spamassassin -- Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands with warnings
The Apache SpamAssassin project reports: nefarious rule configuration .cf files can be configured to run system commands similar to CVE-2018-11805. This issue is less stealthy and attempts to exploit the issue will throw warnings...
sudo -- Potential bypass of Runas user restrictions
Todd C. Miller reports: Sudo's pwfeedback option can be used to provide visual feedback when the user is inputting their password. For each key press, an asterisk is printed. This option was added in response to user confusion over how the standard Password: prompt disables the echoing of key...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Path Traversal to Arbitrary File Read User Permissions Not Validated in ProjectExportWorker XSS Vulnerability in File API Package and File Disclosure through GitLab Workhorse XSS Vulnerability in Create Groups Issue and Merge Request Activity Counts Exposed Email Confirmation Bypa...
tauthon -- Regular Expression Denial of Service
The urllib.request.AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description High SECURITY-1682 / CVE-2020-2099 Inbound TCP Agent Protocol/3 authentication bypass Medium SECURITY-1641 / CVE-2020-2100 Jenkins vulnerable to UDP amplification reflection attack Medium SECURITY-1659 / CVE-2020-2101 Non-constant time comparison of inbound...
spamassassin -- Nefarious rule configuration files can run system commands
The Apache SpamAssassin project reports: Nefarious rule configuration .cf files can be configured to run system commands. This issue is less stealthy and attempts to exploit the issue will throw warnings. Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug...
OpenSMTPd -- critical LPE / RCE vulnerability
OpenSMTPD developers report: An incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user...
FreeBSD -- kernel stack data disclosure
Problem Description: Due to incorrect initialization of a stack data structure, up to 20 bytes of kernel data previously stored on the stack will be exposed to a crashing user process. Impact: Sensitive kernel data may be disclosed...
MariaDB -- Vulnerability in C API
MariaDB reports: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client...
FreeBSD -- Missing IPsec anti-replay window check
Problem Description: A missing check means that an attacker can reinject an old packet and it will be accepted and processed by the IPsec endpoint. Impact: The impact depends on the higher-level protocols in use over IPsec. For example, an attacker who can capture and inject packets could cause a...
FreeBSD -- libfetch buffer overflow
Problem Description: A programming error allows an attacker who can specify a URL with a username and/or password components to overflow libfetch(3) buffers. Impact: An attacker in control of the URL to be fetched possibly via HTTP redirect may cause a heap buffer overflow, resulting in program...
pkg -- vulnerability in libfetch
A programming error allows an attacker who can specify a URL with a username and/or password components to overflow libfetch(3) buffers...
Client/server denial of service when handling AES-CTR ciphers
The libssh team reports (originally reported by Yasheng Yang from Google): A malicious client or server could crash the counterpart implemented with libssh if AES-CTR ciphers are used and don't get fully initialized. It will crash when it tries to cleanup the AES-CTR ciphers when closing the connectio...
webkit-gtk3 -- Multiple vulnerabilities
The WebKitGTK project reports multiple vulnerabilities...
libxml -- multiple vulnerabilities
CVE mitre reports: CVE-2019-20388 xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak. CVE-2020-7595 xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. CVE-2020-24977 GNOME project libxml2...
FreeBSD -- Insufficient cryptodev MAC key length check
Problem Description: Requests to create cryptography sessions using a MAC did not validate the user-supplied MAC key length. The cryptodev module allocates a buffer whose size is this user-supplied length. Impact: An unprivileged process can trigger a kernel panic...
FreeBSD -- Use after free in cryptodev module
Problem Description: A race condition permitted a data structure in the kernel to be used after it was freed by the cryptodev module. Impact: An unprivileged process can overwrite arbitrary kernel memory...
x11/cde -- Local privilege escalation via CDE dtsession
Marco Ivaldi (marco.ivaldi@mediaservice.net) reports: A buffer overflow in the CheckMonitor function in the Common Desktop Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 Update 11 and earlier, allows local users to gain root privileges via a long palet...
salt -- salt-api vulnerability
SaltStack reports: With the Salt NetAPI enabled in addition to having a SSH roster defined, unauthenticated access is possible when specifying the client as SSH. Additionally, when the rawshell option is specified any arbitrary command may be run on the Salt master when specifying SSH options...
dovecot -- multiple vulnerabilities
Aki Tuomi reports: lib-smtp doesn't handle truncated command parameters properly, resulting in infinite loop taking 100% CPU for the process. This happens for LMTP where it doesn't matter so much and also for submission-login where unauthenticated users can trigger it. Aki also reports: Snippet...
samba -- multiple vulnerabilities
The Samba Team reports: CVE-2019-14902 The implementation of ACL inheritance in the Samba AD DC was not complete, and so absent a 'full-sync' replication, ACLs could get out of sync between domain controllers. CVE-2019-14907 When processing untrusted string input Samba can read past the end of th...
MySQL -- Multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 17 new security fixes for Oracle MySQL. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials...
drm graphics drivers -- potential information disclosure via local access
Intel reports: A potential security vulnerability in Intel(R) Processor Graphics may allow information disclosure. Intel is releasing software updates to mitigate this potential vulnerability. Description: Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R)...
Payara -- path traversal flaw via either loc/con parameters in Eclipse Mojarra
Payara Releases reports: The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases: CVE-2020-6950 Eclipse Mojarra vulnerable to path traversal flaw via either loc/con parameters...
Gitlab -- Private objects exposed through project import
Gitlab reports: Private objects exposed through project import...
MongoDB -- Ensure RoleGraph can serialize authentication restrictions to BSON
MongoDB reports: Improper serialization of MongoDB Server's internal authorization state permits a user with valid credentials to bypass IP source address protection mechanisms following administrative action. Credit: Discovered by Tony Yesudas...
phpMyAdmin -- SQL injection
The phpMyAdmin development team reports: A SQL injection flaw has been discovered in the user accounts page...
glpi -- Public GLPIKEY can be used to decrypt any data
MITRE Corporation reports: GLPI before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on...
Gitlab -- Multiple Vulnerabilities
The GitLab Team reports: Group Maintainers Can Update/Delete Group Runners Using API GraphQL Queries Can Hang the Application Unauthorized Users Have Access to Milestones of Releases Private Group Name Revealed Through Protected Tags API Users Can Publish Reviews on Locked Merge Requests DoS in t...
samba -- Unauthenticated domain takeover via netlogon
The Samba Team reports: An unauthenticated attacker on the network can gain administrator access by exploiting a netlogon protocol flaw...
Solr -- multiple vulnerabilities
Community reports: 8.1.1 and 8.2.0 users check ENABLE_REMOTE_JMX_OPTS setting Apache Solr RCE vulnerability due to bad config default Apache Solr RCE through VelocityResponseWriter...
mybb -- multiple vulnerabilities
mybb Team reports: High risk: Installer RCE on settings file write Medium risk: Arbitrary upload paths and Local File Inclusion RCE Medium risk: XSS via insufficient HTML sanitization of Blog feed and Extend data Low risk: Open redirect on login Low risk: SCEditor reflected XSS...
cyrus-sasl -- Fix off by one error
Cyrus SASL 2.1.x Release Notes New in 2.1.28 reports: Fix off by one error...
Pillow -- Multiple vulnerabilities
Pillow developers report: This release addresses several security problems, as well as addressing CVE-2019-19911. CVE-2019-19911 is regarding FPX images. If an image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fix...
drupal -- Drupal Core - Multiple Vulnerabilities
Drupal Security Team reports: A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt. Drupal 8 core's file_save_upload function does not strip the leading and trailing dot '.' from filenames, like Drupal 7 did. Users with th...
NPM -- Multiple vulnerabilities
NPM reports: Global node_modules Binary Overwrite Symlink reference outside of node_modules Arbitrary File Write...
e2fsprogs -- rehash.c/pass 3a mutate_name() code execution vulnerability
Lilith of Cisco Talos reports: A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger...
py-matrix-synapse -- multiple vulnerabilities
Matrix developers report: The synapse 1.7.1 release includes several security fixes as well as a fix to a bug exposed by the security fixes. All previous releases of Synapse are affected. Administrators are encouraged to upgrade as soon as possible. Fix a bug which could cause room events to be...
typo3 -- multiple vulnerabilities
Typo3 core team reports: It has been discovered that the output of field validation errors in the Form Framework is vulnerable to cross-site scripting. It has been discovered that t3:// URL handling and typolink functionality are vulnerable to cross-site scripting. Not only regular backend forms...
Template::Toolkit -- Directory traversal on write
Art Manion and Will Dormann report: By using an older and less-secure form of open, it is possible for untrusted template files to cause reads/writes outside of the template directories. This vulnerability is a component of the recent Citrix exploit...
wordpress -- multiple issues
WordPress developers report: Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so you'll want to upgrade. If you haven't yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues. Props to Daniel Bachhuber for findi...
spamassassin -- multiple vulnerabilities
The Apache SpamAssassin project reports: An input validation error of user-supplied input parsing multipart emails. Specially crafted emails can consume all resources on the system. A local user is able to execute arbitrary shell commands through specially crafted nefarious CF files...
NGINX -- HTTP request smuggling
NGINX Team reports: NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer...
samba -- multiple vulnerabilities
The Samba Team reports: CVE-2019-14861: An authenticated user can crash the DCE/RPC DNS management server by creating records matching the zone name. CVE-2019-14870: The DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Path traversal with potential remote code execution Disclosure of private code via Elasticsearch integration Update Git dependency...
dovecot -- null pointer deref in notify with empty headers
Aki Tuomi reports: Mail with a group address as sender will cause a signal 11 crash in push notification drivers. A group address as recipient can cause a crash in some drivers...
grub2-bhyve -- multiple privilege escalations
Reno Robert reports: FreeBSD uses a two-process model for running a VM. For booting non-FreeBSD guests, a modified grub-emu is used: grub-bhyve. Grub-bhyve executes commands from the guest's grub.cfg file. This is a security problem because grub was never written to handle input from the OS as untrusted. In...
rack -- information leak / session hijack vulnerability
National Vulnerability Database: There's a possible information leak / session hijack vulnerability in Rack RubyGem rack. This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are...
OpenSSL -- Overflow vulnerability
The OpenSSL project reports: rsaz_512_sqr overflow bug on x86_64 CVE-2019-1551 Low There is an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, a...
py-matrix-synapse -- incomplete cleanup of 3rd-party-IDs on user deactivation
Matrix developers report: Clean up local threepids from user on account deactivation...