6585 matches found
subversion -- Arbitrary code execution vulnerability
subversion team reports: A Subversion client sometimes connects to URLs provided by the repository. This happens in two primary cases: during 'checkout', 'export', 'update', and 'switch', when the tree being downloaded contains svn:externals properties; and when using 'svnsync sync' with one URL...
chromium -- multiple vulnerabilities
Google Chrome releases reports: 40 security fixes in this release Please reference CVE/URL list for details...
FreeBSD -- heimdal KDC-REP service name validation vulnerability
Problem Description: There is a programming error in the Heimdal implementation that used an unauthenticated, plain-text version of the KDC-REP service name found in a ticket. Impact: An attacker who has control of the network between a client and the service it talks to will be able to impersona...
irssi -- multiple vulnerabilities
irssi reports: When receiving messages with invalid time stamps, Irssi would try to dereference a NULL pointer. While updating the internal nick list, Irssi may incorrectly use the GHashTable interface and free the nick while updating it. This will then result in use-after-free conditions on each...
exim -- Privilege escalation via multiple memory leaks
Qualsys reports: Exim supports the use of multiple "-p" command line arguments which are malloc'ed and never free'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has...
python -- possible integer overflow vulnerability
Python issue: There is a possible integer overflow in PyStringDecodeEscape function of the file stringobject.c, which can be abused to gain a heap overflow, possibly leading to arbitrary code execution...
strongswan -- multiple vulnerabilities
strongSwan security team reports: RSA public keys passed to the gmp plugin aren't validated sufficiently before attempting signature verification, so that invalid input might lead to a floating point exception. CVE-2017-9022 ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when...
BIND -- multiple vulnerabilities
ISC reports: A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other...
xen-tools -- cirrus_bitblt_cputovideo does not check if memory region is safe
The Xen Project reports: In CIRRUSBLTMODEMEMSYSSRC mode the bitblit copy routine cirrusbitbltcputovideo fails to check whether the specified memory region is safe. A malicious guest administrator can cause an out of bounds memory write, very likely exploitable as a privilege escalation...
libevent -- multiple vulnerabilities
Debian Security reports: CVE-2016-10195: The nameparse function in evdns.c in libevent before 2.1.6-beta allows remote attackers to have unspecified impact via vectors involving the labellen variable, which triggers an out-of-bounds stack read. CVE-2016-10196: Stack-based buffer overflow in the...
PuTTY -- integer overflow permits memory overwrite by forwarded ssh-agent connections
Simon G. Tatham reports: Many versions of PuTTY prior to 0.68 have a heap-corrupting integer overflow bug in the sshagentchanneldata function which processes messages sent by remote SSH clients to a forwarded agent connection. ... This bug is only exploitable at all if you have enabled SSH agent...
FreeBSD -- link_ntoa(3) buffer overflow
Problem Description: A specially crafted argument can trigger a static buffer overflow in the library, with possibility to rewrite following static buffers that belong to other library functions. Impact: Due to very limited use of the function in the existing applications, and limited length of t...
wget -- Access List Bypass / Race Condition
Dawid Golunski reports: GNU wget in version 1.17 and earlier, when used in mirroring/recursive mode, is affected by a Race Condition vulnerability that might allow remote attackers to bypass intended wget access list restrictions specified with -A parameter...
wireshark -- multiple vulnerabilities
Wireshark project reports: Wireshark project is releasing Wireshark 2.2.2, which addresses: wnpa-sec-2016-58: Profinet I/O long loop - CVE-2016-9372 wnpa-sec-2016-59: AllJoyn crash - CVE-2016-9374 wnpa-sec-2016-60: OpenFlow crash - CVE-2016-9376 wnpa-sec-2016-61: DCERPC crash - CVE-2016-9373...
py-cryptography -- vulnerable HKDF key generation
Alex Gaynor reports: Fixed a bug where HKDF would return an empty byte-string if used with a length less than algorithm.digestsize...
node.js -- ares_create_query single byte out of buffer write
Node.js has released new versions containing the following security fix: The following releases all contain fixes for CVE-2016-5180 "arescreatequery single byte out of buffer write": Node.js v0.10.48 Maintenance, Node.js v0.12.17 Maintenance, Node.js v4.6.1 LTS "Argon" While this is not a critica...
xen-kernel -- x86 HVM: Overflow of sh_ctxt->seg_reg[]
The Xen Project reports: x86 HVM guests running with shadow paging use a subset of the x86 emulator to handle the guest writing to its own pagetables. There are situations a guest can provoke which result in exceeding the space allocated for internal state. A malicious HVM guest administrator can...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 10 security fixes in this release, including: 629542 High CVE-2016-5141 Address bar spoofing. Credit to anonymous 626948 High CVE-2016-5142 Use-after-free in Blink. Credit to anonymous 625541 High CVE-2016-5139 Heap overflow in pdfium. Credit to GiWan Go of Stealie...
Apache OpenOffice 4.1.2 -- Memory Corruption Vulnerability (Impress Presentations)
The Apache OpenOffice Project reports: An OpenDocument Presentation .ODP or Presentation Template .OTP file can contain invalid presentation elements that lead to memory corruption when the document is loaded in Apache OpenOffice Impress. The defect may cause the document to appear as corrupted a...
NSS -- multiple vulnerabilities
Mozilla Foundation reports: Mozilla has updated the version of Network Security Services NSS library used in Firefox to NSS 3.23. This addresses four moderate rated networking security issues reported by Mozilla engineers Tyson Smith and Jed Davis...
ikiwiki -- XSS vulnerability
Mitre reports: Cross-site scripting XSS vulnerability in the cgierror function in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message...
Bugzilla security issues
Bugzilla Security Advisory A specially crafted bug summary could trigger XSS in dependency graphs. Due to an incorrect parsing of the image map generated by the dot script, a specially crafted bug summary could trigger XSS in dependency graphs...
firefox -- Same-origin-policy violation using Service Workers with plugins
The Mozilla Foundation reports: MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a servic...
flash -- multiple vulnerabilities
Adobe reports: These updates resolve a type confusion vulnerability that could lead to code execution CVE-2016-0985. These updates resolve use-after-free vulnerabilities that could lead to code execution CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984. The...
hive -- authorization logic vulnerability
Sushanth Sowmyan reports: Some partition-level operations exist that do not explicitly also authorize privileges of the parent table. This can lead to issues when the parent table would have denied the operation, but no denial occurs because the partition-level privilege is not checked by the...
FreeBSD -- TCP MD5 signature denial of service
Problem Description: A programming error in processing a TCP connection with both TCPMD5SIG and TCPNOOPT socket options may lead to kernel crash. Impact: A local attacker can crash the kernel, resulting in a denial-of-service. A remote attack is theoretically possible, if server has a listening...
qemu -- denial of service vulnerability in Rocker switch emulation
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmittx descriptors in 'txconsume' routine, if a descriptor was to have more than allowed ROCKERTXFRAGSMAX=16...
owncloud -- multiple vulnerabilities
Owncloud reports: Reflected XSS in OCS provider discovery oC-SA-2016-001 Information Exposure Through Directory Listing in the file scanner oC-SA-2016-002 Disclosure of files that begin with ".v" due to unchecked return value oC-SA-2016-003...
xen-kernel -- leak of main per-domain vcpu pointer array
The Xen Project reports: A domain's primary array of vcpu pointers can be allocated by a toolstack exactly once in the lifetime of a domain via the XENDOMCTLmaxvcpus hypercall. This array is leaked on domain teardown. This memory leak could -- over time -- exhaust the host's memory. A domain give...
p5-HTML-Scrubber -- XSS vulnerability
MITRE reports: Cross-site scripting XSS vulnerability in the HTML-Scrubber module before 0.15 for Perl, when the comment feature is enabled, allows remote attackers to inject arbitrary web script or HTML via a crafted comment...
wolfssl -- DDoS amplification in DTLS
Sebastian Ramacher identified an error in wolfSSL's implementation of the server side of the DTLS handshake, which could be abused for DDoS amplification or a DoS on the DTLS server itself...
ZendFramework1 -- SQL injection vulnerability
Zend Framework developers report: The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection...
screen -- stack overflow
Kuang-che Wu reports: screen will recursively call MScrollV to depth n/256. This is time consuming and will overflow stack if n is huge...
go -- multiple vulnerabilities
Jason Buberel, Go Product Manager, reports: CVE-2015-5739 - "Content Length" treated as valid header CVE-2015-5740 - Double content-length headers does not return 400 error CVE-2015-5741 - Additional hardening, not sending Content-Length w/Transfer-Encoding, Closing connections...
cups-filters -- buffer overflow in texttopdf size allocation
Stefan Cornelius from Red Hat reports: A heap-based buffer overflow was discovered in the way the texttopdf utility of cups-filters processed print jobs with a specially crafted line size. An attacker being able to submit print jobs could exploit this flaw to crash texttopdf or, possibly, execute...
xen-kernel -- GNTTABOP_swap_grant_ref operation misbehavior
The Xen Project reports: With the introduction of version 2 grant table operations, a version check became necessary for most grant table related hypercalls. The GNTTABOPswapgrantref call was lacking such a check. As a result, the subsequent code behaved as if version 2 was in use, when a guest...
tidy -- heap-buffer-overflow
Geoff McLane reports: tidy is affected by a write out of bounds when processing malformed html files. This issue could be abused on server side applications that use php-tidy extension with user input. The issue was confirmed, analyzed, and fixed by the tidy5 maintainer...
libssh -- null pointer dereference
Andreas Schneider reports: libssh versions 0.5.1 and above have a logical error in the handling of a SSHMSGNEWKEYS and SSHMSGKEXDHREPLY package. A detected error did not set the session into the error state correctly and further processed the packet which leads to a null pointer dereference. This...
qemu -- Heap overflow in QEMU PCNET controller, allowing guest to host escape (CVE-2015-3209)
The QEMU security team reports: A guest which has access to an emulated PCNET network device e.g. with "model=pcnet" in their VIF configuration can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process...
PostgreSQL -- minor security problems.
PostgreSQL project reports: This update fixes three security vulnerabilities reported in PostgreSQL over the past few months. Nether of these issues is seen as particularly urgent. However, users should examine them in case their installations are vulnerable:. CVE-2015-3165 Double "free" after...
xen-kernel -- arm: vgic-v2: GICD_SGIR is not properly emulated
The Xen Project reports: When decoding a guest write to a specific register in the virtual interrupt controller Xen would treat an invalid value as a critical error and crash the host. By writing an invalid value to the GICD.SGIR register a guest can crash the host, resulting in a Denial of Servi...
xen-kernel -- arm: vgic: incorrect rate limiting of guest triggered logging
The Xen Project reports: On ARM systems the code which deals with virtualizing the GIC distributor would, under various circumstances, log messages on a guest accessible code path without appropriate rate limiting. A malicious guest could cause repeated logging to the hypervisor console, leading ...
FreeBSD -- SCTP SCTP_SS_VALUE kernel memory corruption and disclosure
Problem Description: Due to insufficient validation of the SCTP stream ID, which serves as an array index, a local unprivileged attacker can read or write 16-bits of kernel memory. Impact: An unprivileged process can read or modify 16-bits of memory which belongs to the kernel. This may lead to...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 62 security fixes in this release, including: 430353 High CVE-2014-7923: Memory corruption in ICU. Credit to yangdingning. 435880 High CVE-2014-7924: Use-after-free in IndexedDB. Credit to Collin Payne. 434136 High CVE-2014-7925: Use-after-free in WebAudio. Credit ...
WebKit-gtk -- Multiple vulnerabilities
Webkit release team reports: This release fixes the following security issues: CVE-2014-1344, CVE-2014-1384, CVE-2014-1385, CVE-2014-1386, CVE-2014-1387, CVE-2014-1388, CVE-2014-1389, CVE-2014-1390...
freetype -- Out of bounds stack-based read/write
Werner LEMBERG reports: The fix for CVE-2014-2240 was not 100% complete to fix the issue from the CVE completly...
Bugzilla multiple security issues
Bugzilla Security Advisory Unauthorized Account Creation An attacker creating a new Bugzilla account can override certain parameters when finalizing the account creation that can lead to the user being created with a different email address than originally requested. The overridden login name cou...
www/chromium -- multiple vulnerabilities
Google Chrome Releases reports: 4 security fixes in this release, including: 401362 High CVE-2014-3178: Use-after-free in rendering. Credit to miaubiz. 411014 CVE-2014-3179: Various fixes from internal audits, fuzzing and other initiatives...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 50 security fixes in this release, including: 386988 Critical CVE-2014-3176, CVE-2014-3177: A special reward to lokihardt@asrt for a combination of bugs in V8, IPC, sync, and extensions that can lead to remote code execution outside of the sandbox. 369860 High...
e2fsprogs -- buffer overflow if s_first_meta_bg too big
Theodore Ts'o reports: If sfirstmetabg is greater than the of number block group descriptor blocks, then reading or writing the block group descriptors will end up overruning the memory buffer allocated for the descriptors. The finding is credited to a vulnerability report from Jose Duart of Goog...