FreeBSD -- routed(8) remote denial of service vulnerability
Problem Description: The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network. Impact: Upon receipt of a query from a source which is not on a directl...
FreeBSD -- shell injection vulnerability in patch(1)
Problem Description: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to pass certain ed(1) scripts to the ed(1) editor, which would run commands. Impact: This issue could be exploited to execute arbitrary commands as the user invoking patch(1)...
wordpress -- Multiple vulnerabilities
Gary Pendergast reports: WordPress 4.2.4 fixes three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site...
qemu, xen-tools -- QEMU leak of uninitialized heap memory in rtl8139 device model
The Xen Project reports: The QEMU model of the RTL8139 network card did not sufficiently validate inputs in the C+ mode offload emulation. This results in uninitialized memory from the QEMU process's heap being leaked to the domain as well as to the network. A guest may be able to read sensitive...
Botan BER Decoder vulnerabilities
The Botan developers report: Excess memory allocation in BER decoder - The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer. Cra...
qemu, xen-tools -- use-after-free in QEMU/Xen block unplug protocol
The Xen Project reports: When unplugging an emulated block device the device was not fully unplugged, meaning a second unplug attempt would attempt to unplug the device a second time using a previously freed pointer. An HVM guest which has access to an emulated IDE disk device may be able to...
froxlor -- database password information leak
[email protected] reports: An unauthenticated remote attacker is able to get the database password via webaccess due to wrong file permissions of the /logs/ folder in froxlor version 0.9.33.1 and earlier. The plain SQL password and username may be stored in the /logs/sql-error.log file...
go -- multiple vulnerabilities
Jason Buberel, Go Product Manager, reports: CVE-2015-5739 - "Content Length" treated as valid header CVE-2015-5740 - Double content-length headers do not return 400 error CVE-2015-5741 - Additional hardening, not sending Content-Length w/Transfer-Encoding, Closing connections...
FreeBSD -- Resource exhaustion in TCP reassembly
Problem Description: There is a mistake with the introduction of VNET, which converted the global limit on the number of segments that could belong to reassembly queues into a per-VNET limit. Because mbufs are allocated from a global pool, in the presence of a sufficient number of VNETs, the tota...
FreeBSD -- shell injection vulnerability in patch(1)
Problem Description: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to run commands in addition to the desired SCCS or RCS commands. Impact: This issue could be exploited to execute arbitrary commands as the user invoking patch(1) against...
subversion -- multiple vulnerabilities
Subversion reports: CVE-2015-3184: Subversion's mod_authz_svn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4. CVE-2015-3187: Subversion servers, both httpd and svnserve, will reveal some paths that should be hidden by...
remind -- buffer overflow with malicious reminder file input
Dianne Skoll reports: BUG FIX: Fix a buffer overflow found by Alexander Keller. The bug can be manifested by an extended DUMP command using a system variable that is a special variable whose name begins with '$'...
qemu, xen-tools -- QEMU heap overflow flaw with certain ATAPI commands
The Xen Project reports: A heap overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the...
lshell -- Shell autocomplete reveals forbidden directories
lshell reports: The autocomplete feature allows users to list directories, while they do not have access to those paths issue 109...
qemu -- stack buffer overflow while parsing SCSI commands
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the SCSI device emulation support is vulnerable to a stack buffer overflow issue. It could occur while parsing SCSI command descriptor block with an invalid operation code. A privileged (CAP_SYS_RAWIO) user inside guest...
wordpress -- XSS vulnerability
Gary Pendergast reports: WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team...
logstash -- SSL/TLS vulnerability with Lumberjack input
Elastic reports: Vulnerability Summary: All Logstash versions prior to 1.5.2 that use Lumberjack input in combination with Logstash Forwarder agent are vulnerable to an SSL/TLS security issue called the FREAK attack. This allows an attacker to intercept communication and access secure data. Users...
sox -- memory corruption vulnerabilities
Michele Spagnuolo, Google Security Team, reports: The write heap buffer overflows are related to ADPCM handling in WAV files, while the read heap buffer overflow is while opening a .VOC...
FreeBSD -- Resource exhaustion due to sessions stuck in LAST_ACK state
Problem Description: TCP connections transitioning to the LAST_ACK state can become permanently stuck due to mishandling of protocol state in certain situations, which in turn can lead to accumulated consumption and eventual exhaustion of system resources, such as mbufs and sockets. Impact: An...
shibboleth-sp -- DoS vulnerability
Shibboleth consortium reports: Shibboleth SP software crashes on well-formed but invalid XML. The Service Provider software contains a code path with an uncaught exception that can be triggered by an unauthenticated attacker by supplying well-formed but schema-invalid XML in the form of SAML...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 43 security fixes in this release, including: 446032 High CVE-2015-1271: Heap-buffer-overflow in pdfium. Credit to cloudfuzzer. 459215 High CVE-2015-1273: Heap-buffer-overflow in pdfium. Credit to makosoft. 461858 High CVE-2015-1274: Settings allowed executable fil...
OpenSSH -- MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices
It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks...
bind -- denial of service vulnerability
ISC reports: An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit...
gnutls -- double free in certificate DN decoding
gnutls.org reports: Kurt Roeckx reported that decoding a specific certificate with very long DistinguishedName (DN) entries leads to a double free, which may result in a denial of service. Since the DN decoding occurs in almost all applications using certificates it is recommended to upgrade the late...
elasticsearch -- directory traversal attack via snapshot API
Elastic reports: Vulnerability Summary: Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack. Remediation Summary: Users should upgrade to 1.6.1 or later, or constrain access to the snapshot API to trusted sources...
elasticsearch -- remote code execution via transport protocol
Elastic reports: Vulnerability Summary: Elasticsearch versions prior to 1.6.1 are vulnerable to an attack that can result in remote code execution. Remediation Summary: Users should upgrade to 1.6.1 or 1.7.0. Alternately, ensure that only trusted applications have access to the transport protocol...
codeigniter -- mysql database driver vulnerability
The CodeIgniter changelog reports: Security: Removed a fallback to mysql_escape_string in the mysql database driver escape_str method when there's no active database connection...
gdk-pixbuf2 -- heap overflow and DoS affecting Firefox and other programs
[email protected] reports: We found a heap overflow and a DoS in the gdk-pixbuf implementation triggered by the scaling of a malformed bmp...
gdk-pixbuf2 -- heap overflow and DoS
Gustavo Grieco reports: We found a heap overflow and a DoS in the gdk-pixbuf implementation triggered by the scaling of a malformed bmp...
devel/ipython -- CSRF possible remote execution vulnerability
Kyle Kelley reports: Summary: POST requests exposed via the IPython REST API are vulnerable to cross-site request forgery (CSRF). Web pages on different domains can make non-AJAX POST requests to known IPython URLs, and IPython will honor them. The user's browser will automatically send IPython...
cacti -- Multiple XSS and SQL injection vulnerabilities
The Cacti Group, Inc. reports: Important Security Fixes Multiple XSS and SQL injection vulnerabilities CVE-2015-4634 - SQL injection in graphs.php Changelog bug: Fixed various SQL Injection vectors bug#0002574: SQL Injection Vulnerabilities in graph items and graph template items bug#0002577:...
Adobe Flash Player -- critical vulnerabilities
Adobe reports: Critical vulnerabilities CVE-2015-5122, CVE-2015-5123 have been identified. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of reports that exploits targeting these vulnerabilities have been...
openssl -- alternate chains certificate forgery vulnerability
OpenSSL reports: During certificate verification, OpenSSL starting from version 1.0.1n and 1.0.2b will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain chec...
groovy -- remote execution of untrusted code
Cédric Champeau reports: Description When an application has Groovy on the classpath and it uses the standard Java serialization mechanism to communicate between servers, or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly wh...
wpa_supplicant -- WPS_NFC option payload length validation vulnerability
Jouni Malinen reports: Incomplete WPS and P2P NFC NDEF record payload length validation. 2015-5...
KeePassX -- information disclosure
Yves-Alexis Perez reports: Starting an export using File / Export to / KeepassX XML file and cancelling it leads to KeepassX saving a cleartext XML file in /.xml without any warning...
bind -- denial of service vulnerability
ISC reports: A very uncommon combination of zone data has been found that triggers a bug in BIND, with the result that named will exit with a "REQUIRE" failure in name.c when validating the data returned in answer to a recursive query. A recursive resolver that is performing DNSSEC validation can...
Adobe Flash Player -- critical vulnerabilities
Adobe reports: Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit targeting CVE-2015-5119 has been publicly published...
xen-tools -- xl command line config handling stack overflow
The Xen Project reports: The xl command line utility mishandles long configuration values when passed as command line arguments, with a buffer overrun. A semi-trusted guest administrator or controller, who is intended to be able to partially control the configuration settings for a domain, can...
squid -- Improper Protection of Alternate Path with CONNECT requests
Squid security advisory 2015:2 reports: Squid configured with cache_peer and operating on explicit proxy traffic does not correctly handle CONNECT method peer responses. The bug is important because it allows remote clients to bypass security in an explicit gateway proxy. However, the bug is...
moodle -- multiple vulnerabilities
Marina Glancy reports: MSA-15-0026: Possible phishing when redirecting to external site using referer header. CVE-2015-3272 MSA-15-0027: Capability 'mod/forum:canposttomygroups' is not respected when using 'Post a copy to all groups' in forum CVE-2015-3273 MSA-15-0028: Possible XSS through custom...
freexl -- integer overflow
Stefan Cornelius reports: There's an integer overflow in the allocate_cells function when trying to allocate the memory for worksheet with specially crafted row/column dimensions. This can be exploited to cause a heap memory corruption. The most likely outcome of this is a crash when trying to...
cups-filters -- texttopdf integer overflow
Stefan Cornelius from Red Hat reports: An integer overflow flaw leading to a heap-based buffer overflow was discovered in the way the texttopdf utility of cups-filters processed print jobs with a specially crafted line size. An attacker being able to submit print jobs could exploit this flaw to...
node, iojs, and v8 -- denial of service
node reports: This release of Node.js fixes a bug that triggers an out-of-band write in V8's utf-8 decoder. This bug impacts all Buffer to String conversions. This is an important security update as this bug can be used to cause a denial of service attack...
haproxy -- information leak vulnerability
HAProxy reports: A vulnerability was found when HTTP pipelining is used. In some cases, a client might be able to cause a buffer alignment issue and retrieve uninitialized memory contents that exhibit data from a past request or session. I want to address sincere congratulations to Charlie...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2015-59 Miscellaneous memory safety hazards rv:39.0 / rv:31.8 / rv:38.1 MFSA 2015-60 Local files or privileged URLs in pages can be opened into new tabs MFSA 2015-61 Type confusion in Indexed Database Manager MFSA 2015-62 Out-of-bound read while computing an...
php -- use-after-free vulnerability
Symeon Paraschoudis reports: Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk...
Joomla! -- Core - Open Redirect vulnerability
The JSST and the Joomla! Security Center report: 20150601 - Core - Open Redirect Inadequate checking of the return value allowed redirecting to an external page...
php -- use-after-free vulnerability
Symeon Paraschoudis reports: Use-after-free vulnerability in spl_recursive_it_move_forward_ex...
Joomla! -- Core - CSRF Protection vulnerabilities
The JSST and the Joomla! Security Center report: 20150602 - Core - CSRF Protection Lack of CSRF checks potentially enabled uploading malicious code...