mbed TLS (PolarSSL) -- remote code execution
Simon Butcher reports: When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet can be used to selectively corrupt 6 bytes on the peer's heap, potentially leading to a crash or remote code execution. This can be triggered remotely from either side in bo...
exim -- a buffer overflow vulnerability, remote code execution
Exim developers report: There is a buffer overflow in base64d, if some pre-conditions are met. Using a handcrafted message, remote code execution seems to be possible...
Django -- information leakage
Django release notes: CVE-2018-6188: Information leakage in AuthenticationForm A regression in Django 1.11.8 made AuthenticationForm run its confirm_login_allowed method even if an incorrect password is entered. This can leak information about a user, depending on what messages confirm_login_allowed...
p5-Mojolicious -- cookie-handling vulnerability
Upstream commit: Vulnerabilities existed in cookie handling...
strongswan -- Insufficient input validation in RSASSA-PSS signature parser
Strongswan Release Notes reports: Fixed a DoS vulnerability in the parser for PKCS1 RSASSA-PSS signatures that was caused by insufficient input validation. One of the configurable parameters in algorithm identifier structures for RSASSA-PSS signatures is the mask generation function (MGF). Only MGF...
quagga -- several security issues
Quagga reports: The Quagga BGP daemon, bgpd, does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or it may crash. The Quagga BGP daemon, bgpd, can double-free memor...
Flash Player -- multiple vulnerabilities
Adobe reports: This update resolves use-after-free vulnerabilities that could lead to remote code execution CVE-2018-4877, CVE-2018-4878...
firefox -- Arbitrary code execution through unsanitized browser UI
The Mozilla Foundation reports: Mozilla developer Johann Hofmann reported that unsanitized output in the browser UI can lead to arbitrary code execution...
mpv -- arbitrary code execution via crafted website
mpv developers report: mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an...
electrum -- JSONRPC vulnerability
MITRE reports: JSONRPC vulnerability...
chromium -- vulnerability
Google Chrome Releases reports: 1 security fix in this release: 806388 High CVE-2018-6056: Incorrect derived class instantiation in V8. Reported by lokihardt of Google Project Zero on 2018-01-26...
w3m -- multiple vulnerabilities
Tatsuya Kinoshita reports: CVE-2018-6196 table.c: Prevent negative indent value in feed_table_block_tag. CVE-2018-6197 form.c: Prevent invalid columnPos call in formUpdateBuffer. CVE-2018-6198 config.h.dist, config.h.in, configure, configure.ac, main.c, rc.c: Make temporary directory safely when /.w...
clamav -- multiple vulnerabilities
ClamAV project reports: Join us as we welcome ClamAV 0.99.3 to the family! This release is a security release and is recommended for all ClamAV users. CVE-2017-12374 ClamAV UAF (use-after-free) Vulnerabilities CVE-2017-12375 ClamAV Buffer Overflow Vulnerability CVE-2017-12376 ClamAV Buffer Overflo...
cURL -- Multiple vulnerabilities
The cURL project reports: libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HT...
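The policy the cURL fix needs, as an added Python example (not curl's code): before following a 30x, resolve the Location header against the request URL and drop the credential-bearing custom headers when the target is a different origin. The header names, URLs and the origin comparison (scheme, host and default-filled port) are this example's assumptions, not a description of libcurl's implementation.

```python
"""Added example (not curl's code): decide which request headers may follow a
30x redirect.  Credentials set as custom headers must stay with the origin they
were meant for; everything else may follow.  URLs below are constructed."""
from urllib.parse import urljoin, urlsplit

# Custom headers that carry credentials and must never leave the original origin.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def origin(url):
    """(scheme, host, port) with the scheme's default port filled in, so
    https://a.example and https://a.example:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def headers_for_redirect(request_url, location, headers):
    """Resolve the Location header against the request URL (it may be relative)
    and return (target_url, headers_to_send).  On a cross-origin hop the
    credential-bearing custom headers are dropped; same-origin hops keep them.
    A scheme change (https -> http) counts as a different origin here."""
    target = urljoin(request_url, location)
    if origin(target) == origin(request_url):
        return target, dict(headers)
    kept = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return target, kept


# Constructed sample: an API call with a bearer token that gets bounced elsewhere.
SAMPLE_HEADERS = {"Authorization": "Bearer s3cr3t-token", "Accept": "application/json"}

if __name__ == "__main__":
    for loc in ("/v2/items", "https://api.example.com:443/v2/items", "https://cdn.example.net/items"):
        target, hdrs = headers_for_redirect("https://api.example.com/v1/items", loc, SAMPLE_HEADERS)
        print(target, sorted(hdrs))
```

The relative-Location case matters as much as the absolute one: a redirect to `/v2/items` stays on the same origin and keeps the token, while an absolute Location to another host, or even the same host over plain http, loses it.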
p7zip -- heap-based buffer overflow
MITRE reports: Heap-based buffer overflow in the NCompress::NShrink::CDecoder::CodeReal method in 7-Zip before 18.00 and p7zip allows remote attackers to cause a denial of service (out-of-bounds write) or potentially execute arbitrary code via a crafted ZIP archive...
palemoon -- multiple vulnerabilities
Pale Moon reports: CVE-2018-5102: Use-after-free in HTML media elements CVE-2018-5122: Potential integer overflow in DoCrypt...
p7zip-codec-rar -- insufficient error handling
MITRE reports: Insufficient exception handling in the method NCompress::NRar3::CDecoder::Code of 7-Zip before 18.00 and p7zip can lead to multiple memory corruptions within the PPMd code, allows remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafte...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2018-5091: Use-after-free with DTMF timers CVE-2018-5092: Use-after-free in Web Workers CVE-2018-5093: Buffer overflow in WebAssembly during Memory/Table resizing CVE-2018-5094: Buffer overflow in WebAssembly with garbage collection on uninitialized memory...
gcab -- stack overflow
Upstream reports: A stack-based buffer overflow within GNOME gcab through 0.7.4 can be exploited by malicious attackers to cause a crash or, potentially, execute arbitrary code via a crafted .cab file...
powerdns-recursor -- insufficient validation of DNSSEC signatures
PowerDNS Security Advisory reports: An issue has been found in the DNSSEC validation component of PowerDNS Recursor, allowing an ancestor delegation NSEC or NSEC3 record to be used to wrongfully prove the non-existence of a RR below the owner name of that record. This would allow an attacker in...
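The check the PowerDNS advisory is about, as an added Python example (not PowerDNS code): whether a given NSEC record may be used to prove that a queried name does not exist. It implements RFC 4034 section 6.1 canonical name ordering, the interval test (including the last NSEC in a zone, whose next name wraps to the apex), and the RFC 6840 section 4.1 rule that an "ancestor delegation" NSEC (NS bit set, SOA bit clear, signed by a zone above its owner) must not prove anything below the zone cut. The record dictionaries, field names and query names are constructed sample data; real validation would also verify the RRSIG, which is omitted here.

```python
"""Added example (not PowerDNS code): may this NSEC record prove that a queried
name does not exist?  Implements RFC 4034 6.1 canonical ordering, the interval
test (including the last NSEC, whose next name wraps to the apex), and the
RFC 6840 4.1 rule that an 'ancestor delegation' NSEC (NS set, SOA clear,
signed by a zone above its owner) proves nothing below the zone cut.  Records
and query names are constructed sample data; RRSIG checking is out of scope."""


def canonical_key(name):
    """Labels from the root downward, lowercased, for RFC 4034 canonical ordering."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return [label.encode() for label in reversed(labels)]


def canonical_cmp(a, b):
    ka, kb = canonical_key(a), canonical_key(b)
    return (ka > kb) - (ka < kb)   # byte-wise per label, shorter name sorts first


def is_below(name, ancestor):
    ka, kn = canonical_key(ancestor), canonical_key(name)
    return len(kn) > len(ka) and kn[: len(ka)] == ka


def nsec_covers(owner, next_name, qname):
    """qname strictly inside (owner, next_name) in canonical order."""
    if canonical_cmp(owner, next_name) < 0:
        return canonical_cmp(owner, qname) < 0 < canonical_cmp(next_name, qname)
    # last NSEC of the zone: next_name is the apex, everything after owner is covered
    return canonical_cmp(owner, qname) < 0 or canonical_cmp(qname, next_name) < 0


def is_ancestor_delegation(nsec):
    types = nsec["types"]
    return "NS" in types and "SOA" not in types and is_below(nsec["owner"], nsec["signer"])


def nsec_proves_nonexistence(nsec, qname):
    """Return (proved, reason).  Dropping the second test reproduces the flaw the
    advisory describes: a delegation's NSEC would then 'prove' away any name in
    the child zone."""
    if not nsec_covers(nsec["owner"], nsec["next"], qname):
        return False, "name not in this NSEC's interval"
    if is_ancestor_delegation(nsec) and is_below(qname, nsec["owner"]):
        return False, "ancestor delegation NSEC cannot prove names below the zone cut"
    return True, "covered by NSEC"


# Constructed sample: parent-side NSEC for the delegation sub.example.com,
# signed by example.com, followed in the zone by www.example.com.
DELEGATION_NSEC = {
    "owner": "sub.example.com.",
    "next": "www.example.com.",
    "signer": "example.com.",
    "types": {"NS", "DS", "RRSIG", "NSEC"},
}

if __name__ == "__main__":
    for q in ("secret.sub.example.com.", "test.example.com.", "other.example.com."):
        print(q, nsec_proves_nonexistence(DELEGATION_NSEC, q))
```

With only the interval test, `secret.sub.example.com.` falls between `sub.example.com.` and `www.example.com.` and would be declared non-existent on the authority of the parent zone, which is exactly the wrong proof; the delegation check sends the validator to the child zone's own NSEC chain instead.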
Mailman -- Cross-site scripting (XSS) vulnerability in the web UI
Mark Sapiro reports: An XSS vulnerability in the user options CGI could allow a crafted URL to execute arbitrary javascript in a user's browser. A related issue could expose information on a user's options page without requiring login...
consul -- vulnerability in embedded DNS library
Consul developers report: A flaw was found in the embedded DNS library used in consul which may allow a denial of service attack. Consul was updated to include the fixed version...
wordpress -- multiple issues
wordpress developers report: JavaScript errors that prevented saving posts in Firefox have been fixed. The previous taxonomy-agnostic behavior of get_category_link and category_description was restored. Switching themes will now attempt to restore previous widget assignments, even when there are no...
libraw -- multiple DoS vulnerabilities
Secunia Research reports: CVE-2018-5800: An off-by-one error within the "LibRaw::kodak_ycbcr_load_raw" function internal/dcraw_common.cpp can be exploited to cause a heap-based buffer overflow and subsequently cause a crash. CVE-2017-5801: An error within the "LibRaw::unpack" function src/libraw_cxx.c...
gitlab -- Remote code execution on project import
GitLab developers report: Today we are releasing versions 10.3.4, 10.2.6, and 10.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain a number of important security fixes, including two that prevent remote code execution, and we strongly recommend that all GitLab...
shibboleth-sp -- vulnerable to forged user attribute data
Shibboleth consortium reports: Shibboleth SP software vulnerable to forged user attribute data The Service Provider software relies on a generic XML parser to process SAML responses and there are limitations in older versions of the parser that make it impossible to fully disable Document Type...
Flash Player -- information disclosure
Adobe reports: This update resolves an out-of-bounds read vulnerability that could lead to information disclosure CVE-2018-4871...
dovecot -- abort of SASL authentication results in a memory leak
Pedro Sampaio reports: A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in Dovecot auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the...
phpbb3 -- multiple issues
phpbb developers report: Password updater working with PostgreSQL - The cron for updating legacy password hashes was running invalid queries on PostgreSQL. Deleting orphaned attachments w/ large number of orphaned attachments - Orphaned attachment deletion was improved to be able to delete them...
mozilla -- Speculative execution side-channel attack
Mozilla Foundation reports: Jann Horn of Google Project Zero Security reported that speculative execution performed by modern CPUs could leak information through a timing side-channel attack. Microsoft Vulnerability Research extended this attack to browser JavaScript engines and demonstrated that...
irssi -- multiple vulnerabilities
Irssi reports: When the channel topic is set without specifying a sender, Irssi may dereference NULL pointer. Found by Joseph Bisch. When using incomplete escape codes, Irssi may access data beyond the end of the string. Found by Joseph Bisch. A calculation error in the completion code could caus...
awstats -- remote code execution
MITRE reports: Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution...
samba -- multiple vulnerabilities
The samba project reports: Missing null pointer checks may crash the external print server process. On a Samba 4 AD DC any authenticated user can change other user's passwords over LDAP, including the passwords of administrative users and service accounts...
phpMyAdmin -- XSRF/CSRF vulnerability
The phpMyAdmin team reports: Description: By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc. Severity: We consider this vulnerability to be critical...
MariaDB -- unspecified vulnerability
The MariaDB project reports: Fixes for the following security vulnerabilities: CVE-2017-15365...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2017-7845: Buffer overflow when drawing and validating elements with ANGLE library using Direct 3D 9 CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin CVE-2017-7847: Local path string can be leaked from RSS feed CVE-2017-7848: RSS Feed vulnerable to...
GIMP -- Heap Buffer Overflow Vulnerability
GNOME reports: CVE-2017-17786 Out of bounds read / heap overflow in tga importer / function bgr2rgb.part.1...
rsync -- multiple vulnerabilities
Jeriko One reports: The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified...
ruby -- Command injection vulnerability in Net::FTP
Etienne Stalmans from the Heroku product security team reports: There is a command injection vulnerability in Net::FTP bundled with Ruby. Net::FTP#get, #getbinaryfile, #gettextfile, #put, #putbinaryfile, and #puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pip...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 2 security fixes in this release, including: 788453 High CVE-2017-15429: UXSS in V8. Reported by Anonymous on 2017-11-24 794792 Various fixes from internal audits, fuzzing and other initiatives...
jenkins -- Two startup race conditions
The Jenkins project reports: A race condition during Jenkins startup could result in the wrong order of execution of commands during initialization. On Jenkins 2.81 and newer, including LTS 2.89.1, this could in rare cases (we estimate less than 20% of new instances) result in failure to initialize...
squid -- Vulnerable to Denial of Service attack
Louis Dion-Marcil reports: Due to incorrect pointer handling Squid is vulnerable to denial of service attack when processing ESI responses. This problem allows a remote server delivering certain ESI response syntax to trigger a denial of service for all clients accessing the Squid service. Due to...
mini_httpd,thttpd -- Buffer overflow in htpasswd
Alessio Santoru reports: Buffer overflow in htpasswd...
The Bouncy Castle Crypto APIs -- CVE-2017-13098 ("ROBOT")
The Legion of the Bouncy Castle reports: Release: 1.59 CVE-2017-13098 "ROBOT", a Bleichenbacher oracle in TLS when RSA key exchange is negotiated. This potentially affected BCJSSE servers and any other TLS servers configured to use JCE for the underlying crypto - note the two TLS implementations...
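What a Bleichenbacher oracle looks like on the server side, and the RFC 5246 section 7.4.7.1 handling that removes it, as an added Python example (not Bouncy Castle's code): the vulnerable path raises different errors for bad PKCS#1 v1.5 padding and for a bad version, so a client can learn something about each forged ciphertext; the hardened path always continues with a 48-byte premaster secret, random when the checks fail. The RSA decryption itself is left out: the functions take the already-decrypted block, and the sample blocks are constructed for a toy 64-byte modulus. Python offers no real constant-time guarantees; what the example shows is the control-flow shape.

```python
"""Added example (not Bouncy Castle's code): server-side handling of an
RSA-encrypted premaster secret with and without the Bleichenbacher oracle.
Input is the PKCS#1 v1.5 block after RSA decryption; blocks are constructed
samples for a toy 64-byte modulus.  Python cannot give real constant-time
guarantees; the point shown is that the hardened path has one outcome shape."""
import hmac
import os

PREMASTER_LEN = 48
TLS12 = b"\x03\x03"


def pkcs1_v15_unwrap(block, payload_len):
    """Check 0x00 0x02 <at least 8 nonzero bytes> 0x00 <payload> with the payload
    at a fixed position.  Every byte is inspected whether or not an earlier one
    already failed, and the caller gets a flag instead of an exception."""
    if len(block) < payload_len + 11:           # length is public (modulus size)
        return False, bytes(payload_len)
    sep = len(block) - payload_len - 1          # index of the 0x00 separator
    bad = block[0] | (block[1] ^ 0x02) | block[sep]
    for b in block[2:sep]:
        bad |= (b == 0)                         # padding bytes must be nonzero
    return bad == 0, block[sep + 1:]


def vulnerable_premaster(block, client_version):
    ok, pms = pkcs1_v15_unwrap(block, PREMASTER_LEN)
    if not ok:
        raise ValueError("bad padding")         # distinguishable: the oracle
    if pms[:2] != client_version:
        raise ValueError("bad version")         # a second oracle
    return pms


def oracle_fires(block, client_version):
    """True when the vulnerable path leaks a failure the client can observe."""
    try:
        vulnerable_premaster(block, client_version)
    except ValueError:
        return True
    return False


def hardened_premaster(block, client_version, rand=os.urandom):
    # Pick the fallback first, so the handshake has a secret no matter what.
    fallback = client_version + rand(PREMASTER_LEN - 2)
    ok, pms = pkcs1_v15_unwrap(block, PREMASTER_LEN)
    ok &= hmac.compare_digest(pms[:2], client_version)
    mask = -int(ok) & 0xFF                      # 0xFF on success, 0x00 on failure
    return bytes((p & mask) | (f & ~mask & 0xFF) for p, f in zip(pms, fallback))


def wrap_sample(pms, modulus_len=64):
    """Build a well-formed block for a toy 64-byte modulus (constructed sample,
    no real RSA involved)."""
    pad = b"\xaa" * (modulus_len - len(pms) - 3)
    return b"\x00\x02" + pad + b"\x00" + pms


SAMPLE_PMS = TLS12 + b"\x11" * (PREMASTER_LEN - 2)
GOOD_BLOCK = wrap_sample(SAMPLE_PMS)
BAD_BLOCK = b"\x00\x01" + GOOD_BLOCK[2:]        # wrong block type byte

if __name__ == "__main__":
    print("vulnerable path leaks on bad block:", oracle_fires(BAD_BLOCK, TLS12))
    print("hardened path on good block:", hardened_premaster(GOOD_BLOCK, TLS12) == SAMPLE_PMS)
    print("hardened path on bad block still yields", len(hardened_premaster(BAD_BLOCK, TLS12)), "bytes")
```

With the hardened path the client sees the same thing for every forged ciphertext: the handshake proceeds and fails at the Finished message, because the server's premaster secret does not match. That is what denies the attacker the padding oracle the ROBOT paper exploits.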
asterisk -- Remote Crash Vulnerability in RTCP Stack
The Asterisk project reports: If a compound RTCP packet is received containing more than one report (for example a Receiver Report and a Sender Report) the RTCP stack will incorrectly store report information outside of allocated memory potentially causing a crash...
asterisk -- Crash in PJSIP resource when missing a contact header
The Asterisk project reports: A select set of SIP messages create a dialog in Asterisk. Those SIP messages must contain a contact header. For those messages, if the header was not present and using the PJSIP channel driver, it would cause Asterisk to crash. The severity of this vulnerability is...
global -- gozilla vulnerability
MITRE reports: gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL...
FreeBSD -- OpenSSL multiple vulnerabilities
Problem Description: Invoking SSL_read/SSL_write while in an error state causes data to be passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read/SSL_write being...
OpenJPEG -- integer overflow
NVD reports: In OpenJPEG 2.3.0, there is an integer overflow vulnerability in the opj_t1_encode_cblks function openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file...
OpenJPEG -- multiple vulnerabilities
OpenJPEG reports: Multiple vulnerabilities have been found in OpenJPEG, the opensource JPEG 2000 codec. Please consult the CVE list for further details. CVE-2017-17479 and CVE-2017-17480 were fixed in r477112. CVE-2018-5785 was fixed in r480624. CVE-2018-6616 was fixed in r489415...