file-roller -- path traversal vulnerability
reports: File Roller 3.5.4 through 3.20.2 was affected by a path traversal bug that could result in deleted files if a user were tricked into opening a malicious archive...
wordpress -- multiple vulnerabilities
Jeremy Felt reports: WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling...
mkvtoolnix -- code execution via specially crafted files
Moritz Bunkus reports: most of the bugs fixed on 2016-09-06 and 2016-09-07 for issue 1780 are potentially exploitable. The scenario is arbitrary code execution with specially-crafted files...
Pillow -- multiple vulnerabilities
Pillow reports: Pillow prior to 3.3.2 may experience integer overflow errors in map.c when reading specially crafted image files. This may lead to memory disclosure or corruption. Pillow prior to 3.3.2 and PIL 1.1.7 at least do not check for negative image sizes in ImagingNew in Storage.c. A...
inspircd -- authentication bypass vulnerability
Adam reports: A serious vulnerability exists when using m_sasl in combination with any services that support SASL EXTERNAL. To be vulnerable you must have m_sasl loaded, and have services which support SASL EXTERNAL authentication...
libgd -- integer overflow which could lead to heap buffer overflow
LibGD reports: An integer overflow issue was found in function gdImageWebpCtx of file gdwebp.c which could lead to heap buffer overflow...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 33 security fixes in this release. Please reference CVE/URL list for details...
mupdf -- multiple vulnerabilities
Tobias Kortkamp reports: Heap-based buffer overflow in the pdf_load_mesh_params function in pdf/pdf-shade.c in MuPDF allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a large decode array. Use-after-free vulnerability in the pdf_load_xref function in pdf/pdf-xref...
eog -- out-of-bounds write
Felix Riemann reports: CVE-2016-6855 out-of-bounds write in eog 3.10.2...
mailman -- CSRF protection enhancements
Mark Sapiro reports: CSRF protection has been extended to the user options page. This was actually fixed by Tokio Kikuchi as part of the fix for LP: 775294 and intended for Mailman 2.1.15, but that fix wasn't completely merged at the time. The full fix also addresses the admindb, and edithtml pag...
End of Life Ports
These packages have reached End of Life status and/or have been removed from the Ports Tree. They may contain undocumented security issues. Please take caution and find alternative software as soon as possible...
phpmyadmin -- multiple vulnerabilities
The phpmyadmin development team reports: Weakness with cookie encryption; Multiple XSS vulnerabilities; Multiple XSS vulnerabilities; PHP code injection; Full path disclosure; SQL injection attack; Local file exposure; Local file exposure through symlinks with UploadDir; Path traversal with SaveDir and...
gnupg -- attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output
Werner Koch reports: There was a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions...
mantis -- XSS vulnerability
wdollman reports: The value of the view_type parameter on the view_all_bug_page.php page is not encoded before being displayed on the page...
chicken -- multiple vulnerabilities
Peter Bex reports: A buffer overflow error was found in the POSIX unit's procedures process-execute and process-spawn. Additionally, a memory leak existed in this code, which would be triggered when an error is raised during argument and environment processing. Irregex versions before 0.9.6 conta...
TeamSpeak Server 3 -- Multiple vulnerabilities including Remote Code Execution
Hanz Jenson audit report: I found 10 vulnerabilities. Some of these are critical and allow remote code execution. For the average user, that means that these vulnerabilities can be exploited by a malicious attacker in order to take over any Teamspeak server, not only becoming serveradmin, but...
PostgreSQL -- Denial-of-Service and Code Injection Vulnerabilities
PostgreSQL project reports: Security Fixes: nested CASE expressions + database and role names with embedded special characters. CVE-2016-5423: certain nested CASE expressions can cause the server to crash. CVE-2016-5424: database and role names with embedded special characters can allow code...
Rails 4 -- Possible XSS Vulnerability in Action View
Ruby Security team reports: There is a possible XSS vulnerability in Action View. Text declared as "HTML safe" will not have quotes escaped when used as attribute values in tag helpers. This vulnerability has been assigned the CVE identifier CVE-2016-6316...
Rails 4 -- Unsafe Query Generation Risk in Active Record
Ruby Security team reports: There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing. This vulnerability has been assigned the CVE identifier CVE-2016-6317. This vulnerability is similar to CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155...
puppet-agent MCollective plugin -- Remote Code Execution vulnerability
Puppet reports: Puppet Enterprise previously included a puppet-agent MCollective plugin that allowed you to pass the --server argument to MCollective. This insecure argument enabled remote code execution via connection to an untrusted host. The puppet-agent MCollective version included in PE...
fontconfig -- insufficient cache file validation
Debian security team reports: Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free calls, which in turn allows double free attacks and therefore arbitrary code execution. In combinati...
asterisk -- RTP Resource Exhaustion
The Asterisk project reports: The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication RTP resources...
Joomla! -- multiple vulnerabilities
The JSST and the Joomla! Security Center report: 20160801 - Core - ACL Violation: Inadequate ACL checks in com_content provide potential read access to data which should be access restricted to users with edit.own level. 20160802 - Core - XSS Vulnerability: Inadequate escaping leads to XSS...
Vulnerabilities in Curl
Curl security team reports: CVE-2016-5419 - TLS session resumption client cert bypass; CVE-2016-5420 - Re-using connections with wrong client cert; CVE-2016-5421 - use of connection struct after free...
piwik -- XSS vulnerability
Piwik reports: We have identified and fixed several XSS security issues in this release...
asterisk -- Crash on ACK from unknown endpoint
The Asterisk project reports: Asterisk can be crashed remotely by sending an ACK to it from an endpoint username that Asterisk does not recognize. Most SIP request types result in an "artificial" endpoint being looked up, but ACKs bypass this lookup. The resulting NULL pointer results in a crash...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 10 security fixes in this release, including: 629542 High CVE-2016-5141 Address bar spoofing. Credit to anonymous; 626948 High CVE-2016-5142 Use-after-free in Blink. Credit to anonymous; 625541 High CVE-2016-5139 Heap overflow in pdfium. Credit to GiWan Go of Stealie...
Mozilla -- multiple vulnerabilities
Mozilla Foundation reports: Please reference CVE/URL list for details...
openssh -- sshd -- remote valid user discovery and PAM /bin/login attack
The OpenSSH project reports: sshd(8): Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210, reported by EddieEzra.Harari ...
lighttpd -- multiple vulnerabilities
Lighttpd Project reports: Security fixes for Lighttpd: security: encode quoting chars in HTML and XML; security: ensure gid != 0 if server.username is set, but not server.groupname; security: disable statcache if server.follow-symlink = "disable"; security: httpoxy defense: do not emit HTTP_PROXY to...
lives -- insecure file permissions
Debian reports: smogrify script creates insecure temporary files. lives creates and uses world-writable directory...
xen-tools -- virtio: unbounded memory allocation issue
The Xen Project reports: A guest can submit virtio requests without bothering to wait for completion and is therefore not bound by virtqueue size... A malicious guest administrator can cause unbounded memory allocation in QEMU, which can cause an Out-of-Memory condition in the domain running qemu...
wireshark -- multiple vulnerabilities
Wireshark development team reports: The following vulnerabilities have been fixed: wnpa-sec-2016-41 PacketBB crash. Bug 12577; wnpa-sec-2016-42 WSP infinite loop. Bug 12594; wnpa-sec-2016-44 RLC long loop. Bug 12660; wnpa-sec-2016-45 LDSS dissector crash. Bug 12662; wnpa-sec-2016-46 RLC dissector...
codeigniter -- multiple vulnerabilities
The CodeIgniter changelog reports: Fixed an SQL injection in the 'odbc' database driver. Updated set_realpath() Path Helper function to filter out php:// wrapper inputs...
xen-kernel -- x86: Missing SMAP whitelisting in 32-bit exception / event delivery
The Xen Project reports: Supervisor Mode Access Prevention is a hardware feature designed to make an Operating System more robust, by raising a pagefault rather than accidentally following a pointer into userspace. However, legitimate accesses into userspace require whitelisting, and the exceptio...
xen-kernel -- x86: Privilege escalation in PV guests
The Xen Project reports: The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases e.g. clearing only Access/Dirty bits. The bits considered safe were too broad, and not actually safe. A malicious PV guest administrato...
collectd -- Network plugin heap overflow
The collectd Project reports: Emilien Gaspar has identified a heap overflow in collectd's network plugin which can be triggered remotely and is potentially exploitable...
FreeBSD -- Heap vulnerability in bspatch
Problem Description: The implementation of bspatch does not check for a negative value on numbers of bytes read from the diff and extra streams, allowing an attacker who can control the patch file to write at arbitrary locations in the heap. This issue was first discovered by The Chromium Project...
kdelibs -- directory traversal vulnerability
David Faure reports: A maliciously crafted archive .zip or .tar.bz2 with "../" in the file paths could be offered for download via the KNewStuff framework e.g. on www.kde-look.org, and upon extraction would install files anywhere in the user's home directory...
perl -- local arbitrary code execution
Sawyer X reports: Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory...
gd -- multiple vulnerabilities
Pierre Joye reports: fix php bug 72339, Integer Overflow in _gd2GetHeader (CVE-2016-5766); gd: Buffer over-read issue when parsing crafted TGA file (CVE-2016-6132); Integer overflow error within _gdContributionsAlloc (CVE-2016-6207); fix php bug 72494, invalid color index not handled, can lead to crash...
php -- multiple vulnerabilities
PHP reports: Fixed bug 69975 (PHP segfaults when accessing nvarchar(max) defined columns). Fixed bug 72479 (Use After Free Vulnerability in SNMP with GC and unserialize). Fixed bug 72512 (_gdImageTrueColorToPaletteBody allows arbitrary write/read access). Fixed bug 72519 (imagegif/output out-of-bounds acces...
libidn -- multiple vulnerabilities
Simon Josefsson reports: libidn: Fix out-of-bounds stack read in idna_to_ascii_4i. idn: Solve out-of-bounds read when reading one zero byte as input. Also replaced fgets with getline. libidn: stringprep_utf8_nfkc_normalize rejects invalid UTF-8. It was always documented to only accept UTF-8 data, but no...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 48 security fixes in this release, including: 610600 High CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie xisigr of Tencent's Xuanwu Lab 613949 High CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan 614934 High CVE-2016-1709:...
krb5 -- KDC denial of service vulnerability
Major changes in krb5 1.14.3 and krb5 1.13.6: Fix a rare KDC denial of service vulnerability when anonymous client principals are restricted to obtaining TGTs only (CVE-2016-3120)...
MySQL -- Multiple vulnerabilities
Oracle reports: The quarterly Critical Patch Update contains 22 new security fixes for Oracle MySQL 5.5.49, 5.6.30, 5.7.13 and earlier...
smarty3 -- shell injection in math
The smarty project reports: bugfix math shell injection vulnerability...
moodle -- multiple vulnerabilities
Marina Glancy reports: MSA-16-0019: Glossary search displays entries without checking user permissions to view them; MSA-16-0020: Text injection in email headers; MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course...
Multiple ports -- Proxy HTTP header vulnerability (httpoxy)
httpoxy.org reports: httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict: RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY; HTTP_PROXY is a popular...
bind -- denial of service vulnerability
ISC reports: A query name which is too long can cause a segmentation fault in lwresd...