git -- integer overflow
Debian reports: integer overflow due to a loop which adds more to "len"...
drupal -- multiple vulnerabilities
Drupal Security Team reports: File upload access bypass and denial of service File module - Drupal 7 and 8 - Moderately Critical Brute force amplification attacks via XML-RPC XML-RPC server - Drupal 6 and 7 - Moderately Critical Open redirect via path manipulation Base system - Drupal 6, 7 and 8 ...
squid -- remote DoS in HTTP response processing
Squid security advisory 2016:2 reports: Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses. These problems allow remote servers delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing t...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description SECURITY-232 / CVE-2016-0788Remote code execution vulnerability in remoting module A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed...
upnp -- multiple vulnerabilities
Matthew Garrett reports: Reported this to upstream 8 months ago without response, so: libupnp's default behaviour allows anyone to write to your filesystem. Seriously. Find a device running a libupnp based server Shodan says there's rather a lot, and POST a file to /testfile. Then GET /testfile...
libssh -- weak Diffie-Hellman secret generation
Andreas Schneider reports: libssh versions 0.1 and above have a bits/bytes confusion bug and generate an abnormally short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024...
tomcat -- multiple vulnerabilities
Mark Thomas reports: CVE-2015-5346 Apache Tomcat Session fixation CVE-2015-5351 Apache Tomcat CSRF token leak CVE-2016-0763 Apache Tomcat Security Manager Bypass...
websvn -- reflected cross-site scripting
Sebastien Delafond reports: Jakub Palaczynski discovered that websvn, a web viewer for Subversion repositories, does not correctly sanitize user-supplied input, which allows a remote user to run reflected cross-site scripting attacks...
tomcat -- multiple vulnerabilities
Mark Thomas reports: CVE-2015-5345 Apache Tomcat Directory disclosure CVE-2016-0706 Apache Tomcat Security Manager bypass CVE-2016-0714 Apache Tomcat Security Manager Bypass...
cacti -- multiple vulnerabilities
The Cacti Group, Inc. reports: Changelog bug:0002652: CVE-2015-8604: SQL injection in graphsnew.php bug:0002655: CVE-2015-8377: SQL injection vulnerability in the hostnewgraphssave function in graphsnew.php bug:0002656: Authentication using web authentication as a user not in the cacti database...
chromium -- same origin bypass
Google Chrome Releases reports: 583431 Critical CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in Chrome. Credit to anonymous...
bsh -- remote code execution vulnerability
Stian Soiland-Reyes reports: This release fixes a remote code execution vulnerability that was identified in BeanShell by Alvaro Muñoz and Christian Schneider. The BeanShell team would like to thank them for their help and contributions to this fix! An application that includes BeanShell on the...
xen-kernel -- VMX: guest user mode may crash guest with non-canonical RIP
The Xen Project reports: VMX refuses attempts to enter a guest with an instruction pointer which doesn't satisfy certain requirements. In particular, the instruction pointer needs to be canonical when entering a guest currently in 64-bit mode. This is the case even if the VM entry information...
libotr -- integer overflow
X41 D-Sec reports: A remote attacker may crash or execute arbitrary code in libotr by sending large OTR messages...
glibc -- getaddrinfo stack-based buffer overflow
Fabio Olive Leite reports: A stack-based buffer overflow was found in libresolv when invoked from nss_dns, allowing specially crafted DNS responses to seize control of EIP in the DNS client. The buffer overflow occurs in the functions send_dg (send datagram) and send_vc (send TCP) for the NSS module...
squid -- SSL/TLS processing remote DoS
Squid security advisory 2016:1 reports: Due to incorrectly handling server errors Squid is vulnerable to a denial of service attack when connecting to TLS or SSL servers. This problem allows any trusted client to perform a denial of service attack on the Squid service regardless of whether TLS or...
hadoop2 -- unauthorized disclosure of data vulnerability
Arun Suresh reports: RPC traffic from clients, potentially including authentication credentials, may be intercepted by a malicious user with access to run tasks or containers on a cluster...
kamailio -- SEAS Module Heap overflow
Stelios Tsampas reports: A remotely exploitable heap overflow vulnerability was found in Kamailio v4.3.4...
PJSIP -- TCP denial of service in PJProject
The Asterisk project reports: PJProject has a limit on the number of TCP connections that it can accept. Furthermore, PJProject does not close TCP connections it accepts. By default, this value is approximately 60. An attacker can deplete the number of allowed TCP connections by opening TCP...
ricochet -- information disclosure
special reports: By sending a nickname with some HTML tags in a contact request, an attacker could cause Ricochet to make network requests without Tor after the request is accepted, which would reveal the user's IP address...
firefox -- Same-origin-policy violation using Service Workers with plugins
The Mozilla Foundation reports: MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a servic...
pcre -- stack buffer overflow
Philip Hazel reports: PCRE does not validate that handling the ACCEPT verb will occur within the bounds of the cworkspace stack buffer, leading to a stack buffer overflow...
libgcrypt -- side-channel attack on ECDH
GnuPG reports: Mitigate side-channel attack on ECDH with Weierstrass curves...
flash -- multiple vulnerabilities
Adobe reports: These updates resolve a type confusion vulnerability that could lead to code execution CVE-2016-0985. These updates resolve use-after-free vulnerabilities that could lead to code execution CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984. The...
brotli -- buffer overflow
Google Chrome Releases reports: 583607 High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli. Mozilla Foundation reports: Security researcher Luke Li reported a pointer underflow bug in the Brotli library's decompression that leads to a buffer overflow. This results in a potentially...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 6 security fixes in this release, including: 546677 High CVE-2016-1622: Same-origin bypass in Extensions. Credit to anonymous. 577105 High CVE-2016-1623: Same-origin bypass in DOM. Credit to Mariusz Mlynski. 509313 Medium CVE-2016-1625: Navigation bypass in Chrome...
PostgreSQL -- Security Fixes for Regular Expressions, PL/Java.
PostgreSQL project reports: Security Fixes for Regular Expressions, PL/Java CVE-2016-0773: This release closes security hole CVE-2016-0773, an issue with regular expression regex parsing. Prior code allowed users to pass in expressions which included out-of-range Unicode characters, triggering a...
adminer -- remote code execution
Jakub Vrana reports: Fix remote code execution in SQLite query...
py-pillow -- Integer overflow in Resample.c
The Pillow maintainers report: If a large value was passed into the new size for an image, it is possible to overflow an int32 value passed into malloc, leading the malloc’d buffer to be undersized. These allocations are followed by a loop that writes out of bounds. This can lead to corruption on...
py-imaging, py-pillow -- Buffer overflow in FLI decoding code
The Pillow maintainers report: In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error. There is a memcpy error where x is added to a target buffer address. X is used in several internal temporary variable roles, but can take a value ...
graphite2 -- code execution vulnerability
Talos reports: An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service. A specially crafted font can cause a buffer overflow resulting in...
php -- multiple vulnerabilities
PHP reports: Core: Fixed bug 71039 (exec functions ignore length but look for NULL termination). Fixed bug 71323 (Output of stream_get_meta_data can be falsified by its input). Fixed bug 71459 (Integer overflow in iptcembed). PCRE: Upgraded bundled PCRE library to 8.38. CVE-2015-8383, CVE-2015-8386,...
lshell -- Multiple security issues
lshell reports: It is possible to escape lshell if an allowed command can execute an arbitrary non allowed one issue 122. Inappropriate parsing of commands can lead to arbitrary command execution issue 147, 149, 151...
py-pillow -- Buffer overflow in TIFF decoding code
The Pillow maintainers report: Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 may overflow a buffer when reading a specially crafted tiff file. Specifically, libtiff >= 4.0.0 changed the return type of TIFFScanlineSize from int32 to machine dependent int32|64. If the scanline ...
asterisk -- Multiple vulnerabilities
The Asterisk project reports: AST-2016-001 - BEAST vulnerability in HTTP server AST-2016-002 - File descriptor exhaustion in chan_sip AST-2016-003 - Remote crash vulnerability when receiving UDPTL FAX data...
nghttp2 -- Out of memory in nghttpd, nghttp, and libnghttp2_asio
Nghttp2 reports: Out of memory in nghttpd, nghttp, and libnghttp2_asio applications due to unlimited incoming HTTP header fields. nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage for the incoming HTTP header field. If peer sends specially crafted HTTP/2 HEADERS frames...
dnscrypt-proxy -- code execution
Frank Denis reports: Malformed packets could lead to denial of service or code execution...
py-imaging, py-pillow -- Buffer overflow in PCD decoder
The Pillow maintainers report: In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, PcdDecode.c has a buffer overflow error. The state.buffer for PcdDecode.c is allocated based on a 3 bytes per pixel sizing, where PcdDecode.c wrote into the buffer assuming 4 bytes per...
wordpress -- multiple vulnerabilities
Samuel Sidler reports: WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.4.1 and earlier are affected by two security issues: a possible SSRF for certain local URIs, reported ...
horde -- XSS vulnerabilities
The Horde Team reports: Fixed XSS vulnerabilities in menu bar and form renderer...
django -- regression in permissions model
Tim Graham reports: User with "change" but not "add" permission can create objects for ModelAdmin's with save_as=True...
Multiple vulnerabilities in Botan
The botan developers report: Infinite loop in modular square root algorithm - The ressol function, which implements the Tonelli-Shanks algorithm for finding square roots, could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, ...
socat -- diffie hellman parameter was not prime
socat reports: In the OpenSSL address implementation the hard coded 1024 bit DH p parameter was not prime. The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p. Moreover, since there is no indication of how these...
atutor -- multiple vulnerabilities
ATutor reports: Security Fixes: A number of minor XSS vulnerabilities discovered in the previous version of ATutor have been corrected...
phpmyadmin -- Unsafe comparison of XSRF/CSRF token
The phpMyAdmin development team reports: The comparison of the XSRF/CSRF token parameter with the value saved in the session is vulnerable to timing attacks. Moreover, the comparison could be bypassed if the XSRF/CSRF token matches a particular pattern. We consider this vulnerability to be seriou...
phpmyadmin -- Unsafe generation of XSRF/CSRF token
The phpMyAdmin development team reports: The XSRF/CSRF token is generated with a weak algorithm using functions that do not return cryptographically secure values. We consider this vulnerability to be non-critical...
phpmyadmin -- Multiple XSS vulnerabilities
The phpMyAdmin development team reports: With a crafted table name it is possible to trigger an XSS attack in the database search page. With a crafted SET value or a crafted search query, it is possible to trigger an XSS attacks in the zoom search page. With a crafted hostname header, it is...
phpmyadmin -- XSS vulnerability in SQL editor
The phpMyAdmin development team reports: With a crafted SQL query, it is possible to trigger an XSS attack in the SQL editor. We consider this vulnerability to be non-critical. This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection preven...
phpmyadmin -- XSS vulnerability in normalization page
The phpMyAdmin development team reports: With a crafted table name it is possible to trigger an XSS attack in the database normalization page. We consider this vulnerability to be non-critical. This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token...
phpmyadmin -- Insecure password generation in JavaScript
The phpMyAdmin development team reports: Password suggestion functionality uses Math.random which does not provide cryptographically secure random numbers. We consider this vulnerability to be non-critical...