6528 matches found
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 42 security fixes in this release Please reference CVE/URL list for details...
VLC -- Possibly remote code execution via crafted file
The VLC project reports: Fix out-of-bound write in adpcm QT IMA codec (CVE-2016-5108)...
libxslt -- Denial of Service
Google reports: 583156 Medium CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire. 583171 Medium CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire...
typo3 -- Missing access check in Extbase
TYPO3 reports: Extbase request handling fails to implement a proper access check for requested controller/ action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must...
xen-tools -- Unrestricted qemu logging
The Xen Project reports: When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen. This output is not rate-limited in any way. The guest can easily cause qemu to print messages to stderr, causing this file to become arbitrarily large. The disk...
libxml2 -- multiple vulnerabilities
Daniel Veillard reports: More format string warnings with possible format string vulnerability (David Kilzer); Avoid building recursive entities (Daniel Veillard); Heap-based buffer overread in htmlCurrentChar (Pranjal Jumde); Heap-based buffer-underreads due to xmlParseName (David Kilzer); Heap use-after-fr...
mediawiki -- multiple vulnerabilities
Mediawiki reports: Security fixes: T122056: Old tokens are remaining valid within a new session T127114: Login throttle can be tricked using non-canonicalized usernames T123653: Cross-domain policy regexp is too narrow T123071: Incorrectly identifying http link in a's href attributes, due to m...
moodle -- multiple vulnerabilities
Marina Glancy reports: MSA-16-0013: Users are able to change profile fields that were locked by the administrator. MSA-16-0015: Information disclosure of hidden forum names and sub-names. MSA-16-0016: User can view badges of other users without proper permissions. MSA-16-0017: Course idnumber not...
expat -- denial of service vulnerability on malformed input
Gustavo Grieco reports: The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial...
h2o -- use after free on premature connection close
Tim Newsha reports: When H2O tries to disconnect a premature HTTP/2 connection, it calls free(3) to release memory allocated for the connection and immediately afterwards touches the memory. No malloc-related operation is performed by the same thread between the time it calls free and the time the...
xen-kernel -- x86 software guest page walk PS bit handling flaw
The Xen Project reports: The Page Size (PS) page table entry bit exists at all page table levels other than L1. Its meaning is reserved in L4, and conditionally reserved in L3 and L2 depending on hardware capabilities. The software page table walker in the hypervisor, however, so far ignored that b...
FreeBSD -- Incorrect argument handling in sendmsg(2)
Problem Description: Incorrect argument handling in the socket code allows malicious local user to overwrite large portion of the kernel memory. Impact: Malicious local user may crash kernel or execute arbitrary code in the kernel, potentially gaining superuser privileges...
FreeBSD -- Buffer overflow in keyboard driver
Problem Description: Incorrect signedness comparison in the ioctl(2) handler allows a malicious local user to overwrite a portion of the kernel memory. Impact: A local user may crash the kernel, read a portion of kernel memory and execute arbitrary code in kernel context. The result of executing an...
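The bug class behind this entry (a signed value checked only against an upper bound, then used as a length) is easy to reproduce in miniature. The following is an added illustration written for this listing, not the FreeBSD keyboard driver's code: a hypothetical ioctl-style request whose caller-chosen `count` says how many entries to copy into a fixed kernel table. `TABLE_SIZE`, `struct keymap_req` and both function names are assumptions for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class, not the FreeBSD keyboard driver's code:
 * a hypothetical ioctl-style request whose caller-chosen 'count' says how many
 * entries to copy into a fixed-size kernel table. */
#define TABLE_SIZE 16

struct keymap_req {
    int      count;               /* signed, as many ioctl argument fields are */
    uint16_t entries[TABLE_SIZE]; /* assumed payload layout */
};

static uint16_t kernel_table[TABLE_SIZE];

/* Vulnerable form: the only check is a signed "too big?" test, so a negative
 * count sails through and then becomes a huge size_t when used as a length.
 * It returns the length it would hand to memcpy instead of copying, so the
 * demonstration itself stays memory-safe. */
size_t vulnerable_copy_len(const struct keymap_req *req)
{
    if (req->count > TABLE_SIZE)            /* catches 17, not -1 */
        return 0;
    return (size_t)req->count * sizeof(uint16_t);   /* -1 wraps to ~SIZE_MAX */
}

/* Hardened form: reject negatives explicitly (equivalently, compare in an
 * unsigned type of the same width), then re-check the byte length against
 * the destination before touching memory. Returns 0 or an errno value. */
int hardened_copy(const struct keymap_req *req)
{
    if (req->count < 0 || req->count > TABLE_SIZE)
        return EINVAL;
    size_t len = (size_t)req->count * sizeof(req->entries[0]);
    if (len > sizeof(kernel_table))         /* belt and braces */
        return EINVAL;
    memcpy(kernel_table, req->entries, len);
    return 0;
}

int main(void)
{
    struct keymap_req bad = { .count = -1 };
    struct keymap_req ok  = { .count = 4, .entries = { 1, 2, 3, 4 } };

    printf("vulnerable: count=-1 -> memcpy length %zu (table is %zu bytes)\n",
           vulnerable_copy_len(&bad), sizeof(kernel_table));
    printf("hardened:   count=-1 -> %d, count=4 -> %d\n",
           hardened_copy(&bad), hardened_copy(&ok));
    return 0;
}
```

The check worth carrying into code review: whenever a signed quantity from user space is converted to `size_t` for a copy, there must be an explicit `< 0` test (or an unsigned comparison) before the upper-bound test, because the conversion turns every negative value into something larger than any buffer.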
flash -- multiple vulnerabilities
Adobe reports: These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1105, CVE-2016-4117). These updates resolve use-after-free vulnerabilities that could lead to code execution CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109,...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description SECURITY-170 / CVE-2016-3721 Arbitrary build parameters are passed to build scripts as environment variables SECURITY-243 / CVE-2016-3722 Malicious users with multiple user accounts can prevent other users from logging in SECURITY-250 / CVE-2016-3723...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 5 security fixes in this release, including: 605766 High CVE-2016-1667: Same origin bypass in DOM. Credit to Mariusz Mlynski. 605910 High CVE-2016-1668: Same origin bypass in Blink V8 bindings. Credit to Mariusz Mlynski. 606115 High CVE-2016-1669: Buffer overflow i...
p7zip -- out-of-bounds read vulnerability
Cisco Talos reports: An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. Central to 7-Zip's processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object...
p7zip -- heap overflow vulnerability
Cisco Talos reports: An exploitable heap overflow vulnerability exists in the NArchive::NHfs::CHandler::ExtractZlibFile method functionality of 7zip that can lead to arbitrary code execution...
imagemagick -- buffer overflow
ImageMagick reports: Fix a buffer overflow in magick/drag.c/DrawStrokePolygon...
xen-tools -- QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks
The Xen Project reports: Qemu VGA module allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations. Qemu VGA module allows guest to edit certain registers in 'vbe' and 'vga' modes. A privileged guest user could use...
xerces-c3 -- multiple vulnerabilities
Apache reports: The Xerces-C XML parser fails to successfully parse a DTD that is deeply nested, and this causes a stack overflow, which makes a denial of service attack against many applications possible by an unauthenticated attacker. Also, CVE-2016-2099: Use-after-free vulnerability in...
squid -- multiple vulnerabilities
The squid development team reports: Please reference CVE/URL list for details...
roundcube -- XSS vulnerability
Roundcube reports: Fix XSS issue in href attribute on area tag (#5240)...
wordpress -- multiple vulnerabilities
Helen Hou-Sandi reports: WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library...
ikiwiki -- XSS vulnerability
Mitre reports: Cross-site scripting (XSS) vulnerability in the cgierror function in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message...
hostapd -- multiple vulnerabilities
Jouni Malinen reports: EAP-pwd missing last fragment length validation. 2015-7 - CVE-2015-5315 psk configuration parameter update allowing arbitrary data to be written. 2016-1 - CVE-2016-4476...
chromium -- vulnerability
Google Chrome Releases reports: 45 security fixes in this release: 758848 High CVE-2017-11215: Use after free in Flash. Reported by JieZeng of Tencent Zhanlu Lab on 2017-08-25 758863 High CVE-2017-11225: Use after free in Flash. Reported by JieZeng of Tencent Zhanlu Lab on 2017-08-25 780919 High...
OpenSSL -- multiple vulnerabilities
OpenSSL reports: Memory corruption in the ASN.1 encoder; Padding oracle in AES-NI CBC MAC check; EVP_EncodeUpdate overflow; EVP_EncryptUpdate overflow; ASN.1 BIO excessive memory allocation; EBCDIC overread OpenSSL only...
OpenSSL -- multiple vulnerabilities
OpenSSL reports: Padding oracle in AES-NI CBC MAC check; EVP_EncodeUpdate overflow; EVP_EncryptUpdate overflow; ASN.1 BIO excessive memory allocation; EBCDIC overread...
ImageMagick -- multiple vulnerabilities
Openwall reports: Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats. Any service which uses ImageMagick to process user supplied images and uses default delegates.xml / policy.xml, may be vulnerable to this issu...
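Until the fixed ImageMagick is installed, the published mitigation for this issue is to deny the coders that reach the delegate commands and URL fetchers through ImageMagick's policy.xml. The fragment below is an added example for this listing, not the project's shipped policy file; the five patterns are the ones named in the public mitigation, and the file's location (for example /etc/ImageMagick/policy.xml, or under /usr/local/etc on FreeBSD) varies by platform and version.

```xml
<policymap>
  <!-- Added example, not ImageMagick's default policy.xml: deny the coders
       that let a crafted image reach delegates.xml commands or fetch URLs. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
```

After editing, `identify -list policy` shows the active policy so the denial can be confirmed on the host that actually processes uploads. Checking the magic bytes of uploaded files before they reach ImageMagick, rather than trusting the extension, is the complementary control, since the exploit files carry image extensions but contain MVG or MSL text.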
gitlab -- privilege escalation via "impersonate" feature
GitLab reports: During an internal code review, we discovered a critical security flaw in the "impersonate" feature of GitLab. Added in GitLab 8.2, this feature was intended to allow an administrator to simulate being logged in as any other user. A part of this feature was not properly secured an...
hostapd and wpa_supplicant -- psk configuration parameter update allowing arbitrary data to be written
Jouni Malinen reports: psk configuration parameter update allowing arbitrary data to be written 2016-1 - CVE-2016-4476/CVE-2016-4477...
mercurial -- arbitrary code execution vulnerability
Mercurial reports: CVE-2016-3105: Arbitrary code execution when converting Git repos...
jansson -- local denial of service vulnerabilities
QuickFuzz reports: A crash caused by stack exhaustion parsing a JSON was found...
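The Xerces-C entry above (stack overflow on a deeply nested DTD) and this jansson entry (stack exhaustion parsing JSON) share a root cause: recursive descent whose depth is chosen by the input. The following is an added example written for this listing, not code from jansson, Xerces-C or expat: a minimal recursive walker over JSON-style nesting that refuses to recurse past a fixed budget before the next frame is pushed, so attacker-chosen depth can never translate into stack use. `MAX_DEPTH`, the function names and the `make_nested` helper that builds the constructed hostile input are assumptions for the demonstration; the walker checks nesting and string syntax only and is not a validating JSON parser.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from jansson, Xerces-C or expat: a depth-budgeted
 * recursive walker over JSON-style arrays/objects. Every '[' or '{' costs one
 * stack frame, so the budget is checked before recursing, not after. */
#define MAX_DEPTH 64   /* assumed application policy */

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t' || *p == '\n' || *p == '\r') p++;
    return p;
}

/* Skip a string literal honouring backslash escapes; p points at the opening
 * quote. Returns a pointer to the closing quote, or NULL if unterminated. */
static const char *skip_string(const char *p)
{
    for (p++; *p; p++) {
        if (*p == '\\' && p[1]) p++;
        else if (*p == '"') return p;
    }
    return NULL;
}

/* Walk one value at *pp. On success advance *pp past it and return the deepest
 * nesting seen; return -1 on malformed input, -2 when the budget is exceeded. */
static int walk_value(const char **pp, int depth, int max_depth)
{
    const char *p = skip_ws(*pp);
    if (*p == '"') {
        const char *end = skip_string(p);
        if (!end) return -1;
        *pp = end + 1;
        return depth;
    }
    if (*p == '[' || *p == '{') {
        char close = (*p == '[') ? ']' : '}';
        if (depth >= max_depth)
            return -2;                      /* refuse to recurse past the budget */
        int deepest = depth + 1;
        p = skip_ws(p + 1);
        while (*p != close) {
            if (*p == '\0') return -1;
            int d = walk_value(&p, depth + 1, max_depth);
            if (d < 0) return d;
            if (d > deepest) deepest = d;
            p = skip_ws(p);
            if (*p == ',' || *p == ':') p = skip_ws(p + 1);   /* permissive separators */
            else if (*p != close) return -1;
        }
        *pp = p + 1;
        return deepest;
    }
    /* scalar (number, true, false, null): consume up to a structural char */
    if (*p == '\0' || strchr(",:]}", *p)) return -1;
    while (*p && !strchr(",:]}", *p) && *p != ' ' && *p != '\t' && *p != '\n' && *p != '\r') p++;
    *pp = p;
    return depth;
}

/* Returns the maximum nesting depth (>= 0), -1 if malformed, -2 if deeper
 * than max_depth. Recursion is bounded by max_depth regardless of input. */
int json_nesting_depth(const char *text, int max_depth)
{
    const char *p = text;
    int d = walk_value(&p, 0, max_depth);
    if (d < 0) return d;
    if (*skip_ws(p) != '\0') return -1;     /* trailing garbage */
    return d;
}

/* Constructed hostile input: n nested arrays "[[[...]]]". Caller frees. */
char *make_nested(size_t n)
{
    char *s = malloc(2 * n + 1);
    if (!s) return NULL;
    memset(s, '[', n);
    memset(s + n, ']', n);
    s[2 * n] = '\0';
    return s;
}

int main(void)
{
    char *deep = make_nested(100000);
    printf("benign: %d\n", json_nesting_depth("{\"a\": [1, 2, {\"b\": \"[not] {nesting}\"}]}", MAX_DEPTH));
    printf("100000 nested arrays with budget %d: %d\n", MAX_DEPTH,
           deep ? json_nesting_depth(deep, MAX_DEPTH) : -1);
    free(deep);
    return 0;
}
```

The point of the ordering inside `walk_value` is that the `depth >= max_depth` test runs before the recursive call, so the hostile document is rejected after `MAX_DEPTH` frames no matter how many brackets follow; a check placed after the recursion returns would already have consumed the stack. The same shape applies to a DTD or XML element walker: count levels on entry and fail closed at the budget.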
libarchive -- RCE vulnerability
The libarchive project reports: Heap-based buffer overflow in the zip_read_mac_metadata function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to execute arbitrary code via crafted entry-size values in a ZIP archive...
php -- multiple vulnerabilities
The PHP Group reports: BCMath: Fixed bug 72093 bcpowmod accepts negative scale and corrupts one definition. Exif: Fixed bug 72094 Out of bounds heap read access in exif header processing. GD: Fixed bug 71912 libgd: signedness vulnerability. CVE-2016-3074 Intl: Fixed bug 72061 Out-of-bounds reads ...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 9 security fixes in this release, including: 574802 High CVE-2016-1660: Out-of-bounds write in Blink. Credit to Atte Kettunen of OUSPG. 601629 High CVE-2016-1661: Memory corruption in cross-process frames. Credit to Wadih Matar. 603732 High CVE-2016-1662:...
botan -- multiple vulnerabilities
Jack Lloyd reports: Botan 1.10.13 has been released backporting some side channel protections for ECDSA signatures CVE-2016-2849 and PKCS 1 RSA decryption CVE-2015-7827...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: MFSA 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8) MFSA 2016-42 Use-after-free and buffer overflow in Service Workers MFSA 2016-44 Buffer overflow in libstagefright with CENC offsets MFSA 2016-45 CSP not applied to pages sent with...
ntp -- multiple vulnerabilities
Network Time Foundation reports: NTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p7, released on Tuesday, 26 April 2016: Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering. Reported by Matt...
quassel -- remote denial of service
Mitre reports: The onReadyRead function in core/coreauthhandler.cpp in Quassel before 0.12.4 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via invalid handshake data...
wireshark -- multiple vulnerabilities
Wireshark development team reports: The following vulnerabilities have been fixed: wnpa-sec-2016-19 The NCP dissector could crash. Bug 11591 wnpa-sec-2016-20 TShark could crash due to a packet reassembly bug. Bug 11799 wnpa-sec-2016-21 The IEEE 802.11 dissector could crash. Bug 11824, Bug 12187...
subversion -- multiple vulnerabilities
Subversion project reports: svnserve, the svn:// protocol server, can optionally use the Cyrus SASL library for authentication, integrity protection, and encryption. Due to a programming oversight, authentication against Cyrus SASL would permit the remote user to specify a realm string which is a...
squid -- multiple vulnerabilities
Squid security advisory 2016:5 reports: Due to incorrect buffer management Squid cachemgr.cgi tool is vulnerable to a buffer overflow when processing remotely supplied inputs relayed to it from Squid. This problem allows any client to seed the Squid manager reports with data that will cause a...
MySQL -- multiple vulnerabilities
Oracle reports: Critical Patch Update contains 31 new security fixes for Oracle MySQL 5.5.48, 5.6.29, 5.7.11 and earlier...
dnsmasq -- denial of service
reports: Dnsmasq before 2.76 allows remote servers to cause a denial of service (crash) via a reply with an empty DNS address that has a (1) A or (2) AAAA record defined locally...
xen-kernel -- x86 shadow pagetables: address width overflow
The Xen Project reports: In the x86 shadow pagetable code, the guest frame number of a superpage mapping is stored in a 32-bit field. If a shadowed guest can cause a superpage mapping of a guest-physical address at or above 2^44 to be shadowed, the top bits of the address will be lost, causing an...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 20 security fixes in this release, including: 590275 High CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous. 589792 High CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han. 591785 Medium CVE-2016-1651: Out-of-bounds read in Pdfi...
samba -- multiple vulnerabilities
Samba team reports: CVE-2015-5370 Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks. CVE-2016-2110 The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags,...
libtasn1 -- denial of service parsing malicious DER certificates
GNU Libtasn1 NEWS reports: Fixes to avoid an infinite recursion when decoding without the ASN1_DECODE_FLAG_STRICT_DER flag. Reported by Pascal Cuoq...