CVE-2019-12822

In http.c in Embedthis GoAhead before 4.1.1 and 5.x before 5.0.1, a header parsing vulnerability causes a memory assertion, out-of-bounds memory reference, and potential DoS, as demonstrated by a colon on a line by itself...

CVE-2019-12822

CVE-2019-12822 affects Embedthis GoAhead, specifically http.c, where a header parsing vulnerability in GoAhead before 4.1.1 and 5.x before 5.0.1 leads to a memory assertion, out-of-bounds memory reference, and potential DoS (demonstrated by a colon on a line by itself). Connected documents corrob...

CVE-2019-12822

In http.c in Embedthis GoAhead before 4.1.1 and 5.x before 5.0.1, a header parsing vulnerability causes a memory assertion, out-of-bounds memory reference, and potential DoS, as demonstrated by a colon on a line by itself...

openSUSE Security Update : bind (openSUSE-2019-1532)

This update for bind fixes the following issues : Security issues fixed : - CVE-2018-5740: Fixed a denial of service vulnerability in the 'deny-answer-aliases' feature bsc1104129. - CVE-2019-6465: Fixed an issue where controls for zone transfers may not be properly applied to Dynamically Loadable...

picketlink: URL injection via xinclude parameter

It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks...

Denial Of Service (DoS)

PyYAML is vulnerable to denial of service. An assertion failure resulting in a crash occurs when a context-dependent attackers enters input containing malicious line-wrapping...

SUSE SLES11 Security Update : bind (SUSE-SU-2019:14074-1)

This update for bind fixes the following issues : Security issues fixed : CVE-2018-5740: Fixed a denial of service vulnerability in the 'deny-answer-aliases' feature bsc1104129. CVE-2018-5743: Limiting simultaneous TCP clients is ineffective. bsc1133185 CVE-2018-5745: An assertion failure can occ...

Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation

While fuzzing Spidermonkey, I encountered the following commented and modified JavaScript program which crashes debug builds of the latest release version of Spidermonkey from commit https://github.com/mozilla/gecko-dev/commit/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c: function O1 this.s = 'foobar...

Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation

Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation While fuzzing Spidermonkey, I encountered the following commented and modified JavaScript program which crashes debug builds of the latest release version of Spidermonkey from commit...

JavaScript V8 Turbofan Out-Of-Bounds Read Exploit

V8: Turbofan may read a Map pointer out-of-bounds when optimizing Reflect.construct The following JavaScript program found through fuzzing triggers an assertion failure in debug builds of the latest v8 and the current release branch, 7.2.502.28: function farg const o =...

Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation Exploit

Spidermonkey IonMonkey suffers from an issue where an unexpected ObjectGroup in the ObjectGroupDispatch operation might lead to potentially unsafe code being executed. Spidermonkey: IonMonkey: unexpected ObjectGroup in ObjectGroupDispatch operation might lead to potentially unsafe code being...

CVE-2019-12312

In Libreswan 3.27 an assertion failure can lead to a pluto IKE daemon restart. An attacker can trigger a NULL pointer dereference by initiating an IKEv2 IKESAINIT exchange, followed by a bogus INFORMATIONAL exchange instead of the normallly expected IKEAUTH exchange. This affects...

CVE-2019-12312

In Libreswan 3.27 an assertion failure can lead to a pluto IKE daemon restart. An attacker can trigger a NULL pointer dereference by initiating an IKEv2 IKESAINIT exchange, followed by a bogus INFORMATIONAL exchange instead of the normallly expected IKEAUTH exchange. This affects...

CVE-2019-12312

In Libreswan 3.27 an assertion failure can lead to a pluto IKE daemon restart. An attacker can trigger a NULL pointer dereference by initiating an IKEv2 IKESAINIT exchange, followed by a bogus INFORMATIONAL exchange instead of the normallly expected IKEAUTH exchange. This affects...

CVE-2019-12312

CVE-2019-12312 affects Libreswan 3.27, where an assertion failure in send_v2N_spi_response_from_state (ikev2_send.c) can be triggered by an IKEv2 SA_INIT followed by a bogus INFORMATIONAL exchange, causing a NULL pointer dereference and a restart of the pluto IKE daemon. The issue is documented a...

CVE-2019-12312

In Libreswan 3.27 an assertion failure can lead to a pluto IKE daemon restart. An attacker can trigger a NULL pointer dereference by initiating an IKEv2 IKESAINIT exchange, followed by a bogus INFORMATIONAL exchange instead of the normallly expected IKEAUTH exchange. This affects...

CVE-2019-12312

In Libreswan 3.27 an assertion failure can lead to a pluto IKE daemon restart. An attacker can trigger a NULL pointer dereference by initiating an IKEv2 IKESAINIT exchange, followed by a bogus INFORMATIONAL exchange instead of the normallly expected IKEAUTH exchange. This affects...

CVE-2019-12312

In Libreswan 3.27 an assertion failure can lead to a pluto IKE daemon restart. An attacker can trigger a NULL pointer dereference by initiating an IKEv2 IKESAINIT exchange, followed by a bogus INFORMATIONAL exchange instead of the normallly expected IKEAUTH exchange. This affects...

Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free

See also https://bugs.chromium.org/p/project-zero/issues/detail?id=1699 for a similar issue. The DFG JIT compiler attempts to determine whether a DFG IR operation could cause garbage collection GC during its execution 1. With this, it is then possible for the compiler to determine whether there...

Apple macOS 10.14.5 iOS 12.3 DFG JIT Compiler - HasIndexedProperty Use-After-Free

Apple macOS 10.14.5 iOS 12.3 DFG JIT Compiler - HasIndexedProperty Use-After-Free See also https://bugs.chromium.org/p/project-zero/issues/detail?id=1699 for a similar issue. The DFG JIT compiler attempts to determine whether a DFG IR operation could cause garbage collection GC during its executi...