firefox: cross-origin restriction bypass
Security researcher Abdulrahman Alqabandi reported that the fetch API did not correctly implement the Cross-Origin Resource Sharing (CORS) specification, allowing a malicious page to access private data from other origins. Mozilla developer Ben Kelly independently reported the same issue...
mbedtls: arbitrary code execution
When the client creates its ClientHello message, due to insufficient bounds checking it can overflow the heap-based buffer containing the message while writing some extensions. Two extensions in particular could be used by a remote attacker to trigger the overflow: the session ticket extension an...
chromium: multiple issues
CVE-2015-6755 cross-origin bypass: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. - CVE-2015-6756 use-after-free: Use-after-free in PDFium. - CVE-2015-6757 use-after-free: Use-after-free in ServiceWorker. Credit to Collin Payne. - CVE-2015-6758: Bad-cast in PDFium. Credit to Atte...
flashplugin: multiple issues
CVE-2015-5569 information leak, insufficient hardening These updates include a defense-in-depth feature in the Flash broker API. - CVE-2015-7625 CVE-2015-7626 CVE-2015-7627 CVE-2015-7630 CVE-2015-7633 CVE-2015-7634 arbitrary code execution These updates resolve memory corruption vulnerabilities...
gdk-pixbuf2: multiple issues
CVE-2015-7673 denial of service It has been discovered that under certain circumstances while scaling a tga file a heap memory allocation may fail which is later used and leads to a denial of service. - CVE-2015-7673 heap buffer overflow It has been discovered that under certain circumstances...
opensmtpd: multiple issues
an oversight in the portable version of fgetln that allows attackers to read and write out-of-bounds memory - multiple denial-of-service vulnerabilities that allow local users to kill or hang OpenSMTPD - a stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute...
bugzilla: unauthorized account creation
Login names (usually an email address) longer than 127 characters are silently truncated in MySQL, which could cause the domain name of the email address to be corrupted. An attacker could use this vulnerability to create an account with an email address different from the one originally requested...
nodejs: denial of service
A vulnerability has been discovered in the HTTP pipeline handling that leads to an application crash. This problem is caused by out-of-order responses being sent to the client within a single pipelined connection...
hostapd: denial of service
CVE-2015-4141 denial of service A vulnerability was found in the WPS UPnP function shared by hostapd (WPS AP) and wpa_supplicant (WPS external registrar). This may allow a possible denial of service attack through - CVE-2015-4142 denial of service A vulnerability was found in WMM Action frame...
libunwind: denial of service
CVE-2015-3239 Unspecified Impact: Off-by-one error in the dwarf_to_unw_regnum function in include/dwarf_i.h in libunwind 1.1 allows local users to have unspecified impact via invalid DWARF opcodes...
chromium: cross-origin bypass
CVE-2015-1303: Cross-origin bypass in DOM. Credit to Mariusz Mlynski. - CVE-2015-1304: Cross-origin bypass in V8. Credit to Mariusz Mlynski...
rpcbind: denial of service
A use-after-free vulnerability has been found in rpcbind, leading to memory corruption and then a crash in the svc_dodestroy function while trying to free a corrupted xprt->xp_netid pointer...
firefox: multiple issues
CVE-2015-4500 Memory safety bugs fixed in Firefox ESR 38.3 and Firefox 41: Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David Major, Andrew McCreight and Cameron McCormack reported memory safety problems and crashes that affect Firefox ESR 38.2 and Firefox 40. Some of these...
flashplugin: multiple issues
CVE-2015-5573 arbitrary code execution These updates resolve a type confusion vulnerability that could lead to code execution. - CVE-2015-5570 CVE-2015-5574 CVE-2015-5581 CVE-2015-5584 CVE-2015-6682 arbitrary code execution These updates resolve use-after-free vulnerabilities that could lead to...
wordpress: multiple issues
CVE-2015-5714 cross-site scripting A cross-site scripting vulnerability has been discovered when processing shortcode tags. - CVE-2015-5715 permission bypass It has been discovered that users without proper permissions could publish private posts and make them sticky...
icedtea-web: multiple issues
CVE-2015-5234 unexpected permanent authorization of unsigned applets It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed...
libvdpau lib32vdpau: multiple issues
CVE-2015-5198 Local Privilege Escalation When used in a setuid or setgid application, libvdpau/lib32-libvdpau allows local users to gain privileges via unspecified vectors, related to the VDPAU_DRIVER_PATH environment variable. - CVE-2015-5199 Directory Traversal Directory traversal vulnerability...
openldap: denial of service
By sending a crafted packet, an attacker can cause the OpenLDAP daemon to crash with a SIGABRT. This is due to an assert call within the ber_get_next method (io.c, line 682) that is hit when decoding tampered BER data. The following proof of concept exploit can be used to trigger the condition: echo...
powerdns: denial of service
A bug was found in the PowerDNS Authoritative Server DNS packet parsing/generation code, which, when exploited, can cause individual threads (disabling service) or whole processes (allowing a supervisor to restart them) to crash with just one or a few query packets...
bind: denial of service
CVE-2015-5722 Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c: Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example...
chromium: multiple issues
CVE-2015-1291, CVE-2015-1293: Cross-origin bypass in DOM. - CVE-2015-1292: Cross-origin bypass in ServiceWorker. - CVE-2015-1294: Use-after-free in Skia. - CVE-2015-1295: Use-after-free in Printing. - CVE-2015-1296: Character spoofing in omnibox. - CVE-2015-1297: Permission scoping error in...
firefox: multiple issues
CVE-2015-4497 use-after-free when resizing canvas element during restyling: Mozilla community member Jean-Max Reymond discovered a use-after-free vulnerability with a canvas element on a page. This occurs when a resize event is triggered in concert with style changes but the canvas references...
pcre: arbitrary code execution
A heap overflow has been discovered when compiling certain regular expressions with named references. This issue may lead to arbitrary code execution...
jasper: denial of service
A double free issue has been discovered in the function jasper_image_stop_load. This vulnerability can be triggered by loading a specially crafted image through jasper...
gnutls: denial of service
Kurt Roeckx reported that decoding a specific certificate with very long DistinguishedName (DN) entries leads to a double free, which may result in a denial of service. Since DN decoding occurs in almost all applications using certificates, it is recommended to upgrade to the latest GnuTLS version...
python-django, python2-django: denial of service
Previously, a session could be created when anonymously accessing the django.contrib.auth.views.logout view provided it wasn't decorated with django.contrib.auth.decorators.login_required as done in the admin. This could allow an attacker to easily create many new session records by sending repeat...
glibc: denial of service
It was found that the files backend of Name Service Switch (NSS) did not isolate iteration over an entire database from key-based look-up API calls. An application performing look-ups on a database while iterating over it could enter an infinite loop, leading to a denial of service...
subversion: authentication bypass
CVE-2015-3184: Subversion's mod_authz_svn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4. The result is that anonymous access may be possible to files for which only authenticated access should be possible. - CVE-2015-3187:...
freeradius: insufficient CRL validation
The FreeRADIUS server relies on OpenSSL to perform certificate validation, including Certificate Revocation List (CRL) checks. The FreeRADIUS usage of OpenSSL, in CRL application, limits the checks to leaf certificates, therefore not detecting revocation of intermediate CA certificates. An unexpire...
firefox: multiple issues
CVE-2015-4473 Memory safety bugs fixed in Firefox ESR 38.2 and Firefox 40: Gary Kwong, Christian Holler, and Byron Campen reported memory safety problems and crashes that affect Firefox ESR 38.1 and Firefox 39. - CVE-2015-4474 Memory safety bugs fixed in Firefox 40: Tyson Smith, Bobby Holley,...
ppp: denial of service
A buffer overflow has been found in the rc_mksid function in plugins/radius/util.c in Paul's PPP Package (ppp). When the PID of the pppd process is greater than 65535, the computation of a start accounting message to the RADIUS server will crash the pppd server...
wordpress: multiple issues
CVE-2015-2213: SQL injection in comments ID. - CVE-2015-5730: Timing attack in widgets. - CVE-2015-5731: Denial of service by locking a post from being edited. - CVE-2015-5732, CVE-2015-5733 CVE-2015-5734: XSS...
firefox: local file stealing via PDF reader
Security researcher Cody Crews reported on a way to violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim's computer. Mozilla has received reports that an exploit...
bind: denial of service
A flaw was found in the way BIND handled requests for TKEY DNS resource records. A remote attacker could use this flaw to make named (functioning as an authoritative DNS server or a DNS resolver) exit unexpectedly with an assertion failure via a specially crafted DNS request packet, leading to denia...
qemu: multiple issues
CVE-2015-3214 information disclosure, arbitrary code execution An out-of-bounds memory access flaw, leading to memory corruption or possibly an information leak, was found in QEMU's pit_ioport_read function. A privileged guest user in a QEMU guest, which had QEMU PIT emulation enabled, could...
pacman: silent downgrade
A flaw has been discovered in pacman that can lead to a silent package downgrade when exploited. While loading each package it was not ensured that the internal version matches the expected database version, making it possible to circumvent the version check. This issue can be us...
crypto++: private key recovery
Evgeny Sidorov discovered that it is possible to recover the private key when using Rabin-Williams signatures due to a bad interaction with the blinding value used to mask private key operations. The bad interaction had to do with the random value not meeting certain Jacobi requirements, which...
libuser: multiple issues
CVE-2015-3245 denial of service It was found that libuser, as used by the chfn userhelper functionality, did not properly filter out newline characters in GECOS fields. A local, authenticated user could use this flaw to corrupt the /etc/passwd file, resulting in a denial-of-service on the system...
openssh: authentication limits bypass
The OpenSSH server normally wouldn't allow successive authentications that exceed the MaxAuthTries setting in sshd_config; however, when using kbd-interactive challenge-response authentication, the allowed login retries can be extended, limited only by the LoginGraceTime setting, that can be more tha...
chromium: multiple issues
CVE-2015-1270: Uninitialized memory read in ICU. - CVE-2015-1271: Heap overflow in pdfium. - CVE-2015-1272, CVE-2015-1273, CVE-2015-1279: Use-after-free related to unexpected GPU process termination. - CVE-2015-1274: Settings allowed executable files to run immediately after download. -...
jre7-openjdk: multiple issues
CVE-2015-2590 deserialization issue in ObjectInputStream.readSerialData: ObjectInputStream's readSerialData could, in certain cases, incorrectly perform deserialization of data from serialized input. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions...
apache: multiple issues
CVE-2015-0228 denial of service: mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade can cause a child process crash. - CVE-2015-0253 denial of service: Fix a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in...
lib32-flashplugin: arbitrary code execution
CVE-2015-5122 arbitrary code execution Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of...
flashplugin: arbitrary code execution
CVE-2015-5122 arbitrary code execution Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of...
lib32-openssl: man-in-the-middle
During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the ...
krb5: multiple issues
CVE-2014-5355 denial of service When a server process uses the krb5_recvauth function, an unauthenticated remote attacker can cause a NULL dereference by sending a zero-byte version string, or a read beyond the end of allocated storage by sending a non-null-terminated version string. The example...
lib32-krb5: multiple issues
CVE-2014-5355 denial of service When a server process uses the krb5_recvauth function, an unauthenticated remote attacker can cause a NULL dereference by sending a zero-byte version string, or a read beyond the end of allocated storage by sending a non-null-terminated version string. The example...
thunderbird: multiple issues
CVE-2015-2724, CVE-2015-2725, CVE-2015-2726 Miscellaneous memory safety hazards: Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under...
openssl: man-in-the-middle
During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the ...
flashplugin: remote code execution
A critical vulnerability (use-after-free) in the AS3 ByteArray class has been identified in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adob...