wget -- Stack overflow in HTTP protocol handling
Antti Levomäki, Christian Jalio, Joonas Pihlaja: Wget contains two vulnerabilities, a stack overflow and a heap overflow, in the handling of HTTP chunked encoding. By convincing a user to download a specific link over HTTP, an attacker may be able to execute arbitrary code with the privileges of...
wget -- Heap overflow in HTTP protocol handling
Antti Levomäki, Christian Jalio, Joonas Pihlaja: Wget contains two vulnerabilities, a stack overflow and a heap overflow, in the handling of HTTP chunked encoding. By convincing a user to download a specific link over HTTP, an attacker may be able to execute arbitrary code with the privileges of...
webkit2-gtk3 -- multiple vulnerabilities
The WebKit team reports many vulnerabilities. Please reference the CVE/URL list for details...
MySQL -- multiple vulnerabilities
Oracle reports: Please reference CVE/URL list for details...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 35 security fixes in this release, including: 762930 High CVE-2017-5124: UXSS with MHTML. Reported by Anonymous on 2017-09-07 749147 High CVE-2017-5125: Heap overflow in Skia. Reported by Anonymous on 2017-07-26 760455 High CVE-2017-5126: Use after free in PDFium...
Node.js -- remote DOS security vulnerability
Node.js reports: Node.js was susceptible to a remote DoS attack due to a change that came in as part of zlib v1.2.9. In zlib v1.2.9 8 became an invalid value for the windowBits parameter and Node's zlib module will crash or throw an exception depending on the version...
GitLab -- multiple vulnerabilities
GitLab reports: Cross-Site Scripting XSS vulnerability in the Markdown sanitization filter Yasin Soliman via HackerOne reported a Cross-Site Scripting XSS vulnerability in the GitLab markdown sanitization filter. The sanitization filter was not properly stripping invalid characters from URL schem...
FreeBSD -- WPA2 protocol vulnerability
Problem Description: A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys TK, GTK, or IGTK by replaying a specific frame that is used to manage the keys. Impact: Such reinstallation of the encryption key can result in two different types o...
WPA packet number reuse with replayed messages and key reinstallation
wpasupplicant developers report: A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys TK, GTK, or IGTK by replaying a specific frame that is used to manage the keys...
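The key-reinstallation problem in the two entries above comes down to a nonce that is reset: reinstalling the same temporal key (TK) resets the packet number, and CCMP derives its counter-mode keystream from TK and packet number, so two frames then share keystream. The following toy model is an added illustration written for this page, not code from wpa_supplicant or FreeBSD. It substitutes an HMAC-derived keystream for AES counter mode (the nonce-reuse property is the same), and the temporal key and frame contents are constructed.

```python
import hashlib
import hmac


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Toy stand-in for the CCMP counter-mode keystream.

    Each block depends only on the temporal key and the packet number (the
    CCMP nonce) plus a block counter, exactly as in AES-CTR: the same (TK, PN)
    pair always produces the same keystream.  Real CCMP uses AES; HMAC-SHA256
    is used here only so the example runs with the standard library.
    """
    out = b""
    counter = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + counter.to_bytes(2, "big")
        out += hmac.new(tk, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Minimal model of a client's pairwise key state: TK plus transmit PN."""

    def __init__(self, tk: bytes):
        self.tk = tk
        self.pn = 0

    def install_key(self, tk: bytes) -> None:
        # Installing a key resets the packet number to zero.  A replayed
        # message 3 of the 4-way handshake makes this happen again with the
        # same TK, which is the key-reinstallation attack.
        self.tk = tk
        self.pn = 0

    def encrypt(self, plaintext: bytes):
        frame = (self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext))))
        self.pn += 1
        return frame


def recover_with_reuse(frame_a, frame_b, known_plaintext_a: bytes):
    """If two frames share a PN the keystream cancels: C_a ^ C_b = P_a ^ P_b.

    With one plaintext known, the other is recovered without the key.
    Returns None when the packet numbers differ (no reuse, nothing leaks).
    """
    (pn_a, ct_a), (pn_b, ct_b) = frame_a, frame_b
    if pn_a != pn_b:
        return None
    n = min(len(ct_a), len(ct_b), len(known_plaintext_a))
    return xor(xor(ct_a[:n], ct_b[:n]), known_plaintext_a[:n])


TK = b"\x11" * 16  # constructed temporal key
KNOWN = b"GET /index.html HTTP/1.1\r\n"  # constructed, guessable first frame
SECRET = b"Cookie: session=secret42\r\n"  # constructed second frame


def demo_reinstall() -> bytes:
    """Client sends one frame, the key is reinstalled, then sends another."""
    sta = Station(TK)
    sta.install_key(TK)
    first = sta.encrypt(KNOWN)
    sta.install_key(TK)  # attacker replays handshake message 3: PN back to 0
    second = sta.encrypt(SECRET)
    return recover_with_reuse(first, second, KNOWN)


def demo_normal():
    """Same traffic without the replay: PN advances, so nothing is recovered."""
    sta = Station(TK)
    sta.install_key(TK)
    first = sta.encrypt(KNOWN)
    second = sta.encrypt(SECRET)
    return recover_with_reuse(first, second, KNOWN)


if __name__ == "__main__":
    print(demo_reinstall())
    print(demo_normal())
```

The recovery step needs no cryptanalysis of the cipher; it is pure XOR, which is why the fix on the client side is to refuse to reset the packet number when an already-installed key is installed again.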
bro -- out of bounds write allows remote DOS
Frank Meier: Bro before Bro v2.5.2 is vulnerable to an out of bounds write in the ContentLine analyzer allowing remote attackers to cause a denial of service crash and possibly other exploitation...
Flash Player -- Remote code execution
Adobe reports: This update resolves a type confusion vulnerability that could lead to remote code execution CVE-2017-11292...
asterisk -- Memory/File Descriptor/RTP leak in pjsip session resource
The Asterisk project reports: A memory leak occurs when an Asterisk pjsip session object is created and that call gets rejected before the session itself is fully established. When this happens the session object never gets destroyed. This then leads to file descriptors and RTP ports being leaked...
rubygem-passenger -- arbitrary file read vulnerability
Phusion reports: The cPanel Security Team discovered a vulnerability in Passenger that allows users to list the contents of arbitrary files on the system. CVE-2017-16355 has been assigned to this issue...
solr -- Code execution via entity expansion
Solr developers report: Lucene XML parser does not explicitly prohibit doctype declaration and expansion of external entities which leads to arbitrary HTTP requests to the local SOLR instance and to bypass all firewall restrictions. Solr "RunExecutableListener" class can be used to execute...
xorg-server -- multiple vulnerabilities
Adam Jackson reports: One regression fix since 1.19.4 (mea culpa), and fixes for CVEs 2017-12176 through 2017-12187...
xen-kernel -- multiple vulnerabilities
The Xen project reports multiple vulnerabilities...
jenkins -- multiple issues
jenkins developers report: A total of 11 issues are reported, please see reference URL for details...
cacti -- Cross Site Scripting issue
cacti developers report: The file include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page...
PostgreSQL vulnerabilities
The PostgreSQL project reports: CVE-2017-15098: Memory disclosure in JSON functions CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges...
wireshark -- multiple security issues
wireshark developers report: In Wireshark 2.4.0 to 2.4.1, the DOCSIS dissector could go into an infinite loop. This was addressed in plugins/docsis/packet-docsis.c by adding decrements. In Wireshark 2.4.0 to 2.4.1, the RTSP dissector could crash. This was addressed in epan/dissectors/packet-rtsp...
irssi -- multiple vulnerabilities
Irssi reports: When installing themes with unterminated colour formatting sequences, Irssi may access data beyond the end of the string. While waiting for the channel synchronisation, Irssi may incorrectly fail to remove destroyed channels from the query list, resulting in use after free conditio...
ffmpeg -- multiple vulnerabilities
MITRE reports: Multiple vulnerabilities have been found in FFmpeg. Please refer to CVE list for details. Note: CVE-2017-15186 and CVE-2017-15672 affect only the 3.3 branch before 3.3.5, CVE-2017-16840 and CVE-2017-17081 have been fixed in 3.4.1. They're listed here for completeness of the record...
salt -- multiple vulnerabilities
SaltStack reports: Directory traversal vulnerability in minion id validation in SaltStack. Allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. Credit for discovering the security flaw goes to: Julian Brost. NOTE: this vulnerabili...
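The minion id in the Salt entry above ends up as a path component under the master's pki directory, so an id containing `..` or a separator selects a key file outside the intended minions/ directory. The check below is an added illustration written for this page, not SaltStack's own valid_id(); the pki_dir default and the pre-fix shape of the check are assumptions for the demonstration.

```python
import os

PKI_DIR = "/etc/salt/pki/master"  # assumed master key directory


def valid_id_before(minion_id: str) -> bool:
    """Shape of a naive check (assumed, not Salt's code): any non-empty id
    passes, so '../minions_pre/evil' is accepted and joined onto the key
    directory below."""
    return bool(minion_id)


def key_path_before(minion_id: str, pki_dir: str = PKI_DIR) -> str:
    """Where the master would look for the key without validation.  With a
    crafted id the '..' escapes minions/ (directory traversal)."""
    return os.path.normpath(os.path.join(pki_dir, "minions", minion_id))


def valid_id(minion_id: str, pki_dir: str = PKI_DIR) -> bool:
    """Hardened check: a minion id must be exactly one plain path component
    whose key file resolves to a direct child of pki_dir/minions."""
    if not minion_id or len(minion_id) > 255:
        return False
    if minion_id in (".", ".."):
        return False
    # Reject every path separator, NUL and line breaks outright.
    if any(ch in minion_id for ch in ("/", "\\", os.sep, "\x00", "\n", "\r")):
        return False
    # Defence in depth: even after the character checks, the resolved path
    # must still sit directly under minions/.
    base = os.path.realpath(os.path.join(pki_dir, "minions"))
    target = os.path.realpath(os.path.join(base, minion_id))
    return os.path.dirname(target) == base


def key_path(minion_id: str, pki_dir: str = PKI_DIR):
    """Key file for a validated id, or None when the id is rejected."""
    if not valid_id(minion_id, pki_dir):
        return None
    return os.path.join(pki_dir, "minions", minion_id)


if __name__ == "__main__":
    for mid in ("web01.example.com", "../minions_pre/evil", "a/b", ".."):
        print(repr(mid), "->", key_path_before(mid), "|", key_path(mid))
```

Both the character check and the realpath comparison are kept on purpose: the first rejects the crafted id before any filesystem access, the second catches any separator or normalisation case the first list misses.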
asterisk -- Buffer overflow in CDR's set user
The Asterisk project reports: No size checking is done when setting the user field for Party B on a CDR. Thus, it is possible for someone to use an arbitrarily large string and write past the end of the user field storage buffer. The earlier AST-2017-001 advisory for the CDR user field overflow w...
rubygems -- deserialization vulnerability
oss-security mailing list: There is a possible unsafe object deserialization vulnerability in RubyGems. It is possible for YAML deserialization of gem specifications to bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution...
zookeeper -- Denial Of Service
zookeeper developers report: Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper through version 3.4.9 and 3.5.2 suffer from...
unbound -- vulnerability in the processing of wildcard synthesized NSEC records
Unbound reports: We discovered a vulnerability in the processing of wildcard synthesized NSEC records. While synthesis of NSEC records is allowed by RFC4592, these synthesized owner names should not be used in the NSEC processing. This does, however, happen in Unbound 1.6.7 and earlier versions...
mercurial -- multiple issues
mercurial developers report: Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can allow malicious repositories to modify files outside the repository. Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks...
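The ssh hostname issue in the Mercurial entry above is an argument-injection problem: whatever appears in the user@host part of an ssh:// URL is passed to the ssh binary, and ssh treats a leading `-` as an option, so a host such as `-oProxyCommand=...` makes ssh run an attacker-chosen command. The code below is an added illustration written for this page, not Mercurial's own sshargs code; the remote command string, the URLs and the pre-fix shape are assumptions for the demonstration.

```python
from urllib.parse import urlsplit

REMOTE_CMD = "hg -R repo serve --stdio"  # assumed remote command


def ssh_argv_before(url: str, remote_cmd: str = REMOTE_CMD) -> list:
    """Assumed pre-fix shape: the user@host part of the URL goes to ssh as-is.
    For ssh://-oProxyCommand=touch%20/tmp/pwned/repo the second argv element
    is '-oProxyCommand=touch%20', which ssh parses as an option."""
    u = urlsplit(url)
    return ["ssh", u.netloc, remote_cmd]


def ssh_argv(url: str, remote_cmd: str = REMOTE_CMD) -> list:
    """Hardened: refuse a user or host that ssh could read as an option, keep
    the port numeric, and terminate option parsing with '--'."""
    u = urlsplit(url)
    if u.scheme != "ssh" or not u.hostname:
        raise ValueError("not an ssh URL: %r" % url)
    host, user = u.hostname, u.username
    port = u.port  # urlsplit raises ValueError for a non-numeric port
    for part in (host, user):
        if part and (part.startswith("-") or any(c in part for c in " \t\r\n\x00")):
            raise ValueError("illegal ssh hostname or username: %r" % part)
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    # '--' ends ssh's option parsing; the host can no longer be an option.
    argv += ["--", "%s@%s" % (user, host) if user else host, remote_cmd]
    return argv


def rejects(url: str) -> bool:
    """True when the hardened builder refuses the URL."""
    try:
        ssh_argv(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    evil = "ssh://-oProxyCommand=touch%20/tmp/pwned/repo"
    print(ssh_argv_before(evil))
    print(rejects(evil), ssh_argv("ssh://alice@hg.example.com:2222/repo"))
```

The explicit check on a leading `-` and the `--` separator are both kept: the check gives a clear error to the user, while `--` protects against any parsing path that forgets the check.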
asterisk -- Buffer overflow in pjproject header parsing can cause crash in Asterisk
The Asterisk project reports: By carefully crafting invalid values in the Cseq and the Via header port, pjproject's packet parsing code can create strings larger than the buffer allocated to hold them. This will usually cause Asterisk to crash immediately. The packets do not have to be authenticat...
libXfont -- multiple memory leaks
The freedesktop.org project reports: If a pattern contains '?' character, any character in the string is skipped, even if it is '\0'. The rest of the matching then reads invalid memory. Without the checks a malformed PCF file can cause the library to make atom from random heap memory that was...
tomcat -- Remote Code Execution
tomcat developers report: When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the serv...
cURL -- out of bounds read
The cURL project reports: FTP PWD response parser out of bounds read. libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the PWD command. The server...
xorg-server -- multiple vulnerabilities
Alan Coopersmith reports: X.Org thanks Michal Srb of SuSE for finding these issues and bringing them to our attention, Julien Cristau of Debian for getting the fixes integrated, and Adam Jackson of Red Hat for publishing the release...
dnsmasq -- multiple vulnerabilities
Google Project Zero reports: CVE-2017-14491: Heap based overflow (2 bytes). Before 2.76 and this commit overflow was unrestricted. CVE-2017-14492: Heap based overflow. CVE-2017-14493: Stack Based overflow. CVE-2017-14494: Information Leak. CVE-2017-14495: Lack of free. CVE-2017-14496: Invalid boundar...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: CVE-2017-7793: Use-after-free with Fetch API CVE-2017-7817: Firefox for Android address bar spoofing through fullscreen mode CVE-2017-7818: Use-after-free during ARIA array manipulation CVE-2017-7819: Use-after-free while resizing images in design mode CVE-2017-7824:...
node -- access to unintended files
node developers report: Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules...
codeigniter -- input validation bypass
The CodeIgniter changelog reports: Security: Fixed a potential object injection in Cache Library 'apc' driver when save is used with $raw = TRUE...
wordpress -- multiple issues
wordpress developers report: Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. Before versi...
weechat -- crash in logger plugin
WeeChat reports: security problem: a crash can happen in logger plugin when converting date/time specifiers in file mask...
libvorbis -- two vulnerabilities
Two vulnerabilities were fixed in the upstream repository: The bark_noise_hybridmp function allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted file. mapping0_forward does not validate the number of...
ImageMagick -- denial of service via a crafted font file
MITRE reports: The ReadCAPTIONImage function in coders/caption.c in ImageMagick allows remote attackers to cause a denial of service (infinite loop) via a crafted font file...
OpenVPN -- out-of-bounds write in legacy key-method 1
Steffan Karger reports: The bounds check in read_key was performed after using the value, instead of before. If 'key-method 1' is used, this allowed an attacker to send a malformed packet to trigger a stack buffer overflow. ... Note that 'key-method 1' has been replaced by 'key-method 2' as the...
sam2p -- multiple issues
sam2p developers report: In sam2p 0.49.3, a heap-based buffer overflow exists in the pcxLoadImage24 function of the file in_pcx.cpp. In sam2p 0.49.3, the in_xpm_reader function in in_xpm.cpp has an integer signedness error, leading to a crash when writing to an out-of-bounds array element. In sam2p...
chromium -- multiple vulnerabilities
Google Chrome releases reports: 3 security fixes in this release, including: 765433 High CVE-2017-5121: Out-of-bounds access in V8. Reported by Jordan Rabet, Microsoft Offensive Security Research and Microsoft ChakraCore team on 2017-09-14 752423 High CVE-2017-5122: Out-of-bounds access in V8...
phpmyfaq -- multiple issues
phpmyfaq developers report: Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the Questions field in an "Add New FAQ" action. Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allow...
libraw -- Out-of-bounds Read
libraw developers report: In LibRaw through 0.18.4, an out of bounds read flaw related to kodak_65000_load_raw has been reported in dcraw/dcraw.c and internal/dcraw_common.cpp. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash...
perl -- multiple vulnerabilities
Meta CPAN reports: CVE-2017-12814: $ENV{$key} stack buffer overflow on Windows. A possible stack buffer overflow in the %ENV code on Windows has been fixed by removing the buffer completely since it was superfluous anyway. CVE-2017-12837: Heap buffer overflow in regular expression compiler. Compiling...
Apache -- HTTP OPTIONS method can leak server memory
The Fuzzing Project reports: Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x...
rubygem-geminabox -- XSS & CSRF vulnerabilities
Gem in a box XSS vulnerability - CVE-2017-14506: A malicious attacker creates a GEM file whose crafted homepage value (gem.homepage in the .gemspec file) includes an XSS payload. The attacker accesses the geminabox system and uploads the gem file, or uses a CSRF/SSRF attack to do so. From now on, any user accessing Geminab...
sugarcrm -- multiple vulnerabilities
sugarcrm developers report: An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 and Sugar Community Edition 6.5.26. Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection,...