Lucene search
Archlinux, most viewed

1854 matches found

ArchLinux
•added 2018/01/10 12:0 a.m.•70 views

[ASA-201801-10] intel-ucode: access restriction bypass

Arch Linux Security Advisory ASA-201801-10 | Severity: High | Date: 2018-01-10 | CVE-ID: CVE-2017-5715 | Package: intel-ucode | Type: access restriction bypass | Remote: No | Link: https://security.archlinux.org/AVG-582 | Summary: The package intel-ucode...

CVSS 5.6 | AI score 1.8 | EPSS 0.74041
Exploits 8 | References 8
ArchLinux
•added 2017/11/30 12:0 a.m.•70 views

[ASA-201711-37] lib32-libcurl-gnutls: multiple issues

Arch Linux Security Advisory ASA-201711-37 | Severity: High | Date: 2017-11-30 | CVE-ID: CVE-2017-8816 CVE-2017-8817 CVE-2017-8818 | Package: lib32-libcurl-gnutls | Type: multiple issues | Remote: Yes | Link: https://security.archlinux.org/AVG-523 | Summary...

CVSS 9.8 | AI score 0.3 | EPSS 0.11175
Exploits 0 | References 13
ArchLinux
•added 2016/03/14 12:0 a.m.•70 views

dropbear: command injection

A vulnerability was found in a way dropbear processed X11 forwarding input. By using a specially crafted request, an attacker could bypass the authorized_keys command restrictions. xauth is run under the user's privilege, so this vulnerability offers no additional access to unrestricted accounts,...

CVSS 5.5 | AI score 6 | EPSS 0.19302
Exploits 4 | References 2
ArchLinux
•added 2015/04/09 12:0 a.m.•70 views

libssh2: out-of-bounds read

When negotiating a new SSH session with a remote server, one of libssh2's functions for doing the key exchange (kex_agree_methods) was naively reading data from the incoming packet and using it without doing sufficient range checks. The SSH_MSG_KEXINIT packet arrives to libssh2 with a set of strings,...

CVSS 6.8 | AI score 3.4 | EPSS 0.03501
Exploits 0 | References 3
ArchLinux
•added 2015/04/08 12:0 a.m.•70 views

chrony: denial of service

CVE-2015-1853 denial of service: This issue is similar to the "ntp CVE-2015-1799"-issue. An attacker knowing that NTP hosts A and B are peering with each other symmetric association can send a packet to host A with source address of B which will set the NTP state variables on A to the values sen...

CVSS 4.3 | AI score 2 | EPSS 0.01696
Exploits 0 | References 3
ArchLinux
•added 2014/10/02 12:0 a.m.•70 views

jenkins: multiple issues

SECURITY-87/CVE-2014-3661 anonymous DoS attack through CLI handshake This vulnerability allows unauthenticated users with access to Jenkins' HTTP/HTTPS port to mount a DoS attack on Jenkins through thread exhaustion. - SECURITY-110/CVE-2014-3662 User name discovery Anonymous users can test if the...

CVSS 7.5 | AI score 2.6 | EPSS 0.12666
Exploits 0 | References 13
ArchLinux
•added 2024/03/29 12:0 a.m.•69 views

[ASA-202403-1] xz: arbitrary code execution

Arch Linux Security Advisory ASA-202403-1 | Severity: Critical | Date: 2024-03-29 | CVE-ID: CVE-2024-3094 | Package: xz | Type: arbitrary code execution | Remote: Yes | Link: https://security.archlinux.org/AVG-2851 | Summary: The package xz before version...

CVSS 10 | AI score 7.2 | EPSS 0.85974
Exploits 39 | References 3
ArchLinux
•added 2019/08/16 12:0 a.m.•69 views

[ASA-201908-13] nginx: denial of service

Arch Linux Security Advisory ASA-201908-13 | Severity: Medium | Date: 2019-08-16 | CVE-ID: CVE-2019-9511 CVE-2019-9513 CVE-2019-9516 | Package: nginx | Type: denial of service | Remote: Yes | Link: https://security.archlinux.org/AVG-1023 | Summary: The...

CVSS 7.8 | AI score 1.7 | EPSS 0.82567
Exploits 0 | References 9
ArchLinux
•added 2016/10/22 12:0 a.m.•69 views

[ASA-201610-14] linux: privilege escalation

Arch Linux Security Advisory ASA-201610-14 | Severity: High | Date: 2016-10-22 | CVE-ID: CVE-2016-5195 | Package: linux | Type: privilege escalation | Remote: No | Link: https://wiki.archlinux.org/index.php/CVE | Summary: The package linux before version...

CVSS 7.2 | AI score 1.2 | EPSS 0.83524
Exploits 80 | References 5
ArchLinux
•added 2016/08/21 12:0 a.m.•69 views

linux-lts: information disclosure

A security issue has been found in the Linux kernel's implementation of challenge ACKs as specified in RFC 5961. An attacker which knows a connection's client IP, server IP and server port can abuse the challenge ACK mechanism to determine the accuracy of a normally 'blind' attack on the client o...

CVSS 5.8 | AI score 2.6 | EPSS 0.15855
Exploits 3 | References 3
ArchLinux
•added 2016/10/21 12:0 a.m.•68 views

[ASA-201610-11] linux-lts: privilege escalation

Arch Linux Security Advisory ASA-201610-11 | Severity: High | Date: 2016-10-21 | CVE-ID: CVE-2016-5195 | Package: linux-lts | Type: privilege escalation | Remote: No | Link: https://wiki.archlinux.org/index.php/CVE | Summary: The package linux-lts before...

CVSS 7.2 | AI score 1.1 | EPSS 0.83524
Exploits 80 | References 5
ArchLinux
•added 2016/09/18 12:0 a.m.•68 views

php: multiple issues

CVE-2016-7411 arbitrary code execution A memory corruption vulnerability was found in PHP's unserialize method. This happened during the deserialized-object destruction. - CVE-2016-7412 arbitrary code execution PHP's mysqlnd extension assumes the flags returned for a BIT field necessarily...

AI score 1.6 | EPSS 0.11402
Exploits 7 | References 15
ArchLinux
•added 2016/03/11 12:0 a.m.•68 views

openssh: command injection

Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth. Injection of xauth commands grants the ability to read arbitrary files under the authenticated user's privilege. Other xauth commands allow limited information...

CVSS 5.5 | AI score 2.8 | EPSS 0.37016
Exploits 13 | References 2
ArchLinux
•added 2015/10/23 12:0 a.m.•68 views

jre8-openjdk-headless: multiple issues

CVE-2015-4734 information disclosure It was discovered that the JGSS component of OpenJDK did not properly hide Kerberos realm information from all error exceptions when running under Security Manager. An untrusted Java application or applet could use this flaw to obtain certain information about...

CVSS 10 | AI score 2.6 | EPSS 0.13354
Exploits 0 | References 25
ArchLinux
•added 2015/10/23 12:0 a.m.•68 views

jre7-openjdk: multiple issues

CVE-2015-4734 information disclosure It was discovered that the JGSS component of OpenJDK did not properly hide Kerberos realm information from all error exceptions when running under Security Manager. An untrusted Java application or applet could use this flaw to obtain certain information about...

CVSS 10 | AI score 1.5 | EPSS 0.13354
Exploits 0 | References 22
ArchLinux
•added 2015/01/27 12:0 a.m.•68 views

jasper: arbitrary code execution

CVE-2014-8157 arbitrary code execution Off-by-one error in the jpc_dec_process_sot function allows remote attackers to cause a denial of service crash or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow. - CVE-2014-8158 arbitrary code...

CVSS 10 | AI score 7.7 | EPSS 0.94859
Exploits 29 | References 4
ArchLinux
•added 2015/01/23 12:0 a.m.•68 views

jre7-openjdk: multiple issues

CVE-2014-3566 man-in-the-middle Nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. - CVE-2014-6585 out-of-bounds read Allows remote attackers to affect confidentiality via font parsing...

CVSS 10 | AI score 7.2 | EPSS 0.99999
Exploits 11 | References 17
ArchLinux
•added 2020/10/18 12:0 a.m.•67 views

[ASA-202010-3] linux-zen: multiple issues

Arch Linux Security Advisory ASA-202010-3 | Severity: High | Date: 2020-10-18 | CVE-ID: CVE-2020-12351 CVE-2020-12352 CVE-2020-24490 | Package: linux-zen | Type: multiple issues | Remote: Yes | Link: https://security.archlinux.org/AVG-1249 | Summary: The...

CVSS 8.8 | AI score 1.1 | EPSS 0.07693
Exploits 6 | References 11
ArchLinux
•added 2018/01/30 12:0 a.m.•67 views

[ASA-201801-31] zathura-pdf-mupdf: arbitrary code execution

Arch Linux Security Advisory ASA-201801-31 | Severity: High | Date: 2018-01-30 | CVE-ID: CVE-2017-17858 | Package: zathura-pdf-mupdf | Type: arbitrary code execution | Remote: No | Link: https://security.archlinux.org/AVG-600 | Summary: The package...

CVSS 7.8 | AI score 2.5 | EPSS 0.02785
Exploits 1 | References 5
ArchLinux
•added 2017/11/30 12:0 a.m.•67 views

[ASA-201711-36] lib32-curl: multiple issues

Arch Linux Security Advisory ASA-201711-36 | Severity: High | Date: 2017-11-30 | CVE-ID: CVE-2017-8816 CVE-2017-8817 CVE-2017-8818 | Package: lib32-curl | Type: multiple issues | Remote: Yes | Link: https://security.archlinux.org/AVG-521 | Summary: The...

CVSS 9.8 | AI score 0.3 | EPSS 0.11175
Exploits 0 | References 13
ArchLinux
•added 2017/03/10 12:0 a.m.•67 views

[ASA-201703-3] firefox: multiple issues

Arch Linux Security Advisory ASA-201703-3 | Severity: Critical | Date: 2017-03-10 | CVE-ID: CVE-2017-5398 CVE-2017-5399 CVE-2017-5400 CVE-2017-5401 CVE-2017-5402 CVE-2017-5403 CVE-2017-5404 CVE-2017-5405 CVE-2017-5406 CVE-2017-5407 CVE-2017-5408 CVE-2017-5410...

CVSS 10 | AI score 0.4 | EPSS 0.17484
Exploits 19 | References 77
ArchLinux
•added 2016/10/24 12:0 a.m.•67 views

[ASA-201610-16] linux-grsec: privilege escalation

Arch Linux Security Advisory ASA-201610-16 | Severity: High | Date: 2016-10-24 | CVE-ID: CVE-2016-5195 | Package: linux-grsec | Type: privilege escalation | Remote: No | Link: https://wiki.archlinux.org/index.php/CVE | Summary: The package linux-grsec befor...

CVSS 7.2 | AI score 1.1 | EPSS 0.83524
Exploits 80 | References 5
ArchLinux
•added 2016/05/26 12:0 a.m.•67 views

libxml2: multiple issues

CVE-2016-1762 denial of service A vulnerability has been discovered that allows remote attackers to cause a denial of service memory corruption via a crafted XML document. - CVE-2016-1833 denial of service A maliciously crafted file could cause the application to crash due to a heap-based...

CVSS 10 | AI score 3.7 | EPSS 0.07407
Exploits 11 | References 12
ArchLinux
•added 2015/10/23 12:0 a.m.•67 views

jre7-openjdk-headless: multiple issues

CVE-2015-4734 information disclosure It was discovered that the JGSS component of OpenJDK did not properly hide Kerberos realm information from all error exceptions when running under Security Manager. An untrusted Java application or applet could use this flaw to obtain certain information about...

CVSS 10 | AI score 1.5 | EPSS 0.13354
Exploits 0 | References 22
ArchLinux
•added 2022/04/04 12:0 a.m.•66 views

[ASA-202204-1] postgresql: man-in-the-middle

Arch Linux Security Advisory ASA-202204-1 | Severity: High | Date: 2022-04-04 | CVE-ID: CVE-2021-23214 | Package: postgresql | Type: man-in-the-middle | Remote: Yes | Link: https://security.archlinux.org/AVG-2546 | Summary: The package postgresql before...

CVSS 8.1 | AI score 1 | EPSS 0.01901
Exploits 0 | References 4
ArchLinux
•added 2020/02/17 12:0 a.m.•66 views

[ASA-202002-10] webkit2gtk: multiple issues

Arch Linux Security Advisory ASA-202002-10 | Severity: High | Date: 2020-02-17 | CVE-ID: CVE-2020-3862 CVE-2020-3864 CVE-2020-3865 CVE-2020-3867 CVE-2020-3868 | Package: webkit2gtk | Type: multiple issues | Remote: Yes | Link: ...

CVSS 9.3 | AI score 2.3 | EPSS 0.02655
Exploits 0 | References 7
ArchLinux
•added 2019/10/16 12:0 a.m.•66 views

[ASA-201910-9] sudo: privilege escalation

Arch Linux Security Advisory ASA-201910-9 | Severity: High | Date: 2019-10-16 | CVE-ID: CVE-2019-14287 | Package: sudo | Type: privilege escalation | Remote: No | Link: https://security.archlinux.org/AVG-1047 | Summary: The package sudo before version 1.8.28...

CVSS 9 | AI score 1.3 | EPSS 0.63917
Exploits 10 | References 4
ArchLinux
•added 2016/12/22 12:0 a.m.•66 views

[ASA-201612-20] openssh: multiple issues

Arch Linux Security Advisory ASA-201612-20 | Severity: Medium | Date: 2016-12-22 | CVE-ID: CVE-2016-10009 CVE-2016-10010 CVE-2016-10011 CVE-2016-10012 | Package: openssh | Type: multiple issues | Remote: Yes | Link: https://security.archlinux.org/AVG-110 | Summary...

CVSS 7.8 | AI score 1.4 | EPSS 0.37431
Exploits 8 | References 8
ArchLinux
•added 2016/05/04 12:0 a.m.•66 views

openssl: multiple issues

CVE-2016-2105 buffer overflow: An overflow can occur in the EVP_EncodeUpdate function which is used for Base64 encoding of binary data. If an attacker is able to supply very large amounts of input data then a length check can overflow resulting in a heap corruption. Internally to OpenSSL the...

CVSS 7.8 | AI score 1.1 | EPSS 0.89058
Exploits 7 | References 6
ArchLinux
•added 2016/01/09 12:0 a.m.•66 views

wireshark-cli: denial of service

CVE-2015-8742 denial of service The dissect_CPMSetBindings function in epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2.0.x before 2.0.1 does not validate the column size, which allows remote attackers to cause a denial of service memory consumption or application crash via a...

CVSS 4.3 | AI score 3.7 | EPSS 0.07142
Exploits 14 | References 25
ArchLinux
•added 2015/07/04 12:0 a.m.•67 views

openssh: XSECURITY restrictions bypass

When forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh coupled with "fail open" behaviour in the X11 server when clients attempted...

CVSS 4.3 | AI score 0.7 | EPSS 0.05445
Exploits 0 | References 2
ArchLinux
•added 2015/06/12 12:0 a.m.•66 views

openssl: multiple issues

CVE-2015-1788 denial of service When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate...

CVSS 6.8 | AI score 1.9 | EPSS 0.9986
Exploits 0 | References 7
ArchLinux
•added 2015/01/14 12:0 a.m.•66 views

thunderbird: multiple issues

CVE-2014-8634 arbitrary remote code execution Christian Holler and Patrick McManus reported memory safety problems and crashes that affect Firefox ESR 31.3 and Firefox 34. - CVE-2014-8635 arbitrary remote code execution Christoph Diehl, Christian Holler, Gary Kwong, Jesse Ruderman, Byron Campen,...

CVSS 7.5 | AI score 4.2 | EPSS 0.04109
Exploits 0 | References 5
ArchLinux
•added 2022/04/15 12:0 a.m.•65 views

[ASA-202204-12] vim: arbitrary code execution

Arch Linux Security Advisory ASA-202204-12 | Severity: High | Date: 2022-04-15 | CVE-ID: CVE-2022-1154 CVE-2022-1160 | Package: vim | Type: arbitrary code execution | Remote: No | Link: https://security.archlinux.org/AVG-2662 | Summary: The package vim befo...

CVSS 6.8 | AI score 1.3 | EPSS 0.01462
Exploits 2 | References 7
ArchLinux
•added 2021/10/29 12:0 a.m.•65 views

[ASA-202110-7] chromium: multiple issues

Arch Linux Security Advisory ASA-202110-7 | Severity: High | Date: 2021-10-29 | CVE-ID: CVE-2021-37997 CVE-2021-37998 CVE-2021-37999 CVE-2021-38000 CVE-2021-38001 CVE-2021-38002 CVE-2021-38003 | Package: chromium | Type: multiple issues | Remote: Yes | Link: ...

CVSS 9.6 | AI score 1.6 | EPSS 0.36238
Exploits 5 | References 16
ArchLinux
•added 2020/09/22 12:0 a.m.•65 views

[ASA-202009-8] libvirt: privilege escalation

Arch Linux Security Advisory ASA-202009-8 | Severity: High | Date: 2020-09-22 | CVE-ID: CVE-2020-14339 | Package: libvirt | Type: privilege escalation | Remote: No | Link: https://security.archlinux.org/AVG-1232 | Summary: The package libvirt before version...

CVSS 8.8 | AI score 0.7 | EPSS 0.00416
Exploits 0 | References 4
ArchLinux
•added 2019/09/04 12:0 a.m.•65 views

[ASA-201909-1] webkit2gtk: multiple issues

Arch Linux Security Advisory ASA-201909-1 | Severity: Critical | Date: 2019-09-04 | CVE-ID: CVE-2019-8644 CVE-2019-8649 CVE-2019-8658 CVE-2019-8669 CVE-2019-8678 CVE-2019-8680 CVE-2019-8683 CVE-2019-8684 CVE-2019-8688 | Package: webkit2gtk | Type: multiple issu...

CVSS 9.3 | AI score 0.9 | EPSS 0.04558
Exploits 2 | References 20
ArchLinux
•added 2017/10/16 12:0 a.m.•65 views

[ASA-201710-24] linux-zen: privilege escalation

Arch Linux Security Advisory ASA-201710-24 | Severity: High | Date: 2017-10-16 | CVE-ID: CVE-2017-5123 | Package: linux-zen | Type: privilege escalation | Remote: No | Link: https://security.archlinux.org/AVG-445 | Summary: The package linux-zen before...

CVSS 8.8 | AI score 1.8 | EPSS 0.03714
Exploits 10 | References 3
ArchLinux
•added 2016/05/12 12:0 a.m.•65 views

flashplugin: arbitrary code execution

CVE-2016-1096: Memory corruption. Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero. - CVE-2016-1097: Use-after-free. Wen Guanxing from Pangu LAB, working with the Chromium Vulnerability Rewards Program. - CVE-2016-1098: Memory corruption. Wen Guanxing from Pangu LAB. -...

CVSS 10 | AI score 1.7 | EPSS 0.94354
Exploits 14 | References 26
ArchLinux
•added 2016/05/12 12:0 a.m.•65 views

lib32-flashplugin: arbitrary code execution

CVE-2016-1096: Memory corruption. Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero. - CVE-2016-1097: Use-after-free. Wen Guanxing from Pangu LAB, working with the Chromium Vulnerability Rewards Program. - CVE-2016-1098: Memory corruption. Wen Guanxing from Pangu LAB. -...

CVSS 10 | AI score 1.7 | EPSS 0.94354
Exploits 14 | References 26
ArchLinux
•added 2015/12/05 12:0 a.m.•65 views

openssl lib32-openssl: multiple issues

CVE-2015-3193 insecure private key in connection with DHE There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not...

CVSS 5 | AI score 0.8 | EPSS 0.44016
Exploits 1 | References 6
ArchLinux
•added 2021/10/21 12:0 a.m.•64 views

[ASA-202110-6] nodejs-lts-erbium: multiple issues

Arch Linux Security Advisory ASA-202110-6 | Severity: High | Date: 2021-10-21 | CVE-ID: CVE-2021-22939 CVE-2021-22940 CVE-2021-22959 CVE-2021-22960 | Package: nodejs-lts-erbium | Type: multiple issues | Remote: Yes | Link: https://security.archlinux.org/AVG-2285...

CVSS 7.5 | AI score 1.1 | EPSS 0.1473
Exploits 3 | References 24
ArchLinux
•added 2020/11/10 12:0 a.m.•64 views

[ASA-202011-5] gdm: privilege escalation

Arch Linux Security Advisory ASA-202011-5 | Severity: High | Date: 2020-11-10 | CVE-ID: CVE-2020-16125 | Package: gdm | Type: privilege escalation | Remote: No | Link: https://security.archlinux.org/AVG-1264 | Summary: The package gdm before version 3.38.2-1...

CVSS 7.2 | AI score 1.1 | EPSS 0.01109
Exploits 1 | References 3
ArchLinux
•added 2019/11/03 12:0 a.m.•64 views

[ASA-201911-4] python2: information disclosure

Arch Linux Security Advisory ASA-201911-4 | Severity: High | Date: 2019-11-03 | CVE-ID: CVE-2019-9636 | Package: python2 | Type: information disclosure | Remote: Yes | Link: https://security.archlinux.org/AVG-978 | Summary: The package python2 before version...

CVSS 9.8 | AI score 0.6 | EPSS 0.08811
Exploits 0 | References 5
ArchLinux
•added 2016/08/05 12:0 a.m.•64 views

jre7-openjdk-headless: multiple issues

CVE-2016-3458 sandbox restriction bypass It was discovered that the CORBA component of OpenJDK did not sufficiently restrict the use of custom ValueHandler when performing object deserialization. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox...

CVSS 9.3 | AI score 1 | EPSS 0.06715
Exploits 0 | References 8
ArchLinux
•added 2015/10/22 12:0 a.m.•64 views

ntp: multiple issues

CVE-2015-7871 authentication bypass An error handling logic error exists within ntpd that manifests due to improper error condition handling associated with certain crypto-NAK packets. An unauthenticated, off-path attacker can force ntpd processes on targeted servers to peer with time sources of...

AI score 1.9 | EPSS 0.81762
Exploits 8 | References 27
ArchLinux
•added 2019/01/24 12:0 a.m.•63 views

[ASA-201901-14] apache: multiple issues

Arch Linux Security Advisory ASA-201901-14 | Severity: High | Date: 2019-01-24 | CVE-ID: CVE-2018-17189 CVE-2018-17199 CVE-2019-0190 | Package: apache | Type: multiple issues | Remote: Yes | Link: https://security.archlinux.org/AVG-857 | Summary: The packag...

CVSS 7.5 | AI score 1.2 | EPSS 0.59942
Exploits 0 | References 5
ArchLinux
•added 2016/10/13 12:0 a.m.•63 views

[ASA-201610-9] gdk-pixbuf2: arbitrary code execution

Arch Linux Security Advisory ASA-201610-9 | Severity: Critical | Date: 2016-10-13 | CVE-ID: CVE-2016-6352 | Package: gdk-pixbuf2 | Type: arbitrary code execution | Remote: Yes | Link: https://wiki.archlinux.org/index.php/CVE | Summary: The package gdk-pixbuf...

CVSS 7.5 | AI score 2.3 | EPSS 0.03855
Exploits 1 | References 5
ArchLinux
•added 2016/08/17 12:0 a.m.•63 views

linux-zen: information disclosure

A security issue has been found in the Linux kernel's implementation of challenge ACKs as specified in RFC 5961. An attacker which knows a connection's client IP, server IP and server port can abuse the challenge ACK mechanism to determine the accuracy of a normally 'blind' attack on the client o...

CVSS 5.8 | AI score 2.6 | EPSS 0.15855
Exploits 3 | References 3
ArchLinux
•added 2015/05/03 12:0 a.m.•63 views

clamav: multiple issues

CVE-2015-2170 denial of service A flaw has been found in the UPX decoder with crafted files. During unpacking there are two range checks which are implemented "manually". Those checks lack the detection of overflows which are considered by the CLI_ISCONTAINED macro. - CVE-2015-2221 denial of...

CVSS 6.8 | AI score 1.2 | EPSS 0.0837
Exploits 1 | References 6
Total number of security vulnerabilities: 1854