6585 matches found
isc-dhcpd -- Denial of Service
ISC reports: A badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally...
mbedTLS/PolarSSL -- SLOTH attack on TLS 1.2 server authentication
ARM Limited reports: MD5 handshake signatures in TLS 1.2 are vulnerable to the SLOTH attack on TLS 1.2 server authentication. They have been disabled by default. Other attacks from the SLOTH paper do not apply to any version of mbed TLS or PolarSSL...
dhcpcd -- multiple vulnerabilities
Nico Golde reports: heap overflow via malformed dhcp responses later in printoption via dhcpenvoption1 due to incorrect option length values. Exploitation is non-trivial, but I'd love to be proven wrong. invalid read/crash via malformed dhcp responses. not exploitable beyond DoS as far as I can...
wireshark -- multiple vulnerabilities
Wireshark development team reports: The following vulnerabilities have been fixed: wnpa-sec-2015-31 NBAP dissector crashes. Bug 11602, Bug 11835, Bug 11841 wnpa-sec-2015-37 NLM dissector crash. wnpa-sec-2015-39 BER dissector crash. wnpa-sec-2015-40 Zlib decompression crash. Bug 11548...
webkit -- UI spoof
webkit reports: The ScrollView::paint function in platform/scroll/ScrollView.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to spoof the UI by extending scrollbar painting into the parent frame...
qemu -- denial of service vulnerability in Rocker switch emulation
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmittx descriptors in 'txconsume' routine, if a descriptor was to have more than allowed ROCKERTXFRAGSMAX=16...
flash -- multiple vulnerabilities
Adobe reports: These updates resolve a type confusion vulnerability that could lead to code execution CVE-2015-8644. These updates resolve an integer overflow vulnerability that could lead to code execution CVE-2015-8651. These updates resolve use-after-free vulnerabilities that could lead to cod...
tiff -- out-of-bounds read in CIE Lab image format
zzf of Alibaba discovered an out-of-bounds vulnerability in the code processing the LogLUV and CIE Lab image format files. An attacker could create a specially-crafted TIFF file that could cause libtiff to crash...
phpMyAdmin -- path disclosure vulnerability
The phpMyAdmin development team reports: By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. We consider these vulnerabilities to ...
radicale -- multiple vulnerabilities
Radicale reports: The multifilesystem backend allows access to arbitrary files on all platforms. Prevent regex injection in rights management...
tiff -- out-of-bounds read in tif_getimage.c
LMX of Qihoo 360 Codesafe Team discovered an out-of-bounds read in tifgetimage.c. An attacker could create a specially-crafted TIFF file that could cause libtiff to crash...
gdcm -- multiple vulnerabilities
CENSUS S.A. reports: GDCM versions 2.6.0 and 2.6.1 and possibly previous versions are prone to an integer overflow vulnerability which leads to a buffer overflow and potentially to remote code execution. GDCM versions 2.6.0 and 2.6.1 and possibly previous versions are prone to an out-of-bounds re...
owncloud -- multiple vulnerabilities
Owncloud reports: Reflected XSS in OCS provider discovery oC-SA-2016-001 Information Exposure Through Directory Listing in the file scanner oC-SA-2016-002 Disclosure of files that begin with ".v" due to unchecked return value oC-SA-2016-003...
nghttp2 -- use after free
nghttp2 reports: This release fixes heap-use-after-free bug in idle stream handling code. We strongly recommend to upgrade the older installation to this latest version as soon as possible...
qemu -- denial of service vulnerability in Human Monitor Interface support
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the Human Monitor InterfaceHMP support is vulnerable to an OOB write issue. It occurs while processing 'sendkey' command in hmpsendkey routine, if the command argument is longer than the 'keynamebuf' buffer size. A...
Bugzilla security issues
Bugzilla Security Advisory During the generation of a dependency graph, the code for the HTML image map is generated locally if a local dot installation is used. With escaped HTML characters in a bug summary, it is possible to inject unfiltered HTML code in the map file which the CreateImagemap...
NSS -- MD5 downgrade in TLS 1.2 signatures
The Mozilla Project reports: Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services NSS where MD5 signatures in the server signature within the TLS 1.2 ServerKeyExchange message are still accepted. This is an issue since NSS has officially disallowed the acceptin...
qemu -- denial of service vulnerability in MegaRAID SAS HBA emulation
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the SCSI MegaRAID SAS HBA emulation support is vulnerable to a stack buffer overflow issue. It occurs while processing the SCSI controller's CTRLGETINFO command. A privileged guest user could use this flaw to crash...
Joomla! -- multiple vulnerabilities
The JSST and the Joomla! Security Center report: 20151206 - Core - Session Hardening The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fix...
giflib -- heap overflow
Hans Jerry Illikainen reports: A heap overflow may occur in the giffix utility included in giflib-5.1.1 when processing records of the type IMAGEDESCRECORDTYPE' due to the allocated size of LineBuffer' equaling the value of the logical screen width, GifFileIn-SWidth', while subsequently having...
ffmpeg -- multiple vulnerabilities
NVD reports: The ffdwtdecode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.8.4 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service out-of-bounds array access or possib...
mono -- DoS and code execution
NCC Group reports: An attacker who can cause a carefully-chosen string to be converted to a floating-point number can cause a crash and potentially induce arbitrary code execution...
mediawiki -- multiple vulnerabilities
MediaWiki reports: T117899 SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now...
kibana4 -- XSS vulnerability
Elastic reports: Fixes XSS vulnerability CVE pending - Thanks to Vladimir Ivanov for responsibly reporting...
xen-kernel -- information leak in legacy x86 FPU/XMM initialization
The Xen Project reports: When XSAVE/XRSTOR are not in use by Xen to manage guest extended register state, the initial values in the FPU stack and XMM registers seen by the guest upon first use are those left there by the previous user of those registers. A malicious domain may be able to leverage...
xen-kernel -- ioreq handling possibly susceptible to multiple read issue
The Xen Project reports: Single memory accesses in source code can be translated to multiple ones in machine code by the compiler, requiring special caution when accessing shared memory. Such precaution was missing from the hypervisor code inspecting the state of I/O requests sent to the device...
samba -- multiple vulnerabilities
Samba team reports: CVE-2015-3223 Malicious request can cause Samba LDAP server to hang, spinning using CPU. CVE-2015-5330 Malicious request can cause Samba LDAP server to return uninitialized memory that should not be part of the reply. CVE-2015-5296 Requesting encryption should also request...
Ruby -- unsafe tainted string vulnerability
Ruby developer reports: There is an unsafe tainted string vulnerability in Fiddle and DL. This issue was originally reported and fixed with CVE-2009-5147 in DL, but reappeared after DL was reimplemented using Fiddle and libffi. And, about DL, CVE-2009-5147 was fixed at Ruby 1.9.1, but not fixed a...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 2 security fixes in this release, including: 569486 CVE-2015-6792: Fixes from internal audits and fuzzing...
kea -- unexpected termination while handling a malformed packet
ISC Support reports: ISC Kea may terminate unexpectedly crash while handling a malformed client packet. Related defects in the kea-dhcp4 and kea-dhcp6 servers can cause the server to crash during option processing if a client sends a malformed packet. An attacker sending a crafted malformed packe...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2015-134 Miscellaneous memory safety hazards rv:43.0 / rv:38.5 MFSA 2015-135 Crash with JavaScript variable assignment with unboxed objects MFSA 2015-136 Same-origin policy violation using perfomance.getEntries and history navigation MFSA 2015-137 Firefox allows...
typo3 -- multiple vulnerabilities
TYPO3 Security Team reports: It has been discovered that TYPO3 CMS is susceptible to Cross-Site Scripting and Cross-Site Flashing...
qemu -- denial of service vulnerability in VMWARE VMXNET3 NIC support
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to a memory leakage flaw. It occurs when a guest repeatedly tries to activate the vmxnet3 device. A privileged guest user could use this flaw to leak...
qemu -- denial of service vulnerability in USB EHCI emulation support
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the USB EHCI emulation support is vulnerable to an infinite loop issue. It occurs during communication between host controller interfaceEHCI and a respective device driver. These two communicate via a isochronous...
joomla -- multiple vulnerabilities
The JSST and the Joomla! Security Center report: 20151201 - Core - Remote Code Execution Vulnerability Browser information is not filtered properly while saving the session values into the database which leads to a Remote Code Execution vulnerability. 20151202 - Core - CSRF Hardening Add addition...
cups-filters -- code execution
Till Kamppeter reports: Cups Filters/Foomatic Filters does not consider semicolon as an illegal escape character...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description SECURITY-95 / CVE-2015-7536 Stored XSS vulnerability through workspace files and archived artifacts In certain configurations, low privilege users were able to create e.g. HTML files in workspaces and archived artifacts that could result in XSS when accessed...
xen-tools -- libxl leak of pv kernel and initrd on error
The Xen Project reports: When constructing a guest which is configured to use a PV bootloader which runs as a userspace process in the toolstack domain e.g. pygrub libxl creates a mapping of the files to be used as kernel and initial ramdisk when building the guest domain. However if building the...
xen-kernel -- XENMEM_exchange error handling issues
The Xen Project reports: Error handling in the operation may involve handing back pages to the domain. This operation may fail when in parallel the domain gets torn down. So far this failure unconditionally resulted in the host being brought down due to an internal error being assumed. This is...
flash -- multiple vulnerabilities
Adobe reports: These updates resolve heap buffer overflow vulnerabilities that could lead to code execution CVE-2015-8438, CVE-2015-8446. These updates resolve memory corruption vulnerabilities that could lead to code execution CVE-2015-8444, CVE-2015-8443, CVE-2015-8417, CVE-2015-8416,...
qemu -- denial of service vulnerability in VNC
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the VNC display driver support is vulnerable to an arithmetic exception flaw. It occurs on the VNC server side while processing the 'SetPixelFormat' messages from a client. A privileged remote client could use this...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 7 security fixes in this release, including: 548273 High CVE-2015-6788: Type confusion in extensions. Credit to anonymous. 557981 High CVE-2015-6789: Use-after-free in Blink. Credit to cloudfuzzer. 542054 Medium CVE-2015-6790: Escaping issue in saved pages. Credit ...
passenger -- client controlled header overwriting
Daniel Knoppel reports: It was discovered by the SUSE security team that it was possible, in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. CVE-2015-7519 has been assigned to this issue. Affected use-cases: Header overwriting may occur ...
redmine -- information leak vulnerability
Redmine reports: Data disclosure in atom feed...
cacti -- SQL injection vulnerabilities
NVD reports: SQL injection vulnerability in include/topgraphheader.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rraid parameter in a properties action to graph.php...
libressl -- NULL pointer dereference
The OpenBSD project reports: A NULL pointer deference could be triggered by a crafted certificate sent to services configured to verify client certificates on TLS/SSL connections...
openssl -- multiple vulnerabilities
OpenSSL project reports: BNmodexp may produce incorrect results on x8664 CVE-2015-3193 Certificate verify crash with missing PSS parameter CVE-2015-3194 X509ATTRIBUTE memory leak CVE-2015-3195 Race condition handling PSK identify hint CVE-2015-3196 Anon DH ServerKeyExchange with 0 p parameter...
py-amf -- input sanitization errors
oCERT reports: A specially crafted AMF payload, containing malicious references to XML external entities, can be used to trigger Denial of Service DoS conditions or arbitrarily return the contents of files that are accessible with the running application privileges...
libtorrent -- remote DoS
X-cela reports: Calls into buildbenocde that use %zu could crash on 64 bit machines due to the size change of sizet. Someone can force READENCIA to fail allowing an internalerror to be thrown and bring down the client...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 41 security fixes in this release, including: 558589 Critical CVE-2015-6765: Use-after-free in AppCache. Credit to anonymous. 551044 High CVE-2015-6766: Use-after-free in AppCache. Credit to anonymous. 554908 High CVE-2015-6767: Use-after-free in AppCache. Credit t...