MGASA-2021-0340 Updated guile1.8 packages fix security vulnerabilities
The mkdir procedure of GNU Guile temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777. Th...
Updated binutils packages fix security vulnerabilities
This update provides binutils 2.36.1 and fixes at least the following security issues: There's a flaw in the BFD library of binutils in versions before 2.36. An attacker who supplies a crafted file to an application linked with BFD, and using the DWARF functionality, could cause an impact to syst...
Updated guile1.8 packages fix security vulnerabilities
The mkdir procedure of GNU Guile temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777. Th...
GNU Chess: Buffer overflow
Background GNU Chess is a console based chess interface. Description The cmdpgnload and cmdpgnreplay functions in cmd.cc in GNU Chess do not sufficiently validate PGN file input, potentially resulting in a buffer overflow. Impact A remote attacker could entice a user to open a specially crafted PG...
Binutils: Multiple vulnerabilities
Background The GNU Binutils are a collection of tools to create, modify and analyse binary files. Many of the files use BFD, the Binary File Descriptor library, to do low-level manipulation. Description Multiple vulnerabilities have been discovered in Binutils. Please review the CVE identifiers...
Huawei EulerOS: Security Advisory for bindutils (EulerOS-SA-2021-2128)
The remote host is missing an update for the Huawei EulerOS...
Moodle < 3.8.9, 3.9.x < 3.9.7, 3.10.x < 3.10.4 XSS Vulnerability
Moodle is prone to a cross-site scripting (XSS) vulnerability.
Fedora: Security Advisory for libgcrypt (FEDORA-2021-31fdc84207)
The remote host is missing an update for the...
glibc: Multiple vulnerabilities
Background glibc is a package that contains the GNU C library. Description Multiple vulnerabilities have been discovered in glibc. Please review the CVE identifiers referenced below for details. Impact An attacker could cause a possible Denial of Service condition. Workaround There is no known...
Advisory ROSA-SA-2021-1996
Software: wget 1.14 OS: Cobalt 7.9 CVE-ID: CVE-2016-7098 CVE-Crit: HIGH CVE-DESC: The race condition in wget 1.17 and earlier, when used in recursive or mirror mode to download a single file, may allow remote servers to bypass perceived access list restrictions by leaving the HTTP connection open...
Advisory ROSA-SA-2021-1946
Software: path 2.7.1 OS: Cobalt 7.9 CVE-ID: CVE-2014-9637 CVE-Crit: MEDIUM CVE-DESC: GNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation error) with a crafted diff file. CVE-STATUS: default CVE-REV: default CVE-ID: CVE-2015-1196...
Advisory ROSA-SA-2021-1924
Software: mpfr 3.1.1 OS: Cobalt 7.9 CVE-ID: CVE-2014-9474 CVE-Crit: CRITICAL CVE-DESC: Buffer overflow in the mpfr_strtofr function in GNU MPFR before 3.1.2-p11 allows context-sensitive attackers to have undefined impact via vectors associated with incorrect documentation for mpn_set_str. CVE-STATUS:...
Advisory ROSA-SA-2021-1913
Software: mailman 2.1.15 OS: Cobalt 7.9 CVE-ID: CVE-2016-6893 CVE-Crit: HIGH CVE-DESC: A cross-site request forgery (CSRF) vulnerability in the user parameter page in GNU Mailman 2.1.x through 2.1.23 allows remote attackers to intercept arbitrary user authentication for requests that modify a...
Advisory ROSA-SA-2021-1861
Software: less 458 OS: Cobalt 7.9 CVE-ID: CVE-2014-9488 CVE-Crit: CRITICAL CVE-DESC: The is_utf8_well_formed function in GNU less to 475 allows remote attackers to have undefined impact using garbled UTF-8 characters, causing reads outside the valid range. CVE-STATUS: default CVE-REV: default...
Advisory ROSA-SA-2021-1828
Software: emacs 24.3 OS: Cobalt 7.9 CVE-ID: CVE-2014-3421 CVE-Crit: CRITICAL CVE-DESC: lisp/gnus/gnus-fun.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files using a symbolic link attack on the temporary file /tmp/gnus.face.ppm. CVE-STATUS: default CVE-REV: defaul...
Advisory ROSA-SA-2021-1826
Software: ed 1.9 OS: Cobalt 7.9 CVE-ID: CVE-2015-2987 CVE-Crit: MEDIUM CVE-DESC: Type74 ED before 4.0 incorrectly uses 128-bit ECB encryption for small files, making it easier for attackers to obtain plaintext data by differential cryptanalysis of a file with an original length of less than 128...
Advisory ROSA-SA-2021-1814
Software: coreutils 8.22 OS: Cobalt 7.9 CVE-ID: CVE-2017-18018 CVE-Crit: MEDIUM CVE-DESC: In GNU Coreutils before 8.29, chown-core.c in chown and chgrp does not prevent replacing a simple file with a symbolic link while using POSIX "-R -L" parameters, allowing local users to change ownership of...
Advisory ROSA-SA-2021-1802
Software: bash 4.2.46 OS: Cobalt 7.9 CVE-ID: CVE-2012-6711 CVE-Crit: HIGH CVE-DESC: A heap-based buffer overflow exists in GNU Bash before 4.3, when wide characters not supported by the current locale set in the LC_CTYPE environment variable are printed using the built-in echo function...
GNU LibreDWG Resource Management Error Vulnerability
GNU LibreDWG is a C library for processing DWG files from the GNU community. GNU LibreDWG is vulnerable due to a double-free in bit_chain_free from dwg_encode_MTEXT and dwg_encode_add_object calls. No detailed vulnerability information is currently available...
Invoke-DNSteal - Simple And Customizable DNS Data Exfiltrator
Invoke-DNSteal is a simple and customizable DNS data exfiltrator. This tool helps you to exfiltrate data through the DNS protocol over UDP and TCP, and lets you control the size of queries using random delay. It also allows you to avoid detections by using random domains in each of your queries and you c...