Node.js -- February 2021 Security Releases
Node.js reports: HTTP2 'unknownProtocol' causes Denial of Service by resource exhaustion (Critical) (CVE-2021-22883) Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file...
redis -- Integer overflow on 32-bit systems
Redis Development team reports: Redis 4.0 or newer uses a configurable limit for the maximum supported bulk input size. By default, it is 512MB which is a safe value for all platforms. If the limit is significantly increased, receiving a large request from a client may trigger several integer...
asterisk -- Crash when negotiating T.38 with a zero port
The Asterisk project reports: When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with a m=image line and zero port, a crash will occur in Asterisk. This is a reoccurrence of AST-2019-004...
jenkins -- Privilege escalation vulnerability in bundled Spring Security library
Jenkins Security Advisory: Description high SECURITY-2195 / CVE-2021-22112 Privilege escalation vulnerability in bundled Spring Security library...
asterisk -- Remote attacker could prematurely tear down SRTP calls
The Asterisk project reports: An unauthenticated remote attacker could replay SRTP packets which could cause an Asterisk instance configured without strict RTP validation to tear down calls prematurely...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 10 security fixes, including: 1138143 High CVE-2021-21149: Stack overflow in Data Transfer. Reported by Ryoya Tsukasaki on 2020-10-14 1172192 High CVE-2021-21150: Use after free in Downloads. Reported by Woojin Oh@pwnexpoit of STEALIEN on 2021-01-29...
OpenSSL -- Multiple vulnerabilities
The OpenSSL project reports: Null pointer deref in X509_issuer_and_serial_hash (CVE-2021-23841) (Moderate) The OpenSSL public API function X509_issuer_and_serial_hash attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to...
openexr, ilmbase -- security fixes related to reading corrupted input files
Cary Phillips reports: Patch release with various bug/sanitizer/security fixes, primarily related to reading corrupted input files...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Improper Certificate Validation for Fortinet OTP Denial of Service Attack on gitlab-shell Resource exhaustion due to pending jobs Confidential issue titles were exposed Improper access control allowed demoted project members to access authored merge requests Improper access contro...
asterisk -- An unsuspecting user could crash Asterisk with multiple hold/unhold requests
The Asterisk project reports: Due to a signedness comparison mismatch, an authenticated WebRTC client could cause a stack overflow and Asterisk crash by sending multiple hold/unhold requests in quick succession...
Rails -- multiple vulnerabilities
Ruby on Rails blog: Rails versions 5.2.4.5, 6.0.3.5 and 6.1.2.1 have been released! These versions are security releases and address two issues: CVE-2021-22880: Possible DoS Vulnerability in Active Record PostgreSQL adapter. CVE-2021-22881: Possible Open Redirect in Host Authorization Middleware...
zeek -- Remote crash vulnerability
Jon Siwek of Corelight reports: Fix ASCII Input reader's treatment of input files containing null-bytes. An input file containing null-bytes could lead to a buffer-over-read, crash Zeek, and be exploited to cause Denial of Service...
Carrierwave -- Multiple vulnerabilities
Community reports: Fix Code Injection vulnerability in CarrierWave::RMagick Fix SSRF vulnerability in the remote file download feature...
asterisk -- Remote Crash Vulnerability in PJSIP channel driver
The Asterisk project reports: Given a scenario where an outgoing call is placed from Asterisk to a remote SIP server it is possible for a crash to occur...
jasper -- multiple vulnerabilities
JasPer Releases: - Fix memory-related bugs in the JPEG-2000 codec resulting from attempting to decode invalid code streams (#264, #265). This fix is associated with CVE-2021-26926 and CVE-2021-26927. - Fix wrong return value under some compilers (#260) - Fix CVE-2021-3272 heap buffer overflow in jp2deco...
asterisk -- Remote crash possible when negotiating T.38
The Asterisk project reports: When re-negotiating for T.38 if the initial remote response was delayed just enough Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream then Asterisk would crash...
chromium -- heap buffer overflow in V8
Chrome Releases reports: 1170176 High CVE-2021-21148: Heap buffer overflow in V8. Reported by Mattias Buelens on 2021-01-24. Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild...
www/chromium -- multiple vulnerabilities
Chrome Releases reports: This update includes 6 security fixes: 1169317 Critical CVE-2021-21142: Use after free in Payments. Reported by Khalil Zhani on 2021-01-21 1163504 High CVE-2021-21143: Heap buffer overflow in Extensions. Reported by Allen Parker and Alex Morgan of MU on 2021-01-06 1163845...
oauth2-proxy -- domain whitelist could be used as redirect
The oauth2-proxy Team reports: In OAuth2 Proxy before version 7.0.0, for users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect...
Gitlab -- Multiple vulnerabilities
Gitlab reports: Stored XSS in merge request Stored XSS in epic's pages Sensitive GraphQL variables exposed in structured log Guest user can see tag names in private projects Information disclosure via error message DNS rebinding protection bypass Validate existence of private project...
h2o -- uninitialised memory access in HTTP3
Emil Lerner reports: When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state ...
FreeBSD -- Xen guests can trigger backend Out Of Memory
Problem Description: Some OSes including Linux, FreeBSD, and NetBSD are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbound, a guest may be able to trigger an OOM in the backend...
mod_dav_svn -- server crash
Subversion project reports: Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL...
minio -- Server Side Request Forgery
Minio developers report: Thanks to @phith0n from our community upon a code review, discovered an SSRF Server Side Request Forgery in our Browser API implementation. We have not observed this report/attack in the wild or reported elsewhere in the community at large. All users are advised to upgrad...
FreeBSD -- Uninitialized kernel stack leaks in several file systems
Problem Description: Several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by...
sudo -- Multiple vulnerabilities
Todd C. Miller reports: When invoked as sudoedit, the same set of command line options are now accepted as for sudo -e. The -H and -P options are now rejected for sudoedit and sudo -e which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156. Fixed a potential buffer overflow...
jenkins -- Arbitrary file read vulnerability in workspace browsers
Jenkins Security Advisory: Description Medium SECURITY-2197 / CVE-2021-21615 Arbitrary file read vulnerability in workspace browsers...
All versions of Apache OpenOffice through 4.1.9 can open non-http(s) hyperlinks. If the link is specifically crafted this could lead to untrusted code execution.
The Apache OpenOffice project reports: The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-https hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code...
pngcheck -- Buffer-overrun vulnerability
The libpng project reports: pngcheck versions 3.0.0 and earlier have a pair of buffer-overrun bugs related to the sPLT and PPLT chunks (the latter is a MNG-only chunk, but it gets noticed even in PNG files if the -s option is used). Both bugs are fixed in version 3.0.1, released on 24 January 2021...
MySQL -- Multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 34 new security patches for Oracle MySQL Server and 4 for MySQL Client. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 6.8...
nokogiri -- Security vulnerability
Nokogiri reports: In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema were trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks...
python -- Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem
David Schwörer reports: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords...
pysaml2 -- multiple vulnerabilities
pysaml2 Releases: Fix processing of invalid SAML XML documents - CVE-2021-21238 Fix unspecified xmlsec1 key-type preference - CVE-2021-21239...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 36 security fixes, including: 1137179 Critical CVE-2021-21117: Insufficient policy enforcement in Cryptohome. Reported by Rory McNamara on 2020-10-10 1161357 High CVE-2021-21118: Insufficient data validation in V8. Reported by Tyler Nighswander...
mutt -- denial of service
Tavis Ormandy reports: rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can...
Gitlab -- vulnerability
The GitLab Team reports: Ability to steal a user's API access token through GitLab Pages...
cloud-init -- Wrong access permissions of authorized keys
cloud-init reports: cloud-init release 20.4.1 is now available. This is a hotfix release, that contains a single patch to address a security issue in cloud-init 20.4. Briefly, for users who provide more than one unique SSH key to cloud-init and have a shared AuthorizedKeysFile configured in...
go -- cmd/go: packages using cgo can cause arbitrary code execution at build time; crypto/elliptic: incorrect operations on the P-224 curve
The Go project reports: The go command may execute arbitrary code at build time when cgo is in use on Windows. This may occur when running "go get", or any other command that builds code. Only users who build untrusted code and don't execute it are affected. In addition to Windows users, this can...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description Medium SECURITY-1452 / CVE-2021-21602 Arbitrary file read vulnerability in workspace browsers High SECURITY-1889 / CVE-2021-21603 XSS vulnerability in notification bar High SECURITY-1923 / CVE-2021-21604 Improper handling of REST API XML deserialization erro...
sudo -- Potential information leak in sudoedit
Todd C. Miller reports: A potential information leak in sudoedit that could be used to test for the existence of directories not normally accessible to the user in certain circumstances. When creating a new file, sudoedit checks to make sure the parent directory of the new file exists before...
gitea -- multiple vulnerabilities
The Gitea Team reports for release 1.13.2: Prevent panic on fuzzer provided string Add secure/httpOnly attributes to the lang cookie...
gitea -- multiple vulnerabilities
The Gitea Team reports for release 1.13.3: Turn default hash password algorithm back to pbkdf2 from argon2 until we find a better one The Gitea Team reports for release 1.13.4: Fix issue popups...
Gitlab -- multiple vulnerabilities
Gitlab reports: Ability to steal a user's API access token through GitLab Pages Prometheus denial of service via HTTP request with custom method Unauthorized user is able to access private repository information under specific conditions Regular expression denial of service in NuGet API Regular...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release includes 16 security fixes, including: 1148749 High CVE-2021-21106: Use after free in autofill. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-11-13 1153595 High CVE-2021-21107: Use after free in drag and drop...
asterisk -- Remote crash in res_pjsip_diversion
The Asterisk project reports: If a registered user is tricked into dialing a malicious number that sends lots of 181 responses to Asterisk, each one will cause a 181 to be sent back to the original caller with an increasing number of entries in the "Supported" header. Eventually the number of...
Node.js -- January 2021 Security Releases
Node.js reports: use-after-free in TLSWrap High CVE-2020-8265 Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first...
Security Vulnerability found in ExifTool
Debian Security Advisory reports: A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed...
CairoSVG -- Regular Expression Denial of Service vulnerability
CairoSVG security advisories: When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time...
wavpack -- integer overflow in pack_utils.c
The wavpack project reports: src/pack_utils.c - issue #91: fix integer overflows resulting in buffer overruns (CVE-2020-35738) - sanitize configuration parameters better (improves clarity and aids debugging)...
nexus2-oss -- Apache ActiveMQ JMX vulnerability
Sonatype reports: CVE-2020-13920: Apache ActiveMQ JMX is vulnerable to a MITM attack...