liveMedia -- potential remote code execution
Talos reports: An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerabili...
OpenEXR -- heap buffer overflow, and out-of-memory bugs
Cary Phillips reports: OpenEXR IlmBase v2.4.0 fixes the following security vulnerabilities: CVE-2018-18444 Issue 351 Out of Memory CVE-2018-18443 Issue 350 heap-buffer-overflow The relevant patches have been backported to the FreeBSD ports...
drupal -- Drupal Core - Multiple Vulnerabilities
Drupal Security Team reports: The path module allows users with the 'administer paths' to create pretty URLs for content. In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious URL. The issue is mitigated by the fact that the user needs the...
ruby -- multiple vulnerabilities
Ruby news: CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly An instance of OpenSSL::X509::Name contains entities such as CN, C and so on. Some two instances of OpenSSL::X509::Name are equal only when all entities are exactly equal. However, there is a bug that the equali...
libssh -- authentication bypass vulnerability
gladiac reports: libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could...
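The message exchange behind this bypass, as an added illustration that is not libssh's code: a server-side packet dispatcher in which the handler for SSH2_MSG_USERAUTH_SUCCESS (a message only a server may send, RFC 4252) is reachable from the client, beside a dispatcher that rejects it. The session struct, handler names and the return codes are constructed for this example; only the message numbers come from the protocol.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Message numbers from RFC 4252 (SSH authentication protocol). */
enum {
    SSH_MSG_USERAUTH_REQUEST = 50,
    SSH_MSG_USERAUTH_FAILURE = 51,
    SSH_MSG_USERAUTH_SUCCESS = 52
};

/* Constructed minimal server-side session state for the demonstration. */
struct session {
    bool authenticated;
    bool user_valid;   /* constructed: whether the presented credential was correct */
};

/* Vulnerable dispatch: every registered handler runs no matter which side
 * is allowed to send that message. The USERAUTH_SUCCESS handler belongs to
 * the client role; on a server it must never be reachable. */
static int dispatch_vulnerable(struct session *s, uint8_t msg_type)
{
    switch (msg_type) {
    case SSH_MSG_USERAUTH_REQUEST:
        s->authenticated = s->user_valid;
        return s->authenticated ? SSH_MSG_USERAUTH_SUCCESS : SSH_MSG_USERAUTH_FAILURE;
    case SSH_MSG_USERAUTH_SUCCESS:
        /* Client-role handler wrongly reachable on the server: marks the
         * session authenticated without any credential check. */
        s->authenticated = true;
        return 0;
    default:
        return -1;
    }
}

/* Fixed dispatch: during authentication the server accepts only messages a
 * client may send; SUCCESS and FAILURE are server-to-client only. */
static int dispatch_fixed(struct session *s, uint8_t msg_type)
{
    switch (msg_type) {
    case SSH_MSG_USERAUTH_REQUEST:
        s->authenticated = s->user_valid;
        return s->authenticated ? SSH_MSG_USERAUTH_SUCCESS : SSH_MSG_USERAUTH_FAILURE;
    case SSH_MSG_USERAUTH_SUCCESS:
    case SSH_MSG_USERAUTH_FAILURE:
        s->authenticated = false;   /* a client has no business sending these */
        return -2;                  /* constructed code meaning "disconnect" */
    default:
        return -1;
    }
}

/* Replay the attack: an attacker with no valid credential skips the
 * USERAUTH_REQUEST and sends USERAUTH_SUCCESS. Returns whether the session
 * ended up authenticated under the given dispatcher. */
static bool attacker_bypass(int (*dispatch)(struct session *, uint8_t))
{
    struct session s = { .authenticated = false, .user_valid = false };
    dispatch(&s, SSH_MSG_USERAUTH_SUCCESS);
    return s.authenticated;
}

/* Normal login path, to show the fixed dispatcher still authenticates. */
static bool legit_login(int (*dispatch)(struct session *, uint8_t), bool credentials_ok)
{
    struct session s = { .authenticated = false, .user_valid = credentials_ok };
    dispatch(&s, SSH_MSG_USERAUTH_REQUEST);
    return s.authenticated;
}

int main(void)
{
    printf("vulnerable server, forged SUCCESS: authenticated=%d\n",
           attacker_bypass(dispatch_vulnerable));
    printf("fixed server, forged SUCCESS:      authenticated=%d\n",
           attacker_bypass(dispatch_fixed));
    return 0;
}
```

The general rule this encodes: a state machine that serves both protocol roles must filter incoming message types by the role it is currently playing, not only by whether a handler happens to be registered.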
MySQL -- multiple vulnerabilities
Oracle reports: Please reference CVE/URL list for details...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description Low SECURITY-867 Path traversal vulnerability in Stapler allowed accessing internal data Medium SECURITY-1074 Arbitrary file write vulnerability using file parameter definitions Medium SECURITY-1129 Reflected XSS vulnerability Medium SECURITY-1162 Ephemeral...
tinc -- Buffer overflow
tinc-vpn.org reports: The authentication protocol allows an oracle attack that could potentially be exploited. If a man-in-the-middle has intercepted the TCP connection it might be able to force plaintext UDP packets between two nodes for up to a PingInterval period...
Libgit2 -- multiple vulnerabilities
The Git community reports: Multiple vulnerabilities...
Gitlab -- multiple vulnerabilities
Gitlab reports: Merge request information disclosure Private project namespace information disclosure Gitlab Flavored Markdown API information disclosure...
clamav -- multiple vulnerabilities
Joel Esler reports: CVE-2018-15378: Vulnerability in ClamAV's MEW unpacking feature that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. Reported by Secunia Research at Flexera. Fix for a 2-byte buffer over-read bug in ClamAV's PDF...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2018-12386: Type confusion in JavaScript A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered...
Django -- password hash disclosure
Django release notes: CVE-2018-16984: Password hash disclosure to "view only" admin users If an admin user has the change permission to the user model, only part of the password hash is displayed in the change form. Admin users with the view but not change permission to the user model were...
gitea -- multiple vulnerabilities
Gitea project reports: CSRF Vulnerability on API. Enforce token on api routes...
Gitlab -- multiple vulnerabilities
Gitlab reports: SSRF GCP access token disclosure Persistent XSS on issue details Diff formatter DoS in Sidekiq jobs Confidential information disclosure in events API endpoint validate_localhost function in url_blocker.rb could be bypassed Slack integration CSRF Oauth2 GRPC::Unknown logging token...
Memory leak bug in Toxcore
The Tox project blog reports: A memory leak bug was discovered in Toxcore that can be triggered remotely to exhaust one’s system memory, resulting in a denial of service attack. The bug is present in the TCP Server module of Toxcore and therefore it affects mostly bootstrap nodes. Regular Tox...
Apache -- Denial of service vulnerability in HTTP/2
The Apache httpd project reports: low: DoS for HTTP/2 connections by continuous SETTINGS By sending continuous SETTINGS frames of maximum size an ongoing HTTP/2 connection could be kept busy and would never time out. This can be abused for a DoS on the server. This only affects a server that has...
firefox -- Crash in TransportSecurityInfo due to cached data
The Mozilla Foundation reports: A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerability allowing an attacker to write data into...
Serendipity -- multiple vulnerabilities
Serendipity reports: Security: Fix XSS for pagination, when multi-category selection is used...
smart_proxy_dynflow -- authentication bypass vulnerability
MITRE reports: An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context...
bitcoin -- Denial of Service and Possible Mining Inflation
Bitcoin Core reports: CVE-2018-17144, a fix for which was released on September 18th in Bitcoin Core versions 0.16.3 and 0.17.0rc4, includes both a Denial of Service component and a critical inflation vulnerability. It was originally reported to several developers working on Bitcoin Core, as well...
spamassassin -- multiple vulnerabilities
the Apache SpamAssassin project reports: In Apache SpamAssassin, using HTML::Parser, we set up an object and hook into the begin and end tag event handlers. In both cases, the "open" event is immediately followed by a "close" event - even if the tag does not close in the HTML being parsed. Because ...
FreeBSD -- Improper ELF header parsing
Problem Description: Insufficient validation was performed in the ELF header parser, and malformed or otherwise invalid ELF binaries were not rejected as they should be. Impact: Execution of a malicious ELF binary may result in a kernel crash or may disclose kernel memory...
Flash Player -- information disclosure
Adobe reports: This update resolves a privilege escalation vulnerability that could lead to information disclosure CVE-2018-15967...
mybb -- vulnerabilities
mybb Team reports: High risk: Email field SQL Injection. Medium risk: Video MyCode Persistent XSS in Visual Editor. Low risk: Insufficient permission check in User CP’s attachment management. Low risk: Insufficient email address verification...
curl -- password overflow vulnerability
curl security problems: CVE-2018-14618: NTLM password overflow via integer overflow The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to...
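The arithmetic at the root of this bug, as an added example that is not curl's code: the NT hash input is the password widened to UTF-16LE, so a buffer of length * 2 bytes is needed, and that product wraps around when the length exceeds SIZE_MAX / 2. The function names are constructed for the example; the vulnerable size computation is shown beside a checked one, and the checked one is used by a small widening routine.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable size computation: len * 2 wraps silently when len > SIZE_MAX / 2,
 * so the heap allocation ends up far smaller than the bytes written into it
 * afterwards (a 2 GB password on a 32-bit build already wraps). */
size_t ntlm_buf_size_vulnerable(size_t len)
{
    return len * 2;
}

/* Hardened computation: refuse any length whose doubling would overflow.
 * Returns 0 and stores the byte count, or -1 on overflow. */
int ntlm_buf_size_checked(size_t len, size_t *out)
{
    if (len > SIZE_MAX / 2)
        return -1;
    *out = len * 2;
    return 0;
}

/* Widen an ASCII password to UTF-16LE (each byte followed by 0x00) with the
 * overflow check in place. Returns a malloc'd buffer of *outlen bytes, or
 * NULL on overflow or allocation failure. The caller frees it. */
unsigned char *ntlm_widen_password(const char *pw, size_t len, size_t *outlen)
{
    size_t need;
    if (ntlm_buf_size_checked(len, &need) != 0)
        return NULL;
    unsigned char *buf = malloc(need ? need : 1);   /* avoid malloc(0) for "" */
    if (!buf)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        buf[2 * i] = (unsigned char)pw[i];
        buf[2 * i + 1] = 0;
    }
    *outlen = need;
    return buf;
}
```

The check must sit on the length before the multiplication; testing the product for "too small" afterwards does not work because a wrapped product can still look plausible.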
moodle -- multiple vulnerabilities
moodle reports: Moodle XML import of ddwtos could lead to intentional remote code execution QuickForm library remote code vulnerability upstream Boost theme - blog search GET parameter insufficiently filtered...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2018-12377: Use-after-free in refresh driver timers CVE-2018-12378: Use-after-free in IndexedDB CVE-2018-12379: Out-of-bounds write with malicious MAR file CVE-2017-16541: Proxy bypass using automount and autofs CVE-2018-12381: Dragging and dropping Outlook email...
mantis -- XSS vulnerability
Brian Carpenter reports: Reflected XSS in view_filters_page.php via core/filter_form_api.php...
mediawiki -- multiple vulnerabilities
Mediawiki reports: Security fixes: T169545: $wgRateLimits entry for 'user' overrides 'newbie'. T194605: BotPasswords can bypass CentralAuth's account lock. T187638: When a log event is partially hidden Special:Redirect/logid can link to the incorrect log and reveal hidden T193237:...
bro -- array bounds and potential DOS issues
Corelight reports: Bro 2.5.5 primarily addresses security issues: Fix array bounds checking in BinPAC: for arrays that are fields within a record, the bounds check was based on a pointer to the start of the record rather than the start of the array field, potentially resulting in a buffer...
Gitlab -- multiple vulnerabilities
Gitlab reports: Persistent XSS in Pipeline Tooltip GitLab.com GCP Endpoints Exposure Persistent XSS in Merge Request Changes View Sensitive Data Disclosure in Sidekiq Logs Missing CSRF in System Hooks Orphaned Upload Files Exposure Missing Authorization Control API Repository Storage...
lighttpd -- use-after-free vulnerabilities
Lighttpd Project reports: Security fixes for Lighttpd: security: process headers after combining folded headers...
comms/hylafax -- Malformed fax sender remote code execution in JPEG support
A malicious sender that sets both JPEG and MH,MR,MMR or JBIG in the same DCS signal or sends a large JPEG page could lead to remote code execution...
joomla3 -- vulnerabilities
JSST reports: Multiple low-priority Vulnerabilities Inadequate checks in the InputFilter class could allow specifically prepared PHAR files to pass the upload filter. Inadequate output filtering on the user profile page could lead to a stored XSS attack. Inadequate checks regarding disabled field...
mybb -- vulnerabilities
mybb Team reports: High risk: Image MyCode “alt” attribute persistent XSS. Medium risk: RSS Atom 1.0 item title persistent XSS...
phpmyadmin -- XSS in the import dialog
The phpMyAdmin development team reports: Description A Cross-Site Scripting vulnerability was found in the file import feature, where an attacker can deliver a payload to a user through importing a specially-crafted file. Severity We consider this attack to be of moderate severity...
Ghostscript -- arbitrary code execution
CERT reports: Ghostscript contains an optional -dSAFER option, which is supposed to prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments. This vulnerabili...
libX11 -- Multiple vulnerabilities
The freedesktop.org project reports: The functions XGetFontPath, XListExtensions, and XListFonts are vulnerable to an off-by-one override on malicious server responses. The server replies consist of chunks consisting of a length byte followed by actual string, which is not NUL-terminated. While...
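A bounds-checked parser for the reply format described above (one length byte, then that many bytes of string with no NUL), as an added example that is not libX11's code: it rejects a chunk whose length byte runs past the end of the reply, handles a zero-length chunk without writing before its buffer, and fails if the reply holds fewer chunks than the count claims. The function names and the sample reply bytes are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Free an array of `count` strings produced by parse_counted_strings. */
void free_strings(char **arr, size_t count)
{
    if (!arr)
        return;
    for (size_t i = 0; i < count; i++)
        free(arr[i]);
    free(arr);
}

/* Parse `count` length-prefixed strings out of a reply of `buflen` bytes.
 * Each chunk is one length byte followed by that many bytes, not NUL
 * terminated. Returns an array of `count` freshly allocated, NUL-terminated
 * C strings, or NULL if the reply is malformed. */
char **parse_counted_strings(const unsigned char *buf, size_t buflen, size_t count)
{
    char **out = calloc(count, sizeof(char *));
    if (!out)
        return NULL;

    size_t pos = 0;
    for (size_t i = 0; i < count; i++) {
        if (pos >= buflen)              /* no room left for a length byte */
            goto fail;
        size_t len = buf[pos++];
        if (len > buflen - pos)         /* chunk claims more than remains */
            goto fail;
        out[i] = malloc(len + 1);       /* +1 for the terminator we add */
        if (!out[i])
            goto fail;
        memcpy(out[i], buf + pos, len); /* len == 0 copies nothing */
        out[i][len] = '\0';             /* index len, never index -1 */
        pos += len;
    }
    return out;

fail:
    free_strings(out, count);           /* calloc'd slots are NULL-safe */
    return NULL;
}
```

The two invariants worth checking in any parser of this shape are that the length byte is compared against the bytes remaining after it, not against the whole buffer, and that the terminator is written at index `len` of a buffer allocated with `len + 1` bytes.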
grafana -- LDAP and OAuth login vulnerability
Grafana Labs reports: On the 20th of August at 1800 CEST we were contacted about a potential security issue with the “remember me” cookie Grafana sets upon login. The issue targeted users without a local Grafana password LDAP & OAuth users and enabled a potential attacker to generate a valid cook...
Containous Traefik -- exposes the configuration and secret
MITRE reports: Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable...
asterisk -- Remote crash vulnerability in HTTP websocket upgrade
The Asterisk project reports: There is a stack overflow vulnerability in the res_http_websocket.so module of Asterisk that allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket. The attacker's request causes Asterisk to run out of stack...
node.js -- multiple vulnerabilities
Node.js reports: OpenSSL: Client DoS due to large DH parameter This fixes a potential denial of service DoS attack against client connections by a malicious server. During a TLS communication handshake, where both client and server agree to use a cipher-suite using DH or DHE Diffie-Hellman, in bo...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description Low SECURITY-637 Jenkins allowed deserialization of URL objects with host components Medium SECURITY-672 Ephemeral user record was created on some invalid authentication attempts Medium SECURITY-790 Cron expression form validation could enter infinite loop,...
FreeBSD -- Unauthenticated EAPOL-Key Decryption Vulnerability
Problem Description: When using WPA2, EAPOL-Key frames with the Encrypted flag and without the MIC flag set, the data field was decrypted first without verifying the MIC. When the data field was encrypted using RC4, for example, when negotiating TKIP as a pairwise cipher, the unauthenticated but...
FreeBSD -- L1 Terminal Fault (L1TF) Kernel Information Disclosure
Problem Description: On certain Intel 64-bit x86 systems there is a period of time during terminal fault handling where the CPU may use speculative execution to try to load data. The CPU may speculatively access the level 1 data cache L1D. Data which would otherwise be protected may then be...
samba -- multiple vulnerabilities
The samba project reports: All versions of Samba from 4.0.0 onwards are vulnerable to infinite query recursion caused by CNAME loops. Any dns record can be added via ldap by an unprivileged user using the ldbadd tool, so this is a security issue. When configured to accept smart-card authenticatio...
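The CNAME-loop failure mode named above, as an added example that is not Samba's code: a resolver that chases CNAME records over a constructed zone table and refuses to recurse forever, by remembering the names already visited and capping the chain length. The zone contents, the hop limit and the function names are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed zone: name -> CNAME target; a NULL target is a terminal record. */
struct rr {
    const char *name;
    const char *cname;
};

static const struct rr zone[] = {
    { "www.example.test", "web.example.test" },
    { "web.example.test", NULL },               /* terminal */
    { "a.example.test",   "b.example.test" },   /* a -> b -> c -> a: a loop */
    { "b.example.test",   "c.example.test" },
    { "c.example.test",   "a.example.test" },
};

static const struct rr *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof zone / sizeof zone[0]; i++)
        if (strcmp(zone[i].name, name) == 0)
            return &zone[i];
    return NULL;
}

#define MAX_CNAME_CHAIN 8   /* constructed hop limit */

/* Follow the CNAME chain starting at `name`. Returns the terminal record's
 * name, or NULL if a name is missing, the chain revisits a name it already
 * passed through, or the chain exceeds MAX_CNAME_CHAIN hops. The seen-list
 * catches loops; the hop cap bounds work for long non-looping chains. */
const char *resolve_cname_chain(const char *name)
{
    const char *seen[MAX_CNAME_CHAIN];
    size_t hops = 0;

    for (;;) {
        const struct rr *r = lookup(name);
        if (!r)
            return NULL;                        /* dangling CNAME or unknown name */
        if (!r->cname)
            return r->name;                     /* reached a terminal record */
        for (size_t i = 0; i < hops; i++)
            if (strcmp(seen[i], name) == 0)
                return NULL;                    /* loop detected */
        if (hops == MAX_CNAME_CHAIN)
            return NULL;                        /* chain too long */
        seen[hops++] = name;
        name = r->cname;
    }
}
```

A naive recursive implementation that calls itself on `r->cname` with no bookkeeping never returns on the a -> b -> c -> a records above; since the advisory notes that any unprivileged user can add such records via LDAP, the loop guard has to live in the resolver rather than rely on the zone being well formed.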
FreeBSD -- Resource exhaustion in IP fragment reassembly
Problem Description: A researcher has notified us of a DoS attack applicable to another operating system. While FreeBSD may not be vulnerable to that exact attack, we have identified several places where inadequate DoS protection could allow an attacker to consume system resources. It is not...
samba -- multiple vulnerabilities
The samba project reports: Samba releases 4.7.0 to 4.8.3 inclusive contain an error which allows authentication using NTLMv1 over an SMB1 transport either directly or via NETLOGON SamLogon calls from a member server, even when NTLMv1 is explicitly disabled on the server. Missing input sanitizati...
Flash Player -- multiple vulnerabilities
Adobe reports: This update resolves out-of-bounds read vulnerabilities that could lead to information disclosure CVE-2018-12824, CVE-2018-12826, CVE-2018-12827. This update resolves a security bypass vulnerability that could lead to security mitigation bypass CVE-2018-12825. This update resolves ...