FreeBSD -- Denial of service attack against sshd(8)
Problem Description: Although OpenSSH is not multithreaded, when OpenSSH is compiled with Kerberos support, the Heimdal libraries bring in the POSIX thread library as a dependency. Due to incorrect library ordering while linking sshd(8), symbols in the C library which are shadowed by the POSIX thre...
FreeBSD -- Remote command execution in ftp(1)
Problem Description: A malicious HTTP server could cause ftp(1) to execute arbitrary commands. Impact: When operating on HTTP URIs, the ftp(1) client follows HTTP redirects, and uses the part of the path after the last '/' from the last resource it accesses as the output filename if '-o' is not...
FreeBSD -- Kernel stack disclosure in setlogin(2) / getlogin(2)
Problem Description: When setlogin(2) is called while setting up a new login session, the login name is copied into an uninitialized stack buffer, which is then copied into a buffer of the same size in the session structure. The getlogin(2) system call returns the entire buffer rather than just the...
unzip -- out of boundary access issues in test_compr_eb
Ubuntu Security Notice USN-2489-1 reports: Michal Zalewski discovered that unzip incorrectly handled certain malformed zip archives. If a user or automated system were tricked into processing a specially crafted zip archive, an attacker could possibly execute arbitrary code...
asterisk -- Remote Crash Vulnerability in WebSocket Server
The Asterisk project reports: When handling a WebSocket frame the res_http_websocket module dynamically changes the size of the memory used to allow the provided payload to fit. If a payload length of zero was received the code would incorrectly attempt to resize to zero. This operation would succe...
jenkins -- slave-originated arbitrary code execution on master servers
Kohsuke Kawaguchi from Jenkins team reports: Historically, Jenkins master and slaves behaved as if they altogether form a single distributed process. This means a slave can ask a master to do just about anything within the confinement of the operating system, such as accessing files on the master...
wget -- path traversal vulnerability in recursive FTP mode
MITRE reports: Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates...
davmail -- fix potential CVE-2014-3566 vulnerability (POODLE)
Mickaël Guessant reports: DavMail 4.6.0 released Enhancements: Fix potential CVE-2014-3566 vulnerability...
libpurple/pidgin -- multiple vulnerabilities
The pidgin development team reports:...
FreeBSD -- routed(8) remote denial of service vulnerability
Problem Description: The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network. Impact: Upon receipt of a query from a source which is not on a directl...
FreeBSD -- rtsold(8) remote buffer overflow vulnerability
Problem Description: Due to a missing length check in the code that handles DNS parameters, a malformed router advertisement message can result in a stack buffer overflow in rtsold(8). Impact: Receipt of a router advertisement message with a malformed DNSSL option, for instance from a compromised...
phpMyAdmin -- XSS vulnerabilities in SQL debug output and server monitor page.
The phpMyAdmin development team reports: With a crafted database or table name it is possible to trigger an XSS in SQL debug output when enabled and in server monitor page when viewing and analysing executed queries. This vulnerability can be triggered only by someone who is logged in to...
FreeBSD -- memory leak in sandboxed namei lookup
Problem Description: The namei facility will leak a small amount of kernel memory every time a sandboxed process looks up a nonexistent path name. Impact: A remote attacker that can cause a sandboxed process (for instance, a web server) to look up a large number of nonexistent path names can cause...
asterisk -- Asterisk Susceptibility to POODLE Vulnerability
The Asterisk project reports: The POODLE vulnerability is described under CVE-2014-3566. This advisory describes the Asterisk project's susceptibility to this vulnerability...
libxml2 -- Denial of service
RedHat reports: A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption denia...
drupal7 -- SQL injection
Drupal Security Team reports: Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution...
OpenSSL -- multiple vulnerabilities
The OpenSSL Project reports: A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects...
libvpx -- out-of-bounds write
The Mozilla Project reports: Using the Address Sanitizer tool, security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team found an out-of-bounds write when buffering WebM format video containing frames with invalid tile sizes. This can lead to a potentially exploitable crash...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2014-74 Miscellaneous memory safety hazards rv:33.0 / rv:31.2 MFSA 2014-75 Buffer overflow during CSS manipulation MFSA 2014-76 Web Audio memory corruption issues with custom waveforms MFSA 2014-78 Further uninitialized memory use during GIF MFSA 2014-79...
twiki -- remote Perl code execution
TWiki developers report: The debugenableplugins request parameter allows arbitrary Perl code execution. Using an HTTP GET request towards a TWiki server, add a specially crafted debugenableplugins request parameter to TWiki's view script (typically port 80/TCP). Prior authentication may or may not ...
xdelta3 -- buffer overflow vulnerability
Stepan Golosunov reports: Buffer overflow was found and fixed in xdelta3 binary diff tool that allows arbitrary code execution from input files at least on some systems...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 159 security fixes in this release, including 113 found using MemorySanitizer: 416449 Critical CVE-2014-3188: A special thanks to Jüri Aedla for a combination of V8 and IPC bugs that can lead to remote code execution outside of the sandbox. 398384 High...
Bugzilla multiple security issues
Bugzilla Security Advisory Unauthorized Account Creation An attacker creating a new Bugzilla account can override certain parameters when finalizing the account creation that can lead to the user being created with a different email address than originally requested. The overridden login name cou...
magento -- multiple vulnerabilities
Magento, Inc. reports: SUPEE-6482 - This patch addresses two issues related to APIs and two cross-site scripting risks. SUPEE-6285 - This patch provides protection against several types of security-related issues, including information leaks, request forgeries, and cross-site scripting. SUPEE-599...
rt42 -- vulnerabilities related to shellshock
Best Practical reports: RT 4.2.0 and above may be vulnerable to arbitrary execution of code by way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- collectively known as "Shellshock." This vulnerability requires a privileged user with access to an RT instance...
jenkins -- remote execution, privilege escalation, XSS, password exposure, ACL hole, DoS
Jenkins Security Advisory: Please reference CVE/URL list for details...
phpMyAdmin -- XSS vulnerabilities
The phpMyAdmin development team reports: With a crafted ENUM value it is possible to trigger an XSS in table search and table structure pages. This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from...
elasticsearch -- cross site scripting vulnerability in the CORS functionality
Elastic reports: Vulnerability Summary: Elasticsearch versions 1.3.x and prior have a default configuration for CORS that allows an attacker to craft links that could cause a user's browser to send requests to Elasticsearch instances on their local network. These requests could cause data loss or...
Joomla! -- Core - Remote File Execution/Denial of Service vulnerabilities
The JSST and the Joomla! Security Center report: 20140903 - Core - Remote File Inclusion Inadequate checking allowed the potential for remote files to be executed. 20140904 - Core - Denial of Service Inadequate checking allowed the potential for a denial of service attack...
rsyslog -- remote syslog PRI vulnerability
The rsyslog project reports: potential abort when a message with PRI 191 was processed if the "pri-text" property was used in active templates; this could be abused to a remote denial of service from permitted senders. The original fix for CVE-2014-3634 was not adequate...
fish -- local privilege escalation and remote code execution
Fish developer David Adam reports: This release fixes a number of local privilege escalation vulnerabilities and one remote code execution vulnerability...
Xymon -- buffer overrun
Debian reports: web/acknowledge.c uses a string twice in a format string, but only allocates memory for one copy...
bash -- remote code execution
Note that this is different than the public "Shellshock" issue. Specially crafted environment variables could lead to remote arbitrary code execution. This was fixed in bash 4.3.27, however the port was patched with a mitigation in 4.3.25_2...
bash -- out-of-bounds memory access in parser
RedHat security team reports: It was discovered that the fixed-sized redirstack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code. An off-by-one...
chromium -- RSA signature malleability in NSS
Google Chrome Releases reports: 414124 RSA signature malleability in NSS CVE-2014-1568. Thanks to Antoine Delignat-Lavaud of Prosecco/INRIA, Brian Smith and Advanced Threat Research team at Intel Security...
bash -- remote code execution vulnerability
Chet Ramey reports: Under certain circumstances, bash will execute user code while processing the environment for exported function definitions. The original fix released for CVE-2014-6271 was not adequate. A similar vulnerability was discovered and tagged as CVE-2014-7169...
py-foolscap -- local file inclusion
Brian Warner reports: The "flappserver" feature was found to have a vulnerability in the service-lookup code which, when combined with an attacker who has the ability to write files to a location where the flappserver process could read them, would allow that attacker to obtain control of the...
Joomla! -- Core - Unauthorized Login vulnerability
The JSST and the Joomla! Security Center report: 20140902 - Core - Unauthorized Logins Inadequate checking allowed unauthorized logins via LDAP authentication...
Joomla! -- Core - XSS Vulnerability
The JSST and the Joomla! Security Center report: 20140901 - Core - XSS Vulnerability Inadequate escaping leads to XSS vulnerability in com_media...
NSS -- RSA Signature Forgery
The Mozilla Project reports: Antoine Delignat-Lavaud discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates...
krfb -- Multiple security issues in bundled libvncserver
Martin Sandsmark reports: krfb 4.14 and earlier embeds libvncserver which has had several security issues. Several remotely exploitable security issues have been uncovered in libvncserver, some of which might allow a remote authenticated user code execution or application crashes...
libvncserver -- multiple security vulnerabilities
Nicolas Ruff reports: Integer overflow in MallocFrameBuffer on client side. Lack of malloc return value checking on client side. Server crash on a very large ClientCutText message. Server crash when scaling factor is set to zero. Multiple stack overflows in File Transfer feature...
nginx -- inject commands into SSL session vulnerability
The nginx project reports: Security: it was possible to reuse SSL sessions in unrelated contexts if a shared SSL session cache or the same TLS session ticket key was used for multiple "server" blocks CVE-2014-3616...
FreeBSD -- Denial of Service in TCP packet processing
Problem Description: When a segment with the SYN flag for an already existing connection arrives, the TCP stack tears down the connection, bypassing a check that the sequence number in the segment is in the expected window. Impact: An attacker who has the ability to spoof IP traffic can tear down...
dbus -- multiple vulnerabilities
Simon McVittie reports: Do not accept an extra fd in the padding of a cmsg message, which could lead to a 4-byte heap buffer overrun CVE-2014-3635. Reduce default for maximum Unix file descriptors passed per message from 1024 to 16, preventing a uid with the default maximum number of connections...
squid -- Buffer overflow in SNMP processing
The squid-cache project reports: Due to incorrect buffer management Squid can be caused by an attacker to write outside its allocated SNMP buffer...
phpMyAdmin -- XSRF/CSRF due to DOM based XSS in the micro history feature
The phpMyAdmin development team reports: XSRF/CSRF due to DOM based XSS in the micro history feature. By deceiving a logged-in user to click on a crafted URL, it is possible to perform remote code execution and in some cases, create a root account due to a DOM based XSS vulnerability in the micro...
www/chromium -- multiple vulnerabilities
Google Chrome Releases reports: 4 security fixes in this release, including: 401362 High CVE-2014-3178: Use-after-free in rendering. Credit to miaubiz. 411014 CVE-2014-3179: Various fixes from internal audits, fuzzing and other initiatives...
Flash player -- Multiple security vulnerabilities in www/linux-*-flashplugin11
Adobe reports: These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system...
security/ossec-hids-* -- root escalation via temp files
OSSEC reports: This correction will create the temp file for the hosts deny file in /var/ossec and will use mktemp where available to create NON-predictable temp file name. In cases where mktemp is not available we have written a BAD version of mktemp, but should be a little better than just...