6530 matches found
FreeBSD -- Memory disclosure vulnerability in libalias
Problem Description: The FTP packet handler in libalias incorrectly calculates some packet lengths. This may result in disclosing small amounts of memory from the kernel for the in-kernel NAT implementation or from the process space for natd for the userspace implementation. Impact: A malicious...
clamav -- multiple vulnerabilities
Micah Snyder reports: CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.2 that could cause a denial-of-service condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. Special thanks to Daehui Chang and...
Apache Tomcat Remote Code Execution via session persistence
The Apache Software Foundation reports: Under certain circumstances an attacker will be able to trigger remote code execution via deserialization of the file under their control...
typo3 -- multiple vulnerabilities
Typo3 News: CVE-2020-11063: TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset It has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to verify whether a backend user account with a given email...
zeek -- Various vulnerabilities
Jon Siwek of Corelight reports: This release fixes the following security issues: Fix buffer over-read in Ident analyzer Fix SSL scripting error leading to uninitialized field access and memory leak Fix POP3 analyzer global buffer over-read Fix potential stack overflows due to use of...
Wagtail -- potential timing attack vulnerability
Wagtail release notes: CVE-2020-11037: Potential timing attack on password-protected private pages This release addresses a potential timing attack on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through ...
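Both the TYPO3 password-reset issue above (the reset path behaves differently depending on whether the account exists) and the Wagtail shared-password check are timing side channels. The following is an added example, not code from either project: a constructed Python credential store with a naive check that leaks through early returns and a short-circuiting byte compare, beside a hardened check that does the same work on every path and compares with `hmac.compare_digest`. The user name, password, PBKDF2 parameters and decoy record are all invented for the example.

```python
import hashlib
import hmac
import os

# Constructed credential store for this example only; not TYPO3's or Wagtail's.
# Each user maps to (salt, PBKDF2-HMAC-SHA256 digest).
def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, derive("correct horse battery staple", _ALICE_SALT))}

# A decoy record prepared once at start-up. The hardened path hashes against it when
# the user does not exist, so "unknown user" costs the same as "wrong password".
_DECOY_SALT = os.urandom(16)
_DECOY_HASH = derive(os.urandom(16).hex(), _DECOY_SALT)


def naive_equal(a: bytes, b: bytes) -> bool:
    """Short-circuiting comparison: returns as soon as one byte differs, so the
    response time grows with the length of the matching prefix."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def naive_check(username: str, password: str) -> bool:
    """Two timing leaks: an early return for unknown users (no hash work at all,
    which is the account-enumeration pattern) and a short-circuiting compare."""
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return naive_equal(derive(password, salt), stored)


def hardened_check(username: str, password: str) -> bool:
    """Same amount of work on every path: always derive a hash (against the decoy
    when the user is unknown) and compare with hmac.compare_digest."""
    salt, stored = USERS.get(username, (_DECOY_SALT, _DECOY_HASH))
    computed = derive(password, salt)
    digests_match = hmac.compare_digest(computed, stored)
    # Evaluate membership unconditionally so it does not become a new early exit.
    user_exists = username in USERS
    return digests_match and user_exists
```

The decoy record never authenticates anyone because the final result still requires the user to exist; it only exists so that the hash derivation is performed on the "unknown user" path too. Measuring the two checks with a high-resolution timer over many attempts shows the naive version separating known from unknown accounts by orders of magnitude (one PBKDF2 run versus a dictionary miss).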
zeek -- Various vulnerabilities
Jon Siwek of Corelight reports: This release fixes the following security issues: Fix potential stack overflow in NVT analyzer Fix NVT analyzer memory leak from multiple telnet authn name options Fix multiple content-transfer-encoding headers causing a memory leak Fix potential leak of Analyzers...
json-c -- integer overflow and out-of-bounds write via a large JSON file
Tobias Stöckmann reports: I have discovered a way to trigger an out of boundary write while parsing a huge json file through a malicious input source. It can be triggered if an attacker has control over the input stream or if a huge load during filesystem operations can be triggered...
qutebrowser -- Reloading page with certificate errors shows a green URL
Qutebrowser developers report: After a certificate error was overridden by the user, qutebrowser displays the URL in yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed in green, colors.statusbar.url.success_https...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Path Traversal in NuGet Package Registry Workhorse Bypass Leads to File Disclosure OAuth Application Client Secrets Revealed Code Owners Approval Rules Are Not Updated for Existing Merge Requests When Source Branch Changes Code Owners Protection Not Enforced from Web UI Repository...
salt -- multiple vulnerabilities in salt-master process
F-Secure reports: CVE-2020-11651 - Authentication bypass vulnerabilities The ClearFuncs class processes unauthenticated requests and unintentionally exposes the _send_pub method, which can be used to queue messages directly on the master publish server. Such messages can be used to trigger minions ...
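The pattern behind this advisory is a request dispatcher that resolves whatever method name the client sends, so internal helpers on the same class become reachable over the network. The following is an added illustration written for this page, not Salt's code: a stand-in handler with one public command and one underscore-prefixed internal method, a dispatcher that uses `getattr()` on the client-supplied name, and the fix pattern of an explicit allowlist. The handler, method names and the job payload are constructed for the example.

```python
# Illustrative request dispatcher, written for this example; it is not Salt's code.
# The handler models a class that answers unauthenticated requests but also carries
# internal helpers (underscore-prefixed) that must only ever be called by trusted code.

class PublicHandler:
    def __init__(self):
        self.published = []  # jobs queued to the (simulated) publish channel

    def ping(self):
        return "pong"

    def _send_pub(self, load):
        """Internal: queue a job for every connected minion. Reachable from the
        network only if the dispatcher is careless."""
        self.published.append(load)
        return {"queued": True}


def vulnerable_dispatch(handler, request):
    """Looks up whatever method name the client supplies. getattr() happily returns
    internal helpers, so a request naming "_send_pub" runs it with client-chosen args."""
    cmd = request["cmd"]
    kwargs = {k: v for k, v in request.items() if k != "cmd"}
    method = getattr(handler, cmd, None)
    if method is None or not callable(method):
        raise ValueError("unknown command")
    return method(**kwargs)


# The fix pattern: an explicit allowlist of what unauthenticated callers may invoke.
PUBLIC_COMMANDS = frozenset({"ping"})


def hardened_dispatch(handler, request):
    cmd = request.get("cmd")
    if not isinstance(cmd, str) or cmd not in PUBLIC_COMMANDS:
        raise PermissionError(f"command not permitted for unauthenticated callers: {cmd!r}")
    kwargs = {k: v for k, v in request.items() if k != "cmd"}
    return getattr(handler, cmd)(**kwargs)


def outcome(dispatch, handler, request):
    """Run a request and report what happened, for the demonstration below."""
    try:
        return ("ok", dispatch(handler, request))
    except (ValueError, PermissionError) as exc:
        return ("refused", type(exc).__name__)
```

A denylist on the leading underscore would be the tempting quick fix; the allowlist is preferable because any new method added to the handler later is closed by default rather than open.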
samba -- multiple vulnerabilities
The Samba Team reports: CVE-2020-10700 A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a use-after-free in Samba's AD DC LDAP server. CVE-2020-10704 A deeply nested filter in an un-authenticated LDAP search can exhaust the LDAP server's stack memory causing a SIGSEGV...
Apache OpenOffice -- Unrestricted actions lead to arbitrary code execution in crafted documents
The Apache OpenOffice project reports: CVE-2020-13958 Unrestricted actions lead to arbitrary code execution in crafted documents Description A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the...
CUPS -- memory corruption
Apple reports: CVE-2019-8842: The ippReadIO function may under-read an extension. CVE-2020-3898: The ppdOpen function did not handle invalid UI constraint. ppdcSource::get_resolution function did not handle invalid resolution strings. An application may be able to gain elevated privileges...
nested filters lead to stack overflow
Howard Chu reports: nested filters lead to stack overflow...
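The Samba entry above (CVE-2020-10704, a deeply nested filter in an unauthenticated LDAP search exhausting the server's stack) and this OpenLDAP entry describe the same failure mode: a recursive-descent filter parser with no depth bound. The following is an added example, not code from Samba or OpenLDAP: a small parser for RFC 4515-style search filters whose recursion depth can be capped, plus a generator for a pathological filter. Where the limit is disabled, the Python interpreter's recursion limit stands in for the C stack exhaustion the advisories describe. The depth limit of 64 is an assumed policy value, not one either project uses.

```python
import re
from typing import Optional

# Added example; not Samba's or OpenLDAP's parser. Handles the RFC 4515 shapes
# (&...), (|...), (!...) and simple items like (cn=x), (uid>=5), (mail~=a).
_SIMPLE_ITEM = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(=|~=|>=|<=)(.*)$", re.S)


class FilterError(ValueError):
    pass


def parse_filter(text: str, max_depth: Optional[int] = 64):
    """Parse a search filter into nested tuples: ("&", [children]) for composites,
    (op, attribute, value) for simple items. max_depth=None disables the bound and
    reproduces the unbounded recursion the advisories describe."""
    if not text:
        raise FilterError("empty filter")
    node, end = _parse(text, 0, 0, max_depth)
    if end != len(text):
        raise FilterError("trailing data after filter")
    return node


def _parse(text, pos, depth, max_depth):
    # The one line that turns stack exhaustion into a clean protocol error.
    if max_depth is not None and depth > max_depth:
        raise FilterError(f"filter nesting exceeds {max_depth}")
    if pos >= len(text) or text[pos] != "(":
        raise FilterError("expected '('")
    pos += 1
    if pos >= len(text):
        raise FilterError("truncated filter")
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos, depth + 1, max_depth)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise FilterError("expected ')'")
        if op == "!" and len(children) != 1:
            raise FilterError("'!' takes exactly one operand")
        return (op, children), pos + 1
    # Simple item: RFC 4515 requires ')' inside values to be escaped as \29,
    # so the first ')' really does close the item.
    close = text.find(")", pos)
    if close == -1:
        raise FilterError("expected ')'")
    m = _SIMPLE_ITEM.match(text[pos:close])
    if not m:
        raise FilterError("malformed filter item")
    return (m.group(2), m.group(1), m.group(3)), close + 1


def deep_filter(levels: int) -> str:
    """Constructed attack input: levels of (& wrapped around one harmless item."""
    return "(&" * levels + "(cn=x)" + ")" * levels


def parse_outcome(text: str, max_depth: Optional[int]) -> str:
    """Classify what happens to a filter: parsed, rejected by policy, or stack blown."""
    try:
        parse_filter(text, max_depth)
        return "ok"
    except FilterError:
        return "rejected"
    except RecursionError:
        return "stack-exhausted"
```

The check is cheap and happens before any work is done on the nested level, which is the property that matters: the attacker controls the input size, so the cost of rejecting it must not scale with it. Real servers typically also bound total filter size and the number of operands per composite.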
mail/dovecot -- multiple vulnerabilities
Aki Tuomi reports: Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory. Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash...
kaminari -- potential XSS vulnerability
Kaminari Security Advisories: There was a vulnerability in versions of Kaminari that would allow an attacker to inject arbitrary code into pages with pagination links. The 1.2.1 gem including the patch has already been released. All past released versions are affected by this vulnerability...
FreeBSD -- ipfw invalid mbuf handling
Problem Description: Incomplete packet data validation may result in accessing out-of-bounds memory (CVE-2019-5614) or may access memory after it has been freed (CVE-2019-15874). Impact: Access to out of bounds or freed mbuf data can lead to a kernel panic or other unpredictable results...
OpenSSL remote denial of service vulnerability
Problem Description: Server or client applications that call the SSL_check_chain function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognized...
malicious URLs can cause git to send a stored credential to wrong server
git security advisory reports: Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to se...
mailman -- arbitrary content injection vulnerability via options or private archive login pages
Mark Sapiro reports: A content injection vulnerability via the options login page has been discovered and reported by Vishal Singh. An issue similar to CVE-2018-13796 exists at a different endpoint & param. It can lead to a phishing attack. added 2020-05-07 This is essentially the same as...
py-markdown2 -- XSS vulnerability
TheGrandPew reports: python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute...
bftpd -- Multiple vulnerabilities
Bftpd project reports: Bftpd is vulnerable to out of bounds memory access, file descriptor leak and a potential buffer overflow...
cacti -- XSS exposure
Cacti developer reports: Lack of escaping of color items can lead to XSS exposure...
webkit2-gtk3 -- Denial of service
The WebKitGTK project reports the following vulnerability. Processing maliciously crafted web content may lead to arbitrary code execution or application crash (denial of service). Description: A memory corruption issue (use-after-free) was addressed with improved memory handling...
chromium -- use after free
Google Chrome Releases reports: 1067851 Critical CVE-2020-6457: Use after free in speech recognizer. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2020-04-04...
Zabbix -- Remote code execution
Zabbix reports: Fixed security vulnerability CVE-2020-11800 remote code execution. ZBX-17600...
MySQL Client -- Multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 45 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials...
zeek -- Remote crash vulnerability
Jon Siwek of Corelight reports: This release fixes the following security issue: An attacker can crash Zeek remotely via crafted packet sequence...
Mbed TLS -- Side channel attack on ECDSA
Manuel Pégourié-Gonnard reports: An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can fully recover an ECDSA private key after observing a number of signature...
malicious URLs may present credentials to wrong server
git security advisory reports: Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper...
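The two Git entries on this page (this one and "malicious URLs can cause git to send a stored credential to wrong server" above) both come down to the credential-helper protocol being line-oriented: Git writes `key=value` lines to the helper's stdin, so a URL component that decodes to a newline can inject a second `host=` line. The following is an added example, not Git's code. It deliberately simplifies URL handling (everything between `://` and the first `/` is taken as the host and then percent-decoded) to reproduce the confusion, shows how a helper would read the resulting request, and then adds the two checks the advisories imply: no control characters in any component, and no empty host. The hostnames are constructed.

```python
from urllib.parse import unquote

# Added example; not Git's code. It models only the part of the credential flow the
# advisories describe: Git turns the remote URL into "key=value" lines for the helper,
# and the helper reads those lines back. Assumption: everything between "://" and the
# first "/" is treated as the host and then percent-decoded (a deliberate simplification).


class BadUrl(ValueError):
    pass


def split_url(url: str):
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise BadUrl("no scheme")
    host, _, path = rest.partition("/")
    return scheme, unquote(host), "/" + path


def serialize_request(protocol: str, host: str) -> str:
    """The line-oriented request handed to a credential helper on stdin."""
    return f"protocol={protocol}\nhost={host}\n\n"


def parse_request(blob: str) -> dict:
    """What a helper does with its stdin: one key=value per line, a blank line ends
    the request, and a repeated key simply overwrites the earlier value."""
    fields = {}
    for line in blob.split("\n"):
        if line == "":
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def vulnerable_request(url: str) -> str:
    """Decoded host goes straight into the protocol; an encoded newline in the URL
    becomes a real line break and smuggles in a second "host=" line."""
    scheme, host, _ = split_url(url)
    return serialize_request(scheme, host)


def hardened_request(url: str) -> str:
    """Refuse any component containing a control character (so no line can be
    injected) and any URL without a host, before talking to the helper."""
    scheme, host, path = split_url(url)
    for component in (scheme, host, path):
        if any(ord(ch) < 0x20 or ch == "\x7f" for ch in component):
            raise BadUrl("control character in URL component")
    if not host:
        raise BadUrl("URL has no host")
    return serialize_request(scheme, host)


def host_seen_by_helper(make_request, url: str):
    """Which host the helper would look up credentials for, or None if refused."""
    try:
        return parse_request(make_request(url)).get("host")
    except BadUrl:
        return None
```

The essential point is that the URL is trusted input to a text protocol with no escaping, so validation has to happen on the decoded value of every component, not on the raw URL string where the newline is still `%0a`.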
Gitlab -- Multiple Vulnerabilities
Gitlab reports: NuGet Package and File Disclosure through GitLab Workhorse Job Artifact Uploads and File Disclosure through GitLab Workhorse Incorrect membership following group removal Logging of Praefect tokens Update Rack dependency Update OpenSSL dependency...
MySQL Server -- Multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 45 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. MariaDB reports 4 of these vulnerabilities exist i...
openvpn -- illegal client float can break VPN session for other users
Lev Stipakov and Gert Doering report: There is a time frame between allocating peer-id and initializing data channel key which is performed on receiving push request or on async push-reply in which the existing peer-id float checks do not work right. If a "rogue" data channel packet arrives durin...
FreeRDP -- multiple vulnerabilities
The FreeRDP changelog reports 14 CVEs addressed after 2.0.0-rc4...
dbus file descriptor leak
GitHub Security Lab reports: D-Bus has a file descriptor leak, which can lead to denial of service when the dbus-daemon runs out of file descriptors. An unprivileged local attacker can use this to attack the system dbus-daemon, leading to denial of service for all users of the machine...
ceph14 -- multiple security issues
RedHat reports: ceph: secure mode of msgr2 breaks both confidentiality and integrity aspects for long-lived sessions. ceph: header-splitting in RGW GetObject has a possible XSS...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: This update includes 32 security fixes, including: 1019161 High CVE-2020-6454: Use after free in extensions. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2019-10-29 1043446 High CVE-2020-6423: Use after free in audio. Reported by Anonymous on...
Wagtail -- XSS vulnerability
Wagtail release notes: CVE-2020-11001: Possible XSS attack via page revision comparison view This release addresses a cross-site scripting XSS vulnerability on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail adm...
mediawiki -- multiple vulnerabilities
MediaWiki reports: T285159, CVE-2023-PENDING SECURITY: X-Forwarded-For header allows brute-forcing autoblocked IP addresses. T326946, CVE-2020-36649 SECURITY: Bundled PapaParse copy in VisualEditor has known ReDoS. T330086, CVE-2023-PENDING SECURITY: OATHAuth allows replay attacks when MediaWiki...
Dovecot -- Multiple vulnerabilities
Aki Tuomi reports: Vulnerability Details: Sending malformed NOOP command causes crash in submission, submission-login or lmtp service. Risk: Remote attacker can keep submission-login service down, causing denial of service attack. For lmtp the risk is negligible, as lmtp is usually behind a trusted...
HAproxy -- serious vulnerability affecting the HPACK decoder used for HTTP/2
The HAproxy Project reports: The main driver for this release is that it contains a fix for a serious vulnerability that was responsibly reported last week by Felix Wilhelm from Google Project Zero, affecting the HPACK decoder used for HTTP/2. CVE-2020-11100 was assigned to this issue...
vlc -- Multiple vulnerabilities fixed in VLC media player
VideoLAN reports: Details A remote user could: Create a specifically crafted image file that could trigger an out of bounds read Send a specifically crafted request to the microdns service discovery, potentially triggering various memory management issues Impact If successful, a malicious third...
Apache -- Multiple vulnerabilities
Apache Team reports: SECURITY: CVE-2020-1934 mod_proxy_ftp: Use of uninitialized value with malicious backend FTP server. SECURITY: CVE-2020-1927 rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break characters. The fix for...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: This update contains 8 security fixes. 1062247 High CVE-2020-6450: Use after free in WebAudio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-17 1061018 High CVE-2020-6451: Use after free in WebAudio. Reported by Man Yue Mo of Semmle Security...
GnuTLS -- flaw in DTLS protocol implementation
The GnuTLS project reports: It was found that GnuTLS 3.6.3 introduced a regression in the DTLS protocol implementation. This caused the DTLS client to not contribute any randomness to the DTLS negotiation breaking the security guarantees of the DTLS protocol...
glpi -- Improve encryption algorithm
MITRE Corporation reports: In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure...
glpi -- Remote Code Execution (RCE) via the backup functionality
MITRE Corporation reports: In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only...
glpi -- multiple related stored XSS vulnerabilities
MITRE Corporation reports: In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "alert1" reproduces the attack. This can be exploited by a user with...
glpi -- bypass of the open redirect protection
MITRE Corporation reports: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in version 9.4.6...
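The page does not say which regular expression GLPI used, so the following is an added example with a hypothetical check, not GLPI's code: a redirect-target validator that accepts anything beginning with a slash, beside a hardened version that parses the target and rejects every form a browser would read as carrying its own authority (scheme-relative `//host`, the `/\host` variant browsers normalise to `//host`, explicit schemes, and control characters). The probe URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Hypothetical redirect-target check written for this example; the regular expression
# GLPI actually used is not given on this page, so this one only stands in for the
# pattern "a regexp decides whether the target is local".
LOCAL_PATH_RE = re.compile(r"^/")


def vulnerable_is_local(target: str) -> bool:
    """'Starts with a slash, so it must be a path on this site.' Browsers disagree:
    //host is scheme-relative, and /\\host is normalised to //host."""
    return bool(LOCAL_PATH_RE.match(target))


def hardened_is_local(target: str) -> bool:
    """Parse instead of pattern-match, and reject anything a browser could read as
    carrying its own authority or that could split the Location header."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    if not target.startswith("/"):
        return False
    # urlsplit reports an empty netloc for "///host", so check the raw prefix too.
    if target.startswith("//") or target.startswith("/\\"):
        return False
    return True


# Constructed probes: the first two are genuine local paths, the rest are bypass attempts.
PROBES = [
    "/front/central.php",
    "/front/ticket.php?id=42",
    "//evil.example.com/login",
    "///evil.example.com/login",
    "/\\evil.example.com/login",
    "https://evil.example.com/",
    "javascript:alert(1)",
    "/front/central.php\r\nLocation: https://evil.example.com/",
]


def accepted(checker) -> list:
    """Every probe a given checker would redirect to."""
    return [p for p in PROBES if checker(p)]
```

Where an application legitimately needs to redirect off-site, the right extension is an allowlist of hosts compared against `parts.netloc` after parsing, never a looser regular expression.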