Gitlab -- multiple vulnerabilities
Gitlab reports: Stored XSS in Mermaid when viewing Markdown files Stored XSS in default branch name Perform Git actions with an impersonation token even if impersonation is disabled Tag and branch name confusion allows Developer to access protected CI variables New subscriptions generate OAuth...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 10 security fixes, including: 1227777 High CVE-2021-30590: Heap buffer overflow in Bookmarks. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-07-09 1229298 High CVE-2021-30591: Use after free in File System API. Reported by SorryMybad...
mod_auth_mellon -- Redirect URL validation bypass
Jakub Hrozek reports: Version 0.17.0 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying a URL formatted as ///fishing-site.example.com/logout.html...
Node.js -- July 2021 Security Releases (2)
Node.js reports: Use after free on close http2 on stream canceling High CVE-2021-22930 Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior...
powerdns -- remotely triggered crash
powerdns reports: PowerDNS Security Advisory 2021-01: Specific query crashes Authoritative Server...
gitea -- multiple vulnerabilities
The Gitea Team reports for release 1.14.6: Bump github.com/markbates/goth from v1.67.1 to v1.68.0 16538 16540 Switch to maintained JWT lib 16532 16535 Upgrade to latest version of golang-jwt as forked for 1.14 16590 16607...
pjsip -- Race condition in SSL socket server
pjsip reports: There are a couple of issues found in the SSL socket: A race condition between callback and destroy, due to the accepted socket having no group lock. SSL socket parent/listener may get destroyed during handshake...
Prosody -- Remote Information Disclosure
A Prosody XMPP server advisory reports: It was discovered that Prosody allows any entity to access the list of admins, members, owners and banned entities of any federated XMPP group chat of which they know the address...
cURL -- Multiple vulnerabilities
The cURL project reports: CURLOPT_SSLCERT mixup with Secure Transport CVE-2021-22926 TELNET stack contents disclosure again CVE-2021-22925 Bad connection reuse due to flawed path name checks CVE-2021-92254 Metalink download sends credentials CVE-2021-92253 Wrong content via metalink not discarded...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 35 security fixes, including: 1210985 High CVE-2021-30565: Out of bounds write in Tab Groups. Reported by David Erceg on 2021-05-19 1202661 High CVE-2021-30566: Stack buffer overflow in Printing. Reported by Leecraso and Guang Gong of 360 Alpha Lab o...
MySQL -- Multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 41 new security patches for Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The highest CVSS v3.1 Base Score of vulnerabiliti...
fail2ban -- possible RCE vulnerability in mailing action using mailutils
Jakub Żoczek reports: The mail command from the mailutils package, used in mail actions like mail-whois, can execute commands if unescaped \n sequences are present in "foreign" input, for instance in whois output...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 8 security fixes, including: 1219082 High CVE-2021-30559: Out of bounds write in ANGLE. Reported by Seong-Hwan Park SeHwa of SecunologyLab on 2021-06-11 1214842 High CVE-2021-30541: Use after free in V8. Reported by Richard Wheeldon on 2021-05-31...
Bacula-Web -- Multiple Vulnerabilities
Bacula-Web reports: Address Smarty CVE...
go -- crypto/tls: clients can panic when provided a certificate of the wrong type for the negotiated parameters
The Go project reports: crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker in a privileged network position without access to the server...
fetchmail -- 6.4.19 and older denial of service or information disclosure
Matthias Andree reports: When a log message exceeds c. 2 kByte in size, for instance, with very long header contents, and depending on verbosity option, fetchmail can crash or misreport each first log message that requires a buffer reallocation...
Ruby -- multiple vulnerabilities
Ruby news: This release includes security fixes. Please check the topics below for details. CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP CVE-2021-31799: A command injection vulnerability in RDoc...
Gitlab -- vulnerability
Gitlab reports: Arbitrary file read via design feature...
redis -- Integer overflow issues with BITFIELD command on 32-bit systems
Huang Zhw reports: On 32-bit versions, Redis BITFIELD command is vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves constructing specially crafted bit commands which overfl...
Node.js -- July 2021 Security Releases
Node.js reports: libuv upgrade - Out of bounds read Medium CVE-2021-22918 Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii function which is used to convert strings to ASCII. This is called by Node's dns module's lookup function and can lead to information disclosures or...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: DoS using Webhook connections CSRF on GraphQL API allows executing mutations through GET requests Private projects information disclosure Denial of service of user profile page Single sign-on users not getting blocked Some users can push to Protected Branch with Deploy keys A...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description Medium SECURITY-2278 / CVE-2021-21670 Improper permission checks allow canceling queue items and aborting builds High SECURITY-2371 / CVE-2021-21671 Session fixation vulnerability...
Ansible -- Ansible user credentials disclosure in ansible-connection module
Red Hat reports: A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality...
mediawiki -- multiple vulnerabilities
Mediawiki reports: T285515, CVE-2021-41798 SECURITY: XSS vulnerability in Special:Search. T290379, CVE-2021-41799 SECURITY: ApiQueryBacklinks can cause a full table scan. T284419, CVE-2021-41800 SECURITY: fix PoolCounter protection of Special:Contributions. T279090, CVE-2021-41801 SECURITY:...
PuppetDB -- SQL Injection
Puppet reports: Fixed an issue where someone with the ability to query PuppetDB could arbitrarily write, update, or delete data CVE-2021-27021 PDB-5138...
go -- net/http: panic due to racy read of persistConn after handler panic
The Go project reports: A net/http/httputil ReverseProxy can panic due to a race condition if its Handler aborts with ErrAbortHandler, for example due to an error in copying the response body. An attacker might be able to force the conditions leading to the race condition...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release includes 4 security fixes, including: 1219857 High CVE-2021-30554: Use after free in WebGL. Reported by anonymous on 2021-06-15 1215029 High CVE-2021-30555: Use after free in Sharing. Reported by David Erceg on 2021-06-01 1212599 High CVE-2021-30556: Use afte...
py39-pycares -- domain hijacking vulnerability
Philipp Jeitner and Haya Shulman report: A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS Domain Name Servers can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability ...
Ansible -- Templating engine bug
Ansible developers report: Templating engine fix for not preserving unsafe status when trying to preserve newlines...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 14 security fixes, including: 1212618 Critical CVE-2021-30544: Use after free in BFCache. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-05-24 1201031 High CVE-2021-30545: Use after free in Extensions. Reported by kkwon with everpall a...
py-ansible -- data leak vulnerability
Tapas Jena reports: A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system. This flaw...
OpenDMARC -- Remote denial of service
OpenDMARC 1.4.1 and 1.4.1.1 will dereference a NULL pointer when encountering a multi-value From: header field. A remote attacker can send a specially crafted message resulting in a denial of service...
Apache httpd -- Multiple vulnerabilities
The Apache httpd project reports: moderate: mod_proxy_wstunnel tunneling of non Upgraded connections CVE-2019-17567 moderate: Improper Handling of Insufficient Privileges CVE-2020-13938 low: mod_proxy_http NULL pointer dereference CVE-2020-13950 low: mod_auth_digest possible stack overflow by one nul byte...
dino -- Path traversal in Dino file transfers
Dino team reports: It was discovered that when a user receives and downloads a file in Dino, URI-encoded path separators in the file name will be decoded, allowing an attacker to traverse directories and create arbitrary files in the context of the user...
openexr v3.0.5 -- fixes miscellaneous security issues
Cary Phillips reports: 1038 fix/extend part number validation in MultiPart methods 1037 verify data size in deepscanlines with NOCOMPRESSION 1036 detect buffer overflows in RleUncompress...
polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync
Cedric Buissart reports: The function polkit_system_bus_name_get_creds_sync is used to get the uid and pid of the process requesting the action. It does this by sending the unique bus name of the requesting process, which is typically something like ":1.96", to dbus-daemon. These unique names are...
SOGo -- SAML user authentication impersonation
sogo.nu reports: SOGo was not validating the signatures of any SAML assertions it received. This means any actor with network access to the deployment could impersonate users when SAML was the authentication method...
lasso -- signature checking failure
entrouvert reports: When AuthnResponse messages are not signed, which is permitted by the specification, all assertions' signatures should be checked, but currently after the first signed assertion is checked all following assertions are accepted without checking their signature, and the last one i...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Stealing GitLab OAuth access tokens using XSLeaks in Safari Denial of service through recursive triggered pipelines Unauthenticated CI lint API may lead to information disclosure and SSRF Server-side DoS through rendering crafted Markdown documents Issue and merge request length...
pglogical -- shell command injection in pglogical.create_subscription()
2ndQuadrant reports: Fix pg_dump/pg_restore execution CVE-2021-3515 Correctly escape the connection string for both pg_dump and pg_restore so that exotic database and user names are handled correctly. Reported by Pedro Gallegos...
redis -- integer overflow
Redis development team reports: An integer overflow bug in Redis version 6.0 or newer can be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution. This is a result of an incomplete fix by CVE-2021-29477...
FreeBSD -- Missing message validation in libradius(3)
Problem Description: libradius did not perform sufficient validation of received messages. rad_get_attr(3) did not verify that the attribute length is valid before subtracting the length of the Type and Length fields. As a result, it could return success while also providing a bogus length of SIZE_T_MA...
FreeBSD-kernel -- SMAP bypass
Problem Description: The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin and copyout are responsible for disabling SMAP around the sections of code that perform user memory accesses. Such subroutines must handle page...
isc-dhcp -- remotely exploitable vulnerability
Michael McNally reports: Program code used by the ISC DHCP package to read and parse stored leases has a defect that can be exploited by an attacker to cause one of several undesirable outcomes...
cyrus-imapd -- multiple-minute daemon hang via input that is mishandled during hash-table interaction
Cyrus IMAP 3.4.2 Release Notes state: Fixed CVE-2021-33582: Certain user inputs are used as hash table keys during processing. A poorly chosen string hashing algorithm meant that the user could control which bucket their data was stored in, allowing a malicious user to direct many inputs to a...
NGINX -- 1-byte memory overwrite in resolver
NGINX team reports: 1-byte memory overwrite might occur during DNS server response processing if the "resolver" directive was used, allowing an attacker who is able to forge UDP packets from the DNS server to cause worker process crash or, potentially, arbitrary code execution...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 32 security fixes, including: 1208721 High CVE-2021-30521: Heap buffer overflow in Autofill. Reported by ZhanJia Song on 2021-05-13 1176218 High CVE-2021-30522: Use after free in WebAudio. Reported by Piotr Bania of Cisco Talos on 2021-02-09 1187797...
dragonfly -- argument injection
NVD reports: An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process...
PG Partition Manager -- arbitrary code execution
PG Partition Manager reports: In the pg_partman aka PG Partition Manager extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set...
py-numpy -- Missing return-value validation of the function PyArray_DescrNew
Numpy reports: At most call-sites for PyArray_DescrNew, there are no validations of its return, but an invalid address may be returned...