6585 matches found
libgcrypt -- side-channel attack on RSA secret keys
GnuPG reports: Mitigate a flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster"...
heimdal -- bypass of capath policy
Viktor Dukhovni reports: Commit f469fc6 2010-10-02 inadvertently caused the previous hop realm to not be added to the transit path of issued tickets. This may, in some cases, enable bypass of capath policy in Heimdal versions 1.5 through 7.2. Note, this may break sites that rely on the bug. With...
samba -- symlink race allows access outside share definition
Samba team reports: A time-of-check, time-of-use race condition can allow clients to access non-exported parts of the file system via symlinks...
GnuTLS -- Memory corruption vulnerabilities
The GnuTLS project reports: It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted OpenPGP certificate could lead to heap and stack overflows. GNUTLS-SA-2017-2 It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted X.509 certificat...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 4 security fixes in this release, including: 643948 High CVE-2016-5199: Heap corruption in FFmpeg. Credit to Paul Mehta 658114 High CVE-2016-5200: Out of bounds memory access in V8. Credit to Choongwoo Han 660678 Medium CVE-2016-5201: Info leak in extensions. Credi...
xen-kernel -- use after free in FIFO event channel code
The Xen Project reports: When the EVTCHNOPinitcontrol operation is called with a bad guest frame number, it takes an error path which frees a control structure without also clearing the corresponding pointer. Certain subsequent operations EVTCHNOPexpandarray or another EVTCHNOPinitcontrol, upon...
gnupg -- attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output
Werner Koch reports: There was a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions...
xen-kernel -- x86: Privilege escalation in PV guests
The Xen Project reports: The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases e.g. clearing only Access/Dirty bits. The bits considered safe were too broad, and not actually safe. A malicious PV guest administrato...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 3 security fixes in this release, including: 620742 CVE-2016-1704: Various fixes from internal audits, fuzzing and other initiatives...
p7zip -- heap overflow vulnerability
Cisco Talos reports: An exploitable heap overflow vulnerability exists in the NArchive::NHfs::CHandler::ExtractZlibFile method functionality of 7zip that can lead to arbitrary code execution...
cacti -- multiple vulnerabilities
The Cacti Group, Inc. reports: Changelog bug:0002667: Cacti SQL Injection Vulnerability bug:0002673: CVE-2016-3659 - Cacti graphview.php SQL Injection Vulnerability bug:0002656: Authentication using web authentication as a user not in the cacti database allows complete access regression...
pcre -- stack buffer overflow
Philip Hazel reports: PCRE does not validate that handling the ACCEPT verb will occur within the bounds of the cworkspace stack buffer, leading to a stack buffer overflow...
phpmyadmin -- XSS vulnerability in normalization page
The phpMyAdmin development team reports: With a crafted table name it is possible to trigger an XSS attack in the database normalization page. We consider this vulnerability to be non-critical. This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token...
radicale -- multiple vulnerabilities
Radicale reports: The multifilesystem backend allows access to arbitrary files on all platforms. Prevent regex injection in rights management...
kea -- unexpected termination while handling a malformed packet
ISC Support reports: ISC Kea may terminate unexpectedly crash while handling a malformed client packet. Related defects in the kea-dhcp4 and kea-dhcp6 servers can cause the server to crash during option processing if a client sends a malformed packet. An attacker sending a crafted malformed packe...
libpng buffer overflow in png_set_PLTE
libpng reports: CVE for a vulnerability in libpng, all versions, in the pngsetPLTE/pnggetPLTE functions. These functions failed to check for an out-of-range palette when reading or writing PNG files with a bitdepth less than 8. Some applications might read the bit depth from the IHDR chunk and...
wireshark -- Pcapng file parser crash
Wireshark development team reports: The following vulnerability has been fixed. wnpa-sec-2015-30 Pcapng file parser crash. Bug 11455...
optipng -- multiple vulnerabilities
ifread.c in gif2png, as used in OptiPNG before 0.7.6, allows remote attackers to cause a denial of service uninitialized memory read via a crafted GIF file. The bmpreadrows function in pngxtern/pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service invalid memory...
libvpx -- multiple buffer overflows
The Mozilla Project reports: Security researcher Abhishek Arya Inferno of the Google Chrome Security Team used the Address Sanitizer tool to discover two buffer overflow issues in the Libvpx library used for WebM video when decoding a malformed WebM video file. These buffer overflows result in...
vorbis-tools, opus-tools -- multiple vulnerabilities
Paris Zoumpouloglou reports: I discovered an integer overflow issue in oggenc, related to the number of channels in the input WAV file. The issue triggers an out-of-bounds memory access which causes oggenc to crash. Paris Zoumpouloglou reports: A crafted WAV file with number of channels set to 0...
FreeBSD -- shell injection vulnerability in patch(1)
Problem Description: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch1 to pass certain ed1 scripts to the ed1 editor, which would run commands. Impact: This issue could be exploited to execute arbitrary commands as the user invoking patch1...
subversion -- multiple vulnerabilities
Subversion reports: CVE-2015-3184: Subversion's modauthzsvn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4. CVE-2015-3187: Subversion servers, both httpd and svnserve, will reveal some paths that should be hidden by...
bind -- denial of service vulnerability
ISC reports: An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit...
www/chromium -- multiple vulnerabilities
Google Chrome Releases reports: 4 security fixes in this release: 464922 High CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous. 494640 High CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. 497507 Medium CVE-2015-1267: Cross-origin bypass in Blink. Credit...
devel/ipython -- remote execution
Kyle Kelley reports: Summary: JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack. This affects use...
logstash -- Directory traversal vulnerability in the file output plugin
Elastic reports: An attacker could use the File output plugin with dynamic field references in the path option to traverse paths outside of Logstash directory. This technique could also be used to overwrite any files which can be accessed with permissions associated with Logstash user. This relea...
suricata -- TLS/DER Parser Bug (DoS)
OISF Development Team reports: The OISF development team is pleased to announce Suricata 2.0.8. This release fixes a number of issues in the 2.0 series. The most important issue is a bug in the DER parser which is used to decode SSL/TLS certificates could crash Suricata. This issue was reported b...
asterisk -- TLS Certificate Common name NULL byte exploit
The Asterisk project reports: When Asterisk registers to a SIP TLS device and and verifies the server, Asterisk will accept signed certificates that match a common name other than the one Asterisk is expecting if the signed certificate has a common name containing a null byte after the portion of...
rest-client -- session fixation vulnerability
Andy Brody reports: When Ruby rest-client processes an HTTP redirection response, it blindly passes along the values from any Set-Cookie headers to the redirection target, regardless of domain, path, or expiration...
Bugzilla multiple security issues
Bugzilla Security Advisory Command Injection Some code in Bugzilla does not properly utilize 3 arguments form for open and it is possible for an account with editcomponents permissions to inject commands into product names and other attributes. Information Leak Using the WebServices API, a user c...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA-2015-01 Miscellaneous memory safety hazards rv:35.0 / rv:31.4 MFSA-2015-02 Uninitialized memory use during bitmap rendering MFSA-2015-03 sendBeacon requests lack an Origin header MFSA-2015-04 Cookie injection through Proxy Authenticate responses MFSA-2015-05 Read...
Adobe Flash Player -- multiple vulnerabilities
Adobe reports: These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2014-74 Miscellaneous memory safety hazards rv:33.0 / rv:31.2 MFSA 2014-75 Buffer overflow during CSS manipulation MFSA 2014-76 Web Audio memory corruption issues with custom waveforms MFSA 2014-78 Further uninitialized memory use during GIF MFSA 2014-79...
twiki -- remote Perl code execution
TWiki developers report: The debugenableplugins request parameter allows arbitrary Perl code execution. Using an HTTP GET request towards a TWiki server, add a specially crafted debugenableplugins request parameter to TWiki's view script typically port 80/TCP. Prior authentication may or may not ...
bugzilla -- Cross Site Request Forgery
A Bugzilla Security Advisory reports: Adobe does not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery CSRF attacks against Bugzilla's JSONP endpoint, possibly obtaining sensitive bug information, via a crafted OBJECT element with SWF conte...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 26 security fixes in this release, including 380885 Medium CVE-2014-3160: Same-Origin-Policy bypass in SVG. Credit to Christian Schneider. 393765 CVE-2014-3162: Various fixes from internal audits, fuzzing and other initiatives...
libssh -- PRNG state reuse on forking servers
Aris Adamantiadis reports: When accepting a new connection, the server forks and the child process handles the request. The RANDbytes function of openssl doesn't reset its state after the fork, but simply adds the current process id getpid to the PRNG state, which is not guaranteed to be unique...
gnutls -- multiple certificate verification issues
GnuTLS project reports: A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks. The vulnerability was discovered during an audit of GnuTLS for Red Hat. Suman Jana reporte...
linux-flashplugin -- multiple vulnerabilities
Adobe reports: These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 50 security fixes in this release, including: 223962270758271161284785284786 Medium CVE-2013-2906: Races in Web Audio. Credit to Atte Kettunen of OUSPG. 260667 Medium CVE-2013-2907: Out of bounds read in Window.prototype object. Credit to Boris Zbarsky. 265221 Medi...
polarssl -- Timing attack against protected RSA-CRT implementation
PolarSSL Project reports: The researchers Cyril Arnaud and Pierre-Alain Fouque investigated the PolarSSL RSA implementation and discovered a bias in the implementation of the Montgomery multiplication that we used. For which they then show that it can be used to mount an attack on the RSA key...
FreeBSD -- Privilege escalation via mmap
Due to insufficient permission checks in the virtual memory system, a tracing process such as a debugger may be able to modify portions of the traced process's address space to which the traced process itself does not have write access...
ruby -- Object taint bypassing in DL and Fiddle in Ruby
Ruby Developers report: There is a vulnerability in DL and Fiddle in Ruby where tainted strings can be used by system calls regardless of the $SAFE level set in Ruby. Native functions exposed to Ruby with DL or Fiddle do not check the taint values set on the objects passed in. This can result in...
Joomla! -- XXS and DDoS vulnerabilities
The JSST and the Joomla! Security Center report: 20130405 - Core - XSS Vulnerability Inadequate filtering leads to XSS vulnerability in Voting plugin. 20130403 - Core - XSS Vulnerability Inadequate filtering allows possibility of XSS exploit in some circumstances. 20130402 - Core - Information...
puppet26 -- multiple vulnerabilities
Moses Mendoza reports: A vulnerability found in Puppet could allow an authenticated client to cause the master to execute arbitrary code while responding to a catalog request. Specifically, in order to exploit the vulnerability, the puppet master must be made to invoke the 'template' or...
linux-flashplugin -- multiple vulnerabilities
Adobe reports: These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system...
libjpeg-turbo -- heap-based buffer overflow
The Changelog for version 1.2.1 says: Fixed a regression caused by 1.2.06 in which decompressing corrupt JPEG images specifically, images in which the component count was erroneously set to a large value would cause libjpeg-turbo to segfault. A Heap-based buffer overflow was found in the way...
OpenSSL -- DTLS and TLS 1.1, 1.2 denial of service
OpenSSL security team reports: A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and DTLS can be exploited in a denial of service attack on both clients and servers...
rssh -- arbitrary command execution
Derek Martin rssh maintainer reports: Henrik Erkkonen has discovered that, through clever manipulation of environment variables on the ssh command line, it is possible to circumvent rssh. As far as I can tell, there is no way to effect a root compromise, except of course if the root account is th...
libtasn1 -- ASN.1 length decoding vulnerability
Mu Dynamics, Inc. reports: Various functions using the ASN.1 length decoding logic in Libtasn1 were incorrectly assuming that the return value from asn1getlengthder is always less than the length of the enclosing ASN.1 structure, which is only true for valid structures and not for intentionally...