Gitlab -- Multiple Vulnerabilities
Gitlab reports: Unauthorized access to grafana metrics Update Mattermost dependency...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Path traversal with potential remote code execution Private objects exposed through project import Disclosure of notes via Elasticsearch integration Disclosure of comments via Elasticsearch integration DNS Rebind SSRF in various chat notifications Disclosure of vulnerability statu...
Django -- multiple vulnerabilities
Django release reports: CVE-2019-19118: Privilege escalation in the Django admin. Since Django 2.1, a Django model admin displaying a parent model with related model inlines, where the user has view-only permissions to a parent model but edit permissions to the inline model, would display a...
gitea -- multiple vulnerabilities
The Gitea Team reports: Hide credentials when submitting migration Never allow an empty password to validate Prevent redirect to Host Hide public repos owned by private orgs...
phpmyadmin -- multiple vulnerabilities
the phpmyadmin team reports: This security fix is part of an ongoing effort to improve the security of the Designer feature and is designated PMASA-2019-5. There is also an improvement for how we sanitize git version information shown on the home page...
unbound -- parsing vulnerability
Unbound Security Advisories: Recent versions of Unbound contain a vulnerability that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with --enable-ipsecmod support, and ipsecmod is enabled and used in the...
gitea -- multiple vulnerabilities
The Gitea Team reports for release 1.11.0: Never allow an empty password to validate 9682 9683 Prevent redirect to Host 9678 9679 Swagger hide search field 9554 Add "search" to reserved usernames 9063 Switch to fomantic-ui 9374 Only serve attachments when linked to issue/release and if accessible...
Python -- Regular Expression DoS attack against client
Ben Caller and Matt Schwager report: Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service ReDoS attacks against a client because of urllib.request.AbstractBasicAuthHandler...
gitea -- multiple vulnerabilities
The Gitea Team reports: This release contains five security fixes, so we recommend updating: Fix issue with user.fullname Ignore mentions for users with no access Be more strict with git arguments Extract the username and password from the mirror url Reserve .well-known username...
FreeBSD -- Intel CPU Microcode Update
Starting with version 1.26, the devcpu-data port/package includes updates and mitigations for the following technical and security advisories depending on CPU model. Intel TSX Updates TAA CVE-2019-11135 Voltage Modulation Vulnerability CVE-2019-11139 MDCLEAR Operations CVE-2018-12126 CVE-2018-121...
libssh -- Unsanitized location in scp could lead to unwanted command execution
The libssh team reports: In an environment where a user is only allowed to copy files and not to execute applications, it would be possible to pass a location which contains commands to be executed in addition. When the libssh SCP client connects to a server, the scp command, which includes a...
FreeBSD -- Machine Check Exception on Page Size Change
Intel discovered a previously published erratum on some Intel platforms can be exploited by malicious software to potentially cause a denial of service by triggering a machine check that will crash or hang the system. Malicious guest operating systems may be able to crash the host...
libidn2 -- roundtrip check vulnerability
CVE list: GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except fo...
py-psutil -- double free vulnerability
ret2libc reports: psutil aka python-psutil through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object...
drm graphics drivers -- Local privilege escalation and denial of service
Intel reports: As part of IPU 2019.2, INTEL-SA-00242 advises that insufficient access control may allow an authenticated user to potentially enable escalation of privilege via local access. INTEL-SA-00260 advises that insufficient access control may allow an authenticated user to potentially enab...
tnef -- An attacker may be able to write to the victim's .ssh/authorized_keys file via an e-mail message
[email protected] reports: In tnef before 1.4.18, an attacker may be able to write to the victim's .ssh/authorized_keys file via an e-mail message with a crafted winmail.dat application/ms-tnef attachment, because of a heap-based buffer over-read involving strdup...
webkit2-gtk3 -- Multiple vulnerabilities
The WebKitGTK project reports multiple vulnerabilities...
asterisk -- Re-invite with T.38 and malformed SDP causes crash
The Asterisk project reports: If Asterisk receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP, a crash will occur...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: Four security issues were fixed, including: 1021723 Various fixes from internal audits, fuzzing and other initiatives...
GNU cpio -- multiple vulnerabilities
Sergey Poznyakoff reports: This stable release fixes several potential vulnerabilities CVE-2015-1197: cpio, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive. CVE-2016-2037: The cpio_safer_name_suffix function i...
squid -- Vulnerable to HTTP Digest Authentication
Squid Team reports: Problem Description: Due to incorrect data management Squid is vulnerable to an information disclosure when processing HTTP Digest Authentication. Severity: Nonce tokens contain the raw byte value of a pointer which sits within heap memory allocation. This information reduces...
Gitlab -- Disclosure Vulnerabilities
Gitlab reports: Source branch of a MR could be removed by an unauthorised user Private group members could be listed Disclosure of System Notes via Elasticsearch integration Disclosure of Private Comments via Elasticsearch integration Confirm existence of private repositories Private group...
RabbitMQ-C -- integer overflow leads to heap corruption
alanxz reports: When parsing a frame header, validate that the frame_size is less than or equal to INT32_MAX. Given frame_max is limited between 0 and INT32_MAX in amqp_login and friends, this does not change the API. This prevents a potential buffer overflow when a malicious client sends a frame_size...
py-matrix-synapse -- missing signature checks on some federation APIs
Matrix developers report: Make sure that ... events sent over /send_join, /send_leave, and /invite, are correctly signed and come from the expected servers...
webkit2-gtk3 -- Multiple vulnerabilities
The WebKitGTK project reports multiple vulnerabilities...
Mbed TLS -- Side channel attack on ECDSA
Janos Follath reports: Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it as it is smaller than RSA keys and not guaranteed to have only large prime factors, and then, by brute force, recover the key...
php -- env_path_info underflow in fpm_main.c can lead to RCE
The PHP project reports: The PHP development team announces the immediate availability of PHP 7.3.11. This is a security release which also contains several bug fixes. The PHP development team announces the immediate availability of PHP 7.2.24. This is a security release which also contains sever...
Python -- multiple vulnerabilities
Python reports: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager...
Python -- CRLF injection via the host part of the url passed to urlopen()
Python reports: An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the host component...
Loofah -- XSS vulnerability
GitHub issue: This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported by https://hackerone.com/vxhex In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished...
varnish -- Information Disclosure Vulnerability
Varnish Software reports: A bug has been discovered in Varnish Cache where we fail to clear a pointer between the handling of one client requests and the next on the same connection. This can under specific circumstances lead to information being leaked from the connection workspace...
asterisk -- SIP request can change address of a SIP peer
The Asterisk project reports: A SIP request can be sent to Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer's name; authentication details such as passwords do not need to be...
MySQL -- Multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 31 new security fixes for Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials...
sudo -- Potential bypass of Runas user restrictions
Todd C. Miller reports: When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run...
wordpress -- multiple issues
wordpress developers report: Props to Evan Ricafort for finding an issue where stored XSS cross-site scripting could be added via the Customizer. Props to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts. Props to Weston Ruter for finding a way to create a stored XSS ...
cacti -- multiple vulnerabilities
The cacti developers report: When viewing graphs, some input variables are not properly checked, making SQL injection possible. Multiple instances of lib/functions.php are affected by unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence...
asterisk -- AMI user could execute system commands
The Asterisk project reports: A remote authenticated Asterisk Manager Interface AMI user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands...
libntlm -- buffer overflow vulnerability
NVD reports: Libntlm through 1.5 relies on a fixed buffer size for tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse read and write operations, as demonstrated by a stack-based buffer over-read in buildSmbNtlmAuthRequest in smbutil.c for a crafted NTLM request...
security/py-ecdsa -- multiple issues
py-ecdsa developers report: Fix CVE-2019-14853 - possible DoS caused by malformed signature decoding. Fix CVE-2019-14859 - signature malleability caused by insufficient checks of DER encoding...
unbound -- parsing vulnerability
Unbound Security Advisories: Due to an error in parsing NOTIFY queries, it is possible for Unbound to continue processing malformed queries and may ultimately result in a pointer dereference in uninitialized memory. This results in a crash of the Unbound daemon...
Gitlab -- Disclosure Vulnerabilities
Gitlab reports: Disclosure of Private Code, Merge Requests and Commits via Elasticsearch integration...
ksh93 -- certain environment variables interpreted as arithmetic expressions on startup, leading to code injection
Upstream ksh93 maintainer Siteshwar Vashisht reports: A flaw was found in the way ksh evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated...
Xpdf -- Multiple Vulnerabilities
Xpdf 4.02 fixes two vulnerabilities. Both fixes have been backported to 3.04. An invalid memory access vulnerability in TextPage::findGaps in Xpdf 4.01 through a crafted PDF document can cause a segfault. An out of bounds write exists in TextPage::findGaps of Xpdf 4.01.01...
ruby -- multiple vulnerabilities
Ruby news: This release includes security fixes. Please check the topics below for details. CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch? A NUL injection vulnerability of Ruby built-in methods File.fnmatch and File.fnmatch? was found. An attacker who has the...
Gitlab -- Multiple Vulnerabilities
The GitLab Team reports: XSS in Markdown Preview Using Mermaid Bypass Email Verification using Salesforce Authentication Account Takeover using SAML Uncontrolled Resource Consumption in Markdown using Mermaid Disclosure of Private Project Path and Labels Disclosure of Assignees via Milestones...
samba -- multiple vulnerabilities
The samba project reports: Malicious servers can cause Samba client code to return filenames containing path separators to calling code. When the password contains multi-byte non-ASCII characters, the check password script does not receive the full password string. Users with the "get changes"...
Exim -- heap-based buffer overflow in string_vformat leading to RCE
Exim developers team report: There is a heap overflow in string_vformat. Using an EHLO message, remote code execution seems to be possible...
gitea -- information disclosure
The Gitea Team reports: When a comment in an issue or PR mentions a user using @username, the mentioned user receives a mail notification even if they don't have permission to see the originating repository...
go -- invalid headers are normalized, allowing request smuggling
The Go project reports: net/http through net/textproto used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind a reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse pro...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description Medium SECURITY-1498 / CVE-2019-10401 Stored XSS vulnerability in expandable textbox form control Medium SECURITY-1525 / CVE-2019-10402 XSS vulnerability in combobox form control Medium SECURITY-1537 / CVE-2019-10403 Stored XSS vulnerability in SCM tag...