6528 matches found
flash -- multiple vulnerabilities
Adobe reports: These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-8644). These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2015-8651). These updates resolve use-after-free vulnerabilities that could lead to cod...
webkit -- UI spoof
webkit reports: The ScrollView::paint function in platform/scroll/ScrollView.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to spoof the UI by extending scrollbar painting into the parent frame...
tiff -- out-of-bounds read in CIE Lab image format
zzf of Alibaba discovered an out-of-bounds vulnerability in the code processing the LogLUV and CIE Lab image format files. An attacker could create a specially-crafted TIFF file that could cause libtiff to crash...
phpMyAdmin -- path disclosure vulnerability
The phpMyAdmin development team reports: By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. We consider these vulnerabilities to ...
radicale -- multiple vulnerabilities
Radicale reports: The multifilesystem backend allows access to arbitrary files on all platforms. Prevent regex injection in rights management...
tiff -- out-of-bounds read in tif_getimage.c
LMX of Qihoo 360 Codesafe Team discovered an out-of-bounds read in tif_getimage.c. An attacker could create a specially-crafted TIFF file that could cause libtiff to crash...
gdcm -- multiple vulnerabilities
CENSUS S.A. reports: GDCM versions 2.6.0 and 2.6.1 and possibly previous versions are prone to an integer overflow vulnerability which leads to a buffer overflow and potentially to remote code execution. GDCM versions 2.6.0 and 2.6.1 and possibly previous versions are prone to an out-of-bounds re...
qemu -- denial of service vulnerability in Human Monitor Interface support
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the Human Monitor Interface (HMP) support is vulnerable to an OOB write issue. It occurs while processing 'sendkey' command in hmp_sendkey routine, if the command argument is longer than the 'keyname_buf' buffer size. A...
owncloud -- multiple vulnerabilities
Owncloud reports: Reflected XSS in OCS provider discovery (oC-SA-2016-001). Information Exposure Through Directory Listing in the file scanner (oC-SA-2016-002). Disclosure of files that begin with ".v" due to unchecked return value (oC-SA-2016-003)...
nghttp2 -- use after free
nghttp2 reports: This release fixes heap-use-after-free bug in idle stream handling code. We strongly recommend to upgrade the older installation to this latest version as soon as possible...
Bugzilla security issues
Bugzilla Security Advisory During the generation of a dependency graph, the code for the HTML image map is generated locally if a local dot installation is used. With escaped HTML characters in a bug summary, it is possible to inject unfiltered HTML code in the map file which the CreateImagemap...
NSS -- MD5 downgrade in TLS 1.2 signatures
The Mozilla Project reports: Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where MD5 signatures in the server signature within the TLS 1.2 ServerKeyExchange message are still accepted. This is an issue since NSS has officially disallowed the acceptin...
Joomla! -- multiple vulnerabilities
The JSST and the Joomla! Security Center report: 20151206 - Core - Session Hardening The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fix...
qemu -- denial of service vulnerability in MegaRAID SAS HBA emulation
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the SCSI MegaRAID SAS HBA emulation support is vulnerable to a stack buffer overflow issue. It occurs while processing the SCSI controller's CTRL_GET_INFO command. A privileged guest user could use this flaw to crash...
giflib -- heap overflow
Hans Jerry Illikainen reports: A heap overflow may occur in the giffix utility included in giflib-5.1.1 when processing records of the type 'IMAGE_DESC_RECORD_TYPE' due to the allocated size of 'LineBuffer' equaling the value of the logical screen width, 'GifFileIn->SWidth', while subsequently having...
ffmpeg -- multiple vulnerabilities
NVD reports: The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.8.4 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possib...
mono -- DoS and code execution
NCC Group reports: An attacker who can cause a carefully-chosen string to be converted to a floating-point number can cause a crash and potentially induce arbitrary code execution...
mediawiki -- multiple vulnerabilities
MediaWiki reports: T117899 SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now...
xen-kernel -- ioreq handling possibly susceptible to multiple read issue
The Xen Project reports: Single memory accesses in source code can be translated to multiple ones in machine code by the compiler, requiring special caution when accessing shared memory. Such precaution was missing from the hypervisor code inspecting the state of I/O requests sent to the device...
xen-kernel -- information leak in legacy x86 FPU/XMM initialization
The Xen Project reports: When XSAVE/XRSTOR are not in use by Xen to manage guest extended register state, the initial values in the FPU stack and XMM registers seen by the guest upon first use are those left there by the previous user of those registers. A malicious domain may be able to leverage...
kibana4 -- XSS vulnerability
Elastic reports: Fixes XSS vulnerability (CVE pending) - Thanks to Vladimir Ivanov for responsibly reporting...
samba -- multiple vulnerabilities
Samba team reports: CVE-2015-3223: Malicious request can cause Samba LDAP server to hang, spinning using CPU. CVE-2015-5330: Malicious request can cause Samba LDAP server to return uninitialized memory that should not be part of the reply. CVE-2015-5296: Requesting encryption should also request...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 2 security fixes in this release, including: [569486] CVE-2015-6792: Fixes from internal audits and fuzzing...
Ruby -- unsafe tainted string vulnerability
Ruby developer reports: There is an unsafe tainted string vulnerability in Fiddle and DL. This issue was originally reported and fixed with CVE-2009-5147 in DL, but reappeared after DL was reimplemented using Fiddle and libffi. And, about DL, CVE-2009-5147 was fixed at Ruby 1.9.1, but not fixed a...
qemu -- denial of service vulnerability in VMWARE VMXNET3 NIC support
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to a memory leakage flaw. It occurs when a guest repeatedly tries to activate the vmxnet3 device. A privileged guest user could use this flaw to leak...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2015-134: Miscellaneous memory safety hazards (rv:43.0 / rv:38.5). MFSA 2015-135: Crash with JavaScript variable assignment with unboxed objects. MFSA 2015-136: Same-origin policy violation using performance.getEntries and history navigation. MFSA 2015-137: Firefox allows...
typo3 -- multiple vulnerabilities
TYPO3 Security Team reports: It has been discovered that TYPO3 CMS is susceptible to Cross-Site Scripting and Cross-Site Flashing...
kea -- unexpected termination while handling a malformed packet
ISC Support reports: ISC Kea may terminate unexpectedly (crash) while handling a malformed client packet. Related defects in the kea-dhcp4 and kea-dhcp6 servers can cause the server to crash during option processing if a client sends a malformed packet. An attacker sending a crafted malformed packe...
qemu -- denial of service vulnerability in USB EHCI emulation support
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the USB EHCI emulation support is vulnerable to an infinite loop issue. It occurs during communication between host controller interface (EHCI) and a respective device driver. These two communicate via an isochronous...
joomla -- multiple vulnerabilities
The JSST and the Joomla! Security Center report: 20151201 - Core - Remote Code Execution Vulnerability Browser information is not filtered properly while saving the session values into the database which leads to a Remote Code Execution vulnerability. 20151202 - Core - CSRF Hardening Add addition...
cups-filters -- code execution
Till Kamppeter reports: Cups Filters/Foomatic Filters does not consider semicolon as an illegal escape character...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description SECURITY-95 / CVE-2015-7536 Stored XSS vulnerability through workspace files and archived artifacts In certain configurations, low privilege users were able to create e.g. HTML files in workspaces and archived artifacts that could result in XSS when accessed...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 7 security fixes in this release, including: [548273] High CVE-2015-6788: Type confusion in extensions. Credit to anonymous. [557981] High CVE-2015-6789: Use-after-free in Blink. Credit to cloudfuzzer. [542054] Medium CVE-2015-6790: Escaping issue in saved pages. Credit ...
flash -- multiple vulnerabilities
Adobe reports: These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-8438, CVE-2015-8446). These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-8444, CVE-2015-8443, CVE-2015-8417, CVE-2015-8416,...
xen-kernel -- XENMEM_exchange error handling issues
The Xen Project reports: Error handling in the operation may involve handing back pages to the domain. This operation may fail when in parallel the domain gets torn down. So far this failure unconditionally resulted in the host being brought down due to an internal error being assumed. This is...
xen-tools -- libxl leak of pv kernel and initrd on error
The Xen Project reports: When constructing a guest which is configured to use a PV bootloader which runs as a userspace process in the toolstack domain (e.g. pygrub) libxl creates a mapping of the files to be used as kernel and initial ramdisk when building the guest domain. However if building the...
qemu -- denial of service vulnerability in VNC
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the VNC display driver support is vulnerable to an arithmetic exception flaw. It occurs on the VNC server side while processing the 'SetPixelFormat' messages from a client. A privileged remote client could use this...
passenger -- client controlled header overwriting
Daniel Knoppel reports: It was discovered by the SUSE security team that it was possible, in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. CVE-2015-7519 has been assigned to this issue. Affected use-cases: Header overwriting may occur ...
redmine -- information leak vulnerability
Redmine reports: Data disclosure in atom feed...
cacti -- SQL injection vulnerabilities
NVD reports: SQL injection vulnerability in include/top_graph_header.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a properties action to graph.php...
openssl -- multiple vulnerabilities
OpenSSL project reports: BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193). Certificate verify crash with missing PSS parameter (CVE-2015-3194). X509_ATTRIBUTE memory leak (CVE-2015-3195). Race condition handling PSK identify hint (CVE-2015-3196). Anon DH ServerKeyExchange with 0 p parameter...
libressl -- NULL pointer dereference
The OpenBSD project reports: A NULL pointer dereference could be triggered by a crafted certificate sent to services configured to verify client certificates on TLS/SSL connections...
libtorrent -- remote DoS
X-cela reports: Calls into buildbenocde that use %zu could crash on 64 bit machines due to the size change of size_t. Someone can force READENCIA to fail allowing an internalerror to be thrown and bring down the client...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 41 security fixes in this release, including: [558589] Critical CVE-2015-6765: Use-after-free in AppCache. Credit to anonymous. [551044] High CVE-2015-6766: Use-after-free in AppCache. Credit to anonymous. [554908] High CVE-2015-6767: Use-after-free in AppCache. Credit t...
py-amf -- input sanitization errors
oCERT reports: A specially crafted AMF payload, containing malicious references to XML external entities, can be used to trigger Denial of Service (DoS) conditions or arbitrarily return the contents of files that are accessible with the running application privileges...
qemu and xen-tools -- denial of service vulnerabilities in AMD PC-Net II NIC support
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the AMD PC-Net II Ethernet Controller support is vulnerable to a heap buffer overflow flaw. While receiving packets in the loopback mode, it appends CRC code to the receive buffer. If the data size given is same as...
libraw -- index overflow in smal_decode_segment
ChenQin reports: The LibRaw raw image decoder has multiple vulnerabilities that can cause memory errors which may lead to code execution or other problems. In CVE-2015-8366, LibRaw's smal_decode_segment function does not handle indexes carefully, which can cause an index overflow...
libraw -- memory objects not properly initialized
ChenQin reports: The LibRaw raw image decoder has multiple vulnerabilities that can cause memory errors which may lead to code execution or other problems. In CVE-2015-8367, LibRaw's phase_one_correct function does not handle memory initialization correctly, which may cause other problems...
ffmpeg -- multiple vulnerabilities
NVD reports: The update_dimensions function in libavcodec/vp8.c in FFmpeg through 2.8.1, as used in Google Chrome before 46.0.2490.71 and other products, relies on a coefficient-partition count during multi-threaded operation, which allows remote attackers to cause a denial of service (race conditi...
dpkg -- stack-based buffer overflow
Salvatore Bonaccorso reports: Hanno Boeck discovered a stack-based buffer overflow in the dpkg-deb component of dpkg, the Debian package management system. This flaw could potentially lead to arbitrary code execution if a user or an automated system were tricked into processing a specially crafte...