3816 matches found
rclone: Weak random number generation
Background rclone is a problem to sync files to and from various cloud storage providers. Description Passwords generated with rclone were insecurely generated and are vulnerable to brute force attacks. Impact Data kept secret with a password generated by rclone may be disclosed to a local...
BladeEnc: Buffer overflow
Background BladeEnc is an mp3 encoder. Description A crafted file could cause a buffer overflow in the iterationloop function in BladeEnc. Impact A remote attacker could entice a user to open a specially crafted using BladeEnc, possibly resulting in execution of arbitrary code with the privileges...
blktrace: Buffer overflow
Background blktrace shows detailed information about what is happening on a block device IO queue. Description A crafted file could cause a buffer overflow in the ‘devmapread’ function because the device and devno arrays are too small. Impact A remote attacker could entice a user to open a...
Privoxy: Multiple vulnerabilities
Background Privoxy is a web proxy with advanced filtering capabilities for enhancing privacy. Description Multiple vulnerabilities have been discovered in privoxy. Please review the CVE identifiers referenced below for details. Impact An attacker could cause a possible Denial of Service condition...
Mechanize: Command injection
Background Mechanize is a Ruby library used for automating interaction with websites. Description Mechanize does not neutralize filename input and could allow arbitrary code execution if an attacker can control filenames used by Mechanize. Impact Please review the referenced CVE identifiers for...
TCG TPM2 Software Stack: Information disclosure
Background TCG TPM2 Software Stack is a library to interface with trusted platform modules. Description TCG TPM2 Software Stack did not appropriately apply FAPI policies to protect data encrypted with the trusted platform module. Impact Data encrypted using TCG TPM2 Software Stack tpm2-tss may no...
Schism Tracker: Multiple vulnerabilities
Background Schism Tracker is a free implementation of Impulse Tracker, a tool used to create high quality music. Description Multiple vulnerabilities have been discovered in Schism Tracker. Please review the CVE identifiers referenced below for details. Impact Please review the referenced CVE...
Mozilla Firefox: Multiple vulnerabilities
Background Mozilla Firefox is a popular open-source web browser from the Mozilla project. Description Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details. Impact Please review the referenced CVE identifiers for details...
GLib: Multiple vulnerabilities
Background GLib is a library providing a number of GNOME’s core objects and functions. Description Multiple vulnerabilities have been discovered in GLib. Please review the CVE identifiers referenced below for details. Impact Please review the referenced CVE identifiers for details. Workaround The...
OpenDoas: Insufficient environment filtering
Background OpenDoas allows users to run commands as other users. Description OpenDoas does not properly filter the PATH variable from the resulting shell after escalating privileges. Impact A local attacker with control of a user’s PATH variable could escalate privileges if that user uses OpenDoa...
PostSRSd: Denial of service
Background PostSRSd is a Postfix sender rewriting scheme daemon Description Multiple vulnerabilities have been discovered in PostSRSd. Please review the CVE identifiers referenced below for details. Impact An attacker could cause a possible Denial of Service condition. Workaround There is no know...
libxml2: Multiple vulnerabilities
Background libxml2 is the XML eXtended Markup Language C parser and toolkit initially developed for the GNOME project. Description Multiple vulnerabilities have been discovered in libxml2. Please review the CVE identifiers referenced below for details. Impact A remote attacker could entice a user...
glibc: Multiple vulnerabilities
Background glibc is a package that contains the GNU C library. Description Multiple vulnerabilities have been discovered in glibc. Please review the CVE identifiers referenced below for details. Impact An attacker could cause a possible Denial of Service condition. Workaround There is no known...
Chromium, Google Chrome: Multiple vulnerabilities
Background Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web. Google Chrome is one fast, simple, and secure browser for all your devices. Description Multiple vulnerabilities have been discovered in Chromium and...
corosync: Denial of service
Background The Corosync Cluster Engine is a Group Communication System with additional features for implementing high availability within applications. Description It was discovered that corosync allowed an unauthenticated user to cause a Denial of Service by application crash. Impact A remote...
FreeImage: Multiple vulnerabilities
Background FreeImage is an Open Source library project for developers who would like to support popular graphics image formats like PNG, BMP, JPEG, TIFF and others as needed by today’s multimedia applications. Description Multiple vulnerabilities have been discovered in FreeImage. Please review t...
libqb: Insecure temporary file
Background libqb is a library with the primary purpose of providing high-performance, reusable features for client-server architecture, such as logging, tracing, inter-process communication IPC, and polling. Description It was discovered that libqb used predictable filenames under /dev/shm and /t...
Background Graphviz is an open source graph visualization software. Description Multiple vulnerabilities have been discovered in Graphviz. Please review the CVE identifiers referenced below for details. Impact A remote attacker could entice a user to process a specially crafted file using Graphvi...
OpenSMTPD: Multiple vulnerabilities
Background OpenSMTPD is a lightweight but featured SMTP daemon from OpenBSD. Description Multiple vulnerabilities have been discovered in OpenSMTPD. Please review the CVE identifiers referenced below for details. Impact A remote attacker, by connecting to the SMTP listener daemon, could possibly...
Mutt, NeoMutt: Denial of service
Background Mutt is a small but very powerful text-based mail client. NeoMutt is a command line mail reader or MUA. It’s a fork of Mutt with added features. Description It was discovered that Mutt, and NeoMutt did not properly handle certain situations where an IMAP sequence set ends with a comma...
Boost: Buffer overflow
Background Boost is a set of C++ libraries, including the Boost.Regex library to process regular expressions. Description It was discovered that Boost incorrectly sanitized ‘nextsize’ and ‘maxsize’ parameter in orderedmalloc function when allocating memory. Impact A remote attacker could provide ...
Smarty: Multiple vulnerabilities
Background Smarty is a template engine for PHP. Description Multiple vulnerabilities have been discovered in Smarty template engine. Please review the CVE identifiers referenced below for details. Impact Please review the referenced CVE identifiers for details. Workaround There is no known...
stunnel: Improper certificate validation
Background The stunnel program is designed to work as an SSL/TLS encryption wrapper between a client and a local or remote server. Description It was discovered that stunnel did not correctly verified the client certificate when options “redirect” and “verifyChain” are used. Impact A remote...
GPT fdisk: Integer underflow
Background GPT fdisk consisting of the gdisk, cgdisk, sgdisk, and fixparts programs is a set of text-mode partitioning tools for Linux, FreeBSD, Mac OS X, and Windows. Description It was discovered that ReadLogicalParts function in basicmbr.cc was missing a bounds check. Impact A local attacker...
SpamAssassin: Arbitrary command execution
Background SpamAssassin is an extensible email filter used to identify junk email. Description It was discovered that SpamAssassin incorrectly handled certain CF files. Impact A remote attacker could entice a user or automated system to process a specially crafted CF file using SpamAssassin,...
containerd: Multiple vulnerabilities
Background Containerd is a daemon with an API and a command line client, to manage containers on one machine. It uses runC to run containers according to the OCI specification. Description Multiple vulnerabilities have been discovered in containerd. Please review the CVE identifiers referenced...
Telegram: Security bypass
Background Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed. Description It was discovered that Telegram failed to invalidate a recently active session. Impact Please review the referenced CVE identifiers for details. Workaround There is no known...
ICU: Multiple vulnerabilities
Background ICU is a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications. Description Multiple vulnerabilities have been discovered in ICU. Please review the upstream bugs referenced below for details. Impact Remote attackers...
Samba: Multiple vulnerabilities
Background Samba is a suite of SMB and CIFS client/server programs. Description Multiple vulnerabilities have been discovered in Samba. Please review the CVE identifiers referenced below for details. Impact Please review the referenced CVE identifiers for details. Workaround There is no known...
BusyBox: Denial of service
Background BusyBox is a set of tools for embedded systems and is a replacement for GNU Coreutils. Description It was discovered that BusyBox mishandled the error bit on the huftbuild result pointer when decompressing GZIP compressed data. Impact A remote attacker could entice a user to open a...
X.Org X11 library: Denial of service
Background X.Org is an implementation of the X Window System. The X.Org X11 library provides the X11 protocol library files. Description It was discovered that XLookupColor and other X.Org X11 library functions lacked proper validation of the length of their string parameters. Impact An attacker...
GNOME Autoar: User-assisted execution of arbitrary code
Background GNOME Autoar provides functions and widgets for GNOME applications which want to use archives as a method to transfer directories over the internet. Description It was discovered that GNOME Autoar could extract files outside of the intended directory. Impact A remote attacker could...
Squid: Multiple vulnerabilities
Background Squid is a full-featured Web proxy cache designed to run on Unix systems. It supports proxying and caching of HTTP, FTP, and other URLs, as well as SSL support, cache hierarchies, transparent caching, access control lists and many other features. Description Multiple vulnerabilities ha...
MySQL: Multiple vulnerabilities
Background MySQL is a popular multi-threaded, multi-user SQL server. Description Multiple vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. Impact An attacker could possibly execute arbitrary code with the privileges of the process,...
MuPDF: Multiple vulnerabilities
Background MuPDF is a lightweight PDF viewer and toolkit written in portable C. Description Multiple vulnerabilities have been discovered in MuPDF. Please review the CVE identifiers referenced below for details. Impact A remote attacker could entice a user to open a specially crafted PDF document...
MariaDB: Multiple vulnerabilities
Background MariaDB is an enhanced, drop-in replacement for MySQL. Description Multiple vulnerabilities have been discovered in MariaDB. Please review the CVE identifiers referenced below for details. Impact Please review the referenced CVE identifiers for details. Workaround There is no known...
OpenVPN: Authentication bypass
Background OpenVPN is a multi-platform, full-featured SSL VPN solution. Description It was discovered that OpenVPN incorrectly handled deferred authentication. Impact A remote attacker could bypass authentication and access control channel data and trigger further information leaks. Workaround...
PostgreSQL: Multiple vulnerabilities
Background PostgreSQL is an open source object-relational database management system. Description Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details. Impact An authenticated remote attacker, by executing malicious crafted...
Mumble: User-assisted execution of arbitrary code
Background Mumble is low-latency voice chat software intended for use with gaming. Description Please review the CVE identifiers referenced below for details. Impact A remote attacker could entice a user to open a specially crafted server list web page using Mumble, possibly resulting in executio...
Bash: Privilege escalation
Background Bash is the standard GNU Bourne Again SHell. Description It was discovered that Bash incorrectly dropped privileges by setting its effective UID to its real UID. Impact A local attacker could possibly escalate privileges. Workaround There is no known workaround at this time. Resolution...
LittleCMS: User-assisted execution of arbitrary code
Background LittleCMS, or short lcms, is a color management system for working with ICC profiles. It is used by many applications including GIMP, Firefox and Chromium. Description It was discovered that LittleCMS aka Little Color Management System had an integer overflow in the AllocateDataSet...
rxvt-unicode: User-assisted execution of arbitrary code
Background rxvt-unicode urxvt is a clone of the rxvt terminal emulator. Description It was discovered that rxvt-unicode did not properly handle certain escape sequences. Impact A remote attacker could entice a user to run a program where attacker controls the output inside a rxvt terminal window,...
PHP: Multiple vulnerabilities
Background PHP is an open source general-purpose scripting language that is especially suited for web development. Description Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers and bugs referenced below for details. Impact Please review the referenced CVE...
Tar: Denial of service
Background The Tar program provides the ability to create and manipulate tar archives. Description It was discovered that GNU Tar had a memory leak when processing archive headers. Impact A remote attacker could entice a user to open a specially crafted archive using Tar, possibly resulting in a...
Dnsmasq: DNS cache poisoning
Background Dnsmasq is a lightweight and easily-configurable DNS forwarder and DHCP server. Description It was discovered that Dnsmasq, when configured with --server=@ or similar e.g. through dbus, configured a fixed UDP port for all outgoing queries to the specified upstream DNS server. Impact An...
Tcpreplay: Multiple vulnerabilities
Background Tcpreplay is a suite of utilities for UNIX systems for editing and replaying network traffic which was previously captured by tools like tcpdump and ethereal/wireshark. Description Multiple vulnerabilities have been discovered in Tcpreplay. Please review the CVE identifiers referenced...
Nettle: Denial of service
Background Nettle is a cryptographic library that is designed to fit easily in almost any context: In cryptographic toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like lsh or GnuPG, or even in kernel space. Description It was discovered that Nettle incorrect...
FFmpeg: Multiple vulnerabilities
Background FFmpeg is a complete, cross-platform solution to record, convert and stream audio and video. Description Multiple vulnerabilities have been discovered in FFmpeg. Please review the CVE identifiers referenced below for details. Impact A remote attacker could entice a user to open a...
GNU Screen: User-assisted execution of arbitrary code
Background GNU Screen is a full-screen window manager that multiplexes a physical terminal between several processes, typically interactive shells. Description It was discovered that GNU screen did not properly handle certain UTF-8 character sequences. Impact A remote attacker could entice a user...
Prosŏdy IM: Multiple vulnerabilities
Background Prosŏdy IM is a modern XMPP communication server. It aims to be easy to set up and configure, and efficient with system resources. Description Multiple vulnerabilities have been discovered in Prosŏdy IM. Please review the CVE identifiers referenced below for details. Impact Please revi...