[Midnightbsd-cvs] mports [22074] trunk/security/vuxml/vuln.xml: sync vulnerability list
laffer1 at midnightbsd.org
Sun Nov 6 10:03:49 EST 2016
Revision: 22074
http://svnweb.midnightbsd.org/mports/?rev=22074
Author: laffer1
Date: 2016-11-06 10:03:49 -0500 (Sun, 06 Nov 2016)
Log Message:
-----------
sync vulnerability list
Modified Paths:
--------------
trunk/security/vuxml/vuln.xml
Modified: trunk/security/vuxml/vuln.xml
===================================================================
--- trunk/security/vuxml/vuln.xml 2016-11-04 23:28:26 UTC (rev 22073)
+++ trunk/security/vuxml/vuln.xml 2016-11-06 15:03:49 UTC (rev 22074)
@@ -28,7 +28,7 @@
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- $FreeBSD: head/security/vuxml/vuln.xml 421245 2016-09-01 20:27:24Z gjb $
+ $FreeBSD: head/security/vuxml/vuln.xml 425272 2016-11-03 20:34:34Z rene $
QUICK GUIDE TO ADDING A NEW ENTRY
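Review bot: the only change in this hunk is the upstream keyword moving from `$FreeBSD: head/security/vuxml/vuln.xml 421245 2016-09-01 ...` to `... 425272 2016-11-03 ...`, yet the log message "sync vulnerability list" does not say which upstream revision was synced. Consider stating the upstream revision (425272) in the log message so the next sync can be diffed against a known base without reading the keyword out of the file.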
@@ -58,6 +58,2570 @@
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="ae9cb9b8-a203-11e6-a265-3065ec8fd3ec">
+ <topic>chromium -- out-of-bounds memory access</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <name>chromium-npapi</name>
+ <name>chromium-pulse</name>
+ <range><lt>54.0.2840.90</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://googlechromereleases.blogspot.nl/2016/11/stable-channel-update-for-desktop.html">
+ <p>[659475] High CVE-2016-5198: Out of bounds memory access in V8.
+ Credit to Tencent Keen Security Lab, working with Trend Micro's
+ Zero Day Initiative.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-5198</cvename>
+ <url>https://googlechromereleases.blogspot.nl/2016/11/stable-channel-update-for-desktop.html</url>
+ </references>
+ <dates>
+ <discovery>2016-11-01</discovery>
+ <entry>2016-11-03</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="0fcd3af0-a0fe-11e6-b1cf-14dae9d210b8">
+ <topic>FreeBSD -- OpenSSL Remote DoS vulnerability</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>10.3</ge><lt>10.3_12</lt></range>
+ <range><ge>10.2</ge><lt>10.2_25</lt></range>
+ <range><ge>10.1</ge><lt>10.1_42</lt></range>
+ <range><ge>9.3</ge><lt>9.3_50</lt></range>
+ </package>
+ <package>
+ <name>openssl</name>
+ <range><lt>1.0.2i,1</lt></range>
+ </package>
+ <package>
+ <name>openssl-devel</name>
+ <range><lt>1.1.0a</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>Due to improper handling of alert packets, OpenSSL would
+ consume an excessive amount of CPU time processing undefined
+ alert messages.</p>
+ <h1>Impact:</h1>
+ <p>A remote attacker who can initiate handshakes with an
+ OpenSSL based server can cause the server to consume a lot
+ of computation power with very little bandwidth usage, and
+ may be able to use this technique in a leveraged Denial of
+ Service attack.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-8610</cvename>
+ <freebsdsa>SA-16:35.openssl</freebsdsa>
+ <url>http://seclists.org/oss-sec/2016/q4/224</url>
+ </references>
+ <dates>
+ <discovery>2016-11-02</discovery>
+ <entry>2016-11-02</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="cb116651-79db-4c09-93a2-c38f9df46724">
+ <topic>django -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>py27-django</name>
+ <name>py33-django</name>
+ <name>py34-django</name>
+ <name>py35-django</name>
+ <range><lt>1.8.16</lt></range>
+ </package>
+ <package>
+ <name>py27-django18</name>
+ <name>py33-django18</name>
+ <name>py34-django18</name>
+ <name>py35-django18</name>
+ <range><lt>1.8.16</lt></range>
+ </package>
+ <package>
+ <name>py27-django19</name>
+ <name>py33-django19</name>
+ <name>py34-django19</name>
+ <name>py35-django19</name>
+ <range><lt>1.9.11</lt></range>
+ </package>
+ <package>
+ <name>py27-django110</name>
+ <name>py33-django110</name>
+ <name>py34-django110</name>
+ <name>py35-django110</name>
+ <range><lt>1.10.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Django project reports:</p>
+ <blockquote cite="https://www.djangoproject.com/weblog/2016/nov/01/security-releases/">
+ <p>Today the Django team released Django 1.10.3, Django 1.9.11,
+ and 1.8.16. These releases addresses two security issues
+ detailed below. We encourage all users of Django to upgrade
+ as soon as possible.</p>
+ <ul>
+ <li>User with hardcoded password created when running tests on Oracle</li>
+ <li>DNS rebinding vulnerability when DEBUG=True</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.djangoproject.com/weblog/2016/nov/01/security-releases/</url>
+ <cvename>CVE-2016-9013</cvename>
+ <cvename>CVE-2016-9014</cvename>
+ </references>
+ <dates>
+ <discovery>2016-11-01</discovery>
+ <entry>2016-11-02</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="765feb7d-a0d1-11e6-a881-b499baebfeaf">
+ <topic>cURL -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>curl</name>
+ <range><ge>7.1</ge><lt>7.51.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The cURL project reports</p>
+ <blockquote cite="https://curl.haxx.se/docs/security.html">
+ <ul>
+ <li>cookie injection for other servers</li>
+ <li>case insensitive password comparison</li>
+ <li>OOB write via unchecked multiplication</li>
+ <li>double-free in curl_maprintf</li>
+ <li>double-free in krb5 code</li>
+ <li>glob parser write/read out of bounds</li>
+ <li>curl_getdate read out of bounds</li>
+ <li>URL unescape heap overflow via integer truncation</li>
+ <li>Use-after-free via shared cookies</li>
+ <li>invalid URL parsing with '#'</li>
+ <li>IDNA 2003 makes curl use wrong host</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://curl.haxx.se/docs/security.html</url>
+ <cvename>CVE-2016-8615</cvename>
+ <cvename>CVE-2016-8616</cvename>
+ <cvename>CVE-2016-8617</cvename>
+ <cvename>CVE-2016-8618</cvename>
+ <cvename>CVE-2016-8619</cvename>
+ <cvename>CVE-2016-8620</cvename>
+ <cvename>CVE-2016-8621</cvename>
+ <cvename>CVE-2016-8622</cvename>
+ <cvename>CVE-2016-8623</cvename>
+ <cvename>CVE-2016-8624</cvename>
+ <cvename>CVE-2016-8625</cvename>
+ </references>
+ <dates>
+ <discovery>2016-11-02</discovery>
+ <entry>2016-11-02</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="0b8d01a4-a0d2-11e6-9ca2-d050996490d0">
+ <topic>BIND -- Remote Denial of Service vulnerability</topic>
+ <affects>
+ <package>
+ <name>bind99</name>
+ <range><lt>9.9.9P4</lt></range>
+ </package>
+ <package>
+ <name>bind910</name>
+ <range><lt>9.10.4P4</lt></range>
+ </package>
+ <package>
+ <name>bind911</name>
+ <range><lt>9.11.0P1</lt></range>
+ </package>
+ <package>
+ <name>bind9-devel</name>
+ <range><le>9.12.0.a.2016.10.21</le></range>
+ </package>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>9.3</ge><lt>9.3_50</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>ISC reports:</p>
+ <blockquote cite="https://kb.isc.org/article/AA-01434/">
+ <p>A defect in BIND's handling of responses containing
+ a DNAME answer can cause a resolver to exit after
+ encountering an assertion failure in db.c or
+ resolver.c</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-8864</cvename>
+ <freebsdsa>SA-16:34.bind</freebsdsa>
+ <url>https://kb.isc.org/article/AA-01434/</url>
+ </references>
+ <dates>
+ <discovery>2016-11-01</discovery>
+ <entry>2016-11-02</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f4bf713f-6ac7-4b76-8980-47bf90c5419f">
+ <topic>memcached -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>memcached</name>
+ <range><lt>1.4.33</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Cisco Talos reports:</p>
+ <blockquote cite="http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html">
+ <p>Multiple integer overflow vulnerabilities exist within Memcached
+ that could be exploited to achieve remote code execution on the
+ targeted system. These vulnerabilities manifest in various Memcached
+ functions that are used in inserting, appending, prepending, or
+ modifying key-value data pairs. Systems which also have Memcached
+ compiled with support for SASL authentication are also vulnerable to
+ a third flaw due to how Memcached handles SASL authentication
+ commands.</p>
+ <p>An attacker could exploit these vulnerabilities by sending a
+ specifically crafted Memcached command to the targeted server.
+ Additionally, these vulnerabilities could also be exploited to leak
+ sensitive process information which an attacker could use to bypass
+ common exploitation mitigations, such as ASLR, and can be triggered
+ multiple times. This enables reliable exploitation which makes these
+ vulnerabilities severe.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html</url>
+ <cvename>CVE-2016-8704</cvename>
+ <cvename>CVE-2016-8705</cvename>
+ <cvename>CVE-2016-8706</cvename>
+ </references>
+ <dates>
+ <discovery>2016-10-31</discovery>
+ <entry>2016-11-02</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9bc14850-a070-11e6-a881-b499baebfeaf">
+ <topic>MySQL -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mariadb55-server</name>
+ <name>mysql55-server</name>
+ <range><lt>5.5.53</lt></range>
+ </package>
+ <package>
+ <name>mysql56-server</name>
+ <range><lt>5.6.34</lt></range>
+ </package>
+ <package>
+ <name>mysql57-server</name>
+ <range><lt>5.7.15</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The MariaDB project reports:</p>
+ <blockquote cite="https://mariadb.com/kb/en/mariadb/mariadb-5553-release-notes/">
+ <p>Fixes for the following security vulnerabilities:</p>
+ <ul>
+ <li>CVE-2016-7440</li>
+ <li>CVE-2016-5584</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://mariadb.com/kb/en/mariadb/mariadb-5553-release-notes/</url>
+ <cvename>CVE-2016-7440</cvename>
+ <cvename>CVE-2016-5584</cvename>
+ </references>
+ <dates>
+ <discovery>2016-10-17</discovery>
+ <entry>2016-11-01</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9118961b-9fa5-11e6-a265-3065ec8fd3ec">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <name>chromium-npapi</name>
+ <name>chromium-pulse</name>
+ <range><lt>54.0.2840.59</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://googlechromereleases.blogspot.nl/2016/10/stable-channel-update-for-desktop.html">
+ <p>21 security fixes in this release, including:</p>
+ <ul>
+ <li>[645211] High CVE-2016-5181: Universal XSS in Blink. Credit to
+ Anonymous</li>
+ <li>[638615] High CVE-2016-5182: Heap overflow in Blink. Credit to
+ Giwan Go of STEALIEN</li>
+ <li>[645122] High CVE-2016-5183: Use after free in PDFium. Credit
+ to Anonymous</li>
+ <li>[630654] High CVE-2016-5184: Use after free in PDFium. Credit
+ to Anonymous</li>
+ <li>[621360] High CVE-2016-5185: Use after free in Blink. Credit to
+ cloudfuzzer</li>
+ <li>[639702] High CVE-2016-5187: URL spoofing. Credit to Luan
+ Herrera</li>
+ <li>[565760] Medium CVE-2016-5188: UI spoofing. Credit to Luan
+ Herrera</li>
+ <li>[633885] Medium CVE-2016-5192: Cross-origin bypass in Blink.
+ Credit to haojunhou at gmail.com</li>
+ <li>[646278] Medium CVE-2016-5189: URL spoofing. Credit to xisigr
+ of Tencent's Xuanwu Lab</li>
+ <li>[644963] Medium CVE-2016-5186: Out of bounds read in DevTools.
+ Credit to Abdulrahman Alqabandi (@qab)</li>
+ <li>[639126] Medium CVE-2016-5191: Universal XSS in Bookmarks.
+ Credit to Gareth Hughes</li>
+ <li>[642067] Medium CVE-2016-5190: Use after free in Internals.
+ Credit to Atte Kettunen of OUSPG</li>
+ <li>[639658] Low CVE-2016-5193: Scheme bypass. Credit to Yuyang
+ ZHOU (martinzhou96)</li>
+ <li>[654782] CVE-2016-5194: Various fixes from internal audits,
+ fuzzing and other initiatives</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-5181</cvename>
+ <cvename>CVE-2016-5182</cvename>
+ <cvename>CVE-2016-5183</cvename>
+ <cvename>CVE-2016-5184</cvename>
+ <cvename>CVE-2016-5185</cvename>
+ <cvename>CVE-2016-5186</cvename>
+ <cvename>CVE-2016-5187</cvename>
+ <cvename>CVE-2016-5188</cvename>
+ <cvename>CVE-2016-5189</cvename>
+ <cvename>CVE-2016-5190</cvename>
+ <cvename>CVE-2016-5191</cvename>
+ <cvename>CVE-2016-5192</cvename>
+ <cvename>CVE-2016-5193</cvename>
+ <cvename>CVE-2016-5194</cvename>
+ <url>https://googlechromereleases.blogspot.nl/2016/10/stable-channel-update-for-desktop.html</url>
+ </references>
+ <dates>
+ <discovery>2016-10-12</discovery>
+ <entry>2016-10-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9c135c7e-9fa4-11e6-a265-3065ec8fd3ec">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <name>chromium-npapi</name>
+ <name>chromium-pulse</name>
+ <range><lt>53.0.2785.143</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_29.html">
+ <p>3 security fixes in this release, including:</p>
+ <ul>
+ <li>[642496] High CVE-2016-5177: Use after free in V8. Credit to
+ Anonymous</li>
+ <li>[651092] CVE-2016-5178: Various fixes from internal audits,
+fuzzing and other initiatives.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-5177</cvename>
+ <cvename>CVE-2016-5178</cvename>
+ <url>https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_29.html</url>
+ </references>
+ <dates>
+ <discovery>2016-09-29</discovery>
+ <entry>2016-10-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6a2cfcdc-9dea-11e6-a298-14dae9d210b8">
+ <topic>FreeBSD -- OpenSSH Remote Denial of Service vulnerability</topic>
+ <affects>
+ <package>
+ <name>openssh-portable</name>
+ <range><lt>7.3p1_1</lt></range>
+ </package>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>11.0</ge><lt>11.0_3</lt></range>
+ <range><ge>10.3</ge><lt>10.3_12</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>When processing the SSH_MSG_KEXINIT message, the server
+ could allocate up to a few hundreds of megabytes of memory
+ per each connection, before any authentication take place.</p>
+ <h1>Impact:</h1>
+ <p>A remote attacker may be able to cause a SSH server to
+ allocate an excessive amount of memory. Note that the default
+ MaxStartups setting on FreeBSD will limit the effectiveness
+ of this attack.</p>
+ </body>
+ </description>
+ <references>
+ <url>http://seclists.org/oss-sec/2016/q4/191</url>
+ <cvename>CVE-2016-8858</cvename>
+ <freebsdsa>SA-16:33.openssh</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2016-10-19</discovery>
+ <entry>2016-10-29</entry>
+ <modified>2016-11-02</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="2e4fbc9a-9d23-11e6-a298-14dae9d210b8">
+ <topic>sudo -- Potential bypass of sudo_noexec.so via wordexp()</topic>
+ <affects>
+ <package>
+ <name>sudo</name>
+ <range><ge>1.6.8</ge><lt>1.8.18p1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Todd C. Miller reports:</p>
+ <blockquote cite="https://www.sudo.ws/alerts/noexec_wordexp.html">
+ <p>A flaw exists in sudo's noexec functionality that may allow
+ a user with sudo privileges to run additional commands even when the
+ NOEXEC tag has been applied to a command that uses the wordexp()
+ function.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.sudo.ws/alerts/noexec_wordexp.html</url>
+ <cvename>CVE-2016-7076</cvename>
+ </references>
+ <dates>
+ <discovery>2016-10-28</discovery>
+ <entry>2016-10-28</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ac18046c-9b08-11e6-8011-005056925db4">
+ <topic>Axis2 -- Security vulnerabilities on dependency Apache HttpClient</topic>
+ <affects>
+ <package>
+ <name>axis2</name>
+ <range><lt>1.7.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Apache Axis2 reports:</p>
+ <blockquote cite="http://axis.apache.org/axis2/java/core/release-notes/1.7.4.html">
+ <p>Apache Axis2 1.7.4 is a maintenance release that includes fixes for
+ several issues, including the following security issues:
+ Session fixation (AXIS2-4739) and XSS (AXIS2-5683) vulnerabilities
+ affecting the admin console.
+ A dependency on an Apache HttpClient version affected by known security
+ vulnerabilities (CVE-2012-6153 and CVE-2014-3577); see AXIS2-5757.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://axis.apache.org/axis2/java/core/release-notes/1.7.4.html</url>
+ <url>https://issues.apache.org/jira/browse/AXIS2-4739</url>
+ <url>https://issues.apache.org/jira/browse/AXIS2-5683</url>
+ <url>https://issues.apache.org/jira/browse/AXIS2-5757</url>
+ <cvename>CVE-2012-6153</cvename>
+ <cvename>CVE-2014-3577</cvename>
+ </references>
+ <dates>
+ <discovery>2012-12-06</discovery>
+ <entry>2016-10-28</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="28bb6ee5-9b5c-11e6-b799-19bef72f4b7c">
+ <topic>node.js -- ares_create_query single byte out of buffer write</topic>
+ <affects>
+ <package>
+ <name>node010</name>
+ <range><lt>0.10.48</lt></range>
+ </package>
+ <package>
+ <name>node012</name>
+ <range><lt>0.12.17</lt></range>
+ </package>
+ <package>
+ <name>node4</name>
+ <range><lt>4.6.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Node.js has released new verions containing the following security fix:</p>
+ <blockquote cite="https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/">
+ <p>The following releases all contain fixes for CVE-2016-5180 "ares_create_query single
+ byte out of buffer write": Node.js v0.10.48 (Maintenance), Node.js v0.12.17 (Maintenance),
+ Node.js v4.6.1 (LTS "Argon")
+ </p>
+ <p>While this is not a critical update, all users of these release lines should upgrade at
+ their earliest convenience.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/</url>
+ <cvename>CVE-2016-5180</cvename>
+ <freebsdpr>ports/213800</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2016-10-18</discovery>
+ <entry>2016-10-26</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="27180c99-9b5c-11e6-b799-19bef72f4b7c">
+ <topic>node.js -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>node</name>
+ <range><ge>6.0.0</ge><lt>6.9.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x:</p>
+ <blockquote cite="https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/">
+ <p>Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL
+ configuration file, from the OPENSSL_CONF environment variable or from the default
+ location for the current platform. Always triggering a configuration file load attempt
+ may allow an attacker to load compromised OpenSSL configuration into a Node.js process
+ if they are able to place a file in a default location.
+ </p>
+ <p>Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser mishandled scopes,
+ potentially allowing an attacker to obtain sensitive information from arbitrary memory
+ locations via crafted JavaScript code. This vulnerability would require an attacker to
+ be able to execute arbitrary JavaScript code in a Node.js process.
+ </p>
+ <p>Create a unique v8_inspector WebSocket address: Generate a UUID for each execution of
+ the inspector. This provides additional security to prevent unauthorized clients from
+ connecting to the Node.js process via the v8_inspector port when running with --inspect.
+ Since the debugging protocol allows extensive access to the internals of a running process,
+ and the execution of arbitrary code, it is important to limit connections to authorized
+ tools only. Note that the v8_inspector protocol in Node.js is still considered an
+ experimental feature. Vulnerability originally reported by Jann Horn.
+ </p>
+ <p>All of these vulnerabilities are considered low-severity for Node.js users, however,
+ users of Node.js v6.x should upgrade at their earliest convenience.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/</url>
+ <cvename>CVE-2016-5172</cvename>
+ </references>
+ <dates>
+ <discovery>2016-10-18</discovery>
+ <entry>2016-10-28</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c5c6e293-9cc7-11e6-823f-b8aeed92ecc4">
+ <topic>urllib3 -- certificate verification failure</topic>
+ <affects>
+ <package>
+ <name>py-urllib3</name>
+ <range><lt>1.18</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>urllib3 reports:</p>
+ <blockquote cite="https://github.com/shazow/urllib3/blob/1.18.1/CHANGES.rst">
+ <p>CVE-2016-9015: Certification verification failure</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-9015</cvename>
+ <url>https://github.com/shazow/urllib3/blob/1.18.1/CHANGES.rst</url>
+ </references>
+ <dates>
+ <discovery>2016-10-27</discovery>
+ <entry>2016-10-28</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="de6d01d5-9c44-11e6-ba67-0011d823eebd">
+ <topic>flash -- remote code execution</topic>
+ <affects>
+ <package>
+ <name>linux-f10-flashplugin</name>
+ <name>linux-c6-flashplugin</name>
+ <name>linux-c7-flashplugin</name>
+ <range><lt>11.2r202.643</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adobe reports:</p>
+ <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-36.html">
+ <p>Adobe has released security updates for Adobe Flash Player for
+ Windows, Macintosh, Linux and Chrome OS. These updates address a
+ critical vulnerability that could potentially allow an attacker to
+ take control of the affected system.</p>
+ <p>Adobe is aware of a report that an exploit for CVE-2016-7855
+ exists in the wild, and is being used in limited, targeted attacks
+ against users running Windows versions 7, 8.1 and 10.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-7855</cvename>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsb16-36.html</url>
+ </references>
+ <dates>
+ <discovery>2016-10-26</discovery>
+ <entry>2016-10-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a479a725-9adb-11e6-a298-14dae9d210b8">
+ <topic>FreeBSD -- bhyve - privilege escalation vulnerability</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>11.0</ge><lt>11.0_2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>An unchecked array reference in the VGA device emulation
+ code could potentially allow guests access to the heap of
+ the bhyve process. Since the bhyve process is running as
+ root, this may allow guests to obtain full control of the
+ hosts they are running on.</p>
+ <h1>Impact:</h1>
+ <p>For bhyve virtual machines with the "fbuf" framebuffer
+ device configured, if exploited, a malicious guest could
+ obtain full access to not just the host system, but to other
+ virtual machines running on the system.</p>
+ </body>
+ </description>
+ <references>
+ <freebsdsa>SA-16:32.bhyve</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2016-10-25</discovery>
+ <entry>2016-10-25</entry>
+ <modified>2016-10-25</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="2482c798-93c6-11e6-846f-bc5ff4fb5ea1">
+ <topic>flash -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>linux-c6-flashplugin</name>
+ <name>linux-c6_64-flashplugin</name>
+ <name>linux-c7-flashplugin</name>
+ <name>linux-f10-flashplugin</name>
+ <range><lt>11.2r202.637</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adobe reports:</p>
+ <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-32.html">
+ <p>Adobe has released security updates for Adobe Flash Player for
+ Windows, Macintosh, Linux and ChromeOS. These updates address
+ critical vulnerabilities that could potentially allow an attacker
+ to take control of the affected system.</p>
+ <p>These updates resolve a type confusion vulnerability that could
+ lead to code execution (CVE-2016-6992).</p>
+ <p>These updates resolve use-after-free vulnerabilities that could
+ lead to code execution (CVE-2016-6981, CVE-2016-6987).</p>
+ <p>These updates resolve a security bypass vulnerability
+ (CVE-2016-4286).</p>
+ <p>These updates resolve memory corruption vulnerabilities that could
+ lead to code execution (CVE-2016-4273, CVE-2016-6982,
+ CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986,
+ CVE-2016-6989, CVE-2016-6990).</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-4273</cvename>
+ <cvename>CVE-2016-4286</cvename>
+ <cvename>CVE-2016-6981</cvename>
+ <cvename>CVE-2016-6982</cvename>
+ <cvename>CVE-2016-6983</cvename>
+ <cvename>CVE-2016-6984</cvename>
+ <cvename>CVE-2016-6985</cvename>
+ <cvename>CVE-2016-6986</cvename>
+ <cvename>CVE-2016-6987</cvename>
+ <cvename>CVE-2016-6989</cvename>
+ <cvename>CVE-2016-6990</cvename>
+ <cvename>CVE-2016-6992</cvename>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsb16-32.html</url>
+ </references>
+ <dates>
+ <discovery>2016-10-11</discovery>
+ <entry>2016-10-24</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="aaa9f3db-13b5-4a0e-9ed7-e5ab287098fa">
+ <topic>mozilla -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>49.0.2,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mozilla Foundation reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/">
+ <p>CVE-2016-5287: Crash in nsTArray_base<T>::SwapArrayElements</p>
+ <p>CVE-2016-5288: Web content can read cache entries</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-5287</cvename>
+ <cvename>CVE-2016-5288</cvename>
+ <url>https://www.mozilla.org/security/advisories/mfsa2016-87/</url>
+ </references>
+ <dates>
+ <discovery>2016-10-20</discovery>
+ <entry>2016-10-21</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="0baadc45-92d0-11e6-8011-005056925db4">
+ <topic>Axis2 -- Cross-site scripting (XSS) vulnerability</topic>
+ <affects>
+ <package>
+ <name>axis2</name>
+ <range><lt>1.7.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Apache Axis2 reports:</p>
+ <blockquote cite="http://axis.apache.org/axis2/java/core/release-notes/1.7.3.html">
+ <p>Apache Axis2 1.7.3 is a security release that contains a fix
+ for CVE-2010-3981. That security vulnerability affects the admin console
+ that is part of the Axis2 Web application and was originally reported
+ for SAP BusinessObjects (which includes a version of Axis2). That report
+ didn’t mention Axis2 at all and the Axis2 project only recently became
+ aware (thanks to Devesh Bhatt and Nishant Agarwala) that the issue
+ affects Apache Axis2 as well.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://axis.apache.org/axis2/java/core/release-notes/1.7.3.html</url>
+ <cvename>CVE-2010-3981</cvename>
+ <freebsdpr>ports/213546</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2010-10-18</discovery>
+ <entry>2016-10-18</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c1dc55dc-9556-11e6-b154-3065ec8fd3ec">
+ <topic>Tor -- remote denial of service</topic>
+ <affects>
+ <package>
+ <name>tor</name>
+ <range><lt>0.2.8.9</lt></range>
+ </package>
+ <package>
+ <name>tor-devel</name>
+ <range><lt>0.2.9.4-alpha</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Tor Blog reports:</p>
+ <blockquote cite="https://blog.torproject.org/blog/tor-0289-released-important-fixes">
+ <p>Prevent a class of security bugs caused by treating the contents
+ of a buffer chunk as if they were a NUL-terminated string. At least
+ one such bug seems to be present in all currently used versions of
+ Tor, and would allow an attacker to remotely crash most Tor
+ instances, especially those compiled with extra compiler hardening.
+ With this defense in place, such bugs can't crash Tor, though we
+ should still fix them as they occur. Closes ticket 20384
+ (TROVE-2016-10-001).</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://blog.torproject.org/blog/tor-0289-released-important-fixes</url>
+ </references>
+ <dates>
+ <discovery>2016-10-17</discovery>
+ <entry>2016-10-18</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="43f1c867-654a-11e6-8286-00248c0c745d">
+ <topic>Rails 4 -- Possible XSS Vulnerability in Action View</topic>
+ <affects>
+ <package>
+ <name>rubygem-actionview</name>
+ <range><gt>3.0.0</gt><lt>4.2.7.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Ruby Security team reports:</p>
+ <blockquote cite="https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE">
+ <p>There is a possible XSS vulnerability in Action View. Text declared as "HTML
+safe" will not have quotes escaped when used as attribute values in tag
+helpers. This vulnerability has been assigned the CVE identifier
+CVE-2016-6316.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE</url>
+ <cvename>CVE-2016-6316</cvename>
+ </references>
+ <dates>
+ <discovery>2016-08-11</discovery>
+ <entry>2016-08-18</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7e61cf44-6549-11e6-8286-00248c0c745d">
+ <topic>Rails 4 -- Unsafe Query Generation Risk in Active Record</topic>
+ <affects>
+ <package>
+ <name>rubygem-activerecord4</name>
+ <range><gt>4.2.0</gt><lt>4.2.7.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Ruby Security team reports:</p>
+ <blockquote cite="https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA">
+ <p>There is a vulnerability when Active Record is used in conjunction with JSON
+parameter parsing. This vulnerability has been assigned the CVE identifier
+CVE-2016-6317. This vulnerability is similar to CVE-2012-2660, CVE-2012-2694
+and CVE-2013-0155.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA</url>
+ <cvename>CVE-2016-6317</cvename>
+ </references>
+ <dates>
+ <discovery>2016-08-11</discovery>
+ <entry>2016-08-18</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f471032a-8700-11e6-8d93-00248c0c745d">
+ <topic>PHP -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>php70</name>
+ <range><lt>7.0.11</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>PHP reports:</p>
+ <blockquote cite="http://php.net/ChangeLog-7.php#7.0.11">
+ <ul>
+ <li><p>Fixed bug #73007 (add locale length check)</p></li>
+ <li><p>Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields)</p></li>
+ <li><p>Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile)</p></li>
+ <li><p>Fixed bug #73029 (Missing type check when unserializing SplArray)</p></li>
+ <li><p>Fixed bug #73052 (Memory Corruption in During Deserialized-object Destruction)</p></li>
+ <li><p>Fixed bug #72860 (wddx_deserialize use-after-free)</p></li>
+ <li><p>Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element)</p></li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://php.net/ChangeLog-7.php#7.0.11</url>
+ <cvename>CVE-2016-7416</cvename>
+ <cvename>CVE-2016-7412</cvename>
+ <cvename>CVE-2016-7414</cvename>
+ <cvename>CVE-2016-7417</cvename>
+ <cvename>CVE-2016-7413</cvename>
+ <cvename>CVE-2016-7418</cvename>
+ </references>
+ <dates>
+ <discovery>2016-09-15</discovery>
+ <entry>2016-09-30</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="8d5180a6-86fe-11e6-8d93-00248c0c745d">
+ <topic>PHP -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>php56</name>
+ <range><lt>5.6.26</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>PHP reports:</p>
+ <blockquote cite="http://php.net/ChangeLog-5.php#5.6.26">
+ <ul>
+ <li><p>Fixed bug #73007 (add locale length check)</p></li>
+ <li><p>Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields)</p></li>
+ <li><p>Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile)</p></li>
+ <li><p>Fixed bug #73029 (Missing type check when unserializing SplArray)</p></li>
+ <li><p>Fixed bug #73052 (Memory Corruption in During Deserialized-object Destruction)</p></li>
+ <li><p>Fixed bug #72860 (wddx_deserialize use-after-free)</p></li>
+ <li><p>Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element)</p></li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://php.net/ChangeLog-5.php#5.6.26</url>
+ <cvename>CVE-2016-7416</cvename>
+ <cvename>CVE-2016-7412</cvename>
+ <cvename>CVE-2016-7414</cvename>
+ <cvename>CVE-2016-7417</cvename>
+ <cvename>CVE-2016-7411</cvename>
+ <cvename>CVE-2016-7413</cvename>
+ <cvename>CVE-2016-7418</cvename>
+ </references>
+ <dates>
+ <discovery>2016-09-16</discovery>
+ <entry>2016-09-30</entry>
+ </dates>
+ </vuln>
+
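Review bot: the php70 entry above lists six cvenames while this php56 entry, with the identical seven "Fixed bug" lines, also carries CVE-2016-7411; since both bullet lists include bug #73052 (the deserialized-object destruction memory corruption), check whether CVE-2016-7411 should be added to the php70 entry's references too, or note why it applies only to 5.6.26.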
+ <vuln vid="ad479f89-9020-11e6-a590-14dae9d210b8">
+ <topic>file-roller -- path traversal vulnerability</topic>
+ <affects>
+ <package>
+ <name>file-roller</name>
+ <range><ge>3.5.4,1</ge><lt>3.20.2,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p> reports:</p>
+ <blockquote cite="http://www.openwall.com/lists/oss-security/2016/09/08/4">
+ <p>File Roller 3.5.4 through 3.20.2 was affected by a path
+ traversal bug that could result in deleted files if a user
+ were tricked into opening a malicious archive.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.openwall.com/lists/oss-security/2016/09/08/4</url>
+ <cvename>CVE-2016-7162</cvename>
+ <freebsdpr>ports/213199</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2016-09-08</discovery>
+ <entry>2016-10-12</entry>
+ <modified>2016-10-18</modified>
+ </dates>
+ </vuln>
+
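Review bot: the attribution line in the file-roller entry reads `<p> reports:</p>` with the reporter name missing, so the rendered advisory will show an empty subject before the quoted text; fill in who posted the cited oss-security message (or fall back to "The GNOME project reports:") before this is published.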
+ <vuln vid="7d40edd1-901e-11e6-a590-14dae9d210b8">
+ <topic>VirtualBox -- undisclosed vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>virtualbox-ose</name>
+ <range><ge>5.0</ge><lt>5.0.8</lt></range>
+ <range><ge>4.3</ge><lt>4.3.32</lt></range>
+ <range><ge>4.2</ge><lt>4.2.34</lt></range>
+ <range><ge>4.1</ge><lt>4.1.42</lt></range>
+ <range><ge>4.0</ge><lt>4.0.34</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Oracle reports reports:</p>
+ <blockquote cite="http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html">
+ <p>Unspecified vulnerability in the Oracle VM VirtualBox
+ component in Oracle Virtualization VirtualBox prior to 4.0.34, 4.1.42,
+ 4.2.34, 4.3.32, and 5.0.8, when using a Windows guest, allows local
+ users to affect availability via unknown vectors related to Core.</p>
+ <p>Unspecified vulnerability in the Oracle VM VirtualBox
+ component in Oracle Virtualization VirtualBox before 4.0.34, 4.1.42,
+ 4.2.34, 4.3.32, and 5.0.8, when a VM has the Remote Display feature
+ (RDP) enabled, allows remote attackers to affect availability via
+ unknown vectors related to Core.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html</url>
+ <cvename>CVE-2015-4813</cvename>
+ <cvename>CVE-2015-4896</cvename>
+ <freebsdpr>ports/204406</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2015-10-01</discovery>
+ <entry>2016-10-12</entry>
+ <modified>2016-10-18</modified>
+ </dates>
+ </vuln>
+
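Review bot: duplicated word in the VirtualBox entry, `<p>Oracle reports reports:</p>`; this should read `<p>Oracle reports:</p>`.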
+ <vuln vid="10f7f782-901c-11e6-a590-14dae9d210b8">
+ <topic>ImageMagick -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>ImageMagick</name>
+ <name>ImageMagick-nox11</name>
+ <range><lt>6.9.5.10,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Debian reports:</p>
+ <blockquote cite="https://www.debian.org/security/2016/dsa-3675">
+ <p>Various memory handling problems and cases of missing or
+ incomplete input sanitising may result in denial of service or the
+ execution of arbitrary code if malformed SIXEL, PDB, MAP, SGI, TIFF and
+ CALS files are processed.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.debian.org/security/2016/dsa-3675</url>
+ <freebsdpr>ports/213032</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2016-09-23</discovery>
+ <entry>2016-10-12</entry>
+ <modified>2016-10-18</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="2a526c78-84ab-11e6-a4a1-60a44ce6887b">
+ <topic>libgd -- integer overflow which could lead to heap buffer overflow</topic>
+ <affects>
+ <package>
+ <name>gd</name>
+ <range><le>2.2.3</le></range>
+ </package>
+ <package>
+ <name>php70-gd</name>
+ <range><le>7.0.11</le></range>
+ </package>
+ <package>
+ <name>php56-gd</name>
+ <range><le>5.6.26</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>LibGD reports:</p>
+ <blockquote cite="https://github.com/libgd/libgd/issues/308">
+ <p>An integer overflow issue was found in function gdImageWebpCtx of file gd_webp.c which could lead to heap buffer overflow.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/libgd/libgd/issues/308</url>
+ <url>https://bugs.php.net/bug.php?id=73003</url>
+ <freebsdpr>ports/213023</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2016-09-02</discovery>
+ <entry>2016-10-11</entry>
+ <modified>2016-10-18</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="cb3f036d-8c7f-11e6-924a-60a44ce6887b">
+ <topic>libvncserver -- multiple security vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>libvncserver</name>
+ <range><lt>0.9.10</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Nicolas Ruff reports:</p>
+ <blockquote cite="http://seclists.org/oss-sec/2014/q3/639">
+ <p>Integer overflow in MallocFrameBuffer() on client side.</p>
+ <p>Lack of malloc() return value checking on client side.</p>
+ <p>Server crash on a very large ClientCutText message.</p>
+ <p>Server crash when scaling factor is set to zero.</p>
+ <p>Multiple stack overflows in File Transfer feature.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://seclists.org/oss-sec/2014/q3/639</url>
+ <cvename>CVE-2014-6051</cvename>
+ <cvename>CVE-2014-6052</cvename>
+ <cvename>CVE-2014-6053</cvename>
+ <cvename>CVE-2014-6054</cvename>
+ <cvename>CVE-2014-6055</cvename>
+ <freebsdpr>ports/212380</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2014-09-23</discovery>
+ <entry>2016-10-11</entry>
+ <modified>2016-10-18</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="ab947396-9018-11e6-a590-14dae9d210b8">
+ <topic>openoffice -- information disclosure vulnerability</topic>
+ <affects>
+ <package>
+ <name>apache-openoffice</name>
+ <name>apache-openoffice-devel</name>
+ <range><lt>4.1.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Apache reports:</p>
+ <blockquote cite="http://www.openoffice.org/security/cves/CVE-2014-3575.html">
+ <p>The exposure exploits the way OLE previews are generated to
+ embed arbitrary file data into a specially crafted document when it is
+ opened. Data exposure is possible if the updated document is distributed
+ to other parties.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.openoffice.org/security/cves/CVE-2014-3575.html</url>
+ <cvename>CVE-2014-3575</cvename>
+ <freebsdpr>ports/212379</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2014-08-21</discovery>
+ <entry>2016-10-12</entry>
+ <modified>2016-10-18</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="47157c14-9013-11e6-a590-14dae9d210b8">
+ <topic>mupdf -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mupdf</name>
+ <range><lt>1.9a_1,1</lt></range>
+ </package>
+ <package>
+ <name>llpp</name>
+ <range><lt>22_2</lt></range>
+ </package>
+ <package>
+ <name>zathura-pdf-mupdf</name>
+ <range><lt>0.3.0_2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Tobias Kortkamp reports:</p>
+ <blockquote cite="http://openbsd-archive.7691.n7.nabble.com/mupdf-CVE-2016-6525-amp-CVE-2016-6265-td302904.html">
+ <p>Heap-based buffer overflow in the pdf_load_mesh_params
+ function in pdf/pdf-shade.c in MuPDF allows remote attackers to cause a
+ denial of service (crash) or execute arbitrary code via a large decode
+ array.</p>
+ <p>Use-after-free vulnerability in the pdf_load_xref function in
+ pdf/pdf-xref.c in MuPDF allows remote attackers to cause a denial of
+ service (crash) via a crafted PDF file.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://openbsd-archive.7691.n7.nabble.com/mupdf-CVE-2016-6525-amp-CVE-2016-6265-td302904.html</url>
+ <url>http://bugs.ghostscript.com/show_bug.cgi?id=696941</url>
+ <url>http://bugs.ghostscript.com/show_bug.cgi?id=696954</url>
+ <cvename>CVE-2016-6525</cvename>
+ <cvename>CVE-2016-6265</cvename>
+ <freebsdpr>ports/212207</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2016-08-27</discovery>
+ <entry>2016-10-12</entry>
+ <modified>2016-10-18</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="b7d56d0b-7a11-11e6-af78-589cfc0654e1">
+ <topic>openjpeg -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>openjpeg</name>
+ <range><lt>2.1.1_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Tencent's Xuanwu LAB reports:</p>
+ <blockquote cite="http://www.openwall.com/lists/oss-security/2016/09/08/2">
+ <p>A Heap Buffer Overflow (Out-of-Bounds Write) issue was found in
+ function opj_dwt_interleave_v of dwt.c. This vulnerability allows
+ remote attackers to execute arbitrary code on vulnerable installations
+ of OpenJPEG.</p>
+ <p>An integer overflow issue exists in function opj_pi_create_decode of
+ pi.c. It can lead to Out-Of-Bounds Read and Out-Of-Bounds Write in
+ function opj_pi_next_cprl of pi.c (function opj_pi_next_lrcp,
+ opj_pi_next_rlcp, opj_pi_next_rpcl, opj_pi_next_pcrl may also be
+ vulnerable). This vulnerability allows remote attackers to execute
+ arbitrary code on vulnerable installations of OpenJPEG.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>"http://www.openwall.com/lists/oss-security/2016/09/08/2"</url>
+ <url>"http://www.openwall.com/lists/oss-security/2016/09/08/3"</url>
+ <cvename>CVE-2016-5157</cvename>
+ <cvename>CVE-2016-7163</cvename>
+ </references>
+ <dates>
+ <discovery>2016-09-08</discovery>
+ <entry>2016-10-11</entry>
+ </dates>
+ </vuln>
+
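Review bot: the two url elements in the openjpeg entry wrap the address in literal double quotes (`<url>"http://www.openwall.com/lists/oss-security/2016/09/08/2"</url>`), and the quotes become part of the link target when vuxml is rendered, producing a dead link; drop them so the element holds only the bare URL. The same pattern appears again in the dropbear entry's first url near the end of this hunk and should be fixed there as well.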
+ <vuln vid="fa175f30-8c75-11e6-924a-60a44ce6887b">
+ <topic>redis -- sensitive information leak through command history file</topic>
+ <affects>
+ <package>
+ <name>redis</name>
+ <name>redis-devel</name>
+ <range><lt>3.2.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Redis team reports:</p>
+ <blockquote cite="https://github.com/antirez/redis/pull/1418">
+ <p>The redis-cli history file (in linenoise) is created with the
+ default OS umask value which makes it world readable in most systems
+ and could potentially expose authentication credentials to other
+ users.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/antirez/redis/pull/1418</url>
+ <url>https://github.com/antirez/redis/issues/3284</url>
+ <cvename>CVE-2013-7458</cvename>
+ </references>
+ <dates>
+ <discovery>2013-11-30</discovery>
+ <entry>2016-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="1a71a972-8ee7-11e6-a590-14dae9d210b8">
+ <topic>FreeBSD -- Multiple libarchive vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>11.0</ge><lt>11.0_1</lt></range>
+ <range><ge>10.3</ge><lt>10.3_10</lt></range>
+ <range><ge>10.2</ge><lt>10.2_23</lt></range>
+ <range><ge>10.1</ge><lt>10.1_40</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>Flaws in libarchive's handling of symlinks and hard links
+ allow overwriting files outside the extraction directory,
+ or permission changes to a directory outside the extraction
+ directory.</p>
+ <h1>Impact:</h1>
+ <p>An attacker who can control freebsd-update's or portsnap's
+ input to tar can change file content or permisssions on
+ files outside of the update tool's working sandbox.</p>
+ </body>
+ </description>
+ <references>
+ <freebsdsa>SA-16:31.libarchive</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2016-10-05</discovery>
+ <entry>2016-10-10</entry>
+ </dates>
+ </vuln>
+
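Review bot: the libarchive entry's affects block stops at 10.1 while the two neighbouring FreeBSD entries (portsnap and bspatch, issued on the same day) also carry a `<ge>9.3</ge><lt>9.3_48</lt>` range; confirm against SA-16:31.libarchive whether 9.3 is affected and add the range if so, since a missing branch silently tells 9.3 users they are safe. Also "permisssions" in the impact paragraph is a typo for "permissions".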
+ <vuln vid="e7dcd69d-8ee6-11e6-a590-14dae9d210b8">
+ <topic>FreeBSD -- Multiple portsnap vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>11.0</ge><lt>11.0_1</lt></range>
+ <range><ge>10.3</ge><lt>10.3_10</lt></range>
+ <range><ge>10.2</ge><lt>10.2_23</lt></range>
+ <range><ge>10.1</ge><lt>10.1_40</lt></range>
+ <range><ge>9.3</ge><lt>9.3_48</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>Flaws in portsnap's verification of downloaded tar files
+ allows additional files to be included without causing the
+ verification to fail. Portsnap may then use or execute these
+ files.</p>
+ <h1>Impact:</h1>
+ <p>An attacker who can conduct man in the middle attack on
+ the network at the time when portsnap is run can cause
+ portsnap to execute arbitrary commands under the credentials
+ of the user who runs portsnap, typically root.</p>
+ </body>
+ </description>
+ <references>
+ <freebsdsa>SA-16:30.portsnap</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2016-10-10</discovery>
+ <entry>2016-10-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ce808022-8ee6-11e6-a590-14dae9d210b8">
+ <topic>FreeBSD -- Heap overflow vulnerability in bspatch</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>11.0</ge><lt>11.0_1</lt></range>
+ <range><ge>10.3</ge><lt>10.3_10</lt></range>
+ <range><ge>10.2</ge><lt>10.2_23</lt></range>
+ <range><ge>10.1</ge><lt>10.1_40</lt></range>
+ <range><ge>9.3</ge><lt>9.3_48</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>The implementation of bspatch is susceptible to integer
+ overflows with carefully crafted input, potentially allowing
+ an attacker who can control the patch file to write at
+ arbitrary locations in the heap. This issue was partially
+ addressed in FreeBSD-SA-16:25.bspatch, but some possible
+ integer overflows remained.</p>
+ <h1>Impact:</h1>
+ <p>An attacker who can control the patch file can cause a
+ crash or run arbitrary code under the credentials of the
+ user who runs bspatch, in many cases, root.</p>
+ </body>
+ </description>
+ <references>
+ <freebsdsa>SA-16:29.bspatch</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2016-10-10</discovery>
+ <entry>2016-10-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="aeb7874e-8df1-11e6-a082-5404a68ad561">
+ <topic>mkvtoolnix -- code execution via specially crafted files</topic>
+ <affects>
+ <package>
+ <name>mkvtoolnix</name>
+ <range><lt>9.4.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Moritz Bunkus reports:</p>
+ <blockquote cite="https://mkvtoolnix.download/doc/ChangeLog">
+ <p>most of the bugs fixed on 2016-09-06 and 2016-09-07 for
+ issue #1780 are potentially exploitable. The scenario is arbitrary
+ code execution with specially-crafted files.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://mkvtoolnix.download/doc/ChangeLog</url>
+ </references>
+ <dates>
+ <discovery>2016-09-07</discovery>
+ <entry>2016-10-09</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="1cf65085-a760-41d2-9251-943e1af62eb8">
+ <topic>X.org libraries -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>libX11</name>
+ <range><lt>1.6.4,1</lt></range>
+ </package>
+ <package>
+ <name>libXfixes</name>
+ <range><lt>5.0.3</lt></range>
+ </package>
+ <package>
+ <name>libXi</name>
+ <range><lt>1.7.7,1</lt></range>
+ </package>
+ <package>
+ <name>libXrandr</name>
+ <range><lt>1.5.1</lt></range>
+ </package>
+ <package>
+ <name>libXrender</name>
+ <range><lt>0.9.10</lt></range>
+ </package>
+ <package>
+ <name>libXtst</name>
+ <range><lt>1.2.3</lt></range>
+ </package>
+ <package>
+ <name>libXv</name>
+ <range><lt>1.0.11,1</lt></range>
+ </package>
+ <package>
+ <name>libXvMC</name>
+ <range><lt>1.0.10</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Matthieu Herrb reports:</p>
+ <blockquote cite="https://lists.x.org/archives/xorg-announce/2016-October/002720.html">
+ <p>Tobias Stoeckmann from the OpenBSD project has discovered a
+ number of issues in the way various X client libraries handle
+ the responses they receive from servers, and has worked with
+ X.Org's security team to analyze, confirm, and fix these issues.
+ These issue come in addition to the ones discovered by Ilja van
+ Sprundel in 2013.</p>
+
+ <p>Most of these issues stem from the client libraries trusting
+ the server to send correct protocol data, and not verifying
+ that the values will not overflow or cause other damage. Most
+ of the time X clients and servers are run by the same user, with
+ the server more privileged than the clients, so this is not a
+ problem, but there are scenarios in which a privileged client
+ can be connected to an unprivileged server, for instance,
+ connecting a setuid X client (such as a screen lock program)
+ to a virtual X server (such as Xvfb or Xephyr) which the user
+ has modified to return invalid data, potentially allowing the
+ user to escalate their privileges.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://lists.x.org/archives/xorg-announce/2016-October/002720.html</url>
+ <cvename>CVE-2016-5407</cvename>
+ </references>
+ <dates>
+ <discovery>2016-10-04</discovery>
+ <entry>2016-10-07</entry>
+ <modified>2016-10-10</modified>
+ </dates>
+ </vuln>
+
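Review bot: the X.org entry lists eight affected libraries but references a single cvename, CVE-2016-5407, even though the quoted advisory describes "a number of issues" across those libraries; check the linked xorg-announce message for the full set of CVE identifiers and list each one, as the per-package CVE lookup is what downstream scanners key on.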
+ <vuln vid="c8d902b1-8550-11e6-81e7-d050996490d0">
+ <topic>BIND -- Remote Denial of Service vulnerability</topic>
+ <affects>
+ <package>
+ <name>bind99</name>
+ <range><lt>9.9.9P3</lt></range>
+ </package>
+ <package>
+ <name>bind910</name>
+ <range><lt>9.10.4P3</lt></range>
+ </package>
+ <package>
+ <name>bind911</name>
+ <range><lt>9.11.0.rc3</lt></range>
+ </package>
+ <package>
+ <name>bind9-devel</name>
+ <range><lt>9.12.0.a.2016.09.10</lt></range>
+ </package>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>9.3</ge><lt>9.3_48</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>ISC reports:</p>
+ <blockquote cite="https://kb.isc.org/article/AA-01419">
+ <p>Testing by ISC has uncovered a critical error condition
+ which can occur when a nameserver is constructing a
+ response. A defect in the rendering of messages into
+ packets can cause named to exit with an assertion
+ failure in buffer.c while constructing a response
+ to a query that meets certain criteria.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-2776</cvename>
+ <freebsdsa>SA-16:28.bind</freebsdsa>
+ <url>https://kb.isc.org/article/AA-01419</url>
+ </references>
+ <dates>
+ <discovery>2016-09-27</discovery>
+ <entry>2016-09-28</entry>
+ <modified>2016-10-10</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="bb022643-84fb-11e6-a4a1-60a44ce6887b">
+ <topic>django -- CSRF protection bypass on a site with Google Analytics</topic>
+ <affects>
+ <package>
+ <name>py-django19</name>
+ <range><lt>1.9.10</lt></range>
+ </package>
+ <package>
+ <name>py-django18</name>
+ <range><lt>1.8.15</lt></range>
+ </package>
+ <package>
+ <name>py-django</name>
+ <range><lt>1.8.15</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Django Software Foundation reports:</p>
+ <blockquote cite="https://www.djangoproject.com/weblog/2016/sep/26/security-releases/">
+ <p>An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.djangoproject.com/weblog/2016/sep/26/security-releases/</url>
+ <cvename>CVE-2016-7401</cvename>
+ </references>
+ <dates>
+ <discovery>2016-09-26</discovery>
+ <entry>2016-09-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="91a337d8-83ed-11e6-bf52-b499baebfeaf">
+ <topic>OpenSSL -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>openssl</name>
+ <range><lt>1.0.2j,1</lt></range>
+ </package>
+ <package>
+ <name>openssl-devel</name>
+ <range><lt>1.1.0b</lt></range>
+ </package>
+ <package>
+ <name>libressl</name>
+ <range><lt>2.4.3</lt></range>
+ </package>
+ <package>
+ <name>libressl-devel</name>
+ <range><lt>2.4.3</lt></range>
+ </package>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>11.0</ge><lt>11.0_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>OpenSSL reports:</p>
+ <blockquote cite="https://www.openssl.org/news/secadv/20160926.txt">
+ <p>Critical vulnerability in OpenSSL 1.1.0a<br/>
+ Fix Use After Free for large message sizes (CVE-2016-6309)</p>
+ <p>Moderate vulnerability in OpenSSL 1.0.2i<br/>
+ Missing CRL sanity check (CVE-2016-7052)</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.openssl.org/news/secadv/20160926.txt</url>
+ <cvename>CVE-2016-6309</cvename>
+ <cvename>CVE-2016-7052</cvename>
+ <freebsdsa>SA-16:27.openssl</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2016-09-26</discovery>
+ <entry>2016-09-26</entry>
+ <modified>2016-10-10</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="43eaa656-80bc-11e6-bf52-b499baebfeaf">
+ <topic>OpenSSL -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>openssl-devel</name>
+ <range><ge>1.1.0</ge><lt>1.1.0_1</lt></range>
+ </package>
+ <package>
+ <name>openssl</name>
+ <range><lt>1.0.2i,1</lt></range>
+ </package>
+ <package>
+ <name>linux-c6-openssl</name>
+ <range><lt>1.0.1e_11</lt></range>
+ </package>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>10.3</ge><lt>10.3_8</lt></range>
+ <range><ge>10.2</ge><lt>10.2_21</lt></range>
+ <range><ge>10.1</ge><lt>10.1_38</lt></range>
+ <range><ge>9.3</ge><lt>9.3_46</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>OpenSSL reports:</p>
+ <blockquote cite="https://www.openssl.org/news/secadv/20160922.txt">
+ <p>High: OCSP Status Request extension unbounded memory growth</p>
+ <p>SSL_peek() hang on empty record</p>
+ <p>SWEET32 Mitigation</p>
+ <p>OOB write in MDC2_Update()</p>
+ <p>Malformed SHA512 ticket DoS</p>
+ <p>OOB write in BN_bn2dec()</p>
+ <p>OOB read in TS_OBJ_print_bio()</p>
+ <p>Pointer arithmetic undefined behaviour</p>
+ <p>Constant time flag not preserved in DSA signing</p>
+ <p>DTLS buffered message DoS</p>
+ <p>DTLS replay protection DoS</p>
+ <p>Certificate message OOB reads</p>
+ <p>Excessive allocation of memory in tls_get_message_header()</p>
+ <p>Excessive allocation of memory in dtls1_preprocess_fragment()</p>
+ <p>NB: LibreSSL is only affected by CVE-2016-6304</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.openssl.org/news/secadv/20160922.txt</url>
+ <cvename>CVE-2016-6304</cvename>
+ <cvename>CVE-2016-6305</cvename>
+ <cvename>CVE-2016-2183</cvename>
+ <cvename>CVE-2016-6303</cvename>
+ <cvename>CVE-2016-6302</cvename>
+ <cvename>CVE-2016-2182</cvename>
+ <cvename>CVE-2016-2180</cvename>
+ <cvename>CVE-2016-2177</cvename>
+ <cvename>CVE-2016-2178</cvename>
+ <cvename>CVE-2016-2179</cvename>
+ <cvename>CVE-2016-2181</cvename>
+ <cvename>CVE-2016-6306</cvename>
+ <cvename>CVE-2016-6307</cvename>
+ <cvename>CVE-2016-6308</cvename>
+ <freebsdsa>SA-16:26.openssl</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2016-09-22</discovery>
+ <entry>2016-09-22</entry>
+ <modified>2016-10-11</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="e78261e4-803d-11e6-a590-14dae9d210b8">
+ <topic>irssi -- heap corruption and missing boundary checks</topic>
+ <affects>
+ <package>
+ <name>irssi</name>
+ <name>zh-irssi</name>
+ <range><ge>0.8.17</ge><lt>0.8.20</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Irssi reports:</p>
+ <blockquote cite="https://irssi.org/security/irssi_sa_2016.txt">
+ <p>Remote crash and heap corruption. Remote code execution seems
+ difficult since only Nuls are written.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://irssi.org/security/irssi_sa_2016.txt</url>
+ <cvename>CVE-2016-7044</cvename>
+ <cvename>CVE-2016-7045</cvename>
+ </references>
+ <dates>
+ <discovery>2016-09-21</discovery>
+ <entry>2016-09-21</entry>
+ <modified>2016-09-22</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="2c57c47e-8bb3-4694-83c8-9fc3abad3964">
+ <topic>mozilla -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>49.0,1</lt></range>
+ </package>
+ <package>
+ <name>seamonkey</name>
+ <name>linux-seamonkey</name>
+ <range><lt>2.46</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>45.4.0,1</lt></range>
+ </package>
+ <package>
+ <name>linux-firefox</name>
+ <range><lt>45.4.0,2</lt></range>
+ </package>
+ <package>
+ <name>libxul</name>
+ <name>thunderbird</name>
+ <name>linux-thunderbird</name>
+ <range><lt>45.4.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mozilla Foundation reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-85/">
+ <p>CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]</p>
+ <p>CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]</p>
+ <p>CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]</p>
+ <p>CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]</p>
+ <p>CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]</p>
+ <p>CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]</p>
+ <p>CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]</p>
+ <p>CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]</p>
+ <p>CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]</p>
+ <p>CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]</p>
+ <p>CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]</p>
+ <p>CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]</p>
+ <p>CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]</p>
+ <p>CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]</p>
+ <p>CVE-2016-5281 - use-after-free in DOMSVGLength [high]</p>
+ <p>CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]</p>
+ <p>CVE-2016-5283 - <iframe src> fragment timing attack can reveal cross-origin data [high]</p>
+ <p>CVE-2016-5284 - Add-on update site certificate pin expiration [high]</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-2827</cvename>
+ <cvename>CVE-2016-5256</cvename>
+ <cvename>CVE-2016-5257</cvename>
+ <cvename>CVE-2016-5270</cvename>
+ <cvename>CVE-2016-5271</cvename>
+ <cvename>CVE-2016-5272</cvename>
+ <cvename>CVE-2016-5273</cvename>
+ <cvename>CVE-2016-5274</cvename>
+ <cvename>CVE-2016-5275</cvename>
+ <cvename>CVE-2016-5276</cvename>
+ <cvename>CVE-2016-5277</cvename>
+ <cvename>CVE-2016-5278</cvename>
+ <cvename>CVE-2016-5279</cvename>
+ <cvename>CVE-2016-5280</cvename>
+ <cvename>CVE-2016-5281</cvename>
+ <cvename>CVE-2016-5282</cvename>
+ <cvename>CVE-2016-5283</cvename>
+ <cvename>CVE-2016-5284</cvename>
+ <url>https://www.mozilla.org/security/advisories/mfsa2016-85/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2016-86/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2016-88/</url>
+ </references>
+ <dates>
+ <discovery>2016-09-13</discovery>
+ <entry>2016-09-20</entry>
+ <modified>2016-10-21</modified>
+ </dates>
+ </vuln>
+
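Review bot: the mozilla entry is not well-formed XML: the line `<p>CVE-2016-5283 - <iframe src> fragment timing attack can reveal cross-origin data [high]</p>` contains a raw `<iframe src>` inside the XHTML body, which the parser reads as an unclosed iframe element with a valueless attribute, so the whole vuln.xml will fail validation. It needs to be escaped as `&lt;iframe src&gt;` (and the same escaping applied to any other literal angle brackets copied from advisories).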
+ <vuln vid="653a8059-7c49-11e6-9242-3065ec8fd3ec">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <name>chromium-npapi</name>
+ <name>chromium-pulse</name>
+ <range><lt>53.0.2785.113</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_13.html">
+ <p>Several security fixes in this release, including:</p>
+ <ul>
+ <li>[641101] High CVE-2016-5170: Use after free in Blink.Credit to
+ Anonymous</li>
+ <li>[643357] High CVE-2016-5171: Use after free in Blink. Credit to
+ Anonymous</li>
+ <li>[616386] Medium CVE-2016-5172: Arbitrary Memory Read in v8.
+ Credit to Choongwoo Han</li>
+ <li>[468931] Medium CVE-2016-5173: Extension resource access.
+ Credit to Anonymous</li>
+ <li>[579934] Medium CVE-2016-5174: Popup not correctly suppressed.
+ Credit to Andrey Kovalev (@L1kvID) Yandex Security Team</li>
+ <li>[646394] CVE-2016-5175: Various fixes from internal audits,
+ fuzzing and other initiatives.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-5170</cvename>
+ <cvename>CVE-2016-5171</cvename>
+ <cvename>CVE-2016-5172</cvename>
+ <cvename>CVE-2016-5173</cvename>
+ <cvename>CVE-2016-5174</cvename>
+ <cvename>CVE-2016-5175</cvename>
+ <url>https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_13.html</url>
+ </references>
+ <dates>
+ <discovery>2016-09-13</discovery>
+ <entry>2016-09-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b64a7389-7c27-11e6-8aaa-5404a68ad561">
+ <topic>Remote-Code-Execution vulnerability in mysql and its variants CVE 2016-6662</topic>
+ <affects>
+ <package>
+ <name>mysql57-client</name>
+ <name>mysql57-server</name>
+ <range><lt>5.7.15</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>LegalHackers' reports:</p>
+ <blockquote cite="http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html">
+ <p>RCE Bugs discovered in MySQL and its variants like MariaDB.
+ It works by manupulating my.cnf files and using --malloc-lib.
+ The bug seems fixed in MySQL5.7.15 by Oracle</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-6662</cvename>
+ <url>http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html</url>
+ <url>https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html</url>
+ </references>
+ <dates>
+ <discovery>2016-09-12</discovery>
+ <entry>2016-09-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="bc19dcca-7b13-11e6-b99e-589cfc0654e1">
+ <topic>dropbear -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>dropbear</name>
+ <range><lt>2016.74</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Matt Johnston reports:</p>
+ <blockquote cite="http://www.openwall.com/lists/oss-security/2016/09/15/2">
+ <p>If specific usernames including "%" symbols can be created on a system
+ (validated by getpwnam()) then an attacker could run arbitrary code as root
+ when connecting to Dropbear server.
+
+ A dbclient user who can control username or host arguments could potentially
+ run arbitrary code as the dbclient user. This could be a problem if scripts
+ or webpages pass untrusted input to the dbclient program.</p>
+ <p>dropbearconvert import of OpenSSH keys could run arbitrary code as
+ the local dropbearconvert user when parsing malicious key files.</p>
+ <p>dbclient could run arbitrary code as the local dbclient user if
+ particular -m or -c arguments are provided. This could be an issue where
+ dbclient is used in scripts.</p>
+ <p>dbclient or dropbear server could expose process memory to the
+ running user if compiled with DEBUG_TRACE and running with -v</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>"http://www.openwall.com/lists/oss-security/2016/09/15/2"</url>
+ <cvename>CVE-2016-7406</cvename>
+ <cvename>CVE-2016-7407</cvename>
+ <cvename>CVE-2016-7408</cvename>
+ <cvename>CVE-2016-7409</cvename>
+ </references>
+ <dates>
+ <discovery>2016-07-12</discovery>
+ <entry>2016-09-15</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="08664d42-7989-11e6-b7a8-74d02b9a84d5">
+ <topic>h2o -- fix DoS attack vector</topic>
+ <affects>
+ <package>
+ <name>h2o</name>
+ <range>
+ <lt>2.0.4</lt>
+ </range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Frederik Deweerdt reported a denial-of-service attack vector
+ due to an unhandled error condition during socket connection.</p>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/h2o/h2o/issues/1077</url>
+ <cvename>CVE-2016-4864</cvename>
+ </references>
+ <dates>
+ <discovery>2016-06-09</discovery>
+ <entry>2016-09-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b018121b-7a4b-11e6-bf52-b499baebfeaf">
+ <topic>cURL -- Escape and unescape integer overflows</topic>
+ <affects>
+ <package>
+ <name>curl</name>
+ <range><ge>7.11.1</ge><lt>7.50.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The cURL project reports</p>
+ <blockquote cite="https://curl.haxx.se/docs/adv_20160914.html">
+ <p>The four libcurl functions curl_escape(), curl_easy_escape(),
+ curl_unescape and curl_easy_unescape perform string URL percent
+ escaping and unescaping. They accept custom string length inputs
+ in signed integer arguments.</p>
+ <p>The provided string length arguments were not properly checked
+ and due to arithmetic in the functions, passing in the length
+ 0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up
+ causing an allocation of zero bytes of heap memory that curl
+ would attempt to write gigabytes of data into.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://curl.haxx.se/docs/adv_20160914.html</url>
+ <cvename>CVE-2016-7167</cvename>
+ </references>
+ <dates>
+ <discovery>2016-09-14</discovery>
+ <entry>2016-09-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="769ba449-79e1-11e6-bf75-3065ec8fd3ec">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <name>chromium-npapi</name>
+ <name>chromium-pulse</name>
+ <range><lt>53.0.2785.92</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop_31.html">
+ <p>33 security fixes in this release, including:</p>
+ <ul>
+ <li>[628942] High CVE-2016-5147: Universal XSS in Blink. Credit to
+ anonymous</li>
+ <li>[621362] High CVE-2016-5148: Universal XSS in Blink. Credit to
+ anonymous</li>
+ <li>[573131] High CVE-2016-5149: Script injection in extensions.
+ Credit to Max Justicz (http://web.mit.edu/maxj/www/)</li>
+ <li>[637963] High CVE-2016-5150: Use after free in Blink. Credit to
+ anonymous</li>
+ <li>[634716] High CVE-2016-5151: Use after free in PDFium. Credit to
+ anonymous</li>
+ <li>[629919] High CVE-2016-5152: Heap overflow in PDFium. Credit to
+ GiWan Go of Stealien</li>
+ <li>[631052] High CVE-2016-5153: Use after destruction in Blink.
+ Credit to Atte Kettunen of OUSPG</li>
+ <li>[633002] High CVE-2016-5154: Heap overflow in PDFium. Credit to
+ anonymous</li>
+ <li>[630662] High CVE-2016-5155: Address bar spoofing. Credit to
+ anonymous</li>
+ <li>[625404] High CVE-2016-5156: Use after free in event bindings.
+ Credit to jinmo123</li>
+ <li>[632622] High CVE-2016-5157: Heap overflow in PDFium. Credit to
+ anonymous</li>
+ <li>[628890] High CVE-2016-5158: Heap overflow in PDFium. Credit to
+ GiWan Go of Stealien</li>
+ <li>[628304] High CVE-2016-5159: Heap overflow in PDFium. Credit to
+ GiWan Go of Stealien</li>
+ <li>[622420] Medium CVE-2016-5161: Type confusion in Blink. Credit
+ to 62600BCA031B9EB5CB4A74ADDDD6771E working with Trend Micro's
+ Zero Day Initiative</li>
+ <li>[589237] Medium CVE-2016-5162: Extensions web accessible
+ resources bypass. Credit to Nicolas Golubovic</li>
+ <li>[609680] Medium CVE-2016-5163: Address bar spoofing. Credit to
+ Rafay Baloch PTCL Etisalat (http://rafayhackingarticles.net)</li>
+ <li>[637594] Medium CVE-2016-5164: Universal XSS using DevTools.
+ Credit to anonymous</li>
+ <li>[618037] Medium CVE-2016-5165: Script injection in DevTools.
+ Credit to Gregory Panakkal</li>
+ <li>[616429] Medium CVE-2016-5166: SMB Relay Attack via Save Page
+ As. Credit to Gregory Panakkal</li>
+ <li>[576867] Low CVE-2016-5160: Extensions web accessible resources
+ bypass. Credit to @l33terally, FogMarks.com (@FogMarks)</li>
+ <li>[642598] CVE-2016-5167: Various fixes from internal audits,
+ fuzzing and other initiatives.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-5147</cvename>
+ <cvename>CVE-2016-5148</cvename>
+ <cvename>CVE-2016-5149</cvename>
+ <cvename>CVE-2016-5150</cvename>
+ <cvename>CVE-2016-5151</cvename>
+ <cvename>CVE-2016-5152</cvename>
+ <cvename>CVE-2016-5153</cvename>
+ <cvename>CVE-2016-5154</cvename>
+ <cvename>CVE-2016-5155</cvename>
+ <cvename>CVE-2016-5156</cvename>
+ <cvename>CVE-2016-5157</cvename>
+ <cvename>CVE-2016-5158</cvename>
+ <cvename>CVE-2016-5159</cvename>
+ <cvename>CVE-2016-5160</cvename>
+ <cvename>CVE-2016-5161</cvename>
+ <cvename>CVE-2016-5162</cvename>
+ <cvename>CVE-2016-5163</cvename>
+ <cvename>CVE-2016-5164</cvename>
+ <cvename>CVE-2016-5165</cvename>
+ <cvename>CVE-2016-5166</cvename>
+ <cvename>CVE-2016-5167</cvename>
+ <url>https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop_31.html</url>
+ </references>
+ <dates>
+ <discovery>2016-08-31</discovery>
+ <entry>2016-09-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="958b9cee-79da-11e6-bf75-3065ec8fd3ec">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <name>chromium-npapi</name>
+ <name>chromium-pulse</name>
+ <range><lt>52.0.2743.116</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop.html">
+ <p>10 security fixes in this release, including:</p>
+ <ul>
+ <li>[629542] High CVE-2016-5141 Address bar spoofing. Credit to
+ anonymous</li>
+ <li>[626948] High CVE-2016-5142 Use-after-free in Blink. Credit to
+ anonymous</li>
+ <li>[625541] High CVE-2016-5139 Heap overflow in pdfium. Credit to
+ GiWan Go of Stealien</li>
+ <li>[619405] High CVE-2016-5140 Heap overflow in pdfium. Credit to
+ Ke Liu of Tencent's Xuanwu LAB</li>
+ <li>[623406] Medium CVE-2016-5145 Same origin bypass for images in
+ Blink. Credit to anonymous</li>
+ <li>[619414] Medium CVE-2016-5143 Parameter sanitization failure in
+ DevTools. Credit to Gregory Panakkal</li>
+ <li>[618333] Medium CVE-2016-5144 Parameter sanitization failure in
+ DevTools. Credit to Gregory Panakkal</li>
+ <li>[633486] CVE-2016-5146: Various fixes from internal audits,
+ fuzzing and other initiatives.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-5139</cvename>
+ <cvename>CVE-2016-5140</cvename>
+ <cvename>CVE-2016-5141</cvename>
+ <cvename>CVE-2016-5142</cvename>
+ <cvename>CVE-2016-5143</cvename>
+ <cvename>CVE-2016-5144</cvename>
+ <cvename>CVE-2016-5145</cvename>
+ <cvename>CVE-2016-5146</cvename>
+ <url>https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop.html</url>
+ </references>
+ <dates>
+ <discovery>2016-08-03</discovery>
+ <entry>2016-09-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="856b88bf-7984-11e6-81e7-d050996490d0">
+ <topic>mysql -- Remote Root Code Execution</topic>
+ <affects>
+ <package>
+ <name>mariadb55-server</name>
+ <range><lt>5.5.51</lt></range>
+ </package>
+ <package>
+ <name>mariadb100-server</name>
+ <range><lt>10.0.27</lt></range>
+ </package>
+ <package>
+ <name>mariadb101-server</name>
+ <range><lt>10.1.17</lt></range>
+ </package>
+ <package>
+ <name>mysql55-server</name>
+ <range><lt>5.5.52</lt></range>
+ </package>
+ <package>
+ <name>mysql56-server</name>
+ <range><lt>5.6.33</lt></range>
+ </package>
+ <package>
+ <name>mysql57-server</name>
+ <range><lt>5.7.15</lt></range>
+ </package>
+ <package>
+ <name>percona55-server</name>
+ <range><lt>5.5.51.38.1</lt></range>
+ </package>
+ <package>
+ <name>percona56-server</name>
+ <range><lt>5.6.32.78.0</lt></range>
+ </package>
+ <package>
+ <name>percona57-server</name>
+ <range><lt>5.7.14.7</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Dawid Golunski reports:</p>
+ <blockquote cite="http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt">
+ <p>An independent research has revealed multiple severe MySQL
+ vulnerabilities. This advisory focuses on a critical
+ vulnerability with a CVEID of CVE-2016-6662 which can allow
+ attackers to (remotely) inject malicious settings into MySQL
+ configuration files (my.cnf) leading to critical
+ consequences.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-6662</cvename>
+ <url>http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt</url>
+ <url>https://jira.mariadb.org/browse/MDEV-10465</url>
+ <url>https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662/</url>
+ <url>https://www.percona.com/blog/2016/09/12/database-affected-cve-2016-6662/</url>
+ <url>https://www.psce.com/blog/2016/09/12/how-to-quickly-patch-mysql-server-against-cve-2016-6662/</url>
+ </references>
+ <dates>
+ <discovery>2016-09-12</discovery>
+ <entry>2016-09-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="331eabb3-85b1-466a-a2af-66ac864d395a">
+ <topic>wolfssl -- leakage of private key information</topic>
+ <affects>
+ <package>
+ <name>wolfssl</name>
+ <range><lt>3.6.8</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Florian Weimer of Redhat discovered that an optimization in
+ RSA signature validation can result in disclosure of the
+ server's private key under certain fault conditions.</p>
+ </body>
+ </description>
+ <references>
+ <url>https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html</url>
+ <url>https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/</url>
+ <cvename>CVE-2015-7744</cvename>
+ </references>
+ <dates>
+ <discovery>2015-09-17</discovery>
+ <entry>2016-01-05</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3d1372e1-7822-4fd8-b56e-5ee832afbd96">
+ <topic>wolfssl -- DDoS amplification in DTLS</topic>
+ <affects>
+ <package>
+ <name>wolfssl</name>
+ <range><lt>3.6.8</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Sebastian Ramacher identified an error in wolfSSL's implementation
+ of the server side of the DTLS handshake, which could be abused
+ for DDoS amplification or a DoS on the DTLS server itself.</p>
+ </body>
+ </description>
+ <references>
+ <url>https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html</url>
+ <url>https://github.com/IAIK/wolfSSL-DoS</url>
+ <cvename>CVE-2015-6925</cvename>
+ </references>
+ <dates>
+ <discovery>2015-09-18</discovery>
+ <entry>2016-01-05</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a0128291-7690-11e6-95a8-0011d823eebd">
+ <topic>gnutls -- OCSP validation issue</topic>
+ <affects>
+ <package>
+ <name>gnutls</name>
+ <range><lt>3.4.15</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>gnutls.org reports:</p>
+ <blockquote cite="https://gnutls.org/security.html#GNUTLS-SA-2016-3">
+ <p>Stefan Bühler discovered an issue that affects validation
+ of certificates using OCSP responses, which can falsely report a
+ certificate as valid under certain circumstances.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://gnutls.org/security.html#GNUTLS-SA-2016-3</url>
+ </references>
+ <dates>
+ <discovery>2016-09-08</discovery>
+ <entry>2016-09-09</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="aa1aefe3-6e37-47db-bfda-343ef4acb1b5">
+ <topic>Mozilla -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>48.0,1</lt></range>
+ </package>
+ <package>
+ <name>seamonkey</name>
+ <name>linux-seamonkey</name>
+ <range><lt>2.45</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>45.3.0,1</lt></range>
+ </package>
+ <package>
+ <name>linux-firefox</name>
+ <range><lt>45.3.0,2</lt></range>
+ </package>
+ <package>
+ <name>libxul</name>
+ <name>thunderbird</name>
+ <name>linux-thunderbird</name>
+ <range><lt>45.3.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mozilla Foundation reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox48">
+ <p>MFSA2016-84 Information disclosure through Resource Timing API \
+ during page navigation</p>
+ <p>MFSA2016-83 Spoofing attack through text injection into \
+ internal error pages</p>
+ <p>MFSA2016-82 Addressbar spoofing with right-to-left characters \
+ on Firefox for Android</p>
+ <p>MFSA2016-81 Information disclosure and local file \
+ manipulation through drag and drop</p>
+ <p>MFSA2016-80 Same-origin policy violation using local HTML
+ file and saved shortcut file</p>
+ <p>MFSA2016-79 Use-after-free when applying SVG effects</p>
+ <p>MFSA2016-78 Type confusion in display transformation</p>
+ <p>MFSA2016-77 Buffer overflow in ClearKey Content Decryption
+ Module (CDM) during video playback</p>
+ <p>MFSA2016-76 Scripts on marquee tag can execute in sandboxed
+ iframes</p>
+ <p>MFSA2016-75 Integer overflow in WebSockets during data \
+ buffering</p>
+ <p>MFSA2016-74 Form input type change from password to text \
+ can store plain text password in session restore file</p>
+ <p>MFSA2016-73 Use-after-free in service workers with nested
+ sync events</p>
+ <p>MFSA2016-72 Use-after-free in DTLS during WebRTC session
+ shutdown</p>
+ <p>MFSA2016-71 Crash in incremental garbage collection in \
+ JavaScript</p>
+ <p>MFSA2016-70 Use-after-free when using alt key and toplevel
+ menus</p>
+ <p>MFSA2016-69 Arbitrary file manipulation by local user through \
+ Mozilla updater and callback application path parameter</p>
+ <p>MFSA2016-68 Out-of-bounds read during XML parsing in \
+ Expat library</p>
+ <p>MFSA2016-67 Stack underflow during 2D graphics rendering</p>
+ <p>MFSA2016-66 Location bar spoofing via data URLs with \
+ malformed/invalid mediatypes</p>
+ <p>MFSA2016-65 Cairo rendering crash due to memory allocation
+ issue with FFmpeg 0.10</p>
+ <p>MFSA2016-64 Buffer overflow rendering SVG with bidirectional
+ content</p>
+ <p>MFSA2016-63 Favicon network connection can persist when page
+ is closed</p>
+ <p>MFSA2016-62 Miscellaneous memory safety hazards (rv:48.0 /
+ rv:45.3)</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-0718</cvename>
+ <cvename>CVE-2016-2830</cvename>
+ <cvename>CVE-2016-2835</cvename>
+ <cvename>CVE-2016-2836</cvename>
+ <cvename>CVE-2016-2837</cvename>
+ <cvename>CVE-2016-2838</cvename>
+ <cvename>CVE-2016-2839</cvename>
+ <cvename>CVE-2016-5250</cvename>
+ <cvename>CVE-2016-5251</cvename>
+ <cvename>CVE-2016-5252</cvename>
+ <cvename>CVE-2016-5253</cvename>
+ <cvename>CVE-2016-5254</cvename>
+ <cvename>CVE-2016-5255</cvename>
+ <cvename>CVE-2016-5258</cvename>
+ <cvename>CVE-2016-5259</cvename>
+ <cvename>CVE-2016-5260</cvename>
+ <cvename>CVE-2016-5261</cvename>
+ <cvename>CVE-2016-5262</cvename>
+ <cvename>CVE-2016-5263</cvename>
+ <cvename>CVE-2016-5264</cvename>
+ <cvename>CVE-2016-5265</cvename>
+ <cvename>CVE-2016-5266</cvename>
+ <cvename>CVE-2016-5267</cvename>
+ <cvename>CVE-2016-5268</cvename>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-63/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-64/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-65/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-66/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-67/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-68/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-69/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-70/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-71/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-72/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-73/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-74/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-75/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-76/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-77/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-78/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-79/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-80/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-81/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-82/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-83/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-84/</url>
+ </references>
+ <dates>
+ <discovery>2016-08-02</discovery>
+ <entry>2016-09-07</entry>
+ <modified>2016-09-20</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="5cb18881-7604-11e6-b362-001999f8d30b">
+ <topic>asterisk -- RTP Resource Exhaustion</topic>
+ <affects>
+ <package>
+ <name>asterisk11</name>
+ <range><lt>11.23.1</lt></range>
+ </package>
+ <package>
+ <name>asterisk13</name>
+ <range><lt>13.11.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="http://www.asterisk.org/downloads/security-advisories">
+ <p>The overlap dialing feature in chan_sip allows chan_sip
+ to report to a device that the number that has been dialed
+ is incomplete and more digits are required. If this
+ functionality is used with a device that has performed
+ username/password authentication RTP resources are leaked.
+ This occurs because the code fails to release the old RTP
+ resources before allocating new ones in this scenario.
+ If all resources are used then RTP port exhaustion will
+ occur and no RTP sessions are able to be set up.</p>
+ <p>If overlap dialing support is not needed the "allowoverlap"
+ option can be set to no. This will stop any usage of the
+ scenario which causes the resource exhaustion.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://downloads.asterisk.org/pub/security/AST-2016-007.html</url>
+ </references>
+ <dates>
+ <discovery>2016-08-05</discovery>
+ <entry>2016-09-08</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7fda7920-7603-11e6-b362-001999f8d30b">
+ <topic>asterisk -- Crash on ACK from unknown endpoint</topic>
+ <affects>
+ <package>
+ <name>asterisk13</name>
+ <range><ge>13.10.0</ge><lt>13.11.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="http://www.asterisk.org/downloads/security-advisories">
+ <p>Asterisk can be crashed remotely by sending an ACK to
+ it from an endpoint username that Asterisk does not
+ recognize. Most SIP request types result in an "artificial"
+ endpoint being looked up, but ACKs bypass this lookup.
+ The resulting NULL pointer results in a crash when
+ attempting to determine if ACLs should be applied.</p>
+ <p>This issue was introduced in the Asterisk 13.10 release
+ and only affects that release.</p>
+ <p>This issue only affects users using the PJSIP stack
+ with Asterisk. Those users that use chan_sip are
+ unaffected.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://downloads.asterisk.org/pub/security/AST-2016-006.html</url>
+ </references>
+ <dates>
+ <discovery>2016-08-03</discovery>
+ <entry>2016-09-08</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="70c85c93-743c-11e6-a590-14dae9d210b8">
+ <topic>inspircd -- authentication bypass vulnerability</topic>
+ <affects>
+ <package>
+ <name>inspircd</name>
+ <range><lt>2.0.23</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adam reports:</p>
+ <blockquote cite="http://www.inspircd.org/2016/09/03/v2023-released.html">
+ <p>A serious vulnerability exists in when using m_sasl in
+ combination with any services that support SASL EXTERNAL.
+ To be vulnerable you must have m_sasl loaded, and have services which
+ support SASL EXTERNAL authentication.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.inspircd.org/2016/09/03/v2023-released.html</url>
+ </references>
+ <dates>
+ <discovery>2016-09-03</discovery>
+ <entry>2016-09-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9e50dcc3-740b-11e6-94a2-080027ef73ec">
+ <topic>mailman -- CSRF hardening in parts of the web interface</topic>
+ <affects>
+ <package>
+ <name>mailman</name>
+ <range><lt>2.1.15</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The late Tokio Kikuchi reported:</p>
+ <blockquote cite="https://bugs.launchpad.net/mailman/+bug/775294">
+ <p>We may have to set lifetime for input forms because of recent
+ activities on cross-site request forgery (CSRF). The form lifetime
+ is successfully deployed in frameworks like web.py or plone etc.
+ Proposed branch lp:~tkikuchi/mailman/form-lifetime implement
+ lifetime in admin, admindb, options and edithtml interfaces.
+ [...]</p>
+ </blockquote>
+ <blockquote cite="https://launchpad.net/mailman/2.1/2.1.15">
+ <p>The web admin interface has been hardened against CSRF attacks by
+ adding a hidden, encrypted token with a time stamp to form submissions
+ and not accepting authentication by cookie if the token is missing,
+ invalid or older than the new mm_cfg.py setting FORM_LIFETIME which
+ defaults to one hour. Posthumous thanks go to Tokio Kikuchi for this implementation [...].</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugs.launchpad.net/mailman/+bug/775294</url>
+ <url>https://launchpad.net/mailman/2.1/2.1.15</url>
+ <cvename>CVE-2016-7123</cvename>
+ </references>
+ <dates>
+ <discovery>2011-05-02</discovery>
+ <entry>2016-09-06</entry>
+ </dates>
+ </vuln>
+
<vuln vid="adccefd1-7080-11e6-a2cb-c80aa9043978">
<topic>openssh -- sshd -- remote valid user discovery and PAM /bin/login attack</topic>
<affects>
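Review bot: the dropbear entry (vid bc19dcca-7b13-11e6-b99e-589cfc0654e1) wraps its openwall reference in literal double quotes, `<url>"http://www.openwall.com/lists/oss-security/2016/09/15/2"</url>`, which will be emitted as part of the link and break it; drop the quotes so it matches every other `<url>` element in the file. Two further points in this hunk: the Mozilla entry (vid aa1aefe3-6e37-47db-bfda-343ef4acb1b5) carries a literal backslash continuation character at the end of many `<p>` lines (e.g. `Information disclosure through Resource Timing API \`), and XHTML will render those backslashes in the advisory text, so they should be removed; and CVE-2016-6662 now has two entries, b64a7389-7c27-11e6-8aaa-5404a68ad561 (mysql57 only, with the non-standard topic `Remote-Code-Execution vulnerability in mysql and its variants CVE 2016-6662` and the typos `manupulating` and `LegalHackers' reports`) and 856b88bf-7984-11e6-81e7-d050996490d0 (mysql55/56/57, mariadb and percona). The narrower entry is redundant with the broader one and should be cancelled, or at least have its topic brought into the `package -- description` form used by the rest of the file.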
@@ -383,12 +2947,12 @@
</body>
</description>
<references>
- <freebsdpr>211975</freebsdpr>
+ <freebsdpr>ports/211975</freebsdpr>
</references>
<dates>
<discovery>2016-08-18</discovery>
<entry>2016-08-18</entry>
- <modified>2016-08-19</modified>
+ <modified>2016-10-18</modified>
</dates>
</vuln>
@@ -1199,9 +3763,11 @@
<affects>
<package>
<name>FreeBSD-kernel</name>
- <range><ge>10.2</ge><lt>10.2_14</lt></range>
- <range><ge>10.1</ge><lt>10.1_31</lt></range>
- <range><ge>9.3</ge><lt>9.3_39</lt></range>
+ <range><ge>11.0</ge><lt>11.0_2</lt></range>
+ <range><ge>10.3</ge><lt>10.3_11</lt></range>
+ <range><ge>10.2</ge><lt>10.2_24</lt></range>
+ <range><ge>10.1</ge><lt>10.1_41</lt></range>
+ <range><ge>9.3</ge><lt>9.3_49</lt></range>
</package>
</affects>
<description>
@@ -1210,10 +3776,10 @@
<p>A special combination of sysarch(2) arguments, specify
a request to uninstall a set of descriptors from the LDT.
The start descriptor is cleared and the number of descriptors
- are provided. Due to invalid use of a signed intermediate
- value in the bounds checking during argument validity
- verification, unbound zero'ing of the process LDT and
- adjacent memory can be initiated from usermode.</p>
+ are provided. Due to lack of sufficient bounds checking
+ during argument validity verification, unbound zero'ing of
+ the process LDT and adjacent memory can be initiated from
+ usermode.</p>
<h1>Impact:</h1>
<p>This vulnerability could cause the kernel to panic. In
addition it is possible to perform a local Denial of Service
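Review bot: the root-cause sentence becomes less specific here: "invalid use of a signed intermediate value in the bounds checking" is replaced by "lack of sufficient bounds checking", which drops the one detail that tells a reader what class of bug (a signed/unsigned comparison in the argument check) was fixed. If this tracks a revised upstream FreeBSD advisory text, fine, but that should be stated in the log message, and the `<modified>2016-10-25</modified>` added to this entry's `<dates>` block in the following hunk is what records the change for consumers of the file.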
@@ -1227,6 +3793,7 @@
<dates>
<discovery>2016-03-16</discovery>
<entry>2016-08-11</entry>
+ <modified>2016-10-25</modified>
</dates>
</vuln>
@@ -4154,6 +6721,14 @@
<name>tiff</name>
<range><lt>4.0.6_2</lt></range>
</package>
+ <package>
+ <name>linux-c6-tiff</name>
+ <range><lt>3.9.4_2</lt></range>
+ </package>
+ <package>
+ <name>linux-f10-tiff</name>
+ <range><ge>*</ge></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
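Review bot: `<range><ge>*</ge></range>` for linux-f10-tiff declares every version affected with no fixed version, so every install of that package will be flagged permanently. That is the correct form only if no fixed linux-f10-tiff package will ever exist; if the fix version is merely unknown, an explicit `<lt>` placeholder would be better than an open-ended range. The same open range is repeated for linux-f10-tiff in the two later tiff hunks of this diff, so whichever reading is intended applies to all three.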
@@ -4166,40 +6741,19 @@
</description>
<references>
<url>https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2</url>
+ <cvename>CVE-2016-5314</cvename>
+ <cvename>CVE-2016-5320</cvename>
<cvename>CVE-2016-5875</cvename>
</references>
<dates>
<discovery>2016-06-28</discovery>
<entry>2016-07-15</entry>
+ <modified>2016-09-06</modified>
</dates>
</vuln>
<vuln vid="42ecf370-4aa4-11e6-a7bd-14dae9d210b8">
- <topic>tiff -- denial of service</topic>
- <affects>
- <package>
- <name>tiff</name>
- <range><lt>4.0.6_2</lt></range>
- </package>
- </affects>
- <description>
- <body xmlns="http://www.w3.org/1999/xhtml">
- <p>Aladdin Mubaied reports:</p>
- <blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=1319503">
- <p>Buffer-overflow in gif2tiff utility</p>
- </blockquote>
- </body>
- </description>
- <references>
- <url>https://bugzilla.redhat.com/show_bug.cgi?id=1319503</url>
- <url>https://bugzilla.redhat.com/show_bug.cgi?id=1319666</url>
- <url>http://www.openwall.com/lists/oss-security/2016/03/30/2</url>
- <cvename>CVE-2016-3186</cvename>
- </references>
- <dates>
- <discovery>2016-03-20</discovery>
- <entry>2016-07-15</entry>
- </dates>
+ <cancelled/>
</vuln>
<vuln vid="d706a3a3-4a7c-11e6-97f7-5453ed2e2b49">
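Review bot: cancelling entry 42ecf370-4aa4-11e6-a7bd-14dae9d210b8 removes the only reference to CVE-2016-3186 (the gif2tiff buffer overflow, Red Hat bugs 1319503 and 1319666) visible in this diff, while the surviving entry above only gains `<cvename>CVE-2016-5314</cvename>` and `<cvename>CVE-2016-5320</cvename>`. If the gif2tiff issue was folded into another entry, that is not shown here; if it was not, the cancellation loses a tracked CVE and its references. Either carry CVE-2016-3186 and its URLs into the merged entry, or leave this entry in place.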
@@ -7008,12 +9562,13 @@
<references>
<cvename>CVE-2016-4476</cvename>
<cvename>CVE-2016-4477</cvename>
- <freebsdpr>/ports/209564</freebsdpr>
+ <freebsdpr>ports/209564</freebsdpr>
<url>http://w1.fi/security/2016-1/psk-parameter-config-update.txt</url>
</references>
<dates>
<discovery>2016-05-02</discovery>
<entry>2016-05-20</entry>
+ <modified>2016-05-20</modified>
</dates>
</vuln>
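Review bot: the added `<modified>2016-05-20</modified>` is identical to the existing `<entry>2016-05-20</entry>`, so it records nothing. The `<freebsdpr>` correction in this hunk is being made in this November sync, and the other hunks in the commit date their `<modified>` elements to the actual change (2016-09-05, 2016-09-06, 2016-10-18, 2016-10-25); either use the real date here or omit the element.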
@@ -10204,11 +12759,15 @@
<affects>
<package>
<name>nss</name>
- <name>linux-c6-nss</name>
<range><ge>3.20</ge><lt>3.21.1</lt></range>
<range><lt>3.19.2.3</lt></range>
</package>
<package>
+ <name>linux-c6-nss</name>
+ <range><ge>3.20</ge><lt>3.21.0_1</lt></range>
+ <range><lt>3.19.2.3</lt></range>
+ </package>
+ <package>
<name>linux-firefox</name>
<range><lt>45.0,1</lt></range>
</package>
@@ -10252,6 +12811,7 @@
<dates>
<discovery>2016-03-08</discovery>
<entry>2016-03-08</entry>
+ <modified>2016-09-05</modified>
</dates>
</vuln>
@@ -10305,7 +12865,7 @@
</vuln>
<vuln vid="f9e6c0d1-e4cc-11e5-b2bd-002590263bf5">
- <topic>django -- multiple vulnerabilies</topic>
+ <topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py27-django</name>
@@ -11919,7 +14479,7 @@
</vuln>
<vuln vid="3aa8b781-d2c4-11e5-b2bd-002590263bf5">
- <topic>horde -- XSS vulnerabilies</topic>
+ <topic>horde -- XSS vulnerabilities</topic>
<affects>
<package>
<name>horde</name>
@@ -14878,8 +17438,16 @@
<affects>
<package>
<name>tiff</name>
- <range><le>4.0.6</le></range>
+ <range><lt>4.0.6_1</lt></range>
</package>
+ <package>
+ <name>linux-c6-tiff</name>
+ <range><lt>3.9.4_2</lt></range>
+ </package>
+ <package>
+ <name>linux-f10-tiff</name>
+ <range><ge>*</ge></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
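Review bot: replacing `<le>4.0.6</le>` with `<lt>4.0.6_1</lt>` is the right fix: `le 4.0.6` matched the unpatched port but said nothing about 4.0.6_1 and later port revisions, whereas `lt 4.0.6_1` names the first patched revision explicitly. Note that the tiff entry earlier in this diff uses `<lt>4.0.6_2</lt>` for its fix, so the two entries now deliberately differ by one port revision; worth a quick check that _1 and _2 map to the right port commits. The same `le` to `lt` change is repeated in the next tiff hunk.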
@@ -14896,6 +17464,7 @@
<dates>
<discovery>2015-12-25</discovery>
<entry>2016-01-05</entry>
+ <modified>2016-09-06</modified>
</dates>
</vuln>
@@ -14904,8 +17473,16 @@
<affects>
<package>
<name>tiff</name>
- <range><le>4.0.6</le></range>
+ <range><lt>4.0.6_1</lt></range>
</package>
+ <package>
+ <name>linux-c6-tiff</name>
+ <range><lt>3.9.4_2</lt></range>
+ </package>
+ <package>
+ <name>linux-f10-tiff</name>
+ <range><ge>*</ge></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
@@ -14921,6 +17498,7 @@
<dates>
<discovery>2015-12-24</discovery>
<entry>2016-01-05</entry>
+ <modified>2016-09-06</modified>
</dates>
</vuln>