OpenJPEG -- multiple vulnerabilities
OpenJPEG reports: Multiple vulnerabilities have been found in OpenJPEG, the opensource JPEG 2000 codec. Please consult the CVE list for further details. CVE-2017-17479 and CVE-2017-17480 were fixed in r477112. CVE-2018-5785 was fixed in r480624. CVE-2018-6616 was fixed in r489415...
GitLab -- multiple vulnerabilities
GitLab reports: User without access to private Wiki can see it on the project page Matthias Burtscher reported that it was possible for a user to see a private Wiki on the project page without having the corresponding permission. E-mail address disclosure through member search fields Hugo Geoffro...
OpenSSL -- multiple vulnerabilities
The OpenSSL project reports: Read/write after SSL object in error state (CVE-2017-3737) OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediate...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 37 security fixes in this release, including: [778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by Ned Williamson on 2017-10-26 [762374] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by Ke Liu of Tencent's Xuanwu LAB on 2017-09-06...
libraw -- multiple DoS vulnerabilities
Secunia Research reports: CVE-2017-16909: An error related to the "LibRaw::panasonic_load_raw()" function (dcraw_common.cpp) can be exploited to cause a heap-based buffer overflow and subsequently cause a crash via a specially crafted TIFF image. CVE-2017-16910: An error within the...
tor -- Use-after-free in onion service v2
The Torproject.org reports: TROVE-2017-009: Replay-cache ineffective for v2 onion services TROVE-2017-010: Remote DoS attack against directory authorities TROVE-2017-011: An attacker can make Tor ask for a password TROVE-2017-012: Relays can pick themselves in a circuit path TROVE-2017-013:...
transmission-daemon -- vulnerable to dns rebinding attacks
Google Project Zero reports: The transmission bittorrent client uses a client/server architecture, the user interface is the client which communicates to the worker daemon using JSON RPC requests. As with all HTTP RPC schemes like this, any website can send requests to the daemon listening on...
wireshark -- multiple security issues
Wireshark developers report: wnpa-sec-2017-47: The IWARP_MPA dissector could crash. CVE-2017-17084 wnpa-sec-2017-48: The NetBIOS dissector could crash. Discovered by Kamil Frankowicz. CVE-2017-17083 wnpa-sec-2017-49: The CIP Safety dissector could crash. CVE-2017-17085...
asterisk -- DoS vulnerability in Asterisk chan_skinny
The Asterisk project reports: If the chan_skinny (AKA SCCP protocol) channel driver is flooded with certain requests it can cause the asterisk process to use excessive amounts of virtual memory, eventually causing asterisk to stop processing requests of any kind...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data CVE-2017-7844: Visited history information leak through SVG image...
FreeBSD -- OpenSSL multiple vulnerabilities
Problem Description: If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. [CVE-2017-3735] There is a carry propagating bug in the x86_64 Montgomery squaring procedure. This only affects processors that support the BMI1, BMI2 and ADX extensio...
wordpress -- multiple issues
WordPress developers report: Use a properly generated hash for the newbloguser key instead of a determinate substring. Add escaping to the language attributes used on html elements. Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds. Remove the ability to upload...
cURL -- Multiple vulnerabilities
The cURL project reports: NTLM buffer overflow via integer overflow (CVE-2017-8816) libcurl contains a buffer overrun flaw in the NTLM authentication code. The internal function Curl_ntlm_core_mk_ntlmv2_hash sums up the lengths of the user name + password (= SUM) and multiplies the sum by two (= SIZE) to...
libXcursor -- integer overflow that can lead to heap buffer overflow
The freedesktop.org project reports: It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments. The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each...
mybb -- multiple vulnerabilities
mybb Team reports: High risk: Language file headers RCE Low risk: Language Pack Properties XSS...
borgbackup -- remote users can override repository restrictions
BorgBackup reports: Incorrect implementation of access controls allows remote users to override repository restrictions in Borg servers. A user able to access a remote Borg SSH server is able to circumvent access controls post-authentication. Affected releases: 1.1.0, 1.1.1, 1.1.2. Releases 1.0.x...
libXfont -- permission bypass when opening files through symlinks
The freedesktop.org project reports: A non-privileged X client can instruct an X server running under root to open any file by creating its own directory with "fonts.dir", "fonts.alias" or any font file being a symbolic link to any other file in the system. The X server will then open it. This can be issue...
exim -- remote DoS attack in BDAT processing
Exim developers team reports: The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of t...
xrdp -- local user can cause a denial of service
xrdp reports: The scp_v0s_accept function in the session manager uses an untrusted integer as a write length, which allows local users to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted input stream...
exim -- remote code execution, denial of service in BDAT
Exim team reports: The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands...
OTRS -- Multiple vulnerabilities
OTRS reports: An attacker who is logged into OTRS as an agent can request special URLs from OTRS which can lead to the execution of shell commands with the permissions of the web server user. An attacker who is logged into OTRS as a customer can use the ticket search form to disclose internal...
procmail -- Heap-based buffer overflow
MITRE reports: A remote attacker could use a flaw to cause formail to crash, resulting in a denial of service or data loss...
FreeBSD -- Kernel data leak via ptrace(PT_LWPINFO)
Problem Description: Not all information in the struct ptrace_lwpinfo is relevant for the state of any thread, and the kernel does not fill the irrelevant bytes or short strings. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of informatio...
shibboleth2-sp -- "Dynamic" metadata provider plugin issue
The Internet2 community reports: The Shibboleth Service Provider software includes a MetadataProvider plugin with the plugin type "Dynamic" to obtain metadata on demand from a query server, in place of the more typical mode of downloading aggregates separately containing all of the metadata to...
FreeBSD -- Information leak in kldstat(2)
Problem Description: The kernel does not properly clear the memory of the kld_file_stat structure before filling the data. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information from the kernel stack is possible. Impact: Some bytes...
FreeBSD -- POSIX shm allows jails to access global namespace
Problem Description: Named paths are globally scoped, meaning a process located in one jail can read and modify the content of POSIX shared memory objects created by a process in another jail or the host system. Impact: A malicious user that has access to a jailed system is able to abuse shared...
varnish -- information disclosure vulnerability
Varnish reports: A wrong if statement in the varnishd source code means that synthetic objects in stevedores which over-allocate may leak up to page size of data from a malloc(3) memory allocation...
couchdb -- multiple vulnerabilities
Apache CouchDB PMC reports: Database Administrator could achieve privilege escalation to the account that CouchDB runs under, by abusing insufficient validation in the HTTP API, escaping security controls implemented in previous releases...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2017-7828: Use-after-free of PressShell while restyling layout CVE-2017-7830: Cross-origin URL information leak through Resource Timing API CVE-2017-7831: Information disclosure of exposed properties on JavaScript proxy objects CVE-2017-7832: Domain spoofing throug...
palemoon -- multiple vulnerabilities
Pale Moon reports: CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers CVE-2017-7835: Mixed content blocking incorrectly applies with redirects CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags...
mediawiki -- multiple vulnerabilities
mediawiki reports: security fixes: T128209: Reflected File Download from api.php. Reported by Abdullah Hussam. T165846: BotPasswords doesn't throttle login attempts. T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password. T178451: XS...
Flash Player -- multiple vulnerabilities
Adobe reports: These updates resolve out-of-bounds read vulnerabilities that could lead to remote code execution CVE-2017-3112, CVE-2017-3114, CVE-2017-11213. These updates resolve use after free vulnerabilities that could lead to remote code execution CVE-2017-11215, CVE-2017-11225...
rubygem-geminabox -- XSS vulnerabilities
NVD reports: Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in a Box) before 0.13.10 allows attackers to inject arbitrary web script via the "homepage" value of a ".gemspec" file, related to views/gem.erb and views/index.erb...
chromium -- out of bounds read
Google Chrome Releases reports: 1 security fix in this release, including: [782145] High CVE-2017-15428: Out of bounds read in V8. Reported by Zhao Qixun of Qihoo 360 Vulcan Team on 2017-11-07...
jenkins -- multiple issues
Jenkins developers report: Jenkins stores metadata related to people, which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping. This potentially...
frr -- BGP Mishandled attribute length on Error
FRR reports: BGP Mishandled attribute length on Error A vulnerability exists in the BGP daemon of FRR where a malformed BGP UPDATE packet can leak information from the BGP daemon and cause a denial of service by crashing the daemon...
mybb -- multiple vulnerabilities
myBB Team reports: High risk: Installer RCE on configuration file write High risk: Language file headers RCE Medium risk: Installer XSS Medium risk: Mod CP Edit Profile XSS Low risk: Insufficient moderator permission check in delayed moderation tools Low risk: Announcements HTML filter bypass Low...
roundcube -- file disclosure vulnerability
MITRE reports: Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target syst...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 2 security fixes in this release, including: [777728] Critical CVE-2017-15398: Stack buffer overflow in QUIC. Reported by Ned Williamson on 2017-10-24 [776677] High CVE-2017-15399: Use after free in V8. Reported by Zhao Qixun of Qihoo 360 Vulcan Team on 2017-10-20...
OpenSSL -- Multiple vulnerabilities
The OpenSSL project reports: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) Severity: Moderate There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very...
cacti -- multiple vulnerabilities
cacti reports: Changelog issue#1057: CVE-2017-16641 - Potential vulnerability in RRDtool functions issue#1066: CVE-2017-16660 in remote_agent.php logging function issue#1066: CVE-2017-16661 in view log file issue#1071: CVE-2017-16785 in global_session.php Reflection XSS...
wordpress -- multiple issues
WordPress developers report: WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we've added hardening to prevent plugins a...
bchunk -- heap-based buffer overflow (with invalid free) and crash
MITRE reports: bchunk 1.2.0 and 1.2.1 are vulnerable to a heap-based buffer overflow with a resultant invalid free and crash when processing a malformed CUE (.cue) file...
bchunk -- heap-based buffer overflow and crash
MITRE reports: bchunk 1.2.0 and 1.2.1 are vulnerable to a heap-based buffer overflow and crash when processing a malformed CUE (.cue) file...
bchunk -- access violation near NULL on destination operand and crash
MITRE reports: bchunk 1.2.0 and 1.2.1 are vulnerable to an "Access violation near NULL on destination operand" and crash when processing a malformed CUE (.cue) file...
shadowsocks-libev -- command injection via shell metacharacters
MITRE reports: Improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic...
konversation -- crash in IRC message parsing
KDE reports: Konversation has support for colors in IRC messages. Any malicious user connected to the same IRC network can send a carefully crafted message that will crash the Konversation user client...
PHP -- denial of service attack
The PHP project reports: The PHP development team announces the immediate availability of PHP 5.6.32. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version. The PHP development team announces the immediate...
chromium -- Stack overflow in V8
Google Chrome Releases reports: 2 security fixes in this release, including: [770452] High CVE-2017-15396: Stack overflow in V8. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-09-30 [770450] Medium CVE-2017-15406: Stack overflow in V8. Reported by Yuan Deng of Ant-financial...
cURL -- out of bounds read
The cURL project reports: libcurl contains a buffer overrun flaw in the IMAP handler. An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that non-existing data with a pointer and the size...