6527 matches found
asterisk -- Remotely triggered crash
The Asterisk project reports: When an out of call message - delivered by either the SIP or PJSIP channel driver or the XMPP stack - is handled in Asterisk, a crash can occur if the channel servicing the message is sent into the ReceiveFax dialplan application while using the res_fax_spandsp module...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 50 security fixes in this release, including: 386988 Critical CVE-2014-3176, CVE-2014-3177: A special reward to lokihardt@asrt for a combination of bugs in V8, IPC, sync, and extensions that can lead to remote code execution outside of the sandbox. 369860 High...
openoffice -- information disclosure vulnerability
Apache reports: The exposure exploits the way OLE previews are generated to embed arbitrary file data into a specially crafted document when it is opened. Data exposure is possible if the updated document is distributed to other parties...
django -- multiple vulnerabilities
The Django project reports: These releases address an issue with reverse generating external URLs; a denial of service involving file uploads; a potential session hijacking issue in the remote-user middleware; and a data leak in the administrative interface. We encourage all users of Django to...
phpMyAdmin -- XSS vulnerabilities
The phpMyAdmin development team reports: Multiple XSS vulnerabilities in browse table, ENUM editor, monitor, query charts and table relations pages. With a crafted database, table or a primary/unique key column name it is possible to trigger an XSS when dropping a row from the table. With a craft...
PHP multiple vulnerabilities
The PHP Team reports: insecure temporary file use in the configure script; unserialize SPL ArrayObject / SPLObjectStorage Type Confusion; Heap buffer over-read in DateInterval; fileinfo: cdf_read_short_sector insufficient boundary check; fileinfo: CDF infinite loop in nelements DoS; fileinfo: fileinfo:...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 12 security fixes in this release, including 390174 High CVE-2014-3165: Use-after-free in web sockets. Credit to Collin Payne. 398925 High CVE-2014-3166: Information disclosure in SPDY. Credit to Antoine Delignat-Lavaud. 400950 CVE-2014-3167: Various fixes from...
e2fsprogs -- buffer overflow if s_first_meta_bg too big
Theodore Ts'o reports: If s_first_meta_bg is greater than the number of block group descriptor blocks, then reading or writing the block group descriptors will end up overrunning the memory buffer allocated for the descriptors. The finding is credited to a vulnerability report from Jose Duart of Goog...
OpenSSL -- multiple vulnerabilities
The OpenSSL Project reports: A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_NAME_oneline, X509_NAME_print_ex et al. to leak some information from the stack. CVE-2014-3508 The issue affects OpenSSL clients and allows a malicious server to crash the client with a null pointer...
subversion -- several vulnerabilities
Subversion Project reports: Using the Serf RA layer of Subversion for HTTPS uses the apr_fnmatch API to handle matching wildcards in certificate Common Names and Subject Alternate Names. However, apr_fnmatch is not designed for this purpose. Instead it is designed to behave like common shell...
serf -- SSL Certificate Null Byte Poisoning
serf Development list reports: Serf provides APIs to retrieve information about a certificate. These APIs return the information as NUL terminated strings commonly called C strings. X.509 uses counted length strings which may include a NUL byte. This means that a library user will interpret any...
ansible -- multiple vulnerabilities
Ansible, Inc. reports: Arbitrary execution from data from compromised remote hosts or local data when using a legacy Ansible syntax - resolved in Ansible 1.7; ansible-galaxy command when used on local tarballs and not galaxy.ansible.com can install a malformed tarball if so provided - resolved in...
nginx -- inject commands into SSL session vulnerability
The nginx project reports: Security: pipelined commands were not discarded after STARTTLS command in SMTP proxy CVE-2014-3556; the bug had appeared in 1.5.6...
krfb -- Possible Denial of Service or code execution via integer overflow
Albert Astals Cid reports: krfb embeds libvncserver, which embeds liblzo2; it contains various flaws that result in integer overflow problems. This potentially allows a malicious application to create a possible denial of service or code execution. Due to the need to exploit precise details of th...
samba -- remote code execution
Samba developers report: A malicious browser can send packets that may overwrite the heap of the target nmbd NetBIOS name services daemon. It may be possible to use this to generate a remote code execution vulnerability as the superuser root...
net-snmp -- snmptrapd crash
Murray McAllister reports: A remote denial-of-service flaw was found in the way snmptrapd handled certain SNMP traps when started with the "-OQ" option. If an attacker sent an SNMP trap containing a variable with a NULL type where an integer variable type was expected, it would cause snmptrapd to...
kdelibs -- KAuth PID Reuse Flaw
Martin Sandsmark reports: The KAuth framework uses the polkit-1 API, which tries to authenticate using the requestor's PID. This is prone to PID reuse race conditions. This potentially allows a malicious application to pose as another for authentication purposes when executing privileged actions...
tor -- traffic confirmation attack
The Tor Project reports: Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit after an inbound RELAY_EARLY cell is received by a client, which makes it easier for remote attackers to conduct traffic-confirmation attacks by using the pattern of RELAY and RELAY_EARLY cells as a mean...
librsync -- collision vulnerability
Michael Samuel reports: librsync before 1.0.0 uses a truncated MD4 checksum to match blocks, which makes it easier for remote attackers to modify transmitted data via a birthday attack...
bugzilla -- Cross Site Request Forgery
A Bugzilla Security Advisory reports: Adobe does not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against Bugzilla's JSONP endpoint, possibly obtaining sensitive bug information, via a crafted OBJECT element with SWF conte...
i2p -- Multiple Vulnerabilities
The i2p project reports: XSS and remote execution vulnerabilities reported by Exodus Intelligence. Exodus Intelligence reports: The vulnerability we have found is able to perform remote code execution with a specially crafted payload. This payload can be customized to unmask a user and show the...
trafficserver -- unspecified vulnerability
Bryan Call reports: Below is our announcement for the security issue reported to us from Yahoo! Japan. All versions of Apache Traffic Server are vulnerable. We urge users to upgrade to either 4.2.1.1 or 5.0.1 immediately. This fixes CVE-2014-3525 and limits access to how the health checks are...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2014-66 IFRAME sandbox same-origin access through redirect; MFSA 2014-65 Certificate parsing broken by non-standard character encoding; MFSA 2014-64 Crash in Skia library when scaling high quality images; MFSA 2014-63 Use-after-free when manipulating...
ansible -- code execution from compromised remote host data or untrusted local data
Ansible, Inc. reports: Arbitrary execution from data from compromised remote hosts or untrusted local data - resolved in Ansible 1.6.7...
apache22 -- several vulnerabilities
Apache HTTP SERVER PROJECT reports: mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of service via highly compressed bodies. See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,...
phpMyAdmin -- multiple XSS vulnerabilities, missing validation
The phpMyAdmin development team reports: Self-XSS due to unescaped HTML output in database structure page. With a crafted table comment, it is possible to trigger an XSS in database structure page. Self-XSS due to unescaped HTML output in database triggers page. When navigating into the database...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 26 security fixes in this release, including 380885 Medium CVE-2014-3160: Same-Origin-Policy bypass in SVG. Credit to Christian Schneider. 393765 CVE-2014-3162: Various fixes from internal audits, fuzzing and other initiatives...
apache24 -- several vulnerabilities
Apache HTTP SERVER PROJECT reports: mod_proxy: Fix crash in Connection header handling which allowed a denial of service attack against a reverse proxy with a threaded MPM. Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow. mod_deflate: The DEFLATE input filter...
mcollective -- cert validation issue
Melissa Stone reports: The MCollective aes_security public key plugin does not correctly validate certs against the CA. By exploiting this vulnerability within a race/initialization window, an attacker with local access could initiate an unauthorized MCollective client connection with a server, an...
FreeBSD -- Kernel memory disclosure in control messages and SCTP
Problem Description: Buffer between control message header and data may not be completely initialized before being copied to userland. CVE-2014-3952 Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have implicit padding that may not be completely initialized before being copied to...
redmine -- information leak vulnerability
Redmine reports: Potential data leak (project names) in the invalid form authenticity token error screen...
yii -- Remote arbitrary PHP code execution
Yii PHP Framework developers report: We are releasing Yii 1.1.15 to fix a security issue found in 1.1.14. We urge all 1.1.14 users to upgrade their Yii to this latest release. Note that the issue only affects 1.1.14. All previous releases are not affected. Upgrading to this release from 1.1.14 is...
dbus -- multiple vulnerabilities
Simon McVittie reports: Alban Crequy at Collabora Ltd. discovered a bug in dbus-daemon's support for file descriptor passing. A malicious process could force system services or user applications to be disconnected from the D-Bus system bus by sending them a message containing a file descriptor,...
qemu -- denial of service vulnerability in VNC
Prasad J Pandit, Red Hat Product Security Team, reports: Qemu emulator built with the VNC display driver is vulnerable to an infinite loop issue. It could occur while processing a CLIENT_CUT_TEXT message with specially crafted payload message. A privileged guest user could use this flaw to crash th...
ansible -- remote code execution vulnerability
Ansible, Inc. reports: Incomplete Fix Remote Code Execution Vulnerability - Fixed in Ansible 1.6.4...
LZO -- potential buffer overrun when processing malicious input data
Markus Franz Xaver Johannes Oberhumer reports, in the package's NEWS file: Fixed a potential integer overflow condition in the "safe" decompressor variants which could result in a possible buffer overrun when processing maliciously crafted compressed input data. As this issue only affects 32-bit...
gpgme -- heap-based buffer overflow in gpgsm status handler
Tomas Trnka reports: Gpgme contains a buffer overflow in the gpgsm status handler that could possibly be exploited using a specially crafted certificate...
FreeBSD -- Multiple vulnerabilities in file(1) and libmagic(3)
Problem Description: A specifically crafted Composite Document File (CDF) file can trigger an out-of-bounds read or an invalid pointer dereference. CVE-2012-1571 A flaw in regular expression in the awk script detector makes use of multiple wildcards with unlimited repetitions. CVE-2013-7345 A...
mplayer -- potential buffer overrun when processing malicious lzo compressed input
Michael Niedermayer and Luca Barbato report in upstream ffmpeg: avutil/lzo: Fix integer overflow...
logstash -- Remote command execution in Logstash zabbix and nagios_nsca outputs
Elastic reports: The vulnerability impacts deployments that use either the zabbix or the nagios_nsca outputs. In these cases, an attacker with an ability to send crafted events to any source of data for Logstash could execute operating system commands with the permissions of the Logstash...
mencoder -- potential buffer overrun when processing malicious lzo compressed input
Michael Niedermayer and Luca Barbato report in upstream ffmpeg: avutil/lzo: Fix integer overflow...
FreeBSD -- iconv(3) NULL pointer dereference and out-of-bounds array access
Problem Description: A NULL pointer dereference in the initialization code of the HZ module and an out of bounds array access in the initialization code of the VIQR module make iconv_open(3) calls involving HZ or VIQR result in an application crash. Impact: Services where an attacker can control the...
gnupg -- possible DoS using garbled compressed data packets
Werner Koch reports: This release includes a security fix to stop a possible DoS using garbled compressed data packets which can be used to put gpg into an infinite loop...
samba -- multiple vulnerabilities
The samba project reports: A malformed packet can cause the nmbd server to loop the CPU and prevent any further NetBIOS name service. Valid unicode path names stored on disk can cause smbd to crash if an authenticated client attempts to read them using a non-unicode request...
phpMyAdmin -- two XSS vulnerabilities due to unescaped db/table names
The phpMyAdmin development team reports: Self-XSS due to unescaped HTML output in recent/favorite tables navigation. When marking a crafted database or table name as favorite or having it in recent tables, it is possible to trigger an XSS. This vulnerability can be triggered only by someone who...
kdelibs4 -- KMail/KIO POP3 SSL Man-in-the-middle Flaw
Richard J. Moore reports: The POP3 kioslave used by KMail will accept invalid certificates without presenting a dialog to the user due to a bug that leads to an inability to display the dialog combined with an error in the way the result is checked. This flaw allows an active attacker to perform MIT...
iodined -- authentication bypass
Erik Ekman of the iodine project reports: The client could bypass the password check by continuing after getting error from the server and guessing the network parameters. The server would still accept the rest of the setup and also network traffic...
asterisk -- multiple vulnerabilities
The Asterisk project reports: Asterisk Manager User Unauthorized Shell Access. Manager users can execute arbitrary shell commands with the MixMonitor manager action. Asterisk does not require system class authorization for a manager user to use the MixMonitor action, so any manager user who is...
dbus -- local DoS
Simon McVittie reports: Alban Crequy at Collabora Ltd. discovered and fixed a denial-of-service flaw in dbus-daemon, part of the reference implementation of D-Bus. Additionally, in highly unusual environments the same flaw could lead to a side channel between processes that should not be able to...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 4 security fixes in this release, including: 369525 High CVE-2014-3154: Use-after-free in filesystem api. Credit to Collin Payne. 369539 High CVE-2014-3155: Out-of-bounds read in SPDY. Credit to James March, Daniel Sommermann and Alan Frindell of Facebook. 369621...