PostgreSQL -- TYPE in pg_temp execute arbitrary SQL during `SECURITY DEFINER` execution
The PostgreSQL project reports: Versions Affected: 9.4 - 11 Given a suitable SECURITY DEFINER function, an attacker can execute arbitrary SQL under the identity of the function owner. An attack requires EXECUTE permission on the function, which must itself contain a function call having inexact...
KDE Frameworks -- malicious .desktop files execute code
The KDE Community has released a security announcement: The syntax Key[$e]=$(shell command) in .desktop files, .directory files, and configuration files typically found in ~/.config was an intentional feature of KConfig, to allow flexible configuration. This could however be abused by malicious people...
asterisk -- Remote Crash Vulnerability in audio transcoding
The Asterisk project reports: When audio frames are given to the audio transcoding support in Asterisk the number of samples are examined and as part of this a message is output to indicate that no samples are present. A change was done to suppress this message for a particular scenario in which...
FreeBSD -- Insufficient validation of guest-supplied data (e1000 device)
Problem Description: The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload "TSO". The e1000 device model uses an...
FreeBSD -- ICMPv6 / MLDv2 out-of-bounds memory access
Problem Description: The ICMPv6 input path incorrectly handles cases where an MLDv2 listener query packet is internally fragmented across multiple mbufs. Impact: A remote attacker may be able to cause an out-of-bounds read or write that may cause the kernel to attempt to access an unmapped page a...
mongodb -- Attach IDs to users
Mitch Wasson of Cisco's Advanced Malware Protection Group reports: After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones...
mongodb -- Our init scripts check /proc/[pid]/stat should validate that `(${procname})` is the process' command name.
Sicheng Liu of Beijing DBSEC Technology Co., Ltd reports: Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allows users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init...
mongodb -- Bump Windows package dependencies
Rich Mirch reports: An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server versions less than 4.0.11, 3.6.14, and 3.4.22 to run attacker defined code as the user running the utili...
FreeBSD -- Insufficient message length validation in bsnmp library
Problem Description: A function extracting the length from type-length-value encoding is not properly validating the submitted length. Impact: A remote user could cause, for example, an out-of-bounds read, decoding of unrelated data, or trigger a crash of the software such as bsnmpd resulting in ...
FreeBSD -- Multiple vulnerabilities in bzip2
Problem Description: The decompressor used in bzip2 contains a bug which can lead to an out-of-bounds write when processing a specially crafted bzip2(1) file. bzip2recover contains a heap use-after-free bug which can be triggered when processing a specially crafted bzip2(1) file. Impact: An attacker...
asterisk -- Crash when negotiating for T.38 with a declined stream
The Asterisk project reports: When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint responds with a declined media stream a crash will then occur in Asterisk...
glpi -- Account takeover vulnerability
MITRE Corporation reports: GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an...
doas -- Prevent passing of environment variables
Jesse Smith, upstream author of the doas program, reported: Previous versions of "doas" transferred most environment variables, such as USER, HOME, and PATH from the original user to the target user. Passing these variables could cause files in the wrong path or home directory to be read or written...
Django -- multiple vulnerabilities
Django release notes: CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator. If django.utils.text.Truncator's chars and words methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a...
gitea -- multiple vulnerabilities
The Gitea Team reports: This release contains two security fixes, so we highly recommend updating...
gitea -- multiple vulnerabilities
The Gitea Team reports: This version of Gitea contains security fixes that could not be backported to 1.8. For this reason, we strongly recommend updating...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: GitHub Integration SSRF Trigger Token Impersonation Build Status Disclosure SSRF Mitigation Bypass Information Disclosure New Issue ID IDOR Label Name Enumeration Persistent XSS Wiki Pages User Revokation Bypass with Mattermost Integration Arbitrary File Upload via Import Project...
nsd -- Stack-based Buffer Overflow
Frederic Cambus reports: nsd-checkzone in NLnet Labs NSD 4.2.0 has a Stack-based Buffer Overflow in the dname_concatenate function in dname.c...
py-matrix-synapse -- multiple vulnerabilities
Matrix developers report: The matrix team releases Synapse 1.2.1 as a critical security update. It contains patches relating to redactions and event federation: Prevent an attack where a federated server could send redactions for arbitrary events in v1 and v2 rooms. Prevent a denial-of-service...
mcpp -- Heap-based buffer overflow
[email protected] reports: MCPP 2.7.2 has a heap-based buffer overflow in the do_msg function in support.c...
FreeBSD -- Bhyve out-of-bounds read in XHCI device
Problem Description: The pci_xhci_device_doorbell function does not validate the 'epid' and 'streamid' provided by the guest, leading to an out-of-bounds read. Impact: A misbehaving bhyve guest could crash the system or access memory that it should not be able to...
FreeBSD -- pts(4) write-after-free
Problem Description: The code which handles a close(2) of a descriptor created by posix_openpt(2) fails to undo the configuration which causes SIGIO to be raised. This bug can lead to a write-after-free of kernel memory. Impact: The bug permits malicious code to trigger a write-after-free, which may b...
FreeBSD -- telnet(1) client multiple vulnerabilities
Problem Description: Insufficient validation of environment variables in the telnet client supplied in FreeBSD can lead to stack-based buffer overflows. A stack-based overflow is present in the handling of environment variables when connecting via the telnet client to remote telnet servers. This...
FreeBSD -- Reference count overflow in mqueue filesystem
Problem Description: System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file. Impact: A local user can use this flaw to obtain access...
FreeBSD -- File description reference count leak
Problem Description: If a process attempts to transmit rights over a UNIX-domain socket and an error causes the attempt to fail, references acquired on the rights are not released and are leaked. This bug can be used to cause the reference counter to wrap around and free the corresponding file...
FreeBSD -- Kernel memory disclosure in freebsd32_ioctl
Problem Description: Due to insufficient initialization of memory copied to userland in the components listed above small amounts of kernel memory may be disclosed to userland processes. Impact: A user who can invoke 32-bit FreeBSD ioctls may be able to read the contents of small portions of kern...
xymon-server -- multiple vulnerabilities
Japheth Cleaver reports: Several buffer overflows were reported by University of Cambridge Computer Security Incident Response Team...
pango -- buffer overflow
Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when...
Exim -- RCE in ${sort} expansion
Exim team report: A local or remote attacker can execute programs with root privileges - if you've an unusual configuration. If your configuration uses the ${sort} expansion for items that can be controlled by an attacker, e.g. $local_part, $domain. The default config, as shipped by the Exim...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description Medium SECURITY-1424 / CVE-2019-10352 Arbitrary file write vulnerability using file parameter definitions High SECURITY-626 / CVE-2019-10353 CSRF protection tokens did not expire Medium SECURITY-534 / CVE-2019-10354 Unauthorized view fragment access...
drupal -- Drupal core - Access bypass
Drupal Security Team reports: In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4...
MySQL -- Multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 45 new security fixes for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials...
vlc -- multiple vulnerabilities
The VLC project reports: Security: Fix a buffer overflow in the MKV demuxer CVE-2019-14970 Fix a read buffer overflow in the avcodec decoder CVE-2019-13962 Fix a read buffer overflow in the FAAD decoder Fix a read buffer overflow in the OGG demuxer CVE-2019-14437, CVE-2019-14438 Fix a read buffer...
PuTTY 0.72 -- buffer overflow in SSH-1 and integer overflow in SSH client
Simon Tatham reports: Vulnerabilities fixed in this release include: A malicious SSH-1 server could trigger a buffer overrun by sending extremely short RSA keys, or certain bad packet length fields. Either of these could happen before host key verification, so even if you trust the server you...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2019-9811: Sandbox escape via installation of malicious language pack CVE-2019-11711: Script injection within domain through inner window reuse CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects CVE-2019-11713:...
oniguruma -- multiple vulnerabilities
A use-after-free in onig_new_deluxe in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte...
GnuPG -- denial of service
From the GnuPG 2.2.17 changelog: gpg: Ignore all key-signatures received from keyservers. This change is required to mitigate a DoS due to keys flooded with faked key-signatures...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Ability to Write a Note to a Private Snippet Recent Pipeline Information Disclosed to Unauthorised Users Resource Exhaustion Attack Error Caused by Encoded Characters in Comments Authorization Issues in GraphQL Number of Merge Requests was Accessible Enabling One of the Service...
FreeBSD -- Kernel stack disclosure in UFS/FFS
Problem Description: A bug causes up to three bytes of kernel stack memory to be written to disk as uninitialized directory entry padding. This data can be viewed by any user with read access to the directory. Additionally, a malicious user with write access to a directory can cause up to 254 byt...
SDL2_image -- multiple vulnerabilities
SDL_image developers report: Fixed a number of security issues: TALOS-2019-0820 TALOS-2019-0821 TALOS-2019-0841 TALOS-2019-0842 TALOS-2019-0843 TALOS-2019-0844...
FreeBSD -- Privilege escalation in cd(4) driver
Problem Description: To implement one particular ioctl, the Linux emulation code used a special interface present in the cd(4) driver which allows it to copy subchannel information directly to a kernel address. This interface was erroneously made accessible to userland, allowing users with read...
FreeBSD -- iconv buffer overflow
Problem Description: With certain inputs, iconv may write beyond the end of the output buffer. Impact: Depending on the way in which iconv is used, an attacker may be able to create a denial of service, provoke incorrect program behavior, or induce a remote code execution. iconv is a libc library...
ettercap -- out-of-bound read vulnerability
Ettercap GitHub issue: Etterfilter results in an invalid read of 8 bytes when parsing a crafted file...
Django -- Incorrect HTTP detection with reverse-proxy connecting via HTTPS
Django security releases issued: When deployed behind a reverse-proxy connecting to Django via HTTPS, django.http.HttpRequest.scheme would incorrectly detect client requests made via HTTP as using HTTPS. This entails incorrect results for is_secure(), and build_absolute_uri(), and that HTTP requests wou...
irssi -- Use after free when sending SASL login to the server
Irssi reports: Use after free when sending SASL login to the server found by ilbelkyr. CWE-416, CWE-825...
TYPO3 -- multiple vulnerabilities
TYPO3 news: Please read the corresponding Security Advisories for details...
asterisk -- Remote Crash Vulnerability in chan_sip channel driver
The Asterisk project reports: When T.38 faxing is done in Asterisk a T.38 reinvite may be sent to an endpoint to switch it to T.38. If the endpoint responds with an improperly formatted SDP answer including both a T.38 UDPTL stream and an audio or video stream containing only codecs not allowed o...
libzmq4 -- Stack overflow
Fang-Pen Lin reports: A remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running...
bzip2 -- multiple issues
bzip2 developers report: CVE-2016-3189 - Fix use-after-free in bzip2recover (Jakub Martisko). CVE-2019-12900 - Detect out-of-range nSelectors in corrupted files (Albert Astals Cid). Found through fuzzing karchive...
bro -- Null pointer dereference and Signed integer overflow
Jon Siwek of Corelight reports: This is a security patch release to address potential Denial of Service vulnerabilities: Null pointer dereference in the RPC analysis code. RPC analyzers e.g. MOUNT or NFS are not enabled in the default configuration. Signed integer overflow in BinPAC-generated...