6528 matches found
ntp -- control message remote Denial of Service vulnerability
ntp.org reports: Under limited and specific circumstances an attacker can send a crafted packet to cause a vulnerable ntpd instance to crash. This requires each of the following to be true: ntpd set up to allow for remote configuration (not allowed by default), and knowledge of the configuration...
wesnoth -- disclosure of .pbl files with lowercase, uppercase, and mixed-case extension
Ignacio R. Morelle reports: As mentioned in the Wesnoth 1.12.4 and Wesnoth 1.13.1 release announcements, a security vulnerability targeting add-on authors was found (bug 23504) which allowed a malicious user to obtain add-on server passphrases from the client's .pbl files and transmit them over the...
bitcoin -- denial of service
Gregory Maxwell reports: On July 7th I will be making public details of several serious denial of service vulnerabilities which have been fixed in recent versions of Bitcoin Core, including CVE-2015-3641. I strongly recommend anyone running production nodes exposed to inbound connections fro...
qemu -- denial of service vulnerability in MSI-X support
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the PCI MSI-X support is vulnerable to null pointer dereference issue. It occurs when the controller attempts to write to the pending bit array (PBA) memory region. Because the MSI-X MMIO support did not define the...
PolarSSL -- Security Fix Backports
Paul Bakker reports: PolarSSL 1.2.14 fixes one remotely-triggerable issue that was found by the Codenomicon Defensics tool, one potential remote crash and countermeasures against the "Lucky 13 strikes back" cache-based attack...
cups-filters -- buffer overflow in texttopdf size allocation
Stefan Cornelius from Red Hat reports: A heap-based buffer overflow was discovered in the way the texttopdf utility of cups-filters processed print jobs with a specially crafted line size. An attacker being able to submit print jobs could exploit this flaw to crash texttopdf or, possibly, execute...
ansible -- multiple vulnerabilities
Ansible, Inc. reports: Ensure that hostnames match certificate names when using HTTPS (resolved in Ansible 1.9.2). Improper symlink handling in zone, jail, and chroot connection plugins could lead to escape from confined environment (resolved in Ansible 1.9.2)...
php-phar -- multiple vulnerabilities
reports: Segfault in Phar::convertToData on invalid file. Buffer overflow and stack smashing error in phar_fix_filepath...
apache22 -- chunk header parsing defect
Apache Foundation reports: CVE-2015-3183 core: Fix chunk header parsing defect. Remove apr_brigade_flatten, buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters...
Adobe Flash Player -- critical vulnerabilities
Adobe reports: Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address a critical vulnerability CVE-2015-3113 that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that CVE-2015-3113 is...
pcre -- Heap Overflow Vulnerability in find_fixedlength()
Venustech ADLAB reports: PCRE library is prone to a vulnerability which leads to Heap Overflow. During subpattern calculation of a malformed regular expression, an offset that is used as an array index is fully controlled and can be large enough so that unexpected heap memory regions are accessed...
mantis -- information disclosure vulnerability
Mantis reports: CVE-2015-5059: documentation in private projects can be seen by every user...
www/chromium -- multiple vulnerabilities
Google Chrome Releases reports: 4 security fixes in this release: 464922 High CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous. 494640 High CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski. 497507 Medium CVE-2015-1267: Cross-origin bypass in Blink. Credit...
freeradius -- insufficient CRL application vulnerability
oCERT reports: The FreeRADIUS server relies on OpenSSL to perform certificate validation, including Certificate Revocation List (CRL) checks. The FreeRADIUS usage of OpenSSL, in CRL application, limits the checks to leaf certificates, therefore not detecting revocation of intermediate CA...
devel/ipython -- remote execution
Kyle Kelley reports: Summary: JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack. This affects use...
libav -- divide by zero
Agostino Sarubbo reports: libav: divide-by-zero in ff_h263_decode_mba...
turnserver -- SQL injection vulnerability
Oleg Moskalenko reports: SQL injection security hole fixed...
dhcpcd -- remote code execution/denial of service
MITRE reports: The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of...
drupal -- multiple vulnerabilities
Drupal development team reports: Impersonation (OpenID module - Drupal 6 and 7 - Critical). A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts. This vulnerability is mitigated by the fa...
qemu -- code execution on host machine
Petr Matousek of Red Hat Inc. reports: Due to converting PIO to the new memory read/write api we no longer provide separate I/O region lengths for read and write operations. As a result, reading from PIT Mode/Command register will end with accessing pit-channels with invalid index and potentially...
cURL -- Multiple Vulnerabilities
cURL reports: libcurl can wrongly send HTTP credentials when re-using connections. libcurl allows applications to set credentials for the upcoming transfer with HTTP Basic authentication, like with CURLOPT_USERPWD for example. Name and password. Just like all other libcurl options the credentials...
ghostscript -- denial of service (crash) via crafted Postscript files
MITRE reports: Integer overflow in the gs_heap_alloc_bytes function in base/gsmalloc.c in Ghostscript 9.15 and earlier allows remote attackers to cause a denial of service (crash) via a crafted Postscript (ps) file, as demonstrated by using the ps2pdf command, which triggers an out-of-bounds read or wri...
rubygem-rails -- multiple vulnerabilities
Ruby on Rails blog: Rails 3.2.22, 4.1.11 and 4.2.2 have been released, along with web console and jquery-rails plugins and Rack 1.5.4 and 1.6.2...
chicken -- Potential buffer overrun in string-translate*
chicken developer Peter Bex reports: Using gcc's Address Sanitizer, it was discovered that the string-translate* procedure from the data-structures unit can scan beyond the input string's length up to the length of the source strings in the map that's passed to string-translate*. This issue was fix...
p5-Dancer -- possible to abuse session cookie values
Russell Jenkins reports: It was possible to abuse session cookie values so that file-based session stores such as Dancer::Session::YAML or Dancer2::Session::YAML would attempt to read/write from any file on the filesystem with the same extension the file-based store uses, such as '.yml' for the...
php5 -- multiple vulnerabilities
The PHP project reports: DOM and GD: Fixed bug 69719 (Incorrect handling of paths with NULs). FTP: Improved fix for bug 69545 (Integer overflow in ftp_genlist resulting in heap overflow) (CVE-2015-4643). Postgres: Fixed bug 69667 (segfault in php_pgsql_meta_data) (CVE-2015-4644)...
xen-kernel -- GNTTABOP_swap_grant_ref operation misbehavior
The Xen Project reports: With the introduction of version 2 grant table operations, a version check became necessary for most grant table related hypercalls. The GNTTABOP_swap_grant_ref call was lacking such a check. As a result, the subsequent code behaved as if version 2 was in use, when a guest...
openssl -- multiple vulnerabilities
The OpenSSL team reports: Missing DHE man-in-the-middle protection (Logjam) (CVE-2015-4000). Malformed ECParameters causes infinite loop (CVE-2015-1788). Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789). PKCS7 crash with missing EnvelopedContent (CVE-2015-1790). CMS verify infinite loop with unkno...
xen-kernel -- vulnerability in the iret hypercall handler
The Xen Project reports: A buggy loop in Xen's compat_iret function iterates the wrong way around a 32-bit index. Any 32-bit PV guest kernel can trigger this vulnerability by attempting a hypercall_iret with EFLAGS.VM set. Given the use of get/put_user, and that the virtual addresses in question are...
security/ossec-hids-* -- root escalation via syscheck feature
OSSEC reports: The CVE-2015-3222 vulnerability, which allows for root escalation via syscheck, has been fixed in OSSEC 2.8.2. This issue does not affect agents...
django -- multiple vulnerabilities
Tim Graham reports: In accordance with our security release policy, the Django team is issuing multiple releases -- Django 1.4.21, 1.7.9, and 1.8.3. These releases are now available on PyPI and our download page. These releases address several security issues detailed below. We encourage all user...
cacti -- Multiple XSS and SQL injection vulnerabilities
The Cacti Group, Inc. reports: Important Security Fixes: Multiple XSS and SQL injection vulnerabilities. Changelog: bug: Fixed SQL injection VN: JVN78187936 / TN: JPCERT98968540; bug 0002542: FG-VD-15-017 Cacti Cross-Site Scripting Vulnerability Notification; bug 0002571: SQL Injection and Location heade...
logstash -- Directory traversal vulnerability in the file output plugin
Elastic reports: An attacker could use the File output plugin with dynamic field references in the path option to traverse paths outside of the Logstash directory. This technique could also be used to overwrite any files which can be accessed with permissions associated with the Logstash user. This relea...
elasticsearch -- security fix for shared file-system repositories
Elastic reports: Vulnerability Summary: All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications. Remediation Summary: Users should upgrade to 1.6.0. Alternately, ensure that other applicatio...
logstash-forwarder and logstash -- susceptibility to POODLE vulnerability
Elastic reports: The combination of Logstash Forwarder and Lumberjack input and output was vulnerable to the POODLE attack in SSLv3 protocol. We have disabled SSLv3 for this combination and set the minimum version to be TLSv1.0. We have added this vulnerability to our CVE page and are working on...
Adobe Flash Player -- critical vulnerabilities
Adobe reports: Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. These updates resolve a vulnerability CVE-2015-3096 that could be...
cups -- multiple vulnerabilities
CUPS development team reports: The new release addresses two security vulnerabilities, adds localizations for German and Russian, and includes several general bug fixes. Changes include: Security: Fixed CERT VU 810572 / CVE-2015-1158 / CVE-2015-1159 (exploiting the dynamic linker, STR 4609). Security: The...
strongswan -- Information Leak Vulnerability
strongSwan Project reports: An information leak vulnerability was fixed that, in certain IKEv2 setups, allowed rogue servers with a valid certificate accepted by the client to trick it into disclosing user credentials (even plain passwords if the client accepts EAP-GTC). This was caused because...
php -- arbitrary code execution
cmb reports: When delayed variable substitution is enabled (can be set in the Registry, for instance), !ENV! works similar to %ENV%, and the value of the environment variable ENV will be substituted...
rubygem-paperclip -- validation bypass vulnerability
Jon Yurek reports: Thanks to MORI Shingo of DeNA Co., Ltd. for reporting this. There is an issue where if an HTML file is uploaded with a .html extension, but the content type is listed as being image/jpeg, this will bypass a validation checking for images. But it will also pass the spoof check,...
rubygem-bson -- DoS and possible injection
Phill MV reports: By submitting a specially crafted string to a service relying on the bson rubygem, an attacker may trigger denials of service or even inject data into a victim's MongoDB instances...
redis -- EVAL Lua Sandbox Escape
Ben Murphy reports: It is possible to break out of the Lua sandbox in Redis and execute arbitrary code. This shouldn’t pose a threat to users under the trusted Redis security model where only trusted users can connect to the database. However, in real deployments there could be databases that can...
polkit -- multiple vulnerabilities
Colin Walters reports: Integer overflow in the authentication_agent_new_cookie function in PolicyKit (aka polkit) before 0.113 allows local users to gain privileges by creating a large number of connections, which triggers the issuance of a duplicate cookie value. The authentication_agent_new function i...
tidy -- heap-buffer-overflow
Geoff McLane reports: tidy is affected by a write out of bounds when processing malformed html files. This issue could be abused on server side applications that use php-tidy extension with user input. The issue was confirmed, analyzed, and fixed by the tidy5 maintainer...
xen-tools -- Guest triggerable qemu MSI-X pass-through error messages
The Xen Project reports: Device model code dealing with guest PCI MSI-X interrupt management activities logs messages on certain supposedly invalid guest operations. A buggy or malicious guest repeatedly invoking such operations may result in the host disk filling up, possibly leading to a Denial...
xen-tools -- PCI MSI mask bits inadvertently exposed to guests
The Xen Project reports: The mask bits optionally available in the PCI MSI capability structure are used by the hypervisor to occasionally suppress interrupt delivery. Unprivileged guests were, however, nevertheless allowed direct control of these bits. Interrupts may be observed by Xen at...
xen-tools -- Unmediated PCI register access in qemu
The Xen Project reports: Qemu allows guests to not only read, but also write all parts of the PCI config space (but not extended config space) of passed through PCI devices not explicitly dealt with for partial emulation purposes. Since the effect depends on the specific purpose of the config...
xen-tools -- Potential unintended writes to host MSI message data field via qemu
The Xen Project reports: Logic is in place to avoid writes to certain host config space fields when the guest must nevertheless be able to access their virtual counterparts. A bug in how this logic deals with accesses spanning multiple fields allows the guest to write to the host MSI message data...
roundcube -- multiple vulnerabilities
Roundcube reports: We just published updates to both stable versions 1.0 and 1.1 after fixing many minor bugs and adding some security improvements to the 1.1 release branch. Version 1.0.6 comes with cherry-picked fixes from the more recent version to ensure proper long term support especially in...
pcre -- multiple vulnerabilities
Venustech ADLAB reports: PCRE library is prone to a vulnerability which leads to Heap Overflow. During the compilation of a malformed regular expression, more data is written on the malloced block than the expected size output by compile_regex. PCRE library is prone to a vulnerability which leads ...