mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2014-48 Miscellaneous memory safety hazards rv:30.0 / rv:24.6 MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer MFSA 2014-51 Use-after-free in Event Listener Manager MFSA 2014-52 Use-after-free with SMIL Animation Controller MFSA...
file -- buffer overruns and missing buffer size tests
Christos Zoulas reports: A specially crafted file can cause a segmentation fault...
codeigniter -- multiple vulnerabilities
The CodeIgniter changelog reports: Security: The xorencode method in the Encrypt Class has been removed. The Encrypt Class now requires the Mcrypt extension to be installed. Security: The Session Library now uses HMAC authentication instead of a simple MD5 checksum...
OpenSSL -- multiple vulnerabilities
The OpenSSL Project reports: An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and...
FreeBSD -- sendmail improper close-on-exec flag handling
Problem Description: There is a programming error in sendmail(8) that prevented open file descriptors from having close-on-exec properly set. Consequently a subprocess will be able to access all open files that the parent process has open. Impact: A local user who can execute their own program for mail...
FreeBSD -- Incorrect error handling in PAM policy parser
Problem Description: The OpenPAM library searches for policy definitions in several locations. While doing so, the absence of a policy file is a soft failure handled by searching in the next location while the presence of an invalid file is a hard failure handled by returning an error to the...
FreeBSD -- ktrace kernel memory disclosure
Problem Description: Due to an overlooked merge to -STABLE branches, the size for page fault kernel trace entries was set incorrectly. Impact: A user who can enable kernel process tracing could end up reading the contents of kernel memory. Such memory might contain sensitive information, such as...
tomcat -- multiple vulnerabilities
Tomcat Security Team reports: Tomcat does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference,...
elasticsearch and logstash -- remote OS command execution via dynamic scripting
Elastic reports: Vulnerability Summary: In Elasticsearch versions 1.1.x and prior, dynamic scripting is enabled by default. This could allow an attacker to execute OS commands. Remediation Summary: Disable dynamic scripting. Logstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is vulnerable...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 23 security fixes in this release, including: 356653 High CVE-2014-1743: Use-after-free in styles. Credit to cloudfuzzer. 359454 High CVE-2014-1744: Integer overflow in audio. Credit to Aaron Staple. 346192 High CVE-2014-1745: Use-after-free in SVG. Credit to Atte...
gnutls -- client-side memory corruption
GnuTLS project reports: This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client...
libXfont -- X Font Service Protocol and Font metadata file handling issues
Alan Coopersmith reports: Ilja van Sprundel, a security researcher with IOActive, has discovered several issues in the way the libXfont library handles the responses it receives from xfs servers, and has worked with X.Org's security team to analyze, confirm, and fix these issues. Most of these...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 3 security fixes in this release: 358038 High CVE-2014-1740: Use-after-free in WebSockets. Credit to Collin Payne. 349898 High CVE-2014-1741: Integer overflow in DOM ranges. Credit to John Butler. 356690 High CVE-2014-1742: Use-after-free in editing. Credit to...
foreman-proxy SSL verification issue
Foreman Security reports: The smart proxy when running in an SSL-secured mode permits incoming API calls to any endpoint without requiring, or performing any verification of an SSL client certificate. This permits any client with access to the API to make requests and perform actions permitting...
OpenSSL -- NULL pointer dereference / DoS
OpenBSD and David Ramos report: Applications that use SSL_MODE_RELEASE_BUFFERS, such as nginx/apache, are prone to a race condition which may allow a remote attacker to crash the current service...
FreeBSD -- TCP reassembly vulnerability
Problem Description: FreeBSD may add a reassemble queue entry on the stack into the segment list when the reassembly queue reaches its limit. The memory from the stack is undefined after the function returns. Subsequent iterations of the reassembly function will attempt to access this entry...
FreeBSD -- devfs rules not applied by default for jails
Problem Description: The default devfs rulesets are not loaded on boot, even when jails are used. Device nodes will be created in the jail with their normal default access permissions, while most of them should be hidden and inaccessible. Impact: Jailed processes can get access to restricted...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2014-34 Miscellaneous memory safety hazards rv:29.0 / rv:24.5 MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer MFSA 2014-36 Web Audio memory corruption issues MFSA 2014-37 Out of bounds read while decoding JPG images MFSA 2014-38...
chromium -- multiple vulnerabilities
Google Chrome Releases reports belatedly: 9 security fixes in this release, including: 354967 High CVE-2014-1730: Type confusion in V8. Credit to Anonymous. 349903 High CVE-2014-1731: Type confusion in DOM. Credit to John Butler. 359802 High CVE-2014-1736: Integer overflow in V8. Credit to SkyLin...
qt4-imageformats, qt5-gui -- DoS vulnerability in the GIF image handler
Richard J. Moore reports: The builtin GIF decoder in QtGui prior to Qt 5.3 contained a bug that would lead to a null pointer dereference when loading certain hand crafted corrupt GIF files. This in turn would cause the application loading these hand crafted GIFs to crash...
django -- multiple vulnerabilities
The Django project reports: These releases address an unexpected code-execution issue, a caching issue which can expose CSRF tokens and a MySQL typecasting issue. While these issues present limited risk and may not affect all Django users, we encourage all users to evaluate their own risk and...
bugzilla -- Cross-Site Request Forgery
A Bugzilla Security Advisory reports: The login form had no CSRF protection, meaning that an attacker could force the victim to log in using the attacker's credentials. If the victim then reports a new security sensitive bug, the attacker would get immediate access to this bug. Due to changes...
bugzilla -- Social Engineering
A Bugzilla Security Advisory reports: Dangerous control characters can be inserted into Bugzilla, notably into bug comments. If the text, which may look safe, is copied into a terminal such as xterm or gnome-terminal, then unexpected commands could be executed on the local machine...
mumble -- multiple vulnerabilities
Mumble reports: SVG images with local file references could trigger client DoS. The Mumble client did not properly HTML-escape some external strings before using them in a rich-text HTML context...
pivotx -- Multiple unrestricted file upload vulnerabilities
Pivotx reports: Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php extension, and then accessing it via unspecified vectors...
pivotx -- cross-site scripting (XSS) vulnerability
pivotx reports: cross-site scripting (XSS) vulnerability in the nickname and possibly the email field. Mitigated by the fact that an attacker must have a PivotX account...
botan -- cryptographic vulnerability
MITRE reports: The Miller-Rabin primality check in Botan before 1.10.8 and 1.11.x before 1.11.9 improperly uses a single random base, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a DH group...
mohawk -- multiple vulnerabilities
The mohawk project reports: Segfault when parsing malformed / unescaped url, coredump when setting syslog facility...
openafs -- Denial of Service
The OpenAFS development team reports: An attacker with the ability to connect to an OpenAFS fileserver can trigger a buffer overflow, crashing the server. The buffer overflow can be triggered by sending an unauthenticated request for file server statistical information. Clients are not affected...
FreeBSD -- Deadlock in the NFS server
Problem Description: The kernel holds a lock over the source directory vnode while trying to convert the target directory file handle to a vnode, which needs to be returned with the lock held, too. This order may be in violation of normal lock order, which in conjunction with other threads that...
chromium -- multiple vulnerabilities
Google Chrome Releases reports: 31 vulnerabilities fixed in this release, including: 354123 High CVE-2014-1716: UXSS in V8. Credit to Anonymous. 353004 High CVE-2014-1717: OOB access in V8. Credit to Anonymous. 348332 High CVE-2014-1718: Integer overflow in compositor. Credit to Aaron Staple...
OpenSSL -- Remote Information Disclosure
OpenSSL reports: A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with...
OpenSSL -- Local Information Disclosure
OpenSSL reports: A flaw in the implementation of Montgomery Ladder Approach would create a side-channel that leaks sensitive timing information. A local attacker might be able to snoop a signing process and might recover the signing key from it...
otrs -- Clickjacking issue
The OTRS Project reports: An attacker could embed OTRS in a hidden iframe tag of another page, tricking the user into clicking links in OTRS...
redmine -- open redirect vulnerability
Redmine reports: Open Redirect vulnerability...
postfixadmin -- SQL injection vulnerability
Thijs Kinkhorst reports: Postfixadmin has an SQL injection vulnerability. This vulnerability is only exploitable by authenticated users able to create new aliases...
mail/trojita -- may leak mail contents (not user credentials) over unencrypted connection
Jan Kundrát reports: An SSL stripping vulnerability was discovered in Trojitá, a fast Qt IMAP e-mail client. User's credentials are never leaked, but if a user tries to send an e-mail, the automatic saving into the "sent" or "draft" folders could happen over a plaintext connection even if the...
mozilla -- multiple vulnerabilities
The Mozilla Project reports: MFSA 2014-15 Miscellaneous memory safety hazards rv:28.0 / rv:24.4 MFSA 2014-16 Files extracted during updates are not always read only MFSA 2014-17 Out of bounds read during WAV file decoding MFSA 2014-18 crypto.generateCRMFRequest does not validate type of key MFSA...
nginx-devel -- SPDY heap buffer overflow
The nginx project reports: A bug in the experimental SPDY implementation in nginx was found, which might allow an attacker to cause a heap memory buffer overflow in a worker process by using a specially crafted request, potentially resulting in arbitrary code execution (CVE-2014-0133). The problem...
nginx -- SPDY heap buffer overflow
The nginx project reports: A bug in the experimental SPDY implementation in nginx was found, which might allow an attacker to cause a heap memory buffer overflow in a worker process by using a specially crafted request, potentially resulting in arbitrary code execution (CVE-2014-0133). The problem...
www/chromium -- multiple vulnerabilities
Google Chrome Releases reports: New vulnerabilities after the Pwn2Own competition: 352369 Code execution outside sandbox. Credit to VUPEN. 352374 High CVE-2014-1713: Use-after-free in Blink bindings 352395 High CVE-2014-1714: Windows clipboard vulnerability 352420 Code execution outside sandbox...
linux-flashplugin -- multiple vulnerabilities
Adobe reports: These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system...
mutt -- denial of service, potential remote code execution
Beatrice Torracca and Evgeni Golov report: A buffer overflow has been discovered that could result in denial of service or potential execution of arbitrary code. This condition can be triggered by malformed RFC2047 header lines...
strongswan -- Remote Authentication Bypass
strongSwan developers report: Remote attackers are able to bypass authentication by rekeying an IKE_SA during (1) initiation or (2) re-authentication, which triggers the IKE_SA state to be set to established. Only installations that actively initiate or re-authenticate IKEv2 IKE_SAs are affected...
www/chromium -- multiple vulnerabilities
Google Chrome Releases reports: 7 vulnerabilities fixed in this release, including: 344881 High CVE-2014-1700: Use-after-free in speech. Credit to Chamal de Silva. 342618 High CVE-2014-1701: UXSS in events. Credit to aidanhs. 333058 High CVE-2014-1702: Use-after-free in web database. Credit to...
LibYAML input sanitization errors
oCERT reports: The LibYAML project is an open source YAML 1.1 parser and emitter written in C. The library is affected by a heap-based buffer overflow which can lead to arbitrary code execution. The vulnerability is caused by lack of proper expansion for the string passed to the...
samba -- multiple vulnerabilities
Samba project reports: In Samba's SAMR server we neglect to ensure that attempted password changes will update the bad password count, nor set the lockout flags. This would allow a user unlimited attempts against the password by simply calling ChangePasswordUser2 repeatedly. This is available...
asterisk -- multiple vulnerabilities
The Asterisk project reports: Stack Overflow in HTTP Processing of Cookie Headers. Sending a HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request. Denial of...
libssh -- PRNG state reuse on forking servers
Aris Adamantiadis reports: When accepting a new connection, the server forks and the child process handles the request. The RAND_bytes function of openssl doesn't reset its state after the fork, but simply adds the current process id getpid() to the PRNG state, which is not guaranteed to be unique...