powerdns-recursor -- cache pollution
PowerDNS Team reports: CVE-2020-25829: An issue has been found in PowerDNS Recursor where a remote attacker can cause the cached records for a given name to be updated to the ‘Bogus’ DNSSEC validation state, instead of their actual DNSSEC ‘Secure’ state, via a DNS ANY query. This results in a...
Flash Player -- arbitrary code execution
Adobe reports: This update resolves a NULL pointer dereference vulnerability that could lead to arbitrary code execution CVE-2020-9746...
MariaDB -- Undisclosed vulnerability
The MariaDB project reports: Details of this vulnerability have not yet been disclosed...
Rails -- Possible XSS vulnerability
Ruby on Rails blog: Rails version 6.0.3.4 has been released! This version is a security release and addresses one possible XSS attack vector in Actionable Exceptions...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 35 security fixes, including: 1127322 Critical CVE-2020-15967: Use after free in payments. Reported by Man Yue Mo of GitHub Security Lab on 2020-09-11; 1126424 High CVE-2020-15968: Use after free in Blink. Reported by Anonymous on 2020-09-09; 1124659...
python 3.9 -- end of life, not receiving security support
Unsupported versions: ... End of life: 2025-10-31...
py-ansible -- multiple vulnerabilities
abeluck reports: A flaw was found in Ansible Base when using the aws_ssm connection plugin, as garbage collection does not happen after the playbook run is completed. Files would remain in the bucket, exposing the data. This issue directly affects data confidentiality. A flaw was found in Ansible Base...
motion -- Denial of Service
cxsecurity.com reports: A Denial of Service condition in Motion-Project Motion 3.2 through 4.3.1 allows remote unauthenticated users to cause a webu.c segmentation fault and kill the main process via a crafted HTTP request...
kdeconnect -- packet manipulation can be exploited in a Denial of Service attack
Albert Astals Cid reports: KDE Project Security Advisory. Title: KDE Connect: packet manipulation can be exploited in a Denial of Service attack. Risk Rating: Important. CVE: CVE-2020-26164. Versions: kdeconnect. Date: 2 October 2020. Overview: An attacker on your local network could send maliciously crafted...
glpi -- Any CalDAV calendar is read-only for every authenticated user
MITRE Corporation reports: In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. This issue is fixed in version 9.5.3. As a workaround, one can remove the caldav.php file to block access to CalDAV server...
py-matrix-synapse -- XSS vulnerability
Matrix developers report: The fallback authentication endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities,...
Gitlab -- multiple vulnerabilities
Gitlab reports: Potential Denial Of Service Via Update Release Links API; Insecure Storage of Session Key In Redis; Improper Access Expiration Date Validation; Cross-Site Scripting in Multiple Pages; Unauthorized Users Can View Custom Project Template; Cross-Site Scripting in SVG Image Preview...
zeek -- Vulnerability due to memory leak
Jon Siwek of Corelight reports: This release fixes the following security issue: A memory leak in multipart MIME code has potential for remote exploitation and cause for Denial of Service via resource exhaustion...
dovecot-pigeonhole -- Sieve excessive resource usage
Dovecot team reports: The Sieve interpreter is not protected against abusive scripts that claim excessive resource usage. Fixed by limiting the user CPU time per single script execution and cumulatively over several script runs within a configurable timeout period. Sufficiently large CPU time...
powerdns -- Leaking uninitialised memory through crafted zone records
PowerDNS Team reports CVE-2020-17482: An issue has been found in PowerDNS Authoritative Server before 4.3.1 where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. Such a user could be a customer inserting data via...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release fixes 10 security issues, including: 1100136 High CVE-2020-15960: Out of bounds read in storage. Reported by Anonymous on 2020-06-28; 1114636 High CVE-2020-15961: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-10; 1121836 High...
drupal -- Multiple Vulnerabilities
Drupal Security Team reports: The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting...
py-matrix-synapse -- malformed events may prevent users from joining federated rooms
Problem Description: Affected Synapse versions assume that all events have an "origin" field set. If an event without the "origin" field is sent into a federated room, servers not already joined to the room will be unable to do so due to failing to fetch the malformed event. Impact: An attacker...
dnsmasq -- DNS cache poisoning, and DNSSEC buffer overflow, vulnerabilities
Simon Kelley reports: There are broadly two sets of problems. The first is subtle errors in dnsmasq's protections against the chronic weakness of the DNS protocol to cache-poisoning attacks; the Birthday attack, Kaminsky, etc.... the second set of errors is a good old fashioned buffer overflow in...
FreeBSD -- ure device driver susceptible to packet-in-packet attack
Problem Description: A programming error in the ure(4) device driver caused some Realtek USB Ethernet interfaces to incorrectly report packets with more than 2048 bytes in a single USB transfer as having a length of only 2048 bytes. An adversary can exploit this to cause the driver to misinterpret...
tt-rss -- multiple vulnerabilities
tt-rss project reports: The cached_url feature mishandles JavaScript inside an SVG document. imgproxy in plugins/af_proxy_http/init.php mishandles $_REQUEST["url"] in an error message. It does not validate all URLs before requesting them. Allows remote attackers to execute arbitrary PHP code via a...
FreeBSD -- ftpd privilege escalation via ftpchroot feature
Problem Description: An ftpd(8) bug in the implementation of the file system sandbox, combined with capabilities available to an authenticated FTP user, can be used to escape the file system restriction configured in ftpchroot(5). Moreover, the bug allows a malicious client to gain root privileges...
FreeBSD -- bhyve SVM guest escape
Problem Description: A number of AMD virtualization instructions operate on host physical addresses, are not subject to nested page table translation, and guest use of these instructions was not trapped. Impact: From kernel mode a malicious guest can write to arbitrary host memory with some...
FreeBSD -- bhyve privilege escalation via VMCS access
Problem Description: AMD and Intel CPUs support hardware virtualization using specialized data structures that control various aspects of guest operation. These are the Virtual Machine Control Structure (VMCS) on Intel CPUs, and the Virtual Machine Control Block (VMCB) on AMD CPUs. Insufficient acces...
mantis -- multiple vulnerabilities
Mantis 2.24.3 release reports: This release fixes 3 security issues: 0027039: CVE-2020-25781: Access to private bug note attachments; 0027275: CVE-2020-25288: HTML Injection on bug_update_page.php; 0027304: CVE-2020-25830: HTML Injection in bug_actiongroup_page.php...
Rails -- Potential XSS vulnerability
Ruby on Rails blog: Rails 5.2.4.4 and 6.0.3.3 have been released! These releases contain an important security fix, so please upgrade when you can. Both releases contain the following fix: CVE-2020-15169 Potential XSS vulnerability in Action View...
chromium -- multiple vulnerabilities
Chrome Releases reports: This release contains 5 security fixes: 1116304 High CVE-2020-6573: Use after free in video. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-08-14; 1102196 High CVE-2020-6574: Insufficient policy enforcement in installer. Reported by...
Node.js -- September 2020 Security Releases
Node.js reports: Updates are now available for the v10.x, v12.x and v14.x Node.js release lines for the following issues. HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201): Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing...
libzmq4 -- Denial of Service
Google's oss-fuzz project reports: Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated clients. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete...
GnuTLS -- null pointer dereference
The GnuTLS project reports: It was found by oss-fuzz that the server sending a "no_renegotiation" alert in an unexpected timing, followed by an invalid second handshake, can cause a TLS 1.3 client to crash via a null-pointer dereference. The crash happens in the application's error handling path,...
Multi-link PPP protocol daemon MPD5 remotely exploitable crash
Version 5.9 contains a security fix for L2TP clients and servers. Insufficient validation of an incoming L2TP control packet specially crafted by an unauthenticated user might lead to unexpected termination of the process. The problem affects mpd versions since 4.0, which brought in initial support for L2T...
gnupg -- AEAD key import overflow
Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour. Importing an arbitrary key can often easily be triggered by an attacker, and thus so can this bug. Exploiting the bug aside from crashes ...
Gitlab -- multiple vulnerabilities
Gitlab reports: Vendor Cross-Account Assume-Role Attack; Stored XSS on the Vulnerability Page; Outdated Job Token Can Be Reused to Access Unauthorized Resources; File Disclosure Via Workhorse File Upload Bypass; Unauthorized Maintainer Can Edit Group Badge; Denial of Service Within Wiki Functionality...
FreeBSD -- dhclient heap overflow
Problem Description: When parsing option 119 data, dhclient(8) computes the uncompressed domain list length so that it can allocate an appropriately sized buffer to store the uncompressed list. The code to compute the length failed to handle certain malformed input, resulting in a heap overflow whe...
FreeBSD -- SCTP socket use-after-free bug
Problem Description: Due to improper handling in the kernel, a use-after-free bug can be triggered by sending large user messages from multiple threads on the same socket. Impact: Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic...
FreeBSD -- IPv6 Hop-by-Hop options use-after-free bug
Problem Description: Due to improper mbuf handling in the kernel, a use-after-free bug might be triggered by sending IPv6 Hop-by-Hop options over the loopback interface. Impact: Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic...
Mbed TLS -- Local side channel attack on classical CBC decryption in (D)TLS
Manuel Pégourié-Gonnard reports: When decrypting/authenticating a DTLS record in a connection using a CBC ciphersuite without the Encrypt-then-Mac extension (RFC 7366), Mbed TLS used dummy rounds of the compression function associated with the hash used for HMAC in order to hide the length of the...
Mbed TLS -- Local side channel attack on RSA and static Diffie-Hellman
Manuel Pégourié-Gonnard reports: An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can recover the private keys used in RSA or static finite-field Diffie-Hellm...
Django -- multiple vulnerabilities
Django Release notes: CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+. On Python 3.7+, the FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static...
py-Flask-Cors -- directory traversal vulnerability
praetorian-colby-morgan reports: An issue was discovered in Flask-CORS aka CORS Middleware for Flask before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format...
zeek -- Various vulnerabilities
Jon Siwek of Corelight reports: This release fixes the following security issue: The AYIYA and GTPv1 parsing/decapsulation logic may leak memory -- These leaks have potential for remote exploitation to cause Denial of Service via resource exhaustion...
ark -- extraction outside of extraction directory
Albert Astals Cid reports: Overview: A maliciously crafted TAR archive containing symlink entries would install files anywhere in the user's home directory upon extraction. Proof of concept: For testing, an example of a malicious archive can be found at dirsymlink.tar. Impact: Users can unwillingly...
powerdns -- Various issues in GSS-TSIG support
PowerDNS developers report: A remote, unauthenticated attacker can trigger a race condition leading to a crash, or possibly arbitrary code execution, by sending crafted queries with a GSS-TSIG signature. A remote, unauthenticated attacker can cause a denial of service by sending crafted queries...
libX11 -- Double free in locale handling code
The X.org project reports: There is an integer overflow and a double free vulnerability in the way LibX11 handles locales. The integer overflow is a necessary precursor to the double free...
xorg-server -- Multiple input validation failures in X server extensions
The X.org project reports: All these issues can lead to local privilege elevation on systems where the X server is running privileged. The handler for the XkbSetNames request does not validate the request length before accessing its contents. An integer underflow exists in the handler for the...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update includes 20 security fixes, including: 1109120 High CVE-2020-6558: Insufficient policy enforcement in iOS. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-24; 1116706 High CVE-2020-6559: Use after free in presentation API. Report...
go -- net/http/cgi, net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified
The Go project reports: When a Handler does not explicitly set the Content-Type header, both CGI implementations default to “text/html”. If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file), this might be mistakenly return...
textproc/elasticsearch6 -- field disclosure flaw
Elastic reports: A field disclosure flaw was found in Elasticsearch when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker...
Python -- multiple vulnerabilities
Python reports: bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest…. bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded CVE-2020-15523. bpo-41004: CVE-2020-14422: The hash methods of ipaddress.IPv4Interface and...
Icinga Web 2 -- directory traversal vulnerability
Icinga development team reports: CVE-2020-24368 Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4,...