jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Low SECURITY-1721 / CVE-2021-21639: Lack of type validation in agent related REST API. Medium SECURITY-1871 / CVE-2021-21640: View name validation bypass...
gitea -- multiple vulnerabilities
The Gitea Team reports for release 1.13.7: Update to bluemonday-1.0.6 Clusterfuzz found another way...
clamav -- Multiple vulnerabilities
Micah Snyder reports: CVE-2021-1252 Excel XLM parser infinite loop CVE-2021-1404 PDF parser buffer over-read; possible crash. CVE-2021-1405 Mail parser NULL-dereference crash...
syncthing -- crash due to malformed relay protocol message
syncthing developers report: syncthing can be caused to crash and exit if sent a malformed relay protocol message with a negative length field. The relay server strelaysrv can be caused to crash and exit if sent a malformed relay protocol message with a negative length field...
FreeBSD -- double free in accept_filter(9) socket configuration interface
Problem Description: An unprivileged process can configure an accept filter on a listening socket. This is done using the setsockopt(2) system call. The process supplies the name of the accept filter which is to be attached to the socket, as well as a string containing filter-specific information. ...
asterisk -- Remote Crash Vulnerability in PJSIP channel driver
The Asterisk project reports: When Asterisk receives a re-INVITE without SDP after having sent a BYE request a crash will occur. This occurs due to the Asterisk channel no longer being present while code assumes it is...
FreeBSD -- Memory disclosure by stale virtual memory mapping
Problem Description: A particular case of memory sharing is mishandled in the virtual memory system. It is possible and legal to establish a relationship where multiple descendant processes share a mapping which shadows memory of an ancestor process. In this scenario, when one process modifies...
FreeBSD -- jail escape possible by mounting over jail root
Problem Description: Due to a race condition between lookup of ".." and remounting a filesystem, a process running inside a jail might access filesystem hierarchy outside of jail. Impact: A process with superuser privileges running inside a jail configured with the allow.mount permission not...
Node.js -- April 2021 Security Releases
Node.js reports: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT High CVE-2021-3450 This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt OpenSSL - NULL pointer deref in...
OpenDMARC - Multiple vulnerabilities
OpenDMARC releases prior to 1.4.1 are susceptible to the following vulnerabilities: CVE-2019-16378 OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone to a signature-bypass vulnerability with multiple From: addresses, which might affect applications that consider a domain name to be...
ruby -- XML round-trip vulnerability in REXML
Juho Nurminen reports: When parsing and serializing a crafted XML document, REXML gem including the one bundled with Ruby can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in...
Apache Maven -- multiple vulnerabilities
The Apache Maven project reports: We received a report from Jonathan Leitschuh about a vulnerability of custom repositories in dependency POMs. We've split this up into three separate issues: Possible Man-In-The-Middle-Attack due to custom repositories using HTTP. More and more repositories use...
Pillow -- multiple vulnerabilities
python-pillow reports: This release fixes several vulnerabilities found with OSS-Fuzz. CVE-2021-25288: Fix OOB read in Jpeg2KDecode. This dates to Pillow 2.4.0. CVE-2021-28675: Fix DOS in PsdImagePlugin. This dates to the PIL fork. CVE-2021-28676: Fix FLI DOS. This dates to the PIL fork...
mdbook -- XSS in mdBook's search page
Rust Security Response Working Group reports: The search feature of mdBook introduced in version 0.1.4 was affected by a cross site scripting vulnerability that allowed an attacker to execute arbitrary JavaScript code on a user's browser by tricking the user into typing a malicious search query,...
zeek -- null-pointer dereference vulnerability
Jon Siwek of Corelight reports: Fix null-pointer dereference when encountering an invalid enum name in a config/input file that tries to read it into a set[enum]. For those that have such an input feed whose contents may come from external/remote sources, this is a potential DoS vulnerability...
Gitlab -- Multiple vulnerabilities
Gitlab reports: Arbitrary File Read During Project Import Kroki Arbitrary File Read/Write Stored Cross-Site-Scripting in merge requests Access data of an internal project through a public project fork as an anonymous user Incident metric images can be deleted by any user Infinite Loop When a User...
curl -- TLS 1.3 session ticket proxy host mixup
Daniel Stenberg reports: Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arriv...
curl -- Automatic referer leaks credentials
Daniel Stenberg reports: libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. libcurl...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update contains 8 security fixes, including: 1181228 High CVE-2021-21194: Use after free in screen capture. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-02-23 1182647 High CVE-2021-21195: Use after free in V8. Reported by Bohan Liu @P4nda20371774 and...
OpenSSL -- Multiple vulnerabilities
The OpenSSL project reports: High: CA certificate check bypass with X509_V_FLAG_X509_STRICT CVE-2021-3450 The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. High: NULL pointer deref in signature_algorithms...
tomcat -- Remote Denial of Service in multiple versions
rbeaudry reports: A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. Thi...
samba -- Multiple Vulnerabilities
The Samba Team reports: CVE-2020-27840: An anonymous attacker can crash the Samba AD DC LDAP server by sending easily crafted DNs as part of a bind request. More serious heap corruption is likely also possible. CVE-2021-20277: User-controlled LDAP filter strings against the AD DC LDAP server may...
spamassassin -- Malicious rule configuration (.cf) files can be configured to run system commands
The Apache SpamAssassin project reports: Apache SpamAssassin 3.4.5 was recently released, and fixes an issue of security note where malicious rule configuration .cf files can be configured to run system commands. In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of...
dovecot -- multiple vulnerabilities
Dovecot team reports: CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens in some configurations. This requires an attacker to be able to write files to local disk. CVE-2021-33515: On-path attacker...
gitea -- multiple vulnerabilities
The Gitea Team reports for release 1.13.6: Fix bug on avatar middleware Fix another clusterfuzz identified issue...
nettle 3.7.2 -- fix serious ECDSA signature verify bug
Niels Möller reports: I've prepared a new bug-fix release of Nettle, a low-level cryptographic library, to fix a serious bug in the function to verify ECDSA signatures. Implications include an assertion failure, which could be used for denial-of-service, when verifying signatures on the secp224r...
gitea -- quoting in markdown text
The Gitea Team reports for release 1.13.5: Update to goldmark 1.3.3...
minio -- MITM attack
minio developers report: This is a security issue because it enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipp...
dnsmasq -- cache poisoning vulnerability in certain configurations
Simon Kelley reports: In configurations where the forwarding server address contains an @ character for specifying a sending interface or source address, the random source port behavior was disabled, making cache poisoning attacks possible. This only affects configurations of the form...
Gitlab -- Multiple vulnerabilities
Gitlab reports: Remote code execution via unsafe user-controlled markdown rendering options...
py-pygments -- multiple DoS vulnerabilities
Red Hat reports: An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. Ben Caller reports: In pygments 1.1+, fixed in...
LibreSSL -- use-after-free
OpenBSD reports: A TLS client using session resumption may cause a use-after-free...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release includes 5 security fixes, including: 1167357 High CVE-2021-21191: Use after free in WebRTC. Reported by raven @raidakame on 2021-01-15 1181387 High CVE-2021-21192: Heap buffer overflow in tab groups. Reported by Abdulrahman Alqabandi, Microsoft Browser...
upnp -- stack overflow vulnerability
Mitre reports: A stack overflow in pupnp 1.16.1 can cause the denial of service through the Parser_parseDocument function. ixmlNode_free will release a child node recursively, which will consume stack space and lead to a crash...
gitea -- multiple vulnerabilities
The Gitea Team reports for release 1.14.0: Validate email in external authenticator registration form Ensure validation occurs on clone addresses too...
Python -- multiple vulnerabilities
Python reports: bpo-43434: Creating a sqlite3.Connection object now also produces a sqlite3.connect auditing event. Previously this event was only produced by sqlite3.connect calls. Patch by Erlend E. Aasland. bpo-43882: The presence of newline or tab characters in parts of a URL could allow some...
go -- encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader; archive/zip: panic when calling Reader.Open
The Go project reports: The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element. The Reader.Open API, new in Go 1.16, will panic wh...
Gitlab -- Multiple vulnerabilities
Gitlab reports: JWT token leak via Workhorse Stored XSS in wiki pages Group Maintainers are able to use the Group CI/CD Variables API Insecure storage of GitLab session keys...
OpenSSH -- Double-free memory corruption in ssh-agent
OpenBSD Project reports: ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2. We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provid...
py-markdown2 -- regular expression denial of service vulnerability
Ben Caller reports: markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time...
ircII -- denial of service
Michael Ortmann reports: ircii has a bug in parsing CTCP UTC messages. It's unknown if this could also be used for arbitrary code execution...
openvpn -- deferred authentication can be bypassed in specific circumstances
Gert Döring reports: OpenVPN 2.5.1 and earlier versions allow remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release includes 47 security fixes, including the below. Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild. Please see URL for details...
vault -- unauthenticated license read
vault developers report: Limited Unauthenticated License Read: We addressed a security vulnerability that allowed for the unauthenticated reading of Vault licenses from DR Secondaries...
aiohttp -- open redirect vulnerability
Sviatoslav Sydorenko reports: Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware...
salt -- multiple vulnerabilities
SaltStack reports multiple security vulnerabilities in Salt. CVE-2021-3197: The Salt-API's SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request. CVE-2021-25281: The Salt-API does not have eAuth credentials for the...
FreeBSD -- jail_remove(2) fails to kill all jailed processes
Problem Description: Due to a race condition in the jail_remove(2) implementation, it may fail to kill some of the processes. Impact: A process running inside a jail can avoid being killed during jail termination. If a jail is subsequently started with the same root path, a lingering jailed process...
FreeBSD -- Xen grant mapping error handling issues
Problem Description: Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on...
FreeBSD -- jail_attach(2) relies on the caller to change the cwd
Problem Description: When a process, such as jexec(8) or killall(1), calls jail_attach(2) to enter a jail, the jailed root can attach to it using ptrace(2) before the current working directory is changed. Impact: A process with superuser privileges running inside a jail could change the root directory...
FreeBSD -- login.access fails to apply rules
Problem Description: A regression in the login.access(5) rule processor has the effect of causing rules to fail to match even when they should not. This means that rules denying access may be ignored. Impact: The configuration in login.access(5) may not be applied, permitting login access to users ev...