ffmpeg -- out-of-bounds array access
NVD reports: The msrle_decode_pal4 function in msrledec.c in Libav before 10.7 and 11.x before 11.4 and FFmpeg before 2.0.7, 2.2.x before 2.2.15, 2.4.x before 2.4.8, 2.5.x before 2.5.6, and 2.6.x before 2.6.2 allows remote attackers to have unspecified impact via a crafted image, related to a pixel...
qt4-imageformats, qt4-gui, qt5-gui -- Multiple Vulnerabilities in Qt Image Format Handling
Richard J. Moore reports: Due to two recent vulnerabilities identified in the built-in image format handling code, it was decided that this area required further testing to determine if further issues remained. Fuzzing using afl-fuzz located a number of issues in the handling of BMP, ICO and GIF...
libtasn1 -- stack-based buffer overflow in asn1_der_decoding
Debian reports: Hanno Boeck discovered a stack-based buffer overflow in the asn1_der_decoding function in Libtasn1, a library to manage ASN.1 structures. A remote attacker could take advantage of this flaw to cause an application using the Libtasn1 library to crash, or potentially to execute...
Wesnoth -- Remote information disclosure
US-CERT/NIST reports: The WML/Lua API in Battle for Wesnoth 1.7.x through 1.11.x and 1.12.x before 1.12.2 allows remote attackers to read arbitrary files via a crafted (1) campaign or (2) map file...
net-snmp -- snmp_pdu_parse() function incomplete initialization
Qinghao Tang reports: Incompletely initialized vulnerability exists in the function 'snmp_pdu_parse' of 'snmp_api.c', and remote attackers can cause memory leak, DOS and possible command executions by sending malicious packets...
PostgreSQL -- minor security problems.
PostgreSQL project reports: This update fixes three security vulnerabilities reported in PostgreSQL over the past few months. Neither of these issues is seen as particularly urgent. However, users should examine them in case their installations are vulnerable: CVE-2015-3165 Double "free" after...
qemu -- Heap overflow in QEMU PCNET controller, allowing guest to host escape (CVE-2015-3209)
The QEMU security team reports: A guest which has access to an emulated PCNET network device e.g. with "model=pcnet" in their VIF configuration can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process...
pgbouncer -- remote denial of service
PgBouncer reports: Fix remote crash - invalid packet order causes lookup of NULL pointer. Not exploitable, just DoS...
arj -- multiple vulnerabilities
Several vulnerabilities: symlink directory traversal, absolute path directory traversal and buffer overflow were discovered in the arj archiver...
libksba -- local denial of service vulnerabilities
Martin Prpic, Red Hat Product Security Team, reports: Denial of Service due to stack overflow in src/ber-decoder.c. Integer overflow in the BER decoder src/ber-decoder.c. Integer overflow in the DN decoder src/dn.c...
rubygem-redcarpet -- XSS vulnerability
Daniel LeCheminant reports: When markdown is being presented as HTML, there seems to be a strange interaction between and @ that lets an attacker insert malicious tags...
ntp -- multiple vulnerabilities
ntp.org reports: Sec 2779 ntpd accepts unauthenticated packets with symmetric key crypto. Sec 2781 Authentication doesn't protect symmetric associations against DoS attacks...
dnsmasq -- data exposure and denial of service
Nick Sampanis reported a potential memory exposure and denial of service vulnerability against dnsmasq 2.72. The CVE entry summarizes this as: The tcp_request function in Dnsmasq before 2.73rc4 does not properly handle the return value of the setup_reply function, which allows remote attackers to...
FreeBSD -- Denial of Service with IPv6 Router Advertisements
Problem Description: The Neighbor Discovery Protocol allows a local router to advertise a suggested Current Hop Limit value of a link, which will replace Current Hop Limit on an interface connected to the link on the FreeBSD system. Impact: When the Current Hop Limit (similar to IPv4's TTL) is small...
FreeBSD -- Insecure default GELI keyfile permissions
Problem Description: The default permission set by bsdinstall(8) installer when configuring full disk encrypted ZFS is too open. Impact: A local attacker may be able to get a copy of the geli(8) provider's keyfile which is located at a fixed location...
freeradius3 -- insufficient validation on packets
Jouni Malinen reports: The EAP-PWD module performed insufficient validation on packets received from an EAP peer. This module is not enabled in the default configuration. Administrators must manually enable it for their server to be vulnerable. Only versions 3.0 up to 3.0.8 are affected...
pidgin-otr -- use after free
Hanno Böck reports: The pidgin-otr plugin version 4.0.2 fixes a heap use after free error. The bug is triggered when a user tries to authenticate a buddy and happens in the function create_smp_dialog...
asterisk -- TLS Certificate Common name NULL byte exploit
The Asterisk project reports: When Asterisk registers to a SIP TLS device and verifies the server, Asterisk will accept signed certificates that match a common name other than the one Asterisk is expecting if the signed certificate has a common name containing a null byte after the portion of...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2015-44 Certificate verification bypass through the HTTP/2 Alt-Svc header MFSA 2015-43 Loading privileged content through Reader mode...
cassandra -- remote execution of arbitrary code
Jake Luciani reports: Under its default configuration, Cassandra binds an unauthenticated JMX/RMI interface to all network interfaces. As RMI is an API for the transport and remote execution of serialized Java, anyone with access to this interface can execute arbitrary code as the running user...
subversion -- DoS vulnerabilities
Subversion Project reports: Subversion HTTP servers with FSFS repositories are vulnerable to a remotely triggerable excessive memory use with certain REPORT requests. Subversion mod_dav_svn and svnserve are vulnerable to a remotely triggerable assertion DoS vulnerability for certain requests with...
xen-tools -- Unmediated PCI command register access in qemu
The Xen Project reports: HVM guests are currently permitted to modify the memory and I/O decode bits in the PCI command register of devices passed through to them. Unless the device is an SR-IOV virtual function, after disabling one or both of these bits subsequent accesses to the MMIO or I/O por...
xen-kernel and xen-tools -- Long latency MMIO mapping operations are not preemptible
The Xen Project reports: The XEN_DOMCTL_memory_mapping hypercall allows long running operations without implementing preemption. This hypercall is used by the device model as part of the emulation associated with configuration of PCI devices passed through to HVM guests and is therefore indirectly...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA-2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6) MFSA-2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin MFSA-2015-32 Add-on lightweight theme installation approval bypassed through MITM attack MFSA-2015-33 resource:// documents can...
xen-kernel -- Certain domctl operations may be abused to lock up the host
The Xen Project reports: XSA-77 put the majority of the domctl operations on a list excepting them from having security advisories issued for them if any effects their use might have could hamper security. Subsequently some of them got declared disaggregation safe, but for a small subset this was...
cpio -- multiple vulnerabilities
From the Debian Security Team: Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive. cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitra...
mailman -- path traversal vulnerability
Mark Sapiro reports: A path traversal vulnerability has been discovered and fixed. This vulnerability is only exploitable by a local user on a Mailman server where the suggested Exim transport, the Postfix postfix_to_mailman.py transport or some other programmatic MTA delivery not using aliases is...
Several vulnerabilities in libav
The libav project reports: utvideodec: Handle slice_height being zero CVE-2014-9604 tiff: Check that there is no aliasing in pixel format selection CVE-2014-8544...
rest-client -- session fixation vulnerability
Andy Brody reports: When Ruby rest-client processes an HTTP redirection response, it blindly passes along the values from any Set-Cookie headers to the redirection target, regardless of domain, path, or expiration...
freexl -- multiple vulnerabilities
Jodie Cunningham reports: 1: A flaw was found in the way FreeXL reads sectors from the input file. A specially crafted file could possibly result in stack corruption near freexl.c:3752. 2: A flaw was found in the function allocate_cells. A specially crafted file with invalid workbook dimensions...
qemu -- denial of service vulnerability
Daniel P. Berrange reports: The VNC server websockets decoder will read and buffer data from websockets clients until it sees the end of the HTTP headers, as indicated by \r\n\r\n. In theory this allows a malicious to trick QEMU into consuming an arbitrary amount of RAM...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description SECURITY-171, SECURITY-177 Reflective XSS vulnerability An attacker without any access to Jenkins can navigate the user to a carefully crafted URL and have the user execute unintended actions. This vulnerability can be used to attack Jenkins inside firewalls...
mysql -- SSL Downgrade
Duo Security reports: Researchers have identified a serious vulnerability in some versions of Oracle’s MySQL database product that allows an attacker to strip SSL/TLS connections of their security wrapping transparently...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA-2015-28 Privilege escalation through SVG navigation MFSA-2015-29 Code execution through incorrect JavaScript bounds checking elimination...
Several vulnerabilities found in PHP
The PHP project reports: The PHP development team announces the immediate availability of PHP 5.6.7. Several bugs have been fixed as well as CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP 5.6 users are encouraged to upgrade to this version. The PHP development team announces the immediat...
OpenSSL -- multiple vulnerabilities
OpenSSL project reports: Reclassified: RSA silently downgrades to EXPORT_RSA Client CVE-2015-0204. OpenSSL only. Segmentation fault in ASN1_TYPE_cmp CVE-2015-0286 ASN.1 structure reuse memory corruption CVE-2015-0287 PKCS7 NULL pointer dereferences CVE-2015-0289 Base64 decode CVE-2015-0292. OpenSSL...
libzip -- integer overflow
libzip developers report: Avoid integer overflow. Fixed similarly to patch used in PHP copy of libzip...
django -- multiple vulnerabilities
The Django project reports: In accordance with our security release policy, the Django team is issuing multiple releases -- Django 1.4.20, 1.6.11, 1.7.7 and 1.8c1. These releases are now available on PyPI and our download page. These releases address several security issues detailed below. We...
libXfont -- BDF parsing issues
Alan Coopersmith reports: Ilja van Sprundel, a security researcher with IOActive, has discovered an issue in the parsing of BDF font files by libXfont. Additional testing by Alan Coopersmith and William Robinet with the American Fuzzy Lop afl tool uncovered two more issues in the parsing of BDF...
osc -- shell command injection via crafted _service files
SUSE Security Update reports: osc before 0.151.0 allows remote attackers to execute arbitrary commands via shell metacharacters in a service file...
libuv -- incorrect revocation order while relinquishing privileges
Nodejs releases reports: CVE-2015-0278 This may potentially allow an attacker to gain elevated privileges...
xen-tools -- HVM qemu unexpectedly enabling emulated VGA graphics backends
The Xen Project reports: When instantiating an emulated VGA device for an x86 HVM guest qemu will by default enable a backend to expose that device, either SDL or VNC depending on the version of qemu and the build time configuration. The libxl toolstack library does not explicitly disable these...
Adobe Flash Player -- critical vulnerabilities
Adobe reports: Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. These updates resolve memory corruption vulnerabilities that could lea...
ffmpeg -- multiple vulnerabilities
Please reference CVE/URL list for details...
xen-kernel -- Hypervisor memory corruption due to x86 emulator flaw
The Xen Project reports: Instructions with register operands ignore eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override can, however, corrupt a pointer used subsequently to store the result of the instruction. A malicious gues...
mono -- TLS bugs
The Mono project reports: Mono’s implementation of the SSL/TLS stack failed to check the order of the handshake messages. Which would allow various attacks on the protocol to succeed. Details of this vulnerability are discussed in SKIP-TLS post. Mono’s implementation of SSL/TLS also contained...
xen-kernel -- Information leak through version information hypercall
The Xen Project reports: The code handling certain sub-operations of the HYPERVISOR_xen_version hypercall fails to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents are copied into the destination of the operation, thus becomin...
xen-kernel -- Information leak via internal x86 system device emulation
The Xen Project reports: Emulation routines in the hypervisor dealing with certain system devices check whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that...
phpMyAdmin -- Risk of BREACH attack due to reflected parameter
The phpMyAdmin development team reports: Risk of BREACH attack due to reflected parameter. With a large number of crafted requests it was possible to infer the CSRF token by a BREACH attack. Mitigation factor: this vulnerability can only be exploited in the presence of another vulnerability that...
chromium -- multiple vulnerabilities
Chrome Releases reports: 51 security fixes in this release, including: 456516 High CVE-2015-1212: Out-of-bounds write in media. Credit to anonymous. 448423 High CVE-2015-1213: Out-of-bounds write in skia filters. Credit to cloudfuzzer. 445810 High CVE-2015-1214: Out-of-bounds write in skia filter...