6585 matches found
PostgreSQL vulnerabilities
The PostgreSQL project reports: CVE-2017-15098: Memory disclosure in JSON functions CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges...
irssi -- multiple vulnerabilities
Irssi reports: When installing themes with unterminated colour formatting sequences, Irssi may access data beyond the end of the string. While waiting for the channel synchronisation, Irssi may incorrectly fail to remove destroyed channels from the query list, resulting in use after free conditio...
OpenVPN -- out-of-bounds write in legacy key-method 1
Steffan Karger reports: The bounds check in readkey was performed after using the value, instead of before. If 'key-method 1' is used, this allowed an attacker to send a malformed packet to trigger a stack buffer overflow. ... Note that 'key-method 1' has been replaced by 'key method 2' as the...
libzip -- denial of service
libzip developers report: The zipreadeocd64 function in zipopen.c in libzip before 1.3.0 mishandles EOCD records, which allows remote attackers to cause a denial of service memory allocation failure in zipcdirgrow in zipdirent.c via a crafted ZIP archive...
salt -- Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master
SaltStack reports: Correct a flaw in minion id validation which could allow certain minions to authenticate to a master despite not having the correct credentials. To exploit the vulnerability, an attacker must create a salt-minion with an ID containing characters that will cause a directory...
tor -- security regression
The Tor Project reports: Tor 0.3.0.9 fixes a path selection bug that would allow a client to use a guard that was in the same network family as a chosen exit relay. This is a security regression; all clients running earlier versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or 0.3.1.4-alpha...
codeigniter -- input validation bypass
The CodeIgniter changelog reports: Form Validation Library rule validemail could be bypassed if idntoascii is available...
irssi -- remote DoS
Joseph Bisch reports: When receiving a DCC message without source nick/host, Irssi would attempt to dereference a NULL pointer. When receiving certain incorrectly quoted DCC files, Irssi would try to find the terminating quote one byte before the allocated memory...
libsndfile -- out-of-bounds read memory access
Laurent Delosieres, Secunia Research at Flexera Software reports: Secunia Research has discovered a vulnerability in libsndfile, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an error in the "aiffreadchanmap" function...
SquirrelMail -- post-authentication access privileges
Florian Grunow reports: An attacker able to exploit this vulnerability can extract files of the server the application is running on. This may include configuration files, log files and additionally all files that are readable for all users on the system. This issue is post-authentication. That...
NVIDIA UNIX driver -- multiple vulnerabilities in the kernel mode layer handler
NVIDIA Unix security team reports: NVIDIA GPU Display Driver contains vulnerabilities in the kernel mode layer handler where not correctly validated user input, NULL pointer dereference, and incorrect access control may lead to denial of service or potential escalation of privileges...
xen-tools -- Cirrus VGA Heap overflow via display refresh
The Xen Project reports: A privileged user within the guest VM can cause a heap overflow in the device model process, potentially escalating their privileges to that of the device model process...
wavpack -- multiple invalid memory reads
David Bryant reports: global buffer overread in readcode / readwords.c heap out of bounds read in WriteCaffHeader / caff.c heap out of bounds read in unreorderchannels / wvunpack.c heap oob read in readnewconfiginfo / openutils.c...
xen-kernel -- x86 task switch to VM86 mode mis-handled
The Xen Project reports: LDTR, just like TR, is purely a protected mode facility. Hence even when switching to a VM86 mode task, LDTR loading needs to follow protected mode semantics. This was violated by the code. On SVM AMD hardware: a malicious unprivileged guest process can escalate its...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2016-5287: Crash in nsTArraybase::SwapArrayElements CVE-2016-5288: Web content can read cache entries...
file-roller -- path traversal vulnerability
reports: File Roller 3.5.4 through 3.20.2 was affected by a path traversal bug that could result in deleted files if a user were tricked into opening a malicious archive...
FreeBSD -- Buffer overflow in keyboard driver
Problem Description: Incorrect signedness comparison in the ioctl2 handler allows a malicious local user to overwrite a portion of the kernel memory. Impact: A local user may crash the kernel, read a portion of kernel memory and execute arbitrary code in kernel context. The result of executing an...
openafs -- local DoS vulnerability
The OpenAFS development team reports: Avoid a potential denial of service issue, by fixing a bug in pioctl logic that allowed a local user to overrun a kernel buffer with a single NUL byte...
django -- multiple vulnerabilities
Tim Graham reports: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth User enumeration through timing difference on password hasher work factor upgrade...
ffmpeg -- remote denial of service in JPEG2000 decoder
FFmpeg security reports: FFmpeg 2.8.6 fixes the following vulnerabilities: CVE-2016-2213...
bind -- denial of service vulnerability
ISC reports: Specific APL data could trigger an INSIST in apl42.c...
moodle -- multiple vulnerabilities
Marina Glancy reports: MSA-16-0001: Two enrolment-related web services don't check course visibility MSA-16-0002: XSS Vulnerability in course management search...
passenger -- client controlled header overwriting
Daniel Knoppel reports: It was discovered by the SUSE security team that it was possible, in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. CVE-2015-7519 has been assigned to this issue. Affected use-cases: Header overwriting may occur ...
libsrtp -- DoS via crafted RTP header vulnerability
libsrtp reports: Prevent potential DoS attack due to lack of bounds checking on RTP header CSRC count and extension header length. Credit goes to Randell Jesup and the Firefox team for reporting this issue...
drupal -- open redirect vulnerability
Drupal development team reports: The Overlay module in Drupal core displays administrative pages as a layer over the current page using JavaScript, rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents,...
firefox -- Cross-origin restriction bypass using Fetch
Firefox Developers report: Security researcher Abdulrahman Alqabandi reported that the fetch API did not correctly implement the Cross-Origin Resource Sharing CORS specification, allowing a malicious page to access private data from other origins. Mozilla developer Ben Kelly independently reporte...
PostgreSQL -- minor security problems.
PostgreSQL project reports: Two security issues have been fixed in this release which affect users of specific PostgreSQL features. CVE-2015-5289 json or jsonb input values constructed from arbitrary user input can crash the PostgreSQL server and cause a denial of service. CVE-2015-5288: The cryp...
librsvg2 -- denial of service vulnerability
Adam Maris, Red Hat Product Security, reports: CVE-2015-7558: Stack exhaustion due to cyclic dependency causing to crash an application was found in librsvg2 while parsing SVG file. It has been fixed in 2.40.12 by many commits that has rewritten the checks for cyclic references...
pygments -- shell injection vulnerability
NVD reports: The FontManager.getnixfontpath function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name...
qemu -- denial of service vulnerability in IDE disk/CD/DVD-ROM emulation
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the IDE disk and CD/DVD-ROM emulation support is vulnerable to a divide by zero issue. It could occur while executing an IDE command WINREADNATIVEMAX to determine the maximum size of a drive. A privileged user insid...
powerdns -- denial of service
PowerDNS reports: A bug was found in our DNS packet parsing/generation code, which, when exploited, can cause individual threads disabling service or whole processes allowing a supervisor to restart them to crash with just one or a few query packets...
froxlor -- database password information leak
[email protected] reports: An unauthenticated remote attacker is able to get the database password via webaccess due to wrong file permissions of the /logs/ folder in froxlor version 0.9.33.1 and earlier. The plain SQL password and username may be stored in the /logs/sql-error.log file...
FreeBSD -- shell injection vulnerability in patch(1)
Problem Description: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch1 to run commands in addition to the desired SCCS or RCS commands. Impact: This issue could be exploited to execute arbitrary commands as the user invoking patch1 against...
qemu, xen-tools -- QEMU heap overflow flaw with certain ATAPI commands
The Xen Project reports: A heap overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the...
xen-tools -- xl command line config handling stack overflow
The Xen Project reports: The xl command line utility mishandles long configuration values when passed as command line arguments, with a buffer overrun. A semi-trusted guest administrator or controller, who is intended to be able to partially control the configuration settings for a domain, can...
php -- use-after-free vulnerability
Symeon Paraschoudis reports: Use-after-free vulnerability in splrecursiveitmoveforwardex...
cURL -- sensitive HTTP server headers also sent to proxies
cURL reports: libcurl provides applications a way to set custom HTTP headers to be sent to the server by using CURLOPTHTTPHEADER. A similar option is available for the curl command-line tool with the '--header' option. When the connection passes through an HTTP proxy the same set of headers is se...
FreeBSD -- Denial of Service with IPv6 Router Advertisements
Problem Description: The Neighbor Discover Protocol allows a local router to advertise a suggested Current Hop Limit value of a link, which will replace Current Hop Limit on an interface connected to the link on the FreeBSD system. Impact: When the Current Hop Limit similar to IPv4's TTL is small...
cpio -- multiple vulnerabilities
From the Debian Security Team: Heap-based buffer overflow in the processcopyin function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive. cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitra...
cabextract -- directory traversal with UTF-8 symbols in filenames
Cabextract ChangeLog reports: It was possible for cabinet files to extract to absolute file locations, and it was possible on Cygwin to get around cabextract's absolute and relative path protections by using backslashes...
privoxy -- multiple vulnerabilities
Privoxy Developers reports: Fixed a DoS issue in case of client requests with incorrect chunk-encoded body. When compiled with assertions enabled the default they could previously cause Privoxy to abort. Reported by Matthew Daley. CVE-2015-1380. Fixed multiple segmentation faults and memory leaks...
libssh2 -- denial of service vulnerability
Mariusz Ziulek reports: A malicious attacker could man in the middle a real server and cause libssh2 using clients to crash denial of service or otherwise read and use completely unintended memory areas in this process...
kde-runtime -- incorrect CBC encryption handling
Valentin Rusu reports: Until KDE Applications 14.12.0, kwalletd incorrectly handled CBC encryption blocks when encrypting secrets in kwl files. The secrets were still encrypted, but the result binary data corresponded to an ECB encrypted block instead of CBC. The ECB encryption algorithm, even if...
libmspack -- frame_end overflow which could cause infinite loop
There is a denial of service vulnerability in libmspack. The libmspack code is built into cabextract, so it is also vulnerable. MITRE reports: Integer overflow in the qtmddecompress function in libmspack 0.4 allows remote attackers to cause a denial of service hang via a crafted CAB file, which...
Konversation -- out-of-bounds read on a heap-allocated array
Konversation developers report: Konversation's Blowfish ECB encryption support assumes incoming blocks to be the expected 12 bytes. The lack of a sanity-check for the actual size can cause a denial of service and an information leak to the local user...
phpMyAdmin -- XSS vulnerabilities in SQL debug output and server monitor page.
The phpMyAdmin development team reports: With a crafted database or table name it is possible to trigger an XSS in SQL debug output when enabled and in server monitor page when viewing and analysing executed queries. This vulnerability can be triggered only by someone who is logged in to...
Xymon -- buffer overrun
Debian reports: web/acknowledge.c uses a string twice in a format string, but only allocates memory for one copy...
dbus -- multiple vulnerabilities
Simon McVittie reports: Alban Crequy at Collabora Ltd. discovered a bug in dbus-daemon's support for file descriptor passing. A malicious process could force system services or user applications to be disconnected from the D-Bus system bus by sending them a message containing a file descriptor,...
otrs -- multiple vulnerabilities
The OTRS Project reports: SQL injection issue An attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to missing challenge token checks...
strongswan -- multiple DoS vulnerabilities
strongSwan Project reports: A DoS vulnerability triggered by crafted IKEv1 fragmentation payloads was discovered in strongSwan's IKE daemon charon. All versions since 5.0.2 are affected. A DoS vulnerability and potential authorization bypass triggered by a crafted IDDERASN1DN ID payload was...