Salt -- information disclosure
Salt release notes report: CVE-2015-8034: Saving state.sls cache data to disk with insecure permissions This affects users of the state.sls function. The state run cache on the minion was being created with incorrect permissions. This file could potentially contain sensitive data that was inserte...
bind -- multiple vulnerabilities
ISC reports: Named is potentially vulnerable to the OpenSSL vulnerability described in CVE-2015-3193. Incorrect reference counting could result in an INSIST failure if a socket error occurred while performing a lookup. This flaw is disclosed in CVE-2015-8461. RT40945 Insufficient testing when...
django -- information leak vulnerability
Tim Graham reports: If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. last_updated|date:user_date_format, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a dat...
quassel -- remote denial of service
Pierre Schweitzer reports: Any client sending the command "/op " in a query will cause the Quassel core to crash...
libxml2 -- multiple vulnerabilities
reports: CVE-2015-5312 Another entity expansion issue (David Drysdale). CVE-2015-7497 Avoid a heap buffer overflow in xmlDictComputeFastQKey (David Drysdale). CVE-2015-7498 Avoid processing entities after encoding conversion failures (Daniel Veillard). CVE-2015-7499 1 Add xmlHaltParser to stop the...
qemu -- denial of service vulnerability in Q35 chipset emulation
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the Q35 chipset based pc system emulator is vulnerable to a heap based buffer overflow. It occurs during VM guest migration, as more (16 bytes) data is moved into an allocated (8 bytes) memory area. A privileged guest user...
sudo -- potential privilege escalation via symlink misconfiguration
MITRE reports: sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/file.txt."...
piwik -- multiple vulnerabilities
Piwik changelog reports: This release is rated critical. We are grateful for Security researchers who disclosed security issues privately to the Piwik Security Response team: Elamaran Venkatraman, Egidio Romano and Dmitriy Shcherbatov. The following vulnerabilities were fixed: XSS, CSRF, possible...
kibana4 -- CSRF vulnerability
Elastic reports: Vulnerability Summary: Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a CSRF attack. Remediation Summary: Users should upgrade to 4.1.3 or 4.2.1...
a2ps -- format string vulnerability
Jong-Gwon Kim reports: When a user runs a2ps with a maliciously crafted proa2ps prologue file, an attacker can execute arbitrary code...
strongswan -- authentication bypass vulnerability in the eap-mschapv2 plugin
Strongswan Release Notes reports: Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that was caused by insufficient verification of the internal state when handling MSCHAPv2 Success messages received by the client. This vulnerability has been registered as CVE-2015-8023...
libpng -- buffer overflow in png_set_PLTE
libpng reports: CVE for a vulnerability in libpng, all versions, in the png_set_PLTE/png_get_PLTE functions. These functions failed to check for an out-of-range palette when reading or writing PNG files with a bit depth less than 8. Some applications might read the bit depth from the IHDR chunk and...
subversion -- multiple vulnerabilities
Subversion Project reports: Remotely triggerable heap overflow and out-of-bounds read caused by integer overflow in the svn:// protocol parser. Remotely triggerable heap overflow and out-of-bounds read in mod_dav_svn caused by integer overflow when parsing skel-encoded request bodies...
redmine -- multiple vulnerabilities
Redmine reports: Potential changeset message disclosure in issues API. Data disclosure on the time logging form...
gdm -- lock screen bypass when holding escape key
Ray Strode reports: CVE-2015-7496 - lock screen bypass when holding escape key...
xen-kernel -- CPU lockup during exception delivery
The Xen Project reports: A malicious HVM guest administrator can cause a denial of service. Specifically, prevent use of a physical CPU for a significant, perhaps indefinite period. If a host watchdog (Xen or dom0) is in use, this can lead to a watchdog timeout and consequently a reboot of the host...
flash -- multiple vulnerabilities
Adobe reports: These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-7659). These updates resolve a security bypass vulnerability that could be exploited to write arbitrary data to the file system under user permissions (CVE-2015-7662). These updates resolve...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 520422 High CVE-2015-1302: Information leak in PDF viewer. Credit to Rob Wu...
MySQL -- multiple vulnerabilities
Oracle reports: Critical Patch Update: MySQL Server, versions 5.5.45 and prior, 5.6.26 and prior...
hostapd and wpa_supplicant -- multiple vulnerabilities
Jouni Malinen reports: wpa_supplicant unauthorized WNM Sleep Mode GTK control. 2015-6 - CVE-2015-5310 EAP-pwd missing last fragment length validation. 2015-7 - CVE-2015-5315 EAP-pwd peer error path failure on unexpected Confirm message. 2015-8 - CVE-2015-5316...
moodle -- multiple vulnerabilities
Moodle Release Notes report: MSA-15-0037 Possible to send a message to a user who blocked messages from non contacts MSA-15-0038 DDoS possibility in Atto MSA-15-0039 CSRF in site registration form MSA-15-0040 Student XSS in survey MSA-15-0041 XSS in flash video player MSA-15-0042 CSRF in lesson...
adminer -- XSS vulnerability
Jakub Vrana reports: Fix XSS in indexes (non-MySQL only)...
jenkins -- remote code execution via unsafe deserialization
Jenkins Developers report: Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master...
PuTTY -- memory corruption in terminal emulator's erase character handling
Ben Harris reports: Versions of PuTTY and pterm between 0.54 and 0.65 inclusive have a potentially memory-corrupting integer overflow in the handling of the ECH erase characters control sequence in the terminal emulator. To exploit a vulnerability in the terminal emulator, an attacker must be abl...
PHPmailer -- SMTP injection vulnerability
PHPMailer changelog reports: Fix vulnerability that allowed email addresses with line breaks (valid in RFC5322) to pass to SMTP, permitting message injection at the SMTP level. Mitigated in both the address validator and in the lower-level SMTP class. Thanks to Takeshi Terada...
claws-mail -- no bounds checking on the output buffer in conv_jistoeuc, conv_euctojis, conv_sjistoeuc
DrWhax reports: So in codeconv.c there is a function for Japanese character set conversion called conv_jistoeuc. There is no bounds checking on the output buffer, which is created on the stack with alloca. Bug can be triggered by sending an email to [email protected] or whatever. Since my C is...
cyrus-imapd -- integer overflow in the start_octet addition
Cyrus IMAP 2.5.7 Release Note states: CVE-2015-8077, CVE-2015-8078: protect against integer overflow in urlfetch range checks...
OpenOffice 4.1.1 -- multiple vulnerabilities
The Apache OpenOffice Project reports: A vulnerability in OpenOffice settings of OpenDocument Format files and templates allows silent access to files that are readable from a user account, over-riding the user's default configuration settings. Once these files are imported into a...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2015-133 NSS and NSPR memory corruption issues MFSA 2015-132 Mixed content WebSocket policy bypass through workers MFSA 2015-131 Vulnerabilities found through code inspection MFSA 2015-130 JavaScript garbage collection crash with Java applet MFSA 2015-129 Certain...
powerdns -- Denial of Service
PowerDNS reports: A bug was found using afl-fuzz in our packet parsing code. This bug, when exploited, causes an assertion error and consequent termination of the pdns_server process, causing a Denial of Service...
libsrtp -- DoS via crafted RTP header vulnerability
libsrtp reports: Prevent potential DoS attack due to lack of bounds checking on RTP header CSRC count and extension header length. Credit goes to Randell Jesup and the Firefox team for reporting this issue...
codeigniter -- multiple vulnerabilities
The CodeIgniter changelog reports: Fixed an XSS attack vector in Security Library method xss_clean(). Changed Config Library method base_url() to fallback to $_SERVER['SERVER_ADDR'] in order to avoid Host header injections. Changed CAPTCHA Helper to try to use the operating system's PRNG first...
libvirt -- ACL bypass using ../ to access beyond storage pool
Libvirt development team reports: Various virStorageVol API operate on user-supplied volume names by concatenating the volume name to the pool location. Note that the virStoragePoolListVolumes API, when used on a storage pool backed by a directory in a file system, will only list volumes immediate...
cups-filters -- code execution
Salvatore Bonaccorso reports: Cups Filters/Foomatic Filters does not consider backtick as an illegal escape character...
libxslt -- DoS vulnerability due to type confusing error
libxslt maintainer reports: CVE-2015-7995: http://www.openwall.com/lists/oss-security/2015/10/27/10 We need to check that the parent node is an element before dereferencing its namespace...
xen-tools -- populate-on-demand balloon size inaccuracy can crash guests
The Xen Project reports: Guests configured with PoD might be unstable, especially under load. In an affected guest, an unprivileged guest user might be able to cause a guest crash, perhaps simply by applying load so as to cause heavy memory pressure within the guest...
xen-kernel -- some pmu and profiling hypercalls log without rate limiting
The Xen Project reports: HYPERCALL_xenoprof_op and HYPERVISOR_xenpmu_op log some errors and attempts at invalid operations. These log messages are not rate-limited, even though they can be triggered by guests. A malicious guest could cause repeated logging to the hypervisor console, leading to a Deni...
xen-kernel -- leak of per-domain profiling-related vcpu pointer array
The Xen Project reports: A domain's xenoprofile state contains an array of per-vcpu information... This array is leaked on domain teardown. This memory leak could -- over time -- exhaust the host's memory. The following parties can mount a denial of service attack affecting the whole system: A...
xen-kernel -- Long latency populate-on-demand operation is not preemptible
The Xen Project reports: When running an HVM domain in Populate-on-Demand mode, Xen would sometimes search the domain for memory to reclaim, in response to demands for population of other pages in the same domain. This search runs without preemption. The guest can, by suitable arrangement of its...
xen-kernel -- leak of main per-domain vcpu pointer array
The Xen Project reports: A domain's primary array of vcpu pointers can be allocated by a toolstack exactly once in the lifetime of a domain via the XEN_DOMCTL_max_vcpus hypercall. This array is leaked on domain teardown. This memory leak could -- over time -- exhaust the host's memory. A domain give...
xen-kernel -- Uncontrolled creation of large page mappings by PV guests
The Xen Project reports: The code to validate level 2 page table entries is bypassed when certain conditions are satisfied. This means that a PV guest can create writable mappings using super page mappings. Such writable mappings can violate Xen intended invariants for pages which Xen is supposed...
openafs -- information disclosure
The OpenAFS development team reports: When constructing an Rx acknowledgment (ACK) packet, Andrew-derived Rx implementations do not initialize three octets of data that are padding in the C language structure and were inadvertently included in the wire protocol (CVE-2015-7762). Additionally, OpenAFS ...
xscreensaver -- lock bypass
RedHat bugzilla reports: In dual screen configurations, unplugging one screen will cause xscreensaver to crash, leaving the screen unlocked...
phpMyAdmin -- Content spoofing vulnerability
The phpMyAdmin development team reports: This vulnerability allows an attacker to perform a content spoofing attack using phpMyAdmin's redirection mechanism to external sites. We consider this vulnerability to be non critical since the spoofed content is escaped and no HTML injection is...
Joomla! -- Core - SQL Injection/ACL Violation vulnerabilities
The JSST and the Joomla! Security Center report: 20151001 - Core - SQL Injection Inadequate filtering of request data leads to a SQL Injection vulnerability. 20151002 - Core - ACL Violations Inadequate ACL checks in com_contenthistory provide potential read access to data which should be access...
Joomla! -- Core - ACL Violation vulnerabilities
The JSST and the Joomla! Security Center report: 20151003 - Core - ACL Violations Inadequate ACL checks in com_content provide potential read access to data which should be access restricted...
ntp -- denial of service vulnerability
Network Time Foundation reports: NTF's NTP Project has been notified of the following 1 medium-severity vulnerability that is fixed in ntp-4.2.8p5, released on Thursday, 7 January 2016: NtpBug2956: Small-step/Big-step CVE-2015-5300...
drupal -- open redirect vulnerability
Drupal development team reports: The Overlay module in Drupal core displays administrative pages as a layer over the current page using JavaScript, rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents,...
ntp -- 13 low- and medium-severity vulnerabilities
ntp.org reports: NTF's NTP Project has been notified of the following 13 low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p4, released on Wednesday, 21 October 2015: Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association authentication bypass via crypto-NAK Cisco ASIG...
libebml -- multiple vulnerabilities
Moritz Bunkus reports: Multiple invalid memory access vulnerabilities...