Apache httpd -- Path Traversal and Remote Code Execution
The Apache http server project reports: critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013). It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 4 security fixes, including: 1252878 High CVE-2021-37977: Use after free in Garbage Collection. Reported by Anonymous on 2021-09-24 1236318 High CVE-2021-37978: Heap buffer overflow in Blink. Reported by Yangkang @dnpushme of 360 ATA on 2021-08-04...
go -- misc/wasm, cmd/link: do not let command line arguments overwrite global data
The Go project reports: When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. If using wasm_exec.js to execute WASM modules, users will need to replace their copy aft...
jenkins -- Jenkins core bundles vulnerable version of the commons-httpclient library
Jenkins Security Advisory: Description Medium SECURITY-2475 / CVE-2014-3577 Jenkins core bundles vulnerable version of the commons-httpclient library...
Apache httpd -- Multiple vulnerabilities
The Apache http server project reports: moderate: null pointer dereference in h2 fuzzing CVE-2021-41524 important: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 CVE-2021-41773...
strongswan -- denial-of-service vulnerability in the gmp plugin/denial-of-service vulnerability in the in-memory certificate cache
Strongswan Release Notes reports: Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990. Fixed a denial-of-service vulnerability ...
hiredis -- integer/buffer overflow
hiredis maintainers report: Hiredis is vulnerable to integer overflow if provided maliciously crafted or corrupted RESP multi-bulk protocol data. When parsing multi-bulk array-like replies, hiredis fails to check if count * sizeof(redisReply) can be represented in SIZE_MAX. If it can not, and the callo...
redis -- multiple vulnerabilities
The Redis Team reports: CVE-2021-41099 Integer to heap buffer overflow handling certain string commands and network payloads, when proto-max-bulk-len is manually configured. CVE-2021-32762 Integer to heap buffer overflow issue in redis-cli and redis-sentinel parsing large multi-bulk replies on so...
chromium -- multiple vulnerabilities
Chrome Releases/Stable updates reports: This release contains 4 security fixes, including: 1245578 High CVE-2021-37974: Use after free in Safe Browsing. Reported by Weipeng Jiang @Krace from Codesafe Team of Legendsec at Qi'anxin Group on 2021-09-01 1252918 High CVE-2021-37975: Use after free in...
Gitlab -- vulnerabilities
Gitlab reports: Stored XSS in merge request creation page Denial-of-service attack in Markdown parser Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown DNS Rebinding vulnerability in Gitea importer Exposure of trigger tokens on project exports Improper access control for...
Cleartext leak in libudisks
From libudisks 2.9.4 NEWS: udiskslinuxblock: Fix leaking cleartext block interface...
libmysofa -- Heap-based buffer overflow vulnerability
Zhengjie Du reports: There are some heap-buffer-overflows in mysofa2json of libmysofa. They are in function loudness, mysofa_check and readOHDRHeaderMessageDataLayout...
OpenSSH -- OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand
OpenBSD Project reports: sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where an AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as ...
chromium -- use after free in Portals
Chrome Releases reports: 1251727 High CVE-2021-37973: Use after free in Portals. Reported by Clement Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21 Google is aware that an exploit for CVE-2021-37973 exists in the wild...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update contains 19 security fixes, including: 1243117 High CVE-2021-37956: Use after free in Offline use. Reported by Huyna at Viettel Cyber Security on 2021-08-24 1242269 High CVE-2021-37957: Use after free in WebGPU. Reported by Looben Yang on 2021-08-23 1223290 Hi...
webkit2-gtk3 -- multiple vulnerabilities
The WebKitGTK project reports vulnerabilities: CVE-2021-30858: Processing maliciously crafted web content may lead to arbitrary code execution...
Apache httpd -- multiple vulnerabilities
The Apache project reports: moderate: Request splitting via HTTP/2 method injection and mod_proxy CVE-2021-33193 moderate: NULL pointer dereference in httpd core CVE-2021-34798 moderate: mod_proxy_uwsgi out of bound read CVE-2021-36160 low: ap_escape_quotes buffer overflow CVE-2021-39275 high: mod_prox...
Grafana -- Snapshot authentication bypass
Grafana Labs reports: Unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key If the snapshot "public_mode" configuration setting is set to true vs default of false,...
seatd-launch -- privilege escalation with SUID
Kenny Levinsen reports: seatd-launch used execlp, which reads the PATH environment variable to search for the requested executable, to execute seatd. This meant that the caller could freely control what executable was loaded by adding a user-writable directory to PATH. If seatd-launch had the SUI...
cURL -- Multiple vulnerabilities
The cURL project reports: UAF and double-free in MQTT sending CVE-2021-22945 Protocol downgrade required TLS bypassed CVE-2021-22946 STARTTLS protocol injection via MITM CVE-2021-22945...
tcpslice -- heap-based use-after-free in extract_slice()
The Tcpdump Group reports: heap-based use-after-free in extract_slice...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release includes 11 security fixes, including: 1237533 High CVE-2021-30625: Use after free in Selection API. Reported by Marcin Towalski of Cisco Talos on 2021-08-06 1241036 High CVE-2021-30626: Out of bounds memory access in ANGLE. Reported by Jeonghoon Shin of Theo...
py39-rencode -- infinite loop that could lead to Denial of Service
NIST reports: The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding such as via ;\x2f\x7f, enabling a remote attack that consumes CPU and memory...
cryptopp -- ElGamal implementation allows plaintext recovery
Crypto++ 8.6 release notes reports: The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the...
MPD5 PPPoE Server remotely exploitable crash
Version 5.92 contains security fix for PPPoE servers. Insufficient validation of incoming PPPoE Discovery request specially crafted by unauthenticated user might lead to unexpected termination of the process. The problem affects mpd versions since 5.0. Installations not using PPPoE server...
WeeChat -- Crash when decoding a malformed websocket frame in relay plugin.
The WeeChat project reports: Crash when decoding a malformed websocket frame in relay plugin...
Pillow -- Regular Expression Denial of Service (ReDoS)
GitHub Advisory Database reports: Uncontrolled Resource Consumption in pillow. The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service ReDoS via the getrgb function. References: https://nvd.nist.gov/vuln/detail/CVE-2021-23437...
Node.js -- August 2021 Security Releases (2)
Node.js reports: npm 6 update - node-tar, arborist, npm cli modules These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal...
py-matrix-synapse -- several vulnerabilities
Matrix developers report: This release patches two moderate severity issues which could reveal metadata about private rooms: CVE-2021-39164: Enumerating a private room's list of members and their display names. CVE-2021-39163: Disclosing a private room's name, avatar, topic, and number of members...
Gitlab -- Vulnerabilities
Gitlab reports: Stored XSS in DataDog Integration Invited group members continue to have project access even after invited group is deleted Specially crafted requests to apollo_upload_server middleware leads to denial of service Privilege escalation of an external user through project token Missing...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 27 security fixes, including: 1233975 High CVE-2021-30606: Use after free in Blink. Reported by Nan Wang @eternalsakura13 and koocola @alocook of 360 Alpha Lab on 2021-07-28 1235949 High CVE-2021-30607: Use after free in Permissions. Reported by...
Python -- multiple vulnerabilities
Python reports: bpo-42278: Replaced usage of tempfile.mktemp with TemporaryDirectory to avoid a potential race condition. bpo-44394: Update the vendored copy of libexpat to 2.4.1 from 2.2.8 to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and...
Python -- multiple vulnerabilities
Python reports: bpo-44394: Update the vendored copy of libexpat to 2.4.1 from 2.2.8 to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS. bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n...
Python -- multiple vulnerabilities
Python reports: bpo-42278: Replaced usage of tempfile.mktemp with TemporaryDirectory to avoid a potential race condition. bpo-41180: Add auditing events to the marshal module, and stop raising code.init events for every unmarshalled code object. Directly instantiated code objects will continue to...
consul -- rpc: authorize raft requests
Hashicorp reports: HashiCorp Consul Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation...
zeek -- several vulnerabilities
Tim Wojtulewicz of Corelight reports: Paths from log stream make it into system unchecked, potentially leading to commands being run on the system unintentionally. This requires either bad scripting or a malicious package to be installed, and is considered low severity. Fix potential unbounded...
libssh -- possible heap-buffer overflow vulnerability
libssh security advisories: The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new...
py-tflite -- denial of service vulnerability
Yakun Zhang of Baidu Security reports: An attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service...
FreeBSD -- libfetch out of bounds read
Problem Description: The passive mode in FTP communication allows an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for p == '\0' one byte too late because...
FreeBSD -- Remote code execution in ggatec(8)
Problem Description: The ggatec(8) daemon does not validate the size of a response before writing it to a fixed-sized buffer. This allows overwriting the stack of ggatec(8). Impact: A malicious ggated(8) or an attacker in a privileged network position can overwrite the stack with crafted content and...
FreeBSD -- Missing error handling in bhyve(8) device models
Problem Description: Certain VirtIO-based device models failed to handle errors when fetching I/O descriptors. Such errors could be triggered by a malicious guest. As a result, the device model code could be tricked into operating on uninitialized I/O vectors, leading to memory corruption. Impact...
OpenSSL -- multiple vulnerabilities
The OpenSSL project reports: SM2 Decryption Buffer Overflow CVE-2021-3711: High Read buffer overruns processing ASN.1 strings CVE-2021-3712: Moderate...
Matrix clients -- several vulnerabilities
Matrix developers report: Today we are disclosing a critical security issue affecting multiple Matrix clients and libraries including Element Web/Desktop/Android, FluffyChat, Nheko, Cinny, and SchildiChat. Specifically, in certain circumstances it may be possible to trick vulnerable clients into...
go -- archive/zip: overflow in preallocation check can cause OOM panic
The Go project reports: An oversight in the previous fix still allows for an OOM panic when the indicated directory size in the archive header is so large that subtracting it from the archive size overflows a uint64, effectively bypassing the check that the number of files in the archive is...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 9 security fixes, including: 1234764 High CVE-2021-30598: Type Confusion in V8. Reported by Manfred Paul on 2021-07-30 1234770 High CVE-2021-30599: Type Confusion in V8. Reported by Manfred Paul on 2021-07-30 1231134 High CVE-2021-30600: Use after fr...
PostgreSQL server -- Memory disclosure in certain queries
The PostgreSQL Project reports: A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include...
Node.js -- August 2021 Security Releases
Node.js reports: c-ares upgrade - Improper handling of untypical characters in domain names High CVE-2021-22931 Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js DNS library which c...
fetchmail -- STARTTLS bypass vulnerabilities
Problem: In certain circumstances, fetchmail 6.4.21 and older would not encrypt the session using STARTTLS/STLS, and might not have cleared session state across the TLS negotiation...
couchdb -- user privilege escalation
Cory Sabol reports: A malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will ...
lynx -- SSL certificate validation error
Axel Beckert reports: ... I was able to capture the password given on the commandline in traffic of an TLS handshake using tcpdump and analysing it with Wireshark:...