PostgreSQL -- two vulnerabilities
The PostgreSQL project reports: CVE-2018-10915: Certain host connection parameters defeat client-side security defenses libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variabl...
wpa_supplicant -- unauthenticated encrypted EAPOL-Key data
SO-AND-SO reports: A vulnerability was found in how wpa_supplicant processes EAPOL-Key frames. It is possible for an attacker to modify the frame in a way that makes wpa_supplicant decrypt the Key Data field without requiring a valid MIC value in the frame, i.e., without the frame being...
FreeBSD -- Resource exhaustion in TCP reassembly
Problem Description: One of the data structures that holds TCP segments uses an inefficient algorithm to reassemble the data. This causes the CPU time spent on segment processing to grow linearly with the number of segments in the reassembly queue. Impact: An attacker who has the ability to send...
pango -- remote DoS vulnerability
libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences...
gogs -- open redirect vulnerability
bluecatli (Tencent's Xuanwu Lab) reports: The function isValidRedirect in gogs/routes/user/auth.go is used in the login action to validate whether a URL is on the same site. If the Location header starts with /, it will be transformed to // by browsers...
xml-security-c -- crashes on malformed KeyInfo content
The shibboleth project reports: SAML messages, assertions, and metadata all commonly make use of the XML Signature KeyInfo construct, which expresses information about keys and certificates used in signing or encrypting XML. The Apache Santuario XML Security for C++ library contained code paths a...
cgit -- directory traversal vulnerability
Jann Horn reports: cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability when enable-http-clone=1 is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request...
Plex Media Server -- Information Disclosure Vulnerability
Chris reports: The XML parsing engine for Plex Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to: Access arbitrary files from the filesystem with the same permission as the...
advancecomp -- multiple vulnerabilities
Joonun Jang reports: heap buffer overflow running advzip with "-l poc" option Running 'advzip -l poc' with the attached file raises heap buffer overflow which may allow a remote attacker to cause unspecified impact including denial-of-service attack. I expected the program to terminate without...
Gitlab -- multiple vulnerabilities
Gitlab reports: Markdown DoS; Information Disclosure Prometheus Metrics; CSRF in System Hooks; Persistent XSS Pipeline Tooltip; Persistent XSS in Branch Name via Web IDE; Persistent XSS in Branch Name via Web IDE...
mbed TLS -- plaintext recovery vulnerabilities
Simon Butcher reports: When using a CBC based ciphersuite, a remote attacker can partially recover the plaintext. When using a CBC based ciphersuite, an attacker with the ability to execute arbitrary code on the machine under attack can partially recover the plaintext by use of cache based...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 42 security fixes in this release, including: 850350 High CVE-2018-6153: Stack buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-06-07 848914 High CVE-2018-6154: Heap buffer overflow in WebGL. Reported by Omair on 2018-06-01 842265 Hig...
Fix a buffer overflow in the tiff reader
libvips reports: A buffer overflow was found and fixed in the libvips code...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: High, SECURITY-897 / CVE-2018-1999001: Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart; High, SECURITY-914 / CVE-2018-1999002: Arbitrary file read vulnerability; Medium, SECURITY-891 / CVE-2018-1999003...
Apache httpd -- multiple vulnerabilities
The Apache project reports: DoS for HTTP/2 connections by crafted requests (CVE-2018-1333). By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. low: mod_md, DoS via Coredumps on specially crafted...
py-cryptography -- tag forgery vulnerability
The Python Cryptographic Authority (PyCA) project reports: finalize_with_tag allowed tag truncation by default, which can allow tag forgery in some cases. The method now enforces the min_tag_length provided to the GCM constructor...
Gitlab -- Remote Code Execution Vulnerability in GitLab Projects Import
Gitlab reports: Remote Code Execution Vulnerability in GitLab Projects Import...
MySQL -- multiple vulnerabilities
Oracle reports: Multiple vulnerabilities have been disclosed by Oracle without further detail. CVSS scores 7.1 - 2.7...
Memory leak in different components
MITRE reports: libsixel 1.8.1 has a memory leak in sixel_decoder_decode in decoder.c, image_buffer_resize in fromsixel.c, sixel_decode_raw in fromsixel.c and sixel_allocator_new in allocator.c...
mutt -- remote code injection and path traversal vulnerability
Kevin J. McCarthy reports: Fixes a remote code injection vulnerability when "subscribing" to an IMAP mailbox, either via $imap_check_subscribed, or via the function in the browser menu. Mutt was generating a "mailboxes" command and sending that along to the muttrc parser. However, it was not escapi...
znc -- multiple vulnerabilities
Mitre reports: ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming from the network, allowing a non-admin user to escalate his privilege and inject rogue values into znc.conf. ZNC before 1.7.1-rc1 is prone to a path traversal flaw via ../ in a web skin name to access files...
wesnoth -- Code Injection vulnerability
shadowm reports: A severe bug was found in the game client which could allow a malicious user to execute arbitrary code through the Lua engine by using specially-crafted code in add-ons, saves, replays, or networked games. This issue affects all platforms and all existing releases since Wesnoth...
AccountsService -- Insufficient path check in user_change_icon_file_authorized_cb()
NVD reports: Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb in user.c...
rubygem-doorkeeper -- token revocation vulnerability
NVD reports: Doorkeeper version 4.2.0 and later contains an Incorrect Access Control vulnerability in the Token revocation API's authorized method that can result in access tokens not being revoked for public OAuth apps, leaking access until expiry...
mantis -- multiple vulnerabilities
mantis reports: Teun Beijers reported a cross-site scripting (XSS) vulnerability in the Edit Filter page which allows execution of arbitrary code (if CSP settings permit it) when displaying a filter with a crafted name. Prevent the attack by sanitizing the filter name before display. Ömer Cıtak,...
typo3 -- multiple vulnerabilities
Typo3 core team reports: It has been discovered that TYPO3’s Salted Password system extension which is a mandatory system component is vulnerable to Authentication Bypass when using hashing methods which are related by PHP class inheritance. In standard TYPO3 core distributions stored passwords...
qutebrowser -- Remote code execution due to CSRF
qutebrowser team reports: Due to a CSRF vulnerability affecting the qute://settings page, it was possible for websites to modify qutebrowser settings. Via settings like editor.command, this possibly allowed websites to execute arbitrary code...
curl -- SMTP send heap buffer overflow
Peter Wu reports: curl might overflow a heap based memory buffer when sending data over SMTP and using a reduced read buffer...
mutt/neomutt -- multiple vulnerabilities
NeoMutt reports: CVE-2018-14349: NO Response Heap Overflow; CVE-2018-14350: INTERNALDATE Stack Overflow; CVE-2018-14351: STATUS Literal Length relative write; CVE-2018-14352: imap_quote_string off-by-one stack overflow; CVE-2018-14353: imap_quote_string int underflow; CVE-2018-14354: imap_subscribe Remote...
Flash Player -- multiple vulnerabilities
Adobe reports: This update resolves an out-of-bounds read vulnerability that could lead to information disclosure CVE-2018-5008. This update resolves a type confusion vulnerability that could lead to arbitrary code execution CVE-2018-5007...
Information disclosure - Gitea leaks email addresses
The Gitea project reports: Privacy: Gitea leaks hidden email addresses (#4417). A fix has been implemented in Gitea 1.5.1...
clamav -- multiple vulnerabilities
Joel Esler reports: 3 security fixes in this release: CVE-2017-16932: Vulnerability in libxml2 dependency affects ClamAV on Windows only. CVE-2018-0360: HWP integer overflow, infinite loop vulnerability. Reported by Secunia Research at Flexera. CVE-2018-0361: ClamAV PDF object length check,...
mailman -- content spoofing with invalid list names in web UI
Mark Sapiro reports: A URL with a very long text listname such as http://www.example.com/mailman/listinfo/Thisisalongstringwithsomephishingtext will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site...
Libgit2 -- multiple vulnerabilities
The Git community reports: Out-of-bounds reads when reading objects from a packfile...
wordpress -- multiple issues
WordPress developers report: Taxonomy: Improve cache handling for term queries. Posts, Post Types: Clear post password cookie when logging out. Widgets: Allow basic HTML tags in sidebar descriptions on Widgets admin screen. Community Events Dashboard: Always show the nearest WordCamp if one is...
mybb -- vulnerabilities
mybb Team reports: High risk: Image and URL MyCode Persistent XSS Medium risk: Multipage Reflected XSS Low risk: ACP logs XSS Low risk: Arbitrary file deletion via ACP’s Settings Low risk: Login CSRF Low risk: Non-video content embedding via Video MyCode...
Several Security Defects in the Bouncy Castle Crypto APIs
The Legion of the Bouncy Castle reports: Release 1.60 is now available for download. CVE-2018-1000180: issue around primality tests for RSA key pair generation if done using only the low-level API. CVE-2018-1000613: lack of class checking in deserialization of XMSS/XMSS^MT private keys with BDS...
py-yaml -- arbitrary code execution
pyyaml reports: the PyYAML.load function could be easily exploited to call any Python function. That means it could call any system command using os.system...
www/py-requests -- Information disclosure vulnerability
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2018-12359: Buffer overflow using computed size of canvas element CVE-2018-12360: Use-after-free when using focus CVE-2018-12361: Integer overflow in SwizzleData CVE-2018-12358: Same-origin bypass using service worker and redirection CVE-2018-12362: Integer overflo...
Gitlab -- multiple vulnerabilities
Gitlab reports: Wiki XSS; Sanitize gem updates; XSS in url_for(params); Content injection via username; Activity feed publicly displaying internal project names; Persistent XSS in charts...
GraphicsMagick -- SVG/Rendering vulnerability
GraphicsMagick News: Fix heap write overflow of PrimitiveInfo and PointInfo arrays. This is another manifestation of CVE-2016-2317, which should finally be fixed correctly due to active detection/correction of pending overflow rather than using estimation...
FreeBSD -- Lazy FPU State Restore Information Disclosure
Problem Description: A subset of Intel processors can allow a local thread to infer data from another thread through a speculative execution side channel when Lazy FPU state restore is used. Impact: Any local thread can potentially read FPU state information from other threads running on the host...
phpmyadmin -- remote code inclusion and XSS scripting
The phpMyAdmin development team reports: Summary: XSS in Designer feature. Description: A Cross-Site Scripting vulnerability was found in the Designer feature, where an attacker can deliver a payload to a user through a specially-crafted database name. Severity: We consider this attack to be of...
password-store -- GPG parsing vulnerabilities
Jason A. Donenfeld reports: Markus Brinkmann discovered that the parsing of gpg command line output with regexes isn't anchored to the beginning of the line, which means an attacker can generate a malicious key that simply has the verification string as part of its username. This has a number of...
botan2 -- ECDSA side channel
botan2 developers report: A side channel in the ECDSA signature operation could allow a local attacker to recover the secret key. Found by Keegan Ryan of NCC Group. Bug introduced in 2.5.0, fixed in 2.7.0. The 1.10 branch is not affected...
libgcrypt -- side-channel attack vulnerability
GnuPG reports: Mitigate a local side-channel attack on ECDSA signature as described in the white paper "Return on the Hidden Number Problem"...
OpenSSL -- Client DoS due to large DH parameter
The OpenSSL project reports: During key agreement in a TLS handshake using a DHE based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until...
node.js -- multiple vulnerabilities
Node.js reports: Denial of Service Vulnerability in HTTP/2 (CVE-2018-7161). All versions of 8.x and later are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with t...
asterisk -- PJSIP endpoint presence disclosure when using ACL
The Asterisk project reports: When endpoint specific ACL rules block a SIP request they respond with a 403 forbidden. However, if an endpoint is not identified then a 401 unauthorized response is sent. This vulnerability just discloses which requests hit a defined endpoint. The ACL rules cannot b...