907757 matches found
DLA-1839-1 expat - security update
Bulletin has no description...
DLA-1829-1 firefox-esr - security update
Bulletin has no description...
RLSA-2019:1529 Important: pki-deps:10.6 security update
The Public Key Infrastructure (PKI) Deps module contains fundamental packages required as dependencies for the pki-core module by Rocky Enterprise Software Foundation Certificate System. Security Fixes: tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up...
CVE-2019-2614
Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: Replication. Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple...
DLA-1761-1 ghostscript - security update
Bulletin has no description...
PSF-2019-10 HTTP Header Injection (follow-up of CVE-2016-5699)
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the query string after a ? charact...
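The CRLF primitive that the PSF-2019-10 entry describes, as an added example (not code from CPython or the advisory): it reconstructs the raw request line a client without control-character filtering would emit for an attacker-controlled URL, lists the header lines that get smuggled in, and shows the pre-parse check a caller should apply. The URL and header names are constructed for the demonstration. The raw string is split by hand because current urllib.parse.urlsplit strips CR and LF itself, which would hide the injection from a check that runs on the parsed parts.

```python
import re

# Any ASCII control character spliced into the request line is a header-
# injection primitive; CR and LF are the ones that terminate a header.
_CTRL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def split_raw_url(url):
    """Split a URL into (scheme, authority, target) without normalising it.

    Done by hand rather than with urllib.parse.urlsplit because recent
    Python versions strip CR/LF inside urlsplit, which would hide the
    injection from any check that runs on the parsed parts.
    """
    scheme, _, rest = url.partition("://")
    authority, _, target = rest.partition("/")
    return scheme, authority, "/" + target


def build_request_line(url):
    """Reconstruct the request line a client that does not filter control
    characters (urllib before the fix) would put on the wire for `url`."""
    _, _, target = split_raw_url(url)
    return "GET " + target + " HTTP/1.1\r\n"


def injected_header_lines(url):
    """Return the extra header lines that `url` smuggles into the request.

    With a clean URL the request consists of a single line and this is empty.
    """
    lines = build_request_line(url).split("\r\n")
    return [line for line in lines[1:] if line]


def contains_control_chars(url):
    """True if `url` carries any byte that could break out of the request line."""
    return _CTRL_CHARS.search(url) is not None


def validated_url(url):
    """Reject a URL with control characters before it reaches any HTTP client.

    This is the check to apply when the URL (or a query parameter inside it)
    is attacker-controlled; it must run on the raw string, before parsing.
    """
    if contains_control_chars(url):
        raise ValueError("URL contains control characters: %r" % url)
    return url


if __name__ == "__main__":
    # Constructed attacker-controlled URL. The " HTTP/1.1" after the query
    # keeps the first line well-formed so the following lines parse as headers.
    hostile = "http://example.com/?q=1 HTTP/1.1\r\nX-Injected: header\r\nTEST: 123"
    print(repr(build_request_line(hostile)))
    print(injected_header_lines(hostile))
    try:
        validated_url(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The fixed CPython releases (3.7.4 and 2.7.17) apply the same idea inside http.client, which now raises InvalidURL when the path or query contains a control character; the check above is for code that must stay safe on an unpatched interpreter or that forwards the URL to some other client.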
DLA-1562-3 poppler - regression update
Bulletin has no description...
DLA-1586-1 openssl - security update
Bulletin has no description...
GHSA-X2RG-FMCV-CRQ5 DNN (aka DotNetNuke) has Remote Code Execution via a cookie
DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 Critical Possible remote code execution on DNN sites."...
RUSTSEC-2018-0006 Uncontrolled recursion leads to abort in deserialization
Affected versions of this crate did not prevent deep recursion while deserializing data structures. This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it. The flaw was corrected by checking the recursion depth. Note: clap 2.33 is not...
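The recursion-depth check that RUSTSEC-2018-0006 says fixed the crate, shown as an added example in Python rather than the crate's own Rust (not code from the page or the project): a small recursive-descent parser for nested integer lists that refuses input nested deeper than a configurable limit, so a hostile '[' * 100000 fails with a clean exception instead of exhausting the stack. The grammar and inputs are constructed for the demonstration.

```python
class DepthLimitExceeded(ValueError):
    """Raised when input nests deeper than the parser is willing to recurse."""


def parse_nested_list(text, max_depth=64):
    """Parse a string such as '[[1,2],[3]]' into nested Python lists of ints.

    Each '[' descends one level; the descent is refused once `max_depth`
    levels are open, so '[' * 100000 raises DepthLimitExceeded long before
    the interpreter's own stack limit is reached.
    """
    pos = 0

    def parse_value(depth):
        nonlocal pos
        if pos >= len(text):
            raise ValueError("unexpected end of input")
        if text[pos] == "[":
            if depth >= max_depth:
                raise DepthLimitExceeded(
                    "nesting deeper than %d levels at offset %d" % (max_depth, pos))
            pos += 1
            items = []
            if pos < len(text) and text[pos] == "]":
                pos += 1
                return items
            while True:
                items.append(parse_value(depth + 1))
                if pos >= len(text):
                    raise ValueError("unterminated list")
                ch = text[pos]
                pos += 1
                if ch == "]":
                    return items
                if ch != ",":
                    raise ValueError("unexpected %r at offset %d" % (ch, pos - 1))
        # integer literal (optional leading minus, then digits)
        start = pos
        if text[pos] == "-":
            pos += 1
        while pos < len(text) and text[pos].isdigit():
            pos += 1
        if not text[start:pos].lstrip("-"):
            raise ValueError("expected integer at offset %d" % start)
        return int(text[start:pos])

    value = parse_value(0)
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return value


def is_within_depth_limit(text, max_depth=64):
    """True if `text` parses without hitting the depth limit.

    Other parse errors propagate; only the depth failure is reported as False.
    """
    try:
        parse_nested_list(text, max_depth)
    except DepthLimitExceeded:
        return False
    return True


if __name__ == "__main__":
    print(parse_nested_list("[[1,2],[3]]"))
    hostile = "[" * 100000            # constructed deep-nesting input
    print(is_within_depth_limit(hostile))   # False, no stack exhaustion
```

A depth limit belongs in any recursive deserializer that takes untrusted input, whatever the format; without it the bound on stack use is set by the attacker's document, not by the program.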
DSA-4287-1 firefox-esr - security update
Bulletin has no description...
DLA-1490-1 php5 - security update
Bulletin has no description...
DLA-1479-1 twitter-bootstrap3 - security update
Bulletin has no description...
DSA-4280-1 openssh - security update
Bulletin has no description...
DSA-4279-1 linux - security update
Bulletin has no description...
DSA-4273-1 intel-microcode - security update
Bulletin has no description...
CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88...
DLA-1453-1 tomcat7 - security update
Bulletin has no description...
DLA-1421-1 ruby2.1 - security update
Bulletin has no description...
DLA-1418-1 bouncycastle - security update
Bulletin has no description...
DSA-4210-1 xen - security update
Bulletin has no description...
DSA-4185-1 openjdk-8 - security update
Bulletin has no description...
DLA-1355-1 mysql-5.5 - security update
Bulletin has no description...
DLA-1319-1 firefox-esr - security update
Bulletin has no description...
DSA-4135-1 samba - security update
Bulletin has no description...
CVE-2017-1000393
Jenkins 2.73.1 and earlier, 2.83 and earlier: users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was suppose...
DSA-4037-1 jackson-databind - security update
Bulletin has no description...
PYSEC-2017-12
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117...
GHSA-76WQ-XW4H-F8WJ activerecord vulnerable to SQL Injection
The Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via...
GHSA-HGPP-PP89-4FGF Action Pack contains database-query restrictions bypass
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 2.3.16, 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to...
GHSA-7G65-GHRG-HPF5 actionpack Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 2.3.16, 3.0.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML...
GHSA-6H5Q-96HP-9JGM actionpack vulnerable to Cross-site Scripting
Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter...
GHSA-XRR4-P6FQ-HJG7 Directory traversal vulnerability in Action View in Ruby on Rails
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing...
CVE-2017-1000117
A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim...
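The dash-prefixed-hostname problem behind both the Dulwich entry (PYSEC-2017-12) and CVE-2017-1000117, as an added example (not code from Dulwich, git or either advisory): a helper that turns an ssh:// or scp-like URL into an argv for the ssh client, refuses any host (or user@host) that would be parsed as an option, and places "--" before the host as a second line of defence. URLs and the remote command are constructed for the demonstration; the argv layout assumes an OpenSSH-style client.

```python
from urllib.parse import urlsplit


def parse_ssh_target(url):
    """Return (user_host, port, path) for an ssh:// URL or scp-like 'host:path'.

    Nothing is validated here beyond the syntax; the caller decides whether
    the host is acceptable, which keeps the check visible at the call site.
    """
    if url.startswith("ssh://"):
        parts = urlsplit(url)
        host = parts.hostname
        if not host:
            raise ValueError("missing host in %r" % url)
        user_host = host if parts.username is None else "%s@%s" % (parts.username, host)
        return user_host, parts.port, parts.path.lstrip("/")
    # scp-like form: [user@]host:path, which has no port syntax
    user_host, sep, path = url.partition(":")
    if not sep or not user_host:
        raise ValueError("not an ssh URL: %r" % url)
    return user_host, None, path


def is_safe_ssh_target(user_host):
    """False when the host (or user@host) would be read by ssh as an option.

    A leading '-' is the whole attack: '-oProxyCommand=<cmd>' in the host
    position becomes a ProxyCommand that ssh runs locally.
    """
    return bool(user_host) and not user_host.startswith("-")


def build_ssh_argv(url, remote_command):
    """Build the ssh command line for `url`, refusing option-shaped hosts."""
    user_host, port, _ = parse_ssh_target(url)
    if not is_safe_ssh_target(user_host):
        raise ValueError("refusing host that looks like an option: %r" % user_host)
    argv = ["ssh"]
    if port:
        argv += ["-p", str(port)]
    # '--' ends option parsing for clients that honour it; the explicit
    # check above is still needed because not every ssh implementation does.
    argv += ["--", user_host, remote_command]
    return argv


if __name__ == "__main__":
    print(build_ssh_argv("ssh://git@example.com:2222/org/repo.git",
                         "git-upload-pack 'org/repo.git'"))
    # Constructed hostile URL of the kind described in the advisories.
    hostile = "ssh://-oProxyCommand=touch%20pwned/repo.git"
    try:
        build_ssh_argv(hostile, "true")
    except ValueError as exc:
        print("rejected:", exc)
```

The same rule applies to any program that hands a user-supplied value to a subprocess in an argument position: either reject values that begin with "-" or make sure they can only land after an end-of-options marker the program is known to honour.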
DLA-1112-1 rubygems - security update
Bulletin has no description...
DLA-1070-1 qemu - security update
Bulletin has no description...
DSA-3944-1 mariadb-10.0 - security update
Bulletin has no description...
DSA-3945-1 linux - security update
Bulletin has no description...
CVE-2017-9787
When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33...
DSA-3892-1 tomcat7 - security update
Bulletin has no description...
CVE-2016-4473
/ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833...
DSA-3870-1 wordpress - security update
Bulletin has no description...
DLA-946-1 nss - security update
Bulletin has no description...
DLA-875-1 php5 - security update
Bulletin has no description...
DLA-797-1 mysql-5.5 - security update
Bulletin has no description...
DSA-3732-1 php5 - security update
Bulletin has no description...
RUSTSEC-2016-0001 SSL/TLS MitM vulnerability due to insecure defaults
All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults including off-by-default certificate verification and no API to perform hostname verification. Unless configured correctly by a developer, these defaults could allow an attacker to perform man-in-the-middle attacks...
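Hostname verification, the check missing from the Tomcat WebSocket client (CVE-2018-8034) and absent from pre-0.9.0 rust-openssl (RUSTSEC-2016-0001), as an added Python example (not code from Tomcat, rust-openssl or either advisory): a strict RFC 6125-style matcher of the name the client connected to against the certificate's subjectAltName entries, plus the ssl.SSLContext settings that turn chain validation and hostname checking on, and the deliberately weak configuration the advisories warn about. SAN entries and hostnames are constructed samples; the matcher is stricter than OpenSSL's default in that a wildcard is accepted only as the entire leftmost label.

```python
import ipaddress
import ssl


def _dns_name_matches(pattern, hostname):
    """Match one dNSName SAN entry against hostname.

    Stricter than OpenSSL's default: a wildcard must be the entire leftmost
    label, must be followed by at least two labels, and matches exactly one
    label (so *.example.com matches www.example.com but not a.b.example.com
    or example.com itself).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname, san_entries):
    """RFC 6125-style check of `hostname` against subjectAltName entries.

    `san_entries` is a list of (kind, value) pairs with kind "DNS" or "IP".
    An IP literal only ever matches an iPAddress entry, never a dNSName.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if kind == "IP" and ip is not None and ip == ipaddress.ip_address(value):
            return True
        if kind == "DNS" and ip is None and _dns_name_matches(value, hostname):
            return True
    return False


def verifying_client_context():
    """The hardened client configuration: chain validation against the
    system trust store and hostname verification, both on by default."""
    return ssl.create_default_context()


def context_is_hardened(ctx):
    """True only when the peer certificate is required and its name is checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def disable_verification(ctx):
    """The insecure default the rust-openssl advisory describes, reproduced
    deliberately for contrast. check_hostname has to be cleared first: the
    ssl module refuses to set CERT_NONE while hostname checking is enabled."""
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # Constructed SAN list of the kind a web server certificate carries.
    sans = [("DNS", "example.com"), ("DNS", "*.example.com"), ("IP", "192.0.2.10")]
    for name in ("www.example.com", "a.b.example.com", "192.0.2.10", "evil.test"):
        print("%-18s %s" % (name, hostname_matches(name, sans)))
    print("hardened:", context_is_hardened(verifying_client_context()))
    weak = disable_verification(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))
    print("weak:", context_is_hardened(weak))
```

Two separate checks are involved and both are needed: chain validation proves the certificate was issued by a trusted CA, hostname verification proves it was issued for the server being contacted. A client that does only the first accepts any valid certificate, which is exactly the man-in-the-middle position both advisories describe.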
DLA-626-1 phpmyadmin - security update
Bulletin has no description...
CVE-2016-2183
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted...
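The birthday bound the CVE-2016-2183 entry cites, carried through as an added example (not from the advisory): it computes the collision probability and the traffic volume at which a 64-bit block cipher such as 3DES in CBC mode starts to leak plaintext, contrasts that with AES's 128-bit block, and flags cipher-suite names that still rely on DES or 3DES. The suite names are constructed samples in OpenSSL and IANA spelling; the figures come from the standard birthday approximation, not from the page.

```python
import math

# Block sizes in bits for the ciphers being contrasted.
BLOCK_BITS = {"DES": 64, "3DES": 64, "AES": 128}


def collision_probability(n_blocks, block_bits):
    """Birthday-bound estimate of P(at least one repeated ciphertext block)
    after n_blocks blocks under one key with a block_bits-wide cipher.

    A repeated CBC ciphertext block reveals the XOR of two plaintext
    blocks, which is what the attack exploits over a long session.
    """
    space = 2.0 ** block_bits
    return 1.0 - math.exp(-n_blocks * (n_blocks - 1) / (2.0 * space))


def blocks_for_probability(p, block_bits):
    """Blocks after which a collision has occurred with probability p
    (inverse of collision_probability, same approximation)."""
    space = 2.0 ** block_bits
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p)))


def bytes_for_probability(p, block_bits):
    """Same bound expressed as bytes of traffic under one key."""
    return blocks_for_probability(p, block_bits) * (block_bits // 8)


def uses_64bit_block_cipher(suite_name):
    """True for cipher-suite names (OpenSSL or IANA spelling) built on DES/3DES."""
    name = suite_name.upper()
    return any(tok in name for tok in ("3DES", "DES-CBC3", "DES_EDE", "DES-CBC"))


if __name__ == "__main__":
    for cipher, bits in BLOCK_BITS.items():
        gib = bytes_for_probability(0.5, bits) / 2 ** 30
        print("%-4s %3d-bit blocks: 50%% collision chance after %.3g GiB" % (cipher, bits, gib))
    print("2^32 blocks of 3DES:", round(collision_probability(2 ** 32, 64), 3))
    for suite in ("ECDHE-RSA-DES-CBC3-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                  "ECDHE-RSA-AES128-GCM-SHA256"):
        print("%-32s 64-bit block: %s" % (suite, uses_64bit_block_cipher(suite)))
```

The practical reading: with a 64-bit block the even-odds point sits in the tens of gigabytes under a single key, which a long-lived TLS or VPN session can reach, whereas a 128-bit block pushes it past 2^64 blocks. The fix is to drop DES/3DES suites from the server and client lists rather than to rekey more often.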
DLA-569-1 xmlrpc-epi - security update
Bulletin has no description...