |
CVE-2015-8436, CVE-2015-8452, CVE-2015-8048, CVE-2015-8413, | |
CVE-2015-8412, CVE-2015-8410, CVE-2015-8411, CVE-2015-8424, | |
CVE-2015-8422, CVE-2015-8420, CVE-2015-8421, CVE-2015-8423, | |
CVE-2015-8425, CVE-2015-8433, CVE-2015-8432, CVE-2015-8431, | |
CVE-2015-8426, CVE-2015-8430, CVE-2015-8427, CVE-2015-8428, | |
CVE-2015-8429, CVE-2015-8434, CVE-2015-8435, CVE-2015-8414, | |
CVE-2015-8052, CVE-2015-8059, CVE-2015-8058, CVE-2015-8055, | |
CVE-2015-8057, CVE-2015-8056, CVE-2015-8061, CVE-2015-8067, | |
CVE-2015-8066, CVE-2015-8062, CVE-2015-8068, CVE-2015-8064, | |
CVE-2015-8065, CVE-2015-8063, CVE-2015-8405, CVE-2015-8404, | |
CVE-2015-8402, CVE-2015-8403, CVE-2015-8071, CVE-2015-8401, | |
CVE-2015-8406, CVE-2015-8069, CVE-2015-8070, CVE-2015-8441, | |
CVE-2015-8442, CVE-2015-8447).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-32.html</url> | |
<cvename>CVE-2015-8045</cvename> | |
<cvename>CVE-2015-8047</cvename> | |
<cvename>CVE-2015-8048</cvename> | |
<cvename>CVE-2015-8049</cvename> | |
<cvename>CVE-2015-8050</cvename> | |
<cvename>CVE-2015-8051</cvename> | |
<cvename>CVE-2015-8052</cvename> | |
<cvename>CVE-2015-8053</cvename> | |
<cvename>CVE-2015-8054</cvename> | |
<cvename>CVE-2015-8055</cvename> | |
<cvename>CVE-2015-8056</cvename> | |
<cvename>CVE-2015-8057</cvename> | |
<cvename>CVE-2015-8058</cvename> | |
<cvename>CVE-2015-8059</cvename> | |
<cvename>CVE-2015-8060</cvename> | |
<cvename>CVE-2015-8061</cvename> | |
<cvename>CVE-2015-8062</cvename> | |
<cvename>CVE-2015-8063</cvename> | |
<cvename>CVE-2015-8064</cvename> | |
<cvename>CVE-2015-8065</cvename> | |
<cvename>CVE-2015-8066</cvename> | |
<cvename>CVE-2015-8067</cvename> | |
<cvename>CVE-2015-8068</cvename> | |
<cvename>CVE-2015-8069</cvename> | |
<cvename>CVE-2015-8070</cvename> | |
<cvename>CVE-2015-8071</cvename> | |
<cvename>CVE-2015-8401</cvename> | |
<cvename>CVE-2015-8402</cvename> | |
<cvename>CVE-2015-8403</cvename> | |
<cvename>CVE-2015-8404</cvename> | |
<cvename>CVE-2015-8405</cvename> | |
<cvename>CVE-2015-8406</cvename> | |
<cvename>CVE-2015-8407</cvename> | |
<cvename>CVE-2015-8408</cvename> | |
<cvename>CVE-2015-8409</cvename> | |
<cvename>CVE-2015-8410</cvename> | |
<cvename>CVE-2015-8411</cvename> | |
<cvename>CVE-2015-8412</cvename> | |
<cvename>CVE-2015-8413</cvename> | |
<cvename>CVE-2015-8414</cvename> | |
<cvename>CVE-2015-8415</cvename> | |
<cvename>CVE-2015-8416</cvename> | |
<cvename>CVE-2015-8417</cvename> | |
<cvename>CVE-2015-8419</cvename> | |
<cvename>CVE-2015-8420</cvename> | |
<cvename>CVE-2015-8421</cvename> | |
<cvename>CVE-2015-8422</cvename> | |
<cvename>CVE-2015-8423</cvename> | |
<cvename>CVE-2015-8424</cvename> | |
<cvename>CVE-2015-8425</cvename> | |
<cvename>CVE-2015-8426</cvename> | |
<cvename>CVE-2015-8427</cvename> | |
<cvename>CVE-2015-8428</cvename> | |
<cvename>CVE-2015-8429</cvename> | |
<cvename>CVE-2015-8430</cvename> | |
<cvename>CVE-2015-8431</cvename> | |
<cvename>CVE-2015-8432</cvename> | |
<cvename>CVE-2015-8433</cvename> | |
<cvename>CVE-2015-8434</cvename> | |
<cvename>CVE-2015-8435</cvename> | |
<cvename>CVE-2015-8436</cvename> | |
<cvename>CVE-2015-8437</cvename> | |
<cvename>CVE-2015-8438</cvename> | |
<cvename>CVE-2015-8439</cvename> | |
<cvename>CVE-2015-8440</cvename> | |
<cvename>CVE-2015-8441</cvename> | |
<cvename>CVE-2015-8442</cvename> | |
<cvename>CVE-2015-8443</cvename> | |
<cvename>CVE-2015-8444</cvename> | |
<cvename>CVE-2015-8445</cvename> | |
<cvename>CVE-2015-8446</cvename> | |
<cvename>CVE-2015-8447</cvename> | |
<cvename>CVE-2015-8448</cvename> | |
<cvename>CVE-2015-8449</cvename> | |
<cvename>CVE-2015-8450</cvename> | |
<cvename>CVE-2015-8451</cvename> | |
<cvename>CVE-2015-8452</cvename> | |
<cvename>CVE-2015-8453</cvename> | |
</references> | |
<dates> | |
<discovery>2015-12-08</discovery> | |
<entry>2015-12-08</entry> | |
</dates> | |
</vuln> | |
<vuln vid="215e740e-9c56-11e5-90e7-b499baebfeaf"> | |
<topic>libressl -- NULL pointer dereference</topic> | |
<affects> | |
<package> | |
<name>libressl</name> | |
<range><lt>2.2.5</lt></range> | |
<range><ge>2.3.0</ge><lt>2.3.1_1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The OpenBSD project reports:</p> | |
<blockquote cite="https://marc.info/?l=openbsd-announce&amp;t=144920914600002"> | |
<p>A NULL pointer dereference could be triggered by a crafted | |
certificate sent to services configured to verify client | |
certificates on TLS/SSL connections. | |
</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://marc.info/?l=openbsd-announce&amp;t=144920914600002</url> | |
<cvename>CVE-2015-3194</cvename> | |
</references> | |
<dates> | |
<discovery>2015-12-03</discovery> | |
<entry>2015-12-08</entry> | |
</dates> | |
</vuln> | |
<vuln vid="918a5d1f-9d40-11e5-8f5c-002590263bf5"> | |
<topic>KeePassX -- information disclosure</topic> | |
<affects> | |
<package> | |
<name>KeePassX</name> | |
<range><lt>0.4.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Yves-Alexis Perez reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/30/4"> | |
<p>Starting an export (using File / Export to / KeepassX XML file) and | |
cancelling it leads to KeepassX saving a cleartext XML file in | |
~/.xml without any warning.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8378</cvename> | |
<freebsdpr>ports/205105</freebsdpr> | |
<url>http://www.openwall.com/lists/oss-security/2015/11/30/4</url> | |
</references> | |
<dates> | |
<discovery>2015-07-08</discovery> | |
<entry>2015-12-08</entry> | |
</dates> | |
</vuln> | |
<vuln vid="84fdd1bb-9d37-11e5-8f5c-002590263bf5"> | |
<topic>passenger -- client controlled header overwriting</topic> | |
<affects> | |
<package> | |
<name>rubygem-passenger</name> | |
<range><ge>5.0.0</ge><lt>5.0.22</lt></range> | |
<range><lt>4.0.60</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Daniel Knoppel reports:</p> | |
<blockquote cite="https://blog.phusion.nl/2015/12/07/cve-2015-7519/"> | |
<p>It was discovered by the SUSE security team that it was possible, | |
in some cases, for clients to overwrite headers set by the server, | |
resulting in a medium level security issue. CVE-2015-7519 has been | |
assigned to this issue.</p> | |
<p>Affected use-cases:</p> | |
<p>Header overwriting may occur if all of the following conditions are met:</p> | |
<ul> | |
<li>Apache integration mode, or standalone+builtin engine without | |
a filtering proxy</li> | |
<li>Ruby or Python applications only (Passenger 5); or any | |
application (Passenger 4)</li> | |
<li>The app depends on a request header containing a dash (-)</li> | |
<li>The header is supposed to be trusted (set by the server)</li> | |
<li>The client correctly guesses the header name</li> | |
</ul> | |
<p>This vulnerability has been fixed by filtering out client headers | |
that do not consist of alphanumeric/dash characters (Nginx already | |
did this, so Passenger+Nginx was not affected). If your application | |
depends on headers that don't conform to this, you can add a | |
workaround in Apache specifically for those to convert them to a | |
dash-based format.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7519</cvename> | |
<url>https://blog.phusion.nl/2015/12/07/cve-2015-7519/</url> | |
</references> | |
<dates> | |
<discovery>2015-12-07</discovery> | |
<entry>2015-12-07</entry> | |
</dates> | |
</vuln> | |
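<!--
Added example for the CVE-2015-7519 entry above (not Passenger's or Phusion's code): a toy Python model of the header-name collision the advisory describes. CGI-style mangling turns both '-' and '_' into '_', so a client header named X_Forwarded_For lands in the same HTTP_X_FORWARDED_FOR variable as a server-set X-Forwarded-For. The header names and addresses are constructed, and the write order inside build_cgi_env is an assumption of the model; the filter regex mirrors the alphanumeric/dash rule the advisory states.

```python
import re
from typing import Dict, List, Set, Tuple

Header = Tuple[str, str]

# Mirror of the fix described in the advisory: a client header name is kept
# only if it consists of alphanumerics and dashes. Underscores and anything
# else are rejected before the header is turned into a CGI variable.
SAFE_NAME = re.compile(r"^[A-Za-z0-9-]+$")

# Constructed sample request (names and addresses are made up for this example).
SERVER_HEADERS: List[Header] = [("X-Forwarded-For", "203.0.113.7")]
CLIENT_HEADERS: List[Header] = [
    ("Host", "app.example.test"),
    ("X-Real-Origin", "cdn"),          # well-formed client header, must survive filtering
    ("X_Forwarded_For", "10.0.0.1"),   # underscore variant: same CGI name as the trusted header
]


def cgi_name(header_name: str) -> str:
    """CGI/WSGI mangling: upper-case, '-' becomes '_', prefix HTTP_.

    Both '-' and '_' end up as '_', so "X-Forwarded-For" and "X_Forwarded_For"
    collapse to the single variable HTTP_X_FORWARDED_FOR.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def find_collisions(headers: List[Header]) -> Dict[str, Set[str]]:
    """CGI variables that are fed by more than one distinct wire header name."""
    sources: Dict[str, Set[str]] = {}
    for name, _ in headers:
        sources.setdefault(cgi_name(name), set()).add(name.lower())
    return {var: names for var, names in sources.items() if len(names) > 1}


def build_cgi_env(server_headers: List[Header], client_headers: List[Header],
                  filter_client_names: bool) -> Dict[str, str]:
    """Toy proxy: hand a request to the application as CGI variables.

    Assumptions of this model (not Passenger's own code): a server-set header
    replaces any client header with the same case-insensitive name; variables
    are written server-set first, then client, and the last writer wins. Real
    servers differ in that order, which is why the order must not be relied on.
    """
    if filter_client_names:
        client_headers = [(n, v) for n, v in client_headers if SAFE_NAME.match(n)]
    trusted = {n.lower() for n, _ in server_headers}
    env: Dict[str, str] = {}
    for name, value in server_headers:
        env[cgi_name(name)] = value
    for name, value in client_headers:
        if name.lower() in trusted:
            continue  # exact-name duplicate is replaced by the server's value
        env[cgi_name(name)] = value
    return env


def client_ip_seen_by_app(env: Dict[str, str]) -> str:
    """What an application that trusts the proxy's header would read."""
    return env["HTTP_X_FORWARDED_FOR"]


if __name__ == "__main__":
    vulnerable = build_cgi_env(SERVER_HEADERS, CLIENT_HEADERS, filter_client_names=False)
    fixed = build_cgi_env(SERVER_HEADERS, CLIENT_HEADERS, filter_client_names=True)
    print("collisions:", find_collisions(SERVER_HEADERS + CLIENT_HEADERS))
    print("vulnerable:", client_ip_seen_by_app(vulnerable))
    print("fixed:     ", client_ip_seen_by_app(fixed))
```

Run it directly to see the collision report and the two values the application would read. The name filter closes the underscore alias, and find_collisions is the check to run on any proxy-to-app boundary that relies on a trusted header: if two distinct wire names map to one variable, the application cannot tell which party wrote it.
-->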
<vuln vid="e6b974ab-9d35-11e5-8f5c-002590263bf5"> | |
<topic>Salt -- information disclosure</topic> | |
<affects> | |
<package> | |
<name>py27-salt</name> | |
<range><lt>2015.8.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Salt release notes report:</p> | |
<blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2015.8.3.html"> | |
<p>CVE-2015-8034: Saving state.sls cache data to disk with insecure | |
permissions</p> | |
<p>This affects users of the state.sls function. The state run cache | |
on the minion was being created with incorrect permissions. This | |
file could potentially contain sensitive data that was inserted via | |
jinja into the state SLS files. The permissions for this file are | |
now being set correctly. Thanks to @zmalone for bringing this issue | |
to our attention.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8034</cvename> | |
<url>https://docs.saltstack.com/en/latest/topics/releases/2015.8.3.html</url> | |
</references> | |
<dates> | |
<discovery>2015-11-25</discovery> | |
<entry>2015-12-07</entry> | |
</dates> | |
</vuln> | |
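<!--
Added example for the CVE-2015-8034 entry above (not SaltStack's code): creating a cache file that may hold rendered secrets so that only its owner can read it, and auditing an existing file's mode, in Python on a POSIX system. File names and contents are constructed, and the demo writes only into a temporary directory.

```python
import os
import stat
import tempfile

# The fix the release note describes, generalised: create the cache file with
# owner-only permissions from the start and confirm the mode afterwards. The
# mode passed to open() is still reduced by the process umask, and a symlink
# may have been planted at the cache path, so both are handled explicitly.


def write_private_cache(path: str, data: bytes) -> None:
    """Create or replace a cache file that only its owner can read or write.

    O_NOFOLLOW refuses to open through a symlink at path; fchmod() after the
    open pins the mode to 0600 regardless of the umask the daemon inherited.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        os.fchmod(f.fileno(), 0o600)
        f.write(data)


def is_private(path: str) -> bool:
    """True if path is a regular file (not a symlink) with no group/other bits set."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def demo() -> tuple:
    """Write the same constructed secret two ways and report which copy is private.

    Returns (is_private(loose), is_private(private)); with the usual 022 umask
    the loosely created file ends up 0644, readable by every local user.
    """
    with tempfile.TemporaryDirectory() as tmp:
        loose = os.path.join(tmp, "state_cache_loose.p")
        private = os.path.join(tmp, "state_cache_private.p")
        secret = b"rendered SLS containing a constructed secret"
        old_umask = os.umask(0o022)
        try:
            with open(loose, "wb") as f:  # default 0666 & ~022 = 0644
                f.write(secret)
            write_private_cache(private, secret)
        finally:
            os.umask(old_umask)
        return is_private(loose), is_private(private)


if __name__ == "__main__":
    print(demo())
```

is_private is also the audit to run over an existing minion cache directory: a file that was created by a vulnerable version keeps its loose mode until something rewrites it, so upgrading alone does not retroactively protect data already on disk.
-->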
<vuln vid="6bc6eed2-9cca-11e5-8c2b-c335fa8985d7"> | |
<topic>libraw -- memory objects not properly initialized</topic> | |
<affects> | |
<package> | |
<name>libraw</name> | |
<range><lt>0.17.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ChenQin reports:</p> | |
<blockquote cite="http://seclists.org/fulldisclosure/2015/Nov/108"> | |
<p>The LibRaw raw image decoder has multiple vulnerabilities that can | |
cause memory errors which may lead to code execution or other | |
problems.</p> | |
<p>In CVE-2015-8367, LibRaw's phase_one_correct function does not | |
handle memory initialization correctly, which may cause other | |
problems.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.libraw.org/news/libraw-0-17-1</url> | |
<url>https://github.com/LibRaw/LibRaw/commit/490ef94d1796f730180039e80997efe5c58db780</url> | |
<mlist>http://seclists.org/fulldisclosure/2015/Nov/108</mlist> | |
<cvename>CVE-2015-8367</cvename> | |
</references> | |
<dates> | |
<discovery>2015-11-30</discovery> | |
<entry>2015-12-07</entry> | |
</dates> | |
</vuln> | |
  <vuln vid="db04bf07-9cc8-11e5-8c2b-c335fa8985d7">
    <topic>libraw -- index overflow in smal_decode_segment</topic>
    <affects>
      <package>
        <name>libraw</name>
        <range><lt>0.17.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>ChenQin reports:</p>
        <blockquote cite="http://seclists.org/fulldisclosure/2015/Nov/108">
          <p>The LibRaw raw image decoder has multiple vulnerabilities that can
          cause memory errors which may lead to code execution or other
          problems.</p>
          <p>In CVE-2015-8366, LibRaw's smal_decode_segment function does not
          handle indexes carefully, which can cause an index overflow.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.libraw.org/news/libraw-0-17-1</url>
      <url>https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2</url>
      <mlist>http://seclists.org/fulldisclosure/2015/Nov/108</mlist>
      <cvename>CVE-2015-8366</cvename>
    </references>
    <dates>
      <discovery>2015-11-30</discovery>
      <entry>2015-12-07</entry>
    </dates>
  </vuln>
  <vuln vid="4c8d1d72-9b38-11e5-aece-d050996490d0">
    <topic>openssl -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>openssl</name>
        <range><lt>1.0.2_5</lt></range>
      </package>
      <package>
        <name>mingw32-openssl</name>
        <range><ge>1.0.1</ge><lt>1.0.2e</lt></range>
      </package>
      <package>
        <name>linux-c6-openssl</name>
        <range><lt>1.0.1e_7</lt></range>
      </package>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.2</ge><lt>10.2_8</lt></range>
        <range><ge>10.1</ge><lt>10.1_25</lt></range>
        <range><ge>9.3</ge><lt>9.3_31</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>OpenSSL project reports:</p>
        <blockquote cite="https://www.openssl.org/news/secadv/20151203.txt">
          <ol>
            <li>BN_mod_exp may produce incorrect results on x86_64
            (CVE-2015-3193)</li>
            <li>Certificate verify crash with missing PSS parameter
            (CVE-2015-3194)</li>
            <li>X509_ATTRIBUTE memory leak (CVE-2015-3195)</li>
            <li>Race condition handling PSK identity hint
            (CVE-2015-3196)</li>
            <li>Anon DH ServerKeyExchange with 0 p parameter
            (CVE-2015-1794)</li>
          </ol>
        </blockquote>
      </body>
    </description>
    <references>
      <freebsdsa>SA-15:26.openssl</freebsdsa>
      <cvename>CVE-2015-1794</cvename>
      <cvename>CVE-2015-3193</cvename>
      <cvename>CVE-2015-3194</cvename>
      <cvename>CVE-2015-3195</cvename>
      <cvename>CVE-2015-3196</cvename>
      <url>https://www.openssl.org/news/secadv/20151203.txt</url>
    </references>
    <dates>
      <discovery>2015-12-03</discovery>
      <entry>2015-12-05</entry>
      <modified>2016-08-09</modified>
    </dates>
  </vuln>
  <vuln vid="8a90dc87-89f9-11e5-a408-00248c0c745d">
    <topic>PHPMailer -- SMTP injection vulnerability</topic>
    <affects>
      <package>
        <name>phpmailer</name>
        <range><lt>5.2.14</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>PHPMailer changelog reports:</p>
        <blockquote cite="https://github.com/PHPMailer/PHPMailer/blob/v5.2.14/changelog.md">
          <p>Fix vulnerability that allowed email addresses with
          line breaks (valid in RFC5322) to pass to SMTP, permitting
          message injection at the SMTP level. Mitigated in both
          the address validator and in the lower-level SMTP class.
          Thanks to Takeshi Terada.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://github.com/PHPMailer/PHPMailer/blob/v5.2.14/changelog.md</url>
    </references>
    <dates>
      <discovery>2015-11-05</discovery>
      <entry>2015-12-03</entry>
    </dates>
  </vuln>
  <vuln vid="b0da85af-21a3-4c15-a137-fe9e4bc86002">
    <topic>ffmpeg -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>libav</name>
        <!-- no known fixed version -->
        <range><ge>0</ge></range>
      </package>
      <package>
        <name>gstreamer-ffmpeg</name>
        <!-- gst-ffmpeg-0.10.13 has libav-0.7.2 (0.7.7 in freebsd port) -->
        <!-- no known fixed version -->
        <range><ge>0</ge></range>
      </package>
      <package>
        <name>handbrake</name>
        <!-- handbrake-0.10.2 has libav-10.1 -->
        <!-- no known fixed version -->
        <range><ge>0</ge></range>
      </package>
      <package>
        <name>ffmpeg</name>
        <range><ge>2.8,1</ge><lt>2.8.3,1</lt></range>
        <range><lt>2.7.3,1</lt></range>
      </package>
      <package>
        <name>ffmpeg26</name>
        <range><lt>2.6.5</lt></range>
      </package>
      <package>
        <name>ffmpeg25</name>
        <range><lt>2.5.9</lt></range>
      </package>
      <package>
        <name>ffmpeg24</name>
        <range><lt>2.4.12</lt></range>
      </package>
      <package>
        <name>ffmpeg-devel</name>
        <name>ffmpeg23</name>
        <name>ffmpeg2</name>
        <name>ffmpeg1</name>
        <name>ffmpeg-011</name>
        <name>ffmpeg0</name>
        <!-- no known fixed version -->
        <range><ge>0</ge></range>
      </package>
      <package>
        <name>avidemux</name>
        <name>avidemux2</name>
        <name>avidemux26</name>
        <!-- avidemux-2.6.10 has ffmpeg-2.6.1 -->
        <!-- no known fixed version -->
        <range><ge>0</ge></range>
      </package>
      <package>
        <name>kodi</name>
        <!-- kodi-15.2 has ffmpeg-2.6.4 -->
        <range><lt>16.0</lt></range>
      </package>
      <package>
        <name>mplayer</name>
        <name>mencoder</name>
        <!-- mplayer-1.1.r20150822_6 has ffmpeg-2.8.2 -->
        <range><lt>1.1.r20150822_7</lt></range>
      </package>
      <package>
        <name>mythtv</name>
        <name>mythtv-frontend</name>
        <!-- mythtv-0.27.0.20140121 has ffmpeg-1.2.2+ (snapshot, f9c8726) -->
        <!-- no known fixed version -->
        <range><ge>0</ge></range>
      </package>
      <package>
        <name>plexhometheater</name>
        <!-- plexhometheater-1.4.1 has ffmpeg-0.10.2 fork -->
        <!-- no known fixed version -->
        <range><ge>0</ge></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>NVD reports:</p>
        <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6761">
          <p>The update_dimensions function in libavcodec/vp8.c in
          FFmpeg through 2.8.1, as used in Google Chrome before
          46.0.2490.71 and other products, relies on a
          coefficient-partition count during multi-threaded operation,
          which allows remote attackers to cause a denial of service
          (race condition and memory corruption) or possibly have
          unspecified other impact via a crafted WebM file.</p>
        </blockquote>
        <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8216">
          <p>The ljpeg_decode_yuv_scan function in
          libavcodec/mjpegdec.c in FFmpeg before 2.8.2 omits certain
          width and height checks, which allows remote attackers to
          cause a denial of service (out-of-bounds array access) or
          possibly have unspecified other impact via crafted MJPEG
          data.</p>
        </blockquote>
        <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8217">
          <p>The ff_hevc_parse_sps function in libavcodec/hevc_ps.c in
          FFmpeg before 2.8.2 does not validate the Chroma Format
          Indicator, which allows remote attackers to cause a denial
          of service (out-of-bounds array access) or possibly have
          unspecified other impact via crafted High Efficiency Video
          Coding (HEVC) data.</p>
        </blockquote>
        <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8218">
          <p>The decode_uncompressed function in libavcodec/faxcompr.c
          in FFmpeg before 2.8.2 does not validate uncompressed runs,
          which allows remote attackers to cause a denial of service
          (out-of-bounds array access) or possibly have unspecified
          other impact via crafted CCITT FAX data.</p>
        </blockquote>
        <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8219">
          <p>The init_tile function in libavcodec/jpeg2000dec.c in
          FFmpeg before 2.8.2 does not enforce minimum-value and
          maximum-value constraints on tile coordinates, which allows
          remote attackers to cause a denial of service (out-of-bounds
          array access) or possibly have unspecified other impact via
          crafted JPEG 2000 data.</p>
        </blockquote>
        <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8363">
          <p>The jpeg2000_read_main_headers function in
          libavcodec/jpeg2000dec.c in FFmpeg before 2.6.5, 2.7.x
          before 2.7.3, and 2.8.x through 2.8.2 does not enforce
          uniqueness of the SIZ marker in a JPEG 2000 image, which
          allows remote attackers to cause a denial of service
          (out-of-bounds heap-memory access) or possibly have
          unspecified other impact via a crafted image with two or
          more of these markers.</p>
        </blockquote>
        <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8364">
          <p>Integer overflow in the ff_ivi_init_planes function in
          libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3,
          and 2.8.x through 2.8.2 allows remote attackers to cause a
          denial of service (out-of-bounds heap-memory access) or
          possibly have unspecified other impact via crafted image
          dimensions in Indeo Video Interactive data.</p>
        </blockquote>
        <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8365">
          <p>The smka_decode_frame function in libavcodec/smacker.c in
          FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through
          2.8.2 does not verify that the data size is consistent with
          the number of channels, which allows remote attackers to
          cause a denial of service (out-of-bounds array access) or
          possibly have unspecified other impact via crafted Smacker
          data.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-6761</cvename>
      <cvename>CVE-2015-8216</cvename>
      <cvename>CVE-2015-8217</cvename>
      <cvename>CVE-2015-8218</cvename>
      <cvename>CVE-2015-8219</cvename>
      <cvename>CVE-2015-8363</cvename>
      <cvename>CVE-2015-8364</cvename>
      <cvename>CVE-2015-8365</cvename>
      <url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=dabea74d0e82ea80cd344f630497cafcb3ef872c</url>
      <url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d24888ef19ba38b787b11d1ee091a3d94920c76a</url>
      <url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=93f30f825c08477fe8f76be00539e96014cc83c8</url>
      <url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d4a731b84a08f0f3839eaaaf82e97d8d9c67da46</url>
      <url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=43492ff3ab68a343c1264801baa1d5a02de10167</url>
      <url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=44a7f17d0b20e6f8d836b2957e3e357b639f19a2</url>
      <url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=df91aa034b82b77a3c4e01791f4a2b2ff6c82066</url>
      <url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=4a9af07a49295e014b059c1ab624c40345af5892</url>
      <url>https://ffmpeg.org/security.html</url>
    </references>
    <dates>
      <discovery>2015-11-27</discovery>
      <entry>2015-12-02</entry>
      <modified>2015-12-28</modified>
    </dates>
  </vuln>
  <vuln vid="548f74bd-993c-11e5-956b-00262d5ed8ee">
    <topic>chromium -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>chromium</name>
        <!--pcbsd-->
        <name>chromium-npapi</name>
        <name>chromium-pulse</name>
        <range><lt>47.0.2526.73</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Google Chrome Releases reports:</p>
        <blockquote cite="http://googlechromereleases.blogspot.nl/2015/12/stable-channel-update.html">
          <p>41 security fixes in this release, including:</p>
          <ul>
            <li>[558589] Critical CVE-2015-6765: Use-after-free in AppCache.
            Credit to anonymous.</li>
            <li>[551044] High CVE-2015-6766: Use-after-free in AppCache.
            Credit to anonymous.</li>
            <li>[554908] High CVE-2015-6767: Use-after-free in AppCache.
            Credit to anonymous.</li>
            <li>[556724] High CVE-2015-6768: Cross-origin bypass in DOM.
            Credit to Mariusz Mlynski.</li>
            <li>[534923] High CVE-2015-6769: Cross-origin bypass in core.
            Credit to Mariusz Mlynski.</li>
            <li>[541206] High CVE-2015-6770: Cross-origin bypass in DOM.
            Credit to Mariusz Mlynski.</li>
            <li>[544991] High CVE-2015-6771: Out of bounds access in v8.
            Credit to anonymous.</li>
            <li>[546545] High CVE-2015-6772: Cross-origin bypass in DOM.
            Credit to Mariusz Mlynski.</li>
            <li>[554946] High CVE-2015-6764: Out of bounds access in v8.
            Credit to Guang Gong of Qihoo 360 via pwn2own.</li>
            <li>[491660] High CVE-2015-6773: Out of bounds access in Skia.
            Credit to cloudfuzzer.</li>
            <li>[549251] High CVE-2015-6774: Use-after-free in Extensions.
            Credit to anonymous.</li>
            <li>[529012] High CVE-2015-6775: Type confusion in PDFium.
            Credit to Atte Kettunen of OUSPG.</li>
            <li>[457480] High CVE-2015-6776: Out of bounds access in PDFium.
            Credit to Hanno Böck.</li>
            <li>[544020] High CVE-2015-6777: Use-after-free in DOM.
            Credit to Long Liu of Qihoo 360Vulcan Team.</li>
            <li>[514891] Medium CVE-2015-6778: Out of bounds access in PDFium.
            Credit to Karl Skomski.</li>
            <li>[528505] Medium CVE-2015-6779: Scheme bypass in PDFium.
            Credit to Til Jasper Ullrich.</li>
            <li>[490492] Medium CVE-2015-6780: Use-after-free in Infobars.
            Credit to Khalil Zhani.</li>
            <li>[497302] Medium CVE-2015-6781: Integer overflow in Sfntly.
            Credit to miaubiz.</li>
            <li>[536652] Medium CVE-2015-6782: Content spoofing in Omnibox.
            Credit to Luan Herrera.</li>
            <li>[537205] Medium CVE-2015-6783: Signature validation issue in
            Android Crazy Linker. Credit to Michal Bednarski.</li>
            <li>[503217] Low CVE-2015-6784: Escaping issue in saved pages.
            Credit to Inti De Ceukelaire.</li>
            <li>[534542] Low CVE-2015-6785: Wildcard matching issue in CSP.
            Credit to Michael Ficarra / Shape Security.</li>
            <li>[534570] Low CVE-2015-6786: Scheme bypass in CSP. Credit to
            Michael Ficarra / Shape Security.</li>
            <li>[563930] CVE-2015-6787: Various fixes from internal audits,
            fuzzing and other initiatives.</li>
            <li>Multiple vulnerabilities in V8 fixed at the tip of the 4.7
            branch (currently 4.7.80.23).</li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-6765</cvename>
      <cvename>CVE-2015-6766</cvename>
      <cvename>CVE-2015-6767</cvename>
      <cvename>CVE-2015-6768</cvename>
      <cvename>CVE-2015-6769</cvename>
      <cvename>CVE-2015-6770</cvename>
      <cvename>CVE-2015-6771</cvename>
      <cvename>CVE-2015-6772</cvename>
      <cvename>CVE-2015-6773</cvename>
      <cvename>CVE-2015-6774</cvename>
      <cvename>CVE-2015-6775</cvename>
      <cvename>CVE-2015-6776</cvename>
      <cvename>CVE-2015-6777</cvename>
      <cvename>CVE-2015-6778</cvename>
      <cvename>CVE-2015-6779</cvename>
      <cvename>CVE-2015-6780</cvename>
      <cvename>CVE-2015-6781</cvename>
      <cvename>CVE-2015-6782</cvename>
      <cvename>CVE-2015-6783</cvename>
      <cvename>CVE-2015-6784</cvename>
      <cvename>CVE-2015-6785</cvename>
      <cvename>CVE-2015-6786</cvename>
      <cvename>CVE-2015-6787</cvename>
      <url>http://googlechromereleases.blogspot.nl/2015/12/stable-channel-update.html</url>
    </references>
    <dates>
      <discovery>2015-12-01</discovery>
      <entry>2015-12-02</entry>
    </dates>
  </vuln>
  <vuln vid="11351c82-9909-11e5-a9c8-14dae9d5a9d2">
    <topic>piwik -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>piwik</name>
        <range><lt>2.15.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Piwik changelog reports:</p>
        <blockquote cite="http://piwik.org/changelog/piwik-2-15-0/">
          <p>This release is rated critical.
          We are grateful to the security researchers who disclosed
          security issues privately to the Piwik Security Response
          team: Elamaran Venkatraman, Egidio Romano and Dmitriy
          Shcherbatov. The following vulnerabilities were fixed:
          XSS, CSRF, possible file inclusion in older PHP versions
          (low impact), possible Object Injection Vulnerability
          (low impact).</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-7815</cvename>
      <cvename>CVE-2015-7816</cvename>
      <url>http://piwik.org/changelog/piwik-2-15-0/</url>
    </references>
    <dates>
      <discovery>2015-11-17</discovery>
      <entry>2015-12-02</entry>
    </dates>
  </vuln>
  <vuln vid="d62ec98e-97d8-11e5-8c0e-080027b00c2e">
    <topic>cyrus-imapd -- integer overflow in the start_octet addition</topic>
    <affects>
      <package>
        <name>cyrus-imapd25</name>
        <range><ge>2.5.0</ge><lt>2.5.7</lt></range>
      </package>
      <package>
        <name>cyrus-imapd24</name>
        <range><ge>2.4.0</ge><lt>2.4.18_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The Cyrus IMAP 2.5.7 release notes state:</p>
        <blockquote cite="https://docs.cyrus.foundation/imap/release-notes/2.5/x/2.5.7.html">
          <p>CVE-2015-8077, CVE-2015-8078: protect against integer overflow in urlfetch range checks</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-8078</cvename>
      <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8078</url>
      <url>http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8078.html</url>
      <url>https://security-tracker.debian.org/tracker/CVE-2015-8078</url>
      <cvename>CVE-2015-8077</cvename>
      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8077</url>
      <url>http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8077.html</url>
      <url>https://security-tracker.debian.org/tracker/CVE-2015-8077</url>
    </references>
    <dates>
      <discovery>2015-11-04</discovery>
      <entry>2015-12-01</entry>
    </dates>
  </vuln>
  <vuln vid="11c52bc6-97aa-11e5-b8df-14dae9d210b8">
    <topic>django -- information leak vulnerability</topic>
    <affects>
      <package>
        <name>py27-django</name>
        <name>py32-django</name>
        <name>py33-django</name>
        <name>py34-django</name>
        <range><lt>1.8.7</lt></range>
      </package>
      <package>
        <name>py27-django18</name>
        <name>py32-django18</name>
        <name>py33-django18</name>
        <name>py34-django18</name>
        <range><lt>1.8.7</lt></range>
      </package>
      <package>
        <name>py27-django17</name>
        <name>py32-django17</name>
        <name>py33-django17</name>
        <name>py34-django17</name>
        <range><lt>1.7.11</lt></range>
      </package>
      <package>
        <name>py27-django-devel</name>
        <name>py32-django-devel</name>
        <name>py33-django-devel</name>
        <name>py34-django-devel</name>
        <range><le>20150709,1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Tim Graham reports:</p>
        <blockquote cite="https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/">
          <p>If an application allows users to specify an unvalidated
          format for dates and passes this format to the date filter, e.g. {{
          last_updated|date:user_date_format }}, then a malicious user could
          obtain any secret in the application's settings by specifying a settings
          key instead of a date format, e.g. "SECRET_KEY" instead of "j/m/Y".</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/</url>
      <cvename>CVE-2015-8213</cvename>
    </references>
    <dates>
      <discovery>2015-11-24</discovery>
      <entry>2015-11-30</entry>
      <modified>2015-12-24</modified>
    </dates>
  </vuln>
  <vuln vid="fb2475c2-9125-11e5-bd18-002590263bf5">
    <topic>kibana4 -- CSRF vulnerability</topic>
    <affects>
      <package>
        <name>kibana4</name>
        <name>kibana41</name>
        <range><ge>4.0.0</ge><lt>4.1.3</lt></range>
      </package>
      <package>
        <name>kibana42</name>
        <range><ge>4.2.0</ge><lt>4.2.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Elastic reports:</p>
        <blockquote cite="https://www.elastic.co/community/security/">
          <p>Vulnerability Summary: Kibana versions prior to 4.1.3 and 4.2.1
          are vulnerable to a CSRF attack.</p>
          <p>Remediation Summary: Users should upgrade to 4.1.3 or 4.2.1.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-8131</cvename>
      <url>https://www.elastic.co/community/security/</url>
    </references>
    <dates>
      <discovery>2015-11-17</discovery>
      <entry>2015-11-22</entry>
    </dates>
  </vuln>
  <vuln vid="e359051d-90bd-11e5-bd18-002590263bf5">
    <topic>a2ps -- format string vulnerability</topic>
    <affects>
      <package>
        <name>a2ps</name>
        <range><lt>4.13b_8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Jong-Gwon Kim reports:</p>
        <blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/16/4">
          <p>When a user runs a2ps with a maliciously crafted pro (a2ps prologue) file,
          an attacker can execute arbitrary code.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-8107</cvename>
      <url>http://www.openwall.com/lists/oss-security/2015/11/16/4</url>
    </references>
    <dates>
      <discovery>2015-11-16</discovery>
      <entry>2015-11-22</entry>
    </dates>
  </vuln>
  <vuln vid="ecc268f2-8fc2-11e5-918c-bcaec565249c">
    <topic>libxslt -- DoS vulnerability due to type confusion error</topic>
    <affects>
      <package>
        <name>libxslt</name>
        <range><lt>1.1.28_8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The libxslt maintainer reports:</p>
        <blockquote cite="https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617">
          <p>CVE-2015-7995:
          http://www.openwall.com/lists/oss-security/2015/10/27/10
          We need to check that the parent node is an element before
          dereferencing its namespace.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-7995</cvename>
      <url>https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617</url>
    </references>
    <dates>
      <discovery>2015-10-29</discovery>
      <entry>2015-11-20</entry>
    </dates>
  </vuln>
  <vuln vid="e5423caf-8fb8-11e5-918c-bcaec565249c">
    <topic>libxml2 -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>libxml2</name>
        <range><lt>2.9.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>reports:</p>
        <blockquote cite="http://xmlsoft.org/news.html">
          <p>CVE-2015-5312 Another entity expansion issue (David Drysdale).</p>
          <p>CVE-2015-7497 Avoid a heap buffer overflow in
          xmlDictComputeFastQKey (David Drysdale).</p>
          <p>CVE-2015-7498 Avoid processing entities after encoding
          conversion failures (Daniel Veillard).</p>
          <p>CVE-2015-7499 (1) Add xmlHaltParser() to stop the parser
          (Daniel Veillard).</p>
          <p>CVE-2015-7499 (2) Detect incoherency on GROW (Daniel
          Veillard).</p>
          <p>CVE-2015-7500 Fix memory access error due to incorrect
          entities boundaries (Daniel Veillard).</p>
          <p>CVE-2015-7941 (1) Stop parsing on entities boundaries
          errors (Daniel Veillard).</p>
          <p>CVE-2015-7941 (2) Cleanup conditional section error
          handling (Daniel Veillard).</p>
          <p>CVE-2015-7942 Another variation of overflow in
          Conditional sections (Daniel Veillard).</p>
          <p>CVE-2015-7942 (2) Fix an error in previous Conditional
          section patch (Daniel Veillard).</p>
          <p>CVE-2015-8035 Fix XZ compression support loop
          (Daniel Veillard).</p>
          <p>CVE-2015-8242 Buffer overread with HTML parser in push
          mode (Hugh Davenport)</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-5312</cvename>
      <cvename>CVE-2015-7497</cvename>
      <cvename>CVE-2015-7498</cvename>
      <cvename>CVE-2015-7499</cvename>
      <cvename>CVE-2015-7500</cvename>
      <cvename>CVE-2015-7941</cvename>
      <cvename>CVE-2015-7942</cvename>
      <cvename>CVE-2015-8035</cvename>
      <cvename>CVE-2015-8241</cvename>
      <cvename>CVE-2015-8242</cvename>
      <url>http://xmlsoft.org/news.html</url>
      <url>http://www.openwall.com/lists/oss-security/2015/11/18/23</url>
    </references>
    <dates>
      <discovery>2015-11-20</discovery>
      <entry>2015-11-20</entry>
    </dates>
  </vuln>
  <vuln vid="9d04936c-75f1-4a2c-9ade-4c1708be5df9">
    <topic>mozilla -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>nspr</name>
        <range><lt>4.10.10</lt></range>
      </package>
      <package>
        <name>linux-c6-nspr</name>
        <range><lt>4.10.10</lt></range>
      </package>
      <package>
        <name>nss</name>
        <range><ge>3.20</ge><lt>3.20.1</lt></range>
        <range><ge>3.19.3</ge><lt>3.19.4</lt></range>
        <range><lt>3.19.2.1</lt></range>
      </package>
      <package>
        <name>firefox</name>
        <range><lt>42.0,1</lt></range>
      </package>
      <package>
        <name>linux-firefox</name>
        <range><lt>42.0,1</lt></range>
      </package>
      <package>
        <name>seamonkey</name>
        <range><lt>2.39</lt></range>
      </package>
      <package>
        <name>linux-seamonkey</name>
        <range><lt>2.39</lt></range>
      </package>
      <package>
        <name>firefox-esr</name>
        <range><lt>38.4.0,1</lt></range>
      </package>
      <package>
        <name>libxul</name>
        <range><lt>38.4.0</lt></range>
      </package>
      <package>
        <name>thunderbird</name>
        <range><lt>38.4.0</lt></range>
      </package>
      <package>
        <name>linux-thunderbird</name>
        <range><lt>38.4.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The Mozilla Project reports:</p>
        <blockquote cite="https://www.mozilla.org/en-US/security/advisories/">
          <p>MFSA 2015-133 NSS and NSPR memory corruption issues</p>
          <p>MFSA 2015-132 Mixed content WebSocket policy bypass
          through workers</p>
          <p>MFSA 2015-131 Vulnerabilities found through code
          inspection</p>
          <p>MFSA 2015-130 JavaScript garbage collection crash with
          Java applet</p>
          <p>MFSA 2015-129 Certain escaped characters in host of
          Location-header are being treated as non-escaped</p>
          <p>MFSA 2015-128 Memory corruption in libjar through zip
          files</p>
          <p>MFSA 2015-127 CORS preflight is bypassed when
          non-standard Content-Type headers are received</p>
          <p>MFSA 2015-126 Crash when accessing HTML tables with
          accessibility tools on OS X</p>
          <p>MFSA 2015-125 XSS attack through intents on Firefox for
          Android</p>
          <p>MFSA 2015-124 Android intents can be used on Firefox for
          Android to open privileged files</p>
          <p>MFSA 2015-123 Buffer overflow during image interactions
          in canvas</p>
          <p>MFSA 2015-122 Trailing whitespace in IP address hostnames
          can bypass same-origin policy</p>
          <p>MFSA 2015-121 Disabling scripts in Add-on SDK panels has
          no effect</p>
          <p>MFSA 2015-120 Reading sensitive profile files through
          local HTML file on Android</p>
          <p>MFSA 2015-119 Firefox for Android addressbar can be
          removed after fullscreen mode</p>
          <p>MFSA 2015-118 CSP bypass due to permissive Reader mode
          whitelist</p>
          <p>MFSA 2015-117 Information disclosure through NTLM
          authentication</p>
          <p>MFSA 2015-116 Miscellaneous memory safety hazards
          (rv:42.0 / rv:38.4)</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-4513</cvename>
      <cvename>CVE-2015-4514</cvename>
      <cvename>CVE-2015-4515</cvename>
      <cvename>CVE-2015-4518</cvename>
      <cvename>CVE-2015-7181</cvename>
      <cvename>CVE-2015-7182</cvename>
      <cvename>CVE-2015-7183</cvename>
      <cvename>CVE-2015-7185</cvename>
      <cvename>CVE-2015-7186</cvename>
      <cvename>CVE-2015-7187</cvename>
      <cvename>CVE-2015-7188</cvename>
      <cvename>CVE-2015-7189</cvename>
      <cvename>CVE-2015-7190</cvename>
      <cvename>CVE-2015-7191</cvename>
      <cvename>CVE-2015-7192</cvename>
      <cvename>CVE-2015-7193</cvename>
      <cvename>CVE-2015-7194</cvename>
      <cvename>CVE-2015-7195</cvename>
      <cvename>CVE-2015-7196</cvename>
      <cvename>CVE-2015-7197</cvename>
      <cvename>CVE-2015-7198</cvename>
      <cvename>CVE-2015-7199</cvename>
      <cvename>CVE-2015-7200</cvename>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-116/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-117/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-118/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-119/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-120/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-121/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-122/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-123/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-124/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-125/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-126/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-127/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-128/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-129/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-130/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-131/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-132/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2015-133/</url>
    </references>
    <dates>
      <discovery>2015-11-03</discovery>
      <entry>2015-11-19</entry>
      <modified>2016-04-13</modified>
    </dates>
  </vuln>
  <vuln vid="68847b20-8ddc-11e5-b69c-c86000169601">
    <topic>gdm -- lock screen bypass when holding escape key</topic>
    <affects>
      <package>
        <name>gdm</name>
        <range><lt>3.16.2_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Ray Strode reports:</p>
        <blockquote cite="https://mail.gnome.org/archives/ftp-release-list/2015-November/msg00074.html">
          <p>CVE-2015-7496 - lock screen bypass when holding escape key.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-7496</cvename>
      <url>https://mail.gnome.org/archives/ftp-release-list/2015-November/msg00074.html</url>
      <url>https://bugzilla.gnome.org/show_bug.cgi?id=758032</url>
    </references>
    <dates>
      <discovery>2015-11-12</discovery>
      <entry>2015-11-18</entry>
    </dates>
  </vuln>
  <vuln vid="3eb0ccc2-8c6a-11e5-8519-005056ac623e">
    <topic>strongswan -- authentication bypass vulnerability in the eap-mschapv2 plugin</topic>
    <affects>
      <package>
        <name>strongswan</name>
        <range><lt>5.3.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The strongSwan release notes report:</p>
        <blockquote cite="https://github.com/strongswan/strongswan/blob/master/NEWS">
          <p>Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that
          was caused by insufficient verification of the internal state when handling
          MSCHAPv2 Success messages received by the client.
          This vulnerability has been registered as CVE-2015-8023.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-8023</cvename>
      <url>https://github.com/strongswan/strongswan/commit/453e204ac40dfff2e0978e8f84a5f8ff0cbc45e2</url>
    </references>
    <dates>
      <discovery>2015-11-16</discovery>
      <entry>2015-11-16</entry>
    </dates>
  </vuln>
  <vuln vid="82b3ca2a-8c07-11e5-bd18-002590263bf5">
    <topic>moodle -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>moodle27</name>
        <range><lt>2.7.11</lt></range>
      </package>
      <package>
        <name>moodle28</name>
        <range><lt>2.8.9</lt></range>
      </package>
      <package>
        <name>moodle29</name>
        <range><lt>2.9.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Moodle Release Notes report:</p>
        <blockquote cite="https://docs.moodle.org/dev/Moodle_2.9.3_release_notes">
          <p>MSA-15-0037 Possible to send a message to a user who blocked
          messages from non contacts</p>
          <p>MSA-15-0038 DDoS possibility in Atto</p>
          <p>MSA-15-0039 CSRF in site registration form</p>
          <p>MSA-15-0040 Student XSS in survey</p>
          <p>MSA-15-0041 XSS in flash video player</p>
          <p>MSA-15-0042 CSRF in lesson login form</p>
          <p>MSA-15-0043 Web service core_enrol_get_enrolled_users does not
          respect course group mode</p>
          <p>MSA-15-0044 Capability to view available badges is not
          respected</p>
          <p>MSA-15-0045 SCORM module allows bypassing access restrictions based
          on date</p>
          <p>MSA-15-0046 Choice module closing date can be bypassed</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://docs.moodle.org/dev/Moodle_2.7.11_release_notes</url>
      <url>https://docs.moodle.org/dev/Moodle_2.8.9_release_notes</url>
      <url>https://docs.moodle.org/dev/Moodle_2.9.3_release_notes</url>
    </references>
    <dates>
      <discovery>2015-11-09</discovery>
      <entry>2015-11-16</entry>
      <modified>2015-12-21</modified>
    </dates>
  </vuln>
<vuln vid="2cabfbab-8bfb-11e5-bd18-002590263bf5">
<topic>xen-kernel -- CPU lockup during exception delivery</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-156.html">
<p>A malicious HVM guest administrator can cause a denial of service.
Specifically, prevent use of a physical CPU for a significant,
perhaps indefinite period. If a host watchdog (Xen or dom0) is in
use, this can lead to a watchdog timeout and consequently a reboot
of the host. If another, innocent, guest is configured with a
watchdog, this issue can lead to a reboot of such a guest.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5307</cvename>
<cvename>CVE-2015-8104</cvename>
<url>http://xenbits.xen.org/xsa/advisory-156.html</url>
</references>
<dates>
<discovery>2015-11-10</discovery>
<entry>2015-11-16</entry>
</dates>
</vuln>
<vuln vid="1886e195-8b87-11e5-90e7-b499baebfeaf">
<topic>libpng -- buffer overflow in png_set_PLTE</topic>
<affects>
<package>
<name>png</name>
<range><lt>1.6.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libpng reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/12/2">
<p>CVE for a vulnerability in libpng, all versions, in the
png_set_PLTE/png_get_PLTE functions. These functions failed to check for
an out-of-range palette when reading or writing PNG files with a bit_depth
less than 8. Some applications might read the bit depth from the IHDR
chunk and allocate memory for a 2^N entry palette, while libpng can return
a palette with up to 256 entries even when the bit depth is less than 8.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2015/11/12/2</url>
<url>http://www.openwall.com/lists/oss-security/2015/12/03/6</url>
<cvename>CVE-2015-8126</cvename>
<cvename>CVE-2015-8472</cvename>
</references>
<dates>
<discovery>2015-11-15</discovery>
<entry>2015-11-15</entry>
<modified>2015-12-08</modified>
</dates>
</vuln>
<vuln vid="547fbd98-8b1f-11e5-b48b-bcaec565249c">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-f10-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<range><lt>11.2r202.548</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-28.html">
<p>These updates resolve a type confusion vulnerability that
could lead to code execution (CVE-2015-7659).</p>
<p>These updates resolve a security bypass vulnerability that
could be exploited to write arbitrary data to the file
system under user permissions (CVE-2015-7662).</p>
<p>These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2015-7651, CVE-2015-7652,
CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656,
CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661,
CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044,
CVE-2015-8046).</p>
</blockquote>
</body>
</description>
<references>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-28.html</url>
<cvename>CVE-2015-7651</cvename>
<cvename>CVE-2015-7652</cvename>
<cvename>CVE-2015-7653</cvename>
<cvename>CVE-2015-7654</cvename>
<cvename>CVE-2015-7655</cvename>
<cvename>CVE-2015-7656</cvename>
<cvename>CVE-2015-7657</cvename>
<cvename>CVE-2015-7658</cvename>
<cvename>CVE-2015-7659</cvename>
<cvename>CVE-2015-7660</cvename>
<cvename>CVE-2015-7661</cvename>
<cvename>CVE-2015-7662</cvename>
<cvename>CVE-2015-7663</cvename>
<cvename>CVE-2015-8043</cvename>
<cvename>CVE-2015-8044</cvename>
<cvename>CVE-2015-8046</cvename>
</references>
<dates>
<discovery>2015-11-10</discovery>
<entry>2015-11-14</entry>
</dates>
</vuln>
<vuln vid="f0b9049f-88c4-11e5-aed7-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<!--pcbsd-->
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>46.0.2490.86</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/11/stable-channel-update.html">
<p>[520422] High CVE-2015-1302: Information leak in PDF viewer.
Credit to Rob Wu.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1302</cvename>
<url>http://googlechromereleases.blogspot.nl/2015/11/stable-channel-update.html</url>
</references>
<dates>
<discovery>2015-11-10</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="851a0eea-88aa-11e5-90e7-b499baebfeaf">
<topic>MySQL -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>mariadb-client</name>
<range><lt>5.3.13</lt></range>
</package>
<package>
<name>mariadb-server</name>
<range><lt>5.3.13</lt></range>
</package>
<package>
<name>mariadb55-client</name>
<range><lt>5.5.46</lt></range>
</package>
<package>
<name>mariadb55-server</name>
<range><lt>5.5.46</lt></range>
</package>
<package>
<name>mariadb100-client</name>
<range><lt>10.0.22</lt></range>
</package>
<package>
<name>mariadb100-server</name>
<range><lt>10.0.22</lt></range>
</package>
<package>
<name>mysql55-client</name>
<range><lt>5.5.46</lt></range>
</package>
<package>
<name>mysql55-server</name>
<range><lt>5.5.46</lt></range>
</package>
<package>
<name>mysql56-client</name>
<range><lt>5.6.27</lt></range>
</package>
<package>
<name>mysql56-server</name>
<range><lt>5.6.27</lt></range>
</package>
<package>
<name>percona55-client</name>
<range><lt>5.5.46</lt></range>
</package>
<package>
<name>percona55-server</name>
<range><lt>5.5.46</lt></range>
</package>
<package>
<name>percona56-client</name>
<range><lt>5.6.27</lt></range>
</package>
<package>
<name>percona56-server</name>
<range><lt>5.6.27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html">
<p>Critical Patch Update: MySQL Server, version(s) 5.5.45 and prior, 5.6.26 and prior</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html</url>
<cvename>CVE-2015-4802</cvename>
<cvename>CVE-2015-4807</cvename>
<cvename>CVE-2015-4815</cvename>
<cvename>CVE-2015-4826</cvename>
<cvename>CVE-2015-4830</cvename>
<cvename>CVE-2015-4836</cvename>
<cvename>CVE-2015-4858</cvename>
<cvename>CVE-2015-4861</cvename>
<cvename>CVE-2015-4870</cvename>
<cvename>CVE-2015-4913</cvename>
<cvename>CVE-2015-4792</cvename>
<url>https://mariadb.com/kb/en/mariadb/mariadb-5546-release-notes/</url>
<url>https://mariadb.com/kb/en/mariadb/mariadb-10022-release-notes/</url>
<url>https://www.percona.com/doc/percona-server/5.5/release-notes/Percona-Server-5.5.46-37.5.html</url>
<url>https://www.percona.com/doc/percona-server/5.6/release-notes/Percona-Server-5.6.27-75.0.html</url>
</references>
<dates>
<discovery>2015-11-10</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="b665668a-91db-4f13-8113-9e4b5b0e47f7">
<topic>jenkins -- remote code execution via unsafe deserialization</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>1.638</lt></range>
</package>
<package>
<name>jenkins-lts</name>
<range><lt>1.625.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Developers report:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11">
<p>Unsafe deserialization allows unauthenticated remote attackers to
run arbitrary code on the Jenkins master.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11</url>
<url>https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli</url>
<url>http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#thefix</url>
</references>
<dates>
<discovery>2015-11-06</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="71af4ded-8864-11e5-af1b-001999f8d30b">
<topic>owncloudclient -- Improper validation of certificates when using self-signed certificates</topic>
<affects>
<package>
<name>owncloudclient</name>
<range><lt>2.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>owncloud.org reports:</p>
<blockquote cite="https://owncloud.org/security/advisory/?id=oc-sa-2015-016">
<p>The ownCloud Desktop Client was vulnerable against MITM attacks until version 2.0.0 in combination with self-signed certificates.</p>
</blockquote>
</body>
</description>
<references>
<url>https://owncloud.org/security/advisory/?id=oc-sa-2015-016</url>
<cvename>CVE-2015-7298</cvename>
</references>
<dates>
<discovery>2015-09-21</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="c0e76d33-8821-11e5-ab94-002590263bf5">
<topic>xen-tools -- populate-on-demand balloon size inaccuracy can crash guests</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>3.4</ge><lt>4.5.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-153.html">
<p>Guests configured with PoD might be unstable, especially under
load. In an affected guest, an unprivileged guest user might be
able to cause a guest crash, perhaps simply by applying load so
as to cause heavy memory pressure within the guest.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7972</cvename>
<url>http://xenbits.xen.org/xsa/advisory-153.html</url>
</references>
<dates>
<discovery>2015-10-29</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="e4848ca4-8820-11e5-ab94-002590263bf5">
<topic>xen-kernel -- some pmu and profiling hypercalls log without rate limiting</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>3.2</ge><lt>4.5.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-152.html">
<p>HYPERCALL_xenoprof_op and HYPERVISOR_xenpmu_op log some errors and
attempts at invalid operations. These log messages are not
rate-limited, even though they can be triggered by guests.</p>
<p>A malicious guest could cause repeated logging to the hypervisor
console, leading to a Denial of Service attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7971</cvename>
<url>http://xenbits.xen.org/xsa/advisory-152.html</url>
</references>
<dates>
<discovery>2015-10-29</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="e3792855-881f-11e5-ab94-002590263bf5">
<topic>xen-kernel -- leak of per-domain profiling-related vcpu pointer array</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>4.0</ge><lt>4.5.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-151.html">
<p>A domain's xenoprofile state contains an array of per-vcpu
information... This array is leaked on domain teardown. This memory
leak could -- over time -- exhaust the host's memory.</p>
<p>The following parties can mount a denial of service attack
affecting the whole system:</p>
<ul>
<li>A malicious guest administrator via XENOPROF_get_buffer.</li>
<li>A domain given suitable privilege over another domain via
XENOPROF_set_passive (this would usually be a domain being
used to profile another domain, eg with the xenoprof tool).</li>
</ul>
<p>The ability to also restart or create suitable domains is also
required to fully exploit the issue. Without this the leak is
limited to a small multiple of the maximum number of vcpus for the
domain.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7969</cvename>
<url>http://xenbits.xen.org/xsa/advisory-151.html</url>
</references>
<dates>
<discovery>2015-10-29</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="83350009-881e-11e5-ab94-002590263bf5">
<topic>xen-kernel -- Long latency populate-on-demand operation is not preemptible</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>3.4</ge><lt>4.5.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-150.html">
<p>When running an HVM domain in Populate-on-Demand mode, Xen would
sometimes search the domain for memory to reclaim, in response to
demands for population of other pages in the same domain. This
search runs without preemption. The guest can, by suitable
arrangement of its memory contents, create a situation where this
search is a time-consuming linear scan of the guest's address
space.</p>
<p>A malicious HVM guest administrator can cause a denial of service.
Specifically, prevent use of a physical CPU for a significant
period.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7970</cvename>
<url>http://xenbits.xen.org/xsa/advisory-150.html</url>
</references>
<dates>
<discovery>2015-10-29</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="fc1f8795-881d-11e5-ab94-002590263bf5">
<topic>xen-kernel -- leak of main per-domain vcpu pointer array</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.5.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-149.html">
<p>A domain's primary array of vcpu pointers can be allocated by a
toolstack exactly once in the lifetime of a domain via the
XEN_DOMCTL_max_vcpus hypercall. This array is leaked on domain
teardown. This memory leak could -- over time -- exhaust the host's
memory.</p>
<p>A domain given partial management control via XEN_DOMCTL_max_vcpus
can mount a denial of service attack affecting the whole system. The
ability to also restart or create suitable domains is also required
to fully exploit the issue. Without this the leak is limited to a
small multiple of the maximum number of vcpus for the domain. The
maximum leak is 64kbytes per domain (re)boot (less on ARM).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7969</cvename>
<url>http://xenbits.xen.org/xsa/advisory-149.html</url>
</references>
<dates>
<discovery>2015-10-29</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="3d9f6260-881d-11e5-ab94-002590263bf5">
<topic>xen-kernel -- Uncontrolled creation of large page mappings by PV guests</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>3.4</ge><lt>4.5.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-148.html">
<p>The code to validate level 2 page table entries is bypassed when
certain conditions are satisfied. This means that a PV guest can
create writeable mappings using super page mappings. Such writeable
mappings can violate Xen's intended invariants for pages which Xen is
supposed to keep read-only. This is possible even if the
"allowsuperpage" command line option is not used.</p>
<p>Malicious PV guest administrators can escalate privilege so as to
control the whole system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7835</cvename>
<url>http://xenbits.xen.org/xsa/advisory-148.html</url>
</references>
<dates>
<discovery>2015-10-29</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="301b04d7-881c-11e5-ab94-002590263bf5">
<topic>xen-tools -- libxl fails to honour readonly flag on disks with qemu-xen</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>4.1</ge><lt>4.5.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-142.html">
<p>Callers of libxl can specify that a disk should be read-only to the
guest. However, there is no code in libxl to pass this information
to qemu-xen (the upstream-based qemu); and indeed there is no way in
qemu to make a disk read-only.</p>
<p>The vulnerability is exploitable only via devices emulated by the
device model, not the parallel PV devices for supporting PVHVM.
Normally the PVHVM device unplug protocol renders the emulated
devices inaccessible early in boot.</p>
<p>Malicious guest administrators or (in some situations) users may be
able to write to supposedly read-only disk images.</p>
<p>CDROM devices (that is, devices specified to be presented to the
guest as CDROMs, regardless of the nature of the backing storage on
the host) are not affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7311</cvename>
<url>http://xenbits.xen.org/xsa/advisory-142.html</url>
</references>
<dates>
<discovery>2015-09-22</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="2f7f4db2-8819-11e5-ab94-002590263bf5">
<topic>p5-HTML-Scrubber -- XSS vulnerability</topic>
<affects>
<package>
<name>p5-HTML-Scrubber</name>
<range><lt>0.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5667">
<p>Cross-site scripting (XSS) vulnerability in the HTML-Scrubber
module before 0.15 for Perl, when the comment feature is enabled,
allows remote attackers to inject arbitrary web script or HTML via
a crafted comment.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5667</cvename>
<url>https://metacpan.org/release/HTML-Scrubber</url>
<url>http://jvndb.jvn.jp/jvndb/JVNDB-2015-000171</url>
<url>http://jvn.jp/en/jp/JVN53973084/index.html</url>
</references>
<dates>
<discovery>2015-10-10</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="6ca7eddd-d436-486a-b169-b948436bcf14">
<topic>libvpx -- buffer overflow in vp9_init_context_buffers</topic>
<affects>
<package>
<name>libvpx</name>
<range><lt>1.4.0.488_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/security/advisories/mfsa2015-101/">
<p>Security researcher Khalil Zhani reported that a
maliciously crafted vp9 format video could be used to
trigger a buffer overflow while parsing the file. This leads
to a potentially exploitable crash due to a flaw in the
libvpx library.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4506</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-101/</url>
</references>
<dates>
<discovery>2015-09-22</discovery>
<entry>2015-11-10</entry>
</dates>
</vuln>
<vuln vid="56665ccb-8723-11e5-9b13-14dae9d210b8">
<topic>powerdns -- Denial of Service</topic>
<affects>
<package>
<name>powerdns</name>
<range><ge>3.4.4</ge><lt>3.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PowerDNS reports:</p>
<blockquote cite="https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/">
<p>A bug was found using afl-fuzz in our packet parsing code.
This bug, when exploited, causes an assertion error and consequent
termination of the pdns_server process, causing a Denial of Service.</p>
</blockquote>
</body>
</description>
<references>
<url>https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/</url>
<cvename>CVE-2015-5311</cvename>
</references>
<dates>
<discovery>2015-11-03</discovery>
<entry>2015-11-09</entry>
</dates>
</vuln>
<vuln vid="0cb0afd9-86b8-11e5-bf60-080027ef73ec">
<topic>PuTTY -- memory corruption in terminal emulator's erase character handling</topic>
<affects>
<package>
<name>putty</name>
<range><ge>0.54</ge><lt>0.66</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ben Harris reports:</p>
<blockquote cite="http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html">
<p>Versions of PuTTY and pterm between 0.54 and 0.65 inclusive have a
potentially memory-corrupting integer overflow in the handling of
the ECH (erase characters) control sequence in the terminal
emulator.</p>
<p>To exploit a vulnerability in the terminal emulator, an attacker
must be able to insert a carefully crafted escape sequence into the
terminal stream. For a PuTTY SSH session, this must be before
encryption, so the attacker likely needs access to the server you're
connecting to. For instance, an attacker on a multi-user machine
that you connect to could trick you into running cat on a file they
control containing a malicious escape sequence. (Unix write(1) is
not a vector for this, if implemented correctly.)</p>
<p>Only PuTTY, PuTTYtel, and pterm are affected; other PuTTY tools do
not include the terminal emulator, so cannot be exploited this
way.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html</url>
<cvename>CVE-2015-5309</cvename>
</references>
<dates>
<discovery>2015-11-06</discovery>
<entry>2015-11-09</entry>
</dates>
</vuln>
<vuln vid="18b3c61b-83de-11e5-905b-ac9e174be3af">
<topic>OpenOffice 4.1.1 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>apache-openoffice</name>
<range><lt>4.1.2</lt></range>
</package>
<package>
<name>apache-openoffice-devel</name>
<range><lt>4.2.1705368,3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache OpenOffice Project reports:</p>
<blockquote cite="http://www.openoffice.org/security/cves/CVE-2015-4551.html">
<p>A vulnerability in OpenOffice settings of OpenDocument Format
files and templates allows silent access to files that are
readable from a user account, over-riding the user's default
configuration settings. Once these files are imported into a
maliciously-crafted document, the data can be silently hidden
in the document and possibly exported to an external party
without being observed.</p>
</blockquote>
<p>The Apache OpenOffice Project reports:</p>
<blockquote cite="http://www.openoffice.org/security/cves/CVE-2015-5212.html">
<p>A crafted ODF document can be used to create a buffer that is
too small for the amount of data loaded into it, allowing an
attacker to cause denial of service (memory corruption and
application crash) and possible execution of arbitrary code.</p>
</blockquote>
<p>The Apache OpenOffice Project reports:</p>
<blockquote cite="http://www.openoffice.org/security/cves/CVE-2015-5213.html">
<p>A crafted Microsoft Word DOC file can be used to specify a
document buffer that is too small for the amount of data
provided for it. Failure to detect the discrepancy allows an
attacker to cause denial of service (memory corruption and
application crash) and possible execution of arbitrary code.</p>
</blockquote>
<p>The Apache OpenOffice Project reports:</p>
<blockquote cite="http://www.openoffice.org/security/cves/CVE-2015-5214.html">
<p>A crafted Microsoft Word DOC can contain invalid bookmark
positions leading to memory corruption when the document is
loaded or bookmarks are manipulated. The defect allows an
attacker to cause denial of service (memory corruption and
application crash) and possible execution of arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4551</cvename>
<url>http://www.openoffice.org/security/cves/CVE-2015-4551.html</url>
<cvename>CVE-2015-5212</cvename>
<url>http://www.openoffice.org/security/cves/CVE-2015-5212.html</url>
<cvename>CVE-2015-5213</cvename>
<url>http://www.openoffice.org/security/cves/CVE-2015-5213.html</url>
<cvename>CVE-2015-5214</cvename>
<url>http://www.openoffice.org/security/cves/CVE-2015-5214.html</url>
</references>
<dates>
<discovery>2015-11-04</discovery>
<entry>2015-11-05</entry>
<modified>2015-11-05</modified>
</dates>
</vuln>
<vuln vid="698403a7-803d-11e5-ab94-002590263bf5">
<topic>codeigniter -- multiple vulnerabilities</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>2.2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://codeigniter.com/userguide2/changelog.html">
<p>Fixed an XSS attack vector in Security Library method
xss_clean().</p>
<p>Changed Config Library method base_url() to fallback to
``$_SERVER['SERVER_ADDR']`` in order to avoid Host header
injections.</p>
<p>Changed CAPTCHA Helper to try to use the operating system's PRNG
first.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203403</freebsdpr>
<url>https://codeigniter.com/userguide2/changelog.html</url>
</references>
<dates>
<discovery>2015-10-31</discovery>
<entry>2015-11-01</entry>
</dates>
</vuln>
<vuln vid="017a493f-7db6-11e5-a762-14dae9d210b8">
<topic>openafs -- information disclosure</topic>
<affects>
<package>
<name>openafs</name>
<range><lt>1.6.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenAFS development team reports:</p>
<blockquote cite="http://openafs.org/pages/security/OPENAFS-SA-2015-007.txt">
<p>When constructing an Rx acknowledgment (ACK) packet, Andrew-derived Rx
implementations do not initialize three octets of data that are padding
in the C language structure and were inadvertently included in the wire
protocol (CVE-2015-7762). Additionally, OpenAFS Rx in versions 1.5.75
through 1.5.78, 1.6.0 through 1.6.14, and 1.7.0 through 1.7.32 include
a variable-length padding at the end of the ACK packet, in an attempt to
detect the path MTU, but only four octets of the additional padding are
initialized (CVE-2015-7763).</p>
</blockquote>
</body>
</description>
<references>
<url>http://openafs.org/pages/security/OPENAFS-SA-2015-007.txt</url>
<cvename>CVE-2015-7762</cvename>
<cvename>CVE-2015-7763</cvename>
</references>
<dates>
<discovery>2015-10-28</discovery>
<entry>2015-10-28</entry>
</dates>
</vuln>
<vuln vid="4b9393b8-7c0c-11e5-a010-080027ddead3">
<topic>xscreensaver -- lock bypass</topic>
<affects>
<package>
<name>xscreensaver</name>
<name>xscreensaver-gnome</name>
<name>xscreensaver-gnome-hacks</name>
<range><lt>5.34</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>RedHat bugzilla reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=1274452">
<p>In dual screen configurations, unplugging one screen will cause
xscreensaver to crash, leaving the screen unlocked.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.jwz.org/xscreensaver/changelog.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1274452</url>
<cvename>CVE-2015-8025</cvename>
</references>
<dates>
<discovery>2015-10-24</discovery>
<entry>2015-10-27</entry>
<modified>2015-11-04</modified>
</dates>
</vuln>
<vuln vid="2a4a112a-7c1b-11e5-bd77-0800275369e2">
<topic>lldpd -- Buffer overflow/Denial of service</topic>
<affects>
<package>
<name>lldpd</name>
<range><ge>0.5.6</ge><lt>0.7.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The lldpd developer Vincent Bernat reports:</p>
<blockquote cite="https://github.com/vincentbernat/lldpd/raw/0.7.19/NEWS">
<p>A buffer overflow may allow arbitrary code execution
only if hardening was disabled.</p>
</blockquote>
<blockquote cite="https://github.com/vincentbernat/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00">
<p>Malformed packets should not make lldpd crash. Ensure we can
handle them by not using assert() in this part.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8011</cvename>
<cvename>CVE-2015-8012</cvename>
<url>https://github.com/vincentbernat/lldpd/raw/0.7.19/NEWS</url>
<url>http://www.openwall.com/lists/oss-security/2015/10/30/2</url>
</references>
<dates>
<discovery>2015-10-04</discovery>
<entry>2015-10-26</entry>
<modified>2015-11-10</modified>
</dates>
</vuln>
<vuln vid="24e4d383-7b3e-11e5-a250-68b599b52a02">
<topic>wireshark -- Pcapng file parser crash</topic>
<affects>
<package>
<name>wireshark</name>
<name>wireshark-lite</name>
<name>wireshark-qt5</name>
<name>tshark</name>
<name>tshark-lite</name>
<range><lt>1.12.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark development team reports:</p>
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-1.12.8.html">
<p>The following vulnerability has been fixed.</p>
<ul>
<li><p>wnpa-sec-2015-30</p>
<p>Pcapng file parser crash. (Bug 11455)</p></li>
</ul>
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.wireshark.org/docs/relnotes/wireshark-1.12.8.html</url> | |
<cvename>CVE-2015-7830</cvename> | |
</references> | |
<dates> | |
<discovery>2015-10-14</discovery> | |
<entry>2015-10-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="0ebc6e78-7ac6-11e5-b35a-002590263bf5"> | |
<topic>Joomla! -- Core - SQL Injection/ACL Violation vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>joomla3</name> | |
<range><ge>3.2.0</ge><lt>3.4.5</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The JSST and the Joomla! Security Center report:</p> | |
<blockquote cite="http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html"> | |
<h2>[20151001] - Core - SQL Injection</h2> | |
<p>Inadequate filtering of request data leads to a SQL Injection | |
vulnerability.</p> | |
</blockquote> | |
<blockquote cite="http://developer.joomla.org/security-centre/629-20151002-core-acl-violations.html"> | |
<h2>[20151002] - Core - ACL Violations</h2> | |
<p>Inadequate ACL checks in com_contenthistory provide potential read | |
access to data which should be access restricted.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7297</cvename> | |
<cvename>CVE-2015-7857</cvename> | |
<cvename>CVE-2015-7858</cvename> | |
<cvename>CVE-2015-7859</cvename> | |
<url>http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html</url> | |
<url>http://developer.joomla.org/security-centre/629-20151002-core-acl-violations.html</url> | |
<url>https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html</url> | |
</references> | |
<dates> | |
<discovery>2015-10-22</discovery> | |
<entry>2015-10-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="03e54e42-7ac6-11e5-b35a-002590263bf5"> | |
<topic>Joomla! -- Core - ACL Violation vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>joomla3</name> | |
<range><ge>3.0.0</ge><lt>3.4.5</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The JSST and the Joomla! Security Center report:</p> | |
<blockquote cite="http://developer.joomla.org/security-centre/630-20151003-core-acl-violations.html"> | |
<h2>[20151003] - Core - ACL Violations</h2> | |
<p>Inadequate ACL checks in com_content provide potential read access | |
to data which should be access restricted.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7899</cvename> | |
<url>http://developer.joomla.org/security-centre/630-20151003-core-acl-violations.html</url> | |
<url>https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html</url> | |
</references> | |
<dates> | |
<discovery>2015-10-22</discovery> | |
<entry>2015-10-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="f8c37915-7ac5-11e5-b35a-002590263bf5"> | |
<topic>Joomla! -- Core - XSS Vulnerability</topic> | |
<affects> | |
<package> | |
<name>joomla3</name> | |
<range><ge>3.4.0</ge><lt>3.4.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The JSST and the Joomla! Security Center report:</p> | |
<blockquote cite="http://developer.joomla.org/security-centre/626-20150908-core-xss-vulnerability.html"> | |
<h2>[20150908] - Core - XSS Vulnerability</h2> | |
<p>Inadequate escaping leads to XSS vulnerability in login module.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-6939</cvename> | |
<url>http://developer.joomla.org/security-centre/626-20150908-core-xss-vulnerability.html</url> | |
<url>https://www.joomla.org/announcements/release-news/5628-joomla-3-4-4-released.html</url> | |
</references> | |
<dates> | |
<discovery>2015-09-08</discovery> | |
<entry>2015-10-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="ec2d1cfd-7ac5-11e5-b35a-002590263bf5"> | |
<topic>Joomla! -- Core - CSRF Protection vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>joomla3</name> | |
<range><ge>3.2.0</ge><lt>3.4.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The JSST and the Joomla! Security Center report:</p> | |
<blockquote cite="http://developer.joomla.org/security-centre/618-20150602-core-remote-code-execution.html"> | |
<h2>[20150602] - Core - CSRF Protection</h2> | |
<p>Lack of CSRF checks potentially enabled uploading malicious code. | |
</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-5397</cvename> | |
<url>http://developer.joomla.org/security-centre/618-20150602-core-remote-code-execution.html</url> | |
<url>https://www.joomla.org/announcements/release-news/5589-joomla-3-4-2-released.html</url> | |
</references> | |
<dates> | |
<discovery>2015-06-30</discovery> | |
<entry>2015-10-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="deaba148-7ac5-11e5-b35a-002590263bf5"> | |
<topic>Joomla! -- Core - Open Redirect vulnerability</topic> | |
<affects> | |
<package> | |
<name>joomla3</name> | |
<range><ge>3.0.0</ge><lt>3.4.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The JSST and the Joomla! Security Center report:</p> | |
<blockquote cite="http://developer.joomla.org/security-centre/617-20150601-core-open-redirect.html"> | |
<h2>[20150601] - Core - Open Redirect</h2> | |
<p>Inadequate checking of the return value allowed to redirect to an | |
external page.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-5608</cvename> | |
<url>http://developer.joomla.org/security-centre/617-20150601-core-open-redirect.html</url> | |
<url>https://www.joomla.org/announcements/release-news/5589-joomla-3-4-2-released.html</url> | |
</references> | |
<dates> | |
<discovery>2015-06-30</discovery> | |
<entry>2015-10-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="cec4d01a-7ac5-11e5-b35a-002590263bf5"> | |
<topic>Joomla! -- Core - Remote File Execution/Denial of Service vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>joomla3</name> | |
<range><lt>3.2.6</lt></range> | |
<range><ge>3.3.0</ge><lt>3.3.5</lt></range> | |
</package> | |
<package> | |
<name>joomla2</name> | |
<range><ge>2.5.4</ge><lt>2.5.26</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The JSST and the Joomla! Security Center report:</p> | |
<blockquote cite="http://developer.joomla.org/security-centre/595-20140903-core-remote-file-inclusion.html"> | |
<h2>[20140903] - Core - Remote File Inclusion</h2> | |
<p>Inadequate checking allowed the potential for remote files to be | |
executed.</p> | |
</blockquote> | |
<blockquote cite="http://developer.joomla.org/security-centre/596-20140904-core-denial-of-service.html"> | |
<h2>[20140904] - Core - Denial of Service</h2> | |
<p>Inadequate checking allowed the potential for a denial of service | |
attack.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2014-7228</cvename> | |
<cvename>CVE-2014-7229</cvename> | |
<url>http://developer.joomla.org/security-centre/595-20140903-core-remote-file-inclusion.html</url> | |
<url>http://developer.joomla.org/security-centre/596-20140904-core-denial-of-service.html</url> | |
<url>https://www.joomla.org/announcements/release-news/5567-joomla-3-3-5-released.html</url> | |
<url>https://www.joomla.org/announcements/release-news/5566-joomla-2-5-26-released.html</url> | |
</references> | |
<dates> | |
<discovery>2014-09-30</discovery> | |
<entry>2015-10-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="beb3d5fc-7ac5-11e5-b35a-002590263bf5"> | |
<topic>Joomla! -- Core - Unauthorised Login vulnerability</topic> | |
<affects> | |
<package> | |
<name>joomla3</name> | |
<range><lt>3.2.5</lt></range> | |
<range><ge>3.3.0</ge><lt>3.3.4</lt></range> | |
</package> | |
<package> | |
<name>joomla2</name> | |
<range><lt>2.5.25</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The JSST and the Joomla! Security Center report:</p> | |
<blockquote cite="http://developer.joomla.org/security-centre/594-20140902-core-unauthorised-logins.html"> | |
<h2>[20140902] - Core - Unauthorised Logins</h2> | |
<p>Inadequate checking allowed unauthorised logins via LDAP | |
authentication.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2014-6632</cvename> | |
<url>http://developer.joomla.org/security-centre/594-20140902-core-unauthorised-logins.html</url> | |
<url>https://www.joomla.org/announcements/release-news/5564-joomla-3-3-4-released.html</url> | |
<url>https://www.joomla.org/announcements/release-news/5563-joomla-2-5-25-released.html</url> | |
</references> | |
<dates> | |
<discovery>2014-09-23</discovery> | |
<entry>2015-10-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="adbb32d9-7ac5-11e5-b35a-002590263bf5"> | |
<topic>Joomla! -- Core - XSS Vulnerability</topic> | |
<affects> | |
<package> | |
<name>joomla3</name> | |
<range><ge>3.2.0</ge><lt>3.2.5</lt></range> | |
<range><ge>3.3.0</ge><lt>3.3.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The JSST and the Joomla! Security Center report:</p> | |
<blockquote cite="http://developer.joomla.org/security-centre/593-20140901-core-xss-vulnerability.html"> | |
<h2>[20140901] - Core - XSS Vulnerability</h2> | |
<p>Inadequate escaping leads to XSS vulnerability in com_media.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2014-6631</cvename> | |
<url>http://developer.joomla.org/security-centre/593-20140901-core-xss-vulnerability.html</url> | |
<url>https://www.joomla.org/announcements/release-news/5564-joomla-3-3-4-released.html</url> | |
</references> | |
<dates> | |
<discovery>2014-09-23</discovery> | |
<entry>2015-10-25</entry> | |
</dates> | |
</vuln> | |
<vuln vid="75f39413-7a00-11e5-a2a1-002590263bf5"> | |
<topic>drupal -- open redirect vulnerability</topic> | |
<affects> | |
<package> | |
<name>drupal7</name> | |
<range><lt>7.41</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Drupal development team reports:</p> | |
<blockquote cite="https://www.drupal.org/SA-CORE-2015-004"> | |
<p>The Overlay module in Drupal core displays administrative pages | |
as a layer over the current page (using JavaScript), rather than | |
replacing the page in the browser window. The Overlay module does | |
not sufficiently validate URLs prior to displaying their contents, | |
leading to an open redirect vulnerability.</p> | |
<p>This vulnerability is mitigated by the fact that it can only be | |
used against site users who have the "Access the administrative | |
overlay" permission, and that the Overlay module must be enabled. | |
</p> | |
<p>An incomplete fix for this issue was released as part of | |
SA-CORE-2015-002.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7943</cvename> | |
<url>https://www.drupal.org/SA-CORE-2015-004</url> | |
<url>http://www.openwall.com/lists/oss-security/2015/10/23/6</url> | |
</references> | |
<dates> | |
<discovery>2015-10-21</discovery> | |
<entry>2015-10-24</entry> | |
</dates> | |
</vuln> | |
<vuln vid="08d11134-79c5-11e5-8987-6805ca0b3d42"> | |
<topic>phpMyAdmin -- Content spoofing vulnerability</topic> | |
<affects> | |
<package> | |
<name>phpMyAdmin</name> | |
<range><ge>4.4.0</ge><lt>4.4.15.1</lt></range> | |
<range><ge>4.5.0</ge><lt>4.5.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpMyAdmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2015-5/"> | |
<p>This vulnerability allows an attacker to perform a | |
content spoofing attack using the phpMyAdmin's redirection | |
mechanism to external sites.</p> | |
<p>We consider this vulnerability to be non critical since | |
the spoofed content is escaped and no HTML injection is | |
possible.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2015-5/</url> | |
<cvename>CVE-2015-7873</cvename> | |
</references> | |
<dates> | |
<discovery>2015-10-23</discovery> | |
<entry>2015-10-23</entry> | |
</dates> | |
</vuln> | |
<vuln vid="b973a763-7936-11e5-a2a1-002590263bf5"> | |
<topic>mediawiki -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>mediawiki123</name> | |
<range><lt>1.23.11</lt></range> | |
</package> | |
<package> | |
<name>mediawiki124</name> | |
<range><lt>1.24.4</lt></range> | |
</package> | |
<package> | |
<name>mediawiki125</name> | |
<range><lt>1.25.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>MediaWiki reports:</p> | |
<blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000181.html"> | |
<p>Wikipedia user RobinHood70 reported two issues in the chunked | |
upload API. The API failed to correctly stop adding new chunks to | |
the upload when the reported size was exceeded (T91203), allowing | |
a malicious users to upload add an infinite number of chunks for a | |
single file upload. Additionally, a malicious user could upload | |
chunks of 1 byte for very large files, potentially creating a very | |
large number of files on the server's filesystem (T91205).</p> | |
<p>Internal review discovered that it is not possible to throttle file | |
uploads.</p> | |
<p>Internal review discovered a missing authorization check when | |
removing suppression from a revision. This allowed users with the | |
'viewsuppressed' user right but not the appropriate | |
'suppressrevision' user right to unsuppress revisions.</p> | |
<p>Richard Stanway from teamliquid.net reported that thumbnails of PNG | |
files generated with ImageMagick contained the local file path in | |
the image metadata.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-8001</cvename> | |
<cvename>CVE-2015-8002</cvename> | |
<cvename>CVE-2015-8003</cvename> | |
<cvename>CVE-2015-8004</cvename> | |
<cvename>CVE-2015-8005</cvename> | |
<cvename>CVE-2015-8006</cvename> | |
<cvename>CVE-2015-8007</cvename> | |
<cvename>CVE-2015-8008</cvename> | |
<cvename>CVE-2015-8009</cvename> | |
<url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000181.html</url> | |
<url>https://phabricator.wikimedia.org/T91203</url> | |
<url>https://phabricator.wikimedia.org/T91205</url> | |
<url>https://phabricator.wikimedia.org/T91850</url> | |
<url>https://phabricator.wikimedia.org/T95589</url> | |
<url>https://phabricator.wikimedia.org/T108616</url> | |
<url>http://www.openwall.com/lists/oss-security/2015/10/29/14</url> | |
</references> | |
<dates> | |
<discovery>2015-10-16</discovery> | |
<entry>2015-10-23</entry> | |
<modified>2015-12-24</modified> | |
</dates> | |
</vuln> | |
<vuln vid="c4a18a12-77fc-11e5-a687-206a8a720317"> | |
<topic>ntp -- 13 low- and medium-severity vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>ntp</name> | |
<range><lt>4.2.8p4</lt></range> | |
</package> | |
<package> | |
<name>ntp-devel</name> | |
<range><lt>4.3.76</lt></range> | |
</package> | |
<package> | |
<name>FreeBSD</name> | |
<range><ge>10.2</ge><lt>10.2_7</lt></range> | |
<range><ge>10.1</ge><lt>10.1_24</lt></range> | |
<range><ge>9.3</ge><lt>9.3_30</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ntp.org reports:</p> | |
<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities"> | |
<p>NTF's NTP Project has been notified of the following 13 low- | |
and medium-severity vulnerabilities that are fixed in | |
ntp-4.2.8p4, released on Wednesday, 21 October 2015:</p> | |
<ul> | |
<li>Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric | |
association authentication bypass via crypto-NAK | |
(Cisco ASIG)</li> | |
<li>Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch | |
instead of returning FAIL on some bogus values (IDA)</li> | |
<li>Bug 2921 CVE-2015-7854 Password Length Memory Corruption | |
Vulnerability. (Cisco TALOS)</li> | |
<li>Bug 2920 CVE-2015-7853 Invalid length data provided by a | |
custom refclock driver could cause a buffer overflow. | |
(Cisco TALOS)</li> | |
<li>Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption | |
Vulnerability. (Cisco TALOS)</li> | |
<li>Bug 2918 CVE-2015-7851 saveconfig Directory Traversal | |
Vulnerability. (OpenVMS) (Cisco TALOS)</li> | |
<li>Bug 2917 CVE-2015-7850 remote config logfile-keyfile. | |
(Cisco TALOS)</li> | |
<li>Bug 2916 CVE-2015-7849 trusted key use-after-free. | |
(Cisco TALOS)</li> | |
<li>Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. | |
(Cisco TALOS)</li> | |
<li>Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. | |
(Tenable)</li> | |
<li>Bug 2902 : CVE-2015-7703 configuration directives "pidfile" | |
and "driftfile" should only be allowed locally. (RedHat)</li> | |
<li>Bug 2901 : CVE-2015-7704, CVE-2015-7705 Clients that | |
receive a KoD should validate the origin timestamp field. | |
(Boston University)</li> | |
<li>Bug 2899 : CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 | |
Incomplete autokey data packet length checks. (Tenable)</li> | |
</ul> | |
<p>The only generally-exploitable bug in the above list is the | |
crypto-NAK bug, which has a CVSS2 score of 6.4.</p> | |
<p>Additionally, three bugs that have already been fixed in | |
ntp-4.2.8 but were not fixed in ntp-4.2.6 as it was EOL'd | |
have a security component, but are all below 1.8 CVSS score, | |
so we're reporting them here:</p> | |
<ul> | |
<li>Bug 2382 : Peer precision < -31 gives division by zero</li> | |
<li>Bug 1774 : Segfaults if cryptostats enabled when built | |
without OpenSSL</li> | |
<li>Bug 1593 : ntpd abort in free() with logconfig syntax error</li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<freebsdsa>SA-15:25.ntp</freebsdsa> | |
<cvename>CVE-2015-7691</cvename> | |
<cvename>CVE-2015-7692</cvename> | |
<cvename>CVE-2015-7701</cvename> | |
<cvename>CVE-2015-7702</cvename> | |
<cvename>CVE-2015-7703</cvename> | |
<cvename>CVE-2015-7704</cvename> | |
<cvename>CVE-2015-7705</cvename> | |
<cvename>CVE-2015-7848</cvename> | |
<cvename>CVE-2015-7849</cvename> | |
<cvename>CVE-2015-7850</cvename> | |
<cvename>CVE-2015-7851</cvename> | |
<cvename>CVE-2015-7852</cvename> | |
<cvename>CVE-2015-7853</cvename> | |
<cvename>CVE-2015-7854</cvename> | |
<cvename>CVE-2015-7855</cvename> | |
<cvename>CVE-2015-7871</cvename> | |
<url>http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities</url> | |
</references> | |
<dates> | |
<discovery>2015-10-21</discovery> | |
<entry>2015-10-21</entry> | |
<modified>2016-08-09</modified> | |
</dates> | |
</vuln> | |
<vuln vid="95602550-76cf-11e5-a2a1-002590263bf5"> | |
<topic>codeigniter -- multiple XSS vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>codeigniter</name> | |
<range><lt>2.2.5</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The CodeIgniter changelog reports:</p> | |
<blockquote cite="https://codeigniter.com/userguide2/changelog.html"> | |
<p>Fixed a number of XSS attack vectors in Security Library method | |
xss_clean (thanks to Frans Rosén from Detectify.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<freebsdpr>ports/203403</freebsdpr> | |
<url>https://codeigniter.com/userguide2/changelog.html</url> | |
</references> | |
<dates> | |
<discovery>2015-10-08</discovery> | |
<entry>2015-10-20</entry> | |
</dates> | |
</vuln> | |
<vuln vid="7f645ee5-7681-11e5-8519-005056ac623e"> | |
<topic>Git -- Execute arbitrary code</topic> | |
<affects> | |
<package> | |
<name>git</name> | |
<range><lt>2.6.1</lt></range> | |
</package> | |
<package> | |
<name>git-gui</name> | |
<range><lt>2.6.1</lt></range> | |
</package> | |
<package> | |
<name>git-lite</name> | |
<range><lt>2.6.1</lt></range> | |
</package> | |
<package> | |
<name>git-subversion</name> | |
<range><lt>2.6.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Git release notes:</p> | |
<blockquote cite="https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.1.txt"> | |
<p>Some protocols (like git-remote-ext) can execute arbitrary code | |
found in the URL. The URLs that submodules use may come from | |
arbitrary sources (e.g., .gitmodules files in a remote | |
repository), and can hurt those who blindly enable recursive | |
fetch. Restrict the allowed protocols to well known and safe | |
ones.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7545</cvename> | |
<url>https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.1.txt</url> | |
<url>http://www.openwall.com/lists/oss-security/2015/12/11/7</url> | |
</references> | |
<dates> | |
<discovery>2015-09-23</discovery> | |
<entry>2015-10-19</entry> | |
<modified>2015-12-12</modified> | |
</dates> | |
</vuln> | |
<vuln vid="3934cc60-f0fa-4eca-be09-c8bd7ae42871"> | |
<topic>Salt -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>py27-salt</name> | |
<range><lt>2015.8.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Salt release notes:</p> | |
<blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html"> | |
<p>CVE-2015-6918 - Git modules leaking HTTPS auth credentials to debug log</p> | |
<p>Updated the Git state and execution modules to no longer display HTTPS basic | |
authentication credentials in loglevel debug output on the Salt master. These | |
credentials are now replaced with REDACTED in the debug output. Thanks to | |
Andreas Stieger for bringing this to our attention.</p> | |
<p>CVE-2015-6941 - win_useradd module and salt-cloud display passwords in debug | |
log</p> | |
<p>Updated the win_useradd module return data to no longer include the password | |
of the newly created user. The password is now replaced with the string | |
XXX-REDACTED-XXX. Updated the Salt Cloud debug output to no longer display | |
win_password and sudo_password authentication credentials. Also updated the | |
Linode driver to no longer display authentication credentials in debug logs. | |
These credentials are now replaced with REDACTED in the debug output.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html</url> | |
<cvename>CVE-2015-6918</cvename> | |
<cvename>CVE-2015-6941</cvename> | |
</references> | |
<dates> | |
<discovery>2015-10-16</discovery> | |
<entry>2015-10-17</entry> | |
</dates> | |
</vuln> | |
<vuln vid="79c68ef7-c8ae-4ade-91b4-4b8221b7c72a"> | |
<topic>firefox -- Cross-origin restriction bypass using Fetch</topic> | |
<affects> | |
<package> | |
<name>firefox</name> | |
<range><lt>41.0.2,1</lt></range> | |
</package> | |
<package> | |
<name>linux-firefox</name> | |
<range><lt>41.0.2,1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Firefox Developers report:</p> | |
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/"> | |
<p>Security researcher Abdulrahman Alqabandi reported that the fetch() | |
API did not correctly implement the Cross-Origin Resource Sharing | |
(CORS) specification, allowing a malicious page to access private | |
data from other origins. Mozilla developer Ben Kelly independently reported the | |
same issue. | |
</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/</url> | |
<cvename>CVE-2015-7184</cvename> | |
</references> | |
<dates> | |
<discovery>2015-10-15</discovery> | |
<entry>2015-10-16</entry> | |
</dates> | |
</vuln> | |
<vuln vid="84147b46-e876-486d-b746-339ee45a8bb9"> | |
<topic>flash -- remote code execution</topic> | |
<affects> | |
<package> | |
<name>linux-c6-flashplugin</name> | |
<name>linux-f10-flashplugin</name> | |
<name>linux-c6_64-flashplugin</name> | |
<range><lt>11.2r202.540</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Adobe reports:</p> | |
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-27.html"> | |
<p>These updates resolve type confusion vulnerabilities that | |
could lead to code execution (CVE-2015-7645, CVE-2015-7647, | |
CVE-2015-7648).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-7645</cvename> | |
<cvename>CVE-2015-7647</cvename> | |
<cvename>CVE-2015-7648</cvename> | |
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-27.html</url> | |
</references> | |
<dates> | |
<discovery>2015-10-16</discovery> | |
<entry>2015-10-16</entry> | |
</dates> | |
</vuln> | |
<vuln vid="e75a96df-73ca-11e5-9b45-b499baebfeaf"> | |
<topic>LibreSSL -- Memory leak and buffer overflow</topic> | |
<affects> | |
<package> | |
<name>libressl</name> | |
<range><lt>2.2.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Qualys reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/10/16/1"> | |
<p>During the code review of OpenSMTPD a memory leak and buffer overflow | |
(an off-by-one, usually stack-based) were discovered in LibreSSL's | |
OBJ_obj2txt() function. This function is called automatically during | |
a TLS handshake (both client-side, unless an anonymous mode is used, | |
and server-side, if client authentication is requested).</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://marc.info/?l=openbsd-announce&m=144495690528446</url> | |
<cvename>CVE-2015-5333</cvename> | |
<cvename>CVE-2015-5334</cvename> | |
</references> | |
<dates> | |
<discovery>2015-10-15</discovery> | |
<entry>2015-10-16</entry> | |
<modified>2015-10-26</modified> | |
</dates> | |
</vuln> | |
<vuln vid="07a1a76c-734b-11e5-ae81-14dae9d210b8"> | |
<topic>mbedTLS/PolarSSL -- DoS and possible remote code execution</topic> | |
<affects> | |
<package> | |
<name>polarssl</name> | |
<range><ge>1.2.0</ge><lt>1.2.17</lt></range> | |
</package> | |
<package> | |
<name>polarssl13</name> | |
<range><ge>1.3.0</ge><lt>1.3.14</lt></range> | |
</package> | |
<package> | |
<name>mbedtls</name> | |
<range><lt>2.1.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ARM Limited reports:</p> | |
<blockquote cite="https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"> | |
<p>When the client creates its ClientHello message, due to | |
insufficient bounds checking it can overflow the heap-based buffer | |
containing the message while writing some extensions. Two extensions in | |
particular could be used by a remote attacker to trigger the overflow: | |
the session ticket extension and the server name indication (SNI) | |
extension.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01</url> | |
<cvename>CVE-2015-5291</cvename> | |
</references> | |
<dates> | |
<discovery>2015-10-05</discovery> | |
<entry>2015-10-15</entry> | |
</dates> | |
</vuln> | |
<vuln vid="ea1d2530-72ce-11e5-a2a1-002590263bf5"> | |
<topic>magento -- multiple vulnerabilities</topic>
<affects>
<package>
<name>magento</name>
<range><lt>1.9.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Magento, Inc. reports:</p>
<blockquote cite="https://www.magentocommerce.com/download">
<p>SUPEE-6482 - This patch addresses two issues related to APIs and
two cross-site scripting risks.</p>
<p>SUPEE-6285 - This patch provides protection against several types
of security-related issues, including information leaks, request
forgeries, and cross-site scripting.</p>
<p>SUPEE-5994 - This patch addresses multiple security
vulnerabilities in Magento Community Edition software, including
issues that can put customer information at risk.</p>
<p>SUPEE-5344 - Addresses a potential remote code execution
exploit.</p>
<p>SUPEE-1533 - Addresses two potential remote code execution
exploits.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/201709</freebsdpr>
<url>https://www.magentocommerce.com/download</url>
<url>http://merch.docs.magento.com/ce/user_guide/Magento_Community_Edition_User_Guide.html#magento/release-notes-ce-1.9.2.html</url>
<url>http://merch.docs.magento.com/ce/user_guide/Magento_Community_Edition_User_Guide.html#magento/release-notes-ce-1.9.2.1.html</url>
</references>
<dates>
<discovery>2014-10-03</discovery>
<entry>2015-10-14</entry>
</dates>
</vuln>
<vuln vid="705b759c-7293-11e5-a371-14dae9d210b8">
<topic>pear-twig -- remote code execution</topic>
<affects>
<package>
<name>pear-twig-twig</name>
<range><lt>1.20.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Fabien Potencier reports:</p>
<blockquote cite="http://symfony.com/blog/security-release-twig-1-20-0">
<p>End users can craft valid Twig code that allows them to
execute arbitrary code (RCEs) via the _self variable, which is always
available, even in sandboxed templates.</p>
</blockquote>
</body>
</description>
<references>
<url>http://symfony.com/blog/security-release-twig-1-20-0</url>
<cvename>CVE-2015-7809</cvename>
</references>
<dates>
<discovery>2015-08-12</discovery>
<entry>2015-10-14</entry>
</dates>
</vuln>
<vuln vid="06fefd2f-728f-11e5-a371-14dae9d210b8">
<topic>miniupnpc -- buffer overflow</topic>
<affects>
<package>
<name>miniupnpc</name>
<range><ge>1.9.1</ge><lt>1.9.20150917</lt></range>
<range><lt>1.9_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Talos reports:</p>
<blockquote cite="http://talosintel.com/reports/TALOS-2015-0035/">
<p>An exploitable buffer overflow vulnerability exists in the
XML parser functionality of the MiniUPnP library. A specially crafted
XML response can lead to a buffer overflow on the stack resulting in
remote code execution. An attacker can set up a server on the local
network to trigger this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6031</cvename>
<url>http://talosintel.com/reports/TALOS-2015-0035/</url>
<url>https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78</url>
</references>
<dates>
<discovery>2015-09-15</discovery>
<entry>2015-10-14</entry>
<modified>2015-10-14</modified>
</dates>
</vuln>
<vuln vid="a63f2c06-726b-11e5-a12b-bcaec565249c">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-f10-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<range><lt>11.2r202.535</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-25.html">
<p>These updates resolve a vulnerability that could be exploited
to bypass the same-origin-policy and lead to information
disclosure (CVE-2015-7628).</p>
<p>These updates include a defense-in-depth feature in the Flash
broker API (CVE-2015-5569).</p>
<p>These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2015-7629, CVE-2015-7631,
CVE-2015-7643, CVE-2015-7644).</p>
<p>These updates resolve a buffer overflow vulnerability that
could lead to code execution (CVE-2015-7632).</p>
<p>These updates resolve memory corruption vulnerabilities that
could lead to code execution (CVE-2015-7625, CVE-2015-7626,
CVE-2015-7627, CVE-2015-7630, CVE-2015-7633, CVE-2015-7634).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5569</cvename>
<cvename>CVE-2015-7625</cvename>
<cvename>CVE-2015-7626</cvename>
<cvename>CVE-2015-7627</cvename>
<cvename>CVE-2015-7628</cvename>
<cvename>CVE-2015-7629</cvename>
<cvename>CVE-2015-7630</cvename>
<cvename>CVE-2015-7631</cvename>
<cvename>CVE-2015-7632</cvename>
<cvename>CVE-2015-7633</cvename>
<cvename>CVE-2015-7634</cvename>
<cvename>CVE-2015-7643</cvename>
<cvename>CVE-2015-7644</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-25.html</url>
</references>
<dates>
<discovery>2015-10-13</discovery>
<entry>2015-10-14</entry>
</dates>
</vuln>
<vuln vid="8301c04d-71df-11e5-9fcb-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<!--pcbsd-->
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>46.0.2490.71</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/10/stable-channel-update.html">
<p>24 security fixes in this release, including:</p>
<ul>
<li>[519558] High CVE-2015-6755: Cross-origin bypass in Blink.
Credit to Mariusz Mlynski.</li>
<li>[507316] High CVE-2015-6756: Use-after-free in PDFium. Credit
to anonymous.</li>
<li>[529520] High CVE-2015-6757: Use-after-free in ServiceWorker.
Credit to Collin Payne.</li>
<li>[522131] High CVE-2015-6758: Bad-cast in PDFium. Credit to Atte
Kettunen of OUSPG.</li>
<li>[514076] Medium CVE-2015-6759: Information leakage in
LocalStorage. Credit to Muneaki Nishimura (nishimunea).</li>
<li>[519642] Medium CVE-2015-6760: Improper error handling in
libANGLE. Credit to lastland.net.</li>
<li>[447860,532967] Medium CVE-2015-6761: Memory corruption in
FFMpeg. Credit to Aki Helin of OUSPG and anonymous.</li>
<li>[512678] Low CVE-2015-6762: CORS bypass via CSS fonts. Credit
to Muneaki Nishimura (nishimunea).</li>
<li>[542517] CVE-2015-6763: Various fixes from internal audits,
fuzzing and other initiatives.</li>
<li>Multiple vulnerabilities in V8 fixed at the tip of the 4.6
branch (currently 4.6.85.23).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6755</cvename>
<cvename>CVE-2015-6756</cvename>
<cvename>CVE-2015-6757</cvename>
<cvename>CVE-2015-6758</cvename>
<cvename>CVE-2015-6759</cvename>
<cvename>CVE-2015-6760</cvename>
<cvename>CVE-2015-6761</cvename>
<cvename>CVE-2015-6762</cvename>
<cvename>CVE-2015-6763</cvename>
<url>http://googlechromereleases.blogspot.nl/2015/10/stable-channel-update.html</url>
</references>
<dates>
<discovery>2015-10-13</discovery>
<entry>2015-10-13</entry>
</dates>
</vuln>
<vuln vid="00dadbf0-6f61-11e5-a2a1-002590263bf5">
<topic>p5-UI-Dialog -- shell command execution vulnerability</topic>
<affects>
<package>
<name>p5-UI-Dialog</name>
<range><lt>1.09_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthijs Kooijman reports:</p>
<blockquote cite="https://rt.cpan.org/Public/Bug/Display.html?id=107364">
<p>It seems that the whiptail, cdialog and kdialog backends apply
some improper escaping in their shell commands, causing special
characters present in menu item titles to be interpreted by the
shell. This includes the backtick evaluation operator, so this
constitutes a security issue, allowing execution of arbitrary
commands if an attacker has control over the text displayed in
a menu.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-7315</cvename>
<freebsdpr>ports/203667</freebsdpr>
<url>https://rt.cpan.org/Public/Bug/Display.html?id=107364</url>
<url>https://bugs.debian.org/496448</url>
<url>https://github.com/kckrinke/UI-Dialog/commit/6adc44cc636c615d76297d86835e1a997681eb61</url>
</references>
<dates>
<discovery>2008-08-24</discovery>
<entry>2015-10-10</entry>
</dates>
</vuln>
<vuln vid="290351c9-6f5c-11e5-a2a1-002590263bf5">
<topic>devel/ipython -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ipython</name>
<range><lt>3.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Bussonnier reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/02/3">
<p>Summary: Local folder name was used in HTML templates without
escaping, allowing XSS in said pages by carefully crafting folder
name and URL to access it.</p>
<p>URI with issues:</p>
<ul>
<li>GET /tree/**</li>
</ul>
</blockquote>
<p>Benjamin RK reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/16/3">
<p>Vulnerability: A maliciously forged file opened for editing can
execute javascript, specifically by being redirected to /files/ due
to a failure to treat the file as plain text.</p>
<p>URI with issues:</p>
<ul>
<li>GET /edit/**</li>
</ul>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203668</freebsdpr>
<cvename>CVE-2015-6938</cvename>
<cvename>CVE-2015-7337</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/09/02/3</url>
<url>https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892</url>
<url>http://www.openwall.com/lists/oss-security/2015/09/16/3</url>
<url>https://github.com/ipython/ipython/commit/0a8096adf165e2465550bd5893d7e352544e5967</url>
</references>
<dates>
<discovery>2015-09-01</discovery>
<entry>2015-10-10</entry>
</dates>
</vuln>
<vuln vid="a0182578-6e00-11e5-a90c-0026551a22dc">
<topic>PostgreSQL -- minor security problems</topic>
<affects>
<package>
<name>postgresql90-server</name>
<range><ge>9.0.0</ge><lt>9.0.22</lt></range>
</package>
<package>
<name>postgresql91-server</name>
<range><ge>9.1.0</ge><lt>9.1.18</lt></range>
</package>
<package>
<name>postgresql92-server</name>
<range><ge>9.2.0</ge><lt>9.2.13</lt></range>
</package>
<package>
<name>postgresql93-server</name>
<range><ge>9.3.0</ge><lt>9.3.9</lt></range>
</package>
<package>
<name>postgresql94-server</name>
<range><ge>9.4.0</ge><lt>9.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PostgreSQL project reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1615/">
<p>
Two security issues have been fixed in this release which affect
users of specific PostgreSQL features.
</p>
<ul>
<li>CVE-2015-5289: json or jsonb input values constructed from
arbitrary user input can crash the PostgreSQL server and cause a denial of
service.
</li>
<li>CVE-2015-5288: The crypt() function included with the optional pgCrypto
extension could be exploited to read a few additional bytes of memory.
No working exploit for this issue has been developed.
</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5289</cvename>
<cvename>CVE-2015-5288</cvename>
</references>
<dates>
<discovery>2015-10-08</discovery>
<entry>2015-10-08</entry>
</dates>
</vuln>
<vuln vid="d3324fdb-6bf0-11e5-bc5e-00505699053e">
<topic>ZendFramework1 -- SQL injection vulnerability</topic>
<affects>
<package>
<name>ZendFramework1</name>
<range><lt>1.12.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Zend Framework developers report:</p>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2015-08">
<p>The PDO adapters of Zend Framework 1 do not filter null byte values
in SQL statements. A PDO adapter can treat null bytes in a query as a
string terminator, allowing an attacker to add arbitrary SQL
following a null byte, and thus create a SQL injection.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7695</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/09/30/6</url>
<url>http://framework.zend.com/security/advisory/ZF2015-08</url>
</references>
<dates>
<discovery>2015-09-15</discovery>
<entry>2015-10-06</entry>
<modified>2015-10-12</modified>
</dates>
</vuln>
<vuln vid="42852f72-6bd3-11e5-9909-002590263bf5">
<topic>OpenSMTPD -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opensmtpd</name>
<range><lt>5.7.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSMTPD developers report:</p>
<blockquote cite="https://www.opensmtpd.org/announces/release-5.7.3.txt">
<p>fix an mda buffer truncation bug which allows a user to create
forward files that pass session checks but fail delivery later down
the chain, within the user mda</p>
<p>fix remote buffer overflow in unprivileged pony process</p>
<p>reworked offline enqueue to better protect against hardlink
attacks</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2015/10/04/2</url>
<url>https://www.opensmtpd.org/announces/release-5.7.3.txt</url>
</references>
<dates>
<discovery>2015-10-04</discovery>
<entry>2015-10-06</entry>
</dates>
</vuln>
<vuln vid="5d280761-6bcf-11e5-9909-002590263bf5">
<topic>mbedTLS/PolarSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>polarssl</name>
<range><ge>1.2.0</ge><lt>1.2.16</lt></range>
</package>
<package>
<name>polarssl13</name>
<range><ge>1.3.0</ge><lt>1.3.13</lt></range>
</package>
<package>
<name>mbedtls</name>
<range><lt>2.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ARM Limited reports:</p>
<blockquote cite="https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released">
<p>Florian Weimer from Red Hat published on Lenstra's RSA-CRT attack
for PKCS#1 v1.5 signatures. These releases include countermeasures
against that attack.</p>
<p>Fabian Foerg of Gotham Digital Science found a possible client-side
NULL pointer dereference, using the AFL Fuzzer. This dereference can
only occur when misusing the API, although a fix has still been
implemented.</p>
</blockquote>
</body>
</description>
<references>
<url>https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released</url>
</references>
<dates>
<discovery>2015-09-18</discovery>
<entry>2015-10-06</entry>
</dates>
</vuln>
<vuln vid="953aaa57-6bce-11e5-9909-002590263bf5">
<topic>mbedTLS/PolarSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>polarssl</name>
<range><ge>1.2.0</ge><lt>1.2.15</lt></range>
</package>
<package>
<name>polarssl13</name>
<range><ge>1.3.0</ge><lt>1.3.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ARM Limited reports:</p>
<blockquote cite="https://tls.mbed.org/tech-updates/releases/polarssl-1.2.15-and-mbedtls-1.3.12-released">
<p>In order to strengthen the minimum requirements for connections and
to protect against the Logjam attack, the minimum size of
Diffie-Hellman parameters accepted by the client has been increased
to 1024 bits.</p>
<p>In addition, the default size for the Diffie-Hellman parameters on
the server is increased to 2048 bits. This can be changed with
ssl_set_dh_params() in case this is necessary.</p>
</blockquote>
</body>
</description>
<references>
<url>https://tls.mbed.org/tech-updates/releases/polarssl-1.2.15-and-mbedtls-1.3.12-released</url>
</references>
<dates>
<discovery>2015-08-11</discovery>
<entry>2015-10-06</entry>
</dates>
</vuln>
<vuln vid="9272a5b0-6b40-11e5-bd7f-bcaec565249c">
<topic>gdk-pixbuf2 -- heap overflow and DoS</topic>
<affects>
<package>
<name>gdk-pixbuf2</name>
<range><lt>2.32.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/10/02/9">
<p>We found a heap overflow and a DoS in the gdk-pixbuf
implementation triggered by the scaling of tga file.</p>
</blockquote>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/10/02/10">
<p>We found a heap overflow in the gdk-pixbuf implementation
triggered by the scaling of gif file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7673</cvename>
<cvename>CVE-2015-7674</cvename>
<url>https://mail.gnome.org/archives/ftp-release-list/2015-September/msg00201.html</url>
<url>https://mail.gnome.org/archives/ftp-release-list/2015-September/msg00287.html</url>
<url>http://www.openwall.com/lists/oss-security/2015/10/02/9</url>
<url>http://www.openwall.com/lists/oss-security/2015/10/02/10</url>
</references>
<dates>
<discovery>2015-10-02</discovery>
<entry>2015-10-05</entry>
</dates>
</vuln>
<vuln vid="6b3374d4-6b0b-11e5-9909-002590263bf5">
<topic>plone -- multiple vulnerabilities</topic>
<affects>
<package>
<name>plone</name>
<range><lt>4.3.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Plone.org reports:</p>
<blockquote cite="https://plone.org/products/plone/security/advisories/20150910-announcement">
<p>Versions Affected: All current Plone versions.</p>
<p>Versions Not Affected: None.</p>
<p>Nature of vulnerability: Allows creation of members by anonymous
users on sites that have self-registration enabled, allowing bypass
of CAPTCHA and similar protections against scripted attacks.</p>
<p>The patch can be added to buildouts as Products.PloneHotfix20150910
(available from PyPI) or downloaded from Plone.org.</p>
<p>Immediate Measures You Should Take: Disable self-registration until
you have applied the patch.</p>
</blockquote>
<blockquote cite="https://plone.org/security/20150910/non-persistent-xss-in-plone">
<p>Plone's URL checking infrastructure includes a method for checking
if URLs are valid and located in the Plone site. By passing HTML into
this specially crafted url, XSS can be achieved.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203255</freebsdpr>
<url>https://plone.org/products/plone-hotfix/releases/20150910</url>
<url>https://plone.org/products/plone/security/advisories/20150910-announcement</url>
<url>https://plone.org/security/20150910/non-persistent-xss-in-plone</url>
<url>https://github.com/plone/Products.CMFPlone/commit/3da710a2cd68587f0bf34f2e7ea1167d6eeee087</url>
</references>
<dates>
<discovery>2015-09-10</discovery>
<entry>2015-10-05</entry>
</dates>
</vuln>
<vuln vid="c1da8b75-6aef-11e5-9909-002590263bf5">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5-phar</name>
<range><le>5.4.45</le></range>
</package>
<package>
<name>php55-phar</name>
<range><lt>5.5.30</lt></range>
</package>
<package>
<name>php56-phar</name>
<range><lt>5.6.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP reports:</p>
<blockquote cite="http://php.net/ChangeLog-5.php#5.5.30">
<p>Phar:</p>
<ul>
<li>Fixed bug #69720 (Null pointer dereference in
phar_get_fp_offset()).</li>
<li>Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream
when zip entry filename is "/").</li>
</ul>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203541</freebsdpr>
<cvename>CVE-2015-7803</cvename>
<cvename>CVE-2015-7804</cvename>
<url>http://php.net/ChangeLog-5.php#5.5.30</url>
<url>http://php.net/ChangeLog-5.php#5.6.14</url>
</references>
<dates>
<discovery>2015-10-01</discovery>
<entry>2015-10-04</entry>
<modified>2015-10-12</modified>
</dates>
</vuln>
<vuln vid="ee7bdf7f-11bb-4eea-b054-c692ab848c20">
<topic>OpenSMTPD -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opensmtpd</name>
<range><lt>5.7.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSMTPD developers report:</p>
<blockquote cite="https://www.opensmtpd.org/announces/release-5.7.2.txt">
<p>an oversight in the portable version of fgetln() that allows
attackers to read and write out-of-bounds memory</p>
<p>multiple denial-of-service vulnerabilities that allow local users
to kill or hang OpenSMTPD</p>
<p>a stack-based buffer overflow that allows local users to crash
OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd
user</p>
<p>a hardlink attack (or race-conditioned symlink attack) that allows
local users to unset the chflags() of arbitrary files</p>
<p>a hardlink attack that allows local users to read the first line of
arbitrary files (for example, root's hash from /etc/master.passwd)
</p>
<p>a denial-of-service vulnerability that allows remote attackers to
fill OpenSMTPD's queue or mailbox hard-disk partition</p>
<p>an out-of-bounds memory read that allows remote attackers to crash
OpenSMTPD, or leak information and defeat the ASLR protection</p>
<p>a use-after-free vulnerability that allows remote attackers to
crash OpenSMTPD, or execute arbitrary code as the non-chrooted
_smtpd user</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.opensmtpd.org/announces/release-5.7.2.txt</url>
<cvename>CVE-2015-7687</cvename>
</references>
<dates>
<discovery>2015-10-02</discovery>
<entry>2015-10-04</entry>
<modified>2015-10-06</modified>
</dates>
</vuln>
<vuln vid="be3069c9-67e7-11e5-9909-002590263bf5">
<topic>james -- multiple vulnerabilities</topic>
<affects>
<package>
<name>james</name>
<range><lt>2.3.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache James Project reports:</p>
<blockquote cite="http://james.apache.org/download.cgi#Apache_James_Server">
<p>This release has many enhancements and bug fixes over the previous
release. See the Release Notes for a detailed list of changes. Some
of the earlier defects could turn a James mail server into an Open
Relay and allow files to be written on disk. All users of James
Server are urged to upgrade to version v2.3.2.1 as soon as
possible.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203461</freebsdpr>
<certvu>988628</certvu>
<cvename>CVE-2015-7611</cvename>
<url>http://james.apache.org/download.cgi#Apache_James_Server</url>
<url>https://blogs.apache.org/james/entry/apache_james_server_2_3</url>
</references>
<dates>
<discovery>2015-09-30</discovery>
<entry>2015-10-01</entry>
<modified>2015-10-04</modified>
</dates>
</vuln>
<vuln vid="1e7f0c11-673a-11e5-98c8-60a44c524f57">
<topic>otrs -- Scheduler Process ID File Access</topic>
<affects>
<package>
<name>otrs</name>
<range><gt>3.2.*</gt><lt>3.2.18</lt></range>
<range><gt>3.3.*</gt><lt>3.3.15</lt></range>
<range><gt>4.0.*</gt><lt>4.0.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OTRS project reports:</p>
<blockquote cite="https://www.otrs.com/security-advisory-2015-02-scheduler-process-id-file-access/">
<p>An attacker with valid LOCAL credentials could access and
manipulate the process ID file for bin/otrs.Scheduler.pl from the
CLI.</p>
<p>The Proc::Daemon module 0.14 for Perl uses world-writable
permissions for a file that stores a process ID, which allows local
users to have an unspecified impact by modifying this file.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.otrs.com/security-advisory-2015-02-scheduler-process-id-file-access/</url>
<cvename>CVE-2015-6842</cvename>
<cvename>CVE-2013-7135</cvename>
</references>
<dates>
<discovery>2015-09-17</discovery>
<entry>2015-09-30</entry>
</dates>
</vuln>
<vuln vid="4e3e8a50-65c1-11e5-948e-bcaec565249c">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-f10-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<range><lt>11.2r202.521</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-23.html">
<p>These updates resolve a type confusion vulnerability that could
lead to code execution (CVE-2015-5573).</p>
<p>These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2015-5570, CVE-2015-5574, CVE-2015-5581, CVE-2015-5584, CVE-2015-6682).</p>
<p>These updates resolve buffer overflow vulnerabilities that could
lead to code execution (CVE-2015-6676, CVE-2015-6678).</p>
<p>These updates resolve memory corruption vulnerabilities that
could lead to code execution (CVE-2015-5575, CVE-2015-5577,
CVE-2015-5578, CVE-2015-5580, CVE-2015-5582, CVE-2015-5588,
CVE-2015-6677).</p>
<p>These updates include additional validation checks to ensure
that Flash Player rejects malicious content from vulnerable
JSONP callback APIs (CVE-2015-5571).</p>
<p>These updates resolve a memory leak vulnerability
(CVE-2015-5576).</p>
<p>These updates include further hardening to a mitigation to
defend against vector length corruptions (CVE-2015-5568).</p>
<p>These updates resolve stack corruption vulnerabilities that
could lead to code execution (CVE-2015-5567, CVE-2015-5579).</p>
<p>These updates resolve a stack overflow vulnerability that could
lead to code execution (CVE-2015-5587).</p>
<p>These updates resolve a security bypass vulnerability that could
lead to information disclosure (CVE-2015-5572).</p>
<p>These updates resolve a vulnerability that could be exploited to
bypass the same-origin-policy and lead to information disclosure
(CVE-2015-6679).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5567</cvename>
<cvename>CVE-2015-5568</cvename>
<cvename>CVE-2015-5570</cvename>
<cvename>CVE-2015-5571</cvename>
<cvename>CVE-2015-5572</cvename>
<cvename>CVE-2015-5573</cvename>
<cvename>CVE-2015-5574</cvename>
<cvename>CVE-2015-5575</cvename>
<cvename>CVE-2015-5576</cvename>
<cvename>CVE-2015-5577</cvename>
<cvename>CVE-2015-5578</cvename>
<cvename>CVE-2015-5588</cvename>
<cvename>CVE-2015-6676</cvename>
<cvename>CVE-2015-6677</cvename>
<cvename>CVE-2015-6678</cvename>
<cvename>CVE-2015-6679</cvename>
<cvename>CVE-2015-6682</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-23.html</url>
</references>
<dates>
<discovery>2015-09-21</discovery>
<entry>2015-09-28</entry>
</dates>
</vuln>
<vuln vid="5114cd11-6571-11e5-9909-002590263bf5">
<topic>codeigniter -- SQL injection vulnerability</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>2.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://codeigniter.com/userguide2/changelog.html">
<p>Security: Fixed an SQL injection vulnerability in Active Record
method offset().</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203401</freebsdpr>
<url>https://codeigniter.com/userguide2/changelog.html</url>
</references>
<dates>
<discovery>2015-08-20</discovery>
<entry>2015-09-28</entry>
</dates>
</vuln>
<vuln vid="01bce4c6-6571-11e5-9909-002590263bf5">
<topic>codeigniter -- mysql database driver vulnerability</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>2.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://codeigniter.com/userguide2/changelog.html">
<p>Security: Removed a fallback to mysql_escape_string() in the mysql
database driver (escape_str() method) when there's no active database
connection.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203401</freebsdpr>
<url>https://codeigniter.com/userguide2/changelog.html</url>
</references>
<dates>
<discovery>2015-07-15</discovery>
<entry>2015-09-28</entry>
</dates>
</vuln>
<vuln vid="c21f4e61-6570-11e5-9909-002590263bf5">
<topic>codeigniter -- multiple vulnerabilities</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>2.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://codeigniter.com/userguide2/changelog.html">
<p>Security: Added HTTP "Host" header character validation to prevent
cache poisoning attacks when base_url auto-detection is used.</p>
<p>Security: Added FSCommand and seekSegmentTime to the "evil
attributes" list in CI_Security::xss_clean().</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203401</freebsdpr>
<url>https://codeigniter.com/userguide2/changelog.html</url>
</references>
<dates>
<discovery>2015-04-15</discovery>
<entry>2015-09-28</entry>
</dates>
</vuln>
<vuln vid="f838dcb4-656f-11e5-9909-002590263bf5">
<topic>codeigniter -- multiple vulnerabilities</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>2.2.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://codeigniter.com/userguide2/changelog.html">
<p>Security: The xor_encode() method in the Encrypt Class has been
removed. The Encrypt Class now requires the Mcrypt extension to be
installed.</p>
<p>Security: The Session Library now uses HMAC authentication instead
of a simple MD5 checksum.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203401</freebsdpr>
<url>https://codeigniter.com/userguide2/changelog.html</url>
</references>
<dates>
<discovery>2014-06-05</discovery>
<entry>2015-09-28</entry>
</dates>
</vuln>
<vuln vid="b7d785ea-656d-11e5-9909-002590263bf5">
<topic>codeigniter -- SQL injection vulnerability</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>2.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://codeigniter.com/userguide2/changelog.html">
<p>An improvement was made to the MySQL and MySQLi drivers to prevent
exposing a potential vector for SQL injection on sites using
multi-byte character sets in the database client connection.</p>
<p>An incompatibility in PHP versions &lt; 5.2.3 and MySQL &gt; 5.0.7
with mysql_set_charset() creates a situation where using multi-byte
character sets on these environments may potentially expose a SQL
injection attack vector. Latin-1, UTF-8, and other "low ASCII"
character sets are unaffected on all environments.</p>
<p>If you are running or considering running a multi-byte character
set for your database connection, please pay close attention to the
server environment you are deploying on to ensure you are not
vulnerable.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/156486</freebsdpr>
<url>https://codeigniter.com/userguide2/changelog.html</url>
</references>
<dates>
<discovery>2011-08-20</discovery>
<entry>2015-09-28</entry>
</dates>
</vuln>
<vuln vid="0e425bb7-64f2-11e5-b2fd-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>45.0.2454.101</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-npapi</name>
<range><lt>45.0.2454.101</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-pulse</name>
<range><lt>45.0.2454.101</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/09/stable-channel-update_24.html">
<p>Two vulnerabilities were fixed in this release:</p>
<ul>
<li>[530301] High CVE-2015-1303: Cross-origin bypass in DOM. Credit
to Mariusz Mlynski.</li>
<li>[531891] High CVE-2015-1304: Cross-origin bypass in V8. Credit
to Mariusz Mlynski.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1303</cvename>
<cvename>CVE-2015-1304</cvename>
<url>http://googlechromereleases.blogspot.nl/2015/09/stable-channel-update_24.html</url>
</references>
<dates>
<discovery>2015-09-24</discovery>
<entry>2015-09-27</entry>
</dates>
</vuln>
<vuln vid="9770d6ac-614d-11e5-b379-14dae9d210b8">
<topic>libssh2 -- denial of service vulnerability</topic>
<affects>
<package>
<name>libssh2</name>
<range><lt>1.5.0,2</lt></range>
</package>
</affects>
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mariusz Ziulek reports:</p> | |
<blockquote cite="http://www.libssh2.org/adv_20150311.html"> | |
<p>A malicious attacker could man in the middle a real server | |
and cause libssh2 using clients to crash (denial of service) or | |
otherwise read and use completely unintended memory areas in this | |
process.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.libssh2.org/adv_20150311.html</url> | |
<url>https://trac.libssh2.org/ticket/294</url> | |
<cvename>CVE-2015-1782</cvename> | |
</references> | |
<dates> | |
<discovery>2015-01-25</discovery> | |
<entry>2015-09-22</entry> | |
<modified>2015-09-22</modified> | |
</dates> | |
</vuln> | |
<vuln vid="2d56c7f4-b354-428f-8f48-38150c607a05"> | |
<topic>mozilla -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>firefox</name> | |
<range><lt>41.0,1</lt></range> | |
</package> | |
<package> | |
<name>linux-firefox</name> | |
<range><lt>41.0,1</lt></range> | |
</package> | |
<package> | |
<name>seamonkey</name> | |
<range><lt>2.38</lt></range> | |
</package> | |
<package> | |
<name>linux-seamonkey</name> | |
<range><lt>2.38</lt></range> | |
</package> | |
<package> | |
<name>firefox-esr</name> | |
<range><lt>38.3.0,1</lt></range> | |
</package> | |
<package> | |
<name>libxul</name> | |
<range><lt>38.3.0</lt></range> | |
</package> | |
<package> | |
<name>thunderbird</name> | |
<range><lt>38.3.0</lt></range> | |
</package> | |
<package> | |
<name>linux-thunderbird</name> | |
<range><lt>38.3.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Mozilla Project reports:</p> | |
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/"> | |
<p>MFSA 2015-96 Miscellaneous memory safety hazards (rv:41.0 | |
/ rv:38.3)</p> | |
<p>MFSA 2015-97 Memory leak in mozTCPSocket to servers</p> | |
<p>MFSA 2015-98 Out of bounds read in QCMS library with ICC | |
V4 profile attributes</p> | |
<p>MFSA 2015-99 Site attribute spoofing on Android by | |
pasting URL with unknown scheme</p> | |
<p>MFSA 2015-100 Arbitrary file manipulation by local user | |
through Mozilla updater</p> | |
<p>MFSA 2015-101 Buffer overflow in libvpx while parsing vp9 | |
format video</p> | |
<p>MFSA 2015-102 Crash when using debugger with SavedStacks | |
in JavaScript</p> | |
<p>MFSA 2015-103 URL spoofing in reader mode</p> | |
<p>MFSA 2015-104 Use-after-free with shared workers and | |
IndexedDB</p> | |
<p>MFSA 2015-105 Buffer overflow while decoding WebM | |
video</p> | |
<p>MFSA 2015-106 Use-after-free while manipulating HTML | |
media content</p> | |
<p>MFSA 2015-107 Out-of-bounds read during 2D canvas display | |
on Linux 16-bit color depth systems</p> | |
<p>MFSA 2015-108 Scripted proxies can access inner | |
window</p> | |
<p>MFSA 2015-109 JavaScript immutable property enforcement | |
can be bypassed</p> | |
<p>MFSA 2015-110 Dragging and dropping images exposes final | |
URL after redirects</p> | |
<p>MFSA 2015-111 Errors in the handling of CORS preflight | |
request headers</p> | |
<p>MFSA 2015-112 Vulnerabilities found through code | |
inspection</p> | |
<p>MFSA 2015-113 Memory safety errors in libGLES in the | |
ANGLE graphics library</p> | |
<p>MFSA 2015-114 Information disclosure via the High | |
Resolution Time API</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-4476</cvename> | |
<cvename>CVE-2015-4500</cvename> | |
<cvename>CVE-2015-4501</cvename> | |
<cvename>CVE-2015-4502</cvename> | |
<cvename>CVE-2015-4503</cvename> | |
<cvename>CVE-2015-4504</cvename> | |
<cvename>CVE-2015-4505</cvename> | |
<cvename>CVE-2015-4506</cvename> | |
<cvename>CVE-2015-4507</cvename> | |
<cvename>CVE-2015-4508</cvename> | |
<cvename>CVE-2015-4509</cvename> | |
<cvename>CVE-2015-4510</cvename> | |
<cvename>CVE-2015-4512</cvename> | |
<cvename>CVE-2015-4516</cvename> | |
<cvename>CVE-2015-4517</cvename> | |
<cvename>CVE-2015-4519</cvename> | |
<cvename>CVE-2015-4520</cvename> | |
<cvename>CVE-2015-4521</cvename> | |
<cvename>CVE-2015-4522</cvename> | |
<cvename>CVE-2015-7174</cvename> | |
<cvename>CVE-2015-7175</cvename> | |
<cvename>CVE-2015-7176</cvename> | |
<cvename>CVE-2015-7177</cvename> | |
<cvename>CVE-2015-7178</cvename> | |
<cvename>CVE-2015-7179</cvename> | |
<cvename>CVE-2015-7180</cvename> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-96/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-97/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-98/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-99/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-100/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-101/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-102/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-103/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-104/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-105/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-106/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-107/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-108/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-109/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-110/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-111/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-112/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-113/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-114/</url> | |
</references> | |
<dates> | |
<discovery>2015-09-22</discovery> | |
<entry>2015-09-22</entry> | |
</dates> | |
</vuln> | |
<vuln vid="3d950687-b4c9-4a86-8478-c56743547af8"> | |
<topic>ffmpeg -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>libav</name> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>gstreamer1-libav</name> | |
<!-- gst-libav-1.4.5 has libav-10.5 --> | |
<range><lt>1.5.90</lt></range> | |
</package> | |
<package> | |
<name>gstreamer-ffmpeg</name> | |
<!-- gst-ffmpeg-0.10.13 has libav-0.7.2 (0.7.7 in freebsd port) --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>handbrake</name> | |
<!-- handbrake-0.10.2 has libav-10.1 --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>ffmpeg</name> | |
<range><lt>2.7.2,1</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg26</name> | |
<range><lt>2.6.4</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg25</name> | |
<range><lt>2.5.8</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg24</name> | |
<range><lt>2.4.11</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg-devel</name> | |
<name>ffmpeg23</name> | |
<name>ffmpeg2</name> | |
<name>ffmpeg1</name> | |
<name>ffmpeg-011</name> | |
<name>ffmpeg0</name> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>avidemux</name> | |
<name>avidemux2</name> | |
<name>avidemux26</name> | |
<!-- avidemux-2.6.10 has ffmpeg-2.6.1 --> | |
<range><lt>2.6.11</lt></range> | |
</package> | |
<package> | |
<name>kodi</name> | |
<!-- kodi-14.2 has ffmpeg-2.4.6 --> | |
<range><lt>15.1</lt></range> | |
</package> | |
<package> | |
<name>mplayer</name> | |
<name>mencoder</name> | |
<!-- mplayer-1.1.r20150403 has ffmpeg-2.7.0+ (snapshot, c299fbb) --> | |
<range><lt>1.1.r20150822</lt></range> | |
</package> | |
<package> | |
<name>mythtv</name> | |
<name>mythtv-frontend</name> | |
<!-- mythtv-0.27.0.20140121 has ffmpeg-1.2.2+ (snapshot, f9c8726) --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>plexhometheater</name> | |
<!-- plexhometheater-1.4.1 has ffmpeg-0.10.2 fork --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>NVD reports:</p> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6818"> | |
<p>The decode_ihdr_chunk function in libavcodec/pngdec.c in | |
FFmpeg before 2.7.2 does not enforce uniqueness of the IHDR | |
(aka image header) chunk in a PNG image, which allows remote | |
attackers to cause a denial of service (out-of-bounds array | |
access) or possibly have unspecified other impact via a | |
crafted image with two or more of these chunks.</p> | |
</blockquote> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6819"> | |
<p>Multiple integer underflows in the ff_mjpeg_decode_frame | |
function in libavcodec/mjpegdec.c in FFmpeg before 2.7.2 | |
allow remote attackers to cause a denial of service | |
(out-of-bounds array access) or possibly have unspecified | |
other impact via crafted MJPEG data.</p> | |
</blockquote> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6820"> | |
<p>The ff_sbr_apply function in libavcodec/aacsbr.c in | |
FFmpeg before 2.7.2 does not check for a matching AAC frame | |
syntax element before proceeding with Spectral Band | |
Replication calculations, which allows remote attackers to | |
cause a denial of service (out-of-bounds array access) or | |
possibly have unspecified other impact via crafted AAC | |
data.</p> | |
</blockquote> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6821"> | |
<p>The ff_mpv_common_init function in libavcodec/mpegvideo.c | |
in FFmpeg before 2.7.2 does not properly maintain the | |
encoding context, which allows remote attackers to cause a | |
denial of service (invalid pointer access) or possibly have | |
unspecified other impact via crafted MPEG data.</p> | |
</blockquote> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6822"> | |
<p>The destroy_buffers function in libavcodec/sanm.c in | |
FFmpeg before 2.7.2 does not properly maintain height and | |
width values in the video context, which allows remote | |
attackers to cause a denial of service (segmentation | |
violation and application crash) or possibly have | |
unspecified other impact via crafted LucasArts Smush video | |
data.</p> | |
</blockquote> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6823"> | |
<p>The allocate_buffers function in libavcodec/alac.c in | |
FFmpeg before 2.7.2 does not initialize certain context | |
data, which allows remote attackers to cause a denial of | |
service (segmentation violation) or possibly have | |
unspecified other impact via crafted Apple Lossless Audio | |
Codec (ALAC) data.</p> | |
</blockquote> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6824"> | |
<p>The sws_init_context function in libswscale/utils.c in | |
FFmpeg before 2.7.2 does not initialize certain pixbuf data | |
structures, which allows remote attackers to cause a denial | |
of service (segmentation violation) or possibly have | |
unspecified other impact via crafted video data.</p> | |
</blockquote> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6825"> | |
<p>The ff_frame_thread_init function in | |
libavcodec/pthread_frame.c in FFmpeg before 2.7.2 mishandles | |
certain memory-allocation failures, which allows remote | |
attackers to cause a denial of service (invalid pointer | |
access) or possibly have unspecified other impact via a | |
crafted file, as demonstrated by an AVI file.</p> | |
</blockquote> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6826"> | |
<p>The ff_rv34_decode_init_thread_copy function in | |
libavcodec/rv34.c in FFmpeg before 2.7.2 does not initialize | |
certain structure members, which allows remote attackers to | |
cause a denial of service (invalid pointer access) or | |
possibly have unspecified other impact via crafted (1) RV30 | |
or (2) RV40 RealVideo data.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-6818</cvename> | |
<cvename>CVE-2015-6819</cvename> | |
<cvename>CVE-2015-6820</cvename> | |
<cvename>CVE-2015-6821</cvename> | |
<cvename>CVE-2015-6822</cvename> | |
<cvename>CVE-2015-6823</cvename> | |
<cvename>CVE-2015-6824</cvename> | |
<cvename>CVE-2015-6825</cvename> | |
<cvename>CVE-2015-6826</cvename> | |
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=47f4e2d8960ca756ca153ab8e3e93d80449b8c91</url> | |
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=84afc6b70d24fc0bf686e43138c96cf60a9445fe</url> | |
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=79a98294da6cd85f8c86b34764c5e0c43b09eea3</url> | |
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=b160fc290cf49b516c5b6ee0730fd9da7fc623b1</url> | |
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=39bbdebb1ed8eb9c9b0cd6db85afde6ba89d86e4</url> | |
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f7068bf277a37479aecde2832208d820682b35e6</url> | |
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a5d44d5c220e12ca0cb7a4eceb0f74759cb13111</url> | |
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f1a38264f20382731cf2cc75fdd98f4c9a84a626</url> | |
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3197c0aa87a3b7190e17d49e6fbc7b554e4b3f0a</url> | |
<url>https://ffmpeg.org/security.html</url> | |
</references> | |
<dates> | |
<discovery>2015-09-05</discovery> | |
<entry>2015-09-20</entry> | |
<modified>2015-09-20</modified> | |
</dates> | |
</vuln> | |
<vuln vid="c2fcbec2-5daa-11e5-9909-002590263bf5"> | |
<topic>moodle -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>moodle27</name> | |
<range><lt>2.7.10</lt></range> | |
</package> | |
<package> | |
<name>moodle28</name> | |
<range><lt>2.8.8</lt></range> | |
</package> | |
<package> | |
<name>moodle29</name> | |
<range><lt>2.9.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Moodle Release Notes report:</p> | |
<blockquote cite="https://docs.moodle.org/dev/Moodle_2.7.10_release_notes"> | |
<p>MSA-15-0030: Students can re-attempt answering questions in the | |
lesson (CVE-2015-5264)</p> | |
<p>MSA-15-0031: Teacher in forum can still post to "all participants" | |
and groups they are not members of (CVE-2015-5272 - 2.7.10 only)</p> | |
<p>MSA-15-0032: Users can delete files uploaded by other users in wiki | |
(CVE-2015-5265)</p> | |
<p>MSA-15-0033: Meta course synchronization enrolls suspended students | |
as managers for a short period of time (CVE-2015-5266)</p> | |
<p>MSA-15-0034: Vulnerability in password recovery mechanism | |
(CVE-2015-5267)</p> | |
<p>MSA-15-0035: Rating component does not check separate groups | |
(CVE-2015-5268)</p> | |
<p>MSA-15-0036: XSS in grouping description (CVE-2015-5269)</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-5264</cvename> | |
<cvename>CVE-2015-5272</cvename> | |
<cvename>CVE-2015-5265</cvename> | |
<cvename>CVE-2015-5266</cvename> | |
<cvename>CVE-2015-5267</cvename> | |
<cvename>CVE-2015-5268</cvename> | |
<cvename>CVE-2015-5269</cvename> | |
<url>http://www.openwall.com/lists/oss-security/2015/09/21/1</url> | |
<url>https://docs.moodle.org/dev/Moodle_2.7.10_release_notes</url> | |
<url>https://docs.moodle.org/dev/Moodle_2.8.8_release_notes</url> | |
<url>https://docs.moodle.org/dev/Moodle_2.9.2_release_notes</url> | |
</references> | |
<dates> | |
<discovery>2015-09-14</discovery> | |
<entry>2015-09-18</entry> | |
<modified>2015-09-24</modified> | |
</dates> | |
</vuln> | |
<vuln vid="d3a98c2d-5da1-11e5-9909-002590263bf5"> | |
<topic>squid -- TLS/SSL parser denial of service vulnerability</topic> | |
<affects> | |
<package> | |
<name>squid</name> | |
<range><ge>3.5.0.1</ge><lt>3.5.9</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Amos Jeffries, release manager of the Squid-3 series, reports:</p> | |
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/18/1"> | |
<p>Vulnerable versions are 3.5.0.1 to 3.5.8 (inclusive), which are | |
built with OpenSSL and configured for "SSL-Bump" decryption.</p> | |
<p>Integer overflows can lead to invalid pointer math reading from | |
random memory on some CPU architectures. In the best case this leads | |
to wrong TLS extensions being used for the client, worst-case a
crash of the proxy terminating all active transactions.</p>
<p>Incorrect message size checks and assumptions about the existence
of TLS extensions in the SSL/TLS handshake message can lead to very
high CPU consumption (up to and including 'infinite loop'
behaviour).</p>
<p>The above can be triggered remotely. Though there is one layer of
authorization applied before this processing to check that the
client is allowed to use the proxy, that check is generally weak. MS
Skype on Windows XP is known to trigger some of these.</p>
</blockquote>
<p>The FreeBSD port does not use SSL by default and is not vulnerable
in the default configuration.</p>
</body>
</description>
<references>
<freebsdpr>ports/203186</freebsdpr>
<url>http://www.squid-cache.org/Advisories/SQUID-2015_3.txt</url>
<url>http://www.openwall.com/lists/oss-security/2015/09/18/1</url>
</references>
<dates>
<discovery>2015-09-18</discovery>
<entry>2015-09-18</entry>
<modified>2016-02-18</modified>
</dates>
</vuln>
<vuln vid="b55ecf12-5d98-11e5-9909-002590263bf5">
<topic>remind -- buffer overflow with malicious reminder file input</topic>
<affects>
<package>
<name>remind</name>
<range><lt>3.1.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dianne Skoll reports:</p>
<blockquote cite="http://lists.roaringpenguin.com/pipermail/remind-fans/2015/003172.html">
<p>BUG FIX: Fix a buffer overflow found by Alexander Keller.</p>
</blockquote>
<p>The bug can be triggered by an extended DUMP command that uses a system
variable (that is, a special variable whose name begins with '$').</p>
</body>
</description>
<references>
<cvename>CVE-2015-5957</cvename>
<freebsdpr>ports/202942</freebsdpr>
<url>http://lists.roaringpenguin.com/pipermail/remind-fans/2015/003172.html</url>
<url>http://www.openwall.com/lists/oss-security/2015/08/07/1</url>
</references>
<dates>
<discovery>2015-07-27</discovery>
<entry>2015-09-18</entry>
</dates>
</vuln>
<vuln vid="d45ad7ae-5d56-11e5-9ad8-14dae9d210b8">
<topic>shutter -- arbitrary code execution</topic>
<affects>
<package>
<name>shutter</name>
<range><ge>0.80</ge><lt>0.93.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Luke Farone reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/541">
<p>In the "Shutter" screenshot application, I discovered that using the
"Show in folder" menu option while viewing a file with a
specially-crafted path allows for arbitrary code execution with the
permissions of the user running Shutter.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q3/541</url>
<url>https://bugs.launchpad.net/shutter/+bug/1495163</url>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862</url>
<cvename>CVE-2015-0854</cvename>
</references>
<dates>
<discovery>2015-09-13</discovery>
<entry>2015-09-17</entry>
</dates>
</vuln>
<vuln vid="a233d51f-5d4c-11e5-9ad8-14dae9d210b8">
<topic>openjpeg -- use-after-free vulnerability</topic>
<affects>
<package>
<name>openjpeg</name>
<range><lt>2.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Feist Josselin reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/550">
<p>Use-after-free was found in openjpeg. The vuln is fixed in
version 2.1.1 and was located in opj_j2k_write_mco function.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q3/550</url>
<url>https://github.com/uclouvain/openjpeg/issues/563</url>
</references>
<dates>
<discovery>2015-08-14</discovery>
<entry>2015-09-17</entry>
</dates>
</vuln>
<vuln vid="bab05188-5d4b-11e5-9ad8-14dae9d210b8">
<topic>optipng -- use-after-free vulnerability</topic>
<affects>
<package>
<name>optipng</name>
<range><le>0.6.5</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Grieco reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/556">
<p>We found a use-after-free causing an invalid/double free in
optipng 0.6.4.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q3/556</url>
<cvename>CVE-2015-7801</cvename>
</references>
<dates>
<discovery>2015-09-16</discovery>
<entry>2015-09-17</entry>
<modified>2015-10-14</modified>
</dates>
</vuln>
<vuln vid="3c259621-5d4a-11e5-9ad8-14dae9d210b8">
<topic>openslp -- denial of service vulnerability</topic>
<affects>
<package>
<name>openslp</name>
<range><lt>2.0.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Qinghao Tang reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/559">
<p>The function ParseExtension() in openslp 1.2.1 contains a
vulnerability: an attacker can cause a denial of service
(infinite loop) via a packet with crafted "nextoffset"
value and "extid" value.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q3/559</url>
<cvename>CVE-2015-5155</cvename>
</references>
<dates>
<discovery>2015-09-16</discovery>
<entry>2015-09-17</entry>
</dates>
</vuln>
<vuln vid="8f5c9dd6-5cac-11e5-9ad8-14dae9d210b8">
<topic>p7zip -- directory traversal vulnerability</topic>
<affects>
<package>
<name>p7zip</name>
<range><lt>9.38.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Alexander Cherepanov reports:</p>
<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660">
<p>7z (and 7zr) is susceptible to a directory traversal vulnerability.
While extracting an archive, it will extract symlinks and then follow
them if they are referenced in further entries. This can be exploited by
a rogue archive to write files outside the current directory.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660</url>
<url>http://www.openwall.com/lists/oss-security/2015/01/11/2</url>
<url>http://sourceforge.net/p/p7zip/bugs/147/</url>
<cvename>CVE-2015-1038</cvename>
</references>
<dates>
<discovery>2015-01-05</discovery>
<entry>2015-09-16</entry>
</dates>
</vuln>
<vuln vid="31ea7f73-5c55-11e5-8607-74d02b9a84d5">
<topic>h2o -- directory traversal vulnerability</topic>
<affects>
<package>
<name>h2o</name>
<range><lt>1.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Yakuzo reports:</p>
<blockquote cite="https://h2o.examp1e.net/vulnerabilities.html">
<p>H2O (up to version 1.4.4 / 1.5.0-beta1) contains a flaw in its URL
normalization logic.</p>
<p>When file.dir directive is used, this flaw
allows a remote attacker to retrieve arbitrary files that exist
outside the directory specified by the directive.</p>
<p>H2O version 1.4.5 and version 1.5.0-beta2 have been released
to address this vulnerability.</p>
<p>Users are advised to upgrade their servers immediately.</p>
<p>The vulnerability was reported by: Yusuke OSUMI.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5638</cvename>
<url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5638</url>
</references>
<dates>
<discovery>2015-09-14</discovery>
<entry>2015-09-16</entry>
</dates>
</vuln>
<vuln vid="f4ce64c2-5bd4-11e5-9040-3c970e169bc2">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.3.1,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samuel Sidler reports:</p>
<blockquote cite="https://wordpress.org/news/2015/09/wordpress-4-3-1/">
<p>WordPress 4.3.1 is now available. This is a security
release for all previous versions and we strongly
encourage you to update your sites immediately.</p>
<ul>
<li>WordPress versions 4.3 and earlier are vulnerable
to a cross-site scripting vulnerability when processing
shortcode tags (CVE-2015-5714). Reported by Shahar Tal
and Netanel Rubin of <a href="http://checkpoint.com/">Check Point</a>.</li>
<li>A separate cross-site scripting vulnerability was found
in the user list table. Reported by Ben Bidner of the
WordPress security team.</li>
<li>Finally, in certain cases, users without proper
permissions could publish private posts and make
them sticky (CVE-2015-5715). Reported by Shahar Tal
and Netanel Rubin of <a href="http://checkpoint.com/">Check Point</a>.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5714</cvename>
<cvename>CVE-2015-5715</cvename>
<cvename>CVE-2015-7989</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/10/28/1</url>
<url>https://wordpress.org/news/2015/09/wordpress-4-3-1/</url>
</references>
<dates>
<discovery>2015-09-15</discovery>
<entry>2015-09-15</entry>
<modified>2015-10-29</modified>
</dates>
</vuln>
<vuln vid="ea893f06-5a92-11e5-98c0-20cf30e32f6d">
<topic>Bugzilla security issues</topic>
<affects>
<package>
<name>bugzilla44</name>
<range><lt>4.4.10</lt></range>
</package>
<package>
<name>bugzilla50</name>
<range><lt>5.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Bugzilla Security Advisory</p>
<blockquote cite="https://www.bugzilla.org/security/4.2.14/">
<p>Login names (usually an email address) longer than 127
characters are silently truncated in MySQL which could
cause the domain name of the email address to be
corrupted. An attacker could use this vulnerability to
create an account with an email address different from the
one originally requested. The login name could then be
automatically added to groups based on the group's regular
expression setting.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4499</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=1202447</url>
</references>
<dates>
<discovery>2015-09-10</discovery>
<entry>2015-09-14</entry>
</dates>
</vuln>
<vuln vid="4910d161-58a4-11e5-9ad8-14dae9d210b8">
<topic>openldap -- denial of service vulnerability</topic>
<affects>
<package>
<name>openldap-server</name>
<range><lt>2.4.42_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Denis Andzakovic reports:</p>
<blockquote cite="http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240">
<p>By sending a crafted packet, an attacker may cause the
OpenLDAP server to reach an assert(9 9 statement, crashing the daemon.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240</url>
<url>http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=6fe51a9ab04fd28bbc171da3cf12f1c1040d6629</url>
<cvename>CVE-2015-6908</cvename>
</references>
<dates>
<discovery>2015-09-09</discovery>
<entry>2015-09-12</entry>
<modified>2015-09-13</modified>
</dates>
</vuln>
<vuln vid="a35f415d-572a-11e5-b0a4-f8b156b6dcc8">
<topic>vorbis-tools, opus-tools -- multiple vulnerabilities</topic>
<affects>
<package>
<name>vorbis-tools</name>
<range><lt>1.4.0_10,3</lt></range>
</package>
<package>
<name>opus-tools</name>
<range><lt>0.1.9_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Paris Zoumpouloglou reports:</p>
<blockquote cite="https://trac.xiph.org/ticket/2136">
<p>I discovered an integer overflow issue in oggenc,
related to the number of channels in the input WAV file.
The issue triggers an out-of-bounds memory access which
causes oggenc to crash.</p>
</blockquote>
<p>Paris Zoumpouloglou reports:</p>
<blockquote cite="https://trac.xiph.org/ticket/2136">
<p>A crafted WAV file with number of channels set to 0
will cause oggenc to crash due to a division by zero
issue.</p>
</blockquote>
<p>pengsu reports:</p>
<blockquote cite="https://trac.xiph.org/ticket/2212">
<p>I discovered a buffer overflow issue in oggenc/audio.c
when it tries to open an invalid AIFF file.</p>
</blockquote> | |
</body> | |
</description> | |
<references> | |
<freebsdpr>ports/202941</freebsdpr> | |
<url>https://trac.xiph.org/ticket/2136</url> | |
<cvename>CVE-2014-9639</cvename> | |
<url>https://trac.xiph.org/ticket/2137</url> | |
<cvename>CVE-2014-9638</cvename> | |
<url>https://trac.xiph.org/ticket/2212</url> | |
<cvename>CVE-2015-6749</cvename> | |
</references> | |
<dates> | |
<discovery>2015-08-08</discovery> | |
<entry>2015-09-09</entry> | |
<modified>2015-09-09</modified> | |
</dates> | |
</vuln> | |
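<!--
The two oggenc WAV bugs above are both consequences of trusting the 16-bit channel count in the "fmt " chunk: zero later becomes a divisor, a huge value later sizes a buffer. The parser below is an added example in Go, not oggenc's audio.c and not part of this advisory; the limits (255 channels, 32 bits) and the BuildWav helper that constructs the sample headers are this example's own choices.

```go
// Added example (illustrative Go, not oggenc's audio.c): read the RIFF/WAVE
// "fmt " chunk from untrusted bytes and reject the channel counts behind
// CVE-2014-9638 (zero, later a divisor) and CVE-2014-9639 (huge, later a
// buffer size) before any arithmetic touches them. Limits are this example's.
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// WavFormat mirrors the first 16 bytes of a PCM "fmt " chunk.
type WavFormat struct {
	AudioFormat   uint16
	Channels      uint16
	SampleRate    uint32
	ByteRate      uint32
	BlockAlign    uint16
	BitsPerSample uint16
}

// Bounds chosen for this example; a Vorbis stream carries at most 255 channels.
const maxChannels, maxBitsPerSample = 255, 32

var (
	ErrNotWave      = errors.New("not a RIFF/WAVE file")
	ErrTruncated    = errors.New("chunk extends past end of input")
	ErrNoFmt        = errors.New("no usable fmt chunk")
	ErrZeroChannels = errors.New("channel count is zero")
	ErrTooManyChans = errors.New("channel count out of range")
	ErrBadBits      = errors.New("bits per sample unsupported")
)

// ParseWavFormat walks the RIFF chunk list and returns the validated format.
// Every length it reads is attacker controlled, so each is bounded by what is
// actually present before it is used as an offset.
func ParseWavFormat(data []byte) (WavFormat, error) {
	var f WavFormat
	if len(data) < 12 || string(data[0:4]) != "RIFF" || string(data[8:12]) != "WAVE" {
		return f, ErrNotWave
	}
	for pos := 12; pos+8 <= len(data); {
		id := string(data[pos : pos+4])
		size := binary.LittleEndian.Uint32(data[pos+4 : pos+8])
		pos += 8
		if uint64(size) > uint64(len(data)-pos) {
			return f, ErrTruncated
		}
		if id == "fmt " && size >= 16 {
			if err := binary.Read(bytes.NewReader(data[pos:pos+16]), binary.LittleEndian, &f); err != nil {
				return f, err
			}
			return f, f.validate()
		}
		pos += int(size) + int(size&1) // chunks are padded to an even length
	}
	return f, ErrNoFmt
}

// validate rejects the values that would later divide by zero or wrap.
// BlockAlign and ByteRate are deliberately not trusted; see FramesIn.
func (f WavFormat) validate() error {
	switch {
	case f.Channels == 0:
		return ErrZeroChannels
	case f.Channels > maxChannels:
		return ErrTooManyChans
	case f.BitsPerSample == 0, f.BitsPerSample > maxBitsPerSample, f.BitsPerSample%8 != 0:
		return ErrBadBits
	}
	return nil
}

// FramesIn returns the number of whole sample frames in n bytes of data. The
// widening to uint64 keeps the product from wrapping, and dividing is safe
// only because validate() ran first.
func (f WavFormat) FramesIn(n uint64) uint64 {
	return n / (uint64(f.Channels) * uint64(f.BitsPerSample) / 8)
}

// BuildWav constructs a minimal PCM WAV (sample input for this example) with
// whatever channel count the caller asks for, valid or not. block_align is a
// 16-bit field, so uint16(frame) truncates for hostile counts.
func BuildWav(channels, bits uint16, rate uint32, pcm []byte) []byte {
	frame := uint32(channels) * uint32(bits) / 8
	var buf bytes.Buffer
	buf.WriteString("RIFF")
	binary.Write(&buf, binary.LittleEndian, uint32(36+len(pcm)))
	buf.WriteString("WAVEfmt ")
	binary.Write(&buf, binary.LittleEndian, uint32(16))
	binary.Write(&buf, binary.LittleEndian, WavFormat{1, channels, rate, rate * frame, uint16(frame), bits})
	buf.WriteString("data")
	binary.Write(&buf, binary.LittleEndian, uint32(len(pcm)))
	buf.Write(pcm)
	return buf.Bytes()
}

func main() {
	pcm := make([]byte, 4000)
	for _, ch := range []uint16{2, 0, 65535} {
		f, err := ParseWavFormat(BuildWav(ch, 16, 44100, pcm))
		if err != nil {
			fmt.Printf("channels=%d rejected: %v\n", ch, err)
			continue
		}
		fmt.Printf("channels=%d ok, %d frames\n", ch, f.FramesIn(uint64(len(pcm))))
	}
}
```

The point of the layout is ordering: nothing derived from Channels or BitsPerSample is computed until validate() has accepted them, and the chunk size is checked against the bytes actually present before it becomes an offset. A header that declares 65535 channels is refused on the channel count alone, so the truncated block_align it also carries never gets a chance to mislead a buffer computation.
-->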
<vuln vid="d76961da-56f6-11e5-934b-002590263bf5"> | |
<topic>pgbouncer -- failed auth_query lookup leads to connection as auth_user</topic> | |
<affects> | |
<package> | |
<name>pgbouncer</name> | |
<range><eq>1.6.0</eq></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>PgBouncer reports:</p> | |
<blockquote cite="http://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/"> | |
<p>New auth_user functionality introduced in 1.6 allows login as
auth_user when a client presents an unknown username. It's quite likely
auth_user is a superuser. Affects only setups that have enabled
auth_user in their config.</p>
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-6817</cvename> | |
<url>https://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/</url> | |
<url>https://github.com/pgbouncer/pgbouncer/issues/69</url> | |
<url>http://www.openwall.com/lists/oss-security/2015/09/04/3</url> | |
</references> | |
<dates> | |
<discovery>2015-09-03</discovery> | |
<entry>2015-09-09</entry> | |
</dates> | |
</vuln> | |
<vuln vid="3904f759-5659-11e5-a207-6805ca0b3d42"> | |
<topic>phpMyAdmin -- reCaptcha bypass</topic> | |
<affects> | |
<package> | |
<name>phpMyAdmin</name> | |
<range><ge>4.4.0</ge><lt>4.4.14.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The phpMyAdmin development team reports:</p> | |
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2015-4/"> | |
<p>This vulnerability allows an attacker to complete the reCaptcha test
and subsequently perform a brute force attack to guess user
credentials without having to complete further reCaptcha
tests.</p>
<p>We consider this vulnerability to be non critical since | |
reCaptcha is an additional opt-in security measure.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.phpmyadmin.net/security/PMASA-2015-4/</url> | |
<cvename>CVE-2015-6830</cvename> | |
</references> | |
<dates> | |
<discovery>2015-09-08</discovery> | |
<entry>2015-09-08</entry> | |
</dates> | |
</vuln> | |
<vuln vid="3d675519-5654-11e5-9ad8-14dae9d210b8"> | |
<topic>php -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>php5</name> | |
<name>php5-soap</name> | |
<name>php5-xsl</name> | |
<range><lt>5.4.45</lt></range> | |
</package> | |
<package> | |
<name>php55</name> | |
<name>php55-soap</name> | |
<name>php55-xsl</name> | |
<range><lt>5.5.29</lt></range> | |
</package> | |
<package> | |
<name>php56</name> | |
<name>php56-soap</name> | |
<name>php56-xsl</name> | |
<range><lt>5.6.13</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>PHP reports:</p> | |
<blockquote cite="http://php.net/ChangeLog-5.php#5.4.45"> | |
<ul><li>Core: | |
<ul> | |
<li>Fixed bug #70172 (Use After Free Vulnerability in unserialize()).</li> | |
<li>Fixed bug #70219 (Use after free vulnerability in session deserializer).</li> | |
</ul></li> | |
<li>EXIF: | |
<ul> | |
<li>Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).</li> | |
</ul></li> | |
<li>hash: | |
<ul> | |
<li>Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).</li> | |
</ul></li> | |
<li>PCRE: | |
<ul> | |
<li>Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).</li> | |
</ul></li> | |
<li>SOAP: | |
<ul> | |
<li>Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE).</li> | |
</ul></li> | |
<li>SPL: | |
<ul> | |
<li>Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage).</li> | |
<li>Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList).</li> | |
</ul></li> | |
<li>XSLT: | |
<ul> | |
<li>Fixed bug #69782 (NULL pointer dereference).</li> | |
</ul></li> | |
<li>ZIP: | |
<ul> | |
<li>Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories).</li> | |
</ul></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://php.net/ChangeLog-5.php#5.4.45</url> | |
<url>http://php.net/ChangeLog-5.php#5.5.29</url> | |
<url>http://php.net/ChangeLog-5.php#5.6.13</url> | |
<cvename>CVE-2015-6834</cvename> | |
<cvename>CVE-2015-6835</cvename> | |
<cvename>CVE-2015-6836</cvename> | |
<cvename>CVE-2015-6837</cvename> | |
<cvename>CVE-2015-6838</cvename> | |
</references> | |
<dates> | |
<discovery>2015-09-03</discovery> | |
<entry>2015-09-08</entry> | |
<modified>2015-09-08</modified> | |
</dates> | |
</vuln> | |
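<!--
Of the fixes listed above, bug #70350 (ZipArchive::extractTo directory traversal when creating directories) describes a missing check rather than a memory error, so it is the one worth showing. The code below is an added example in Go, not php-src's ZipArchive code: the destination path, the entry names and the BuildArchive helper are constructed for this illustration.

```go
// Added example (illustrative Go, not php-src's ZipArchive code): the check an
// extractor must make before it creates any file or directory from an archive
// entry name, the step bug #70350 says extractTo skipped for directories.
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

var ErrTraversal = errors.New("zip entry escapes destination directory")

// SafeExtractPath returns the on-disk path for entry name inside dest, or
// ErrTraversal if the joined and cleaned path would land outside dest. Checking
// the cleaned result rather than the raw name catches "a/../../x" as well as
// "../x", and a directory entry ("good/") is vetted exactly like a file.
func SafeExtractPath(dest, name string) (string, error) {
	if name == "" || strings.ContainsRune(name, 0) {
		return "", ErrTraversal
	}
	// Zip names use "/", but hostile archives also carry "\"; treat both as
	// separators so a check done on one platform still holds on the other.
	name = strings.ReplaceAll(name, `\`, "/")
	if strings.HasPrefix(name, "/") {
		return "", ErrTraversal // absolute entry names are never legitimate
	}
	root := filepath.Clean(dest)
	target := filepath.Join(root, filepath.FromSlash(name))
	if target != root && !strings.HasPrefix(target, root+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// VetArchive lists an in-memory zip and partitions entry names into those an
// extractor may create under dest and those it must refuse. It writes nothing;
// a real extractor calls SafeExtractPath right before os.MkdirAll or os.Create.
func VetArchive(dest string, archive []byte) (ok, rejected []string, err error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	// Newer Go can flag insecure names itself (GODEBUG zipinsecurepath) but
	// still hands back a usable reader; only give up when there is none.
	if r == nil {
		return nil, nil, err
	}
	for _, f := range r.File {
		if _, perr := SafeExtractPath(dest, f.Name); perr != nil {
			rejected = append(rejected, f.Name)
		} else {
			ok = append(ok, f.Name)
		}
	}
	return ok, rejected, nil
}

// BuildArchive constructs a zip with the given entry names (sample input for
// this example; a hostile upload would carry exactly such names).
func BuildArchive(names []string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		fw, err := w.Create(n)
		if err != nil {
			panic(err)
		}
		if !strings.HasSuffix(n, "/") { // directory entries take no content
			io.WriteString(fw, "x")
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	archive := BuildArchive([]string{"good/file.txt", "good/", "../../etc/cron.d/evil", "good/../../escape", `..\evil.php`})
	ok, rejected, err := VetArchive("/srv/upload/extract", archive)
	if err != nil {
		panic(err)
	}
	fmt.Println("would extract:", ok)
	fmt.Println("refused:      ", rejected)
}
```

The check must run for every entry kind, directories included: an extractor that vets file names but creates directories straight from the entry name still lets "../" escape, which is what the PHP bug title describes.
-->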
<vuln vid="d68df01b-564e-11e5-9ad8-14dae9d210b8"> | |
<topic>ganglia-webfrontend -- auth bypass</topic> | |
<affects> | |
<package> | |
<name>ganglia-webfrontend</name> | |
<range><lt>3.7.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Ivan Novikov reports:</p> | |
<blockquote cite="https://github.com/ganglia/ganglia-web/issues/267"> | |
<p>It's easy to bypass auth by using boolean serialization...</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://github.com/ganglia/ganglia-web/issues/267</url> | |
<cvename>CVE-2015-6816</cvename> | |
</references> | |
<dates> | |
<discovery>2015-09-04</discovery> | |
<entry>2015-09-08</entry> | |
<modified>2015-09-08</modified> | |
</dates> | |
</vuln> | |
<vuln vid="9bdd8eb5-564a-11e5-9ad8-14dae9d210b8"> | |
<topic>wireshark -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>wireshark</name> | |
<name>wireshark-lite</name> | |
<name>wireshark-qt5</name> | |
<name>tshark</name> | |
<name>tshark-lite</name> | |
<range><lt>1.12.7</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Wireshark development team reports:</p> | |
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-1.12.7.html"> | |
<p>The following vulnerabilities have been fixed.</p> | |
<ul> | |
<li><p>wnpa-sec-2015-21</p> | |
<p>Protocol tree crash. (Bug 11309)</p></li> | |
<li><p>wnpa-sec-2015-22</p> | |
<p>Memory manager crash. (Bug 11373)</p></li> | |
<li><p>wnpa-sec-2015-23</p> | |
<p>Dissector table crash. (Bug 11381)</p></li> | |
<li><p>wnpa-sec-2015-24</p> | |
<p>ZigBee crash. (Bug 11389)</p></li> | |
<li><p>wnpa-sec-2015-25</p> | |
<p>GSM RLC/MAC infinite loop. (Bug 11358)</p></li> | |
<li><p>wnpa-sec-2015-26</p> | |
<p>WaveAgent crash. (Bug 11358)</p></li> | |
<li><p>wnpa-sec-2015-27</p> | |
<p>OpenFlow infinite loop. (Bug 11358)</p></li> | |
<li><p>wnpa-sec-2015-28</p> | |
<p>Ptvcursor crash. (Bug 11358)</p></li> | |
<li><p>wnpa-sec-2015-29</p> | |
<p>WCCP crash. (Bug 11358)</p></li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.wireshark.org/docs/relnotes/wireshark-1.12.7.html</url> | |
<cvename>CVE-2015-6241</cvename> | |
<cvename>CVE-2015-6242</cvename> | |
<cvename>CVE-2015-6243</cvename> | |
<cvename>CVE-2015-6244</cvename> | |
<cvename>CVE-2015-6245</cvename> | |
<cvename>CVE-2015-6246</cvename> | |
<cvename>CVE-2015-6247</cvename> | |
<cvename>CVE-2015-6248</cvename> | |
<cvename>CVE-2015-6249</cvename> | |
</references> | |
<dates> | |
<discovery>2015-08-12</discovery> | |
<entry>2015-09-08</entry> | |
<modified>2015-09-08</modified> | |
</dates> | |
</vuln> | |
<vuln vid="98092444-5645-11e5-9ad8-14dae9d210b8"> | |
<topic>screen -- stack overflow</topic> | |
<affects> | |
<package> | |
<name>screen</name> | |
<range><lt>4.3.1_2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Kuang-che Wu reports:</p> | |
<blockquote cite="https://savannah.gnu.org/bugs/?45713"> | |
<p>screen will recursively call MScrollV to depth n/256. This
is time consuming and will overflow the stack if n is huge.</p>
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://savannah.gnu.org/bugs/?45713</url> | |
<cvename>CVE-2015-6806</cvename> | |
</references> | |
<dates> | |
<discovery>2015-08-07</discovery> | |
<entry>2015-09-08</entry> | |
</dates> | |
</vuln> | |
<vuln vid="b5e654c3-5644-11e5-9ad8-14dae9d210b8"> | |
<topic>libvncserver -- memory corruption</topic> | |
<affects> | |
<package> | |
<name>libvncserver</name> | |
<range><lt>0.9.8</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Petr Pisar reports:</p> | |
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=706087"> | |
<p>libvncserver/tight.c:rfbTightCleanup() frees a buffer without zeroing freed pointer.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://bugzilla.redhat.com/show_bug.cgi?id=706087</url> | |
<url>https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6</url> | |
</references> | |
<dates> | |
<discovery>2011-05-19</discovery> | |
<entry>2015-09-08</entry> | |
</dates> | |
</vuln> | |
<vuln vid="ed0ecad5-531d-11e5-9850-bcaec565249c"> | |
<topic>gdk-pixbuf2 -- integer overflows</topic> | |
<affects> | |
<package> | |
<name>gdk-pixbuf2</name> | |
<range><lt>2.31.7</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Matthias Clasen reports:</p> | |
<blockquote cite="https://mail.gnome.org/archives/ftp-release-list/2015-September/msg00013.html"> | |
<p>Fix several integer overflows.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://mail.gnome.org/archives/ftp-release-list/2015-September/msg00013.html</url> | |
</references> | |
<dates> | |
<discovery>2015-09-01</discovery> | |
<entry>2015-09-04</entry> | |
</dates> | |
</vuln> | |
<vuln vid="2c5e7e23-5248-11e5-9ad8-14dae9d210b8"> | |
<topic>bind -- denial of service vulnerability</topic> | |
<affects> | |
<package> | |
<name>bind99</name> | |
<range><ge>9.9.7</ge><lt>9.9.7P3</lt></range> | |
</package> | |
<package> | |
<name>bind910</name> | |
<range><lt>9.10.2P4</lt></range> | |
</package> | |
<package> | |
<name>bind910-base</name> | |
<name>bind99-base</name> | |
<range><gt>0</gt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ISC reports:</p> | |
<blockquote cite="https://www.isc.org/blogs/cve-2015-5986-an-incorrect-boundary-check-can-trigger-a-require-assertion-failure-in-openpgpkey_61-c/"> | |
<p>An incorrect boundary check in openpgpkey_61.c can cause | |
named to terminate due to a REQUIRE assertion failure. This defect can | |
be deliberately exploited by an attacker who can provide a maliciously | |
constructed response in answer to a query.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.isc.org/blogs/cve-2015-5986-an-incorrect-boundary-check-can-trigger-a-require-assertion-failure-in-openpgpkey_61-c/</url> | |
<cvename>CVE-2015-5986</cvename> | |
</references> | |
<dates> | |
<discovery>2015-08-19</discovery> | |
<entry>2015-09-03</entry> | |
</dates> | |
</vuln> | |
<vuln vid="eaf3b255-5245-11e5-9ad8-14dae9d210b8"> | |
<topic>bind -- denial of service vulnerability</topic> | |
<affects> | |
<package> | |
<name>bind99</name> | |
<range><lt>9.9.7P3</lt></range> | |
</package> | |
<package> | |
<name>bind910</name> | |
<range><ge>9.10.2</ge><lt>9.10.2P4</lt></range> | |
</package> | |
<package> | |
<name>bind910-base</name> | |
<name>bind99-base</name> | |
<range><gt>0</gt></range> | |
</package> | |
<package> | |
<name>FreeBSD</name> | |
<range><ge>9.3</ge><lt>9.3_25</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>ISC reports:</p> | |
<blockquote cite="https://www.isc.org/blogs/cve-2015-5722-parsing-malformed-keys-may-cause-bind-to-exit-due-to-a-failed-assertion-in-buffer-c/"> | |
<p>Parsing a malformed DNSSEC key can cause a validating | |
resolver to exit due to a failed assertion in buffer.c. It is possible | |
for a remote attacker to deliberately trigger this condition, for | |
example by using a query which requires a response from a zone | |
containing a deliberately malformed key.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://www.isc.org/blogs/cve-2015-5722-parsing-malformed-keys-may-cause-bind-to-exit-due-to-a-failed-assertion-in-buffer-c/</url> | |
<cvename>CVE-2015-5722</cvename> | |
<freebsdsa>SA-15:23.bind</freebsdsa> | |
</references> | |
<dates> | |
<discovery>2015-08-19</discovery> | |
<entry>2015-09-03</entry> | |
<modified>2016-08-09</modified> | |
</dates> | |
</vuln> | |
<vuln vid="a9350df8-5157-11e5-b5c1-e8e0b747a45a"> | |
<topic>chromium -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>chromium</name> | |
<range><lt>45.0.2454.85</lt></range> | |
</package> | |
<package> | |
<!--pcbsd--> | |
<name>chromium-npapi</name> | |
<range><lt>45.0.2454.85</lt></range> | |
</package> | |
<package> | |
<!--pcbsd--> | |
<name>chromium-pulse</name> | |
<range><lt>45.0.2454.85</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Google Chrome Releases reports:</p> | |
<blockquote cite="http://googlechromereleases.blogspot.nl"> | |
<p>29 security fixes in this release, including:</p> | |
<ul> | |
<li>[516377] High CVE-2015-1291: Cross-origin bypass in DOM. Credit | |
to anonymous.</li> | |
<li>[522791] High CVE-2015-1292: Cross-origin bypass in | |
ServiceWorker. Credit to Mariusz Mlynski.</li> | |
<li>[524074] High CVE-2015-1293: Cross-origin bypass in DOM. Credit | |
to Mariusz Mlynski.</li> | |
<li>[492263] High CVE-2015-1294: Use-after-free in Skia. Credit | |
to cloudfuzzer.</li> | |
<li>[502562] High CVE-2015-1295: Use-after-free in Printing. Credit | |
to anonymous.</li> | |
<li>[421332] High CVE-2015-1296: Character spoofing in omnibox. | |
Credit to zcorpan.</li> | |
<li>[510802] Medium CVE-2015-1297: Permission scoping error in | |
Webrequest. Credit to Alexander Kashev.</li> | |
<li>[518827] Medium CVE-2015-1298: URL validation error in | |
extensions. Credit to Rob Wu.</li> | |
<li>[416362] Medium CVE-2015-1299: Use-after-free in Blink. Credit | |
to taro.suzuki.dev.</li> | |
<li>[511616] Medium CVE-2015-1300: Information leak in Blink. Credit | |
to cgvwzq.</li> | |
<li>[526825] CVE-2015-1301: Various fixes from internal audits, | |
fuzzing and other initiatives.</li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-1291</cvename> | |
<cvename>CVE-2015-1292</cvename> | |
<cvename>CVE-2015-1293</cvename> | |
<cvename>CVE-2015-1294</cvename> | |
<cvename>CVE-2015-1295</cvename> | |
<cvename>CVE-2015-1296</cvename> | |
<cvename>CVE-2015-1297</cvename> | |
<cvename>CVE-2015-1298</cvename> | |
<cvename>CVE-2015-1299</cvename> | |
<cvename>CVE-2015-1300</cvename> | |
<cvename>CVE-2015-1301</cvename> | |
<url>http://googlechromereleases.blogspot.nl</url> | |
</references> | |
<dates> | |
<discovery>2015-09-01</discovery> | |
<entry>2015-09-02</entry> | |
</dates> | |
</vuln> | |
<vuln vid="55c43f5b-5190-11e5-9ad8-14dae9d210b8"> | |
<topic>powerdns -- denial of service</topic> | |
<affects> | |
<package> | |
<name>powerdns</name> | |
<range><ge>3.4.0</ge><lt>3.4.6</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>PowerDNS reports:</p> | |
<blockquote cite="https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/"> | |
<p>A bug was found in our DNS packet parsing/generation code, | |
which, when exploited, can cause individual threads (disabling service) | |
or whole processes (allowing a supervisor to restart them) to crash with | |
just one or a few query packets.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/</url> | |
<cvename>CVE-2015-5230</cvename> | |
</references> | |
<dates> | |
<discovery>2015-09-02</discovery> | |
<entry>2015-09-02</entry> | |
</dates> | |
</vuln> | |
<vuln vid="fc1f6658-4f53-11e5-934b-002590263bf5"> | |
<topic>ghostscript -- denial of service (crash) via crafted Postscript files</topic> | |
<affects> | |
<package> | |
<name>ghostscript7</name> | |
<name>ghostscript7-nox11</name> | |
<name>ghostscript7-base</name> | |
<name>ghostscript7-x11</name> | |
<range><lt>7.07_32</lt></range> | |
</package> | |
<package> | |
<name>ghostscript8</name> | |
<name>ghostscript8-nox11</name> | |
<name>ghostscript8-base</name> | |
<name>ghostscript8-x11</name> | |
<range><lt>8.71_19</lt></range> | |
</package> | |
<package> | |
<name>ghostscript9</name> | |
<name>ghostscript9-nox11</name> | |
<name>ghostscript9-base</name> | |
<name>ghostscript9-x11</name> | |
<range><lt>9.06_11</lt></range> | |
</package> | |
<package> | |
<name>ghostscript9-agpl</name> | |
<name>ghostscript9-agpl-nox11</name> | |
<range><lt>9.15_2</lt></range> | |
</package> | |
<package> | |
<name>ghostscript9-agpl-base</name> | |
<name>ghostscript9-agpl-x11</name> | |
<range><lt>9.16_2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>MITRE reports:</p> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3228"> | |
<p>Integer overflow in the gs_heap_alloc_bytes function in | |
base/gsmalloc.c in Ghostscript 9.15 and earlier allows remote | |
attackers to cause a denial of service (crash) via a crafted | |
Postscript (ps) file, as demonstrated by using the ps2pdf command, | |
which triggers an out-of-bounds read or write.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-3228</cvename> | |
<url>http://bugs.ghostscript.com/show_bug.cgi?id=696041</url> | |
<url>http://bugs.ghostscript.com/show_bug.cgi?id=696070</url> | |
<url>http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0c0b0859</url> | |
</references> | |
<dates> | |
<discovery>2015-06-17</discovery> | |
<entry>2015-09-01</entry> | |
<modified>2015-09-02</modified> | |
</dates> | |
</vuln> | |
<vuln vid="80c66af0-d1c5-449e-bd31-63b12525ff88"> | |
<topic>ffmpeg -- out-of-bounds array access</topic> | |
<affects> | |
<package> | |
<name>libav</name> | |
<range><ge>11.0</ge><lt>11.4</lt></range> | |
<range><lt>10.7</lt></range> | |
</package> | |
<package> | |
<name>gstreamer1-libav</name> | |
<!-- gst-libav-1.4.5 has libav-10.5 --> | |
<range><lt>1.5.1</lt></range> | |
</package> | |
<package> | |
<name>handbrake</name> | |
<!-- handbrake-0.10.2 has libav-10.1 --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>ffmpeg</name> | |
<range><ge>2.2.0,1</ge><lt>2.2.15,1</lt></range> | |
<range><lt>2.0.7,1</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg26</name> | |
<range><lt>2.6.2</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg25</name> | |
<range><lt>2.5.6</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg24</name> | |
<range><lt>2.4.8</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg23</name> | |
<!-- just in case: f7e1367 wasn't cherry-picked --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>ffmpeg1</name> | |
<!-- just in case: f7e1367 wasn't cherry-picked --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>avidemux</name> | |
<name>avidemux26</name> | |
<!-- avidemux-2.6.10 has ffmpeg-2.6.1 --> | |
<range><lt>2.6.11</lt></range> | |
</package> | |
<package> | |
<name>kodi</name> | |
<!-- kodi-14.2 has ffmpeg-2.4.6 --> | |
<range><lt>15.1</lt></range> | |
</package> | |
<package> | |
<name>mplayer</name> | |
<name>mencoder</name> | |
<!-- mplayer-1.1.r20141223 has ffmpeg-2.5.1+ (snapshot, 03b84f2) --> | |
<range><lt>1.1.r20150403</lt></range> | |
</package> | |
<package> | |
<name>mythtv</name> | |
<name>mythtv-frontend</name> | |
<!-- mythtv-0.27.0.20140121 has ffmpeg-1.2.2+ (snapshot, f9c8726) --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>NVD reports:</p> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3395"> | |
<p>The msrle_decode_pal4 function in msrledec.c in Libav | |
before 10.7 and 11.x before 11.4 and FFmpeg before 2.0.7, | |
2.2.x before 2.2.15, 2.4.x before 2.4.8, 2.5.x before 2.5.6, | |
and 2.6.x before 2.6.2 allows remote attackers to have | |
unspecified impact via a crafted image, related to a pixel | |
pointer, which triggers an out-of-bounds array access.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-3395</cvename> | |
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f7e1367f58263593e6cee3c282f7277d7ee9d553</url> | |
<url>https://git.libav.org/?p=libav.git;a=commit;h=5ecabd3c54b7c802522dc338838c9a4c2dc42948</url> | |
<url>https://ffmpeg.org/security.html</url> | |
<url>https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.4</url> | |
</references> | |
<dates> | |
<discovery>2015-04-12</discovery> | |
<entry>2015-09-01</entry> | |
<modified>2015-09-20</modified> | |
</dates> | |
</vuln> | |
<vuln vid="da434a78-e342-4d9a-87e2-7497e5f117ba"> | |
<topic>ffmpeg -- use-after-free</topic> | |
<affects> | |
<package> | |
<name>libav</name> | |
<range><ge>11.0</ge><lt>11.4</lt></range> | |
<range><lt>10.7</lt></range> | |
</package> | |
<package> | |
<name>gstreamer1-libav</name> | |
<!-- gst-libav-1.4.5 has libav-10.5 --> | |
<range><lt>1.5.0</lt></range> | |
</package> | |
<package> | |
<name>handbrake</name> | |
<!-- handbrake-0.10.2 has libav-10.1 --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
<package> | |
<name>ffmpeg</name> | |
<range><ge>2.2.0,1</ge><lt>2.2.12,1</lt></range> | |
<range><ge>2.1.0,1</ge><lt>2.1.7,1</lt></range> | |
<range><lt>2.0.7,1</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg25</name> | |
<range><lt>2.5.2</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg24</name> | |
<range><lt>2.4.5</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg23</name> | |
<range><lt>2.3.6</lt></range> | |
</package> | |
<package> | |
<name>ffmpeg1</name> | |
<range><lt>1.2.11</lt></range> | |
</package> | |
<package> | |
<name>mythtv</name> | |
<name>mythtv-frontend</name> | |
<!-- mythtv-0.27.0.20140121 has ffmpeg-1.2.2+ (snapshot, f9c8726) --> | |
<!-- no known fixed version --> | |
<range><ge>0</ge></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>NVD reports:</p> | |
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3417"> | |
<p>Use-after-free vulnerability in the ff_h264_free_tables | |
function in libavcodec/h264.c in FFmpeg before 2.3.6 allows | |
remote attackers to cause a denial of service or possibly | |
have unspecified other impact via crafted H.264 data in an | |
MP4 file, as demonstrated by an HTML VIDEO element that | |
references H.264 data.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-3417</cvename> | |
<!-- ffmpeg and libav fixes are different --> | |
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e8714f6f93d1a32f4e4655209960afcf4c185214</url> | |
<url>https://git.libav.org/?p=libav.git;a=commitdiff;h=3b69f245dbe6e2016659a45c4bfe284f6c5ac57e</url> | |
<url>https://ffmpeg.org/security.html</url> | |
<url>https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.4</url> | |
</references> | |
<dates> | |
<discovery>2014-12-19</discovery> | |
<entry>2015-09-01</entry> | |
</dates> | |
</vuln> | |
<vuln vid="5300711b-4e61-11e5-9ad8-14dae9d210b8"> | |
<topic>graphviz -- format string vulnerability</topic> | |
<affects> | |
<package> | |
<name>graphviz</name> | |
<range><lt>2.38.0_7</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Joshua Rogers reports:</p> | |
<blockquote cite="http://seclists.org/oss-sec/2014/q4/784"> | |
<p>A format string vulnerability has been found in `graphviz'.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://seclists.org/oss-sec/2014/q4/784</url> | |
<url>https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081</url> | |
</references> | |
<dates> | |
<discovery>2014-11-24</discovery> | |
<entry>2015-08-29</entry> | |
</dates> | |
</vuln> | |
<vuln vid="237a201c-888b-487f-84d3-7d92266381d6"> | |
<topic>mozilla -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>firefox</name> | |
<range><lt>40.0.3,1</lt></range> | |
</package> | |
<package> | |
<name>linux-firefox</name> | |
<range><lt>40.0.3,1</lt></range> | |
</package> | |
<package> | |
<name>firefox-esr</name> | |
<range><lt>38.2.1,1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Mozilla Project reports:</p> | |
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/"> | |
<p>MFSA 2015-95 Add-on notification bypass through data URLs</p> | |
<p>MFSA 2015-94 Use-after-free when resizing canvas element | |
during restyling</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-4497</cvename> | |
<cvename>CVE-2015-4498</cvename> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-94/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-95/</url> | |
</references> | |
<dates> | |
<discovery>2015-08-27</discovery> | |
<entry>2015-08-28</entry> | |
</dates> | |
</vuln> | |
<vuln vid="4464212e-4acd-11e5-934b-002590263bf5"> | |
<topic>go -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>go</name> | |
<range><lt>1.4.3,1</lt></range> | |
</package> | |
<package> | |
<name>go14</name> | |
<range><lt>1.4.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Jason Buberel, Go Product Manager, reports:</p> | |
<blockquote cite="http://seclists.org/oss-sec/2015/q3/237"> | |
<p>CVE-2015-5739 - "Content Length" treated as valid header</p> | |
<p>CVE-2015-5740 - Double Content-Length headers do not return a 400
error</p>
<p>CVE-2015-5741 - Additional hardening, not sending Content-Length | |
w/Transfer-Encoding, Closing connections</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-5739</cvename> | |
<cvename>CVE-2015-5740</cvename> | |
<cvename>CVE-2015-5741</cvename> | |
<url>https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9</url> | |
<url>https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e</url> | |
<url>https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f</url> | |
<url>http://seclists.org/oss-sec/2015/q3/237</url> | |
</references> | |
<dates> | |
<discovery>2015-07-29</discovery> | |
<entry>2015-08-25</entry> | |
</dates> | |
</vuln> | |
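<!--
The three items above are the classic request-smuggling ambiguities: a header key that one hop canonicalises and another does not, two Content-Length values, and Content-Length beside Transfer-Encoding. The program below is an added example, not code from the Go project or from the oss-security post: it feeds each shape to net/http's request parser as shipped in current Go and reports how the body length is settled. The raw requests and the helper names (parseRaw, SpacedKeyIgnored, DoubleLengthRejected, ChunkedWins) are this example's own.

```go
// Added example (not code from the Go project or from the oss-security post):
// feed the request shapes behind CVE-2015-5739, CVE-2015-5740 and the
// CVE-2015-5741 hardening to net/http's request parser and report how it
// settles the body length for each. The sample requests are constructed here.
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// parseRaw parses one raw HTTP/1.1 request and returns the body length the
// parser settled on (-1 means chunked/unknown), the body bytes it yields, and
// any parse error.
func parseRaw(raw string) (int64, []byte, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return 0, nil, err
	}
	body, err := io.ReadAll(req.Body)
	if err != nil {
		return req.ContentLength, nil, err
	}
	return req.ContentLength, body, nil
}

const (
	// CVE-2015-5739: a space instead of a dash. Go 1.4 rewrote the space to a
	// dash and so honoured this as Content-Length, which a proxy in front of
	// it would not; a fixed parser must not let it set the body length.
	spacedContentLength = "POST / HTTP/1.1\r\nHost: example.test\r\nContent Length: 5\r\n\r\nhello"

	// CVE-2015-5740: two differing Content-Length values. Two hops that pick
	// different ones desynchronise, so the only safe answer is to reject.
	doubleContentLength = "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 11\r\n\r\nhello world"

	// CVE-2015-5741 hardening: Content-Length next to Transfer-Encoding.
	// RFC 7230 3.3.3 says chunked framing wins and Content-Length is dropped.
	chunkedWithLength = "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
)

// SpacedKeyIgnored reports whether "Content Length" stayed out of the body
// length decision: the parser either rejected the request outright or parsed
// it as a request with no body (ContentLength 0).
func SpacedKeyIgnored() bool {
	cl, _, err := parseRaw(spacedContentLength)
	return err != nil || cl == 0
}

// DoubleLengthRejected reports whether differing duplicate Content-Length
// headers make the parser fail instead of silently picking one of them.
func DoubleLengthRejected() bool {
	_, _, err := parseRaw(doubleContentLength)
	return err != nil
}

// ChunkedWins reports whether Transfer-Encoding took precedence: the body is
// read from the chunked framing, not cut at the stray Content-Length of 3.
func ChunkedWins() bool {
	cl, body, err := parseRaw(chunkedWithLength)
	return err == nil && cl == -1 && string(body) == "hello"
}

func main() {
	fmt.Println("spaced Content Length ignored:   ", SpacedKeyIgnored())
	fmt.Println("double Content-Length rejected:  ", DoubleLengthRejected())
	fmt.Println("chunked wins over Content-Length:", ChunkedWins())
}
```

The same three requests are a useful probe for any other HTTP parser sitting in the path (reverse proxy, WAF, application server): what matters for smuggling is not whether one component is right, but whether every component agrees on where the body ends.
-->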
<vuln vid="40497e81-fee3-4e54-9d5f-175a5c633b73"> | |
<topic>libtremor -- memory corruption</topic> | |
<affects> | |
<package> | |
<name>libtremor</name> | |
<range><lt>1.2.0.s20120120</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Mozilla Project reports:</p> | |
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2012-07/"> | |
<p>Security researcher regenrecht reported via | |
TippingPoint's Zero Day Initiative the possibility of memory | |
corruption during the decoding of Ogg Vorbis files. This can | |
cause a crash during decoding and has the potential for | |
remote code execution.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2012-0444</cvename> | |
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=719612</url> | |
<url>https://git.xiph.org/?p=tremor.git;a=commitdiff;h=3daa274</url> | |
</references> | |
<dates> | |
<discovery>2012-01-31</discovery> | |
<entry>2015-08-25</entry> | |
<modified>2015-08-25</modified> | |
</dates> | |
</vuln> | |
<vuln vid="3dac84c9-bce1-4199-9784-d68af1eb7b2e"> | |
<topic>libtremor -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>libtremor</name> | |
<range><lt>1.2.0.s20101013</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The RedHat Project reports:</p> | |
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=438125"> | |
<p>Will Drewry of the Google Security Team reported multiple
issues in the OGG Vorbis and Tremor libraries that could cause
applications using those libraries to crash (NULL pointer
dereference or divide by zero), enter an infinite loop, or
trigger a heap overflow caused by an integer overflow.</p>
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2008-1418</cvename> | |
<cvename>CVE-2008-1419</cvename> | |
<cvename>CVE-2008-1420</cvename> | |
<cvename>CVE-2008-1423</cvename> | |
<cvename>CVE-2008-2009</cvename> | |
<url>http://redpig.dataspill.org/2008/05/multiple-vulnerabilities-in-ogg-tremor.html</url> | |
<url>https://git.xiph.org/?p=tremor.git;a=commitdiff;h=7e94eea</url> | |
<url>https://git.xiph.org/?p=tremor.git;a=commitdiff;h=1d1f93e</url> | |
<url>https://git.xiph.org/?p=tremor.git;a=commitdiff;h=159efc4</url> | |
</references> | |
<dates> | |
<discovery>2008-03-19</discovery> | |
<entry>2015-08-25</entry> | |
<modified>2015-08-25</modified> | |
</dates> | |
</vuln> | |
<vuln vid="6900e6f1-4a79-11e5-9ad8-14dae9d210b8"> | |
<topic>pcre -- heap overflow vulnerability</topic> | |
<affects> | |
<package> | |
<name>pcre</name> | |
<range><lt>8.37_4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Guanxing Wen reports:</p> | |
<blockquote cite="http://seclists.org/oss-sec/2015/q3/295"> | |
<p>The PCRE library is prone to a vulnerability which leads to
a heap overflow.
During the compilation of a malformed regular expression, more data is
written on the malloced block than the expected size output by
compile_regex().
The heap overflow vulnerability is caused by the following regular
expression.</p>
<p>/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/</p>
<p>A dry run of this particular regular expression with pcretest will
report "double free or corruption (!prev)".
But it is actually a heap overflow problem.
The overflow only affects the pcre 8.x branch; the pcre2 branch is not affected.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q3/295</url>
<url>https://bugs.exim.org/show_bug.cgi?id=1672</url>
</references>
<dates>
<discovery>2015-08-21</discovery>
<entry>2015-08-24</entry>
</dates>
</vuln>
<vuln vid="9393213d-489b-11e5-b8c7-d050996490d0">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal6</name>
<range><lt>6.37</lt></range>
</package>
<package>
<name>drupal7</name>
<range><lt>7.39</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal development team reports:</p>
<blockquote cite="https://www.drupal.org/SA-CORE-2015-003">
<p>This security advisory fixes multiple vulnerabilities.
See below for a list.</p>
<h3>Cross-site Scripting - Ajax system - Drupal 7</h3>
<p>A vulnerability was found that allows a malicious
user to perform a cross-site scripting attack by
invoking Drupal.ajax() on a whitelisted HTML element.</p>
<p>This vulnerability is mitigated on sites that do not
allow untrusted users to enter HTML.</p>
<h3>Cross-site Scripting - Autocomplete system - Drupal 6 and 7</h3>
<p>A cross-site scripting vulnerability was found in
the autocomplete functionality of forms. The
requested URL is not sufficiently sanitized.</p>
<p>This vulnerability is mitigated by the fact that
the malicious user must be allowed to upload files.</p>
<h3>SQL Injection - Database API - Drupal 7</h3>
<p>A vulnerability was found in the SQL comment
filtering system which could allow a user with
elevated permissions to inject malicious code in
SQL comments.</p>
<p>This vulnerability is mitigated by the fact that
only one contributed module that the security team
found uses the comment filtering system in a way
that would trigger the vulnerability. That module
requires you to have a very high level of access
in order to perform the attack.</p>
<h3>Cross-site Request Forgery - Form API - Drupal 6 and 7</h3>
<p>A vulnerability was discovered in Drupal's form API
that could allow file upload value callbacks to run
with untrusted input, due to form token validation
not being performed early enough. This vulnerability
could allow a malicious user to upload files to the
site under another user's account.</p>
<p>This vulnerability is mitigated by the fact that
the uploaded files would be temporary, and Drupal
normally deletes temporary files automatically
after 6 hours.</p>
<h3>Information Disclosure in Menu Links - Access system - Drupal 6 and 7</h3>
<p>Users without the "access content" permission
can see the titles of nodes that they do not have
access to, if the nodes are added to a menu on the
site that the users have access to.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.drupal.org/SA-CORE-2015-003</url>
</references>
<dates>
<discovery>2015-08-19</discovery>
<entry>2015-08-22</entry>
</dates>
</vuln>
<vuln vid="2920c449-4850-11e5-825f-c80aa9043978">
<topic>OpenSSH -- PAM vulnerabilities</topic>
<affects>
<package>
<name>openssh-portable</name>
<range><lt>7.0.p1,1</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.2</ge><lt>10.2_2</lt></range>
<range><ge>10.1</ge><lt>10.1_19</lt></range>
<range><ge>9.3</ge><lt>9.3_24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://www.openssh.com/txt/release-7.0">
<p>OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable.
Local attackers may be able to write arbitrary messages to
logged-in users, including terminal escape sequences. Reported
by Nikolay Edigaryev.</p>
<p>Fixed a privilege separation
weakness related to PAM support. Attackers who could successfully
compromise the pre-authentication process for remote code
execution and who had valid credentials on the host could
impersonate other users.</p>
<p>Fixed a use-after-free bug
related to PAM support that was reachable by attackers who could
compromise the pre-authentication process for remote code
execution.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openssh.com/txt/release-7.0</url>
<cvename>CVE-2015-6563</cvename>
<cvename>CVE-2015-6564</cvename>
<cvename>CVE-2015-6565</cvename>
<freebsdsa>SA-15:22.openssh</freebsdsa>
</references>
<dates>
<discovery>2015-08-11</discovery>
<entry>2015-08-21</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="27fed73e-484f-11e5-825f-c80aa9043978">
<topic>OpenSSH -- PermitRootLogin may allow password connections with 'without-password'</topic>
<affects>
<package>
<name>openssh-portable</name>
<range><eq>7.0.p1,1</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://www.openssh.com/txt/release-7.1">
<p>OpenSSH 7.0 contained a logic error in PermitRootLogin=
prohibit-password/without-password that could, depending on
compile-time configuration, permit password authentication to
root while preventing other forms of authentication. This problem
was reported by Mantas Mikulenas.
</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openssh.com/txt/release-7.1</url>
</references>
<dates>
<discovery>2015-08-20</discovery>
<entry>2015-08-21</entry>
</dates>
</vuln>
<vuln vid="2fe40238-480f-11e5-adde-14dae9d210b8">
<topic>tarsnap -- buffer overflow and local DoS</topic>
<affects>
<package>
<name>tarsnap</name>
<range><lt>1.0.36</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Colin Percival reports:</p>
<blockquote cite="http://mail.tarsnap.com/tarsnap-announce/msg00032.html">
<p>1. SECURITY FIX: When constructing paths of objects being archived, a buffer
could overflow by one byte upon encountering 1024, 2048, 4096, etc. byte
paths. Theoretically this could be exploited by an unprivileged user whose
files are being archived; I do not believe it is exploitable in practice,
but I am offering a $1000 bounty for the first person who can prove me wrong:
http://www.daemonology.net/blog/2015-08-21-tarsnap-1000-exploit-bounty.html</p>
<p>2. SECURITY FIX: An attacker with a machine's write keys, or with read keys
and control of the tarsnap service, could make tarsnap allocate a large
amount of memory upon listing archives or reading an archive the attacker
created; on 32-bit machines, tarsnap can be caused to crash under the
aforementioned conditions.</p>
</blockquote>
</body>
</description>
<references>
<url>http://mail.tarsnap.com/tarsnap-announce/msg00032.html</url>
<url>http://www.daemonology.net/blog/2015-08-21-tarsnap-1000-exploit-bounty.html</url>
</references>
<dates>
<discovery>2015-08-21</discovery>
<entry>2015-08-21</entry>
</dates>
</vuln>
<vuln vid="a0a4e24c-4760-11e5-9391-3c970e169bc2">
<topic>vlc -- arbitrary pointer dereference vulnerability</topic>
<affects>
<package>
<name>vlc</name>
<range><lt>2.2.1_5,4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oCERT reports:</p>
<blockquote cite="https://www.ocert.org/advisories/ocert-2015-009.html">
<p>The stable VLC version suffers from an arbitrary pointer
dereference vulnerability.</p>
<p>The vulnerability affects the 3GP file format parser;
insufficient restrictions on a writable buffer can be
exploited to execute arbitrary code via the heap memory.
A specific 3GP file can be crafted to trigger the
vulnerability.</p>
<p>Credit: vulnerability reported by Loren Maggiore of
Trail of Bits.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5949</cvename>
<url>https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=ce91452460a75d7424b165c4dc8db98114c3cbd9;hp=9e12195d3e4316278af1fa4bcb6a705ff27456fd</url>
<url>https://www.ocert.org/advisories/ocert-2015-009.html</url>
</references>
<dates>
<discovery>2015-08-20</discovery>
<entry>2015-08-20</entry>
</dates>
</vuln>
<vuln vid="9a71953a-474a-11e5-adde-14dae9d210b8">
<topic>libpgf -- use-after-free</topic>
<affects>
<package>
<name>libpgf</name>
<range><le>6.14.12</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pengsu Cheng reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/404">
<p>A use-after-free issue in Decoder.cpp was reported to
upstream. The problem is due to lack of validation of ColorTableSize.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q3/404</url>
<url>https://sourceforge.net/p/libpgf/code/147/</url>
<url>https://sourceforge.net/p/libpgf/code/148/</url>
<cvename>CVE-2015-6673</cvename>
</references>
<dates>
<discovery>2015-08-08</discovery>
<entry>2015-08-20</entry>
<modified>2015-08-26</modified>
</dates>
</vuln>
<vuln vid="f5b8b670-465c-11e5-a49d-bcaec565249c">
<topic>gdk-pixbuf2 -- heap overflow and DoS</topic>
<affects>
<package>
<name>gdk-pixbuf2</name>
<range><lt>2.31.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Grieco reports:</p>
<blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=752297">
<p>We found a heap overflow and a DoS in the gdk-pixbuf
implementation triggered by the scaling of a malformed bmp.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4491</cvename>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=752297</url>
</references>
<dates>
<discovery>2015-07-12</discovery>
<entry>2015-08-19</entry>
</dates>
</vuln>
<vuln vid="b0e54dc1-45d2-11e5-adde-14dae9d210b8">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py27-django</name>
<name>py32-django</name>
<name>py33-django</name>
<name>py34-django</name>
<range><lt>1.8.4</lt></range>
</package>
<package>
<name>py27-django17</name>
<name>py32-django17</name>
<name>py33-django17</name>
<name>py34-django17</name>
<range><lt>1.7.10</lt></range>
</package>
<package>
<name>py27-django14</name>
<name>py32-django14</name>
<name>py33-django14</name>
<name>py34-django14</name>
<range><lt>1.4.22</lt></range>
</package>
<package>
<name>py27-django-devel</name>
<name>py32-django-devel</name>
<name>py33-django-devel</name>
<name>py34-django-devel</name>
<range><le>20150709,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tim Graham reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2015/aug/18/security-releases/">
<p>Denial-of-service possibility in logout() view by filling
session store</p>
<p>Previously, a session could be created when anonymously
accessing the django.contrib.auth.views.logout view
(provided it wasn't decorated with django.contrib.auth.decorators.login_required
as done in the admin). This could allow an attacker to
easily create many new session records by sending repeated
requests, potentially filling up the session store or
causing other users' session records to be evicted.</p>
<p>The django.contrib.sessions.middleware.SessionMiddleware
has been modified to no longer create empty session records.</p>
<p>This portion of the fix has been assigned CVE-2015-5963.</p>
<p>Additionally, on the 1.4 and 1.7 series only, the
contrib.sessions.backends.base.SessionBase.flush() and
cache_db.SessionStore.flush() methods have been modified
to avoid creating a new empty session. Maintainers of
third-party session backends should check if the same
vulnerability is present in their backend and correct
it if so.</p>
<p>This portion of the fix has been assigned CVE-2015-5964.
Anyone reporting a similar vulnerability in a third-party
session backend should not use this CVE ID.</p>
<p>Thanks Lin Hua Cheng for reporting the issue.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2015/aug/18/security-releases/</url>
<cvename>CVE-2015-5963</cvename>
<cvename>CVE-2015-5964</cvename>
</references>
<dates>
<discovery>2015-08-18</discovery>
<entry>2015-08-18</entry>
</dates>
</vuln>
<vuln vid="0ecc1f55-45d0-11e5-adde-14dae9d210b8">
<topic>unreal -- denial of service</topic>
<affects>
<package>
<name>Unreal</name>
<range><ge>3.2.10</ge><lt>3.2.10.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Unreal reports:</p>
<blockquote cite="https://www.unrealircd.org/txt/unrealsecadvisory.20150816.txt">
<p>Summary: If SASL support is enabled in UnrealIRCd (this is
not the default) and is also enabled in your services
package then a malicious user with a services account can cause
UnrealIRCd to crash.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.unrealircd.org/txt/unrealsecadvisory.20150816.txt</url>
<url>http://seclists.org/oss-sec/2015/q3/367</url>
</references>
<dates>
<discovery>2015-08-13</discovery>
<entry>2015-08-18</entry>
</dates>
</vuln>
<vuln vid="f1692469-45ce-11e5-adde-14dae9d210b8">
<topic>jasper -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jasper</name>
<range><lt>1.900.1_16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Martin Prpic reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=1254242#c0">
<p>A double free flaw was found in the way JasPer's
jasper_image_stop_load() function parsed certain JPEG 2000 image files.
A specially crafted file could cause an application using JasPer to
crash.</p>
</blockquote>
<p>Feist Josselin reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/408">
<p>A new use-after-free was found in Jasper JPEG-200. The
use-after-free appears in the function mif_process_cmpt of the
src/libjasper/mif/mif_cod.c file.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1254242#c0</url>
<url>http://seclists.org/oss-sec/2015/q3/366</url>
<url>http://seclists.org/oss-sec/2015/q3/408</url>
<cvename>CVE-2015-5203</cvename>
<cvename>CVE-2015-5221</cvename>
</references>
<dates>
<discovery>2015-08-17</discovery>
<entry>2015-08-18</entry>
<modified>2016-02-24</modified>
</dates>
</vuln>
<vuln vid="a59e263a-45cd-11e5-adde-14dae9d210b8">
<topic>freexl -- integer overflow</topic>
<affects>
<package>
<name>freexl</name>
<range><lt>1.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stefan Cornelius reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/07/06/7">
<p>There's an integer overflow in the allocate_cells() function
when trying to allocate the memory for a worksheet with specially
crafted row/column dimensions. This can be exploited to cause a
heap memory corruption. The most likely outcome of this is a crash
when trying to initialize the cells later in the function.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2015/07/06/7</url>
</references>
<dates>
<discovery>2015-07-06</discovery>
<entry>2015-08-18</entry>
</dates>
</vuln>
<vuln vid="ac98d090-45cc-11e5-adde-14dae9d210b8">
<topic>freexl -- multiple vulnerabilities</topic>
<affects>
<package>
<name>freexl</name>
<range><lt>1.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jodie Cunningham reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/03/25/1">
<p>#1: A flaw was found in the way FreeXL reads sectors from
the input file. A specially crafted file could possibly
result in stack corruption near freexl.c:3752.</p>
<p>#2: A flaw was found in the function allocate_cells(). A
specially crafted file with invalid workbook dimensions
could possibly result in stack corruption near freexl.c:1074.</p>
<p>#3: A flaw was found in the way FreeXL handles a premature EOF. A
specially crafted input file could possibly result in stack corruption
near freexl.c:1131.</p>
<p>#4: FreeXL 1.0.0g did not properly check requests for workbook memory
allocation. A specially crafted input file could cause a Denial of
Service, or possibly write onto the stack.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2015/03/25/1</url>
<cvename>CVE-2015-2776</cvename>
</references>
<dates>
<discovery>2015-03-24</discovery>
<entry>2015-08-18</entry>
</dates>
</vuln>
<vuln vid="47aa4343-44fa-11e5-9daa-14dae9d210b8">
<topic>mod_jk -- information disclosure</topic>
<affects>
<package>
<name>ap22-mod_jk</name>
<name>ap24-mod_jk</name>
<range><lt>1.2.41,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NIST reports:</p>
<blockquote cite="http://www.cvedetails.com/cve/CVE-2014-8111/">
<p>Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores
JkUnmount rules for subtrees of previous JkMount rules, which allows
remote attackers to access otherwise restricted artifacts via
unspecified vectors.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.mail-archive.com/users@tomcat.apache.org/msg118949.html</url>
<url>http://readlist.com/lists/tomcat.apache.org/users/27/135512.html</url>
<url>http://www.cvedetails.com/cve/CVE-2014-8111/</url>
<cvename>CVE-2014-8111</cvename>
</references>
<dates>
<discovery>2015-01-15</discovery>
<entry>2015-08-17</entry>
</dates>
</vuln>
<vuln vid="f06f20dc-4347-11e5-93ad-002590263bf5">
<topic>qemu, xen-tools -- QEMU leak of uninitialized heap memory in rtl8139 device model</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><le>0.11.1_20</le></range>
<range><ge>0.12</ge><le>2.3.0_2</le></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.4.50.g20150814</lt></range>
</package>
<package>
<name>xen-tools</name>
<range><lt>4.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-140.html">
<p>The QEMU model of the RTL8139 network card did not sufficiently
validate inputs in the C+ mode offload emulation. This results in
uninitialised memory from the QEMU process's heap being leaked to
the domain as well as to the network.</p>
<p>A guest may be able to read sensitive host-level data relating to
itself which resides in the QEMU process.</p>
<p>Such information may include things such as information relating to
real devices backing emulated devices or passwords which the host
administrator does not intend to share with the guest admin.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5165</cvename>
<url>http://xenbits.xen.org/xsa/advisory-140.html</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=2a3612ccc1fa9cea77bd193afbfe21c77e7e91ef</url>
</references>
<dates>
<discovery>2015-08-03</discovery>
<entry>2015-08-17</entry>
<modified>2015-08-19</modified>
</dates>
</vuln>
<vuln vid="ee99899d-4347-11e5-93ad-002590263bf5">
<topic>qemu, xen-tools -- use-after-free in QEMU/Xen block unplug protocol</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><le>0.11.1_20</le></range>
<range><ge>0.12</ge><le>2.3.0_2</le></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.4.50.g20150814</lt></range>
</package>
<package>
<name>xen-tools</name>
<range><lt>4.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-139.html">
<p>When unplugging an emulated block device the device was not fully
unplugged, meaning a second unplug attempt would attempt to unplug
the device a second time using a previously freed pointer.</p>
<p>An HVM guest which has access to an emulated IDE disk device may be
able to exploit this vulnerability in order to take over the qemu
process elevating its privilege to that of the qemu process.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5166</cvename>
<url>http://xenbits.xen.org/xsa/advisory-139.html</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=260425ab405ea76c44dd59744d05176d4f579a52</url>
</references>
<dates>
<discovery>2015-08-03</discovery>
<entry>2015-08-17</entry>
<modified>2015-08-19</modified>
</dates>
</vuln>
<vuln vid="787ef75e-44da-11e5-93ad-002590263bf5">
<topic>php5 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<name>php5-openssl</name>
<name>php5-phar</name>
<name>php5-soap</name>
<range><lt>5.4.44</lt></range>
</package>
<package>
<name>php55</name>
<name>php55-openssl</name>
<name>php55-phar</name>
<name>php55-soap</name>
<range><lt>5.5.28</lt></range>
</package>
<package>
<name>php56</name>
<name>php56-openssl</name>
<name>php56-phar</name>
<name>php56-soap</name>
<range><lt>5.6.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP project reports:</p>
<blockquote cite="http://php.net/ChangeLog-5.php">
<p>Core:</p>
<ul>
<li>Fixed bug #69793 (Remotely triggerable stack exhaustion via
recursive method calls).</li>
<li>Fixed bug #70121 (unserialize() could lead to unexpected methods
execution / NULL pointer deref).</li>
</ul>
<p>OpenSSL:</p>
<ul>
<li>Fixed bug #70014 (openssl_random_pseudo_bytes() is not
cryptographically secure).</li>
</ul>
<p>Phar:</p>
<ul>
<li>Improved fix for bug #69441.</li>
<li>Fixed bug #70019 (Files extracted from archive may be placed
outside of destination directory).</li>
</ul>
<p>SOAP:</p>
<ul>
<li>Fixed bug #70081 (SoapClient info leak / null pointer
dereference via multiple type confusions).</li>
</ul>
<p>SPL:</p>
<ul>
<li>Fixed bug #70068 (Dangling pointer in the unserialization of
ArrayObject items).</li>
<li>Fixed bug #70166 (Use After Free Vulnerability in unserialize()
with SPLArrayObject).</li>
<li>Fixed bug #70168 (Use After Free Vulnerability in unserialize()
with SplObjectStorage).</li>
<li>Fixed bug #70169 (Use After Free Vulnerability in unserialize()
with SplDoublyLinkedList).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://php.net/ChangeLog-5.php#5.4.44</url>
<url>http://php.net/ChangeLog-5.php#5.5.28</url>
<url>http://php.net/ChangeLog-5.php#5.6.12</url>
<cvename>CVE-2015-6831</cvename>
<cvename>CVE-2015-6832</cvename>
<cvename>CVE-2015-6833</cvename>
</references>
<dates>
<discovery>2015-08-06</discovery>
<entry>2015-08-17</entry>
<modified>2015-09-08</modified>
</dates>
</vuln>
<vuln vid="6241b5df-42a1-11e5-93ad-002590263bf5">
<topic>mediawiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mediawiki123</name>
<range><lt>1.23.10</lt></range>
</package>
<package>
<name>mediawiki124</name>
<range><lt>1.24.3</lt></range>
</package>
<package>
<name>mediawiki125</name>
<range><lt>1.25.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MediaWiki reports:</p>
<blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-August/000179.html">
<p>Internal review discovered that Special:DeletedContributions did
not properly protect the IP of autoblocked users. This fix makes
the functionality of Special:DeletedContributions consistent with
Special:Contributions and Special:BlockList.</p>
<p>Internal review discovered that watchlist anti-csrf tokens were not
being compared in constant time, which could allow various timing
attacks. This could allow an attacker to modify a user's watchlist
via csrf.</p>
<p>John Menerick reported that MediaWiki's thumb.php failed to sanitize
various error messages, resulting in xss.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6727</cvename>
<cvename>CVE-2013-7444</cvename>
<cvename>CVE-2015-6728</cvename>
<cvename>CVE-2015-6729</cvename>
<cvename>CVE-2015-6730</cvename>
<cvename>CVE-2015-6731</cvename>
<cvename>CVE-2015-6733</cvename>
<cvename>CVE-2015-6734</cvename>
<cvename>CVE-2015-6735</cvename>
<cvename>CVE-2015-6736</cvename>
<cvename>CVE-2015-6737</cvename>
<url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-August/000179.html</url>
<url>https://phabricator.wikimedia.org/T106893</url>
<url>https://phabricator.wikimedia.org/T94116</url>
<url>https://phabricator.wikimedia.org/T97391</url>
<url>http://www.openwall.com/lists/oss-security/2015/08/27/6</url>
</references>
<dates>
<discovery>2015-08-10</discovery>
<entry>2015-08-14</entry>
<modified>2015-12-24</modified>
</dates>
</vuln>
<vuln vid="0c2c4d84-42a2-11e5-9daa-14dae9d210b8">
<topic>freeradius3 -- insufficient validation on packets</topic>
<affects>
<package>
<name>freeradius3</name>
<range><lt>3.0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jouni Malinen reports:</p>
<blockquote cite="http://freeradius.org/security.html#eap-pwd-2015">
<p>The EAP-PWD module performed insufficient validation on
packets received from an EAP peer. This module is not enabled in the
default configuration. Administrators must manually enable it for their
server to be vulnerable. Only versions 3.0 up to 3.0.8 are affected.</p>
</blockquote>
</body>
</description>
<references>
<url>http://freeradius.org/security.html#eap-pwd-2015</url>
</references>
<dates>
<discovery>2015-04-04</discovery>
<entry>2015-08-14</entry>
</dates>
</vuln>
<vuln vid="ec6a2a1e-429d-11e5-9daa-14dae9d210b8">
<topic>gnutls -- double free in certificate DN decoding</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>3.3.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>gnutls.org reports:</p>
<blockquote cite="http://www.gnutls.org/security.html#GNUTLS-SA-2015-3">
<p>Kurt Roeckx reported that decoding a specific certificate with very
long DistinguishedName (DN) entries leads to a double free, which may
result in a denial of service. Since the DN decoding occurs in almost
all applications using certificates it is recommended to upgrade to the
latest GnuTLS version fixing the issue. Recommendation: Upgrade to
GnuTLS 3.4.4, or 3.3.17.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.gnutls.org/security.html#GNUTLS-SA-2015-3</url>
<mlist>http://seclists.org/oss-sec/2015/q3/308</mlist>
<url>https://gitlab.com/gnutls/gnutls/commit/272854367efc130fbd4f1a51840d80c630214e12</url>
<cvename>CVE-2015-6251</cvename>
</references>
<dates>
<discovery>2015-07-20</discovery>
<entry>2015-08-14</entry>
<modified>2015-08-18</modified>
</dates>
</vuln>
<vuln vid="3de36a19-429d-11e5-9daa-14dae9d210b8">
<topic>gnutls -- MD5 downgrade in TLS signatures</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>3.3.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Karthikeyan Bhargavan reports:</p>
<blockquote cite="http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/8132">
<p>GnuTLS does not by default support MD5 signatures. Indeed the RSA-MD5
signature-hash algorithm needs to be explicitly enabled using the
priority option VERIFY_ALLOW_SIGN_RSA_MD5. In the NORMAL and SECURE
profiles, GnuTLS clients do not offer RSA-MD5 in the signature
algorithms extension. However, we find that all GnuTLS clients still
accept RSA-MD5 in the ServerKeyExchange and GnuTLS servers still
accept RSA-MD5 in the ClientCertificateVerify.</p>
</blockquote>
</body>
</description>
<references>
<mlist>http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/8132</mlist>
<url>http://www.gnutls.org/security.html#GNUTLS-SA-2015-2</url>
<mlist>http://seclists.org/oss-sec/2015/q2/367</mlist>
</references>
<dates>
<discovery>2015-04-25</discovery>
<entry>2015-08-14</entry>
</dates>
</vuln>
<vuln vid="9ee72858-4159-11e5-93ad-002590263bf5">
<topic>froxlor -- database password information leak</topic>
<affects>
<package>
<name>froxlor</name>
<range><lt>0.9.33.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oss-security-list@demlak.de reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/238">
<p>An unauthenticated remote attacker is able to get the database
password via web access due to wrong file permissions of the /logs/
folder in froxlor version 0.9.33.1 and earlier. The plain SQL
password and username may be stored in the /logs/sql-error.log file.
This directory is publicly reachable under the default
configuration/setup.</p>
</blockquote>
<p>Note that froxlor 0.9.33.2 prevents future logging of passwords but
does not retroactively remove passwords already logged. Michael
Kaufmann, the Froxlor lead developer, reports:</p>
<blockquote cite="http://forum.froxlor.org/index.php/topic/13054-important-bugfix-release-09332/#entry30025">
<p>Removing all .log files from the directory should do the job;
alternatively, just use the class.ConfigIO.php from Github.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5959</cvename>
<freebsdpr>ports/202262</freebsdpr>
<url>http://seclists.org/oss-sec/2015/q3/238</url>
<url>https://forum.froxlor.org/index.php/topic/13054-important-bugfix-release-09332/</url>
</references>
<dates>
<discovery>2015-07-29</discovery>
<entry>2015-08-13</entry>
</dates>
</vuln>
<vuln vid="83b38a2c-413e-11e5-bfcf-6805ca0b3d42">
<topic>RT -- two XSS vulnerabilities</topic>
<affects>
<package>
<name>rt42</name>
<range><ge>4.2.0</ge><lt>4.2.12</lt></range>
</package>
<package>
<name>rt40</name>
<range><ge>4.0.0</ge><lt>4.0.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Best Practical reports:</p>
<blockquote cite="http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html">
<p>RT 4.0.0 and above are vulnerable to a cross-site
scripting (XSS) attack via the user and group rights
management pages. This vulnerability is assigned
CVE-2015-5475. It was discovered and reported by Marcin
Kopec at Data Reliance Shared Service Center.</p>
<p>RT 4.2.0 and above are vulnerable to a cross-site
scripting (XSS) attack via the cryptography interface.
This vulnerability could allow an attacker with a
carefully-crafted key to inject JavaScript into RT's user
interface. Installations which use neither GnuPG nor
S/MIME are unaffected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5475</cvename>
<cvename>CVE-2015-6506</cvename>
<url>http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html</url>
</references>
<dates>
<discovery>2015-08-12</discovery>
<entry>2015-08-12</entry>
<modified>2015-08-18</modified>
</dates>
</vuln>
<vuln vid="09fff0d9-4126-11e5-9f01-14dae9d210b8">
<topic>py-foolscap -- local file inclusion</topic>
<affects>
<package>
<name>py27-foolscap</name>
<name>py32-foolscap</name>
<name>py33-foolscap</name>
<name>py34-foolscap</name>
<range><lt>0.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Brian Warner reports:</p>
<blockquote cite="https://github.com/warner/foolscap/blob/a17218e18e01c05a9655863cd507b80561692c14/NEWS">
<p>The "flappserver" feature was found to have a vulnerability in the
service-lookup code which, when combined with an attacker who has the ability
to write files to a location where the flappserver process could read them,
would allow that attacker to obtain control of the flappserver process.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/warner/foolscap/blob/a17218e18e01c05a9655863cd507b80561692c14/NEWS</url>
<url>http://foolscap.lothar.com/trac/ticket/226</url>
</references>
<dates>
<discovery>2014-09-23</discovery>
<entry>2015-08-12</entry>
</dates>
</vuln>
<vuln vid="42c98cef-62b1-4b8b-9065-f4621e08d526">
<topic>libvpx -- out-of-bounds write</topic>
<affects>
<package>
<name>libvpx</name>
<range><lt>1.4.0</lt></range>
</package>
<package>
<name>firefox</name>
<range><lt>33.0,1</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>31.1.2,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>33.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.30</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>31.1.2</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.30</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>31.1.2</lt></range>
</package>
<package>
<name>libxul</name>
<range><lt>31.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2014-77/">
<p>Using the Address Sanitizer tool, security researcher
Abhishek Arya (Inferno) of the Google Chrome Security Team
found an out-of-bounds write when buffering WebM format
video containing frames with invalid tile sizes. This can
lead to a potentially exploitable crash during WebM video
playback.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-1578</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2014-77/</url>
<url>https://hg.mozilla.org/releases/mozilla-esr31/rev/6023f0b4f8ba</url>
</references>
<dates>
<discovery>2014-10-14</discovery>
<entry>2015-08-12</entry>
</dates>
</vuln>
<vuln vid="f3778328-d288-4b39-86a4-65877331eaf7">
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<range><lt>11.2r202.508</lt></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.508</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-19.html">
<p>Adobe has released security updates for Adobe Flash Player.
These updates address critical vulnerabilities that could
potentially allow an attacker to take control of the affected
system.</p>
<p>These updates resolve type confusion vulnerabilities that could
lead to code execution (CVE-2015-5128, CVE-2015-5554,
CVE-2015-5555, CVE-2015-5558, CVE-2015-5562).</p>
<p>These updates include further hardening to a mitigation
introduced in version 18.0.0.209 to defend against vector
length corruptions (CVE-2015-5125).</p>
<p>These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2015-5550, CVE-2015-5551,
CVE-2015-3107, CVE-2015-5556, CVE-2015-5130, CVE-2015-5134,
CVE-2015-5539, CVE-2015-5540, CVE-2015-5557, CVE-2015-5559,
CVE-2015-5127, CVE-2015-5563, CVE-2015-5561, CVE-2015-5124,
CVE-2015-5564).</p>
<p>These updates resolve heap buffer overflow vulnerabilities
that could lead to code execution (CVE-2015-5129,
CVE-2015-5541).</p>
<p>These updates resolve buffer overflow vulnerabilities that
could lead to code execution (CVE-2015-5131, CVE-2015-5132,
CVE-2015-5133).</p>
<p>These updates resolve memory corruption vulnerabilities that
could lead to code execution (CVE-2015-5544, CVE-2015-5545,
CVE-2015-5546, CVE-2015-5547, CVE-2015-5548, CVE-2015-5549,
CVE-2015-5552, CVE-2015-5553).</p>
<p>These updates resolve an integer overflow vulnerability that
could lead to code execution (CVE-2015-5560).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3107</cvename>
<cvename>CVE-2015-5124</cvename>
<cvename>CVE-2015-5125</cvename>
<cvename>CVE-2015-5127</cvename>
<cvename>CVE-2015-5128</cvename>
<cvename>CVE-2015-5129</cvename>
<cvename>CVE-2015-5130</cvename>
<cvename>CVE-2015-5131</cvename>
<cvename>CVE-2015-5132</cvename>
<cvename>CVE-2015-5133</cvename>
<cvename>CVE-2015-5134</cvename>
<cvename>CVE-2015-5539</cvename>
<cvename>CVE-2015-5540</cvename>
<cvename>CVE-2015-5541</cvename>
<cvename>CVE-2015-5544</cvename>
<cvename>CVE-2015-5545</cvename>
<cvename>CVE-2015-5546</cvename>
<cvename>CVE-2015-5547</cvename>
<cvename>CVE-2015-5548</cvename>
<cvename>CVE-2015-5549</cvename>
<cvename>CVE-2015-5550</cvename>
<cvename>CVE-2015-5551</cvename>
<cvename>CVE-2015-5552</cvename>
<cvename>CVE-2015-5553</cvename>
<cvename>CVE-2015-5554</cvename>
<cvename>CVE-2015-5555</cvename>
<cvename>CVE-2015-5556</cvename>
<cvename>CVE-2015-5557</cvename>
<cvename>CVE-2015-5558</cvename>
<cvename>CVE-2015-5559</cvename>
<cvename>CVE-2015-5560</cvename>
<cvename>CVE-2015-5561</cvename>
<cvename>CVE-2015-5562</cvename>
<cvename>CVE-2015-5563</cvename>
<cvename>CVE-2015-5564</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-19.html</url>
</references>
<dates>
<discovery>2015-08-11</discovery>
<entry>2015-08-12</entry>
</dates>
</vuln>
<vuln vid="34e60332-2448-4ed6-93f0-12713749f250">
<topic>libvpx -- multiple buffer overflows</topic>
<affects>
<package>
<name>libvpx</name>
<range><lt>1.4.0.488</lt></range>
</package>
<package>
<name>firefox</name>
<range><lt>40.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>40.0,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/security/advisories/mfsa2015-89/">
<p>Security researcher Abhishek Arya (Inferno) of the Google
Chrome Security Team used the Address Sanitizer tool to
discover two buffer overflow issues in the Libvpx library
used for WebM video when decoding a malformed WebM video
file. These buffer overflows result in potentially
exploitable crashes.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4485</cvename>
<cvename>CVE-2015-4486</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-89/</url>
</references>
<dates>
<discovery>2015-08-11</discovery>
<entry>2015-08-11</entry>
<modified>2015-08-14</modified>
</dates>
</vuln>
<vuln vid="c66a5632-708a-4727-8236-d65b2d5b2739">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>40.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>40.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><ge>2.36</ge><lt>2.37</lt></range>
<!-- seamonkey-2.35 milestone.txt: 38.2.0esrpre -->
<range><lt>2.35</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><ge>2.36</ge><lt>2.37</lt></range>
<!-- seamonkey-2.35 milestone.txt: 38.2.0esrpre -->
<range><lt>2.35</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>38.2.0,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><lt>38.2.0</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>38.2.0</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>38.2.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/">
<p>MFSA 2015-79 Miscellaneous memory safety hazards (rv:40.0
/ rv:38.2)</p>
<p>MFSA 2015-80 Out-of-bounds read with malformed MP3
file</p>
<p>MFSA 2015-81 Use-after-free in MediaStream playback</p>
<p>MFSA 2015-82 Redefinition of non-configurable JavaScript object properties</p>
<p>MFSA 2015-83 Overflow issues in libstagefright</p>
<p>MFSA 2015-84 Arbitrary file overwriting through Mozilla
Maintenance Service with hard links</p>
<p>MFSA 2015-85 Out-of-bounds write with Updater and
malicious MAR file</p>
<p>MFSA 2015-86 Feed protocol with POST bypasses mixed
content protections</p>
<p>MFSA 2015-87 Crash when using shared memory in
JavaScript</p>
<p>MFSA 2015-88 Heap overflow in gdk-pixbuf when scaling
bitmap images</p>
<p>MFSA 2015-90 Vulnerabilities found through code
inspection</p>
<p>MFSA 2015-91 Mozilla Content Security Policy allows for
asterisk wildcards in violation of CSP specification</p>
<p>MFSA 2015-92 Use-after-free in XMLHttpRequest with shared
workers</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4473</cvename>
<cvename>CVE-2015-4474</cvename>
<cvename>CVE-2015-4475</cvename>
<cvename>CVE-2015-4477</cvename>
<cvename>CVE-2015-4478</cvename>
<cvename>CVE-2015-4479</cvename>
<cvename>CVE-2015-4480</cvename>
<cvename>CVE-2015-4481</cvename>
<cvename>CVE-2015-4482</cvename>
<cvename>CVE-2015-4483</cvename>
<cvename>CVE-2015-4484</cvename>
<cvename>CVE-2015-4487</cvename>
<cvename>CVE-2015-4488</cvename>
<cvename>CVE-2015-4489</cvename>
<cvename>CVE-2015-4490</cvename>
<cvename>CVE-2015-4491</cvename>
<cvename>CVE-2015-4492</cvename>
<cvename>CVE-2015-4493</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-79/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-80/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-81/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-82/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-83/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-84/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-85/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-86/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-87/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-88/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-90/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-91/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-92/</url>
</references>
<dates>
<discovery>2015-08-11</discovery>
<entry>2015-08-11</entry>
<modified>2015-08-22</modified>
</dates>
</vuln>
<vuln vid="dd7f29cc-3ee9-11e5-93ad-002590263bf5">
<topic>lighttpd -- Log injection vulnerability in mod_auth</topic>
<affects>
<package>
<name>lighttpd</name>
<range><lt>1.4.36</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3200">
<p>mod_auth in lighttpd before 1.4.36 allows remote attackers to
inject arbitrary log entries via a basic HTTP authentication string
without a colon character, as demonstrated by a string containing a
NULL and new line character.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3200</cvename>
<url>http://redmine.lighttpd.net/issues/2646</url>
</references>
<dates>
<discovery>2015-05-25</discovery>
<entry>2015-08-10</entry>
</dates>
</vuln>
<vuln vid="ff0acfb4-3efa-11e5-93ad-002590263bf5">
<topic>pcre -- heap overflow vulnerability in '(?|' situations</topic>
<affects>
<package>
<name>pcre</name>
<range><le>8.37_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Venustech ADLAB reports:</p>
<blockquote cite="https://bugs.exim.org/show_bug.cgi?id=1667">
<p>PCRE library is prone to a vulnerability which leads to Heap
Overflow. During the compilation of a malformed regular expression,
more data is written on the malloced block than the expected size
output by compile_regex. Exploits with advanced Heap Fengshui
techniques may allow an attacker to execute arbitrary code in the
context of the user running the affected application.</p>
<p>The latest version of PCRE is prone to a Heap Overflow vulnerability
which could be caused by the following regular expression.</p>
<p>/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/202209</freebsdpr>
<url>https://bugs.exim.org/show_bug.cgi?id=1667</url>
</references>
<dates>
<discovery>2015-08-05</discovery>
<entry>2015-08-10</entry>
</dates>
</vuln>
<vuln vid="8eee06d4-c21d-4f07-a669-455151ff426f">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>39.0.3,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>39.0.3,1</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>38.1.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/">
<p>MFSA 2015-78 Same origin violation and local file
stealing via PDF reader</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4495</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-78/</url>
</references>
<dates>
<discovery>2015-08-06</discovery>
<entry>2015-08-07</entry>
</dates>
</vuln>
<vuln vid="ac5ec8e3-3c6c-11e5-b921-00a0986f28c4">
<topic>wordpress -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.2.4,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gary Pendergast reports:</p>
<blockquote cite="https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/">
<p>WordPress 4.2.4 fixes three cross-site scripting vulnerabilities
and a potential SQL injection that could be used to compromise a
site.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/</url>
<cvename>CVE-2015-2213</cvename>
<cvename>CVE-2015-5730</cvename>
<cvename>CVE-2015-5731</cvename>
<cvename>CVE-2015-5732</cvename>
<cvename>CVE-2015-5733</cvename>
<cvename>CVE-2015-5734</cvename>
</references>
<dates>
<discovery>2015-08-04</discovery>
<entry>2015-08-06</entry>
<modified>2015-09-15</modified>
</dates>
</vuln>
<vuln vid="57bb5e3d-3c4f-11e5-a4d4-001e8c75030d">
<topic>subversion -- multiple vulnerabilities</topic>
<affects>
<package>
<name>subversion</name>
<range><ge>1.8.0</ge><lt>1.8.14</lt></range>
<range><ge>1.7.0</ge><lt>1.7.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion reports:</p>
<blockquote cite="http://svn.haxx.se/dev/archive-2015-08/0024.shtml">
<p>CVE-2015-3184:<br/>
Subversion's mod_authz_svn does not properly restrict anonymous access
in some mixed anonymous/authenticated environments when
using Apache httpd 2.4.</p>
<p>CVE-2015-3187:<br/>
Subversion servers, both httpd and svnserve, will reveal some
paths that should be hidden by path-based authz.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3184</cvename>
<url>http://subversion.apache.org/security/CVE-2015-3184-advisory.txt</url>
<cvename>CVE-2015-3187</cvename>
<url>http://subversion.apache.org/security/CVE-2015-3187-advisory.txt</url>
</references>
<dates>
<discovery>2015-07-27</discovery>
<entry>2015-08-06</entry>
</dates>
</vuln>
<vuln vid="ae8c09cb-32da-11e5-a4a5-002590263bf5">
<topic>elasticsearch -- directory traversal attack via snapshot API</topic>
<affects>
<package>
<name>elasticsearch</name>
<range><ge>1.0.0</ge><lt>1.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/community/security">
<p>Vulnerability Summary: Elasticsearch versions from 1.0.0 to 1.6.0
are vulnerable to a directory traversal attack.</p>
<p>Remediation Summary: Users should upgrade to 1.6.1 or later, or
constrain access to the snapshot API to trusted sources.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5531</cvename>
<freebsdpr>ports/201834</freebsdpr>
<url>https://www.elastic.co/community/security</url>
</references>
<dates>
<discovery>2015-07-16</discovery>
<entry>2015-08-05</entry>
</dates>
</vuln>
<vuln vid="fb3668df-32d7-11e5-a4a5-002590263bf5">
<topic>elasticsearch -- remote code execution via transport protocol</topic>
<affects>
<package>
<name>elasticsearch</name>
<range><lt>1.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/community/security">
<p>Vulnerability Summary: Elasticsearch versions prior to 1.6.1 are
vulnerable to an attack that can result in remote code execution.</p>
<p>Remediation Summary: Users should upgrade to 1.6.1 or 1.7.0.
Alternately, ensure that only trusted applications have access to
the transport protocol port.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5377</cvename>
<freebsdpr>ports/201834</freebsdpr>
<url>https://www.elastic.co/community/security</url>
</references>
<dates>
<discovery>2015-07-16</discovery>
<entry>2015-08-05</entry>
</dates>
</vuln>
<vuln vid="da451130-365d-11e5-a4a5-002590263bf5">
<topic>qemu, xen-tools -- QEMU heap overflow flaw with certain ATAPI commands</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><le>0.11.1_20</le></range>
<range><ge>0.12</ge><le>2.3.0_2</le></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.4.50.g20150814</lt></range>
</package>
<package>
<name>xen-tools</name>
<range><lt>4.5.0_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-138.html">
<p>A heap overflow flaw was found in the way QEMU's IDE subsystem
handled I/O buffer access while processing certain ATAPI
commands.</p>
<p>A privileged guest user in a guest with CDROM drive enabled could
potentially use this flaw to execute arbitrary code on the host
with the privileges of the host's QEMU process corresponding to
the guest.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5154</cvename>
<url>http://xenbits.xen.org/xsa/advisory-138.html</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=e40db4c6d391419c0039fe274c74df32a6ca1a28</url>
</references>
<dates>
<discovery>2015-07-27</discovery>
<entry>2015-08-04</entry>
<modified>2015-08-19</modified>
</dates>
</vuln>
<vuln vid="4622635f-37a1-11e5-9970-14dae9d210b8">
<topic>net-snmp -- snmptrapd crash</topic>
<affects>
<package>
<name>net-snmp</name>
<range><ge>5.7.0</ge><le>5.7.2.1</le></range>
<range><ge>5.6.0</ge><le>5.6.2.1</le></range>
<range><ge>5.5.0</ge><le>5.5.2.1</le></range>
<range><ge>5.4.0</ge><le>5.4.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Murray McAllister reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2014/q3/473">
<p>A remote denial-of-service flaw was found in the way
snmptrapd handled certain SNMP traps when started with the
"-OQ" option. If an attacker sent an SNMP trap containing a
variable with a NULL type where an integer variable type was
expected, it would cause snmptrapd to crash.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2014/q3/473</url>
<url>http://sourceforge.net/p/net-snmp/code/ci/7f4a7b891332899cea26e95be0337aae01648742/</url>
<url>https://sourceforge.net/p/net-snmp/official-patches/48/</url>
<cvename>CVE-2014-3565</cvename>
</references>
<dates>
<discovery>2014-07-31</discovery>
<entry>2015-07-31</entry>
</dates>
</vuln>
<vuln vid="381183e8-3798-11e5-9970-14dae9d210b8">
<topic>net-snmp -- snmp_pdu_parse() function incomplete initialization</topic>
<affects>
<package>
<name>net-snmp</name>
<range><le>5.7.3_7</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Qinghao Tang reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q2/116">
<p>An incompletely initialized vulnerability exists in the function
'snmp_pdu_parse()' of 'snmp_api.c', and remote attackers can cause memory
leak, DOS and possible command executions by sending malicious packets.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q2/116</url>
<url>http://sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791/</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1212408</url>
<cvename>CVE-2015-5621</cvename>
</references>
<dates>
<discovery>2015-04-11</discovery>
<entry>2015-07-31</entry>
</dates>
</vuln>
<vuln vid="731cdeaa-3564-11e5-9970-14dae9d210b8">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind910</name>
<range><lt>9.10.2P3</lt></range>
</package>
<package>
<name>bind99</name>
<range><lt>9.9.7P2</lt></range>
</package>
<package>
<name>bind910-base</name>
<name>bind99-base</name>
<range><gt>0</gt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>9.3</ge><lt>9.3_21</lt></range>
<range><ge>8.4</ge><lt>8.4_35</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01272/">
<p>An error in the handling of TKEY queries can be exploited
by an attacker for use as a denial-of-service vector, as a constructed
packet can use the defect to trigger a REQUIRE assertion failure,
causing BIND to exit.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-15:17.bind</freebsdsa>
<cvename>CVE-2015-5477</cvename>
<url>https://kb.isc.org/article/AA-01272/</url>
</references>
<dates>
<discovery>2015-07-21</discovery>
<entry>2015-07-28</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="5b74a5bc-348f-11e5-ba05-c80aa9043978">
<topic>OpenSSH -- MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices</topic>
<affects>
<package>
<name>openssh-portable</name>
<range><lt>6.9.p1_2,1</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_16</lt></range>
<range><ge>9.3</ge><lt>9.3_21</lt></range>
<range><ge>8.4</ge><lt>8.4_36</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://access.redhat.com/security/cve/CVE-2015-5600">
<p>It was discovered that the OpenSSH sshd daemon did not check the
list of keyboard-interactive authentication methods for duplicates.
A remote attacker could use this flaw to bypass the MaxAuthTries
limit, making it easier to perform password guessing attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>https://access.redhat.com/security/cve/CVE-2015-5600</url>
<cvename>CVE-2015-5600</cvename>
<freebsdsa>SA-15:16.openssh</freebsdsa>
</references>
<dates>
<discovery>2015-07-21</discovery>
<entry>2015-07-27</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="c470bcc7-33fe-11e5-a4a5-002590263bf5">
<topic>logstash -- SSL/TLS vulnerability with Lumberjack input</topic>
<affects>
<package>
<name>logstash</name>
<range><lt>1.4.4</lt></range>
<range><ge>1.5.0</ge><lt>1.5.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/community/security">
<p>Vulnerability Summary: All Logstash versions prior to 1.5.2 that
use Lumberjack input (in combination with Logstash Forwarder agent)
are vulnerable to a SSL/TLS security issue called the FREAK attack.
This allows an attacker to intercept communication and access secure
data. Users should upgrade to 1.5.3 or 1.4.4.</p>
<p>Remediation Summary: Users that do not want to upgrade can address
the vulnerability by disabling the Lumberjack input.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5378</cvename>
<url>https://www.elastic.co/community/security</url>
</references>
<dates>
<discovery>2015-07-22</discovery>
<entry>2015-07-27</entry>
</dates>
</vuln>
<vuln vid="9d732078-32c7-11e5-b263-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>44.0.2403.89</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-npapi</name>
<range><lt>44.0.2403.89</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-pulse</name>
<range><lt>44.0.2403.89</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/">
<p>43 security fixes in this release, including:</p>
<ul>
<li>[446032] High CVE-2015-1271: Heap-buffer-overflow in pdfium.
Credit to cloudfuzzer.</li>
<li>[459215] High CVE-2015-1273: Heap-buffer-overflow in pdfium.
Credit to makosoft.</li>
<li>[461858] High CVE-2015-1274: Settings allowed executable files
to run immediately after download. Credit to andrewm.bpi.</li>
<li>[462843] High CVE-2015-1275: UXSS in Chrome for Android. Credit
to WangTao(neobyte) of Baidu X-Team.</li>
<li>[472614] High CVE-2015-1276: Use-after-free in IndexedDB.
Credit to Collin Payne.</li>
<li>[483981] High CVE-2015-1279: Heap-buffer-overflow in pdfium.
Credit to mlafon.</li>
<li>[486947] High CVE-2015-1280: Memory corruption in skia. Credit
to cloudfuzzer.</li>
<li>[487155] High CVE-2015-1281: CSP bypass. Credit to Masato
Kinugawa.</li>
<li>[487928] High CVE-2015-1282: Use-after-free in pdfium. Credit
to Chamal de Silva.</li>
<li>[492052] High CVE-2015-1283: Heap-buffer-overflow in expat.
Credit to sidhpurwala.huzaifa.</li>
<li>[493243] High CVE-2015-1284: Use-after-free in blink. Credit to
Atte Kettunen of OUSPG.</li>
<li>[504011] High CVE-2015-1286: UXSS in blink. Credit to
anonymous.</li>
<li>[505374] High CVE-2015-1290: Memory corruption in V8. Credit to
Yongjun Liu of NSFOCUS Security Team.</li>
<li>[419383] Medium CVE-2015-1287: SOP bypass with CSS. Credit to
filedescriptor.</li>
<li>[444573] Medium CVE-2015-1270: Uninitialized memory read in
ICU. Credit to Atte Kettunen of OUSPG.</li>
<li>[451456] Medium CVE-2015-1272: Use-after-free related to
unexpected GPU process termination. Credit to Chamal de
Silva.</li>
<li>[479743] Medium CVE-2015-1277: Use-after-free in accessibility.
Credit to SkyLined.</li>
<li>[482380] Medium CVE-2015-1278: URL spoofing using pdf files.
Credit to Chamal de Silva.</li>
<li>[498982] Medium CVE-2015-1285: Information leak in XSS auditor.
Credit to gazheyes.</li>
<li>[479162] Low CVE-2015-1288: Spell checking dictionaries fetched
over HTTP. Credit to mike@michaelruddy.com.</li>
<li>[512110] CVE-2015-1289: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1270</cvename>
<cvename>CVE-2015-1271</cvename>
<cvename>CVE-2015-1272</cvename>
<cvename>CVE-2015-1273</cvename>
<cvename>CVE-2015-1274</cvename>
<cvename>CVE-2015-1275</cvename>
<cvename>CVE-2015-1276</cvename>
<cvename>CVE-2015-1277</cvename>
<cvename>CVE-2015-1278</cvename>
<cvename>CVE-2015-1279</cvename>
<cvename>CVE-2015-1280</cvename>
<cvename>CVE-2015-1281</cvename>
<cvename>CVE-2015-1282</cvename>
<cvename>CVE-2015-1283</cvename>
<cvename>CVE-2015-1284</cvename>
<cvename>CVE-2015-1285</cvename>
<cvename>CVE-2015-1286</cvename>
<cvename>CVE-2015-1287</cvename>
<cvename>CVE-2015-1288</cvename>
<cvename>CVE-2015-1289</cvename>
<cvename>CVE-2015-1290</cvename>
<url>http://googlechromereleases.blogspot.nl/</url>
</references>
<dates>
<discovery>2015-07-21</discovery>
<entry>2015-07-25</entry>
</dates>
</vuln>
<vuln vid="b202e4ce-3114-11e5-aa32-0026551a22dc">
<topic>shibboleth-sp -- DoS vulnerability</topic>
<affects>
<package>
<name>xmltooling</name>
<range><lt>1.5.5</lt></range>
</package>
<package>
<name>opensaml2</name>
<range><lt>2.5.5</lt></range>
</package>
<package>
<name>shibboleth-sp</name>
<range><lt>2.5.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Shibboleth consortium reports:</p> | |
<blockquote cite="http://shibboleth.net/community/advisories/secadv_20150721.txt"> | |
<p> | |
Shibboleth SP software crashes on well-formed but invalid XML. | |
</p> | |
<p> | |
The Service Provider software contains a code path with an uncaught | |
exception that can be triggered by an unauthenticated attacker by | |
supplying well-formed but schema-invalid XML in the form of SAML | |
metadata or SAML protocol messages. The result is a crash and so | |
causes a denial of service. | |
</p> | |
<p> | |
You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or | |
later. The easiest way to do so is to update the whole chain including | |
shibboleth-2.5.5 and opensaml2-2.5.5. | |
</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://shibboleth.net/community/advisories/secadv_20150721.txt</url> | |
<cvename>CVE-2015-2684</cvename> | |
</references> | |
<dates> | |
<discovery>2015-07-21</discovery> | |
<entry>2015-07-23</entry> | |
</dates> | |
</vuln> | |
<vuln vid="c80b27a2-3165-11e5-8a1d-14dae9d210b8"> | |
<topic>wordpress -- XSS vulnerability</topic> | |
<affects> | |
<package> | |
<name>wordpress</name> | |
<range><lt>4.2.3,1</lt></range> | |
</package> | |
<package> | |
<name>de-wordpress</name> | |
<name>ja-wordpress</name> | |
<name>ru-wordpress</name> | |
<name>zh-wordpress-zh_CN</name> | |
<name>zh-wordpress-zh_TW</name> | |
<range><lt>4.2.3</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Gary Pendergast reports:</p> | |
<blockquote cite="https://wordpress.org/news/2015/07/wordpress-4-2-3/"> | |
<p>WordPress versions 4.2.2 and earlier are affected by a | |
cross-site scripting vulnerability, which could allow users with the | |
Contributor or Author role to compromise a site. This was reported by | |
Jon Cave and fixed by Robert Chapin, both of the WordPress security | |
team.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://wordpress.org/news/2015/07/wordpress-4-2-3/</url> | |
<cvename>CVE-2015-5622</cvename> | |
<cvename>CVE-2015-5623</cvename> | |
</references> | |
<dates> | |
<discovery>2015-07-23</discovery> | |
<entry>2015-07-23</entry> | |
<modified>2015-09-15</modified> | |
</dates> | |
</vuln> | |
<vuln vid="4caf01e2-30e6-11e5-a4a5-002590263bf5"> | |
<topic>libidn -- out-of-bounds read issue with invalid UTF-8 input</topic> | |
<affects> | |
<package> | |
<name>libidn</name> | |
<range><lt>1.31</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Simon Josefsson reports:</p> | |
<blockquote cite="http://git.savannah.gnu.org/cgit/libidn.git/plain/NEWS?id=libidn-1-31"> | |
<p>stringprep_utf8_to_ucs4 now rejects invalid UTF-8. This function | |
has always been documented to not validate that the input UTF-8 | |
string is actually valid UTF-8... | |
</p> | |
</blockquote> | |
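<p>The NEWS entry above says what changed but not what a validating decoder has to check. The C decoder below is an added example written for this page, not libidn's stringprep_utf8_to_ucs4(): it converts UTF-8 to UCS-4 and rejects truncated sequences (the case that lets an unchecked decoder read past the end of its input), stray continuation bytes, overlong forms, UTF-16 surrogates and values above U+10FFFF. The function and helper names and the sample strings are this example's own.</p>
<pre><![CDATA[
```c
/* Validating UTF-8 -> UCS-4 decoder.  Added here to spell out what "rejects
 * invalid UTF-8" has to cover so that a truncated or malformed multibyte
 * sequence can never make the decoder read past the end of its input.
 * Illustrative code for this page, not libidn's stringprep_utf8_to_ucs4(). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode `in_len` bytes into `out` (capacity `out_cap` code points).  Returns
 * the number of code points written, or -1 if the input is not well-formed
 * UTF-8 per RFC 3629 or `out` is too small.  Never reads beyond in_len. */
long utf8_to_ucs4(const unsigned char *in, size_t in_len,
                  uint32_t *out, size_t out_cap)
{
    size_t i = 0, n = 0;

    while (i < in_len) {
        unsigned char b0 = in[i];
        size_t need = 0;          /* continuation bytes this lead byte demands */
        uint32_t cp = 0, min = 0; /* accumulator; smallest value this form may encode */

        if (b0 < 0x80)      { need = 0; cp = b0;        min = 0;       }
        else if (b0 < 0xC2) return -1;    /* stray continuation, or C0/C1 (overlong) */
        else if (b0 < 0xE0) { need = 1; cp = b0 & 0x1F; min = 0x80;    }
        else if (b0 < 0xF0) { need = 2; cp = b0 & 0x0F; min = 0x800;   }
        else if (b0 < 0xF5) { need = 3; cp = b0 & 0x07; min = 0x10000; }
        else                return -1;    /* F5..FF are never valid */

        /* Length first: a truncated sequence is where an unchecked decoder
         * walks off the end of the buffer (the out-of-bounds read). */
        if (in_len - i < need + 1)
            return -1;
        for (size_t k = 1; k <= need; k++) {
            unsigned char b = in[i + k];
            if ((b & 0xC0) != 0x80)
                return -1;                /* not a continuation byte */
            cp = (cp << 6) | (b & 0x3F);
        }
        if (cp < min)                     return -1;   /* overlong form */
        if (cp >= 0xD800 && cp <= 0xDFFF) return -1;   /* UTF-16 surrogate */
        if (cp > 0x10FFFF)                return -1;   /* outside Unicode */

        if (n >= out_cap)
            return -1;
        out[n++] = cp;
        i += need + 1;
    }
    return (long)n;
}

/* Helpers over NUL-terminated literals: code point count (-1 if rejected),
 * and the first decoded code point (0xFFFFFFFF if rejected or empty). */
long utf8_count(const char *s)
{
    uint32_t buf[64];
    return utf8_to_ucs4((const unsigned char *)s, strlen(s), buf, 64);
}
uint32_t utf8_first(const char *s)
{
    uint32_t buf[64];
    long n = utf8_to_ucs4((const unsigned char *)s, strlen(s), buf, 64);
    return n > 0 ? buf[0] : 0xFFFFFFFFu;
}

int main(void)
{
    /* constructed inputs: a valid 2-byte sequence, a truncated 3-byte
     * sequence, and an overlong encoding of '/' */
    const char *samples[] = { "\xC3\xA9", "\xE2\x82", "\xC0\xAF" };
    for (size_t k = 0; k < 3; k++)
        printf("sample %zu: %ld code point(s)\n", k, utf8_count(samples[k]));
    return 0;
}
```
]]></pre>
<p>Run on its own the block reports 1 code point for the first sample and -1 for the other two; the truncated sample is exactly the input that the pre-1.31 behaviour, which trusted the lead byte's length claim, would have read past.</p>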
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-2059</cvename> | |
<url>http://git.savannah.gnu.org/cgit/libidn.git/plain/NEWS?id=libidn-1-31</url> | |
</references> | |
<dates> | |
<discovery>2015-02-09</discovery> | |
<entry>2015-07-23</entry> | |
<modified>2015-08-03</modified> | |
</dates> | |
</vuln> | |
<vuln vid="9dd761ff-30cb-11e5-a4a5-002590263bf5"> | |
<topic>sox -- memory corruption vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>sox</name> | |
<range><le>14.4.2</le></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Michele Spagnuolo, Google Security Team, reports:</p> | |
<blockquote cite="http://seclists.org/oss-sec/2015/q3/167"> | |
<p>The write heap buffer overflows are related to ADPCM handling in | |
WAV files, while the read heap buffer overflow is while opening a | |
.VOC.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://seclists.org/oss-sec/2015/q3/167</url> | |
</references> | |
<dates> | |
<discovery>2015-07-22</discovery> | |
<entry>2015-07-23</entry> | |
</dates> | |
</vuln> | |
<vuln vid="92cda470-30cb-11e5-a4a5-002590263bf5"> | |
<topic>sox -- input sanitization errors</topic> | |
<affects> | |
<package> | |
<name>sox</name> | |
<range><lt>14.4.2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>oCERT reports:</p> | |
<blockquote cite="http://www.ocert.org/advisories/ocert-2014-010.html"> | |
<p>The sox command line tool is affected by two heap-based buffer | |
overflows, respectively located in functions start_read() and | |
AdpcmReadBlock().</p> | |
<p>A specially crafted wav file can be used to trigger the | |
vulnerabilities.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<bid>71774</bid> | |
<cvename>CVE-2014-8145</cvename> | |
<url>http://www.ocert.org/advisories/ocert-2014-010.html</url> | |
</references> | |
<dates> | |
<discovery>2014-11-20</discovery> | |
<entry>2015-07-23</entry> | |
</dates> | |
</vuln> | |
<vuln vid="95eee71d-3068-11e5-a9b5-bcaec565249c"> | |
<topic>gdk-pixbuf2 -- heap overflow and DoS affecting Firefox and other programs</topic> | |
<affects> | |
<package> | |
<name>gdk-pixbuf2</name> | |
<range><lt>2.31.2_2</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>gustavo.grieco@imag.fr reports:</p> | |
<blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=752297"> | |
<p>We found a heap overflow and a DoS in the gdk-pixbuf | |
implementation triggered by the scaling of a malformed bmp.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://bugzilla.gnome.org/show_bug.cgi?id=752297</url> | |
</references> | |
<dates> | |
<discovery>2015-07-12</discovery> | |
<entry>2015-07-22</entry> | |
</dates> | |
</vuln> | |
<vuln vid="8a1d0e63-1e07-11e5-b43d-002590263bf5"> | |
<topic>pcre -- Heap Overflow Vulnerability in find_fixedlength()</topic> | |
<affects> | |
<package> | |
<name>pcre</name> | |
<range><le>8.37_1</le></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Venustech ADLAB reports:</p> | |
<blockquote cite="https://bugs.exim.org/show_bug.cgi?id=1651"> | |
<p>PCRE library is prone to a vulnerability which leads to Heap | |
Overflow. During subpattern calculation of a malformed regular | |
expression, an offset that is used as an array index is fully | |
controlled and can be large enough so that unexpected heap | |
memory regions are accessed.</p> | |
<p>One could at least exploit this issue to read objects nearby of | |
the affected application's memory.</p> | |
<p>Such information disclosure may also be used to bypass memory | |
protection method such as ASLR.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-5073</cvename> | |
<url>https://bugs.exim.org/show_bug.cgi?id=1651</url> | |
<url>http://vcs.pcre.org/pcre?view=revision&amp;revision=1571</url> | |
<mlist>http://www.openwall.com/lists/oss-security/2015/06/26/1</mlist> | |
</references> | |
<dates> | |
<discovery>2015-06-23</discovery> | |
<entry>2015-06-29</entry> | |
</dates> | |
</vuln> | |
<vuln vid="0bfda05f-2e6f-11e5-a4a5-002590263bf5"> | |
<topic>cacti -- Multiple XSS and SQL injection vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>cacti</name> | |
<range><lt>0.8.8e</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Cacti Group, Inc. reports:</p> | |
<blockquote cite="http://www.cacti.net/release_notes_0_8_8e.php"> | |
<p>Important Security Fixes</p> | |
<ul> | |
<li>Multiple XSS and SQL injection vulnerabilities</li> | |
<li>CVE-2015-4634 - SQL injection in graphs.php</li> | |
</ul> | |
<p>Changelog</p> | |
<ul> | |
<li>bug: Fixed various SQL Injection vectors</li> | |
<li>bug#0002574: SQL Injection Vulnerabilities in graph items and | |
graph template items</li> | |
<li>bug#0002577: CVE-2015-4634 - SQL injection in graphs.php</li> | |
<li>bug#0002579: SQL Injection Vulnerabilities in data sources</li> | |
<li>bug#0002580: SQL Injection in cdef.php</li> | |
<li>bug#0002582: SQL Injection in data_templates.php</li> | |
<li>bug#0002583: SQL Injection in graph_templates.php</li> | |
<li>bug#0002584: SQL Injection in host_templates.php</li> | |
</ul> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-4634</cvename> | |
<freebsdpr>ports/201702</freebsdpr> | |
<url>http://www.cacti.net/release_notes_0_8_8e.php</url> | |
<mlist>http://seclists.org/oss-sec/2015/q3/150</mlist> | |
</references> | |
<dates> | |
<discovery>2015-07-12</discovery> | |
<entry>2015-07-20</entry> | |
</dates> | |
</vuln> | |
<vuln vid="8b1f53f3-2da5-11e5-86ff-14dae9d210b8"> | |
<topic>php-phar -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>php56-phar</name> | |
<range><lt>5.6.11</lt></range> | |
</package> | |
<package> | |
<name>php55-phar</name> | |
<range><lt>5.5.27</lt></range> | |
</package> | |
<package> | |
<name>php5-phar</name> | |
<range><lt>5.4.43</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p> reports:</p> | |
<blockquote cite="http://seclists.org/oss-sec/2015/q3/141"> | |
<p>Segfault in Phar::convertToData on invalid file.</p> | |
<p>Buffer overflow and stack smashing error in phar_fix_filepath.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<mlist>http://seclists.org/oss-sec/2015/q3/141</mlist> | |
<url>https://bugs.php.net/bug.php?id=69958</url> | |
<url>http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf</url> | |
<url>https://bugs.php.net/bug.php?id=69923</url> | |
<url>http://git.php.net/?p=php-src.git;a=commit;h=6dedeb40db13971af45276f80b5375030aa7e76f</url> | |
<cvename>CVE-2015-5589</cvename> | |
<cvename>CVE-2015-5590</cvename> | |
</references> | |
<dates> | |
<discovery>2015-06-24</discovery> | |
<entry>2015-07-18</entry> | |
<modified>2015-12-18</modified> | |
</dates> | |
</vuln> | |
<vuln vid="43891162-2d5e-11e5-a4a5-002590263bf5"> | |
<topic>moodle -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>moodle27</name> | |
<range><lt>2.7.9</lt></range> | |
</package> | |
<package> | |
<name>moodle28</name> | |
<range><lt>2.8.7</lt></range> | |
</package> | |
<package> | |
<name>moodle29</name> | |
<range><lt>2.9.1</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Marina Glancy reports:</p> | |
<blockquote cite="http://seclists.org/oss-sec/2015/q3/94"> | |
<p>MSA-15-0026: Possible phishing when redirecting to external site | |
using referer header. (CVE-2015-3272)</p> | |
<p>MSA-15-0027: Capability 'mod/forum:canposttomygroups' is not | |
respected when using 'Post a copy to all groups' in forum | |
(CVE-2015-3273)</p> | |
<p>MSA-15-0028: Possible XSS through custom text profile fields in Web | |
Services (CVE-2015-3274)</p> | |
<p>MSA-15-0029: Javascript injection in SCORM module (CVE-2015-3275) | |
</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-3272</cvename> | |
<cvename>CVE-2015-3273</cvename> | |
<cvename>CVE-2015-3274</cvename> | |
<cvename>CVE-2015-3275</cvename> | |
<mlist>http://seclists.org/oss-sec/2015/q3/94</mlist> | |
<url>https://docs.moodle.org/dev/Moodle_2.7.9_release_notes</url> | |
<url>https://docs.moodle.org/dev/Moodle_2.8.7_release_notes</url> | |
<url>https://docs.moodle.org/dev/Moodle_2.9.1_release_notes</url> | |
</references> | |
<dates> | |
<discovery>2015-07-06</discovery> | |
<entry>2015-07-18</entry> | |
<modified>2015-07-19</modified> | |
</dates> | |
</vuln> | |
<vuln vid="29083f8e-2ca8-11e5-86ff-14dae9d210b8"> | |
<topic>apache22 -- chunk header parsing defect</topic> | |
<affects> | |
<package> | |
<name>apache22</name> | |
<name>apache22-event-mpm</name> | |
<name>apache22-itk-mpm</name> | |
<name>apache22-peruser-mpm</name> | |
<name>apache22-worker-mpm</name> | |
<range><le>2.2.29_5</le></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Apache Foundation reports:</p> | |
<blockquote cite="http://www.apache.org/dist/httpd/Announcement2.2.html"> | |
<p>CVE-2015-3183 core: Fix chunk header parsing defect. Remove | |
apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN | |
filter, parse chunks in a single pass with zero copy. Limit accepted | |
chunk-size to 2^63-1 and be strict about chunk-ext authorized | |
characters.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.apache.org/dist/httpd/Announcement2.2.html</url> | |
<url>https://github.com/apache/httpd/commit/29779fd08c18b18efc5e640d74cbe297c7ec007e</url> | |
<cvename>CVE-2015-3183</cvename> | |
</references> | |
<dates> | |
<discovery>2015-06-24</discovery> | |
<entry>2015-07-17</entry> | |
</dates> | |
</vuln> | |
<vuln vid="5c399624-2bef-11e5-86ff-14dae9d210b8"> | |
<topic>zenphoto -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>zenphoto</name> | |
<range><lt>1.4.9</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>zenphoto reports:</p> | |
<blockquote cite="http://www.zenphoto.org/news/zenphoto-1.4.9"> | |
<p>Fixes several SQL Injection, XSS and path traversal | |
security issues</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>http://www.zenphoto.org/news/zenphoto-1.4.9</url> | |
<mlist>http://seclists.org/oss-sec/2015/q3/123</mlist> | |
<url>https://github.com/zenphoto/zenphoto/pull/935</url> | |
<cvename>CVE-2015-5591</cvename> | |
<cvename>CVE-2015-5592</cvename> | |
<cvename>CVE-2015-5593</cvename> | |
<cvename>CVE-2015-5594</cvename> | |
<cvename>CVE-2015-5595</cvename> | |
</references> | |
<dates> | |
<discovery>2015-05-24</discovery> | |
<entry>2015-07-16</entry> | |
<modified>2015-07-18</modified> | |
</dates> | |
</vuln> | |
<vuln vid="67b3fef2-2bea-11e5-86ff-14dae9d210b8"> | |
<topic>groovy -- remote execution of untrusted code</topic> | |
<affects> | |
<package> | |
<name>groovy</name> | |
<range><ge>1.7.0</ge><lt>2.4.4</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Cédric Champeau reports:</p> | |
<blockquote cite="http://seclists.org/oss-sec/2015/q3/121"> | |
<p>Description</p> | |
<p>When an application has Groovy on the classpath and | |
uses the standard Java serialization mechanism to communicate | |
between servers, or to store local data, it is possible for | |
an attacker to bake a special serialized object that will | |
execute code directly when deserialized. All applications | |
which rely on serialization and do not isolate the code which | |
deserializes objects are subject to this vulnerability.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<mlist>http://seclists.org/oss-sec/2015/q3/121</mlist> | |
<url>http://groovy-lang.org/security.html</url> | |
<url>https://issues.apache.org/jira/browse/GROOVY-7504</url> | |
<cvename>CVE-2015-3253</cvename> | |
</references> | |
<dates> | |
<discovery>2015-07-09</discovery> | |
<entry>2015-07-16</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a928960a-2bdc-11e5-86ff-14dae9d210b8"> | |
<topic>libav -- divide by zero</topic> | |
<affects> | |
<package> | |
<name>libav</name> | |
<range><le>11.3_2</le></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Agostino Sarubbo reports:</p> | |
<blockquote cite="https://blogs.gentoo.org/ago/2015/07/16/libav-divide-by-zero-in-ff_h263_decode_mba/"> | |
<p>libav: divide-by-zero in ff_h263_decode_mba()</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://blogs.gentoo.org/ago/2015/07/16/libav-divide-by-zero-in-ff_h263_decode_mba/</url> | |
<url>https://git.libav.org/?p=libav.git;a=commitdiff;h=0a49a62f998747cfa564d98d36a459fe70d3299b;hp=6f4cd33efb5a9ec75db1677d5f7846c60337129f</url> | |
<cvename>CVE-2015-5479</cvename> | |
</references> | |
<dates> | |
<discovery>2015-06-21</discovery> | |
<entry>2015-07-16</entry> | |
</dates> | |
</vuln> | |
<vuln vid="44d9daee-940c-4179-86bb-6e3ffd617869"> | |
<topic>mozilla -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>firefox</name> | |
<range><lt>39.0,1</lt></range> | |
</package> | |
<package> | |
<name>linux-firefox</name> | |
<range><lt>39.0,1</lt></range> | |
</package> | |
<package> | |
<name>seamonkey</name> | |
<!-- seamonkey-2.35 milestone.txt: 38.2.0esrpre --> | |
<range><lt>2.35</lt></range> | |
</package> | |
<package> | |
<name>linux-seamonkey</name> | |
<!-- seamonkey-2.35 milestone.txt: 38.2.0esrpre --> | |
<range><lt>2.35</lt></range> | |
</package> | |
<package> | |
<name>firefox-esr</name> | |
<range><lt>31.8.0,1</lt></range> | |
<range><ge>38.0,1</ge><lt>38.1.0,1</lt></range> | |
</package> | |
<package> | |
<name>libxul</name> | |
<range><lt>31.8.0</lt></range> | |
<range><ge>38.0</ge><lt>38.1.0</lt></range> | |
</package> | |
<package> | |
<name>thunderbird</name> | |
<range><lt>31.8.0</lt></range> | |
<range><ge>38.0</ge><lt>38.1.0</lt></range> | |
</package> | |
<package> | |
<name>linux-thunderbird</name> | |
<range><lt>31.8.0</lt></range> | |
<range><ge>38.0</ge><lt>38.1.0</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>The Mozilla Project reports:</p> | |
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/"> | |
<p>MFSA 2015-59 Miscellaneous memory safety hazards (rv:39.0 | |
/ rv:31.8 / rv:38.1)</p> | |
<p>MFSA 2015-60 Local files or privileged URLs in pages can | |
be opened into new tabs</p> | |
<p>MFSA 2015-61 Type confusion in Indexed Database | |
Manager</p> | |
<p>MFSA 2015-62 Out-of-bound read while computing an | |
oscillator rendering range in Web Audio</p> | |
<p>MFSA 2015-63 Use-after-free in Content Policy due to | |
microtask execution error</p> | |
<p>MFSA 2015-64 ECDSA signature validation fails to handle | |
some signatures correctly</p> | |
<p>MFSA 2015-65 Use-after-free in workers while using | |
XMLHttpRequest</p> | |
<p>MFSA 2015-66 Vulnerabilities found through code | |
inspection</p> | |
<p>MFSA 2015-67 Key pinning is ignored when overridable | |
errors are encountered</p> | |
<p>MFSA 2015-68 OS X crash reports may contain entered key | |
press information</p> | |
<p>MFSA 2015-69 Privilege escalation through internal | |
workers</p> | |
<p>MFSA 2015-70 NSS accepts export-length DHE keys with | |
regular DHE cipher suites</p> | |
<p>MFSA 2015-71 NSS incorrectly permits skipping of | |
ServerKeyExchange</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-2721</cvename> | |
<cvename>CVE-2015-2722</cvename> | |
<cvename>CVE-2015-2724</cvename> | |
<cvename>CVE-2015-2725</cvename> | |
<cvename>CVE-2015-2726</cvename> | |
<cvename>CVE-2015-2727</cvename> | |
<cvename>CVE-2015-2728</cvename> | |
<cvename>CVE-2015-2729</cvename> | |
<cvename>CVE-2015-2730</cvename> | |
<cvename>CVE-2015-2731</cvename> | |
<cvename>CVE-2015-2733</cvename> | |
<cvename>CVE-2015-2734</cvename> | |
<cvename>CVE-2015-2735</cvename> | |
<cvename>CVE-2015-2736</cvename> | |
<cvename>CVE-2015-2737</cvename> | |
<cvename>CVE-2015-2738</cvename> | |
<cvename>CVE-2015-2739</cvename> | |
<cvename>CVE-2015-2740</cvename> | |
<cvename>CVE-2015-2741</cvename> | |
<cvename>CVE-2015-2742</cvename> | |
<cvename>CVE-2015-2743</cvename> | |
<cvename>CVE-2015-4000</cvename> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-59/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-60/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-61/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-62/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-63/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-64/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-65/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-66/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-67/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-68/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-69/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-70/</url> | |
<url>https://www.mozilla.org/security/advisories/mfsa2015-71/</url> | |
</references> | |
<dates> | |
<discovery>2015-07-02</discovery> | |
<entry>2015-07-16</entry> | |
<modified>2015-09-22</modified> | |
</dates> | |
</vuln> | |
<vuln vid="d3216606-2b47-11e5-a668-080027ef73ec"> | |
<topic>PolarSSL -- Security Fix Backports</topic> | |
<affects> | |
<package> | |
<name>polarssl</name> | |
<range><lt>1.2.14</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Paul Bakker reports:</p> | |
<blockquote cite="https://tls.mbed.org/tech-updates/releases/polarssl-1.2.14-released"> | |
<p>PolarSSL 1.2.14 fixes one remotely-triggerable issue that was | |
found by the Codenomicon Defensics tool, one potential remote crash, | |
and adds countermeasures against the "Lucky 13 strikes back" cache-based | |
attack.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<url>https://tls.mbed.org/tech-updates/releases/polarssl-1.2.14-released</url> | |
</references> | |
<dates> | |
<discovery>2015-06-26</discovery> | |
<entry>2015-07-15</entry> | |
</dates> | |
</vuln> | |
<vuln vid="ca139c7f-2a8c-11e5-a4a5-002590263bf5"> | |
<topic>libwmf -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>libwmf</name> | |
<range><lt>0.2.8.4_14</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Mitre reports:</p> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0941"> | |
<p>Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 | |
and earlier may allow remote attackers to execute arbitrary code via | |
malformed image files that trigger the overflows due to improper | |
calls to the gdMalloc function, a different set of vulnerabilities | |
than CVE-2004-0990.</p> | |
</blockquote> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455"> | |
<p>Buffer overflow in the gdImageStringFTEx function in gdft.c in GD | |
Graphics Library 2.0.33 and earlier allows remote attackers to cause | |
a denial of service (application crash) and possibly execute | |
arbitrary code via a crafted string with a JIS encoded font.</p> | |
</blockquote> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756"> | |
<p>The gdPngReadData function in libgd 2.0.34 allows user-assisted | |
attackers to cause a denial of service (CPU consumption) via a | |
crafted PNG image with truncated data, which causes an infinite loop | |
in the png_read_info function in libpng.</p> | |
</blockquote> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3472"> | |
<p>Integer overflow in gdImageCreateTrueColor function in the GD | |
Graphics Library (libgd) before 2.0.35 allows user-assisted remote | |
attackers to have unspecified attack vectors and impact.</p> | |
</blockquote> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3473"> | |
<p>The gdImageCreateXbm function in the GD Graphics Library (libgd) | |
before 2.0.35 allows user-assisted remote attackers to cause a | |
denial of service (crash) via unspecified vectors involving a | |
gdImageCreate failure.</p> | |
</blockquote> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3477"> | |
<p>The (a) imagearc and (b) imagefilledarc functions in GD Graphics | |
Library (libgd) before 2.0.35 allow attackers to cause a denial of | |
service (CPU consumption) via a large (1) start or (2) end angle | |
degree value.</p> | |
</blockquote> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546"> | |
<p>The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before | |
5.3.1, and the GD Graphics Library 2.x, does not properly verify a | |
certain colorsTotal structure member, which might allow remote | |
attackers to conduct buffer overflow or buffer over-read attacks via | |
a crafted GD file, a different vulnerability than CVE-2009-3293. | |
NOTE: some of these details are obtained from third party | |
information.</p> | |
</blockquote> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848"> | |
<p>Heap-based buffer overflow in libwmf 0.2.8.4 allows remote | |
attackers to cause a denial of service (crash) or possibly execute | |
arbitrary code via a crafted BMP image.</p> | |
</blockquote> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4695"> | |
<p>meta.h in libwmf 0.2.8.4 allows remote attackers to cause a denial | |
of service (out-of-bounds read) via a crafted WMF file.</p> | |
</blockquote> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4696"> | |
<p>Use-after-free vulnerability in libwmf 0.2.8.4 allows remote | |
attackers to cause a denial of service (crash) via a crafted WMF | |
file to the (1) wmf2gd or (2) wmf2eps command.</p> | |
</blockquote> | |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588"> | |
<p>Heap-based buffer overflow in the DecodeImage function in libwmf | |
0.2.8.4 allows remote attackers to cause a denial of service (crash) | |
or possibly execute arbitrary code via a crafted "run-length count" | |
in an image in a WMF file.</p> | |
</blockquote> | |
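<p>Several of the entries above, CVE-2015-4588 in particular, are one bug class: a run-length or size field read from the file decides how much gets written into a buffer whose size came from a different field. The decoder below is an added example for this page; it uses a constructed two-byte-pair run-length format rather than libwmf's WMF/DIB encoding, and it is not libwmf's DecodeImage(). What it shows is the check that has to sit in front of the write, plus a second check that refuses a stream too short to fill the image, since an unwritten tail would expose uninitialised heap contents.</p>
<pre><![CDATA[
```c
/* Bounds-checked run-length decoder.  Added to show the check a decoder has
 * to make before honouring a run count taken from the file: the run must fit
 * the space that is left, not merely be a plausible number.  The format here
 * is a constructed one (byte pairs: run count, byte value), not libwmf's
 * WMF/DIB encoding, and this is not libwmf's DecodeImage(). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode (count, value) pairs from `in` into `out`, which holds exactly the
 * `out_len` bytes the image header promised.  Returns out_len on success or
 * -1 if any run would overflow `out`, the input ends mid-pair, or the stream
 * stops short of filling `out`. */
long rle_decode(const unsigned char *in, size_t in_len,
                unsigned char *out, size_t out_len)
{
    size_t ip = 0, op = 0;

    while (ip < in_len) {
        size_t count;

        if (in_len - ip < 2)
            return -1;                       /* count byte without a value */
        count = in[ip];
        /* The check whose absence is a heap overflow: compare the run against
         * the remaining output space, never against the count alone. */
        if (count > out_len - op)
            return -1;
        memset(out + op, in[ip + 1], count);
        op += count;
        ip += 2;
    }
    /* A short stream is rejected too: leaving the tail of `out` unwritten
     * would hand uninitialised heap contents to whatever renders the image. */
    if (op != out_len)
        return -1;
    return (long)op;
}

/* Helpers: 1 if `in` decodes to exactly `expect` with strlen(expect) as the
 * promised size; 1 if decoding into an `out_len`-byte image is rejected. */
int rle_matches(const unsigned char *in, size_t in_len, const char *expect)
{
    unsigned char buf[256];
    size_t want = strlen(expect);
    if (want > sizeof buf) return 0;
    return rle_decode(in, in_len, buf, want) == (long)want
        && memcmp(buf, expect, want) == 0;
}
int rle_rejected(const unsigned char *in, size_t in_len, size_t out_len)
{
    unsigned char buf[256];
    if (out_len > sizeof buf) return 0;
    return rle_decode(in, in_len, buf, out_len) < 0;
}

int main(void)
{
    /* constructed stream: 3 x 'a', 2 x 'b' -> "aaabb"; decoded once against
     * a header that promised 5 bytes and once against one that promised 4 */
    const unsigned char stream[] = { 3, 'a', 2, 'b' };
    unsigned char img[5];
    printf("5-byte image: %ld\n", rle_decode(stream, sizeof stream, img, 5));
    printf("4-byte image: %ld\n", rle_decode(stream, sizeof stream, img, 4));
    return 0;
}
```
]]></pre>
<p>The second call is the crafted-count case from the advisory: the file's counts add up to more than the image the header announced, and the decoder has to notice that before the memset, not after.</p>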
</body> | |
</description> | |
<references> | |
<bid>11663</bid> | |
<bid>22289</bid> | |
<bid>24089</bid> | |
<bid>24651</bid> | |
<bid>36712</bid> | |
<freebsdpr>ports/201513</freebsdpr> | |
<cvename>CVE-2004-0941</cvename> | |
<cvename>CVE-2007-0455</cvename> | |
<cvename>CVE-2007-2756</cvename> | |
<cvename>CVE-2007-3472</cvename> | |
<cvename>CVE-2007-3473</cvename> | |
<cvename>CVE-2007-3477</cvename> | |
<cvename>CVE-2009-3546</cvename> | |
<cvename>CVE-2015-0848</cvename> | |
<cvename>CVE-2015-4695</cvename> | |
<cvename>CVE-2015-4696</cvename> | |
<cvename>CVE-2015-4588</cvename> | |
</references> | |
<dates> | |
<discovery>2004-10-12</discovery> | |
<entry>2015-07-15</entry> | |
</dates> | |
</vuln> | |
<vuln vid="a12494c1-2af4-11e5-86ff-14dae9d210b8"> | |
<topic>apache24 -- multiple vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>apache24</name> | |
<range><lt>2.4.16</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Jim Jagielski reports:</p> | |
<blockquote cite="https://mail-archives.apache.org/mod_mbox/www-announce/201507.mbox/%3CAA5C882C-A9C3-46B9-9320-5040A2152E83@apache.org%3E"> | |
<p>CVE-2015-3183 (cve.mitre.org) | |
core: Fix chunk header parsing defect. | |
Remove apr_brigade_flatten(), buffering and duplicated code from | |
the HTTP_IN filter, parse chunks in a single pass with zero copy. | |
Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext | |
authorized characters.</p> | |
<p>CVE-2015-3185 (cve.mitre.org) | |
Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) | |
with new ap_some_authn_required and ap_force_authn hook.</p> | |
<p>CVE-2015-0253 (cve.mitre.org) | |
core: Fix a crash with ErrorDocument 400 pointing to a local URL-path | |
with the INCLUDES filter active, introduced in 2.4.11. PR 57531.</p> | |
<p>CVE-2015-0228 (cve.mitre.org) | |
mod_lua: A maliciously crafted websockets PING after a script | |
calls r:wsupgrade() can cause a child process crash.</p> | |
</blockquote> | |
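<p>The httpd fix quoted in this entry and in the apache22 entry above (CVE-2015-3183) comes down to three rules: parse the chunk-size in one pass, refuse any value above 2^63-1 rather than letting the accumulator wrap, and accept in the chunk-ext only the characters RFC 7230 allows. The C parser below is an added illustration of those rules written for this page; it is not Apache httpd's code, and the function names, the RFC 7230 token and quoted-string grammar it enforces, and the sample lines are this example's own choices.</p>
<pre><![CDATA[
```c
/* Strict parser for one HTTP/1.1 chunk-size line ("hex[;ext[=val]]", CRLF
 * already stripped).  Added illustration of the hardening in the
 * CVE-2015-3183 fix: single pass, chunk-size capped at 2^63-1, chunk-ext
 * limited to the RFC 7230 token / quoted-string grammar.  Not httpd's code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE_MAX ((uint64_t)INT64_MAX)   /* 2^63-1 */

/* RFC 7230 tchar: ALPHA / DIGIT / one of !#$%&'*+-.^_`|~ */
static int is_tchar(unsigned char c)
{
    if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'))
        return 1;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Returns 0 and stores the size on success, -1 on any syntax error, on a
 * value above CHUNK_SIZE_MAX, or on a chunk-ext outside the grammar. */
int parse_chunk_size_line(const char *line, size_t len, uint64_t *size_out)
{
    size_t i = 0;
    uint64_t size = 0;
    int ndigits = 0;

    /* chunk-size = 1*HEXDIG, accumulated with an overflow check per digit */
    for (; i < len; i++) {
        int v = hexval((unsigned char)line[i]);
        if (v < 0) break;
        if (size > (CHUNK_SIZE_MAX - (uint64_t)v) / 16)
            return -1;                       /* would exceed 2^63-1 */
        size = size * 16 + (uint64_t)v;
        ndigits++;
    }
    if (ndigits == 0)
        return -1;                           /* "", "+1", ";x" ... */

    /* chunk-ext = *( ";" token [ "=" ( token / quoted-string ) ] ); no
     * whitespace is tolerated anywhere in the extension */
    while (i < len) {
        if (line[i++] != ';')
            return -1;                       /* trailing space or junk */
        if (i >= len || !is_tchar((unsigned char)line[i]))
            return -1;                       /* ext-name must be a token */
        while (i < len && is_tchar((unsigned char)line[i]))
            i++;
        if (i < len && line[i] == '=') {
            i++;
            if (i < len && line[i] == '"') { /* quoted-string */
                i++;
                for (;;) {
                    unsigned char c;
                    if (i >= len) return -1; /* unterminated */
                    c = (unsigned char)line[i++];
                    if (c == '"') break;
                    if (c == '\\') {         /* quoted-pair */
                        if (i >= len) return -1;
                        c = (unsigned char)line[i++];
                    }
                    if (c != '\t' && (c < 0x20 || c == 0x7f))
                        return -1;           /* CTL not allowed */
                }
            } else {                         /* token value */
                if (i >= len || !is_tchar((unsigned char)line[i]))
                    return -1;
                while (i < len && is_tchar((unsigned char)line[i]))
                    i++;
            }
        }
    }
    *size_out = size;
    return 0;
}

/* Helpers: 1 if `line` parses to exactly `expect`; 1 if `line` is rejected. */
int chunk_line_ok(const char *line, uint64_t expect)
{
    uint64_t size = 0;
    return parse_chunk_size_line(line, strlen(line), &size) == 0 && size == expect;
}
int chunk_line_rejected(const char *line)
{
    uint64_t size = 0;
    return parse_chunk_size_line(line, strlen(line), &size) != 0;
}

int main(void)
{
    /* constructed sample lines, not captured traffic */
    const char *samples[] = { "1a;name=value", "7fffffffffffffff",
                              "8000000000000000", "1a; name=value" };
    for (size_t k = 0; k < 4; k++)
        printf("%-18s %s\n", samples[k],
               chunk_line_rejected(samples[k]) ? "rejected" : "accepted");
    return 0;
}
```
]]></pre>
<p>Built and run on its own, the block prints a verdict for each sample line; the two that matter are the sixteen-digit value beginning with 8, one above the cap, and the space after the semicolon, which a lenient parser would have skipped over.</p>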
</body> | |
</description> | |
<references> | |
<mlist>https://mail-archives.apache.org/mod_mbox/www-announce/201507.mbox/%3CAA5C882C-A9C3-46B9-9320-5040A2152E83@apache.org%3E</mlist> | |
<cvename>CVE-2015-3183</cvename> | |
<cvename>CVE-2015-3185</cvename> | |
<cvename>CVE-2015-0253</cvename> | |
<cvename>CVE-2015-0228</cvename> | |
</references> | |
<dates> | |
<discovery>2015-02-04</discovery> | |
<entry>2015-07-15</entry> | |
</dates> | |
</vuln> | |
<vuln vid="8d2d6bbd-2a02-11e5-a0af-bcaec565249c"> | |
<topic>Adobe Flash Player -- critical vulnerabilities</topic> | |
<affects> | |
<package> | |
<name>linux-c6-flashplugin</name> | |
<range><lt>11.2r202.491</lt></range> | |
</package> | |
<package> | |
<name>linux-f10-flashplugin</name> | |
<range><lt>11.2r202.491</lt></range> | |
</package> | |
</affects> | |
<description> | |
<body xmlns="http://www.w3.org/1999/xhtml"> | |
<p>Adobe reports:</p> | |
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-18.html"> | |
<p>Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have | |
been identified. Successful exploitation could cause a crash | |
and potentially allow an attacker to take control of the | |
affected system. Adobe is aware of reports that exploits | |
targeting these vulnerabilities have been published publicly.</p> | |
</blockquote> | |
</body> | |
</description> | |
<references> | |
<cvename>CVE-2015-5122</cvename> | |
<cvename>CVE-2015-5123</cvename> | |
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-18.html</url> | |
</references> | |
<dates> | |
<discovery>2015-07-10</discovery> | |
<entry>2015-07-14</entry> | |
<modified>2015-07-16</modified> | |
</dates> | |
</vuln> | |
<vuln vid="3d39e927-29a2-11e5-86ff-14dae9d210b8">
<topic>php -- use-after-free vulnerability</topic>
<affects>
<package>
<name>php56-sqlite3</name>
<range><lt>5.6.11</lt></range>
</package>
<package>
<name>php55-sqlite3</name>
<range><lt>5.5.27</lt></range>
</package>
<package>
<name>php5-sqlite3</name>
<range><lt>5.4.43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Symeon Paraschoudis reports:</p>
<blockquote cite="https://bugs.php.net/bug.php?id=69972">
<p>Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.php.net/bug.php?id=69972</url>
</references>
<dates>
<discovery>2015-06-30</discovery>
<entry>2015-07-13</entry>
</dates>
</vuln>
<vuln vid="af7fbd91-29a1-11e5-86ff-14dae9d210b8">
<topic>php -- use-after-free vulnerability</topic>
<affects>
<package>
<name>php56</name>
<range><lt>5.6.11</lt></range>
</package>
<package>
<name>php55</name>
<range><lt>5.5.27</lt></range>
</package>
<package>
<name>php5</name>
<range><lt>5.4.43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Symeon Paraschoudis reports:</p>
<blockquote cite="https://bugs.php.net/bug.php?id=69970">
<p>Use-after-free vulnerability in spl_recursive_it_move_forward_ex()</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.php.net/bug.php?id=69970</url>
</references>
<dates>
<discovery>2015-06-30</discovery>
<entry>2015-07-13</entry>
</dates>
</vuln>
<vuln vid="5a1d5d74-29a0-11e5-86ff-14dae9d210b8">
<topic>php -- arbitrary code execution</topic>
<affects>
<package>
<name>php56</name>
<range><lt>5.6.11</lt></range>
</package>
<package>
<name>php55</name>
<range><lt>5.5.27</lt></range>
</package>
<package>
<name>php5</name>
<range><lt>5.4.43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>cmb reports:</p>
<blockquote cite="https://bugs.php.net/bug.php?id=69768">
<p>When delayed variable substitution is enabled (can be set in the
Registry, for instance), !ENV! works similar to %ENV%, and the
value of the environment variable ENV will be substituted.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.php.net/bug.php?id=69768</url>
</references>
<dates>
<discovery>2015-06-07</discovery>
<entry>2015-07-13</entry>
</dates>
</vuln>
<vuln vid="36bd352d-299b-11e5-86ff-14dae9d210b8">
<topic>mysql -- SSL Downgrade</topic>
<affects>
<package>
<name>php56-mysql</name>
<name>php56-mysqli</name>
<range><lt>5.6.11</lt></range>
</package>
<package>
<name>php55-mysql</name>
<name>php55-mysqli</name>
<range><lt>5.5.27</lt></range>
</package>
<package>
<name>php5-mysql</name>
<name>php5-mysqli</name>
<range><lt>5.4.43</lt></range>
</package>
<package>
<name>mariadb55-client</name>
<range><lt>5.5.44</lt></range>
</package>
<package>
<name>mariadb100-client</name>
<range><lt>10.0.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Duo Security reports:</p>
<blockquote cite="https://www.duosecurity.com/blog/backronym-mysql-vulnerability">
<p>Researchers have identified a serious vulnerability in some
versions of Oracle’s MySQL database product that allows an attacker to
strip SSL/TLS connections of their security wrapping transparently.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.php.net/bug.php?id=69669</url>
<url>https://www.duosecurity.com/blog/backronym-mysql-vulnerability</url>
<url>http://www.ocert.org/advisories/ocert-2015-003.html</url>
<url>https://mariadb.atlassian.net/browse/MDEV-7937</url>
<url>https://mariadb.com/kb/en/mariadb/mariadb-10020-changelog/</url>
<url>https://mariadb.com/kb/en/mariadb/mariadb-5544-changelog/</url>
<cvename>CVE-2015-3152</cvename>
</references>
<dates>
<discovery>2015-03-20</discovery>
<entry>2015-07-13</entry>
<modified>2015-07-18</modified>
</dates>
</vuln>
<vuln vid="81326883-2905-11e5-a4a5-002590263bf5">
<topic>devel/ipython -- CSRF possible remote execution vulnerability</topic>
<affects>
<package>
<name>ipython</name>
<range><ge>0.12</ge><lt>3.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kyle Kelley reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/92">
<p>Summary: POST requests exposed via the IPython REST API are
vulnerable to cross-site request forgery (CSRF). Web pages on
different domains can make non-AJAX POST requests to known IPython
URLs, and IPython will honor them. The user's browser will
automatically send IPython cookies along with the requests. The
response is blocked by the Same-Origin Policy, but the request
isn't.</p>
<p>API paths with issues:</p>
<ul>
<li>POST /api/contents/&lt;path&gt;/&lt;file&gt;</li>
<li>POST /api/contents/&lt;path&gt;/&lt;file&gt;/checkpoints</li>
<li>POST /api/contents/&lt;path&gt;/&lt;file&gt;/checkpoints/&lt;checkpoint_id&gt;</li>
<li>POST /api/kernels</li>
<li>POST /api/kernels/&lt;kernel_id&gt;/&lt;action&gt;</li>
<li>POST /api/sessions</li>
<li>POST /api/clusters/&lt;cluster_id&gt;/&lt;action&gt;</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5607</cvename>
<url>http://seclists.org/oss-sec/2015/q3/92</url>
<url>http://ipython.org/ipython-doc/3/whatsnew/version3.html#ipython-3-2-1</url>
</references>
<dates>
<discovery>2015-07-12</discovery>
<entry>2015-07-13</entry>
<modified>2015-07-22</modified>
</dates>
</vuln>
<vuln vid="379788f3-2900-11e5-a4a5-002590263bf5">
<topic>freeradius -- insufficient CRL application vulnerability</topic>
<affects>
<package>
<name>freeradius2</name>
<range><lt>2.2.8</lt></range>
</package>
<package>
<name>freeradius3</name>
<range><lt>3.0.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2015-008.html">
<p>The FreeRADIUS server relies on OpenSSL to perform certificate
validation, including Certificate Revocation List (CRL) checks. The
FreeRADIUS usage of OpenSSL, in CRL application, limits the checks
to leaf certificates, therefore not detecting revocation of
intermediate CA certificates.</p>
<p>An unexpired client certificate, issued by an intermediate CA with
a revoked certificate, is therefore accepted by FreeRADIUS.</p>
<p>Specifically sets the X509_V_FLAG_CRL_CHECK flag for leaf
certificate CRL checks, but does not use X509_V_FLAG_CRL_CHECK_ALL
for CRL checks on the complete trust chain.</p>
<p>The FreeRADIUS project advises that the recommended configuration
is to use self-signed CAs for all EAP-TLS methods.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4680</cvename>
<freebsdpr>ports/201058</freebsdpr>
<freebsdpr>ports/201059</freebsdpr>
<url>http://www.ocert.org/advisories/ocert-2015-008.html</url>
<url>http://freeradius.org/security.html</url>
</references>
<dates>
<discovery>2015-06-22</discovery>
<entry>2015-07-13</entry>
</dates>
</vuln>
<vuln vid="f1deed23-27ec-11e5-a4a5-002590263bf5">
<topic>xen-tools -- xl command line config handling stack overflow</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>4.1</ge><lt>4.5.0_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-137.html">
<p>The xl command line utility mishandles long configuration values
when passed as command line arguments, with a buffer overrun.</p>
<p>A semi-trusted guest administrator or controller, who is intended
to be able to partially control the configuration settings for a
domain, can escalate their privileges to that of the whole host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3259</cvename>
<url>http://xenbits.xen.org/xsa/advisory-137.html</url>
</references>
<dates>
<discovery>2015-07-07</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="8c31b288-27ec-11e5-a4a5-002590263bf5">
<topic>xen-kernel -- vulnerability in the iret hypercall handler</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>3.1</ge><lt>4.5.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-136.html">
<p>A buggy loop in Xen's compat_iret() function iterates the wrong way
around a 32-bit index. Any 32-bit PV guest kernel can trigger this
vulnerability by attempting a hypercall_iret with EFLAGS.VM set.</p>
<p>Given the use of __get/put_user(), and that the virtual addresses
in question are contained within the lower canonical half, the guest
cannot clobber any hypervisor data. Instead, Xen will take up to
2^33 pagefaults, in sequence, effectively hanging the host.</p>
<p>Malicious guest administrators can cause a denial of service
affecting the whole system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4164</cvename>
<url>http://xenbits.xen.org/xsa/advisory-136.html</url>
</references>
<dates>
<discovery>2015-06-11</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="80e846ff-27eb-11e5-a4a5-002590263bf5">
<topic>xen-kernel -- GNTTABOP_swap_grant_ref operation misbehavior</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>4.2</ge><lt>4.5.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-134.html">
<p>With the introduction of version 2 grant table operations, a
version check became necessary for most grant table related
hypercalls. The GNTTABOP_swap_grant_ref call was lacking such a
check. As a result, the subsequent code behaved as if version 2 was
in use, when a guest issued this hypercall without a prior
GNTTABOP_setup_table or GNTTABOP_set_version.</p>
<p>The effect is a possible NULL pointer dereference. However, this
cannot be exploited to elevate privileges of the attacking domain,
as the maximum memory address that can be wrongly accessed this way
is bounded to far below the start of hypervisor memory.</p>
<p>Malicious or buggy guest domain kernels can mount a denial of
service attack which, if successful, can affect the whole system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4163</cvename>
<url>http://xenbits.xen.org/xsa/advisory-134.html</url>
</references>
<dates>
<discovery>2015-06-11</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="ce658051-27ea-11e5-a4a5-002590263bf5">
<topic>xen-kernel -- Information leak through XEN_DOMCTL_gettscinfo</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>4.0</ge><lt>4.5.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-132.html">
<p>The handler for XEN_DOMCTL_gettscinfo failed to initialize a
padding field subsequently copied to guest memory.</p>
<p>A similar leak existed in XEN_SYSCTL_getdomaininfolist, which is
being addressed here regardless of that operation being declared
unsafe for disaggregation by XSA-77.</p>
<p>Malicious or buggy stub domain kernels or tool stacks otherwise
living outside of Domain0 may be able to read sensitive data
relating to the hypervisor or other guests not under the control of
that domain.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3340</cvename>
<url>http://xenbits.xen.org/xsa/advisory-132.html</url>
</references>
<dates>
<discovery>2015-04-20</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="3d657340-27ea-11e5-a4a5-002590263bf5">
<topic>xen-tools -- Unmediated PCI register access in qemu</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-131.html">
<p>Qemu allows guests to not only read, but also write all parts of
the PCI config space (but not extended config space) of passed
through PCI devices not explicitly dealt with for (partial)
emulation purposes.</p>
<p>Since the effect depends on the specific purpose of the config
space field, it's not possible to give a general statement about the
exact impact on the host or other guests. Privilege escalation,
host crash (Denial of Service), and leaked information all cannot be
excluded.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4106</cvename>
<url>http://xenbits.xen.org/xsa/advisory-131.html</url>
</references>
<dates>
<discovery>2015-06-02</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="cbe1a0f9-27e9-11e5-a4a5-002590263bf5">
<topic>xen-tools -- Guest triggerable qemu MSI-X pass-through error messages</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-130.html">
<p>Device model code dealing with guest PCI MSI-X interrupt management
activities logs messages on certain (supposedly) invalid guest
operations.</p>
<p>A buggy or malicious guest repeatedly invoking such operations may
result in the host disk filling up, possibly leading to a Denial of
Service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4105</cvename>
<url>http://xenbits.xen.org/xsa/advisory-130.html</url>
</references>
<dates>
<discovery>2015-06-02</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="4db8a0f4-27e9-11e5-a4a5-002590263bf5">
<topic>xen-tools -- PCI MSI mask bits inadvertently exposed to guests</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-129.html">
<p>The mask bits optionally available in the PCI MSI capability
structure are used by the hypervisor to occasionally suppress
interrupt delivery. Unprivileged guests were, however, nevertheless
allowed direct control of these bits.</p>
<p>Interrupts may be observed by Xen at unexpected times, which may
lead to a host crash and therefore a Denial of Service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4104</cvename>
<url>http://xenbits.xen.org/xsa/advisory-129.html</url>
</references>
<dates>
<discovery>2015-06-02</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="af38cfec-27e7-11e5-a4a5-002590263bf5">
<topic>xen-tools -- Potential unintended writes to host MSI message data field via qemu</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-128.html">
<p>Logic is in place to avoid writes to certain host config space
fields when the guest must nevertheless be able to access their
virtual counterparts. A bug in how this logic deals with accesses
spanning multiple fields allows the guest to write to the host MSI
message data field.</p>
<p>While generally the writes write back the values previously read,
their value in config space may have got changed by the host between
the qemu read and write. In such a case host side interrupt handling
could become confused, possibly losing interrupts or allowing
spurious interrupt injection into other guests.</p>
<p>Certain untrusted guest administrators may be able to confuse host
side interrupt handling, leading to a Denial of Service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4103</cvename>
<url>http://xenbits.xen.org/xsa/advisory-128.html</url>
</references>
<dates>
<discovery>2015-06-02</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="103a47d5-27e7-11e5-a4a5-002590263bf5">
<topic>xen-kernel -- Certain domctl operations may be abused to lock up the host</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>4.3</ge><lt>4.5.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-127.html">
<p>XSA-77 put the majority of the domctl operations on a list
excepting them from having security advisories issued for them if
any effects their use might have could hamper security. Subsequently
some of them got declared disaggregation safe, but for a small
subset this was not really correct: Their (mis-)use may result in
host lockups.</p>
<p>As a result, the potential security benefits of toolstack
disaggregation are not always fully realised.</p>
<p>Domains deliberately given partial management control may be able
to deny service to the entire host.</p>
<p>As a result, in a system designed to enhance security by radically
disaggregating the management, the security may be reduced. But,
the security will be no worse than a non-disaggregated design.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2751</cvename>
<url>http://xenbits.xen.org/xsa/advisory-127.html</url>
</references>
<dates>
<discovery>2015-03-31</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="79f401cd-27e6-11e5-a4a5-002590263bf5">
<topic>xen-tools -- Unmediated PCI command register access in qemu</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-126.html">
<p>HVM guests are currently permitted to modify the memory and I/O
decode bits in the PCI command register of devices passed through to
them. Unless the device is an SR-IOV virtual function, after
disabling one or both of these bits subsequent accesses to the MMIO
or I/O port ranges would - on PCI Express devices - lead to
Unsupported Request responses. The treatment of such errors is
platform specific.</p>
<p>Furthermore (at least) devices under control of the Linux pciback
driver in the host are handed to guests with the aforementioned bits
turned off. This means that such accesses can similarly lead to
Unsupported Request responses until these flags are set as needed by
the guest.</p>
<p>In the event that the platform surfaces aforementioned UR responses
as Non-Maskable Interrupts, and either the OS is configured to treat
NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to
treat these errors as fatal, the host would crash, leading to a
Denial of Service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2756</cvename>
<url>http://xenbits.xen.org/xsa/advisory-126.html</url>
</references>
<dates>
<discovery>2015-03-31</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="d40c66cb-27e4-11e5-a4a5-002590263bf5">
<topic>xen-kernel and xen-tools -- Long latency MMIO mapping operations are not preemptible</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.5.0_3</lt></range>
</package>
<package>
<name>xen-tools</name>
<range><lt>4.5.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-125.html">
<p>The XEN_DOMCTL_memory_mapping hypercall allows long running
operations without implementing preemption.</p>
<p>This hypercall is used by the device model as part of the emulation
associated with configuration of PCI devices passed through to HVM
guests and is therefore indirectly exposed to those guests.</p>
<p>This can cause a physical CPU to become busy for a significant
period, leading to a host denial of service in some cases.</p>
<p>If a host denial of service is not triggered then it may instead be
possible to deny service to the domain running the device model,
e.g. domain 0.</p>
<p>This hypercall is also exposed more generally to all toolstacks.
However the uses of it in libxl based toolstacks are not believed
to open up any avenue of attack from an untrusted guest. Other
toolstacks may be vulnerable however.</p>
<p>The vulnerability is exposed via HVM guests which have a PCI device
assigned to them. A malicious HVM guest in such a configuration can
mount a denial of service attack affecting the whole system via its
associated device model (qemu-dm).</p>
<p>A guest is able to trigger this hypercall via operations which it
is legitimately expected to perform, therefore running the device
model as a stub domain does not offer protection against the host
denial of service issue. However it does offer some protection
against secondary issues such as denial of service against dom0.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2752</cvename>
<url>http://xenbits.xen.org/xsa/advisory-125.html</url>
</references>
<dates>
<discovery>2015-03-31</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="83a28417-27e3-11e5-a4a5-002590263bf5">
<topic>xen-kernel -- Hypervisor memory corruption due to x86 emulator flaw</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.5.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-123.html">
<p>Instructions with register operands ignore eventual segment
overrides encoded for them. Due to an insufficiently conditional
assignment such a bogus segment override can, however, corrupt a
pointer used subsequently to store the result of the instruction.</p>
<p>A malicious guest might be able to read sensitive data relating to
other guests, or to cause denial of service on the host. Arbitrary
code execution, and therefore privilege escalation, cannot be
excluded.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2151</cvename>
<url>http://xenbits.xen.org/xsa/advisory-123.html</url>
</references>
<dates>
<discovery>2015-03-10</discovery>
<entry>2015-07-11</entry>
</dates>