[Midnightbsd-cvs] mports [23018] trunk/security/vuxml/vuln.xml: update list of vulnerabilities
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Sat Feb 17 17:43:57 EST 2018
Revision: 23018
http://svnweb.midnightbsd.org/mports/?rev=23018
Author: laffer1
Date: 2018-02-17 17:43:57 -0500 (Sat, 17 Feb 2018)
Log Message:
-----------
update list of vulnerabilities
Modified Paths:
--------------
trunk/security/vuxml/vuln.xml
Modified: trunk/security/vuxml/vuln.xml
===================================================================
--- trunk/security/vuxml/vuln.xml 2018-02-17 22:41:36 UTC (rev 23017)
+++ trunk/security/vuxml/vuln.xml 2018-02-17 22:43:57 UTC (rev 23018)
@@ -28,7 +28,7 @@
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- $FreeBSD: head/security/vuxml/vuln.xml 450904 2017-09-29 15:28:54Z zi $
+ $FreeBSD: head/security/vuxml/vuln.xml 462088 2018-02-17 09:42:12Z ohauer $
QUICK GUIDE TO ADDING A NEW ENTRY
@@ -58,6 +58,5628 @@
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="22283b8c-13c5-11e8-a861-20cf30e32f6d">
+ <topic>Bugzilla security issues</topic>
+ <affects>
+ <package>
+ <name>bugzilla44</name>
+ <range><lt>4.4.13</lt></range>
+ </package>
+ <package>
+ <name>bugzilla50</name>
+ <range><lt>5.0.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Bugzilla Security Advisory</p>
+ <blockquote cite="https://www.bugzilla.org/security/4.4.12/">
+ <p>A CSRF vulnerability in report.cgi would allow a third-party site
+ to extract confidential information from a bug the victim had access to.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-5123</cvename>
+ <url>https://bugzilla.mozilla.org/show_bug.cgi?id=1433400</url>
+ </references>
+ <dates>
+ <discovery>2018-02-16</discovery>
+ <entry>2018-02-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="044cff62-ed8b-4e72-b102-18a7d58a669f">
+ <topic>bro -- integer overflow allows remote DOS</topic>
+ <affects>
+ <package>
+ <name>bro</name>
+ <range><lt>2.5.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Philippe Antoine of Catena cyber:</p>
+ <blockquote cite="http://blog.bro.org/2018/02/bro-253-released-security-update.html">
+ <p>This is a security release that fixes an integer overflow in code generated by binpac. This issue can be used by remote attackers to crash Bro (i.e. a DoS attack). There also is a possibility this can be exploited in other ways. (CVE pending.)</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://blog.bro.org/2018/02/bro-253-released-security-update.html</url>
+ </references>
+ <dates>
+ <discovery>2018-02-14</discovery>
+ <entry>2018-02-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ad2eeab6-ca68-4f06-9325-1937b237df60">
+ <topic>consul -- vulnerability in embedded DNS library</topic>
+ <affects>
+ <package>
+ <name>consul</name>
+ <range><lt>1.0.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Consul developers report:</p>
+ <blockquote cite="https://github.com/hashicorp/consul/issues/3859">
+ <p>A flaw was found in the embedded DNS library used in consul which
+ may allow a denial of service attack. Consul was updated to include
+ the fixed version.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/hashicorp/consul/issues/3859</url>
+ <url>https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#105-february-7-2018</url>
+ <url>https://github.com/miekg/dns/pull/631</url>
+ <url>https://github.com/miekg/dns/issues/627</url>
+ <cvename>CVE-2017-15133</cvename>
+ </references>
+ <dates>
+ <discovery>2018-01-17</discovery>
+ <entry>2018-02-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="746d04dc-507e-4450-911f-4c41e48bb07a">
+ <topic>bro -- out of bounds write allows remote DOS</topic>
+ <affects>
+ <package>
+ <name>bro</name>
+ <range><lt>2.5.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Frank Meier:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000458">
+ <p>Bro before Bro v2.5.2 is vulnerable to an out of bounds write in the ContentLine analyzer allowing remote attackers to cause a denial of service (crash) and possibly other exploitation.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://blog.bro.org/2017/10/bro-252-242-release-security-update.html</url>
+ </references>
+ <dates>
+ <discovery>2017-10-16</discovery>
+ <entry>2018-02-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e15a22ce-f16f-446b-9ca7-6859350c2e75">
+ <topic>quagga -- several security issues</topic>
+ <affects>
+ <package>
+ <name>quagga</name>
+ <range><lt>1.2.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Quagga reports:</p>
+ <blockquote cite="https://www.quagga.net/security/Quagga-2018-0543.txt">
+ <p>The Quagga BGP daemon, bgpd, does not properly bounds
+ check the data sent with a NOTIFY to a peer, if an attribute
+ length is invalid. Arbitrary data from the bgpd process
+ may be sent over the network to a peer and/or it may crash.</p>
+ </blockquote>
+ <blockquote cite="https://www.quagga.net/security/Quagga-2018-1114.txt">
+ <p>The Quagga BGP daemon, bgpd, can double-free memory
+ when processing certain forms of UPDATE message, containing
+ cluster-list and/or unknown attributes.</p>
+ </blockquote>
+ <blockquote cite="https://www.quagga.net/security/Quagga-2018-1550.txt">
+ <p>The Quagga BGP daemon, bgpd, can overrun internal BGP
+ code-to-string conversion tables used for debug by 1
+ pointer value, based on input.</p>
+ </blockquote>
+ <blockquote cite="https://www.quagga.net/security/Quagga-2018-1975.txt">
+ <p>The Quagga BGP daemon, bgpd, can enter an infinite
+ loop if sent an invalid OPEN message by a configured peer.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.quagga.net/security/Quagga-2018-0543.txt</url>
+ <url>https://www.quagga.net/security/Quagga-2018-1114.txt</url>
+ <url>https://www.quagga.net/security/Quagga-2018-1550.txt</url>
+ <url>https://www.quagga.net/security/Quagga-2018-1975.txt</url>
+ <cvename>CVE-2018-5378</cvename>
+ <cvename>CVE-2018-5379</cvename>
+ <cvename>CVE-2018-5380</cvename>
+ <cvename>CVE-2018-5381</cvename>
+ </references>
+ <dates>
+ <discovery>2018-01-31</discovery>
+ <entry>2018-02-15</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6f0b0cbf-1274-11e8-8b5b-4ccc6adda413">
+ <topic>libraw -- multiple DoS vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>libraw</name>
+ <range><lt>0.18.7</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Secunia Research reports:</p>
+ <blockquote cite="https://www.securityfocus.com/archive/1/541732">
+ <p>CVE-2018-5800: An off-by-one error within the "LibRaw::kodak_ycbcr_load_raw()"
+ function (internal/dcraw_common.cpp) can be exploited to cause a heap-based
+ buffer overflow and subsequently cause a crash.</p>
+ <p>CVE-2017-5801: An error within the "LibRaw::unpack()" function
+ (src/libraw_cxx.cpp) can be exploited to trigger a NULL pointer dereference.</p>
+ <p>CVE-2017-5802: An error within the "kodak_radc_load_raw()" function
+ (internal/dcraw_common.cpp) related to the "buf" variable can be exploited
+ to cause an out-of-bounds read memory access and subsequently cause a crash.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.securityfocus.com/archive/1/541732</url>
+ <cvename>CVE-2018-5800</cvename>
+ <cvename>CVE-2018-5801</cvename>
+ <cvename>CVE-2018-5802</cvename>
+ </references>
+ <dates>
+ <discovery>2018-01-16</discovery>
+ <entry>2018-02-15</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c60804f1-126f-11e8-8b5b-4ccc6adda413">
+ <topic>libraw -- multiple DoS vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>libraw</name>
+ <range><lt>0.18.6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Secunia Research reports:</p>
+ <blockquote cite="https://www.securityfocus.com/archive/1/541583">
+ <p>CVE-2017-16909: An error related to the "LibRaw::panasonic_load_raw()"
+ function (dcraw_common.cpp) can be exploited to cause a heap-based buffer
+ overflow and subsequently cause a crash via a specially crafted TIFF image.</p>
+ <p>CVE-2017-16910: An error within the "LibRaw::xtrans_interpolate()" function
+ (internal/dcraw_common.cpp) can be exploited to cause an invalid read
+ memory access.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.securityfocus.com/archive/1/541583</url>
+ <cvename>CVE-2017-16909</cvename>
+ <cvename>CVE-2017-16910</cvename>
+ </references>
+ <dates>
+ <discovery>2017-12-04</discovery>
+ <entry>2018-02-15</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="1a75c84a-11c8-11e8-83e7-485b3931c969">
+ <topic>bitmessage -- remote code execution vulnerability</topic>
+ <affects>
+ <package>
+ <name>bitmessage</name>
+ <range><le>0.6.2</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Bitmessage developers report:</p>
+ <blockquote cite="https://github.com/Bitmessage/PyBitmessage/releases/tag/v0.6.3">
+ <p>A remote code execution vulnerability has been spotted in use
+ against some users running PyBitmessage v0.6.2. The cause was
+ identified and a fix has been added and released as 0.6.3.2. (Will be
+ updated if/when CVE will be available.)</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/Bitmessage/PyBitmessage/releases/tag/v0.6.3</url>
+ <url>https://bitmessage.org/wiki/Main_Page</url>
+ </references>
+ <dates>
+ <discovery>2018-02-13</discovery>
+ <entry>2018-02-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5d374fbb-bae3-45db-afc0-795684ac7353">
+ <topic>jenkins -- Path traversal vulnerability allows access to files outside plugin resources</topic>
+ <affects>
+ <package>
+ <name>jenkins</name>
+ <range><le>2.106</le></range>
+ </package>
+ <package>
+ <name>jenkins-lts</name>
+ <range><le>2.89.3</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jenkins developers report:</p>
+ <blockquote cite="https://jenkins.io/security/advisory/2018-02-14/">
+ <p>Jenkins did not properly prevent specifying relative paths that
+ escape a base directory for URLs accessing plugin resource files. This
+ allowed users with Overall/Read permission to download files from the
+ Jenkins master they should not have access to.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://jenkins.io/security/advisory/2018-02-14/</url>
+ <url>https://jenkins.io/blog/2018/02/14/security-updates/</url>
+ <cvename>CVE-2018-6356</cvename>
+ </references>
+ <dates>
+ <discovery>2018-02-14</discovery>
+ <entry>2018-02-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="279f682c-0e9e-11e8-83e7-485b3931c969">
+ <topic>bchunk -- access violation near NULL on destination operand and crash</topic>
+ <affects>
+ <package>
+ <name>bchunk</name>
+ <range><ge>1.2.0</ge><le>1.2.1</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mitre reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15955">
+ <p>bchunk 1.2.0 and 1.2.1 is vulnerable to an "Access violation near
+ NULL on destination operand" and crash when processing a malformed CUE
+ (.cue) file.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-15955</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2017-15955</url>
+ </references>
+ <dates>
+ <discovery>2017-10-28</discovery>
+ <entry>2018-02-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="8ba2819c-0e9d-11e8-83e7-485b3931c969">
+ <topic>bchunk -- heap-based buffer overflow (with invalid free) and crash</topic>
+ <affects>
+ <package>
+ <name>bchunk</name>
+ <range><ge>1.2.0</ge><le>1.2.1</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mitre reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15954">
+ <p>bchunk 1.2.0 and 1.2.1 is vulnerable to a heap-based buffer
+ overflow (with a resultant invalid free) and crash when processing a
+ malformed CUE (.cue) file.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-15954</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2017-15954</url>
+ </references>
+ <dates>
+ <discovery>2017-10-28</discovery>
+ <entry>2018-02-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="1ec1c59b-0e98-11e8-83e7-485b3931c969">
+ <topic>bchunk -- heap-based buffer overflow and crash</topic>
+ <affects>
+ <package>
+ <name>bchunk</name>
+ <range><ge>1.2.0</ge><le>1.2.1</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mitre reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15953">
+ <p>bchunk 1.2.0 and 1.2.1 vulnerable to a heap-based buffer overflow
+ and crash when processing a malformed CUE (.cue) file.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-15953</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2017-15953</url>
+ </references>
+ <dates>
+ <discovery>2017-10-28</discovery>
+ <entry>2018-02-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a8f25565-109e-11e8-8d41-97657151f8c2">
+ <topic>uwsgi -- a stack-based buffer overflow</topic>
+ <affects>
+ <package>
+ <name>uwsgi</name>
+ <range><lt>2.0.16</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Uwsgi developers report:</p>
+ <blockquote cite="http://lists.unbit.it/pipermail/uwsgi/2018-February/008835.html">
+ <p>It was discovered that the uwsgi_expand_path function in utils.c in
+ Unbit uWSGI, an application container server, has a stack-based buffer
+ overflow via a large directory length that can cause a
+ denial-of-service (application crash) or stack corruption.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://lists.unbit.it/pipermail/uwsgi/2018-February/008835.html</url>
+ <url>https://lists.debian.org/debian-lts-announce/2018/02/msg00010.html</url>
+ <cvename>CVE-2018-6758</cvename>
+ </references>
+ <dates>
+ <discovery>2018-02-06</discovery>
+ <entry>2018-02-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="0fe70bcd-2ce3-46c9-a64b-4a7da097db07">
+ <topic>python -- possible integer overflow vulnerability</topic>
+ <affects>
+ <package>
+ <name>python34</name>
+ <range><lt>3.4.8</lt></range>
+ </package>
+ <package>
+ <name>python35</name>
+ <range><lt>3.5.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Python issue:</p>
+ <blockquote cite="https://bugs.python.org/issue30657">
+ <p>There is a possible integer overflow in PyString_DecodeEscape
+ function of the file stringobject.c, which can be abused to gain
+ a heap overflow, possibly leading to arbitrary code execution.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugs.python.org/issue30657</url>
+ <url>https://docs.python.org/3.4/whatsnew/changelog.html</url>
+ <url>https://docs.python.org/3.5/whatsnew/changelog.html</url>
+ <cvename>CVE-2017-1000158</cvename>
+ </references>
+ <dates>
+ <discovery>2017-06-03</discovery>
+ <entry>2018-02-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="aa743ee4-0f16-11e8-8fd2-10bf48e1088e">
+ <topic>electrum -- JSONRPC vulnerability</topic>
+ <affects>
+ <package>
+ <name>electrum-py36</name>
+ <range><ge>2.6</ge><lt>3.0.5</lt></range>
+ </package>
+ <package>
+ <name>electrum2</name>
+ <range><ge>2.6</ge><lt>3.0.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MITRE reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6353">
+ <p>JSONRPC vulnerability</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-6353</cvename>
+ <url>https://github.com/spesmilo/electrum-docs/blob/master/cve.rst</url>
+ <url>https://bitcointalk.org/index.php?topic=2702103.0</url>
+ </references>
+ <dates>
+ <discovery>2018-01-27</discovery>
+ <entry>2018-02-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e4dd787e-0ea9-11e8-95f2-005056925db4">
+ <topic>libtorrent -- remote DoS</topic>
+ <affects>
+ <package>
+ <name>libtorrent</name>
+ <range><lt>0.13.6_5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>X-cela reports:</p>
+ <blockquote cite="https://github.com/rakshasa/libtorrent/pull/99">
+ <p>Calls into build_benocde that use %zu could crash on 64 bit
+ machines due to the size change of size_t. Someone can force
+ READ_ENC_IA to fail allowing an internal_error to be thrown
+ and bring down the client.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/rakshasa/libtorrent/pull/99</url>
+ <freebsdpr>ports/224664</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2015-12-01</discovery>
+ <entry>2018-02-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="316b3c3e-0e98-11e8-8d41-97657151f8c2">
+ <topic>exim -- a buffer overflow vulnerability, remote code execution</topic>
+ <affects>
+ <package>
+ <name>exim</name>
+ <range><lt>4.90.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Exim developers report:</p>
+ <blockquote cite="https://exim.org/static/doc/security/CVE-2018-6789.txt">
+ <p>There is a buffer overflow in base64d(), if some pre-conditions are met.
+Using a handcrafted message, remote code execution seems to be possible.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://exim.org/static/doc/security/CVE-2018-6789.txt</url>
+ </references>
+ <dates>
+ <discovery>2018-02-05</discovery>
+ <entry>2018-02-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7a2e0063-0e4e-11e8-94c0-5453ed2e2b49">
+ <topic>p7zip-codec-rar -- insufficient error handling</topic>
+ <affects>
+ <package>
+ <name>p7zip-codec-rar</name>
+ <range><lt>16.02_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MITRE reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5996">
+ <p>Insufficient exception handling in the method
+ NCompress::NRar3::CDecoder::Code of 7-Zip before 18.00 and p7zip
+ can lead to multiple memory corruptions within the PPMd code,
+ alows remote attackers to cause a denial of service (segmentation
+ fault) or execute arbitrary code via a crafted RAR archive.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-5996</cvename>
+ <url>https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/</url>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5996</url>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2018-5996</url>
+ </references>
+ <dates>
+ <discovery>2018-01-23</discovery>
+ <entry>2018-02-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6d337396-0e4a-11e8-94c0-5453ed2e2b49">
+ <topic>p7zip -- heap-based buffer overflow</topic>
+ <affects>
+ <package>
+ <name>p7zip</name>
+ <range><lt>16.02_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MITRE reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17969">
+ <p>Heap-based buffer overflow in the
+ NCompress::NShrink::CDecoder::CodeReal method in 7-Zip before
+ 18.00 and p7zip allows remote attackers to cause a denial of
+ service (out-of-bounds write) or potentially execute arbitrary
+ code via a crafted ZIP archive.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-17969</cvename>
+ <url>https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/</url>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17969</url>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2017-17969</url>
+ <url>https://marc.info/?l=bugtraq&=151782582216805&=2</url>
+ </references>
+ <dates>
+ <discovery>2018-01-23</discovery>
+ <entry>2018-02-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3ee6e521-0d32-11e8-99b0-d017c2987f9a">
+ <topic>mpv -- arbitrary code execution via crafted website</topic>
+ <affects>
+ <package>
+ <name>mpv</name>
+ <range><lt>0.27.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>mpv developers report:</p>
+ <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2018-6360">
+ <p>mpv through 0.28.0 allows remote attackers to execute arbitrary code
+ via a crafted web site, because it reads HTML documents containing
+ VIDEO elements, and accepts arbitrary URLs in a src attribute without
+ a protocol whitelist in player/lua/ytdl_hook.lua. For example, an
+ av://lavfi:ladspa=file= URL signifies that the product should call
+ dlopen on a shared object file located at an arbitrary local pathname.
+ The issue exists because the product does not consider that youtube-dl
+ can provide a potentially unsafe URL.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/mpv-player/mpv/issues/5456</url>
+ <cvename>CVE-2018-6360</cvename>
+ </references>
+ <dates>
+ <discovery>2018-01-28</discovery>
+ <entry>2018-02-09</entry>
+ <modified>2018-02-11</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="3d0eeef8-0cf9-11e8-99b0-d017c2987f9a">
+ <topic>Mailman -- Cross-site scripting (XSS) vulnerability in the web UI</topic>
+ <affects>
+ <package>
+ <name>mailman</name>
+ <range><lt>2.1.26</lt></range>
+ </package>
+ <package>
+ <name>mailman-with-htdig</name>
+ <range><lt>2.1.26</lt></range>
+ </package>
+ <package>
+ <name>ja-mailman</name>
+ <range><le>2.1.14.j7_2,1</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mark Sapiro reports:</p>
+ <blockquote cite="https://www.mail-archive.com/mailman-users@python.org/msg70478.html">
+ <p>An XSS vulnerability in the user options CGI could allow a crafted URL
+ to execute arbitrary javascript in a user's browser. A related issue
+ could expose information on a user's options page without requiring
+ login.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.mail-archive.com/mailman-users@python.org/msg70478.html</url>
+ <cvename>CVE-2018-5950</cvename>
+ </references>
+ <dates>
+ <discovery>2018-01-20</discovery>
+ <entry>2018-02-08</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c602c791-0cf4-11e8-a2ec-6cc21735f730">
+ <topic>PostgreSQL vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>postgresql93-server</name>
+ <range><ge>9.3.0</ge><lt>9.3.21</lt></range>
+ </package>
+ <package>
+ <name>postgresql94-server</name>
+ <range><ge>9.4.0</ge><lt>9.4.16</lt></range>
+ </package>
+ <package>
+ <name>postgresql95-server</name>
+ <range><ge>9.5.0</ge><lt>9.5.11</lt></range>
+ </package>
+ <package>
+ <name>postgresql96-server</name>
+ <range><ge>9.6.0</ge><lt>9.6.7</lt></range>
+ </package>
+ <package>
+ <name>postgresql10-server</name>
+ <range><ge>10.0</ge><lt>10.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The PostgreSQL project reports:</p>
+ <blockquote cite="https://www.postgresql.org/about/news/1829/">
+ <ul>
+ <li>CVE-2018-1052: Fix the processing of partition keys containing multiple expressions (only for PostgreSQL-10.x)</li>
+ <li>CVE-2018-1053: Ensure that all temporary files made with "pg_upgrade" are non-world-readable</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-1052</cvename>
+ <cvename>CVE-2018-1053</cvename>
+ </references>
+ <dates>
+ <discovery>2018-02-05</discovery>
+ <entry>2018-02-08</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b38e8150-0535-11e8-96ab-0800271d4b9c">
+ <topic>tiff -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>tiff</name>
+ <range><le>4.0.9</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Debian Security Advisory reports:</p>
+ <blockquote cite="https://www.debian.org/security/2018/dsa-4100">
+ <p>Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-9935</cvename>
+ <url>http://bugzilla.maptools.org/show_bug.cgi?id=2704</url>
+ <cvename>CVE-2017-18013</cvename>
+ <url>http://bugzilla.maptools.org/show_bug.cgi?id=2770</url>
+ <bid>225544</bid>
+ </references>
+ <dates>
+ <discovery>2017-06-22</discovery>
+ <entry>2018-01-29</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="756a8631-0b84-11e8-a986-6451062f0f7a">
+ <topic>Flash Player -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>linux-flashplayer</name>
+ <range><lt>28.0.0.161</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adobe reports:</p>
+ <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb18-03.html">
+ <ul>
+ <li>This update resolves use-after-free vulnerabilities that
+ could lead to remote code execution (CVE-2018-4877,
+ CVE-2018-4878).</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-4877</cvename>
+ <cvename>CVE-2018-4878</cvename>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsa18-01.html</url>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsb18-03.html</url>
+ </references>
+ <dates>
+ <discovery>2018-01-31</discovery>
+ <entry>2018-02-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f5524753-67b1-4c88-8114-29c2d258b383">
+ <topic>mini_httpd,thttpd -- Buffer overflow in htpasswd</topic>
+ <affects>
+ <package>
+ <name>mini_httpd</name>
+ <range><lt>1.28</lt></range>
+ </package>
+ <package>
+ <name>thttpd</name>
+ <range><lt>2.28</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Alessio Santoru reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17663">
+ <p>Buffer overflow in htpasswd.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://acme.com/updates/archive/199.html</url>
+ </references>
+ <dates>
+ <discovery>2017-12-13</discovery>
+ <entry>2018-02-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3746de31-0a1a-11e8-83e7-485b3931c969">
+ <topic>shadowsocks-libev -- command injection via shell metacharacters</topic>
+ <affects>
+ <package>
+ <name>shadowsocks-libev</name>
+ <range><ge>3.1.0</ge><lt>3.1.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MITRE reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15924">
+ <p>Improper parsing allows command injection via shell metacharacters in
+ a JSON configuration request received via 127.0.0.1 UDP traffic.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2017-15924</url>
+ </references>
+ <dates>
+ <discovery>2017-10-27</discovery>
+ <entry>2018-02-05</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5044bd23-08cb-11e8-b08f-00012e582166">
+ <topic>palemoon -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>palemoon</name>
+ <range><lt>27.7.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Pale Moon reports:</p>
+ <blockquote cite="http://www.palemoon.org/releasenotes.shtml">
+ <p>CVE-2018-5102: Use-after-free in HTML media elements</p>
+ <p>CVE-2018-5122: Potential integer overflow in DoCrypt</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-5102</cvename>
+ <cvename>CVE-2018-5122</cvename>
+ </references>
+ <dates>
+ <discovery>2018-01-23</discovery>
+ <entry>2018-02-03</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d696473f-9f32-42c5-a106-bf4536fb1f74">
+ <topic>Django -- information leakage</topic>
+ <affects>
+ <package>
+ <name>py27-django111</name>
+ <name>py34-django111</name>
+ <name>py35-django111</name>
+ <name>py36-django111</name>
+ <range><lt>1.11.10</lt></range>
+ </package>
+ <package>
+ <name>py27-django20</name>
+ <name>py34-django20</name>
+ <name>py35-django20</name>
+ <name>py36-django20</name>
+ <range><lt>2.0.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Django release notes:</p>
+ <blockquote cite="https://docs.djangoproject.com/en/1.11/releases/1.11.10/">
+ <p>CVE-2018-6188: Information leakage in AuthenticationForm</p>
+ <p>A regression in Django 1.11.8 made AuthenticationForm run its
+ confirm_login_allowed() method even if an incorrect password is entered.
+ This can leak information about a user, depending on what messages
+ confirm_login_allowed() raises. If confirm_login_allowed() isn't
+ overridden, an attacker enter an arbitrary username and see if that user
+ has been set to is_active=False. If confirm_login_allowed() is
+ overridden, more sensitive details could be leaked.</p>
+ <p>This issue is fixed with the caveat that AuthenticationForm can no
+ longer raise the "This account is inactive." error if the authentication
+ backend rejects inactive users (the default authentication backend,
+ ModelBackend, has done that since Django 1.10). This issue will be
+ revisited for Django 2.1 as a fix to address the caveat will likely be too
+ invasive for inclusion in older versions.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://docs.djangoproject.com/en/1.11/releases/1.11.10/</url>
+ <url>https://docs.djangoproject.com/en/2.0/releases/2.0.2/</url>
+ <cvename>CVE-2018-6188</cvename>
+ </references>
+ <dates>
+ <discovery>2018-02-01</discovery>
+ <entry>2018-02-02</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e72d5bf5-07a0-11e8-8248-0021ccb9e74d">
+ <topic>w3m - multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>w3m</name>
+ <name>w3m-img</name>
+ <name>ja-w3m</name>
+ <name>ja-w3m-img</name>
+ <range><lt>0.5.3.20180125</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Tatsuya Kinoshita reports:</p>
+ <blockquote cite="https://github.com/tats/w3m/commit/01d41d49b273a8cc75b27c6ab42291b46004fc0c">
+ <p>CVE-2018-6196 * table.c: Prevent negative indent value in feed_table_block_tag().</p>
+ <p>CVE-2018-6197 * form.c: Prevent invalid columnPos() call in formUpdateBuffer().</p>
+ <p>CVE-2018-6198 * config.h.dist, config.h.in, configure, configure.ac, main.c, rc.c: Make temporary directory safely when ~/.w3m is unwritable.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/tats/w3m/commit/e773a0e089276f82c546447c0fd1e6c0f9156628</url>
+ <cvename>CVE-2018-6196</cvename>
+ <cvename>CVE-2018-6197</cvename>
+ <cvename>CVE-2018-6198</cvename>
+ </references>
+ <dates>
+ <discovery>2018-01-25</discovery>
+ <entry>2018-02-01</entry>
+ <modified>2018-02-03</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="103bf96a-6211-45ab-b567-1555ebb3a86a">
+ <topic>firefox -- Arbitrary code execution through unsanitized browser UI</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>58.0.1,1</lt></range>
+ </package>
+ <package>
+ <name>waterfox</name>
+ <range><lt>56.0.3.65</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Mozilla Foundation reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2018-05/">
+ <p>Mozilla developer <strong>Johann Hofmann</strong> reported that
+ unsanitized output in the browser UI can lead to arbitrary
+ code execution.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugzilla.mozilla.org/show_bug.cgi?id=1432966</url>
+ </references>
+ <dates>
+ <discovery>2018-01-29</discovery>
+ <entry>2018-01-29</entry>
+ <modified>2018-01-31</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="2cceb80e-c482-4cfd-81b3-2088d2c0ad53">
+ <topic>gcab -- stack overflow</topic>
+ <affects>
+ <package>
+ <name>gcab</name>
+ <range><lt>0.8</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Upstream reports:</p>
+ <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2018-5345">
+ <p>A stack-based buffer overflow within GNOME gcab through
+ 0.7.4 can be exploited by malicious attackers to cause a
+ crash or, potentially, execute arbitrary code via a
+ crafted .cab file.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2018-5345</url>
+ <url>https://mail.gnome.org/archives/ftp-release-list/2018-January/msg00066.html</url>
+ <cvename>CVE-2018-5345</cvename>
+ </references>
+ <dates>
+ <discovery>2018-01-23</discovery>
+ <entry>2018-01-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="92b8b284-a3a2-41b1-956c-f9cf8b74f500">
+ <topic>dovecot -- abort of SASL authentication results in a memory leak</topic>
+ <affects>
+ <package>
+ <name>dovecot</name>
+ <range><gt>2.0</gt><le>2.2.33.2_3</le></range>
+ <range><ge>2.3</ge><le>2.3.0</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p> Pedro Sampaio reports:</p>
+ <blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=1532768">
+ <p>A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. A abort of
+ SASL authentication results in a memory leak in Dovecot auth client
+ used by login processes. The leak has impact in high performance
+ configuration where same login processes are reused and can cause the
+ process to crash due to memory exhaustion.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-15132</cvename>
+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=1532768</url>
+ <url>https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch</url>
+ </references>
+ <dates>
+ <discovery>2018-01-09</discovery>
+ <entry>2018-01-26</entry>
+ <modified>2018-02-01</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="0cbf0fa6-dcb7-469c-b87a-f94cffd94583">
+ <topic>cURL -- Multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>curl</name>
+ <range><lt>7.58.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The cURL project reports:</p>
+ <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000007">
+ <p>libcurl 7.1 through 7.57.0 might accidentally leak authentication
+ data to third parties. When asked to send custom headers in its HTTP
+ requests, libcurl will send that set of headers first to the host in
+ the initial URL but also, if asked to follow redirects and a 30X HTTP
+ response code is returned, to the host mentioned in URL in the
+ `Location:` response header value. Sending the same set of headers to
+ subsequest hosts is in particular a problem for applications that pass
+ on custom `Authorization:` headers, as this header often contains
+ privacy sensitive information or data that could allow others to
+ impersonate the libcurl-using client's request.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://curl.haxx.se/docs/adv_2018-b3bf.html</url>
+ <cvename>CVE-2018-1000007</cvename>
+ </references>
+ <dates>
+ <discovery>2018-01-24</discovery>
+ <entry>2018-01-26</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b464f61b-84c7-4e1c-8ad4-6cf9efffd025">
+ <topic>clamav -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>clamav</name>
+ <range><lt>0.99.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>ClamAV project reports:</p>
+ <blockquote cite="http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html">
+ <p>Join us as we welcome ClamAV 0.99.3 to the family!.</p>
+ <p>This release is a security release and is recommended for
+ all ClamAV users.</p>
+ <p>CVE-2017-12374 ClamAV UAF (use-after-free) Vulnerabilities</p>
+ <p>CVE-2017-12375 ClamAV Buffer Overflow Vulnerability</p>
+ <p>CVE-2017-12376 ClamAV Buffer Overflow in handle_pdfname
+ Vulnerability</p>
+ <p>CVE-2017-12377 ClamAV Mew Packet Heap Overflow Vulnerability</p>
+ <p>CVE-2017-12378 ClamAV Buffer Over Read Vulnerability</p>
+ <p>CVE-2017-12379 ClamAV Buffer Overflow in messageAddArgument
+ Vulnerability</p>
+ <p>CVE-2017-12380 ClamAV Null Dereference Vulnerability</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html</url>
+ <cvename>CVE-2017-12374</cvename>
+ <cvename>CVE-2017-12375</cvename>
+ <cvename>CVE-2017-12376</cvename>
+ <cvename>CVE-2017-12377</cvename>
+ <cvename>CVE-2017-12378</cvename>
+ <cvename>CVE-2017-12379</cvename>
+ <cvename>CVE-2017-12380</cvename>
+ </references>
+ <dates>
+ <discovery>2018-01-25</discovery>
+ <entry>2018-01-26</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a891c5b4-3d7a-4de9-9c71-eef3fd698c77">
+ <topic>mozilla -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>58.0_1,1</lt></range>
+ </package>
+ <package>
+ <name>waterfox</name>
+ <range><lt>56.0.3.63</lt></range>
+ </package>
+ <package>
+ <name>seamonkey</name>
+ <name>linux-seamonkey</name>
+ <range><lt>2.49.2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>52.6.0_1,1</lt></range>
+ </package>
+ <package>
+ <name>linux-firefox</name>
+ <range><lt>52.6.0,2</lt></range>
+ </package>
+ <package>
+ <name>libxul</name>
+ <name>thunderbird</name>
+ <name>linux-thunderbird</name>
+ <range><lt>52.6.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mozilla Foundation reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/">
+ <p>CVE-2018-5091: Use-after-free with DTMF timers</p>
+ <p>CVE-2018-5092: Use-after-free in Web Workers</p>
+ <p>CVE-2018-5093: Buffer overflow in WebAssembly during Memory/Table resizing</p>
+ <p>CVE-2018-5094: Buffer overflow in WebAssembly with garbage collection on uninitialized memory</p>
+ <p>CVE-2018-5095: Integer overflow in Skia library during edge builder allocation</p>
+ <p>CVE-2018-5097: Use-after-free when source document is manipulated during XSLT</p>
+ <p>CVE-2018-5098: Use-after-free while manipulating form input elements</p>
+ <p>CVE-2018-5099: Use-after-free with widget listener</p>
+ <p>CVE-2018-5100: Use-after-free when IsPotentiallyScrollable arguments are freed from memory</p>
+ <p>CVE-2018-5101: Use-after-free with floating first-letter style elements</p>
+ <p>CVE-2018-5102: Use-after-free in HTML media elements</p>
+ <p>CVE-2018-5103: Use-after-free during mouse event handling</p>
+ <p>CVE-2018-5104: Use-after-free during font face manipulation</p>
+ <p>CVE-2018-5105: WebExtensions can save and execute files on local file system without user prompts</p>
+ <p>CVE-2018-5106: Developer Tools can expose style editor information cross-origin through service worker</p>
+ <p>CVE-2018-5107: Printing process will follow symlinks for local file access</p>
+ <p>CVE-2018-5108: Manually entered blob URL can be accessed by subsequent private browsing tabs</p>
+ <p>CVE-2018-5109: Audio capture prompts and starts with incorrect origin attribution</p>
+ <p>CVE-2018-5110: Cursor can be made invisible on OS X</p>
+ <p>CVE-2018-5111: URL spoofing in addressbar through drag and drop</p>
+ <p>CVE-2018-5112: Extension development tools panel can open a non-relative URL in the panel</p>
+ <p>CVE-2018-5113: WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow</p>
+ <p>CVE-2018-5114: The old value of a cookie changed to HttpOnly remains accessible to scripts</p>
+ <p>CVE-2018-5115: Background network requests can open HTTP authentication in unrelated foreground tabs</p>
+ <p>CVE-2018-5116: WebExtension ActiveTab permission allows cross-origin frame content access</p>
+ <p>CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right</p>
+ <p>CVE-2018-5118: Activity Stream images can attempt to load local content through file:</p>
+ <p>CVE-2018-5119: Reader view will load cross-origin content in violation of CORS headers</p>
+ <p>CVE-2018-5121: OS X Tibetan characters render incompletely in the addressbar</p>
+ <p>CVE-2018-5122: Potential integer overflow in DoCrypt</p>
+ <p>CVE-2018-5090: Memory safety bugs fixed in Firefox 58</p>
+ <p>CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-5089</cvename>
+ <cvename>CVE-2018-5090</cvename>
+ <cvename>CVE-2018-5091</cvename>
+ <cvename>CVE-2018-5092</cvename>
+ <cvename>CVE-2018-5093</cvename>
+ <cvename>CVE-2018-5094</cvename>
+ <cvename>CVE-2018-5095</cvename>
+ <cvename>CVE-2018-5097</cvename>
+ <cvename>CVE-2018-5098</cvename>
+ <cvename>CVE-2018-5099</cvename>
+ <cvename>CVE-2018-5100</cvename>
+ <cvename>CVE-2018-5101</cvename>
+ <cvename>CVE-2018-5102</cvename>
+ <cvename>CVE-2018-5103</cvename>
+ <cvename>CVE-2018-5104</cvename>
+ <cvename>CVE-2018-5105</cvename>
+ <cvename>CVE-2018-5106</cvename>
+ <cvename>CVE-2018-5107</cvename>
+ <cvename>CVE-2018-5108</cvename>
+ <cvename>CVE-2018-5109</cvename>
+ <cvename>CVE-2018-5110</cvename>
+ <cvename>CVE-2018-5111</cvename>
+ <cvename>CVE-2018-5112</cvename>
+ <cvename>CVE-2018-5113</cvename>
+ <cvename>CVE-2018-5114</cvename>
+ <cvename>CVE-2018-5115</cvename>
+ <cvename>CVE-2018-5116</cvename>
+ <cvename>CVE-2018-5117</cvename>
+ <cvename>CVE-2018-5118</cvename>
+ <cvename>CVE-2018-5119</cvename>
+ <cvename>CVE-2018-5121</cvename>
+ <cvename>CVE-2018-5122</cvename>
+ <url>https://www.mozilla.org/security/advisories/mfsa2018-02/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2018-03/</url>
+ </references>
+ <dates>
+ <discovery>2018-01-23</discovery>
+ <entry>2018-01-23</entry>
+ <modified>2018-01-29</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="24a82876-002e-11e8-9a95-0cc47a02c232">
+ <topic>powerdns-recursor -- insufficient validation of DNSSEC signatures</topic>
+ <affects>
+ <package>
+ <name>powerdns-recursor</name>
+ <range><lt>4.1.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>PowerDNS Security Advisory reports:</p>
+ <blockquote cite="https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html">
+ <p>An issue has been found in the DNSSEC validation component of
+ PowerDNS Recursor, allowing an ancestor delegation NSEC or NSEC3
+ record to be used to wrongfully prove the non-existence of a RR
+ below the owner name of that record. This would allow an attacker in
+ position of man-in-the-middle to send a NXDOMAIN answer for a name
+ that does exist.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-1000003</cvename>
+ <url>https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html</url>
+ </references>
+ <dates>
+ <discovery>2018-01-22</discovery>
+ <entry>2018-01-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e264e74e-ffe0-11e7-8b91-e8e0b747a45a">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>63.0.3239.108</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop_14.html">
+ <p>2 security fixes in this release, including:</p>
+ <ul>
+ <li>[788453] High CVE-2017-15429: UXSS in V8. Reported by
+ Anonymous on 2017-11-24</li>
+ <li>[794792] Various fixes from internal audits, fuzzing and other initiatives</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-15429</cvename>
+ <url>https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop_14.html</url>
+ </references>
+ <dates>
+ <discovery>2017-12-14</discovery>
+ <entry>2018-01-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="1d951e85-ffdb-11e7-8b91-e8e0b747a45a">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>63.0.3239.84</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html">
+ <p>37 security fixes in this release, including:</p>
+ <ul>
+ <li>[778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by
+ Ned Williamson on 2017-10-26</li>
+ <li>[762374] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by
+ Ke Liu of Tencent's Xuanwu LAB on 2017-09-06</li>
+ <li>[763972] High CVE-2017-15409: Out of bounds write in Skia. Reported by
+ Anonymous on 2017-09-11</li>
+ <li>[765921] High CVE-2017-15410: Use after free in PDFium. Reported by
+ Luat Nguyen of KeenLab, Tencent on 2017-09-16</li>
+ <li>[770148] High CVE-2017-15411: Use after free in PDFium. Reported by
+ Luat Nguyen of KeenLab, Tencent on 2017-09-29</li>
+ <li>[727039] High CVE-2017-15412: Use after free in libXML. Reported by
+ Nick Wellnhofer on 2017-05-27</li>
+ <li>[766666] High CVE-2017-15413: Type confusion in WebAssembly. Reported by
+ Gaurav Dewan of Adobe Systems India Pvt. Ltd. on 2017-09-19</li>
+ <li>[765512] Medium CVE-2017-15415: Pointer information disclosure in IPC call.
+ Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15</li>
+ <li>[779314] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by
+ Ned Williamson on 2017-10-28</li>
+ <li>[699028] Medium CVE-2017-15417: Cross origin information disclosure in Skia.
+ Reported by Max May on 2017-03-07</li>
+ <li>[765858] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by
+ Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-09-15</li>
+ <li>[780312] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink.
+ Reported by Jun Kokatsu on 2017-10-31</li>
+ <li>[777419] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by
+ WenXu Wu of Tencent's Xuanwu Lab on 2017-10-23</li>
+ <li>[774382] Medium CVE-2017-15422: Integer overflow in ICU. Reported by
+ Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13</li>
+ <li>[780484] Medium CVE-2017-15430: Unsafe navigation in Chromecast Plugin.
+ Reported by jinmo123 on 2017-01-11</li>
+ <li>[778101] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL.
+ Reported by Greg Hudson on 2017-10-25</li>
+ <li>[756226] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by
+ Khalil Zhani on 2017-08-16</li>
+ <li>[756456] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by
+ xisigr of Tencent's Xuanwu Lab on 2017-08-17</li>
+ <li>[757735] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by
+ WenXu Wu of Tencent's Xuanwu Lab on 2017-08-18</li>
+ <li>[768910] Low CVE-2017-15427: Insufficient blocking of Javascript in Omnibox.
+ Reported by Junaid Farhan on 2017-09-26</li>
+ <li>[792099] Various fixes from internal audits, fuzzing and other initiatives</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-15407</cvename>
+ <cvename>CVE-2017-15408</cvename>
+ <cvename>CVE-2017-15409</cvename>
+ <cvename>CVE-2017-15410</cvename>
+ <cvename>CVE-2017-15411</cvename>
+ <cvename>CVE-2017-15412</cvename>
+ <cvename>CVE-2017-15413</cvename>
+ <cvename>CVE-2017-15415</cvename>
+ <cvename>CVE-2017-15416</cvename>
+ <cvename>CVE-2017-15417</cvename>
+ <cvename>CVE-2017-15418</cvename>
+ <cvename>CVE-2017-15419</cvename>
+ <cvename>CVE-2017-15420</cvename>
+ <cvename>CVE-2017-15422</cvename>
+ <cvename>CVE-2017-15430</cvename>
+ <cvename>CVE-2017-15423</cvename>
+ <cvename>CVE-2017-15424</cvename>
+ <cvename>CVE-2017-15425</cvename>
+ <cvename>CVE-2017-15426</cvename>
+ <cvename>CVE-2017-15427</cvename>
+ <url>https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html</url>
+ </references>
+ <dates>
+ <discovery>2017-12-06</discovery>
+ <entry>2018-01-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="82894193-ffd4-11e7-8b91-e8e0b747a45a">
+ <topic>chromium -- out of bounds read</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>62.0.3202.94</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2017/11/stable-channel-update-for-desktop_13.html">
+ <p>1 security fix in this release, including:</p>
+ <ul>
+ <li>[782145] High CVE-2017-15428: Out of bounds read in V8. Reported by
+ Zhao Qixun of Qihoo 360 Vulcan Team on 2017-11-07</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-15428</cvename>
+ <url>https://chromereleases.googleblog.com/2017/11/stable-channel-update-for-desktop_13.html</url>
+ </references>
+ <dates>
+ <discovery>2017-11-13</discovery>
+ <entry>2018-01-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="8d3bae09-fd28-11e7-95f2-005056925db4">
+ <topic>unbound -- vulnerability in the processing of wildcard synthesized NSEC records</topic>
+ <affects>
+ <package>
+ <name>unbound</name>
+ <range><lt>1.6.8</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Unbound reports:</p>
+ <blockquote cite="https://unbound.net/downloads/CVE-2017-15105.txt">
+ <p>We discovered a vulnerability in the processing of wildcard synthesized
+ NSEC records. While synthesis of NSEC records is allowed by RFC4592,
+ these synthesized owner names should not be used in the NSEC processing.
+ This does, however, happen in Unbound 1.6.7 and earlier versions.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://unbound.net/downloads/CVE-2017-15105.txt</url>
+ <cvename>CVE-2017-15105</cvename>
+ <freebsdpr>ports/225313</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2017-10-08</discovery>
+ <entry>2018-01-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="8e89a89a-fd15-11e7-bdf6-00e04c1ea73d">
+ <topic>phpbb3 -- multiple issues</topic>
+ <affects>
+ <package>
+ <name>phpbb3</name>
+ <range><lt>3.2.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>phpbb developers reports:</p>
+ <blockquote cite="https://wiki.phpbb.com/Release_Highlights/3.2.2">
+ <p>Password updater working with PostgreSQL - The cron for updating legacy password hashes was running invalid queries on PostgreSQL.</p>
+ <p>Deleting orphaned attachments w/ large number of orphaned attachments - Orphaned attachment deletion was improved to be able to delete them when a large number of orphaned attachments exist.</p>
+ <p>Multiple bugfixes for retrieving image size - Multiple issues with retrieving the image size of JPEGs and temporary files were resolved.</p>
+ <p>Issues with updating from phpBB 3.0.6 - Inconsistencies in the way parent modules were treated caused issues with updating from older phpBB 3.0 versions.</p>
+ <p>Forum / topic icon blurriness - Fixed issues with forum and topic icons looking blurry on some browsers.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://wiki.phpbb.com/Release_Highlights/3.2.2</url>
+ </references>
+ <dates>
+ <discovery>2018-01-07</discovery>
+ <entry>2018-01-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e3445736-fd01-11e7-ac58-b499baebfeaf">
+ <topic>MySQL -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mariadb55-server</name>
+ <range><lt>5.5.59</lt></range>
+ </package>
+ <package>
+ <name>mariadb100-server</name>
+ <range><lt>10.0.34</lt></range>
+ </package>
+ <package>
+ <name>mariadb101-server</name>
+ <range><lt>10.1.31</lt></range>
+ </package>
+ <package>
+ <name>mariadb102-server</name>
+ <range><lt>10.2.13</lt></range>
+ </package>
+ <package>
+ <name>mysql55-server</name>
+ <range><lt>5.5.59</lt></range>
+ </package>
+ <package>
+ <name>mysql56-server</name>
+ <range><lt>5.6.39</lt></range>
+ </package>
+ <package>
+ <name>mysql57-server</name>
+ <range><lt>5.7.21</lt></range>
+ </package>
+ <package>
+ <name>percona55-server</name>
+ <range><lt>5.5.59</lt></range>
+ </package>
+ <package>
+ <name>percona56-server</name>
+ <range><lt>5.6.39</lt></range>
+ </package>
+ <package>
+ <name>percona57-server</name>
+ <range><lt>5.7.21</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Oracle reports:</p>
+ <blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL">
+ <p>Not all vulnerabilities are relevant for all flavors/versions of the
+ servers and clients</p>
+ <ul>
+ <li>Vulnerability allows low privileged attacker with network access
+ via multiple protocols to compromise MySQL Server. Successful attacks
+ of this vulnerability can result in unauthorized ability to cause a
+ hang or frequently repeatable crash (complete DOS) of MySQL Server.
+ GIS: CVE-2018-2573, DDL CVE-2018-2622, Optimizer: CVE-2018-2640,
+ CVE-2018-2665, CVE-2018-2668, Security:Privileges: CVE-2018-2703,
+ Partition: CVE-2018-2562.</li>
+ <li>Vulnerability allows high privileged attacker with network access
+ via multiple protocols to compromise MySQL Server. Successful attacks
+ of this vulnerability can result in unauthorized ability to cause a
+ hang or frequently repeatable crash (complete DOS) of MySQL Server.
+ InnoDB: CVE-2018-2565, CVE-2018-2612 DML: CVE-2018-2576,
+ CVE-2018-2646, Stored Procedure: CVE-2018-2583, Performance Schema:
+ CVE-2018-2590, Partition: CVE-2018-2591, Optimizer: CVE-2018-2600,
+ CVE-2018-2667, Security:Privileges: CVE-2018-2696, Replication:
+ CVE-2018-2647.</li>
+ <li>Vulnerability allows a low or high privileged attacker with network
+ access via multiple protocols to compromise MySQL Server with
+ unauthorized creation, deletion, modification or access to data/
+ critical data. InnoDB: CVE-2018-2612, Performance Schema:
+ CVE-2018-2645, Replication: CVE-2018-2647, Partition: CVE-2018-2562.
+ </li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL</url>
+ <url>https://mariadb.com/kb/en/library/mariadb-5559-release-notes/</url>
+ <cvename>CVE-2018-2562</cvename>
+ <cvename>CVE-2018-2565</cvename>
+ <cvename>CVE-2018-2573</cvename>
+ <cvename>CVE-2018-2576</cvename>
+ <cvename>CVE-2018-2583</cvename>
+ <cvename>CVE-2018-2586</cvename>
+ <cvename>CVE-2018-2590</cvename>
+ <cvename>CVE-2018-2591</cvename>
+ <cvename>CVE-2018-2600</cvename>
+ <cvename>CVE-2018-2612</cvename>
+ <cvename>CVE-2018-2622</cvename>
+ <cvename>CVE-2018-2640</cvename>
+ <cvename>CVE-2018-2645</cvename>
+ <cvename>CVE-2018-2646</cvename>
+ <cvename>CVE-2018-2647</cvename>
+ <cvename>CVE-2018-2665</cvename>
+ <cvename>CVE-2018-2667</cvename>
+ <cvename>CVE-2018-2668</cvename>
+ <cvename>CVE-2018-2696</cvename>
+ <cvename>CVE-2018-2703</cvename>
+ </references>
+ <dates>
+ <discovery>2017-01-18</discovery>
+ <entry>2018-01-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c04dc18f-fcde-11e7-bdf6-00e04c1ea73d">
+ <topic>wordpress -- multiple issues</topic>
+ <affects>
+ <package>
+ <name>wordpress</name>
+ <name>fr-wordpress</name>
+ <range><lt>4.9.2,1</lt></range>
+ </package>
+ <package>
+ <name>de-wordpress</name>
+ <name>ja-wordpress</name>
+ <name>ru-wordpress</name>
+ <name>zh-wordpress-zh_CN</name>
+ <name>zh-wordpress-zh_TW</name>
+ <range><lt>4.9.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>wordpress developers reports:</p>
+ <blockquote cite="https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/">
+ <p>JavaScript errors that prevented saving posts in Firefox have been fixed.</p>
+ <p>The previous taxonomy-agnostic behavior of get_category_link() and category_description() was restored.</p>
+ <p>Switching themes will now attempt to restore previous widget assignments, even when there are no sidebars to map.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/</url>
+ </references>
+ <dates>
+ <discovery>2018-01-16</discovery>
+ <entry>2018-01-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="65fab89f-2231-46db-8541-978f4e87f32a">
+ <topic>gitlab -- Remote code execution on project import</topic>
+ <affects>
+ <package>
+ <name>gitlab</name>
+ <range><lt>10.1.6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>GitLab developers report:</p>
+ <blockquote cite="https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/">
+ <p>Today we are releasing versions 10.3.4, 10.2.6, and 10.1.6 for
+ GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
+ <p>These versions contain a number of important security fixes,
+ including two that prevent remote code execution, and we strongly
+ recommend that all GitLab installations be upgraded to one of these
+ versions immediately.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/</url>
+ <cvename>CVE-2017-0915</cvename>
+ <cvename>CVE-2018-3710</cvename>
+ </references>
+ <dates>
+ <discovery>2018-01-16</discovery>
+ <entry>2018-01-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3e5b8bd3-0c32-452f-a60e-beab7b762351">
+ <topic>transmission-daemon -- vulnerable to dns rebinding attacks</topic>
+ <affects>
+ <package>
+ <name>transmission-daemon</name>
+ <range><le>2.92_3</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Project Zero reports:</p>
+ <blockquote cite="https://bugs.chromium.org/p/project-zero/issues/detail?id=1447">
+ <p>The transmission bittorrent client uses a client/server
+ architecture, the user interface is the client which communicates
+ to the worker daemon using JSON RPC requests.</p>
+ <p>As with all HTTP RPC schemes like this, any website can send
+ requests to the daemon listening on localhost with XMLHttpRequest(),
+ but the theory is they will be ignored because clients must prove
+ they can read and set a specific header, X-Transmission-Session-Id.
+ Unfortunately, this design doesn't work because of an attack called
+ "DNS rebinding". Any website can simply create a dns name that they
+ are authorized to communicate with, and then make it resolve to
+ localhost.</p>
+ <p>Exploitation is simple, you could set script-torrent-done-enabled
+ and run any command, or set download-dir to /home/user/ and then
+ upload a torrent for .bashrc.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugs.chromium.org/p/project-zero/issues/detail?id=1447</url>
+ <url>https://github.com/transmission/transmission/pull/468</url>
+ </references>
+ <dates>
+ <discovery>2017-11-30</discovery>
+ <entry>2018-01-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3dbe9492-f7b8-11e7-a12d-6cc21735f730">
+ <topic>shibboleth-sp -- vulnerable to forged user attribute data</topic>
+ <affects>
+ <package>
+ <name>xmltooling</name>
+ <range><lt>1.6.3</lt></range>
+ </package>
+ <package>
+ <name>xerces-c3</name>
+ <range><lt>3.1.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Shibboleth consortium reports:</p>
+ <blockquote cite="https://shibboleth.net/community/advisories/secadv_20180112.txt">
+ <p>
+ Shibboleth SP software vulnerable to forged user attribute data
+ </p>
+ <p>
+ The Service Provider software relies on a generic XML parser to
+ process SAML responses and there are limitations in older versions
+ of the parser that make it impossible to fully disable Document Type
+ Definition (DTD) processing.
+ </p>
+ <p>
+ Through addition/manipulation of a DTD, it's possible to make
+ changes to an XML document that do not break a digital signature but
+ are mishandled by the SP and its libraries. These manipulations can
+ alter the user data passed through to applications behind the SP and
+ result in impersonation attacks and exposure of protected
+ information.
+ </p>
+ <p>
+ While newer versions of the xerces-c3 parser are configured by the
+ SP into disallowing the use of a DTD via an environment variable,
+ this feature is not present in the xerces-c3 parser before version
+ 3.1.4, so an additional fix is being provided now that an actual DTD
+ exploit has been identified. Xerces-c3-3.1.4 was committed to the
+ ports tree already on 2016-07-26.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://shibboleth.net/community/advisories/secadv_20180112.txt</url>
+ <cvename>CVE-2018-0486</cvename>
+ </references>
+ <dates>
+ <discovery>2018-01-12</discovery>
+ <entry>2018-01-12</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9c016563-f582-11e7-b33c-6451062f0f7a">
+ <topic>Flash Player -- information disclosure</topic>
+ <affects>
+ <package>
+ <name>linux-flashplayer</name>
+ <range><lt>28.0.0.137</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adobe reports:</p>
+ <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb18-01.html">
+ <ul>
+ <li>This update resolves an out-of-bounds read vulnerability that
+ could lead to information disclosure (CVE-2018-4871).</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-4871</cvename>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsb18-01.html</url>
+ </references>
+ <dates>
+ <discovery>2018-01-09</discovery>
+ <entry>2018-01-09</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="4055aee5-f4c6-11e7-95f2-005056925db4">
+ <topic>awstats -- remote code execution</topic>
+ <affects>
+ <package>
+ <name>awstats</name>
+ <range><lt>7.7,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mitre reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000501">
+ <p>Awstats version 7.6 and earlier is vulnerable to a path traversal
+ flaw in the handling of the "config" and "migrate" parameters resulting
+ in unauthenticated remote code execution.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000501</url>
+ <cvename>CVE-2017-1000501</cvename>
+ <freebsdpr>ports/225007</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2018-01-03</discovery>
+ <entry>2018-01-08</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a3764767-f31e-11e7-95f2-005056925db4">
+ <topic>irssi -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>irssi</name>
+ <range><lt>1.0.6,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Irssi reports:</p>
+ <blockquote cite="https://irssi.org/security/irssi_sa_2018_01.txt">
+ <p>When the channel topic is set without specifying a sender, Irssi
+ may dereference NULL pointer. Found by Joseph Bisch.</p>
+ <p>When using incomplete escape codes, Irssi may access data beyond
+ the end of the string. Found by Joseph Bisch.</p>
+ <p>A calculation error in the completion code could cause a heap
+ buffer overflow when completing certain strings.
+ Found by Joseph Bisch.</p>
+ <p>When using an incomplete variable argument, Irssi may access data
+ beyond the end of the string. Found by Joseph Bisch.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://irssi.org/security/irssi_sa_2018_01.txt</url>
+ <cvename>CVE-2018-5205</cvename>
+ <cvename>CVE-2018-5206</cvename>
+ <cvename>CVE-2018-5207</cvename>
+ <cvename>CVE-2018-5208</cvename>
+ <freebsdpr>ports/224954</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2018-01-03</discovery>
+ <entry>2018-01-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="8429711b-76ca-474e-94a0-6b980f1e2d47">
+ <topic>mozilla -- Speculative execution side-channel attack</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>57.0.4,1</lt></range>
+ </package>
+ <package>
+ <name>waterfox</name>
+ <range><lt>56.0.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mozilla Foundation reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/">
+ <p><strong>Jann Horn</strong> of Google Project Zero
+ Security reported that speculative execution performed
+ by modern CPUs could leak information through a timing
+ side-channel attack. Microsoft Vulnerability Research
+ extended this attack to browser JavaScript engines and
+ demonstrated that code on a malicious web page could
+ read data from other web sites (violating the
+ same-origin policy) or private data from the browser
+ itself.</p>
+ <p>Since this new class of attacks involves measuring
+ precise time intervals, as a parti al, short-term,
+ mitigation we are disabling or reducing the precision of
+ several time sources in Firefox. The precision of
+ <code>performance.now()</code> has been reduced from 5μs
+ to 20μs, and the <code>SharedArrayBuffer</code> feature
+ has been disabled because it can be used to construct a
+ high-resolution timer.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.mozilla.org/security/advisories/mfsa2018-01/</url>
+ </references>
+ <dates>
+ <discovery>2018-01-04</discovery>
+ <entry>2018-01-05</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="cebd05d6-ed7b-11e7-95f2-005056925db4">
+ <topic>OTRS -- Multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>otrs</name>
+ <range><lt>5.0.26</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>OTRS reports:</p>
+ <blockquote cite="https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/">
+ <p>An attacker who is logged into OTRS as an agent can request special URLs
+ from OTRS which can lead to the execution of shell commands with the
+ permissions of the web server user.</p>
+ </blockquote>
+ <blockquote cite="https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/">
+ <p>An attacker who is logged into OTRS as a customer can use the ticket search
+ form to disclose internal article information of their customer tickets.</p>
+ </blockquote>
+ <blockquote cite="https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/">
+ <p>An attacker who is logged into OTRS as an agent can manipulate form
+ parameters and execute arbitrary shell commands with the permissions of the
+ OTRS or web server user.</p>
+ </blockquote>
+ <blockquote cite="https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/">
+ <p>An attacker can send a specially prepared email to an OTRS system. If this
+ system has cookie support disabled, and a logged in agent clicks a link in this
+ email, the session information could be leaked to external systems, allowing the
+ attacker to take over the agent’s session.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-16664</cvename>
+ <cvename>CVE-2017-16854</cvename>
+ <cvename>CVE-2017-16921</cvename>
+ <freebsdpr>ports/224729</freebsdpr>
+ <url>https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/</url>
+ <url>https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/</url>
+ <url>https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/</url>
+ <url>https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/</url>
+ </references>
+ <dates>
+ <discovery>2017-11-21</discovery>
+ <entry>2017-12-30</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6a131fbf-ec76-11e7-aa65-001b216d295b">
+ <topic>The Bouncy Castle Crypto APIs: CVE-2017-13098 ("ROBOT")</topic>
+ <affects>
+ <package>
+ <name>bouncycastle15</name>
+ <range><lt>1.59</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Legion of the Bouncy Castle reports:</p>
+ <blockquote cite="https://www.bouncycastle.org/releasenotes.html">
+ <p>Release: 1.59</p>
+ <p>CVE-2017-13098 ("ROBOT"), a Bleichenbacher oracle in TLS
+ when RSA key exchange is negotiated. This potentially affected
+ BCJSSE servers and any other TLS servers configured to use JCE
+ for the underlying crypto - note the two TLS implementations
+ using the BC lightweight APIs are not affected by this.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-13098</cvename>
+ <url>https://www.bouncycastle.org/releasenotes.html</url>
+ </references>
+ <dates>
+ <discovery>2017-12-12</discovery>
+ <entry>2017-12-29</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6a09c80e-6ec7-442a-bc65-d72ce69fd887">
+ <topic>mozilla -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>thunderbird</name>
+ <name>linux-thunderbird</name>
+ <range><lt>52.5.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mozilla Foundation reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/">
+ <p>CVE-2017-7845: Buffer overflow when drawing and validating elements with ANGLE library using Direct 3D 9</p>
+ <p>CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin</p>
+ <p>CVE-2017-7847: Local path string can be leaked from RSS feed</p>
+ <p>CVE-2017-7848: RSS Feed vulnerable to new line Injection</p>
+ <p>CVE-2017-7829: Mailsploit part 1: From address with encoded null character is cut off in message header display</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-7829</cvename>
+ <cvename>CVE-2017-7845</cvename>
+ <cvename>CVE-2017-7846</cvename>
+ <cvename>CVE-2017-7847</cvename>
+ <cvename>CVE-2017-7848</cvename>
+ <url>https://www.mozilla.org/security/advisories/mfsa2017-30/</url>
+ </references>
+ <dates>
+ <discovery>2017-12-22</discovery>
+ <entry>2017-12-25</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="63eb2b11-e802-11e7-a58c-6805ca0b3d42">
+ <topic>phpMyAdmin -- XSRF/CSRF vulnerability</topic>
+ <affects>
+ <package>
+ <name>phpMyAdmin</name>
+ <range><ge>4.7.0</ge><lt>4.7.7</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The phpMyAdmin team reports:</p>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-9/">
+ <h3>Description</h3>
+ <p>By deceiving a user to click on a crafted URL, it is
+ possible to perform harmful database operations such as
+ deleting records, dropping/truncating tables etc.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be critical.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.phpmyadmin.net/security/PMASA-2017-9/</url>
+ </references>
+ <dates>
+ <discovery>2017-12-23</discovery>
+ <entry>2017-12-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="2a3bc6ac-e7c6-11e7-a90b-001999f8d30b">
+ <topic>asterisk -- Crash in PJSIP resource when missing a contact header</topic>
+ <affects>
+ <package>
+ <name>asterisk13</name>
+ <range><lt>13.18.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="https://www.asterisk.org/downloads/security-advisories">
+ <p>A select set of SIP messages create a dialog in Asterisk.
+ Those SIP messages must contain a contact header. For
+ those messages, if the header was not present and using
+ the PJSIP channel driver, it would cause Asterisk to
+ crash. The severity of this vulnerability is somewhat
+ mitigated if authentication is enabled. If authentication
+ is enabled a user would have to first be authorized before
+ reaching the crash point.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.asterisk.org/pub/security/AST-2017-014.html</url>
+ <cvename>CVE-2017-17850</cvename>
+ </references>
+ <dates>
+ <discovery>2017-12-12</discovery>
+ <entry>2017-12-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b7d89082-e7c0-11e7-ac58-b499baebfeaf">
+ <topic>MariaDB -- unspecified vulnerability</topic>
+ <affects>
+ <package>
+ <name>mariadb101-client</name>
+ <range><lt>10.1.30</lt></range>
+ </package>
+ <package>
+ <name>mariadb102-client</name>
+ <range><lt>10.2.10</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The MariaDB project reports:</p>
+ <blockquote cite="https://mariadb.com/kb/en/library/mariadb-10130-release-notes/">
+ <p>Fixes for the following security vulnerabilities:
+ CVE-2017-15365</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://mariadb.com/kb/en/library/mariadb-10130-release-notes/</url>
+ <cvename>CVE-2017-15365</cvename>
+ </references>
+ <dates>
+ <discovery>2017-12-23</discovery>
+ <entry>2017-12-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="72fff788-e561-11e7-8097-0800271d4b9c">
+ <topic>rsync -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>rsync</name>
+ <range><ge>3.1.2</ge><le>3.1.2_7</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jeriko One reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16548">
+ <p>The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon.</p>
+ </blockquote>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17433">
+ <p>The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.</p>
+ </blockquote>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17434">
+ <p>The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.debian.org/security/2017/dsa-4068</url>
+ <cvename>CVE-2017-16548</cvename>
+ <cvename>CVE-2017-17433</cvename>
+ <cvename>CVE-2017-17434</cvename>
+ <freebsdpr>ports/224477</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2017-12-17</discovery>
+ <entry>2017-12-20</entry>
+ <modified>2017-12-31</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="dd644964-e10e-11e7-8097-0800271d4b9c">
+ <topic>ruby -- Command injection vulnerability in Net::FTP</topic>
+ <affects>
+ <package>
+ <name>ruby</name>
+ <range><ge>2.2.0,1</ge><lt>2.2.9,1</lt></range>
+ <range><ge>2.3.0,1</ge><lt>2.3.6,1</lt></range>
+ <range><ge>2.4.0,1</ge><lt>2.4.3,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Etienne Stalmans from the Heroku product security team reports:</p>
+ <blockquote cite="https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/">
+ <p>There is a command injection vulnerability in Net::FTP bundled with Ruby.</p>
+ <p><code>Net::FTP#get</code>, <code>getbinaryfile</code>, <code>gettextfile</code>, <code>put</code>, <code>putbinaryfile</code>, and <code>puttextfile</code> use <code>Kernel#open</code> to open a local file. If the <code>localfile</code> argument starts with the pipe character <code>"|"</code>, the command following the pipe character is executed. The default value of <code>localfile</code> is <code>File.basename(remotefile)</code>, so malicious FTP servers could cause arbitrary command execution.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/</url>
+ <cvename>CVE-2017-17405</cvename>
+ </references>
+ <dates>
+ <discovery>2017-12-14</discovery>
+ <entry>2017-12-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="8cf25a29-e063-11e7-9b2c-001e672571bc">
+ <topic>rubygem-passenger -- arbitrary file read vulnerability</topic>
+ <affects>
+ <package>
+ <name>rubygem-passenger</name>
+ <range><ge>5.0.10</ge><lt>5.1.11</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Phusion reports:</p>
+ <blockquote cite="https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/">
+ <p>The cPanel Security Team discovered a vulnerability in Passenger
+ that allows users to list the contents of arbitrary files on the
+ system. CVE-2017-16355 has been assigned to this issue.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/</url>
+ <cvename>CVE-2017-16355</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-13</discovery>
+ <entry>2017-12-18</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="08a125f3-e35a-11e7-a293-54e1ad3d6335">
+ <topic>libXfont -- permission bypass when opening files through symlinks</topic>
+ <affects>
+ <package>
+ <name>libXfont</name>
+ <range><lt>1.5.4</lt></range>
+ </package>
+ <package>
+ <name>libXfont2</name>
+ <range><lt>2.0.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>the freedesktop.org project reports:</p>
+ <blockquote cite="https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=7b377456f95d2ec3ead40f4fb74ea620191f88c8">
+ <p>A non-privileged X client can instruct X server running under root
+ to open any file by creating own directory with "fonts.dir",
+ "fonts.alias" or any font file being a symbolic link to any other
+ file in the system. X server will then open it. This can be issue
+ with special files such as /dev/watchdog.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=7b377456f95d2ec3ead40f4fb74ea620191f88c8</url>
+ <cvename>CVE-2017-16611</cvename>
+ </references>
+ <dates>
+ <discovery>2017-11-25</discovery>
+ <entry>2017-12-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3b9590a1-e358-11e7-a293-54e1ad3d6335">
+ <topic>libXfont -- multiple memory leaks</topic>
+ <affects>
+ <package>
+ <name>libXfont</name>
+ <range><lt>1.5.3</lt></range>
+ </package>
+ <package>
+ <name>libXfont2</name>
+ <range><lt>2.0.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The freedesktop.org project reports:</p>
+ <blockquote cite="https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608">
+ <p>If a pattern contains '?' character, any character in the string
+ is skipped, even if it is '\0'. The rest of the matching then reads
+ invalid memory.</p>
+ </blockquote>
+ <blockquote cite="https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=672bb944311392e2415b39c0d63b1e1902906bcd">
+ <p>Without the checks a malformed PCF file can cause the library to
+ make atom from random heap memory that was behind the `strings`
+ buffer. This may crash the process or leak information.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608</url>
+ <url>https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=672bb944311392e2415b39c0d63b1e1902905bcd</url>
+ <cvename>CVE-2017-13720</cvename>
+ <cvename>CVE-2017-13722</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-04</discovery>
+ <entry>2017-12-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ddecde18-e33b-11e7-a293-54e1ad3d6335">
+ <topic>libXcursor -- integer overflow that can lead to heap buffer overflow</topic>
+ <affects>
+ <package>
+ <name>libXcursor</name>
+ <range><lt>1.1.15</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The freedesktop.org project reports:</p>
+ <blockquote cite="http://seclists.org/oss-sec/2017/q4/339">
+ <p>It is possible to trigger heap overflows due to an integer
+ overflow while parsing images and a signedness issue while
+ parsing comments.</p>
+ <p>The integer overflow occurs because the chosen limit 0x10000
+ for dimensions is too large for 32 bit systems, because each pixel
+ takes 4 bytes. Properly chosen values allow an overflow which in
+ turn will lead to less allocated memory than needed for subsequent
+ reads.</p>
+ <p>The signedness bug is triggered by reading the length of a comment
+ as unsigned int, but casting it to int when calling the function
+ XcursorCommentCreate. Turning length into a negative value allows
+ the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
+ addition of sizeof (XcursorComment) + 1 makes it possible to
+ allocate less memory than needed for subsequent reads.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://seclists.org/oss-sec/2017/q4/339</url>
+ <url>https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8</url>
+ <cvename>CVE-2017-16612</cvename>
+ </references>
+ <dates>
+ <discovery>2017-11-28</discovery>
+ <entry>2017-12-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="48cca164-e269-11e7-be51-6599c735afc8">
+ <topic>global -- gozilla vulnerability</topic>
+ <affects>
+ <package>
+ <name>global</name>
+ <range><ge>4.8.6</ge><lt>6.6.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MITRE reports:</p>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17531">
+ <p>gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching
+ the program specified by the BROWSER environment variable, which might
+ allow remote attackers to conduct argument-injection attacks via a crafted
+ URL.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17531</url>
+ <url>http://lists.gnu.org/archive/html/info-global/2017-12/msg00001.html</url>
+ <cvename>CVE-2017-17531</cvename>
+ </references>
+ <dates>
+ <discovery>2017-12-11</discovery>
+ <entry>2017-12-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7136e6b7-e1b3-11e7-a4d3-000c292ee6b8">
+ <topic>jenkins -- Two startup race conditions</topic>
+ <affects>
+ <package>
+ <name>jenkins</name>
+ <range><lt>2.95</lt></range>
+ </package>
+ <package>
+ <name>jenkins-lts</name>
+ <range><lt>2.89.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Jenkins project reports:</p>
+ <blockquote cite="https://jenkins.io/security/advisory/2017-12-14/">
+ <p>A race condition during Jenkins startup could result in the wrong
+ order of execution of commands during initialization.</p>
+ <p>On Jenkins 2.81 and newer, including LTS 2.89.1, this could in
+ rare cases (we estimate less than 20% of new instances) result in
+ failure to initialize the setup wizard on the first startup.</p>
+ <p>There is a very short window of time after startup during which
+ Jenkins may no longer show the "Please wait while Jenkins is
+ getting ready to work" message, but Cross-Site Request Forgery
+ (CSRF) protection may not yet be effective.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://jenkins.io/security/advisory/2017-12-14/</url>
+ </references>
+ <dates>
+ <discovery>2017-12-14</discovery>
+ <entry>2017-12-15</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="bea84a7a-e0c9-11e7-b4f3-11baa0c2df21">
+ <topic>node.js -- Data Confidentiality/Integrity Vulnerability, December 2017</topic>
+ <affects>
+ <package>
+ <name>node4</name>
+ <range><lt>4.8.7</lt></range>
+ </package>
+ <package>
+ <name>node6</name>
+ <range><lt>6.12.2</lt></range>
+ </package>
+ <package>
+ <name>node8</name>
+ <range><lt>8.9.3</lt></range>
+ </package>
+ <package>
+ <name>node</name>
+ <range><lt>9.2.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Node.js reports:</p>
+ <blockquote cite="https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/">
+ <h1>Data Confidentiality/Integrity Vulnerability - CVE-2017-15896</h1>
+ <p>Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.</p>
+ <h1>Uninitialized buffer vulnerability - CVE-2017-15897</h1>
+ <p>Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.</p>
+ <h1>Also included in OpenSSL update - CVE 2017-3738</h1>
+ <p>Note that CVE 2017-3738 of OpenSSL-1.0.2 affected Node but it was low severity.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/</url>
+ <cvename>CVE-2017-15896</cvename>
+ <cvename>CVE-2017-15897</cvename>
+ <cvename>CVE-2017-3738</cvename>
+ </references>
+ <dates>
+ <discovery>2017-12-08</discovery>
+ <entry>2017-12-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e72a8864-e0bc-11e7-b627-d43d7e971a1b">
+ <topic>GitLab -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>gitlab</name>
+ <range><ge>4.2.0</ge><le>10.0.6</le></range>
+ <range><ge>10.1.0</ge><le>10.1.4</le></range>
+ <range><ge>10.2.0</ge><le>10.2.3</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>GitLab reports:</p>
+ <blockquote cite="https://about.gitlab.com/2017/12/08/gitlab-10-dot-2-dot-4-security-release/">
+ <h1>User without access to private Wiki can see it on the project page</h1>
+ <p>Matthias Burtscher reported that it was possible for a user to see a
+ private Wiki on the project page without having the corresponding
+ permission.</p>
+ <h1>E-mail address disclosure through member search fields</h1>
+ <p>Hugo Geoffroy reported via HackerOne that it was possible to find out the
+ full e-mail address of any user by brute-forcing the member search
+ field.</p>
+ <h1>Groups API leaks private projects</h1>
+ <p>An internal code review discovered that users were able to list private
+ projects they had no access to by using the Groups API.</p>
+ <h1>Cross-Site Scripting (XSS) possible by editing a comment</h1>
+ <p>Sylvain Heiniger reported via HackerOne that it was possible for
+ arbitrary JavaScript code to be executed when editing a comment.</p>
+ <h1>Issue API allows any user to create a new issue even when issues are
+ restricted or disabled</h1>
+ <p>Mohammad Hasbini reported that any user could create a new issues in a
+ project even when issues were disabled or restricted to team members in the
+ project settings.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://about.gitlab.com/2017/12/08/gitlab-10-dot-2-dot-4-security-release/</url>
+ </references>
+ <dates>
+ <discovery>2017-12-08</discovery>
+ <entry>2017-12-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="36ef8753-d86f-11e7-ad28-0025908740c2">
+ <topic>tor -- Use-after-free in onion service v2</topic>
+ <affects>
+ <package>
+ <name>tor</name>
+ <range><lt>0.3.1.9</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Torproject.org reports:</p>
+ <blockquote cite="https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516">
+ <ul>
+ <li>TROVE-2017-009: Replay-cache ineffective for v2 onion services</li>
+ <li>TROVE-2017-010: Remote DoS attack against directory authorities</li>
+ <li>TROVE-2017-011: An attacker can make Tor ask for a password</li>
+ <li>TROVE-2017-012: Relays can pick themselves in a circuit path</li>
+ <li>TROVE-2017-013: Use-after-free in onion service v2</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516</url>
+ <cvename>CVE-2017-8819</cvename>
+ </references>
+ <dates>
+ <discovery>2017-12-01</discovery>
+ <entry>2017-12-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="4a67450a-e044-11e7-accc-001999f8d30b">
+ <topic>asterisk -- Remote Crash Vulnerability in RTCP Stack</topic>
+ <affects>
+ <package>
+ <name>asterisk13</name>
+ <range><lt>13.18.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="https://www.asterisk.org/downloads/security-advisories">
+ <p>If a compound RTCP packet is received containing more
+ than one report (for example a Receiver Report and a
+ Sender Report) the RTCP stack will incorrectly store
+ report information outside of allocated memory potentially
+ causing a crash.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.asterisk.org/pub/security/AST-2017-012.html</url>
+ </references>
+ <dates>
+ <discovery>2017-12-12</discovery>
+ <entry>2017-12-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="76e59f55-4f7a-4887-bcb0-11604004163a">
+ <topic>libxml2 -- Multiple Issues</topic>
+ <affects>
+ <package>
+ <name>libxml2</name>
+ <range><le>2.9.4</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>libxml2 developers report:</p>
+ <p>The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.</p>
+ <p>A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.</p>
+ <p>libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.</p>
+ <p>libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.</p>
+ <p>libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.</p>
+ </body>
+ </description>
+ <references>
+ <url>https://bugzilla.gnome.org/show_bug.cgi?id=775200</url>
+ <url>http://www.openwall.com/lists/oss-security/2017/05/15/1</url>
+ <url>http://www.securityfocus.com/bid/98599</url>
+ <url>http://www.openwall.com/lists/oss-security/2017/05/15/1</url>
+ <url>http://www.securityfocus.com/bid/98556</url>
+ <url>http://www.openwall.com/lists/oss-security/2017/05/15/1</url>
+ <url>http://www.securityfocus.com/bid/98601</url>
+ <url>http://www.openwall.com/lists/oss-security/2017/05/15/1</url>
+ <url>http://www.securityfocus.com/bid/98568</url>
+ <cvename>CVE-2017-8872</cvename>
+ <cvename>CVE-2017-9047</cvename>
+ <cvename>CVE-2017-9048</cvename>
+ <cvename>CVE-2017-9049</cvename>
+ <cvename>CVE-2017-9050</cvename>
+ </references>
+ <dates>
+ <discovery>2017-05-10</discovery>
+ <entry>2017-12-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9f7a0f39-ddc0-11e7-b5af-a4badb2f4699">
+ <topic>FreeBSD -- OpenSSL multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>11.1</ge><lt>11.1_6</lt></range>
+ <range><ge>10.4</ge><lt>10.4_5</lt></range>
+ <range><ge>10.3</ge><lt>10.3_26</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>Invoking SSL_read()/SSL_write() while in an error state
+ causes data to be passed without being decrypted/encrypted
+ directly from the SSL/TLS record layer.</p>
+ <p>In order to exploit this issue an application bug would
+ have to be present that resulted in a call to
+ SSL_read()/SSL_write() being issued after having already
+ received a fatal error. [CVE-2017-3737]</p>
+ <p>There is an overflow bug in the x86_64 Montgomery
+ multiplication procedure used in exponentiation with 1024-bit
+ moduli. This only affects processors that support the AVX2
+ but not ADX extensions like Intel Haswell (4th generation).
+ [CVE-2017-3738] This bug only affects FreeBSD 11.x.</p>
+ <h1>Impact:</h1>
+ <p>Applications with incorrect error handling may inappropriately
+ pass unencrypted data. [CVE-2017-3737]</p>
+ <p>Mishandling of carry propagation will produce incorrect
+ output, and make it easier for a remote attacker to obtain
+ sensitive private-key information. No EC algorithms are
+ affected and analysis suggests that attacks against RSA and
+ DSA as a result of this defect would be very difficult to
+ perform and are not believed likely.</p>
+ <p>Attacks against DH1024 are considered just feasible
+ (although very difficult) because most of the work necessary
+ to deduce information about a private key may be performed
+ offline. The amount of resources required for such an attack
+ would be very significant and likely only accessible to a
+ limited number of attackers. However, for an attack on TLS
+ to be meaningful, the server would have to share the DH1024
+ private key among multiple clients, which is no longer an
+ option since CVE-2016-0701. [CVE-2017-3738]</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-0701</cvename>
+ <cvename>CVE-2017-3737</cvename>
+ <cvename>CVE-2017-3738</cvename>
+ <freebsdsa>SA-17:12.openssl</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2017-12-09</discovery>
+ <entry>2017-12-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="4b228e69-22e1-4019-afd0-8aa716d0ec0b">
+ <topic>wireshark -- multiple security issues</topic>
+ <affects>
+ <package>
+ <name>wireshark</name>
+ <range><ge>2.2.0</ge><le>2.2.10</le></range>
+ <range><ge>2.4.0</ge><le>2.4.2</le></range>
+ </package>
+ <package>
+ <name>wireshark-lite</name>
+ <range><ge>2.2.0</ge><le>2.2.10</le></range>
+ <range><ge>2.4.0</ge><le>2.4.2</le></range>
+ </package>
+ <package>
+ <name>wireshark-qt5</name>
+ <range><ge>2.2.0</ge><le>2.2.10</le></range>
+ <range><ge>2.4.0</ge><le>2.4.2</le></range>
+ </package>
+ <package>
+ <name>tshark</name>
+ <range><ge>2.2.0</ge><le>2.2.10</le></range>
+ <range><ge>2.4.0</ge><le>2.4.2</le></range>
+ </package>
+ <package>
+ <name>tshark-lite</name>
+ <range><ge>2.2.0</ge><le>2.2.10</le></range>
+ <range><ge>2.4.0</ge><le>2.4.2</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>wireshark developers reports:</p>
+ <blockquote cite="https://www.wireshark.org/security/">
+ <p>wnpa-sec-2017-47: The IWARP_MPA dissector could crash. (CVE-2017-17084)</p>
+ <p>wnpa-sec-2017-48: The NetBIOS dissector could crash. Discovered by Kamil Frankowicz. (CVE-2017-17083)</p>
+ <p>wnpa-sec-2017-49: The CIP Safety dissector could crash. (CVE-2017-17085)</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.wireshark.org/security/</url>
+ <url>https://www.wireshark.org/security/wnpa-sec-2017-47.html</url>
+ <url>https://www.wireshark.org/security/wnpa-sec-2017-48.html</url>
+ <url>https://www.wireshark.org/security/wnpa-sec-2017-49.html</url>
+ <cvename>CVE-2017-17083</cvename>
+ <cvename>CVE-2017-17084</cvename>
+ <cvename>CVE-2017-17085</cvename>
+ </references>
+ <dates>
+ <discovery>2017-11-30</discovery>
+ <entry>2017-12-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3bb451fc-db64-11e7-ac58-b499baebfeaf">
+ <topic>OpenSSL -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>openssl</name>
+ <range><gt>1.0.2</gt><lt>1.0.2n</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The OpenSSL project reports:</p>
+ <blockquote cite="https://www.openssl.org/news/secadv/20171207.txt">
+ <ul><li>Read/write after SSL object in error state (CVE-2017-3737)<br/>
+ OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error
+ state" mechanism. The intent was that if a fatal error occurred
+ during a handshake then OpenSSL would move into the error state and
+ would immediately fail if you attempted to continue the handshake.
+ This works as designed for the explicit handshake functions
+ (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to
+ a bug it does not work correctly if SSL_read() or SSL_write() is
+ called directly. In that scenario, if the handshake fails then a
+ fatal error will be returned in the initial function call. If
+ SSL_read()/SSL_write() is subsequently called by the application for
+ the same SSL object then it will succeed and the data is passed
+ without being decrypted/encrypted directly from the SSL/TLS record
+ layer.</li>
+ <li>rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)<br/>
+ There is an overflow bug in the AVX2 Montgomery multiplication
+ procedure used in exponentiation with 1024-bit moduli. No EC
+ algorithms are affected. Analysis suggests that attacks against
+ RSA and DSA as a result of this defect would be very difficult to
+ perform and are not believed likely. Attacks against DH1024 are
+ considered just feasible, because most of the work necessary to
+ deduce information about a private key may be performed offline.
+ The amount of resources required for such an attack would be
+ significant. However, for an attack on TLS to be meaningful, the
+ server would have to share the DH1024 private key among multiple
+ clients, which is no longer an option since CVE-2016-0701.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.openssl.org/news/secadv/20171207.txt</url>
+ <cvename>CVE-2017-3737</cvename>
+ <cvename>CVE-2017-3738</cvename>
+ </references>
+ <dates>
+ <discovery>2017-12-07</discovery>
+ <entry>2017-12-07</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9442a811-dab3-11e7-b5af-a4badb2f4699">
+ <topic>FreeBSD -- OpenSSL multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>11.1</ge><lt>11.1_5</lt></range>
+ <range><ge>11.0</ge><lt>11.0_16</lt></range>
+ <range><ge>10.4</ge><lt>10.4_4</lt></range>
+ <range><ge>10.3</ge><lt>10.3_25</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>If an X.509 certificate has a malformed IPAddressFamily
+ extension, OpenSSL could do a one-byte buffer overread.
+ [CVE-2017-3735]</p>
+ <p>There is a carry propagating bug in the x86_64 Montgomery
+ squaring procedure. This only affects processors that support
+ the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th
+ generation) and later or AMD Ryzen. [CVE-2017-3736] This
+ bug only affects FreeBSD 11.x.</p>
+ <h1>Impact:</h1>
+ <p>Application using OpenSSL may display erroneous certificate
+ in text format. [CVE-2017-3735]</p>
+ <p>Mishandling of carry propagation will produce incorrect
+ output, and make it easier for a remote attacker to obtain
+ sensitive private-key information. No EC algorithms are
+ affected, analysis suggests that attacks against RSA and
+ DSA as a result of this defect would be very difficult to
+ perform and are not believed likely.</p>
+ <p>Attacks against DH are considered just feasible (although
+ very difficult) because most of the work necessary to deduce
+ information about a private key may be performed offline.
+ The amount of resources required for such an attack would
+ be very significant and likely only accessible to a limited
+ number of attackers. An attacker would additionally need
+ online access to an unpatched system using the target private
+ key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients. [CVE-2017-3736]</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-3735</cvename>
+ <cvename>CVE-2017-3736</cvename>
+ <freebsdsa>SA-17:11.openssl</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2017-11-29</discovery>
+ <entry>2017-12-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="759059ac-dab3-11e7-b5af-a4badb2f4699">
+ <topic>FreeBSD -- Information leak in kldstat(2)</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>11.1</ge><lt>11.1_4</lt></range>
+ <range><ge>11.0</ge><lt>11.0_15</lt></range>
+ <range><ge>10.4</ge><lt>10.4_3</lt></range>
+ <range><ge>10.3</ge><lt>10.3_24</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>The kernel does not properly clear the memory of the
+ kld_file_stat structure before filling the data. Since the
+ structure filled by the kernel is allocated on the kernel
+ stack and copied to userspace, a leak of information from
+ the kernel stack is possible.</p>
+ <h1>Impact:</h1>
+ <p>Some bytes from the kernel stack can be observed in
+ userspace.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-1088</cvename>
+ <freebsdsa>SA-17:10.kldstat</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2017-11-15</discovery>
+ <entry>2017-12-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5b1463dd-dab3-11e7-b5af-a4badb2f4699">
+ <topic>FreeBSD -- POSIX shm allows jails to access global namespace</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>10.4</ge><lt>10.4_3</lt></range>
+ <range><ge>10.3</ge><lt>10.3_24</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>Named paths are globally scoped, meaning a process located
+ in one jail can read and modify the content of POSIX shared
+ memory objects created by a process in another jail or the
+ host system.</p>
+ <h1>Impact:</h1>
+ <p>A malicious user that has access to a jailed system is
+ able to abuse shared memory by injecting malicious content
+ in the shared memory region. This memory region might be
+ executed by applications trusting the shared memory, like
+ Squid.</p>
+ <p>This issue could lead to a Denial of Service or local
+ privilege escalation.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-1087</cvename>
+ <freebsdsa>SA-17:09.shm</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2017-11-15</discovery>
+ <entry>2017-12-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="34a3f9b5-dab3-11e7-b5af-a4badb2f4699">
+ <topic>FreeBSD -- Kernel data leak via ptrace(PT_LWPINFO)</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>11.1</ge><lt>11.1_4</lt></range>
+ <range><ge>11.0</ge><lt>11.0_15</lt></range>
+ <range><ge>10.4</ge><lt>10.4_3</lt></range>
+ <range><ge>10.3</ge><lt>10.3_24</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>Not all information in the struct ptrace_lwpinfo is
+ relevant for the state of any thread, and the kernel does
+ not fill the irrelevant bytes or short strings. Since the
+ structure filled by the kernel is allocated on the kernel
+ stack and copied to userspace, a leak of information of the
+ kernel stack of the thread is possible from the debugger.</p>
+ <h1>Impact:</h1>
+ <p>Some bytes from the kernel stack of the thread using
+ ptrace(PT_LWPINFO) call can be observed in userspace.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-1086</cvename>
+ <freebsdsa>SA-17:08.ptrace</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2017-11-15</discovery>
+ <entry>2017-12-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="1f8de723-dab3-11e7-b5af-a4badb2f4699">
+ <topic>FreeBSD -- WPA2 protocol vulnerability</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>11.1</ge><lt>11.1_2</lt></range>
+ <range><ge>11.0</ge><lt>11.0_13</lt></range>
+ <range><ge>10.4</ge><lt>10.4_1</lt></range>
+ <range><ge>10.3</ge><lt>10.3_22</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>A vulnerability was found in how a number of implementations
+ can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK,
+ or IGTK) by replaying a specific frame that is used to
+ manage the keys.</p>
+ <h1>Impact:</h1>
+ <p>Such reinstallation of the encryption key can result in
+ two different types of vulnerabilities: disabling replay
+ protection and significantly reducing the security of
+ encryption to the point of allowing frames to be decrypted
+ or some parts of the keys to be determined by an attacker
+ depending on which cipher is used.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-1307</cvename>
+ <cvename>CVE-2017-1308</cvename>
+ <freebsdsa>SA-17:07.wpa</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2017-10-16</discovery>
+ <entry>2017-12-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b7e23050-2d5d-4e61-9b48-62e89db222ca">
+ <topic>mozilla -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><ge>57.0,1</ge><lt>57.0.1,1</lt></range>
+ <range><lt>56.0.2_11,1</lt></range>
+ </package>
+ <package>
+ <name>waterfox</name>
+ <range><lt>56.0.s20171130</lt></range>
+ </package>
+ <package>
+ <name>seamonkey</name>
+ <name>linux-seamonkey</name>
+ <range><lt>2.49.2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>52.5.1,1</lt></range>
+ </package>
+ <package>
+ <name>linux-firefox</name>
+ <range><lt>52.5.1,2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mozilla Foundation reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-27/">
+ <p>CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data</p>
+ <p>CVE-2017-7844: Visited history information leak through SVG image</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-7843</cvename>
+ <cvename>CVE-2017-7844</cvename>
+ <url>https://www.mozilla.org/security/advisories/mfsa2017-27/</url>
+ </references>
+ <dates>
+ <discovery>2017-11-29</discovery>
+ <entry>2017-12-05</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="17133e7e-d764-11e7-b5af-a4badb2f4699">
+ <topic>varnish -- information disclosure vulnerability</topic>
+ <affects>
+ <package>
+ <name>varnish4</name>
+ <range><lt>4.1.9</lt></range>
+ </package>
+ <package>
+ <name>varnish5</name>
+ <range><lt>5.2.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Varnish reports:</p>
+ <blockquote cite="https://varnish-cache.org/security/VSV00002.html">
+ <p>A wrong if statement in the varnishd source code means that
+ synthetic objects in stevedores which over-allocate, may leak up to page
+ size of data from a malloc(3) memory allocation.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://varnish-cache.org/security/VSV00002.html</url>
+ <cvename>CVE-2017-8807</cvename>
+ </references>
+ <dates>
+ <discovery>2017-11-15</discovery>
+ <entry>2017-12-02</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="addad6de-d752-11e7-99bf-00e04c1ea73d">
+ <topic>mybb -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mybb</name>
+ <range><lt>1.8.14</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>mybb Team reports:</p>
+ <blockquote cite="https://blog.mybb.com/2017/11/28/mybb-1-8-14-released-security-maintenance-release/">
+ <p>High risk: Language file headers RCE</p>
+ <p>Low risk: Language Pack Properties XSS</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://blog.mybb.com/2017/11/28/mybb-1-8-14-released-security-maintenance-release/</url>
+ </references>
+ <dates>
+ <discovery>2017-11-27</discovery>
+ <entry>2017-12-02</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a2589511-d6ba-11e7-88dd-00e04c1ea73d">
+ <topic>wordpress -- multiple issues</topic>
+ <affects>
+ <package>
+ <name>wordpress</name>
+ <name>fr-wordpress</name>
+ <range><lt>4.9.1,1</lt></range>
+ </package>
+ <package>
+ <name>de-wordpress</name>
+ <name>ja-wordpress</name>
+ <name>ru-wordpress</name>
+ <name>zh-wordpress-zh_CN</name>
+ <name>zh-wordpress-zh_TW</name>
+ <range><lt>4.9.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>wordpress developers reports:</p>
+ <blockquote cite="https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/">
+ <p>Use a properly generated hash for the newbloguser key instead of a determinate substring.</p>
+ <p>Add escaping to the language attributes used on html elements.</p>
+ <p>Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.</p>
+ <p>Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/</url>
+ </references>
+ <dates>
+ <discovery>2017-11-29</discovery>
+ <entry>2017-12-01</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e91cf90c-d6dd-11e7-9d10-001999f8d30b">
+ <topic>asterisk -- DOS Vulnerability in Asterisk chan_skinny</topic>
+ <affects>
+ <package>
+ <name>asterisk13</name>
+ <range><lt>13.18.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="https://www.asterisk.org/downloads/security-advisories">
+ <p>If the chan_skinny (AKA SCCP protocol) channel driver
+ is flooded with certain requests it can cause the asterisk
+ process to use excessive amounts of virtual memory
+ eventually causing asterisk to stop processing requests
+ of any kind.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.asterisk.org/pub/security/AST-2017-013.html</url>
+ <cvename>CVE-2017-17090</cvename>
+ </references>
+ <dates>
+ <discovery>2017-11-30</discovery>
+ <entry>2017-12-01</entry>
+ <modified>2017-12-13</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="75dd622c-d5fd-11e7-b9fe-c13eb7bcbf4f">
+ <topic>exim -- remote DoS attack in BDAT processing</topic>
+ <affects>
+ <package>
+ <name>exim</name>
+ <range><ge>4.88</ge><lt>4.89.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Exim developers team reports:</p>
+ <blockquote cite="https://bugs.exim.org/show_bug.cgi?id=2199">
+ <p>The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugs.exim.org/show_bug.cgi?id=2199</url>
+ <cvename>CVE-2017-16944</cvename>
+ </references>
+ <dates>
+ <discovery>2017-11-23</discovery>
+ <entry>2017-11-30</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a66f9be2-d519-11e7-9866-c85b763a2f96">
+ <topic>xrdp -- local user can cause a denial of service</topic>
+ <affects>
+ <package>
+ <name>xrdp-devel</name>
+ <range><le>0.9.3,1</le></range>
+ <range><gt>0.9.3_1,1</gt><le>0.9.4,1</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>xrdp reports:</p>
+ <blockquote cite="https://github.com/neutrinolabs/xrdp/pull/958">
+ <p>The scp_v0s_accept function in the session manager uses an untrusted integer as a write length,
+ which allows local users to cause a denial of service (buffer overflow and application crash)
+ or possibly have unspecified other impact via a crafted input stream.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-16927</cvename>
+ </references>
+ <dates>
+ <discovery>2017-11-23</discovery>
+ <entry>2017-11-29</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="301a01b7-d50e-11e7-ac58-b499baebfeaf">
+ <topic>cURL -- Multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>curl</name>
+ <range><ge>7.21.0</ge><lt>7.57.0</lt></range>
+ </package>
+ <package>
+ <name>linux-c7-curl</name>
+ <range><ge>7.21.0</ge><lt>7.29.0_4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The cURL project reports:</p>
+ <blockquote cite="https://curl.haxx.se/changes.html">
+ <ul><li>NTLM buffer overflow via integer overflow
+ (CVE-2017-8816)<br/>libcurl contains a buffer overrun flaw
+ in the NTLM authentication code.
+ The internal function Curl_ntlm_core_mk_ntlmv2_hash sums up
+ the lengths of the user name + password (= SUM) and multiplies
+ the sum by two (= SIZE) to figure out how large storage to
+ allocate from the heap.</li>
+ <li>FTP wildcard out of bounds read (CVE-2017-8817)<br/>
+ libcurl contains a read out of bounds flaw in the FTP wildcard
+ function.
+ libcurl's FTP wildcard matching feature, which is enabled with
+ the CURLOPT_WILDCARDMATCH option can use a built-in wildcard
+ function or a user provided one. The built-in wildcard function
+ has a flaw that makes it not detect the end of the pattern
+ string if it ends with an open bracket ([) but instead it will
+ continue reading the heap beyond the end of the URL buffer that
+ holds the wildcard.</li>
+ <li>SSL out of buffer access (CVE-2017-8818)<br/>
+ libcurl contains an out boundary access flaw in SSL related code.
+ When allocating memory for a connection (the internal struct
+ called connectdata), a certain amount of memory is allocated at
+ the end of the struct to be used for SSL related structs. Those
+ structs are used by the particular SSL library libcurl is built
+ to use. The application can also tell libcurl which specific SSL
+ library to use if it was built to support more than one.
+ </li></ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://curl.haxx.se/changes.html</url>
+ <cvename>CVE-2017-8816</cvename>
+ <cvename>CVE-2017-8817</cvename>
+ <cvename>CVE-2017-8818</cvename>
+ </references>
+ <dates>
+ <discovery>2017-11-29</discovery>
+ <entry>2017-11-29</entry>
+ <modified>2017-12-11</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="0d369972-d4ba-11e7-bfca-005056925db4">
+ <topic>borgbackup -- remote users can override repository restrictions</topic>
+ <affects>
+ <package>
+ <name>py34-borgbackup</name>
+ <name>py35-borgbackup</name>
+ <name>py36-borgbackup</name>
+ <range><ge>1.1.0</ge><lt>1.1.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>BorgBackup reports:</p>
+ <blockquote cite="https://github.com/borgbackup/borg/blob/1.1.3/docs/changes.rst#version-113-2017-11-27">
+ <p>Incorrect implementation of access controls allows remote users to
+ override repository restrictions in Borg servers. A user able to
+ access a remote Borg SSH server is able to circumvent access controls
+ post-authentication. Affected releases: 1.1.0, 1.1.1, 1.1.2. Releases
+ 1.0.x are NOT affected.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-15914</cvename>
+ <url>https://github.com/borgbackup/borg/blob/1.1.3/docs/changes.rst#version-113-2017-11-27</url>
+ </references>
+ <dates>
+ <discovery>2017-11-27</discovery>
+ <entry>2017-11-29</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6056bf68-f570-4e70-b740-b9f606971283">
+ <topic>palemoon -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>palemoon</name>
+ <range><lt>27.6.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Pale Moon reports:</p>
+ <blockquote cite="http://www.palemoon.org/releasenotes.shtml">
+ <p>CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers</p>
+ <p>CVE-2017-7835: Mixed content blocking incorrectly applies with redirects</p>
+ <p>CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-7832</cvename>
+ <cvename>CVE-2017-7835</cvename>
+ <cvename>CVE-2017-7840</cvename>
+ </references>
+ <dates>
+ <discovery>2017-11-14</discovery>
+ <entry>2017-11-28</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="68b29058-d348-11e7-b9fe-c13eb7bcbf4f">
+ <topic>exim -- remote code execution, deny of service in BDAT</topic>
+ <affects>
+ <package>
+ <name>exim</name>
+ <range><ge>4.88</ge><lt>4.89_2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Exim team reports:</p>
+ <blockquote cite="https://bugs.exim.org/show_bug.cgi?id=2199">
+ <p>The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugs.exim.org/show_bug.cgi?id=2199</url>
+ </references>
+ <dates>
+ <discovery>2017-11-23</discovery>
+ <entry>2017-11-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7761288c-d148-11e7-87e5-00e04c1ea73d">
+ <topic>mybb -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mybb</name>
+ <range><lt>1.8.13</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>myBB Team reports:</p>
+ <blockquote cite="https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/">
+ <p>High risk: Installer RCE on configuration file write</p>
+ <p>High risk: Language file headers RCE</p>
+ <p>Medium risk: Installer XSS</p>
+ <p>Medium risk: Mod CP Edit Profile XSS</p>
+ <p>Low risk: Insufficient moderator permission check in delayed moderation tools</p>
+ <p>Low risk: Announcements HTML filter bypass</p>
+ <p>Low risk: Language Pack Properties XSS.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/</url>
+ </references>
+ <dates>
+ <discovery>2017-11-07</discovery>
+ <entry>2017-11-24</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="50127e44-7b88-4ade-8e12-5d57320823f1">
+ <topic>salt -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>py27-salt</name>
+ <name>py32-salt</name>
+ <name>py33-salt</name>
+ <name>py34-salt</name>
+ <name>py35-salt</name>
+ <name>py36-salt</name>
+ <range><lt>2016.11.8</lt></range>
+ <range><ge>2017.7.0</ge><lt>2017.7.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>SaltStack reports:</p>
+ <blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2017.7.2.html">
+ <p>Directory traversal vulnerability in minion id validation in SaltStack.
+ Allows remote minions with incorrect credentials to authenticate to a
+ master via a crafted minion ID. Credit for discovering the security flaw
+ goes to: Julian Brost (julian at 0x4a42.net). NOTE: this vulnerability exists
+ because of an incomplete fix for CVE-2017-12791.</p>
+ <p>Remote Denial of Service with a specially crafted authentication request.
+ Credit for discovering the security flaw goes to: Julian Brost
+ (julian at 0x4a42.net)</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-14695</cvename>
+ <cvename>CVE-2017-14696</cvename>
+ <url>https://docs.saltstack.com/en/latest/topics/releases/2017.7.2.html</url>
+ <url>https://docs.saltstack.com/en/2016.11/topics/releases/2016.11.8.html</url>
+ <url>https://github.com/saltstack/salt/commit/80d90307b07b3703428ecbb7c8bb468e28a9ae6d</url>
+ <url>https://github.com/saltstack/salt/commit/5f8b5e1a0f23fe0f2be5b3c3e04199b57a53db5b</url>
+ </references>
+ <dates>
+ <discovery>2017-10-09</discovery>
+ <entry>2017-11-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ef3423e4-d056-11e7-a52c-002590263bf5">
+ <topic>codeigniter -- input validation bypass</topic>
+ <affects>
+ <package>
+ <name>codeigniter</name>
+ <range><lt>3.1.6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The CodeIgniter changelog reports:</p>
+ <blockquote cite="https://www.codeigniter.com/user_guide/changelog.html">
+ <p>Security: Fixed a potential object injection in Cache Library 'apc'
+ driver when save() is used with $raw = TRUE.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.codeigniter.com/user_guide/changelog.html</url>
+ </references>
+ <dates>
+ <discovery>2017-09-25</discovery>
+ <entry>2017-11-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="288f7cee-ced6-11e7-8ae9-0050569f0b83">
+ <topic>procmail -- Heap-based buffer overflow</topic>
+ <affects>
+ <package>
+ <name>procmail</name>
+ <range><lt>3.22_10</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MITRE reports:</p>
+ <blockquote cite="https://www.debian.org/security/2017/dsa-4041">
+ <p>A remote attacker could use a flaw to cause formail to crash,
+ resulting in a denial of service or data loss.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-16844</cvename>
+ <url>https://www.debian.org/security/2017/dsa-4041</url>
+ <url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511</url>
+ </references>
+ <dates>
+ <discovery>2017-11-16</discovery>
+ <entry>2017-11-21</entry>
+ <modified>2017-12-08</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="bf266183-cec7-11e7-af2d-2047478f2f70">
+ <topic>frr -- BGP Mishandled attribute length on Error</topic>
+ <affects>
+ <package>
+ <name>frr</name>
+ <range><lt>3.0.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>FRR reports:</p>
+ <blockquote cite="https://frrouting.org/community/security/cve-2017-15865.html">
+ <p>BGP Mishandled attribute length on Error</p>
+ <p>A vulnerability exists in the BGP daemon of FRR where a malformed BGP UPDATE
+ packet can leak information from the BGP daemon and cause a denial of
+ service by crashing the daemon.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-15865</cvename>
+ <url>https://frrouting.org/community/security/cve-2017-15865.html</url>
+ </references>
+ <dates>
+ <discovery>2017-11-08</discovery>
+ <entry>2017-11-21</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="db570002-ce06-11e7-804e-c85b763a2f96">
+ <topic>cacti -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>cacti</name>
+ <range><lt>1.1.28</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>cacti reports:</p>
+ <blockquote cite="https://www.cacti.net/release_notes.php?version=1.1.28">
+ <p>Changelog</p>
+ <p>issue#1057: CVE-2017-16641 - Potential vulnerability in RRDtool functions</p>
+ <p>issue#1066: CVE-2017-16660 in remote_agent.php logging function</p>
+ <p>issue#1066: CVE-2017-16661 in view log file</p>
+ <p>issue#1071: CVE-2017-16785 in global_session.php Reflection XSS</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-16641</cvename>
+ <cvename>CVE-2017-16660</cvename>
+ <cvename>CVE-2017-16661</cvename>
+ <cvename>CVE-2017-16785</cvename>
+ <url>https://sourceforge.net/p/cacti/mailman/message/36122745/</url>
+ </references>
+ <dates>
+ <discovery>2017-11-01</discovery>
+ <entry>2017-11-20</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="298829e2-ccce-11e7-92e4-000c29649f92">
+ <topic>mediawiki -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mediawiki127</name>
+ <range><lt>1.27.3</lt></range>
+ </package>
+ <package>
+ <name>mediawiki128</name>
+ <range><lt>1.28.2</lt></range>
+ </package>
+ <package>
+ <name>mediawiki129</name>
+ <range><lt>1.29.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>mediawiki reports:</p>
+ <blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html">
+ <p>security fixes:</p>
+ <p>T128209: Reflected File Download from api.php. Reported by Abdullah Hussam.</p>
+ <p>T165846: BotPasswords doesn't throttle login attempts.</p>
+ <p>T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password.</p>
+ <p>T178451: XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping.</p>
+ <p>T176247: It's possible to mangle HTML via raw message parameter expansion.</p>
+ <p>T125163: id attribute on headlines allow raw.</p>
+ <p>T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition.</p>
+ <p>T119158: Language converter: unsafe attribute injection via glossary rules.</p>
+ <p>T180488: api.log contains passwords in plaintext wasn't correctly fixed.</p>
+ <p>T180231: composer.json has require-dev versions of PHPUnit with known security issues. Reported by Tom Hutchison.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-8808</cvename>
+ <cvename>CVE-2017-8809</cvename>
+ <cvename>CVE-2017-8810</cvename>
+ <cvename>CVE-2017-8811</cvename>
+ <cvename>CVE-2017-8812</cvename>
+ <cvename>CVE-2017-8814</cvename>
+ <cvename>CVE-2017-8815</cvename>
+ <cvename>CVE-2017-0361</cvename>
+ <cvename>CVE-2017-9841</cvename>
+ <url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html</url>
+ </references>
+ <dates>
+ <discovery>2017-11-14</discovery>
+ <entry>2017-11-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="52f10525-caff-11e7-b590-6451062f0f7a">
+ <topic>Flash Player -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>linux-flashplayer</name>
+ <range><lt>27.0.0.187</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adobe reports:</p>
+ <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb17-33.html">
+ <ul>
+ <li>These updates resolve out-of-bounds read vulnerabilities that
+ could lead to remote code execution (CVE-2017-3112,
+ CVE-2017-3114, CVE-2017-11213).</li>
+ <li>These updates resolve use after free vulnerabilities that
+ could lead to remote code execution (CVE-2017-11215,
+ CVE-2017-11225).</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-3112</cvename>
+ <cvename>CVE-2017-3114</cvename>
+ <cvename>CVE-2017-11213</cvename>
+ <cvename>CVE-2017-11215</cvename>
+ <cvename>CVE-2017-11225</cvename>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsb17-33.html</url>
+ </references>
+ <dates>
+ <discovery>2017-11-14</discovery>
+ <entry>2017-11-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b4b7ec7d-ca27-11e7-a12d-6cc21735f730">
+ <topic>shibboleth2-sp -- "Dynamic" metadata provider plugin issue</topic>
+ <affects>
+ <package>
+ <name>shibboleth2-sp</name>
+ <range><lt>2.6.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Internet2 community reports:</p>
+ <blockquote cite="http://shibboleth.internet2.edu/secadv/secadv_20171115.txt">
+ <p>
+ The Shibboleth Service Provider software includes a MetadataProvider
+ plugin with the plugin type "Dynamic" to obtain metadata on demand
+ from a query server, in place of the more typical mode of
+ downloading aggregates separately containing all of the metadata to
+ load.
+ </p><p>
+ All the plugin types rely on MetadataFilter plugins to perform
+ critical security checks such as signature verification, enforcement
+ of validity periods, and other checks specific to deployments.
+ </p><p>
+ Due to a coding error, the "Dynamic" plugin fails to configure
+ itself with the filters provided to it and thus omits whatever
+ checks they are intended to perform, which will typically leave
+ deployments vulnerable to active attacks involving the substitution
+ of metadata if the network path to the query service is
+ compromised.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://shibboleth.internet2.edu/secadv/secadv_20171115.txt</url>
+ </references>
+ <dates>
+ <discovery>2017-11-15</discovery>
+ <entry>2017-11-15</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f78eac48-c3d1-4666-8de5-63ceea25a578">
+ <topic>mozilla -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <!-- 56.0.2_10,1 unlike 57.0,1 has CVE-2017-7827 partially unfixed:
+ bug 1384615, 1386490, 1393840, 1403716 -->
+ <range><lt>56.0.2_10,1</lt></range>
+ </package>
+ <package>
+ <name>seamonkey</name>
+ <name>linux-seamonkey</name>
+ <range><lt>2.49.2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>52.5.0,1</lt></range>
+ </package>
+ <package>
+ <name>linux-firefox</name>
+ <range><lt>52.5.0,2</lt></range>
+ </package>
+ <package>
+ <name>libxul</name>
+ <name>thunderbird</name>
+ <name>linux-thunderbird</name>
+ <range><lt>52.5.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mozilla Foundation reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/">
+ <p>CVE-2017-7828: Use-after-free of PressShell while restyling layout</p>
+ <p>CVE-2017-7830: Cross-origin URL information leak through Resource Timing API</p>
+ <p>CVE-2017-7831: Information disclosure of exposed properties on JavaScript proxy objects</p>
+ <p>CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers</p>
+ <p>CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker characters</p>
+ <p>CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections</p>
+ <p>CVE-2017-7835: Mixed content blocking incorrectly applies with redirects</p>
+ <p>CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and OS X</p>
+ <p>CVE-2017-7837: SVG loaded as <img> can use meta tags to set cookies</p>
+ <p>CVE-2017-7838: Failure of individual decoding of labels in international domain names triggers punycode display of entire IDN</p>
+ <p>CVE-2017-7839: Control characters before javascript: URLs defeats self-XSS prevention mechanism</p>
+ <p>CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags</p>
+ <p>CVE-2017-7842: Referrer Policy is not always respected for <link> elements</p>
+ <p>CVE-2017-7827: Memory safety bugs fixed in Firefox 57</p>
+ <p>CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-7826</cvename>
+ <cvename>CVE-2017-7827</cvename>
+ <cvename>CVE-2017-7828</cvename>
+ <cvename>CVE-2017-7830</cvename>
+ <cvename>CVE-2017-7831</cvename>
+ <cvename>CVE-2017-7832</cvename>
+ <cvename>CVE-2017-7833</cvename>
+ <cvename>CVE-2017-7834</cvename>
+ <cvename>CVE-2017-7835</cvename>
+ <cvename>CVE-2017-7836</cvename>
+ <cvename>CVE-2017-7837</cvename>
+ <cvename>CVE-2017-7838</cvename>
+ <cvename>CVE-2017-7839</cvename>
+ <cvename>CVE-2017-7840</cvename>
+ <cvename>CVE-2017-7842</cvename>
+ <url>https://www.mozilla.org/security/advisories/mfsa2017-24/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2017-25/</url>
+ </references>
+ <dates>
+ <discovery>2017-11-14</discovery>
+ <entry>2017-11-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="27b38d85-c891-11e7-a7bd-cd1209e563f2">
+ <topic>rubygem-geminabox -- XSS vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>rubygem-geminabox</name>
+ <range><lt>0.13.10</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>NVD reports:</p>
+ <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-16792">
+ <p>Stored cross-site scripting (XSS) vulnerability in "geminabox"
+ (Gem in a Box) before 0.13.10 allows attackers to inject arbitrary
+ web script via the "homepage" value of a ".gemspec" file, related
+ to views/gem.erb and views/index.erb.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2017-16792</url>
+ <cvename>CVE-2017-16792</cvename>
+ </references>
+ <dates>
+ <discovery>2017-11-13</discovery>
+ <entry>2017-11-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="795ccee1-c7ed-11e7-ad7d-001e2a3f778d">
+ <topic>konversation -- crash in IRC message parsing</topic>
+ <affects>
+ <package>
+ <name>konversation</name>
+ <range><lt>1.7.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>KDE reports:</p>
+ <blockquote cite="https://www.kde.org/info/security/advisory-20171112-1.txt">
+ <p>Konversation has support for colors in IRC messages. Any malicious user connected to the same IRC network can send a carefully crafted message that will crash the Konversation user client.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-15923</cvename>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15923</url>
+ <url>https://www.kde.org/info/security/advisory-20171112-1.txt</url>
+ </references>
+ <dates>
+ <discovery>2017-10-27</discovery>
+ <entry>2017-11-12</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f622608c-c53c-11e7-a633-009c02a2ab30">
+ <topic>roundcube -- file disclosure vulnerability</topic>
+ <affects>
+ <package>
+ <name>roundcube</name>
+ <range><lt>1.3.3,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MITRE reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16651">
+ <p>Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before
+ 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem,
+ including configuration files, as exploited in the wild in November 2017.
+ The attacker must be able to authenticate at the target system with a valid
+ username/password as the attack requires an active session.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/roundcube/roundcubemail/issues/6026</url>
+ <url>https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10</url>
+ <cvename>CVE-2017-16651</cvename>
+ <freebsdpr>ports/223557</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2017-11-06</discovery>
+ <entry>2017-11-11</entry>
+ <modified>2017-12-31</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="f8e72cd4-c66a-11e7-bb17-e8e0b747a45a">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>62.0.3202.89</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2017/11/stable-channel-update-for-desktop.html">
+ <p>2 security fixes in this release, including:</p>
+ <ul>
+ <li>[777728] Critical CVE-2017-15398: Stack buffer overflow in QUIC.
+ Reported by Ned Williamson on 2017-10-24</li>
+ <li>[776677] High CVE-2017-15399: Use after free in V8. Reported by
+ Zhao Qixun of Qihoo 360 Vulcan Team on 2017-10-20</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-15398</cvename>
+ <cvename>CVE-2017-15399</cvename>
+ <url>https://chromereleases.googleblog.com/2017/11/stable-channel-update-for-desktop.html</url>
+ </references>
+ <dates>
+ <discovery>2017-11-06</discovery>
+ <entry>2017-11-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="1f02af5d-c566-11e7-a12d-6cc21735f730">
+ <topic>PostgreSQL vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>postgresql92-server</name>
+ <range><ge>9.2.0</ge><lt>9.2.24</lt></range>
+ </package>
+ <package>
+ <name>postgresql93-server</name>
+ <range><ge>9.3.0</ge><lt>9.3.20</lt></range>
+ </package>
+ <package>
+ <name>postgresql94-server</name>
+ <range><ge>9.4.0</ge><lt>9.4.15</lt></range>
+ </package>
+ <package>
+ <name>postgresql95-server</name>
+ <range><ge>9.5.0</ge><lt>9.5.10</lt></range>
+ </package>
+ <package>
+ <name>postgresql96-server</name>
+ <range><ge>9.6.0</ge><lt>9.6.6</lt></range>
+ </package>
+ <package>
+ <name>postgresql10-server</name>
+ <range><ge>10.0</ge><lt>10.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The PostgreSQL project reports:</p>
+ <blockquote cite="https://www.postgresql.org/about/news/1801/">
+ <ul>
+ <li>CVE-2017-15098: Memory disclosure in JSON functions</li>
+ <li>CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to
+ enforce SELECT privileges</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-15099</cvename>
+ <cvename>CVE-2017-15098</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-10</discovery>
+ <entry>2017-11-09</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="1c2a9d76-9d98-43c3-8f5d-8c059b104d99">
+ <topic>jenkins -- multiple issues</topic>
+ <affects>
+ <package>
+ <name>jenkins</name>
+ <range><lt>2.89</lt></range>
+ </package>
+ <package>
+ <name>jenkins-lts</name>
+ <range><lt>2.73.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jenkins developers report:</p>
+ <blockquote cite="http://www.securityfocus.com/bid/99574">
+ <p>Jenkins stores metadata related to people, which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping. This potentially resulted in a number of problems.</p>
+ <p>Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://jenkins.io/security/advisory/2017-11-08/</url>
+ </references>
+ <dates>
+ <discovery>2017-11-08</discovery>
+ <entry>2017-11-09</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="be261737-c535-11e7-8da5-001999f8d30b">
+ <topic>asterisk -- Memory/File Descriptor/RTP leak in pjsip session resource</topic>
+ <affects>
+ <package>
+ <name>asterisk13</name>
+ <range><ge>13.5.0</ge><lt>13.18.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="http://www.asterisk.org/downloads/security-advisories">
+ <p>A memory leak occurs when an Asterisk pjsip session
+ object is created and that call gets rejected before the
+ session itself is fully established. When this happens
+ the session object never gets destroyed. This then leads
+ to file descriptors and RTP ports being leaked as well.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.asterisk.org/pub/security/AST-2017-011.html</url>
+ <cvename>CVE-2017-16672</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-15</discovery>
+ <entry>2017-11-09</entry>
+ <modified>2017-12-13</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="ab04cb0b-c533-11e7-8da5-001999f8d30b">
+ <topic>asterisk -- Buffer overflow in CDR's set user</topic>
+ <affects>
+ <package>
+ <name>asterisk13</name>
+ <range><lt>13.18.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="http://www.asterisk.org/downloads/security-advisories">
+ <p>No size checking is done when setting the user field
+ for Party B on a CDR. Thus, it is possible for someone
+ to use an arbitrarily large string and write past the end
+ of the user field storage buffer. The earlier AST-2017-001
+ advisory for the CDR user field overflow was for the Party
+ A buffer.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.asterisk.org/pub/security/AST-2017-010.html</url>
+ <cvename>CVE-2017-16671</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-09</discovery>
+ <entry>2017-11-09</entry>
+ <modified>2017-12-13</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="19b052c9-c533-11e7-8da5-001999f8d30b">
+ <topic>asterisk -- Buffer overflow in pjproject header parsing can cause crash in Asterisk</topic>
+ <affects>
+ <package>
+ <name>asterisk13</name>
+ <range><lt>13.18.1</lt></range>
+ </package>
+ <package>
+ <name>pjsip</name>
+ <range><lt>2.7.1</lt></range>
+ </package>
+ <package>
+ <name>pjsip-extsrtp</name>
+ <range><lt>2.7.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="http://www.asterisk.org/downloads/security-advisories">
+ <p>By carefully crafting invalid values in the Cseq and
+ the Via header port, pjprojects packet parsing code can
+ create strings larger than the buffer allocated to hold
+ them. This will usually cause Asterisk to crash immediately.
+ The packets do not have to be authenticated.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.asterisk.org/pub/security/AST-2017-009.html</url>
+ </references>
+ <dates>
+ <discovery>2017-10-05</discovery>
+ <entry>2017-11-09</entry>
+ <modified>2017-11-15</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="f40f07aa-c00f-11e7-ac58-b499baebfeaf">
+ <topic>OpenSSL -- Multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>openssl</name>
+ <range><lt>1.0.2m,1</lt></range>
+ </package>
+ <package>
+ <name>openssl-devel</name>
+ <range><lt>1.1.0g</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The OpenSSL project reports:</p>
+ <blockquote cite="https://www.openssl.org/news/secadv/20171102.txt">
+ <p>bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)<br/>
+ Severity: Moderate<br/>
+ There is a carry propagating bug in the x86_64 Montgomery squaring
+ procedure. No EC algorithms are affected. Analysis suggests that
+ attacks against RSA and DSA as a result of this defect would be
+ very difficult to perform and are not believed likely. Attacks
+ against DH are considered just feasible (although very difficult)
+ because most of the work necessary to deduce information about a
+ private key may be performed offline.</p>
+ <p>Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)<br/>
+ Severity: Low<br/>
+ This issue was previously announced in security advisory
+ https://www.openssl.org/news/secadv/20170828.txt, but the fix has
+ not previously been included in a release due to its low severity.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.openssl.org/news/secadv/20171102.txt</url>
+ <cvename>CVE-2017-3735</cvename>
+ <cvename>CVE-2017-3736</cvename>
+ </references>
+ <dates>
+ <discovery>2017-11-02</discovery>
+ <entry>2017-11-02</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="cee3d12f-bf41-11e7-bced-00e04c1ea73d">
+ <topic>wordpress -- multiple issues</topic>
+ <affects>
+ <package>
+ <name>wordpress</name>
+ <range><lt>4.8.3,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>wordpress developers reports:</p>
+ <blockquote cite="https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/">
+ <p>WordPress versions 4.8.2 and earlier are affected by an issue
+ where $wpdb->prepare() can create unexpected and unsafe queries
+ leading to potential SQL injection (SQLi). WordPress core is not
+ directly vulnerable to this issue, but we've added hardening to
+ prevent plugins and themes from accidentally causing a vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/</url>
+ </references>
+ <dates>
+ <discovery>2017-10-31</discovery>
+ <entry>2017-11-01</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="4684a426-774d-4390-aa19-b8dd481c4c94">
+ <topic>wireshark -- multiple security issues</topic>
+ <affects>
+ <package>
+ <name>wireshark</name>
+ <range><ge>2.2.0</ge><le>2.2.9</le></range>
+ <range><ge>2.4.0</ge><le>2.4.1</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>wireshark developers reports:</p>
+ <blockquote cite="http://www.securityfocus.com/bid/101228">
+ <p>In Wireshark 2.4.0 to 2.4.1, the DOCSIS dissector could go into an infinite loop. This was addressed in plugins/docsis/packet-docsis.c by adding decrements.</p>
+ <p>In Wireshark 2.4.0 to 2.4.1, the RTSP dissector could crash. This was addressed in epan/dissectors/packet-rtsp.c by correcting the scope of a variable.</p>
+ <p>In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 2.0.15, the DMP dissector could crash. This was addressed in epan/dissectors/packet-dmp.c by validating a string length.</p>
+ <p>In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the BT ATT dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by considering a case where not all of the BTATT packets have the same encapsulation level.</p>
+ <p>In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the MBIM dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-mbim.c by changing the memory-allocation approach.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.securityfocus.com/bid/101227</url>
+ <url>http://www.securityfocus.com/bid/101228</url>
+ <url>http://www.securityfocus.com/bid/101229</url>
+ <url>http://www.securityfocus.com/bid/101235</url>
+ <url>http://www.securityfocus.com/bid/101240</url>
+ <url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14049</url>
+ <url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14056</url>
+ <url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14068</url>
+ <url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14077</url>
+ <url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14080</url>
+ <url>https://code.wireshark.org/review/23470</url>
+ <url>https://code.wireshark.org/review/23537</url>
+ <url>https://code.wireshark.org/review/23591</url>
+ <url>https://code.wireshark.org/review/23635</url>
+ <url>https://code.wireshark.org/review/23663</url>
+ <url>https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3689dc1db36037436b1616715f9a3f888fc9a0f6</url>
+ <url>https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=625bab309d9dd21db2d8ae2aa3511810d32842a8</url>
+ <url>https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8dbb21dfde14221dab09b6b9c7719b9067c1f06e</url>
+ <url>https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=afb9ff7982971aba6e42472de0db4c1bedfc641b</url>
+ <url>https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e27870eaa6efa1c2dac08aa41a67fe9f0839e6e0</url>
+ <url>https://www.wireshark.org/security/wnpa-sec-2017-42.html</url>
+ <url>https://www.wireshark.org/security/wnpa-sec-2017-43.html</url>
+ <url>https://www.wireshark.org/security/wnpa-sec-2017-44.html</url>
+ <url>https://www.wireshark.org/security/wnpa-sec-2017-45.html</url>
+ <url>https://www.wireshark.org/security/wnpa-sec-2017-46.html</url>
+ <cvename>CVE-2017-15189</cvename>
+ <cvename>CVE-2017-15190</cvename>
+ <cvename>CVE-2017-15191</cvename>
+ <cvename>CVE-2017-15192</cvename>
+ <cvename>CVE-2017-15193</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-10</discovery>
+ <entry>2017-10-30</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="de7a2b32-bd7d-11e7-b627-d43d7e971a1b">
+ <topic>PHP -- denial of service attack</topic>
+ <affects>
+ <package>
+ <name>php56</name>
+ <range><lt>5.6.32</lt></range>
+ </package>
+ <package>
+ <name>php70</name>
+ <range><lt>7.0.25</lt></range>
+ </package>
+ <package>
+ <name>php71</name>
+ <range><lt>7.1.11</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The PHP project reports:</p>
+ <blockquote cite="http://php.net/archive/2017.php#id2017-10-26-3">
+ <p>The PHP development team announces the immediate availability of PHP
+ 5.6.32. This is a security release. Several security bugs were fixed in this
+ release. All PHP 5.6 users are encouraged to upgrade to this version.</p>
+ </blockquote>
+ <blockquote cite="http://php.net/archive/2017.php#id2017-10-26-1">
+ <p>The PHP development team announces the immediate availability of PHP
+ 7.0.25. This is a security release. Several security bugs were fixed in this
+ release. All PHP 7.0 users are encouraged to upgrade to this version.</p>
+ </blockquote>
+ <blockquote cite="http://php.net/archive/2017.php#id2017-10-27-1">
+ <p>The PHP development team announces the immediate availability of PHP
+ 7.1.11. This is a bugfix release, with several bug fixes included. All PHP
+ 7.1 users are encouraged to upgrade to this version. </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://php.net/archive/2017.php#id2017-10-26-3</url>
+ <url>http://php.net/archive/2017.php#id2017-10-26-1</url>
+ <url>http://php.net/archive/2017.php#id2017-10-27-1</url>
+ <cvename>CVE-2016-1283</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-26</discovery>
+ <entry>2017-10-30</entry>
+ <modified>2017-11-14</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="3cd46257-bbc5-11e7-a3bc-e8e0b747a45a">
+ <topic>chromium -- Stack overflow in V8</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>62.0.3202.75</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop_26.html">
+ <p>2 security fixes in this release, including:</p>
+ <ul>
+ <li>[770452] High CVE-2017-15396: Stack overflow in V8. Reported by
+ Yuan Deng of Ant-financial Light-Year Security Lab on 2017-09-30</li>
+ <li>[770450] Medium CVE-2017-15406: Stack overflow in V8. Reported by
+ Yuan Deng of Ant-financial Light-Year Security Lab on 2017-09-30</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-15396</cvename>
+ <cvename>CVE-2017-15406</cvename>
+ <url>https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop_26.html</url>
+ </references>
+ <dates>
+ <discovery>2017-10-26</discovery>
+ <entry>2017-10-28</entry>
+ <modified>2018-01-23</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="d77ceb8c-bb13-11e7-8357-3065ec6f3643">
+ <topic>wget -- Heap overflow in HTTP protocol handling</topic>
+ <affects>
+ <package>
+ <name>wget</name>
+ <range><lt>1.19.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Antti Levomäki, Christian Jalio, Joonas Pihlaja:</p>
+ <blockquote cite="https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html">
+ <p>Wget contains two vulnerabilities, a stack overflow and a heap
+ overflow, in the handling of HTTP chunked encoding. By convincing
+ a user to download a specific link over HTTP, an attacker may be
+ able to execute arbitrary code with the privileges of the user.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba</url>
+ <cvename>CVE-2017-13090</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-20</discovery>
+ <entry>2017-10-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="09849e71-bb12-11e7-8357-3065ec6f3643">
+ <topic>wget -- Stack overflow in HTTP protocol handling</topic>
+ <affects>
+ <package>
+ <name>wget</name>
+ <range><lt>1.19.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Antti Levomäki, Christian Jalio, Joonas Pihlaja:</p>
+ <blockquote cite="https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html">
+ <p>Wget contains two vulnerabilities, a stack overflow and a heap
+ overflow, in the handling of HTTP chunked encoding. By convincing
+ a user to download a specific link over HTTP, an attacker may be
+ able to execute arbitrary code with the privileges of the user.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f</url>
+ <cvename>CVE-2017-13089</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-20</discovery>
+ <entry>2017-10-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d7d1cc94-b971-11e7-af3a-f1035dd0da62">
+ <topic>Node.js -- remote DOS security vulnerability</topic>
+ <affects>
+ <package>
+ <name>node</name>
+ <range><lt>8.8.0</lt></range>
+ </package>
+ <package>
+ <name>node6</name>
+ <range><ge>6.10.2</ge><lt>6.11.5</lt></range>
+ </package>
+ <package>
+ <name>node4</name>
+ <range><ge>4.8.2</ge><lt>4.8.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Node.js reports:</p>
+ <blockquote cite="https://nodejs.org/en/blog/vulnerability/oct-2017-dos/">
+ <p>Node.js was susceptible to a remote DoS attack due to a change that came in as part of zlib v1.2.9. In zlib v1.2.9 8 became an invalid value for the windowBits parameter and Node's zlib module will crash or throw an exception (depending on the version)</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nodejs.org/en/blog/vulnerability/oct-2017-dos/</url>
+ <cvename>CVE-2017-14919</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-17</discovery>
+ <entry>2017-10-25</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="418c172b-b96f-11e7-b627-d43d7e971a1b">
+ <topic>GitLab -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>gitlab</name>
+ <range><ge>2.8.0</ge><le>9.4.6</le></range>
+ <range><ge>9.5.0</ge><le>9.5.8</le></range>
+ <range><ge>10.0.0</ge><le>10.0.3</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>GitLab reports:</p>
+ <blockquote cite="https://about.gitlab.com/2017/10/17/gitlab-10-dot-0-dot-4-security-release/">
+ <h1>Cross-Site Scripting (XSS) vulnerability in the Markdown sanitization
+ filter</h1>
+ <p>Yasin Soliman via HackerOne reported a Cross-Site Scripting (XSS)
+ vulnerability in the GitLab markdown sanitization filter. The sanitization
+ filter was not properly stripping invalid characters from URL schemes and
+ was therefore vulnerable to persistent XSS attacks anywhere Markdown was
+ supported.</p>
+ <h1>Cross-Site Scripting (XSS) vulnerability in search bar</h1>
+ <p>Josh Unger reported a Cross-Site Scripting (XSS) vulnerability in the
+ issue search bar. Usernames were not being properly HTML escaped inside the
+ author filter would could allow arbitrary script execution.</p>
+ <h1>Open redirect in repository git redirects</h1>
+ <p>Eric Rafaloff via HackerOne reported that GitLab was vulnerable to an
+ open redirect vulnerability when redirecting requests for repository names
+ that include the git extension. GitLab was not properly removing dangerous
+ parameters from the params field before redirecting which could allow an
+ attacker to redirect users to arbitrary hosts.</p>
+ <h1>Username changes could leave repositories behind</h1>
+ <p>An internal code review discovered that a bug in the code that moves
+ repositories during a username change could potentially leave behind
+ projects, allowing an attacker who knows the previous username to
+ potentially steal the contents of repositories on instances that are not
+ configured with hashed namespaces.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://about.gitlab.com/2017/10/17/gitlab-10-dot-0-dot-4-security-release/</url>
+ </references>
+ <dates>
+ <discovery>2017-10-17</discovery>
+ <entry>2017-10-25</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="27229c67-b8ff-11e7-9f79-ac9e174be3af">
+ <topic>Apache OpenOffice -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>apache-openoffice</name>
+ <range><lt>4.1.4</lt></range>
+ </package>
+ <package>
+ <name>apache-openoffice-devel</name>
+ <range><lt>4.2.1810071_1,4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Apache Openofffice project reports:</p>
+ <blockquote cite="https://www.openoffice.org/security/cves/CVE-2017-3157.html">
+ <h1>CVE-2017-3157: Arbitrary file disclosure in Calc and Writer</h1>
+ <p>By exploiting the way OpenOffice renders embedded objects, an attacker could craft a document that allows reading in a file from the user's filesystem. Information could be retrieved by the attacker by, e.g., using hidden sections to store the information, tricking the user into saving the document and convincing the user to sent the document back to the attacker.</p>
+ <p>The vulnerability is mitigated by the need for the attacker to know the precise file path in the target system, and the need to trick the user into saving the document and sending it back.</p>
+ </blockquote>
+ <blockquote cite="https://www.openoffice.org/security/cves/CVE-2017-9806.html">
+ <h1>CVE-2017-9806: Out-of-Bounds Write in Writer's WW8Fonts Constructor</h1>
+ <p>A vulnerability in the OpenOffice Writer DOC file parser, and specifically in the WW8Fonts Constructor, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.</p>
+ </blockquote>
+ <blockquote cite="https://www.openoffice.org/security/cves/CVE-2017-12607.html">
+ <h1>CVE-2017-12607: Out-of-Bounds Write in Impress' PPT Filter</h1>
+ <p>A vulnerability in OpenOffice's PPT file parser, and specifically in PPTStyleSheet, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.</p>
+ </blockquote>
+ <blockquote cite="https://www.openoffice.org/security/cves/CVE-2017-12608.html">
+ <h1>CVE-2017-12608: Out-of-Bounds Write in Writer's ImportOldFormatStyles</h1>
+ <p>A vulnerability in OpenOffice Writer DOC file parser, and specifically in ImportOldFormatStyles, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.openoffice.org/security/cves/CVE-2017-3157.html</url>
+ <url>https://www.openoffice.org/security/cves/CVE-2017-9806.html</url>
+ <url>https://www.openoffice.org/security/cves/CVE-2017-12607.html</url>
+ <url>https://www.openoffice.org/security/cves/CVE-2017-12608.html</url>
+ <cvename>CVE-2017-3157</cvename>
+ <cvename>CVE-2017-9806</cvename>
+ <cvename>CVE-2017-12607</cvename>
+ <cvename>CVE-2017-12608</cvename>
+ </references>
+ <dates>
+ <discovery>2016-09-11</discovery>
+ <entry>2017-10-24</entry>
+ <modified>2017-10-26</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="143ec3d6-b7cf-11e7-ac58-b499baebfeaf">
+ <topic>cURL -- out of bounds read</topic>
+ <affects>
+ <package>
+ <name>curl</name>
+ <range><ge>7.20</ge><lt>7.56.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The cURL project reports:</p>
+ <blockquote cite="https://curl.haxx.se/docs/adv_20171023.html">
+ <p>libcurl contains a buffer overrun flaw in the IMAP handler.<br/>
+ An IMAP FETCH response line indicates the size of the returned data,
+ in number of bytes. When that response says the data is zero bytes,
+ libcurl would pass on that (non-existing) data with a pointer and
+ the size (zero) to the deliver-data function.<br/>
+ libcurl's deliver-data function treats zero as a magic number and
+ invokes strlen() on the data to figure out the length. The strlen()
+ is called on a heap based buffer that might not be zero terminated
+ so libcurl might read beyond the end of it into whatever memory lies
+ after (or just crash) and then deliver that to the application as if
+ it was actually downloaded.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://curl.haxx.se/docs/adv_20171023.html</url>
+ <cvename>CVE-2017-1000257</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-23</discovery>
+ <entry>2017-10-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="10c0fabc-b5da-11e7-816e-00bd5d1fff09">
+ <topic>h2o -- DoS in workers</topic>
+ <affects>
+ <package>
+ <name>h2o</name>
+ <range><lt>2.2.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Frederik Deweerdt reports:</p>
+ <blockquote cite="https://github.com/h2o/h2o/releases/tag/v2.2.3">
+ <p>Multiple Denial-of-Service vulnerabilities exist in h2o workers -
+ see references for full details.</p>
+ <p>CVE-2017-10868: Worker processes may crash when receiving a request with invalid framing.</p>
+ <p>CVE-2017-10869: The stack may overflow when proxying huge requests.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-10868</cvename>
+ <cvename>CVE-2017-10869</cvename>
+ <url>https://github.com/h2o/h2o/issues/1459</url>
+ <url>https://github.com/h2o/h2o/issues/1460</url>
+ <url>https://github.com/h2o/h2o/releases/tag/v2.2.3</url>
+ </references>
+ <dates>
+ <discovery>2017-07-19</discovery>
+ <entry>2017-10-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="85e2c7eb-b74b-11e7-8546-5cf3fcfdd1f1">
+ <topic>irssi -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>irssi</name>
+ <range><lt>1.0.5,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Irssi reports:</p>
+ <blockquote cite="https://irssi.org/security/irssi_sa_2017_10.txt">
+ <p>When installing themes with unterminated colour formatting
+ sequences, Irssi may access data beyond the end of the string.</p>
+ <p>While waiting for the channel synchronisation, Irssi may
+ incorrectly fail to remove destroyed channels from the query list,
+ resulting in use after free conditions when updating the state later
+ on.</p>
+ <p>Certain incorrectly formatted DCC CTCP messages could cause NULL
+ pointer dereference.</p>
+ <p>Overlong nicks or targets may result in a NULL pointer dereference
+ while splitting the message.</p>
+ <p>In certain cases Irssi may fail to verify that a Safe channel ID
+ is long enough, causing reads beyond the end of the string.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://irssi.org/security/irssi_sa_2017_10.txt</url>
+ <cvename>CVE-2017-15721</cvename>
+ <cvename>CVE-2017-15722</cvename>
+ <cvename>CVE-2017-15723</cvename>
+ <cvename>CVE-2017-15227</cvename>
+ <cvename>CVE-2017-15228</cvename>
+ <freebsdpr>ports/223169</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2017-10-10</discovery>
+ <entry>2017-10-22</entry>
+ <modified>2017-12-31</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="a692bffe-b6ad-11e7-a1c2-e8e0b747a45a">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>62.0.3202.62</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html">
+ <p>35 security fixes in this release, including:</p>
+ <ul>
+ <li>[762930] High CVE-2017-5124: UXSS with MHTML. Reported by
+ Anonymous on 2017-09-07</li>
+ <li>[749147] High CVE-2017-5125: Heap overflow in Skia. Reported by
+ Anonymous on 2017-07-26</li>
+ <li>[760455] High CVE-2017-5126: Use after free in PDFium. Reported by
+ Luat Nguyen on KeenLab, Tencent on 2017-08-30</li>
+ <li>[765384] High CVE-2017-5127: Use after free in PDFium. Reported by
+ Luat Nguyen on KeenLab, Tencent on 2017-09-14</li>
+ <li>[765469] High CVE-2017-5128: Heap overflow in WebGL. Reported by
+ Omair on 2017-09-14</li>
+ <li>[765495] High CVE-2017-5129: Use after free in WebAudio. Reported by
+ Omair on 2017-09-15</li>
+ <li>[718858] High CVE-2017-5132: Incorrect stack manipulation in WebAssembly. Reported by
+ Gaurav Dewan of Adobe Systems India Pvt. Ltd. on 2017-05-05</li>
+ <li>[722079] High CVE-2017-5130: Heap overflow in libxml2. Reported by
+ Pranjal Jumde on 2017-05-14</li>
+ <li>[744109] Medium CVE-2017-5131: Out of bounds write in Skia. Reported by
+ Anonymous on 2017-07-16</li>
+ <li>[762106] Medium CVE-2017-5133: Out of bounds write in Skia. Reported by
+ Aleksandar Nikolic of Cisco Talos on 2017-09-05</li>
+ <li>[752003] Medium CVE-2017-15386: UI spoofing in Blink. Reported by
+ WenXu Wu of Tencent's Xuanwu Lab on 2017-08-03</li>
+ <li>[756040] Medium CVE-2017-15387: Content security bypass. Reported by
+ Jun Kokatsu on 2017-08-16</li>
+ <li>[756563] Medium CVE-2017-15388: Out of bounds read in Skia. Reported by
+ Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-08-17</li>
+ <li>[739621] Medium CVE-2017-15389: URL spoofing in Omnibox. Reported by
+ xisigr of Tencent's Xuanwu Lab on 2017-07-06</li>
+ <li>[750239] Medium CVE-2017-15390: URL spoofing in Omnibox. Reported by
+ Haosheng Wang on 2017-07-28</li>
+ <li>[598265] Low CVE-2017-15391: Extension limitation bypass in Extensions. Reported by
+ Joao Lucas Melo Brasio on 2016-03-28</li>
+ <li>[714401] Low CVE-2017-15392: Incorrect registry key handling in PlatformIntegration.
+ Reported by Xiaoyin Liu on 2017-04-22</li>
+ <li>[732751] Low CVE-2017-15393: Referrer leak in Devtools. Reported by
+ Svyat Mitin on 2017-06-13</li>
+ <li>[745580] Low CVE-2017-15394: URL spoofing in extensions UI. Reported by
+ Sam on 2017-07-18</li>
+ <li>[759457] Low CVE-2017-15395: Null pointer dereference in ImageCapture. Reported by
+ Johannes Bergman on 2017-08-28</li>
+ <li>[775550] Various fixes from internal audits, fuzzing and other initiatives</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-5124</cvename>
+ <cvename>CVE-2017-5125</cvename>
+ <cvename>CVE-2017-5126</cvename>
+ <cvename>CVE-2017-5127</cvename>
+ <cvename>CVE-2017-5128</cvename>
+ <cvename>CVE-2017-5129</cvename>
+ <cvename>CVE-2017-5132</cvename>
+ <cvename>CVE-2017-5130</cvename>
+ <cvename>CVE-2017-5131</cvename>
+ <cvename>CVE-2017-5133</cvename>
+ <cvename>CVE-2017-15386</cvename>
+ <cvename>CVE-2017-15387</cvename>
+ <cvename>CVE-2017-15388</cvename>
+ <cvename>CVE-2017-15389</cvename>
+ <cvename>CVE-2017-15390</cvename>
+ <cvename>CVE-2017-15391</cvename>
+ <cvename>CVE-2017-15392</cvename>
+ <cvename>CVE-2017-15393</cvename>
+ <cvename>CVE-2017-15394</cvename>
+ <cvename>CVE-2017-15395</cvename>
+ <url>https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html</url>
+ </references>
+ <dates>
+ <discovery>2017-10-17</discovery>
+ <entry>2017-10-21</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e1cb9dc9-daa9-44db-adde-e94d900e2f7f">
+ <topic>cacti -- Cross Site Scripting issue</topic>
+ <affects>
+ <package>
+ <name>cacti</name>
+ <range><lt>1.1.26</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>cacti developers report:</p>
+ <blockquote cite=" https://github.com/Cacti/cacti/commit/93f661d8adcfa6618b11522cdab30e97bada33fd">
+ <p>The file include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.securitytracker.com/id/1039569</url>
+ <url>https://github.com/Cacti/cacti/commit/93f661d8adcfa6618b11522cdab30e97bada33fd</url>
+ <url>https://github.com/Cacti/cacti/issues/1010</url>
+ <cvename>CVE-2017-15194</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-10</discovery>
+ <entry>2017-10-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b95e5674-b4d6-11e7-b895-0cc47a494882">
+ <topic>arj -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>arj</name>
+ <range><lt>3.10.22_5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Several vulnerabilities: symlink directory traversal, absolute path directory
+ traversal and buffer overflow were discovered in the arj archiver.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-0556</cvename>
+ <cvename>CVE-2015-0557</cvename>
+ <cvename>CVE-2015-2782</cvename>
+ </references>
+ <dates>
+ <discovery>2015-04-08</discovery>
+ <entry>2017-10-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3f3837cc-48fb-4414-aa46-5b1c23c9feae">
+ <topic>krb5 -- Multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>krb5</name>
+ <range><lt>1.14.6</lt></range>
+ <range><ge>1.15</ge><lt>1.15.2</lt></range>
+ </package>
+ <package>
+ <name>krb5-devel</name>
+ <range><lt>1.14.6</lt></range>
+ <range><ge>1.15</ge><lt>1.15.2</lt></range>
+ </package>
+ <package>
+ <name>krb5-115</name>
+ <range><lt>1.15.2</lt></range>
+ </package>
+ <package>
+ <name>krb5-114</name>
+ <range><lt>1.14.6</lt></range>
+ </package>
+ <package>
+ <name>krb5-113</name>
+ <range><lt>1.14.6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MIT reports:</p>
+ <blockquote cite="http://krbdev.mit.edu/rt/Ticket/Display.html?id=8599">
+ <p>CVE-2017-11368:</p>
+ <p>In MIT krb5 1.7 and later, an authenticated attacker can cause an
+ assertion failure in krb5kdc by sending an invalid S4U2Self or
+ S4U2Proxy request.</p>
+ </blockquote>
+ <blockquote cite="http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598">
+ <p>CVE-2017-11462:</p>
+ <p>RFC 2744 permits a GSS-API implementation to delete an existing
+ security context on a second or subsequent call to gss_init_sec_context()
+ or gss_accept_sec_context() if the call results in an error.
+ This API behavior has been found to be dangerous, leading to the
+ possibility of memory errors in some callers. For safety, GSS-API
+ implementations should instead preserve existing security contexts
+ on error until the caller deletes them.</p>
+ <p>All versions of MIT krb5 prior to this change may delete acceptor
+ contexts on error. Versions 1.13.4 through 1.13.7, 1.14.1 through
+ 1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts
+ on error.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2017-11368</url>
+ <url>https://krbdev.mit.edu/rt/Ticket/Display.html?id=8599</url>
+ <url>https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970</url>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2017-11462</url>
+ <url>https://krbdev.mit.edu/rt/Ticket/Display.html?id=8598</url>
+ <url>https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf</url>
+ <cvename>CVE-2017-11368</cvename>
+ <cvename>CVE-2017-11462</cvename>
+ </references>
+ <dates>
+ <discovery>2017-07-14</discovery>
+ <entry>2017-10-18</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c41bedfd-b3f9-11e7-ac58-b499baebfeaf">
+ <topic>MySQL -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mariadb55-server</name>
+ <range><lt>5.5.58</lt></range>
+ </package>
+ <package>
+ <name>mariadb100-server</name>
+ <range><lt>10.0.33</lt></range>
+ </package>
+ <package>
+ <name>mariadb101-server</name>
+ <range><lt>10.1.29</lt></range>
+ </package>
+ <package>
+ <name>mariadb102-server</name>
+ <range><lt>10.2.10</lt></range>
+ </package>
+ <package>
+ <name>mysql55-server</name>
+ <range><lt>5.5.58</lt></range>
+ </package>
+ <package>
+ <name>mysql56-server</name>
+ <range><lt>5.6.38</lt></range>
+ </package>
+ <package>
+ <name>mysql57-server</name>
+ <range><lt>5.7.20</lt></range>
+ </package>
+ <package>
+ <name>percona55-server</name>
+ <range><lt>5.5.58</lt></range>
+ </package>
+ <package>
+ <name>percona56-server</name>
+ <range><lt>5.6.38</lt></range>
+ </package>
+ <package>
+ <name>percona57-server</name>
+ <range><lt>5.7.20</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Oracle reports:</p>
+ <blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL">
+ <p>Please reference CVE/URL list for details</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL</url>
+ <cvename>CVE-2017-10155</cvename>
+ <cvename>CVE-2017-10379</cvename>
+ <cvename>CVE-2017-10384</cvename>
+ <cvename>CVE-2017-10276</cvename>
+ <cvename>CVE-2017-10167</cvename>
+ <cvename>CVE-2017-10378</cvename>
+ <cvename>CVE-2017-10277</cvename>
+ <cvename>CVE-2017-10203</cvename>
+ <cvename>CVE-2017-10283</cvename>
+ <cvename>CVE-2017-10313</cvename>
+ <cvename>CVE-2017-10296</cvename>
+ <cvename>CVE-2017-10311</cvename>
+ <cvename>CVE-2017-10320</cvename>
+ <cvename>CVE-2017-10314</cvename>
+ <cvename>CVE-2017-10227</cvename>
+ <cvename>CVE-2017-10279</cvename>
+ <cvename>CVE-2017-10294</cvename>
+ <cvename>CVE-2017-10165</cvename>
+ <cvename>CVE-2017-10284</cvename>
+ <cvename>CVE-2017-10286</cvename>
+ <cvename>CVE-2017-10268</cvename>
+ <cvename>CVE-2017-10365</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-18</discovery>
+ <entry>2017-10-18</entry>
+ <modified>2017-12-23</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="ab881a74-c016-4e6d-9f7d-68c8e7cedafb">
+ <topic>xorg-server -- Multiple Issues</topic>
+ <affects>
+ <package>
+ <name>xorg-server</name>
+ <range><le>1.19.3</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>xorg-server developers reports:</p>
+ <blockquote cite="http://www.securityfocus.com/bid/99546">
+ <p>In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events.</p>
+ <p>Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server before 2017-06-19 allowed authenticated malicious users to access potentially privileged data from the X server.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.securityfocus.com/bid/99546</url>
+ <url>https://bugzilla.suse.com/show_bug.cgi?id=1035283</url>
+ <url>https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c</url>
+ <url>https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d</url>
+ <url>https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455</url>
+ <url>http://www.securityfocus.com/bid/99543</url>
+ <url>https://bugzilla.suse.com/show_bug.cgi?id=1035283</url>
+ <url>https://cgit.freedesktop.org/xorg/xserver/commit/?id=05442de962d3dc624f79fc1a00eca3ffc5489ced</url>
+ <cvename>CVE-2017-10971</cvename>
+ <cvename>CVE-2017-10972</cvename>
+ </references>
+ <dates>
+ <discovery>2017-07-06</discovery>
+ <entry>2017-10-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a73518da-b2fa-11e7-98ef-d43d7ef03aa6">
+ <topic>Flash Player -- Remote code execution</topic>
+ <affects>
+ <package>
+ <name>linux-flashplayer</name>
+ <range><lt>27.0.0.170</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adobe reports:</p>
+ <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb17-32.html">
+ <ul>
+ <li>This update resolves a type confusion vulnerability that
+ could lead to remote code execution (CVE-2017-11292).</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-11292</cvename>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsb17-32.html</url>
+ </references>
+ <dates>
+ <discovery>2017-10-16</discovery>
+ <entry>2017-10-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d670a953-b2a1-11e7-a633-009c02a2ab30">
+ <topic>WPA packet number reuse with replayed messages and key reinstallation</topic>
+ <affects>
+ <package>
+ <name>wpa_supplicant</name>
+ <range><le>2.6_1</le></range>
+ </package>
+ <package>
+ <name>hostapd</name>
+ <range><le>2.6</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>wpa_supplicant developers report:</p>
+ <blockquote cite="http://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt">
+ <p>A vulnerability was found in how a number of implementations can be
+ triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
+ replaying a specific frame that is used to manage the keys.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt</url>
+ <url>https://www.kb.cert.org/vuls/id/228519</url>
+ <cvename>CVE-2017-13077</cvename>
+ <cvename>CVE-2017-13078</cvename>
+ <cvename>CVE-2017-13079</cvename>
+ <cvename>CVE-2017-13080</cvename>
+ <cvename>CVE-2017-13081</cvename>
+ <cvename>CVE-2017-13082</cvename>
+ <cvename>CVE-2017-13084</cvename>
+ <cvename>CVE-2017-13086</cvename>
+ <cvename>CVE-2017-13087</cvename>
+ <cvename>CVE-2017-13088</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-16</discovery>
+ <entry>2017-10-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b0628e53-092a-4037-938b-29805a7cd31b">
+ <topic>mercurial -- multiple issues</topic>
+ <affects>
+ <package>
+ <name>mercurial</name>
+ <range><lt>4.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>mercurial developers reports:</p>
+ <blockquote cite="http://www.securityfocus.com/bid/100290">
+ <p>Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository</p>
+ <p>Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.securityfocus.com/bid/100290</url>
+ <url>https://security.gentoo.org/glsa/201709-18</url>
+ <url>https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29</url>
+ <url>http://www.securityfocus.com/bid/100290</url>
+ <url>https://security.gentoo.org/glsa/201709-18</url>
+ <url>https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29</url>
+ <cvename>CVE-2017-1000115</cvename>
+ <cvename>CVE-2017-1000116</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-05</discovery>
+ <entry>2017-10-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="555cd806-b031-11e7-a369-14dae9d59f67">
+ <topic>Multiple exploitable heap-based buffer overflow vulnerabilities exists in FreeXL 1.0.3</topic>
+ <affects>
+ <package>
+ <name>freexl</name>
+ <range><lt>1.0.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Cisco TALOS reports:</p>
+ <blockquote cite="http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430">
+ <p>An exploitable heap based buffer overflow vulnerability exists in the read_biff_next_record function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability.</p>
+ </blockquote>
+ <blockquote cite="https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0431">
+ <p>An exploitable heap-based buffer overflow vulnerability exists in the read_legacy_biff function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430</url>
+ <cvename>CVE-2017-2923</cvename>
+ <url>https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0431</url>
+ <cvename>CVE-2017-2924</cvename>
+ </references>
+ <dates>
+ <discovery>2017-09-11</discovery>
+ <entry>2017-10-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ed73829d-af6d-11e7-a633-009c02a2ab30">
+ <topic>FFmpeg -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>ffmpeg</name>
+ <range><lt>3.3.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>FFmpeg security reports:</p>
+ <blockquote cite="https://www.ffmpeg.org/security.html">
+ <p>Multiple vulnerabilities have been fixed in FFmpeg 3.3.4. Please refer to the CVE list for details.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.ffmpeg.org/security.html</url>
+ <cvename>CVE-2017-14054</cvename>
+ <cvename>CVE-2017-14055</cvename>
+ <cvename>CVE-2017-14056</cvename>
+ <cvename>CVE-2017-14057</cvename>
+ <cvename>CVE-2017-14058</cvename>
+ <cvename>CVE-2017-14059</cvename>
+ <cvename>CVE-2017-14169</cvename>
+ <cvename>CVE-2017-14170</cvename>
+ <cvename>CVE-2017-14171</cvename>
+ <cvename>CVE-2017-14222</cvename>
+ <cvename>CVE-2017-14223</cvename>
+ <cvename>CVE-2017-14225</cvename>
+ <cvename>CVE-2017-14767</cvename>
+ </references>
+ <dates>
+ <discovery>2017-09-11</discovery>
+ <entry>2017-10-12</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7274e0cc-575f-41bc-8619-14a41b3c2ad0">
+ <topic>xorg-server -- multiple vulnabilities</topic>
+ <affects>
+ <package>
+ <name>xephyr</name>
+ <range><lt>1.18.4_5,1</lt></range>
+ </package>
+ <package>
+ <name>xorg-dmx</name>
+ <range><lt>1.18.4_5,1</lt></range>
+ </package>
+ <package>
+ <name>xorg-nestserver</name>
+ <range><lt>1.19.1_2,2</lt></range>
+ </package>
+ <package>
+ <name>xorg-server</name>
+ <range><lt>1.18.4_5,1</lt></range>
+ </package>
+ <package>
+ <name>xorg-vfbserver</name>
+ <range><lt>1.19.1_2,1</lt></range>
+ </package>
+ <package>
+ <name>xwayland</name>
+ <range><lt>1.19.1_2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adam Jackson reports:</p>
+ <blockquote cite="https://lists.x.org/archives/xorg-announce/2017-October/002814.html">
+ <p>One regression fix since 1.19.4 (mea culpa), and fixes for
+ CVEs 2017-12176 through 2017-12187.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://lists.x.org/archives/xorg-announce/2017-October/002814.html</url>
+ <cvename>CVE-2017-12176</cvename>
+ <cvename>CVE-2017-12177</cvename>
+ <cvename>CVE-2017-12178</cvename>
+ <cvename>CVE-2017-12179</cvename>
+ <cvename>CVE-2017-12180</cvename>
+ <cvename>CVE-2017-12181</cvename>
+ <cvename>CVE-2017-12182</cvename>
+ <cvename>CVE-2017-12183</cvename>
+ <cvename>CVE-2017-12184</cvename>
+ <cvename>CVE-2017-12185</cvename>
+ <cvename>CVE-2017-12186</cvename>
+ <cvename>CVE-2017-12187</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-12</discovery>
+ <entry>2017-10-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e837390d-0ceb-46b8-9b32-29c1195f5dc7">
+ <topic>solr -- Code execution via entity expansion</topic>
+ <affects>
+ <package>
+ <name>apache-solr</name>
+ <range><ge>5.1</ge><le>6.6.1</le></range>
+ <range><ge>7.0.0</ge><lt>7.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Solr developers report:</p>
+ <blockquote cite="http://lucene.472066.n3.nabble.com/Re-Several-critical-vulnerabilities-discovered-in-Apache-Solr-XXE-amp-RCE-td4358308.html">
+ <p>Lucene XML parser does not explicitly prohibit doctype declaration and expansion of external entities which leads to arbitrary HTTP requests to the local SOLR instance and to bypass all firewall restrictions.</p>
+ <p>Solr "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such listener can be enabled with any parameters just by using Config API with add-listener command.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://lucene.472066.n3.nabble.com/Re-Several-critical-vulnerabilities-discovered-in-Apache-Solr-XXE-amp-RCE-td4358308.html</url>
+ <url>https://marc.info/?l=apache-announce&m=150786685013286</url>
+ <cvename>CVE-2017-12629</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-13</discovery>
+ <entry>2017-10-13</entry>
+ <modified>2017-10-16</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="6dc3c61c-e866-4c27-93f7-ae50908594fd">
+ <topic>jenkins -- multiple issues</topic>
+ <affects>
+ <package>
+ <name>jenkins</name>
+ <range><le>2.83</le></range>
+ </package>
+ <package>
+ <name>jenkins-lts</name>
+ <range><le>2.73.1</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>jenkins developers report:</p>
+ <blockquote cite="https://jenkins.io/security/advisory/2017-10-11/">
+ <p>A total of 11 issues are reported, please see reference URL for details.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://jenkins.io/security/advisory/2017-10-11/</url>
+ </references>
+ <dates>
+ <discovery>2017-10-11</discovery>
+ <entry>2017-10-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="da70d472-af59-11e7-ace2-f8b156b439c5">
+ <topic>xen-kernel -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>xen-kernel</name>
+ <range><lt>4.7.2_6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen project reports multiple vulnerabilities.</p>
+ </body>
+ </description>
+ <references>
+ <url>http://xenbits.xen.org/xsa/advisory-237.html</url>
+ <url>http://xenbits.xen.org/xsa/advisory-238.html</url>
+ <url>http://xenbits.xen.org/xsa/advisory-239.html</url>
+ <url>http://xenbits.xen.org/xsa/advisory-240.html</url>
+ <url>http://xenbits.xen.org/xsa/advisory-241.html</url>
+ <url>http://xenbits.xen.org/xsa/advisory-242.html</url>
+ <url>http://xenbits.xen.org/xsa/advisory-243.html</url>
+ <url>http://xenbits.xen.org/xsa/advisory-244.html</url>
+ </references>
+ <dates>
+ <discovery>2017-10-12</discovery>
+ <entry>2017-10-12</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e71fd9d3-af47-11e7-a633-009c02a2ab30">
+ <topic>nss -- Use-after-free in TLS 1.2 generating handshake hashes</topic>
+ <affects>
+ <package>
+ <name>nss</name>
+ <range><ge>3.32</ge><lt>3.32.1</lt></range>
+ <range><ge>3.28</ge><lt>3.28.6</lt></range>
+ </package>
+ <package>
+ <name>linux-c6-nss</name>
+ <range><ge>3.28</ge><lt>3.28.4_2</lt></range>
+ </package>
+ <package>
+ <name>linux-c7-nss</name>
+ <range><ge>3.28</ge><lt>3.28.4_2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mozilla reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7805">
+ <p>During TLS 1.2 exchanges, handshake hashes are generated which
+ point to a message buffer. This saved data is used for later
+ messages but in some cases, the handshake transcript can
+ exceed the space available in the current buffer, causing the
+ allocation of a new buffer. This leaves a pointer pointing to
+ the old, freed buffer, resulting in a use-after-free when
+ handshake hashes are then calculated afterwards. This can
+ result in a potentially exploitable crash.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7805</url>
+ <url>https://hg.mozilla.org/projects/nss/rev/2d7b65b72290</url>
+ <url>https://hg.mozilla.org/projects/nss/rev/d3865e2957d0</url>
+ <cvename>CVE-2017-7805</cvename>
+ </references>
+ <dates>
+ <discovery>2017-08-04</discovery>
+ <entry>2017-10-12</entry>
+ <modified>2018-01-29</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="15a62f22-098a-443b-94e2-2d26c375b993">
+ <topic>osip -- Improper Restriction of Operations within the Bounds of a Memory Buffer</topic>
+ <affects>
+ <package>
+ <name>libosip2</name>
+ <range><le>5.0.0</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>osip developers reports:</p>
+ <blockquote cite="http://www.securityfocus.com/bid/97644">
+ <p>In libosip2 in GNU oSIP 4.1.0 and 5.0.0, a malformed SIP message can lead to a heap buffer overflow in the msg_osip_body_parse() function defined in osipparser2/osip_message_parse.c, resulting in a remote DoS.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.securityfocus.com/bid/97644</url>
+ <url>https://savannah.gnu.org/support/index.php?109265</url>
+ <cvename>CVE-2017-7853</cvename>
+ </references>
+ <dates>
+ <discovery>2017-04-13</discovery>
+ <entry>2017-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b84dbd94-e894-4c91-b8cd-d328537b1b2b">
+ <topic>ncurses -- multiple issues</topic>
+ <affects>
+ <package>
+ <name>ncurses</name>
+ <range><le>6.0</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>ncurses developers reports:</p>
+ <blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=1484285">
+ <p>There are multiple illegal address access issues and an infinite loop issue. Please refer to the CVE list for details.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=1484274</url>
+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=1484276</url>
+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=1484284</url>
+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=1484285</url>
+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=1484287</url>
+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=1484290</url>
+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=1484291</url>
+ <cvename>CVE-2017-13728</cvename>
+ <cvename>CVE-2017-13729</cvename>
+ <cvename>CVE-2017-13730</cvename>
+ <cvename>CVE-2017-13731</cvename>
+ <cvename>CVE-2017-13732</cvename>
+ <cvename>CVE-2017-13733</cvename>
+ <cvename>CVE-2017-13734</cvename>
+ </references>
+ <dates>
+ <discovery>2017-08-29</discovery>
+ <entry>2017-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9164f51e-ae20-11e7-a633-009c02a2ab30">
+ <topic>Python 2.7 -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>python27</name>
+ <range><lt>2.7.14</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Python reports:</p>
+ <blockquote cite="https://raw.githubusercontent.com/python/cpython/84471935ed2f62b8c5758fd544c7d37076fe0fa5/Misc/NEWS">
+ <p>Multiple vulnerabilities have been fixed in Python 2.7.14. Please refer to the CVE list for details.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://raw.githubusercontent.com/python/cpython/84471935ed2f62b8c5758fd544c7d37076fe0fa5/Misc/NEWS</url>
+ <cvename>CVE-2012-0876</cvename>
+ <cvename>CVE-2016-0718</cvename>
+ <cvename>CVE-2016-4472</cvename>
+ <cvename>CVE-2016-5300</cvename>
+ <cvename>CVE-2016-9063</cvename>
+ <cvename>CVE-2017-9233</cvename>
+ </references>
+ <dates>
+ <discovery>2017-08-26</discovery>
+ <entry>2017-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="1257718e-be97-458a-9744-d938b592db42">
+ <topic>node -- access to unintended files</topic>
+ <affects>
+ <package>
+ <name>node</name>
+ <range><ge>8.5.0</ge><lt>8.6.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>node developers report:</p>
+ <blockquote cite="http://www.securityfocus.com/bid/101056">
+ <p>Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.securityfocus.com/bid/101056</url>
+ <cvename>CVE-2017-14849</cvename>
+ </references>
+ <dates>
+ <discovery>2017-09-27</discovery>
+ <entry>2017-10-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="af61b271-9e47-4db0-a0f6-29fb032236a3">
+ <topic>zookeeper -- Denial Of Service</topic>
+ <affects>
+ <package>
+ <name>zookeeper</name>
+ <range><lt>3.4.10</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>zookeeper developers report:</p>
+ <blockquote cite="https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E">
+ <p>Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E</url>
+ <cvename>CVE-2017-5637</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-09</discovery>
+ <entry>2017-10-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9b5a905f-e556-452f-a00c-8f070a086181">
+ <topic>libtiff -- Improper Input Validation</topic>
+ <affects>
+ <package>
+ <name>libtiff</name>
+ <range><le>4.0.8</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>libtiff developers report:</p>
+ <blockquote cite="http://www.securityfocus.com/bid/100524">
+ <p>There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.</p>
+ <p>There is a reachable assertion abort in the function TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://bugzilla.maptools.org/show_bug.cgi?id=2727</url>
+ <url>http://bugzilla.maptools.org/show_bug.cgi?id=2728</url>
+ <url>http://www.securityfocus.com/bid/100524</url>
+ <cvename>CVE-2017-13726</cvename>
+ <cvename>CVE-2017-13727</cvename>
+ </references>
+ <dates>
+ <discovery>2017-08-29</discovery>
+ <entry>2017-10-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="2c8bd00d-ada2-11e7-82af-8dbff7d75206">
+ <topic>rubygems -- deserialization vulnerability</topic>
+ <affects>
+ <package>
+ <name>ruby22-gems</name>
+ <name>ruby23-gems</name>
+ <name>ruby24-gems</name>
+ <range><lt>2.6.14</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>oss-security mailing list:</p>
+ <blockquote cite="http://www.openwall.com/lists/oss-security/2017/10/10/2">
+ <p>There is a possible unsafe object desrialization vulnerability in
+ RubyGems. It is possible for YAML deserialization of gem specifications
+ to bypass class white lists. Specially crafted serialized objects can
+ possibly be used to escalate to remote code execution.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.openwall.com/lists/oss-security/2017/10/10/2</url>
+ <url>http://blog.rubygems.org/2017/10/09/2.6.14-released.html</url>
+ <cvename>CVE-2017-0903</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-09</discovery>
+ <entry>2017-10-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="4f8ffb9c-f388-4fbd-b90f-b3131559d888">
+ <topic>xorg-server -- multiple vulnabilities</topic>
+ <affects>
+ <package>
+ <name>xephyr</name>
+ <range><lt>1.18.4_4,1</lt></range>
+ </package>
+ <package>
+ <name>xorg-dmx</name>
+ <range><lt>1.18.4_4,1</lt></range>
+ </package>
+ <package>
+ <name>xorg-nestserver</name>
+ <range><lt>1.19.1_1,2</lt></range>
+ </package>
+ <package>
+ <name>xorg-server</name>
+ <range><lt>1.18.4_4,1</lt></range>
+ </package>
+ <package>
+ <name>xorg-vfbserver</name>
+ <range><lt>1.19.1_1,1</lt></range>
+ </package>
+ <package>
+ <name>xwayland</name>
+ <range><lt>1.19.1_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Alan Coopersmith reports:</p>
+ <blockquote cite="https://lists.x.org/archives/xorg-announce/2017-October/002809.html">
+ <p>X.Org thanks Michal Srb of SuSE for finding these issues
+ and bringing them to our attention, Julien Cristau of
+ Debian for getting the fixes integrated, and Adam Jackson
+ of Red Hat for publishing the release.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://lists.x.org/archives/xorg-announce/2017-October/002809.html</url>
+ <cvename>CVE-2017-13721</cvename>
+ <cvename>CVE-2017-13723</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-04</discovery>
+ <entry>2017-10-09</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c0dae634-4820-4505-850d-b1c975d0f67d">
+ <topic>tomcat -- Remote Code Execution</topic>
+ <affects>
+ <package>
+ <name>tomcat</name>
+ <range><ge>7.0.0</ge><le>7.0.81</le></range>
+ <range><ge>8.0.0</ge><le>8.0.46</le></range>
+ <range><ge>8.5.0</ge><le>8.5.22</le></range>
+ <range><ge>9.0.0</ge><lt>9.0.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>tomcat developers reports:</p>
+ <blockquote cite="http://www.securityfocus.com/bid/100954">
+ <p>When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.securityfocus.com/bid/100954</url>
+ <url>https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb@%3Cannounce.tomcat.apache.org%3E</url>
+ <cvename>CVE-2017-12617</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-04</discovery>
+ <entry>2017-10-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ccace707-a8d8-11e7-ac58-b499baebfeaf">
+ <topic>cURL -- out of bounds read</topic>
+ <affects>
+ <package>
+ <name>curl</name>
+ <range><lt>7.56.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The cURL project reports:</p>
+ <blockquote cite="https://curl.haxx.se/docs/adv_20171004.html">
+ <p>FTP PWD response parser out of bounds read</p>
+ <p>libcurl may read outside of a heap allocated buffer when doing FTP.</p>
+ <p>When libcurl connects to an FTP server and successfully logs in
+ (anonymous or not), it asks the server for the current directory with
+ the PWD command. The server then responds with a 257 response containing
+ the path, inside double quotes. The returned path name is then kept by
+ libcurl for subsequent uses.</p>
+ <p>Due to a flaw in the string parser for this directory name, a directory
+ name passed like this but without a closing double quote would lead to
+ libcurl not adding a trailing NUL byte to the buffer holding the name.
+ When libcurl would then later access the string, it could read beyond
+ the allocated heap buffer and crash or wrongly access data beyond the
+ buffer, thinking it was part of the path.</p>
+ <p>A malicious server could abuse this fact and effectively prevent
+ libcurl-based clients to work with it - the PWD command is always issued
+ on new FTP connections and the mistake has a high chance of causing a
+ segfault.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://curl.haxx.se/docs/adv_20171004.html</url>
+ <cvename>CVE-2017-1000254</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-04</discovery>
+ <entry>2017-10-04</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6ed5c5e3-a840-11e7-b5af-a4badb2f4699">
+ <topic>FreeBSD -- OpenSSH Denial of Service vulnerability</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>11.1</ge><lt>11.1_1</lt></range>
+ <range><ge>11.0</ge><lt>11.0_12</lt></range>
+ <range><ge>10.3</ge><lt>10.3_21</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>There is no limit on the password length.</p>
+ <h1>Impact:</h1>
+ <p>A remote attacker may be able to cause an affected SSH
+ server to use excessive amount of CPU by sending very long
+ passwords, when PasswordAuthentication is enabled by the
+ system administrator.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-6515</cvename>
+ <freebsdsa>SA-17:06.openssh</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2017-08-10</discovery>
+ <entry>2017-10-03</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="420243e9-a840-11e7-b5af-a4badb2f4699">
+ <topic>FreeBSD -- heimdal KDC-REP service name validation vulnerability</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>11.0</ge><lt>11.0_11</lt></range>
+ <range><ge>10.3</ge><lt>10.3_20</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>There is a programming error in the Heimdal implementation
+ that used an unauthenticated, plain-text version of the
+ KDC-REP service name found in a ticket.</p>
+ <h1>Impact:</h1>
+ <p>An attacker who has control of the network between a
+ client and the service it talks to will be able to impersonate
+ the service, allowing a successful man-in-the-middle (MITM)
+ attack that circumvents the mutual authentication.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-1110</cvename>
+ <freebsdsa>SA-17:05.heimdal</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2017-07-12</discovery>
+ <entry>2017-10-03</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b77b5646-a778-11e7-ac58-b499baebfeaf">
+ <topic>dnsmasq -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>dnsmasq</name>
+ <range><lt>2.78,1</lt></range>
+ </package>
+ <package>
+ <name>dnsmasq-devel</name>
+ <range><lt>2.78</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Project Zero reports:</p>
+ <blockquote cite="https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html">
+ <ul>
+ <li>CVE-2017-14491: Heap based overflow (2 bytes). Before 2.76 and this
+ commit overflow was unrestricted.</li>
+ <li>CVE-2017-14492: Heap based overflow.</li>
+ <li>CVE-2017-14493: Stack Based overflow.</li>
+ <li>CVE-2017-14494: Information Leak</li>
+ <li>CVE-2017-14495: Lack of free()</li>
+ <li>CVE-2017-14496: Invalid boundary checks. Integer underflow leading
+ to a huge memcpy.</li>
+ <li>CVE-2017-13704: Crash on large DNS query</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html</url>
+ <cvename>CVE-2017-14491</cvename>
+ <cvename>CVE-2017-14492</cvename>
+ <cvename>CVE-2017-14493</cvename>
+ <cvename>CVE-2017-14494</cvename>
+ <cvename>CVE-2017-14495</cvename>
+ <cvename>CVE-2017-14496</cvename>
+ <cvename>CVE-2017-13704</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-02</discovery>
+ <entry>2017-10-02</entry>
+ </dates>
+ </vuln>
+
<vuln vid="33888815-631e-4bba-b776-a9b46fe177b5">
<topic>phpmyfaq -- multiple issues</topic>
<affects>
@@ -146,7 +5768,7 @@
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
- <range><lt>2.49.2</lt></range>
+ <range><lt>2.49.1</lt></range>
</package>
<package>
<name>firefox-esr</name>
@@ -213,6 +5835,7 @@
<dates>
<discovery>2017-09-28</discovery>
<entry>2017-09-29</entry>
+ <modified>2017-10-03</modified>
</dates>
</vuln>
@@ -368,7 +5991,7 @@
<affects>
<package>
<name>libofx</name>
- <range><le>0.9.11</le></range>
+ <range><le>0.9.11_1</le></range>
</package>
</affects>
<description>
@@ -1070,10 +6693,10 @@
<topic>GitLab -- multiple vulnerabilities</topic>
<affects>
<package>
- <name>gitlab</name>
- <range><ge>1.0.0</ge><le>9.3.10</le></range>
- <range><ge>9.4.0</ge><le>9.4.5</le></range>
- <range><ge>9.5.0</ge><le>9.5.3</le></range>
+ <name>gitlab</name>
+ <range><ge>1.0.0</ge><le>9.3.10</le></range>
+ <range><ge>9.4.0</ge><le>9.4.5</le></range>
+ <range><ge>9.5.0</ge><le>9.5.3</le></range>
</package>
</affects>
<description>
@@ -1080,54 +6703,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/09/07/gitlab-9-dot-5-dot-4-security-release/">
- <h1>Cross-Site Scripting (XSS) vulnerability in profile names</h1>
- <p>An external security audit performed by Madison Gurkha disclosed a
- Cross-Site Scripting (XSS) vulnerability in user names that could be
- exploited in several locations.</p>
- <h1>Open Redirect in go-get middleware</h1>
- <p>Tim Goddard via HackerOne reported that GitLab was vulnerable to an open
- redirect vulnerability caused when a specific flag is passed to the go-get
- middleware. This vulnerability could also possibly be used to conduct
- Cross-Site Scripting attacks.</p>
- <h1>Race condition in project uploads</h1>
- <p>Jobert Abma from HackerOne reported that GitLab was vulnerable to a race
- condition in project uploads. While very difficult to exploit this race
- condition could potentially allow an attacker to overwrite a victim's
- uploaded project if the attacker can guess the name of the uploaded file
- before it is extracted.</p>
- <h1>Cross-Site Request Forgery (CSRF) token leakage</h1>
- <p>naure via HackerOne reported that GitLab was vulnerable to CSRF token
- leakage via improper filtering of external URLs in relative URL creation. A
- specially crafted link configured in a project's environments settings could
- be used to steal a visiting user's CSRF token.</p>
- <h1>Potential project disclosure via project deletion bug</h1>
- <p>An internal code review discovered that removed projects were not always
- being deleted from the file system. This could allow an attacker who knew
- the full path to a previously deleted project to steal a copy of the
- repository. These releases prevent the leftover repository from being
- accessed when creating a new project. The project deletion bug will be fixed
- in a later release.</p>
- <h1>White-listed style attribute for table contents in MD enables UI
- redressing</h1>
- <p>An external security audit performed by Recurity-Labs discovered a UI
- redressing vulnerability in the GitLab markdown sanitization library.</p>
- <h1>DOM clobbering in sanitized MD causes errors</h1>
- <p>An external security audit performed by Recurity-Labs discovered a DOM
- clobbering vulnerability in the GitLab markdown sanitization library that
- could be used to render project pages unreadable.</p>
- <h1>Nokogiri vendored libxslt library vulnerable to potential integer
- overflow (CVE-2017-5029 and CVE-2016-4738)</h1>
- <p>The bundled Nokogiri library has been updated to patch an integer
- overflow vulnerability. Details are available in the Nokogiri issue.</p>
- <h1>Security risk in recommended Geo configuration could give all users
- access to all repositories</h1>
- <p>An internal code review discovered that GitLab Geo instances could be
- vulnerable to an attack that would allow any user on the primary Geo
- instance to clone any repository on a secondary Geo instance.</p>
- <h1>GitLab Pages private certificate disclosure via symlinks</h1>
- <p>An external security review conducted by Recurity-Labs discovered a
- vulnerability in GitLab Pages that could be used to disclose the contents of
- private SSL keys.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -1686,7 +7262,7 @@
<p>GNOME reports:</p>
<blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=784630">
<p>The comic book backend in evince 3.24.0 (and earlier) is vulnerable to a command injection bug that can be used to execute arbitrary commands when a CBT file is opened.</p>
- <p>The same vulnerabilty affects atril, the Evince fork.</p>
+ <p>The same vulnerability affects atril, the Evince fork.</p>
</blockquote>
</body>
</description>
@@ -2183,47 +7759,9 @@
<p>The cURL project reports:</p>
<blockquote cite="https://curl.haxx.se/docs/security.html">
<ul>
- <li><h2>FILE buffer read out of bounds</h2>
- <p>When asking to get a file from a file:// URL, libcurl provides
- a feature that outputs meta-data about the file using HTTP-like
- headers.</p>
- <p>The code doing this would send the wrong buffer to the user
- (stdout or the application's provide callback), which could
- lead to other private data from the heap to get inadvertently
- displayed.</p>
- <p>The wrong buffer was an uninitialized memory area allocated on
- the heap and if it turned out to not contain any zero byte, it
- would continue and display the data following that buffer in
- memory.</p>
- </li>
- <li><h2>TFTP sends more than buffer size</h2>
- <p>When doing a TFTP transfer and curl/libcurl is given a URL that
- contains a very long file name (longer than about 515 bytes),
- the file name is truncated to fit within the buffer boundaries,
- but the buffer size is still wrongly updated to use the
- untruncated length. This too large value is then used in the
- sendto() call, making curl attempt to send more data than what
- is actually put into the buffer. The sendto() function will then
- read beyond the end of the heap based buffer.</p>
- <p>A malicious HTTP(S) server could redirect a vulnerable libcurl-
- using client to a crafted TFTP URL (if the client hasn't
- restricted which protocols it allows redirects to) and trick it
- to send private memory contents to a remote server over UDP.
- Limit curl's redirect protocols with --proto-redir and libcurl's
- with CURLOPT_REDIR_PROTOCOLS.</p>
- </li>
- <li><h2>URL globbing out of bounds read</h2>
- <p>curl supports "globbing" of URLs, in which a user can pass a
- numerical range to have the tool iterate over those numbers to
- do a sequence of transfers.</p>
- <p>In the globbing function that parses the numerical range, there
- was an omission that made curl read a byte beyond the end of the
- URL if given a carefully crafted, or just wrongly written, URL.
- The URL is stored in a heap based buffer, so it could then be
- made to wrongly read something else instead of crashing.</p>
- <p>An example of a URL that triggers the flaw would be
- http://ur%20[0-60000000000000000000.</p>
- </li>
+ <li>FILE buffer read out of bounds</li>
+ <li>TFTP sends more than buffer size</li>
+ <li>URL globbing out of bounds read</li>
</ul>
</blockquote>
</body>
@@ -2300,34 +7838,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/">
- <p>CVE-2017-7798: XUL injection in the style editor in devtools</p>
- <p>CVE-2017-7800: Use-after-free in WebSockets during disconnection</p>
- <p>CVE-2017-7801: Use-after-free with marquee during window resizing</p>
- <p>CVE-2017-7784: Use-after-free with image observers</p>
- <p>CVE-2017-7802: Use-after-free resizing image elements</p>
- <p>CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM</p>
- <p>CVE-2017-7786: Buffer overflow while painting non-displayable SVG</p>
- <p>CVE-2017-7806: Use-after-free in layer manager with SVG</p>
- <p>CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements</p>
- <p>CVE-2017-7787: Same-origin policy bypass with iframes through page reloads</p>
- <p>CVE-2017-7807: Domain hijacking through AppCache fallback</p>
- <p>CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID</p>
- <p>CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher</p>
- <p>CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts</p>
- <p>CVE-2017-7808: CSP information leak with frame-ancestors containing paths</p>
- <p>CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections</p>
- <p>CVE-2017-7781: Elliptic curve point addition error when using mixed Jacobian-affine coordinates</p>
- <p>CVE-2017-7794: Linux file truncation via sandbox broker</p>
- <p>CVE-2017-7803: CSP containing 'sandbox' improperly applied</p>
- <p>CVE-2017-7799: Self-XSS XUL injection in about:webrtc</p>
- <p>CVE-2017-7783: DOS attack through long username in URL</p>
- <p>CVE-2017-7788: Sandboxed about:srcdoc iframes do not inherit CSP directives</p>
- <p>CVE-2017-7789: Failure to enable HSTS when two STS headers are sent for a connection</p>
- <p>CVE-2017-7790: Windows crash reporter reads extra memory for some non-null-terminated registry values</p>
- <p>CVE-2017-7796: Windows updater can delete any file named update.log</p>
- <p>CVE-2017-7797: Response header name interning leaks across origins</p>
- <p>CVE-2017-7780: Memory safety bugs fixed in Firefox 55</p>
- <p>CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -2441,52 +7952,8 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html">
- <p>40 security fixes in this release, including:</p>
- <ul>
- <li>[728887] High CVE-2017-5091: Use after free in IndexedDB. Reported by
- Ned Williamson on 2017-06-02</li>
- <li>[733549] High CVE-2017-5092: Use after free un PPAPI. Reported by
- Yu Zhou, Yuan Deng of Ant-financial Light-Year Security Lab on 2017-06-15</li>
- <li>[550017] High CVE-2017-5093: UI spoofing in Blink. Reported by
- Luan Herrera on 2015-10-31</li>
- <li>[702946] High CVE-2017-5094: Type confusion in extensions. Reported by
- Anonymous on 2017-03-19</li>
- <li>[732661] High CVE-2017-5095: Out-of-bounds write in PDFium. Reported by
- Anonymous on 2017-06-13</li>
- <li>[714442] High CVE-2017-5096: User information leak via Android intents. Reported by
- Takeshi Terada on 2017-04-23</li>
- <li>[740789] High CVE-2017-5097: Out-of-bounds read in Skia. Reported by
- Anonymous on 2017-07-11</li>
- <li>[740803] High CVE-2017-5098: Use after free in V8. Reported by
- Jihoon Kim on 2017-07-11</li>
- <li>[733548] High CVE-2017-5099: Out-of-bounds write in PPAPI. Reported by
- Yuan Deng, Yu Zhou of Ant-financial Light-Year Security Lab on 2017-06-15</li>
- <li>[718292] Medium CVE-2017-5100: Use after free in Chrome Apps. Reported by
- Anonymous on 2017-05-04</li>
- <li>[681740] Medium CVE-2017-5101: URL spoofing in OmniBox. Reported by
- Luan Herrera on 2017-01-17</li>
- <li>[727678] Medium CVE-2017-5102: Uninitialized use in Skia. Reported by
- Anonymous on 2017-05-30</li>
- <li>[726199] Medium CVE-2017-5103: Uninitialized use in Skia. Reported by
- Anonymous on 2017-05-25</li>
- <li>[729105] Medium CVE-2017-5104: UI spoofing in browser. Reported by
- Khalil Zhani on 2017-06-02</li>
- <li>[742407] Medium CVE-2017-7000: Pointer disclosure in SQLite. Reported by
- Chaitin Security Research Lab working with Trend Micro's Zero Day Initiative</li>
- <li>[729979] Low CVE-2017-5105: URL spoofing in OmniBox. Reported by
- Rayyan Bijoora on 2017-06-06</li>
- <li>[714628] Medium CVE-2017-5106: URL spoofing in OmniBox. Reported by
- Jack Zac on 2017-04-24</li>
- <li>[686253] Low CVE-2017-5107: User information leak via SVG. Reported by
- David Kohlbrenner of UC San Diego on 2017-01-27</li>
- <li>[695830] Low CVE-2017-5108: Type of confusion in PDFium. Reported by
- Guang Gong of Alpha Team, Qihoo 360 on 2017-02-24</li>
- <li>[710400] Low CVE-2017-5109: UI spoofing in browser. Reported by
- Jose Maria Acunia Morgado on 2017-04-11</li>
- <li>[717476] Low CVE-2017-5110: UI spoofing in payments dialog. Reported by
- xisigr of Tencent's Xuanwu Lab on 2017-05-02</li>
- <li>[748565] Various fixes from internal audits, fuzzing and other initiatives</li>
- </ul>
+ <p>40 security fixes in this release</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -2622,176 +8089,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Webkit gtk team reports:</p>
<blockquote cite="https://webkitgtk.org/security/WSA-2017-0006.html">
- <p>CVE-2017-7006: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to David Kohlbrenner of UC San Diego, an anonymous
- researcher.<br/>
- Impact: A malicious website may exfiltrate data cross-origin.
- Description: Processing maliciously crafted web content may
- allow cross-origin data to be exfiltrated by using SVG filters
- to conduct a timing side-channel attack. This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered.</p>
-
- <p>CVE-2017-7011: Versions affected: WebKitGTK+ before 2.16.3.<br/>
- Credit to xisigr of Tencent’s Xuanwu Lab (tencent.com).<br/>
- Impact: Visiting a malicious website may lead to address bar
- spoofing. Description: A state management issue was addressed
- with improved frame handling.</p>
-
- <p>CVE-2017-7012: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to Apple.<br/>
- Impact: Processing maliciously crafted web content may lead to
- arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7018: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to lokihardt of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead to
- arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7019: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to Zhiyang Zeng of Tencent Security Platform Department.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7020: Versions affected: WebKitGTK+ before 2.16.1.<br/>
- Credit to likemeng of Baidu Security Lab.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7030: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to chenqin of Ant-financial Light-Year Security Lab
- (蚂蚁金服巴斯光年安全实验室).<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7034: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to chenqin of Ant-financial Light-Year Security Lab
- (蚂蚁金服巴斯光年安全实验室).<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7037: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to lokihardt of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7038: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to Neil Jenkins of FastMail Pty Ltd, Egor Karbutov
- (@ShikariSenpai) of Digital Security and Egor Saltykov
- (@ansjdnakjdnajkd) of Digital Security.<br/>
- Impact: Processing maliciously crafted web content with
- DOMParser may lead to cross site scripting. Description:
- A logic issue existed in the handling of DOMParser. This
- issue was addressed with improved state management.</p>
-
- <p>CVE-2017-7039: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7040: Versions affected: WebKitGTK+ before 2.16.3.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7041: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7042: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7043: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7046: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7048: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7049: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed through improved memory
- handling.</p>
-
- <p>CVE-2017-7052: Versions affected: WebKitGTK+ before 2.16.4.<br/>
- Credit to cc working with Trend Micro’s Zero Day Initiative.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7055: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to The UK’s National Cyber Security Centre (NCSC).<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7056: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to lokihardt of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7059: Versions affected: WebKitGTK+ before 2.16.3.<br/>
- Credit to an anonymous researcher.<br/>
- Impact: Processing maliciously crafted web content with
- DOMParser may lead to cross site scripting. Description:
- A logic issue existed in the handling of DOMParser. This
- issue was addressed with improved state management.</p>
-
- <p>CVE-2017-7061: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to lokihardt of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7064: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to lokihardt of Google Project Zero.<br/>
- Impact: An application may be able to read restricted
- memory. Description: A memory initialization issue was
- addressed through improved memory handling.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -2867,12 +8165,12 @@
<topic>GitLab -- Various security issues</topic>
<affects>
<package>
- <name>gitlab</name>
- <range><ge>8.0.0</ge><le>8.17.6</le></range>
+ <name>gitlab</name>
+ <range><ge>8.0.0</ge><le>8.17.6</le></range>
<range><ge>9.0.0</ge><le>9.0.10</le></range>
<range><ge>9.1.0</ge><le>9.1.7</le></range>
<range><ge>9.2.0</ge><le>9.2.7</le></range>
- <range><ge>9.3.0</ge><le>9.3.7</le></range>
+ <range><ge>9.3.0</ge><le>9.3.7</le></range>
</package>
</affects>
<description>
@@ -2879,48 +8177,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released/">
- <h1>Projects in subgroups authorization bypass with SQL wildcards
- (CVE-2017-11438)</h1>
- <p>An internal code review disclosed that by choosing a namespace with
- underscores an authenticated user could take advantage of a badly written
- SQL query to add themselves to any project inside a subgroup with
- permissions of their choice.<br/>
- This vulnerability was caused by a SQL query that automatically adjusts
- project permissions but does not escape wildcards. This vulnerability was
- coincidentally patched when the affected code was rewritten for
- 9.3. Therefore, versions 9.3 and above are not vulnerable.<br/>
- <br/>
- This issue has been assigned CVE-2017-11438.<br/>
- <br/>
- Note: GitLab-CE+EE 8.17 is not vulnerable to this issue, however patches
- have been included to improve the security of the SQL queries in 8.17.7.</p>
- <h1>Symlink cleanup from a previous security release</h1>
- <p>The 9.2.5 security release contained a fix for a data corruption
- vulnerability involving file uploads. This fix utilized symlinks to migrate
- file uploads to a new directory. Due to a typo in the included migration a
- symlink was accidentally left behind after the migration finished. This
- symlink can cause problems with instance backups. A fix is included with
- these releases to remove the problematic symlink.</p>
- <h1>Accidental or malicious use of reserved names in group names could cause
- deletion of all snippet uploads</h1>
- <p>The 9.2.5 security release contained a fix for a data corruption
- vulnerability involving file uploads. After the release of 9.2.5 an internal
- code review determined that the recently introduced snippet file uploads
- feature was also vulnerable to file deletion. Snippet uploads have now been
- moved into the protected system namespace.</p>
- <h1>Project name leak on todos page</h1>
- <p>An internal code review discovered that forceful browsing could be
- utilized to disclose the names of private projects.</p>
- <h1>Denial of Service via regular expressions in CI process</h1>
- <p>Lukas Svoboda reported that regular expressions (regex) included with CI
- scripts could be utilized to perform a denial-of-service attack on GitLab
- instances. GitLab now uses the re2 Regex library to limit regex execution
- time.</p>
- <h1>Issue title leakage when external issue tracker is enabled</h1>
- <p>An internal code review determined that when an external issue tracker is
- configured it was possible to discover the titles of all issues in a given
- GitLab instance, including issues in private projects and confidential
- issues.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -2983,45 +8240,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixMSQL">
- <ul>
- <li>Reserved [CVE-2017-3629]</li>
- <li>A remote user can exploit a flaw in the Server: Memcached component to partially
- modify data and cause denial of service conditions [CVE-2017-3633].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: DML component to
- cause denial of service conditions [CVE-2017-3634].</li>
- <li>A remote authenticated user can exploit a flaw in the Connector/C component to
- cause denial of service conditions [CVE-2017-3635].</li>
- <li>A remote authenticated user can exploit a flaw in the C API component to cause
- denial of service conditions [CVE-2017-3635].</li>
- <li>A local user can exploit a flaw in the Client programs component to partially
- access data, partially modify data, and partially deny service
- [CVE-2017-3636].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: UDF component to
- cause denial of service conditions [CVE-2017-3529].</li>
- <li>A remote authenticated user can exploit a flaw in the X Plugin component to
- cause denial of service conditions [CVE-2017-3637].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: DML component to
- cause denial of service conditions [CVE-2017-3639, CVE-2017-3640, CVE-2017-3641,
- CVE-2017-3643, CVE-2017-3644].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: Optimizer
- component to cause denial of service conditions [CVE-2017-3638, CVE-2017-3642,
- CVE-2017-3645].</li>
- <li>A remote authenticated user can exploit a flaw in the X Plugin component to
- cause denial of service conditions [CVE-2017-3646].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: Charsets component
- to cause denial of service conditions [CVE-2017-3648].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: Replication
- component to cause denial of service conditions [CVE-2017-3647,
- CVE-2017-3649].</li>
- <li>A remote authenticated user can exploit a flaw in the Client mysqldump component
- to partially modify data [CVE-2017-3651].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: DDL component to
- partially access and partially modify data [CVE-2017-3652].</li>
- <li>A remote user can exploit a flaw in the C API component to partially access data
- [CVE-2017-3650].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: DDL component to
- partially modify data [CVE-2017-3653].</li>
- </ul>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -3418,6 +8637,10 @@
<topic>oniguruma -- multiple vulnerabilities</topic>
<affects>
<package>
+ <name>libevhtp</name>
+ <range><lt>1.2.14</lt></range>
+ </package>
+ <package>
<name>oniguruma4</name>
<range><lt>4.7.2</lt></range>
</package>
@@ -3487,6 +8710,7 @@
<dates>
<discovery>2017-07-06</discovery>
<entry>2017-07-07</entry>
+ <modified>2018-01-04</modified>
</dates>
</vuln>
@@ -3624,46 +8848,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/06/07/gitlab-9-dot-2-dot-5-security-release/">
- <h1>Cross-Site Scripting (XSS) vulnerability when editing comments</h1>
- <p>A GitLab.com user reported that recent changes to Markdown rendering
- designed to improve performance by allowing comments to be rendered
- client-side opened a persistent Cross-Site Scripting (XSS) vulnerability
- when comments are edited and then re-saved. This vulnerability is difficult
- to exploit because a victim must be tricked into editing and then saving
- another user's comment.</p>
- <h1>API vulnerable to embedding in iFrames using Session Auth</h1>
- <p>A tip from a Twitter user led to an internal code audit that discovered a
- malicious website could embed a GitLab API URL inside an iFrame, possibly
- tricking a user into thinking that the website had access to the user's
- GitLab user information. This attack would not disclose the user's data to
- the malicious website, but it could cause confusion and the API has added an
- X-Frame-Options header to prevent content from the API being included in
- iFrames.</p>
- <h1>Accidental or malicious use of reserved names in group names could cause
- deletion of all project avatars</h1>
- <p>A GitLab.com user reported that creating a group named project and then
- renaming the group would cause all project avatars to be deleted. This was
- due to an improperly constructed path variable when renaming files. To help
- prevent this from happening again all avatar uploads have been moved from
- /public/uploads/(user|group|project) to
- /public/uploads/system/(user|group|project) and system has been made a
- reserved namespace. A migration included with this release will rename any
- existing top-level system namespace to be system0 (or system1, system2,
- etc.)</p>
- <h1>Unauthenticated disclosure of usernames in autocomplete controller</h1>
- <p>HackerOne reporter Evelyn Lee reported that usernames could be enumerated
- using the autocomplete/users.json endpoint without authenticating. This
- could allow an unauthenticated attacker to gather a list of all valid
- usernames from a GitLab instance.</p>
- <h1>Information leakage with references to private project snippets</h1>
- <p>GitLab.com user Patrick Fiedler reported that titles of private project
- snippets could leak when they were referenced in other issues, merge
- requests, or comments.</p>
- <h1>Elasticsearch does not implement external user checks correctly</h1>
- <p>An internal code review discovered that on instances with Elasticsearch
- enabled GitLab allowed external users to view internal project data. This
- could unintentionally expose sensitive information to external users. This
- vulnerability only affects EE installations with Elasticsearch enabled.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -3993,68 +9178,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>BestPractical reports:</p>
<blockquote cite="http://lists.bestpractical.com/pipermail/rt-announce/2017-June/000297.html">
- <p>RT 4.0.0 and above are vulnerable to an information
- leak of cross-site request forgery (CSRF) verification
- tokens if a user visits a specific URL crafted by an
- attacker. This vulnerability is assigned CVE-2017-5943. It
- was discovered by a third-party security researcher.</p>
-
- <p>RT 4.0.0 and above are vulnerable to a cross-site
- scripting (XSS) attack if an attacker uploads a malicious
- file with a certain content type. Installations which use
- the AlwaysDownloadAttachments config setting are
- unaffected. This fix addresses all existant and future
- uploaded attachments. This vulnerability is assigned
- CVE-2016-6127. This was responsibly disclosed to us first
- by Scott Russo and the GE Application Security Assessment
- Team.</p>
-
- <p>One of RT's dependencies, a Perl module named
- Email::Address, has a denial of service vulnerability
- which could induce a denial of service of RT itself. We
- recommend administrators install Email::Address version
- 1.908 or above, though we additionally provide a new
- workaround within RT. Tss vulnerability was assigned
- CVE-2015-7686. This vulnerability's application to RT was
- brought to our attention by Pali Rohár.</p>
-
- <p>RT 4.0.0 and above are vulnerable to timing
- side-channel attacks for user passwords. By carefully
- measuring millions or billions of login attempts, an
- attacker could crack a user's password even over the
- internet. RT now uses a constant-time comparison algorithm
- for secrets to thwart such attacks. This vulnerability is
- assigned CVE-2017-5361. This was responsibly disclosed to
- us by Aaron Kondziela.</p>
-
- <p>RT's ExternalAuth feature is vulnerable to a similar
- timing side-channel attack. Both RT 4.0/4.2 with the
- widely-deployed RT::Authen::ExternalAuth extension, as
- well as the core ExternalAuth feature in RT 4.4 are
- vulnerable. Installations which don't use ExternalAuth, or
- which use ExternalAuth for LDAP/ActiveDirectory
- authentication, or which use ExternalAuth for cookie-based
- authentication, are unaffected. Only ExternalAuth in DBI
- (database) mode is vulnerable.</p>
-
- <p>RT 4.0.0 and above are potentially vulnerable to a
- remote code execution attack in the dashboard subscription
- interface. A privileged attacker can cause unexpected code
- to be executed through carefully-crafted saved search
- names. Though we have not been able to demonstrate an
- actual attack owing to other defenses in place, it could
- be possible. This fix addresses all existant and future
- saved searches. This vulnerability is assigned
- CVE-2017-5944. It was discovered by an internal security
- audit.</p>
-
- <p>RT 4.0.0 and above have misleading documentation which
- could reduce system security. The RestrictLoginReferrer
- config setting (which has security implications) was
- inconsistent with its implementation, which checked for a
- slightly different variable name. RT will now check for
- the incorrect name and produce an error message. This was
- responsibly disclosed to us by Alex Vandiver.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -4144,29 +9268,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/">
- <p>CVE-2017-5472: Use-after-free using destroyed node when regenerating trees</p>
- <p>CVE-2017-7749: Use-after-free during docshell reloading</p>
- <p>CVE-2017-7750: Use-after-free with track elements</p>
- <p>CVE-2017-7751: Use-after-free with content viewer listeners</p>
- <p>CVE-2017-7752: Use-after-free with IME input</p>
- <p>CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object</p>
- <p>CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files</p>
- <p>CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors</p>
- <p>CVE-2017-7757: Use-after-free in IndexedDB</p>
- <p>CVE-2017-7778: Vulnerabilities in the Graphite 2 library</p>
- <p>CVE-2017-7758: Out-of-bounds read in Opus encoder</p>
- <p>CVE-2017-7759: Android intent URLs can cause navigation to local file system</p>
- <p>CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service</p>
- <p>CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application</p>
- <p>CVE-2017-7762: Addressbar spoofing in Reader mode</p>
- <p>CVE-2017-7763: Mac fonts render some unicode characters as spaces</p>
- <p>CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks</p>
- <p>CVE-2017-7765: Mark of the Web bypass when saving executable files</p>
- <p>CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service</p>
- <p>CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service</p>
- <p>CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service</p>
- <p>CVE-2017-5471: Memory safety bugs fixed in Firefox 54</p>
- <p>CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -4304,42 +9406,8 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html">
- <p>30 security fixes in this release, including:</p>
- <ul>
- <li>[722756] High CVE-2017-5070: Type confusion in V8. Reported by
- Zhao Qixun of Qihoo 360 Vulcan Team on 2017-05-16</li>
- <li>[715582] High CVE-2017-5071: Out of bounds read in V8. Reported by
- Choongwood Han on 2017-04-26</li>
- <li>[709417] High CVE-2017-5072: Address spoofing in Omnibox. Reported by
- Rayyan Bijoora on 2017-04-07</li>
- <li>[716474] High CVE-2017-5073: Use after free in print preview. Reported by
- Khalil Zhani on 2017-04-28</li>
- <li>[700040] High CVE-2017-5074: Use after free in Apps Bluetooth. Reported by
- anonymous on 2017-03-09</li>
- <li>[678776] Medium CVE-2017-5075: Information leak in CSP reporting. Reported by
- Emmanuel Gil Peyrot on 2017-01-05</li>
- <li>[722639] Medium CVE-2017-5086: Address spoofing in Omnibox. Reported by
- Rayyan Bijoora on 2017-05-16</li>
- <li>[719199] Medium CVE-2017-5076: Address spoofing in Omnibox. Reported by
- Samuel Erb on 2017-05-06</li>
- <li>[716311] Medium CVE-2017-5077: Heap buffer overflow in Skia. Reported by
- Sweetchip on 2017-04-28</li>
- <li>[711020] Medium CVE-2017-5078: Possible command injection in mailto handling.
- Reported by Jose Carlos Exposito Bueno on 2017-04-12</li>
- <li>[713686] Medium CVE-2017-5079: UI spoofing in Blink. Reported by
- Khalil Zhani on 2017-04-20</li>
- <li>[708819] Medium CVE-2017-5080: Use after free in credit card autofill.
- Reported by Khalil Zhani on 2017-04-05</li>
- <li>[672008] Medium CVE-2017-5081: Extension verification bypass. Reported by
- Andrey Kovalev of Yandex Security Team on 2016-12-07</li>
- <li>[721579] Low CVE-2017-5082: Insufficient hardening in credit card editor.
- Reported by Nightwatch Cybersecurity Research on 2017-05-11</li>
- <li>[714849] Low CVE-2017-5083: UI spoofing in Blink. Reported by
- Khalil Zhani on 2017-04-24</li>
- <li>[692378] Low CVE-2017-5085: Inappropriate javascript execution on WebUI pages.
- Reported by Zhiyang Zeng of Tencent security platform department on 2017-02-15</li>
- <li>[729639] Various fixes from internal audits, fuzzing and other initiatives</li>
- </ul>
+ <p>30 security fixes in this release</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -4674,120 +9742,7 @@
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://nvd.nist.gov/vuln/search/results?query=ImageMagick">
- <ul>
- <li>CVE-2017-5506: Double free vulnerability in magick/profile.c in
- ImageMagick allows remote attackers to have unspecified impact via
- a crafted file.</li>
- <li>CVE-2017-5507: Memory leak in coders/mpc.c in ImageMagick before
- 6.9.7-4 and 7.x before 7.0.4-4 allows remote attackers to cause a
- denial of service (memory consumption) via vectors involving a
- pixel cache.</li>
- <li>CVE-2017-5508: Heap-based buffer overflow in the
- PushQuantumPixel function in ImageMagick before 6.9.7-3 and 7.x
- before 7.0.4-3 allows remote attackers to cause a denial of
- service (application crash) via a crafted TIFF file.</li>
- <li>CVE-2017-5509: coders/psd.c in ImageMagick allows remote
- attackers to have unspecified impact via a crafted PSD file, which
- triggers an out-of-bounds write.</li>
- <li>CVE-2017-5510: coders/psd.c in ImageMagick allows remote
- attackers to have unspecified impact via a crafted PSD file, which
- triggers an out-of-bounds write.</li>
- <li>CVE-2017-5511: coders/psd.c in ImageMagick allows remote
- attackers to have unspecified impact by leveraging an improper
- cast, which triggers a heap-based buffer overflow.</li>
- <li>CVE-2017-6497: An issue was discovered in ImageMagick 6.9.7.
- A specially crafted psd file could lead to a NULL pointer
- dereference (thus, a DoS).</li>
- <li>CVE-2017-6498: An issue was discovered in ImageMagick 6.9.7.
- Incorrect TGA files could trigger assertion failures, thus leading
- to DoS.</li>
- <li>CVE-2017-6499: An issue was discovered in Magick++ in
- ImageMagick 6.9.7. A specially crafted file creating a nested
- exception could lead to a memory leak (thus, a DoS).</li>
- <li>CVE-2017-6500: An issue was discovered in ImageMagick 6.9.7.
- A specially crafted sun file triggers a heap-based
- buffer over-read.</li>
- <li>CVE-2017-6501: An issue was discovered in ImageMagick 6.9.7.
- A specially crafted xcf file could lead to a NULL pointer
- dereference.</li>
- <li>CVE-2017-6502: An issue was discovered in ImageMagick 6.9.7.
- A specially crafted webp file could lead to a file-descriptor
- leak in libmagickcore (thus, a DoS).</li>
- <li>CVE-2017-7275: The ReadPCXImage function in coders/pcx.c in
- ImageMagick 7.0.4.9 allows remote attackers to cause a denial of
- service (attempted large memory allocation and application crash)
- via a crafted file. NOTE: this vulnerability exists because of an
- incomplete fix for CVE-2016-8862 and CVE-2016-8866.</li>
- <li>CVE-2017-7606: coders/rle.c in ImageMagick 7.0.5-4 has an
- "outside the range of representable values of type unsigned char"
- undefined behavior issue, which might allow remote attackers to
- cause a denial of service (application crash) or possibly have
- unspecified other impact via a crafted image.</li>
- <li>CVE-2017-7619: In ImageMagick 7.0.4-9, an infinite loop can
- occur because of a floating-point rounding error in some of the
- color algorithms. This affects ModulateHSL, ModulateHCL,
- ModulateHCLp, ModulateHSB, ModulateHSI, ModulateHSV, ModulateHWB,
- ModulateLCHab, and ModulateLCHuv.</li>
- <li>CVE-2017-7941: The ReadSGIImage function in sgi.c allows remote
- attackers to consume an amount of available memory via a crafted
- file.</li>
- <li>CVE-2017-7942: The ReadAVSImage function in avs.c allows remote
- attackers to consume an amount of available memory via a crafted
- file.</li>
- <li>CVE-2017-7943: The ReadSVGImage function in svg.c allows remote
- attackers to consume an amount of available memory via a crafted
- file.</li>
- <li>CVE-2017-8343: ReadAAIImage function in aai.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8344: ReadPCXImage function in pcx.c allows attackers
- to cause a denial of service (memory leak) via a crafted file. The
- ReadMNGImage function in png.c allows attackers to cause a denial
- of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8345: ReadMNGImage function in png.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8346: ReadMATImage function in mat.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8347: ReadMATImage function in mat.c allows attackers
- to cause a denial of service (memory leak) via a crafted file. </li>
- <li>CVE-2017-8348: ReadMATImage function in mat.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8349: ReadSFWImage function in sfw.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8350: ReadJNGImage function in png.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8351: ReadPCDImage function in pcd.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8352: ReadXWDImage function in xwd.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8353: ReadPICTImage function in pict.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8354: ReadBMPImage function in bmp.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8355: ReadMTVImage function in mtv.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8356: ReadSUNImage function in sun.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8357: ReadEPTImage function in ept.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8765: The function named ReadICONImage in coders\icon.c
- has a memory leak vulnerability which can cause memory exhaustion
- via a crafted ICON file.</li>
- <li>CVE-2017-8830: ReadBMPImage function in bmp.c:1379 allows
- attackers to cause a denial of service (memory leak) via a crafted
- file.</li>
- <li>CVE-2017-9141: A crafted file could trigger an assertion failure
- in the ResetImageProfileIterator function in MagickCore/profile.c
- because of missing checks in the ReadDDSImage function in
- coders/dds.c.</li>
- <li>CVE-2017-9142: A crafted file could trigger an assertion failure
- in the WriteBlob function in MagickCore/blob.c because of missing
- checks in the ReadOneJNGImage function in coders/png.c.</li>
- <li>CVE-2017-9143: ReadARTImage function in coders/art.c allows
- attackers to cause a denial of service (memory leak) via a crafted
- .art file.</li>
- <li>CVE-2017-9144: A crafted RLE image can trigger a crash because
- of incorrect EOF handling in coders/rle.c.</li>
- </ul>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -4954,17 +9909,17 @@
<affects>
<package>
<name>wordpress</name>
+ <name>fr-wordpress</name>
<range><lt>4.7.5,1</lt></range>
</package>
<package>
- <name>de-wordpress</name>
- <name>fr-wordpress</name>
- <name>ja-wordpress</name>
- <name>ru-wordpress</name>
- <name>zh-wordpress-zh_CN</name>
- <name>zh-wordpress-zh_TW</name>
- <range><lt>4.7.5,1</lt></range>
- </package>
+ <name>de-wordpress</name>
+ <name>ja-wordpress</name>
+ <name>ru-wordpress</name>
+ <name>zh-wordpress-zh_CN</name>
+ <name>zh-wordpress-zh_TW</name>
+ <range><lt>4.7.5</lt></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
@@ -5113,57 +10068,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/05/08/gitlab-9-dot-1-dot-3-security-release/">
- <h1>Cross-Site Scripting (XSS) vulnerability in project import file names
- for gitlab_project import types</h1>
- <p>Timo Schmid from ERNW reported a persistent Cross-Site Scripting
- vulnerability in the new project import view for gitlab_project import
- types. This XSS vulnerability was caused by the use of Hamlit filters inside
- HAML views without manually escaping HTML. Unlike content outside of a
- filter, content inside Hamlit filters (:css, :javascript, :preserve, :plain)
- is not automatically escaped.</p>
- <h1>Cross-Site Scripting (XSS) vulnerability in git submodule support</h1>
- <p>Jobert Abma from HackerOne reported a persistent XSS vulnerability in the
- GitLab repository files view that could be exploited by injecting malicious
- script into a git submodule.</p>
- <h1>Cross-Site Scripting (XSS) vulnerability in repository "new branch"
- view</h1>
- <p>A GitLab user reported a persistent XSS vulnerability in the repository
- new branch view that allowed malicious branch names or git references to
- execute arbitrary Javascript.</p>
- <h1>Cross-Site Scripting (XSS) vulnerability in mirror errors display</h1>
- <p>While investigating Timo Schmid's previously reported XSS vulnerability
- in import filenames another persistent XSS vulnerability was discovered in
- the GitLab Enterprise Edition's (EE) mirror view. This vulnerability was
- also caused by the misuse of Hamlit filters.</p>
- <h1>Potential XSS vulnerability in DropLab</h1>
- <p>An internal code audit disclosed a vulnerability in DropLab's templating
- that, while not currently exploitable, could become exploitable depending on
- how the templates were used in the future.</p>
- <h1>Tab Nabbing vulnerabilities in mardown link filter, Asciidoc files, and
- other markup files</h1>
- <p>edio via HackerOne reported two tab nabbing vulnerabilities. The first
- tab nabbing vulnerability was caused by improper hostname filtering when
- identifying user-supplied external links. GitLab did not properly filter
- usernames from the URL. An attacker could construct a specially crafted link
- including a username to bypass GitLab's external link filter. This allowed
- an attacker to post links in Markdown that did not include the appropriate
- "noreferrer noopener" options, allowing tab nabbing attacks.</p>
- <p>The second vulnerability was in the AsciiDoctor markup
- library. AsciiDoctor was not properly including the "noreferrer noopener"
- options with external links. An internal investigation discovered other
- markup libraries that were also vulnerable.</p>
- <h1>Unauthorized disclosure of wiki pages in search</h1>
- <p>M. Hasbini reported a flaw in the project search feature that allowed
- authenticated users to disclose the contents of private wiki pages inside
- public projects.</p>
- <h1>External users can view internal snippets</h1>
- <p>Christian Kühn discovered a vulnerability in GitLab snippets that allowed
- an external user to view the contents of internal snippets.</p>
- <h1>Subgroup visibility for private subgroups under a public parent
- group</h1>
- <p>Matt Harrison discovered a vulnerability with subgroups that allowed
- private subgroup names to be disclosed when they belong to a parent group
- that is public.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -5820,81 +10725,8 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-5225">
- <p>LibTIFF version 4.0.7 is vulnerable to a heap buffer
- overflow in the tools/tiffcp resulting in DoS or code
- execution via a crafted BitsPerSample value.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7592">
- <p>The putagreytile function in tif_getimage.c in LibTIFF
- 4.0.7 has a left-shift undefined behavior issue, which
- might allow remote attackers to cause a denial of service
- (application crash) or possibly have unspecified other
- impact via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7593">
- <p>tif_read.c in LibTIFF 4.0.7 does not ensure that
- tif_rawdata is properly initialized, which might allow
- remote attackers to obtain sensitive information from
- process memory via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7594">
- <p>The OJPEGReadHeaderInfoSecTablesDcTable function in
- tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
- cause a denial of service (memory leak) via a crafted
- image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7595">
- <p>The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF
- 4.0.7 allows remote attackers to cause a denial of service
- (divide-by-zero error and application crash) via a crafted
- image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7596">
- <p>LibTIFF 4.0.7 has an "outside the range of
- representable values of type float" undefined behavior
- issue, which might allow remote attackers to cause a
- denial of service (application crash) or possibly have
- unspecified other impact via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7597">
- <p>tif_dirread.c in LibTIFF 4.0.7 has an "outside the
- range of representable values of type float" undefined
- behavior issue, which might allow remote attackers to
- cause a denial of service (application crash) or possibly
- have unspecified other impact via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7598">
- <p>tif_dirread.c in LibTIFF 4.0.7 might allow remote
- attackers to cause a denial of service (divide-by-zero
- error and application crash) via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7599">
- <p>LibTIFF 4.0.7 has an "outside the range of
- representable values of type short" undefined behavior
- issue, which might allow remote attackers to cause a
- denial of service (application crash) or possibly have
- unspecified other impact via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7600">
- <p>LibTIFF 4.0.7 has an "outside the range of
- representable values of type unsigned char" undefined
- behavior issue, which might allow remote attackers to
- cause a denial of service (application crash) or possibly
- have unspecified other impact via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7601">
- <p>LibTIFF 4.0.7 has a "shift exponent too large for
- 64-bit type long" undefined behavior issue, which might
- allow remote attackers to cause a denial of service
- (application crash) or possibly have unspecified other
- impact via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7602">
- <p>LibTIFF 4.0.7 has a signed integer overflow, which
- might allow remote attackers to cause a denial of service
- (application crash) or possibly have unspecified other
- impact via a crafted image.</p>
- </blockquote>
</body>
</description>
<references>
@@ -6216,45 +11048,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/">
- <p>CVE-2017-5433: Use-after-free in SMIL animation functions</p>
- <p>CVE-2017-5435: Use-after-free during transaction processing in the editor</p>
- <p>CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2</p>
- <p>CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS</p>
- <p>CVE-2017-5459: Buffer overflow in WebGL</p>
- <p>CVE-2017-5466: Origin confusion when reloading isolated data:text/html URL</p>
- <p>CVE-2017-5434: Use-after-free during focus handling</p>
- <p>CVE-2017-5432: Use-after-free in text input selection</p>
- <p>CVE-2017-5460: Use-after-free in frame selection</p>
- <p>CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing</p>
- <p>CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing</p>
- <p>CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing</p>
- <p>CVE-2017-5441: Use-after-free with selection during scroll events</p>
- <p>CVE-2017-5442: Use-after-free during style changes</p>
- <p>CVE-2017-5464: Memory corruption with accessibility and DOM manipulation</p>
- <p>CVE-2017-5443: Out-of-bounds write during BinHex decoding</p>
- <p>CVE-2017-5444: Buffer overflow while parsing application/http-index-format content</p>
- <p>CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data</p>
- <p>CVE-2017-5447: Out-of-bounds read during glyph processing</p>
- <p>CVE-2017-5465: Out-of-bounds read in ConvolvePixel</p>
- <p>CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor</p>
- <p>CVE-2017-5437: Vulnerabilities in Libevent library</p>
- <p>CVE-2017-5454: Sandbox escape allowing file system read access through file picker</p>
- <p>CVE-2017-5455: Sandbox escape through internal feed reader APIs</p>
- <p>CVE-2017-5456: Sandbox escape allowing local file system access</p>
- <p>CVE-2017-5469: Potential Buffer overflow in flex-generated code</p>
- <p>CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content</p>
- <p>CVE-2017-5449: Crash during bidirectional unicode manipulation with animation</p>
- <p>CVE-2017-5450: Addressbar spoofing using javascript: URI on Firefox for Android</p>
- <p>CVE-2017-5451: Addressbar spoofing with onblur event</p>
- <p>CVE-2017-5462: DRBG flaw in NSS</p>
- <p>CVE-2017-5463: Addressbar spoofing through reader view on Firefox for Android</p>
- <p>CVE-2017-5467: Memory corruption when drawing Skia content</p>
- <p>CVE-2017-5452: Addressbar spoofing during scrolling with editable content on Firefox for Android</p>
- <p>CVE-2017-5453: HTML injection into RSS Reader feed preview page through TITLE element</p>
- <p>CVE-2017-5458: Drag and drop of javascript: URLs can allow for self-XSS</p>
- <p>CVE-2017-5468: Incorrect ownership model for Private Browsing information</p>
- <p>CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1</p>
- <p>CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -7266,46 +12060,8 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html">
- <p>36 security fixes in this release, including:</p>
- <ul>
- <li>[682194] High CVE-2017-5030: Memory corruption in V8. Credit to
- Brendon Tiszka</li>
- <li>[682020] High CVE-2017-5031: Use after free in ANGLE. Credit to
- Looben Yang</li>
- <li>[668724] High CVE-2017-5032: Out of bounds write in PDFium. Credit to
- Ashfaq Ansari - Project Srishti</li>
- <li>[676623] High CVE-2017-5029: Integer overflow in libxslt. Credit to
- Holger Fuhrmannek</li>
- <li>[678461] High CVE-2017-5034: Use after free in PDFium. Credit to
- Ke Liu of Tencent's Xuanwu Lab</li>
- <li>[688425] High CVE-2017-5035: Incorrect security UI in Omnibox. Credit to
- Enzo Aguado</li>
- <li>[691371] High CVE-2017-5036: Use after free in PDFium. Credit to
- Anonymous</li>
- <li>[679640] High CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer.
- Credit to Yongke Wang of Tecent's Xuanwu Lab</li>
- <li>[679649] High CVE-2017-5039: Use after free in PDFium. Credit to
- jinmo123</li>
- <li>[691323] Medium CVE-2017-5040: Information disclosure in V8. Credit to
- Choongwoo Han</li>
- <li>[642490] Medium CVE-2017-5041: Address spoofing in Omnibox. Credit to
- Jordi Chancel</li>
- <li>[669086] Medium CVE-2017-5033: Bypass of Content Security Policy in Blink.
- Credit to Nicolai Grodum</li>
- <li>[671932] Medium CVE-2017-5042: Incorrect handling of cookies in Cast.
- Credit to Mike Ruddy</li>
- <li>[695476] Medium CVE-2017-5038: Use after free in GuestView. Credit to
- Anonymous</li>
- <li>[683523] Medium CVE-2017-5043: Use after free in GuestView. Credit to
- Anonymous</li>
- <li>[688987] Medium CVE-2017-5044: Heap overflow in Skia. Credit to
- Kushal Arvind Shah of Fortinet's FortiGuard Labs</li>
- <li>[667079] Medium CVE-2017-5045: Information disclosure in XSS Auditor.
- Credit to Dhaval Kapil</li>
- <li>[680409] Medium CVE-2017-5046: Information disclosure in Blink. Credit to
- Masato Kinugawa</li>
- <li>[699618] Various fixes from internal audits, fuzzing and other initiatives</li>
- </ul>
+ <p>36 security fixes in this release</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -7539,34 +12295,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/">
- <p>CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP</p>
- <p>CVE-2017-5401: Memory Corruption when handling ErrorResult</p>
- <p>CVE-2017-5402: Use-after-free working with events in FontFace objects</p>
- <p>CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object</p>
- <p>CVE-2017-5404: Use-after-free working with ranges in selections</p>
- <p>CVE-2017-5406: Segmentation fault in Skia with canvas operations</p>
- <p>CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters</p>
- <p>CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping</p>
- <p>CVE-2017-5411: Use-after-free in Buffer Storage in libGLES</p>
- <p>CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service</p>
- <p>CVE-2017-5408: Cross-origin reading of video captions in violation of CORS</p>
- <p>CVE-2017-5412: Buffer overflow read in SVG filters</p>
- <p>CVE-2017-5413: Segmentation fault during bidirectional operations</p>
- <p>CVE-2017-5414: File picker can choose incorrect default directory</p>
- <p>CVE-2017-5415: Addressbar spoofing through blob URL</p>
- <p>CVE-2017-5416: Null dereference crash in HttpChannel</p>
- <p>CVE-2017-5417: Addressbar spoofing by draging and dropping URLs</p>
- <p>CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access</p>
- <p>CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running</p>
- <p>CVE-2017-5427: Non-existent chrome.manifest file loaded during startup</p>
- <p>CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses</p>
- <p>CVE-2017-5419: Repeated authentication prompts lead to DOS attack</p>
- <p>CVE-2017-5420: Javascript: URLs can obfuscate addressbar location</p>
- <p>CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports</p>
- <p>CVE-2017-5421: Print preview spoofing</p>
- <p>CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink</p>
- <p>CVE-2017-5399: Memory safety bugs fixed in Firefox 52</p>
- <p>CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -8341,43 +13070,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01">
- <h1>Description</h1>
- <h5>SECURITY-304 / CVE-2017-2598</h5>
- <p>Use of AES ECB block cipher mode without IV for encrypting secrets</p>
- <h5>SECURITY-321 / CVE-2017-2599</h5>
- <p>Items could be created with same name as existing item</p>
- <h5>SECURITY-343 / CVE-2017-2600</h5>
- <p>Node monitor data could be viewed by low privilege users</p>
- <h5>SECURITY-349 / CVE-2011-4969</h5>
- <p>Possible cross-site scripting vulnerability in jQuery bundled with timeline widget</p>
- <h5>SECURITY-353 / CVE-2017-2601</h5>
- <p>Persisted cross-site scripting vulnerability in parameter names and descriptions</p>
- <h5>SECURITY-354 / CVE-2015-0886</h5>
- <p>Outdated jbcrypt version bundled with Jenkins</p>
- <h5>SECURITY-358 / CVE-2017-2602</h5>
- <p>Pipeline metadata files not blacklisted in agent-to-master security subsystem</p>
- <h5>SECURITY-362 / CVE-2017-2603</h5>
- <p>User data leak in disconnected agents' config.xml API</p>
- <h5>SECURITY-371 / CVE-2017-2604</h5>
- <p>Low privilege users were able to act on administrative monitors</p>
- <h5>SECURITY-376 / CVE-2017-2605</h5>
- <p>Re-key admin monitor leaves behind unencrypted credentials in upgraded installations</p>
- <h5>SECURITY-380 / CVE-2017-2606</h5>
- <p>Internal API allowed access to item names that should not be visible</p>
- <h5>SECURITY-382 / CVE-2017-2607</h5>
- <p>Persisted cross-site scripting vulnerability in console notes</p>
- <h5>SECURITY-383 / CVE-2017-2608</h5>
- <p>XStream remote code execution vulnerability</p>
- <h5>SECURITY-385 / CVE-2017-2609</h5>
- <p>Information disclosure vulnerability in search suggestions</p>
- <h5>SECURITY-388 / CVE-2017-2610</h5>
- <p>Persisted cross-site scripting vulnerability in search suggestions</p>
- <h5>SECURITY-389 / CVE-2017-2611</h5>
- <p>Insufficient permission check for periodic processes</p>
- <h5>SECURITY-392 / CVE-2017-2612</h5>
- <p>Low privilege users were able to override JDK download credentials</p>
- <h5>SECURITY-406 / CVE-2017-2613</h5>
- <p>User creation CSRF using GET by admins</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -8499,51 +13192,8 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html">
- <p>51 security fixes in this release, including:</p>
- <ul>
- <li>[671102] High CVE-2017-5007: Universal XSS in Blink. Credit to
- Mariusz Mlynski</li>
- <li>[673170] High CVE-2017-5006: Universal XSS in Blink. Credit to
- Mariusz Mlynski</li>
- <li>[668552] High CVE-2017-5008: Universal XSS in Blink. Credit to
- Mariusz Mlynski</li>
- <li>[663476] High CVE-2017-5010: Universal XSS in Blink. Credit to
- Mariusz Mlynski</li>
- <li>[662859] High CVE-2017-5011: Unauthorised file access in Devtools.
- Credit to Khalil Zhani</li>
- <li>[667504] High CVE-2017-5009: Out of bounds memory access in WebRTC.
- Credit to Sean Stanek and Chip Bradford</li>
- <li>[681843] High CVE-2017-5012: Heap overflow in V8. Credit to
- Gergely Nagy (Tresorit)</li>
- <li>[677716] Medium CVE-2017-5013: Address spoofing in Omnibox.
- Credit to Haosheng Wang (@gnehsoah)</li>
- <li>[675332] Medium CVE-2017-5014: Heap overflow in Skia. Credit to
- sweetchip</li>
- <li>[673971] Medium CVE-2017-5015: Address spoofing in Omnibox.
- Credit to Armin Razmdjou</li>
- <li>[666714] Medium CVE-2017-5019: Use after free in Renderer.
- Credit to Wadih Matar</li>
- <li>[673163] Medium CVE-2017-5016: UI spoofing in Blink. Credit to
- Haosheng Wang (@gnehsoah)</li>
- <li>[676975] Medium CVE-2017-5017: Uninitialised memory access in webm video.
- Credit to danberm</li>
- <li>[668665] Medium CVE-2017-5018: Universal XSS in chrome://apps.
- Credit to Rob Wu</li>
- <li>[668653] Medium CVE-2017-5020: Universal XSS in chrome://downloads.
- Credit to Rob Wu</li>
- <li>[663726] Low CVE-2017-5021: Use after free in Extensions. Credit to
- Rob Wu</li>
- <li>[663620] Low CVE-2017-5022: Bypass of Content Security Policy in Blink.
- Credit to Pujun Li of PKAV Team</li>
- <li>[651443] Low CVE-2017-5023: Type confunsion in metrics. Credit to the
- UK's National Cyber Security Centre (NCSC)</li>
- <li>[643951] Low CVE-2017-5024: Heap overflow in FFmpeg. Credit to
- Paul Mehta</li>
- <li>[643950] Low CVE-2017-5025: Heap overflow in FFmpeg. Credit to
- Paul Mehta</li>
- <li>[634108] Low CVE-2017-5026: UI spoofing. Credit to Ronni Skansing</li>
- <li>[685349] Various fixes from internal audits, fuzzing and other initiatives</li>
- </ul>
+ <p>51 security fixes in this release</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -8607,38 +13257,10 @@
<p>The OpenSSL project reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv/20170126.txt">
<ul>
- <li>Truncated packet could crash via OOB read (CVE-2017-3731)<br/>
- Severity: Moderate<br/>
- If an SSL/TLS server or client is running on a 32-bit host, and a specific
- cipher is being used, then a truncated packet can cause that server or client
- to perform an out-of-bounds read, usually resulting in a crash.</li>
- <li>Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)<br/>
- Severity: Moderate<br/>
- If a malicious server supplies bad parameters for a DHE or ECDHE key exchange
- then this can result in the client attempting to dereference a NULL pointer
- leading to a client crash. This could be exploited in a Denial of Service
- attack.</li>
- <li>BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)<br/>
- Severity: Moderate<br/>
- There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
- EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
- as a result of this defect would be very difficult to perform and are not
- believed likely. Attacks against DH are considered just feasible (although very
- difficult) because most of the work necessary to deduce information
- about a private key may be performed offline. The amount of resources
- required for such an attack would be very significant and likely only
- accessible to a limited number of attackers. An attacker would
- additionally need online access to an unpatched system using the target
- private key in a scenario with persistent DH parameters and a private
- key that is shared between multiple clients. For example this can occur by
- default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
- similar to CVE-2015-3193 but must be treated as a separate problem.</li>
- <li>Montgomery multiplication may produce incorrect results (CVE-2016-7055)<br/>
- Severity: Low<br/>
- There is a carry propagating bug in the Broadwell-specific Montgomery
- multiplication procedure that handles input lengths divisible by, but
- longer than 256 bits. (OpenSSL 1.0.2 only)<br/>
- This issue was previously fixed in 1.1.0c</li>
+ <li>Truncated packet could crash via OOB read (CVE-2017-3731)</li>
+ <li>Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)</li>
+ <li>BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)</li>
+ <li>Montgomery multiplication may produce incorrect results (CVE-2016-7055)</li>
</ul>
</blockquote>
</body>
@@ -8689,30 +13311,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/">
- <p>CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7</p>
- <p>CVE-2017-5374: Memory safety bugs fixed in Firefox 51</p>
- <p>CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP</p>
- <p>CVE-2017-5376: Use-after-free in XSL</p>
- <p>CVE-2017-5377: Memory corruption with transforms to create gradients in Skia</p>
- <p>CVE-2017-5378: Pointer and frame data leakage of Javascript objects</p>
- <p>CVE-2017-5379: Use-after-free in Web Animations</p>
- <p>CVE-2017-5380: Potential use-after-free during DOM manipulations</p>
- <p>CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations</p>
- <p>CVE-2017-5382: Feed preview can expose privileged content errors and exceptions</p>
- <p>CVE-2017-5383: Location bar spoofing with unicode characters</p>
- <p>CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)</p>
- <p>CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers</p>
- <p>CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions</p>
- <p>CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages</p>
- <p>CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks</p>
- <p>CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests</p>
- <p>CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer</p>
- <p>CVE-2017-5391: Content about: pages can load privileged about: pages</p>
- <p>CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage</p>
- <p>CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager</p>
- <p>CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events</p>
- <p>CVE-2017-5395: Android location bar spoofing during scrolling</p>
- <p>CVE-2017-5396: Use-after-free with Media Decoder</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -8762,69 +13361,25 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-1/">
- <h3>Summary</h3>
<p>Open redirect</p>
- <h3>Description</h3>
- <p>It was possible to trick phpMyAdmin to redirect to
- insecure using special request path.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be non critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-2/">
- <h3>Summary</h3>
<p>php-gettext code execution</p>
- <h3>Description</h3>
- <p>The php-gettext library can suffer to code
- execution. However there is no way to trigger this inside
- phpMyAdmin.</p>
- <h3>Severity</h3>
- <p>We consider this to be minor.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-3/">
- <h3>Summary</h3>
<p>DOS vulnerability in table editing</p>
- <h3>Description</h3>
- <p>It was possible to trigger recursive include operation by
- crafted parameters when editing table data.</p>
- <h3>Severity</h3>
- <p>We consider this to be non critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-4/">
- <h3>Summary</h3>
<p>CSS injection in themes</p>
- <h3>Description</h3>
- <p>It was possible to cause CSS injection in themes by
- crafted cookie parameters.</p>
- <h3>Severity</h3>
- <p>We consider this to be non critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-5/">
- <h3>Summary</h3>
<p>Cookie attribute injection attack</p>
- <h3>Description</h3>
- <p>A vulnerability was found where, under some
- circumstances, an attacker can inject arbitrary values in
- the browser cookies. This was incompletely fixed in <a href="https://www.phpmyadmin.net/security/PMASA-2016-18/">PMASA-2016-18</a>.</p>
- <h3>Severity</h3>
- <p>We consider this to be non-critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-6/">
- <h3>Summary</h3>
<p>SSRF in replication</p>
- <h3>Description</h3>
- <p>For a user with appropriate MySQL privileges it was
- possible to connect to arbitrary host.</p>
- <h3>Severity</h3>
- <p>We consider this to be non-critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-7/">
- <h3>Summary</h3>
<p>DOS in replication status</p>
- <h3>Description</h3>
- <p>It was possible to trigger DOS in replication status by
- specially crafted table name.</p>
- <h3>Severity</h3>
- <p>We consider this to be non critical.</p>
</blockquote>
</body>
</description>
@@ -10543,6 +15098,7 @@
<affects>
<package>
<name>vim</name>
+ <name>vim-console</name>
<name>vim-lite</name>
<range><lt>8.0.0056</lt></range>
</package>
@@ -10945,81 +15501,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache Software Foundation reports:</p>
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_24.html">
- <ul>
- <li>Important: Apache HTTP Request Parsing Whitespace Defects CVE-2016-8743<br/>
- Apache HTTP Server, prior to release 2.4.25, accepted a broad
- pattern of unusual whitespace patterns from the user-agent,
- including bare CR, FF, VTAB in parsing the request line and
- request header lines, as well as HTAB in parsing the request line.
- Any bare CR present in request lines was treated as whitespace and
- remained in the request field member "the_request", while a bare
- CR in the request header field name would be honored as
- whitespace, and a bare CR in the request header field value was
- retained the input headers array. Implied additional whitespace
- was accepted in the request line and prior to the
- ':' delimiter of any request header lines.<br/><br/>
- RFC7230 Section 3.5 calls out some of these whitespace exceptions,
- and section 3.2.3 eliminated and clarified the role of implied
- whitespace in the grammar of this specification. Section 3.1.1
- requires exactly one single SP between the method and
- request-target, and between the request-target and HTTP-version,
- followed immediately by a CRLF sequence. None of these
- fields permit any (unencoded) CTL character whatsoever. Section
- 3.2.4 explicitly disallowed any whitespace from the request header
- field prior to the ':' character, while Section 3.2 disallows all
- CTL characters in the request header line other than the HTAB
- character as whitespace.<br/><br/>
- These defects represent a security concern when httpd is
- participating in any chain of proxies or interacting with back-end
- application servers, either through mod_proxy or using conventional
- CGI mechanisms. In each case where one agent accepts such CTL
- characters and does not treat them as whitespace, there is the
- possibility in a proxy chain of generating two responses from a
- server behind the uncautious proxy agent. In a sequence of two
- requests, this results in request A to the first proxy being
- interpreted as requests A + A' by the backend server, and if
- requests A and B were submitted to the first proxy in a keepalive
- connection, the proxy may interpret response A' as the response to
- request B, polluting the cache or potentially serving the A' content
- to a different downstream user-agent.<br/><br/>
- These defects are addressed with the release of Apache HTTP Server
- 2.4.25 and coordinated by a new directive<br/>
- HttpProtocolOptions Strict<br/>
- </li>
- </ul><ul>
- <li>low: DoS vulnerability in mod_auth_digest CVE-2016-2161<br/>
- Malicious input to mod_auth_digest will cause the server to crash,
- and each instance continues to crash even for subsequently valid
- requests.<br/>
- </li>
- </ul><ul>
- <li>low: Padding Oracle in Apache mod_session_crypto CVE-2016-0736<br/>
- Authenticate the session data/cookie presented to mod_session_crypto
- with a MAC (SipHash) to prevent deciphering or tampering with a
- padding oracle attack.<br/>
- </li>
- </ul><ul>
- <li>low: Padding Oracle in Apache mod_session_crypto CVE-2016-0736<br/>
- Authenticate the session data/cookie presented to mod_session_crypto
- with a MAC (SipHash) to prevent deciphering or tampering with a
- padding oracle attack.<br/>
- </li>
- </ul><ul>
- <li>low: HTTP/2 CONTINUATION denial of service CVE-2016-8740<br/>
- The HTTP/2 protocol implementation (mod_http2) had an incomplete
- handling of the LimitRequestFields directive. This allowed an
- attacker to inject unlimited request headers into the server,
- leading to eventual memory exhaustion.<br/>
- </li>
- </ul><ul>
- <li>n/a: HTTP_PROXY environment variable "httpoxy" mitigation CVE-2016-5387<br/>
- HTTP_PROXY is a well-defined environment variable in a CGI process,
- which collided with a number of libraries which failed to avoid
- colliding with this CGI namespace. A mitigation is provided for the
- httpd CGI environment to avoid populating the "HTTP_PROXY" variable
- from a "Proxy:" header, which has never been registered by IANA.
- </li>
- </ul>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -11576,63 +16058,8 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://googlechromereleases.blogspot.nl/2016/12/stable-channel-update-for-desktop.html">
- <p>36 security fixes in this release, including:</p>
- <ul>
- <li>[664411] High CVE-2016-9651: Private property access in V8.
- Credit to Guang Gong of Alpha Team Of Qihoo 360</li>
- <li>[658535] High CVE-2016-5208: Universal XSS in Blink. Credit to
- Mariusz Mlynski</li>
- <li>[655904] High CVE-2016-5207: Universal XSS in Blink. Credit to
- Mariusz Mlynski</li>
- <li>[653749] High CVE-2016-5206: Same-origin bypass in PDFium.
- Credit to Rob Wu (robwu.nl)</li>
- <li>[646610] High CVE-2016-5205: Universal XSS in Blink. Credit to
- Anonymous</li>
- <li>[630870] High CVE-2016-5204: Universal XSS in Blink. Credit to
- Mariusz Mlynski</li>
- <li>[664139] High CVE-2016-5209: Out of bounds write in Blink.
- Credit to Giwan Go of STEALIEN</li>
- <li>[644219] High CVE-2016-5203: Use after free in PDFium. Credit
- to Anonymous</li>
- <li>[654183] High CVE-2016-5210: Out of bounds write in PDFium.
- Credit to Ke Liu of Tencent's Xuanwu LAB</li>
- <li>[653134] High CVE-2016-5212: Local file disclosure in DevTools.
- Credit to Khalil Zhani</li>
- <li>[649229] High CVE-2016-5211: Use after free in PDFium. Credit
- to Anonymous</li>
- <li>[652548] High CVE-2016-5213: Use after free in V8. Credit to
- Khalil Zhani</li>
- <li>[601538] Medium CVE-2016-5214: File download protection bypass.
- Credit to Jonathan Birch and MSVR</li>
- <li>[653090] Medium CVE-2016-5216: Use after free in PDFium. Credit
- to Anonymous</li>
- <li>[619463] Medium CVE-2016-5215: Use after free in Webaudio.
- Credit to Looben Yang</li>
- <li>[654280] Medium CVE-2016-5217: Use of unvalidated data in
- PDFium. Credit to Rob Wu (robwu.nl)</li>
- <li>[660498] Medium CVE-2016-5218: Address spoofing in Omnibox.
- Credit to Abdulrahman Alqabandi (@qab)</li>
- <li>[657568] Medium CVE-2016-5219: Use after free in V8. Credit to
- Rob Wu (robwu.nl)</li>
- <li>[660854] Medium CVE-2016-5221: Integer overflow in ANGLE.
- Credit to Tim Becker of ForAllSecure</li>
- <li>[654279] Medium CVE-2016-5220: Local file access in PDFium.
- Credit to Rob Wu (robwu.nl)</li>
- <li>[657720] Medium CVE-2016-5222: Address spoofing in Omnibox.
- Credit to xisigr of Tencent's Xuanwu Lab</li>
- <li>[653034] Low CVE-2016-9650: CSP Referrer disclosure. Credit to
- Jakub Żoczek</li>
- <li>[652038] Low CVE-2016-5223: Integer overflow in PDFium. Credit
- to Hwiwon Lee</li>
- <li>[639750] Low CVE-2016-5226: Limited XSS in Blink. Credit to Jun
- Kokatsu (@shhnjk)</li>
- <li>[630332] Low CVE-2016-5225: CSP bypass in Blink. Credit to
- Scott Helme (@Scott_Helme, scotthelme.co.uk)</li>
- <li>[615851] Low CVE-2016-5224: Same-origin bypass in SVG. Credit
- to Roeland Krak</li>
- <li>[669928] CVE-2016-9652: Various fixes from internal audits,
- fuzzing and other initiatives</li>
- </ul>
+ <p>36 security fixes in this release</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -12689,200 +17116,7 @@
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
- <p>The phpMyAdmin development team reports:</p>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-57/">
- <h3>Summary</h3>
- <p>Open redirection</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where a user can be
- tricked in to following a link leading to phpMyAdmin,
- which after authentication redirects to another
- malicious site.</p>
- <p>The attacker must sniff the user's valid phpMyAdmin
- token.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be of moderate
- severity.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-58/">
- <h3>Summary</h3>
- <p>Unsafe generation of blowfish secret</p>
- <h3>Description</h3>
- <p>When the user does not specify a blowfish_secret key
- for encrypting cookies, phpMyAdmin generates one at
- runtime. A vulnerability was reported where the way this
- value is created using a weak algorithm.</p>
- <p>This could allow an attacker to determine the user's
- blowfish_secret and potentially decrypt their
- cookies.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be of moderate
- severity.</p>
- <h3>Mitigation factor</h3>
- <p>This vulnerability only affects cookie
- authentication and only when a user has not
- defined a $cfg['blowfish_secret'] in
- their config.inc.php</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-59/">
- <h3>Summary</h3>
- <p>phpinfo information leak value of sensitive
- (HttpOnly) cookies</p>
- <h3>Description</h3>
- <p>phpinfo (phpinfo.php) shows PHP information
- including values of HttpOnly cookies.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be
- non-critical.</p>
- <h3>Mitigation factor</h3>
- <p>phpinfo in disabled by default and needs
- to be enabled explicitly.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-60/">
- <h3>Summary</h3>
- <p>Username deny rules bypass (AllowRoot & Others)
- by using Null Byte</p>
- <h3>Description</h3>
- <p>It is possible to bypass AllowRoot restriction
- ($cfg['Servers'][$i]['AllowRoot']) and deny rules
- for username by using Null Byte in the username.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be
- severe.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-61/">
- <h3>Summary</h3>
- <p>Username rule matching issues</p>
- <h3>Description</h3>
- <p>A vulnerability in username matching for the
- allow/deny rules may result in wrong matches and
- detection of the username in the rule due to
- non-constant execution time.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be severe.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-62/">
- <h3>Summary</h3>
- <p>Bypass logout timeout</p>
- <h3>Description</h3>
- <p>With a crafted request parameter value it is possible
- to bypass the logout timeout.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be of moderate
- severity.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-63/">
- <h3>Summary</h3>
- <p>Multiple full path disclosure vulnerabilities</p>
- <h3>Description</h3>
- <p>By calling some scripts that are part of phpMyAdmin in an
- unexpected way, it is possible to trigger phpMyAdmin to
- display a PHP error message which contains the full path of
- the directory where phpMyAdmin is installed. During an
- execution timeout in the export functionality, the errors
- containing the full path of the directory of phpMyAdmin is
- written to the export file.</p>
- <h3>Severity</h3>
- <p>We consider these vulnerability to be
- non-critical.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-64/">
- <h3>Summary</h3>
- <p>Multiple XSS vulnerabilities</p>
- <h3>Description</h3>
- <p>Several XSS vulnerabilities have been reported, including
- an improper fix for <a href="https://www.phpmyadmin.net/security/PMASA-2016-10/">PMASA-2016-10</a> and a weakness in a regular expression
- using in some JavaScript processing.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be
- non-critical.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-65/">
- <h3>Summary</h3>
- <p>Multiple DOS vulnerabilities</p>
- <h3>Description</h3>
- <p>With a crafted request parameter value it is possible
- to initiate a denial of service attack in saved searches
- feature.</p>
- <p>With a crafted request parameter value it is possible
- to initiate a denial of service attack in import
- feature.</p>
- <p>An unauthenticated user can execute a denial of
- service attack when phpMyAdmin is running with
- <code>$cfg['AllowArbitraryServer']=true;</code>.</p>
- <h3>Severity</h3>
- <p>We consider these vulnerabilities to be of
- moderate severity.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-66/">
- <h3>Summary</h3>
- <p>Bypass white-list protection for URL redirection</p>
- <h3>Description</h3>
- <p>Due to the limitation in URL matching, it was
- possible to bypass the URL white-list protection.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be of moderate
- severity.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-67/">
- <h3>Summary</h3>
- <p>BBCode injection vulnerability</p>
- <h3>Description</h3>
- <p>With a crafted login request it is possible to inject
- BBCode in the login page.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be severe.</p>
- <h3>Mitigation factor</h3>
- <p>This exploit requires phpMyAdmin to be configured
- with the "cookie" auth_type; other
- authentication methods are not affected.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-68/">
- <h3>Summary</h3>
- <p>DOS vulnerability in table partitioning</p>
- <h3>Description</h3>
- <p>With a very large request to table partitioning
- function, it is possible to invoke a Denial of Service
- (DOS) attack.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be of moderate
- severity.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-69/">
- <h3>Summary</h3>
- <p>Multiple SQL injection vulnerabilities</p>
- <h3>Description</h3>
- <p>With a crafted username or a table name, it was possible
- to inject SQL statements in the tracking functionality that
- would run with the privileges of the control user. This
- gives read and write access to the tables of the
- configuration storage database, and if the control user has
- the necessary privileges, read access to some tables of the
- mysql database.</p>
- <h3>Severity</h3>
- <p>We consider these vulnerabilities to be serious.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-70/">
- <h3>Summary</h3>
- <p>Incorrect serialized string parsing</p>
- <h3>Description</h3>
- <p>Due to a bug in serialized string parsing, it was
- possible to bypass the protection offered by
- PMA_safeUnserialize() function.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be severe.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-71/">
- <h3>Summary</h3>
- <p>CSRF token not stripped from the URL</p>
- <h3>Description</h3>
- <p>When the <code>arg_separator</code> is different from its
- default value of <code>&</code>, the token was not
- properly stripped from the return URL of the preference
- import action.</p>
- <h3>Severity</h3>
- <p>We have not yet determined a severity for this issue.</p>
- </blockquote>
+ <p>Please reference CVE/URL list for details</p>
</body>
</description>
<references>
@@ -13174,33 +17408,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/">
- <p>CVE-2016-5289: Memory safety bugs fixed in Firefox 50</p>
- <p>CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5</p>
- <p>CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file</p>
- <p>CVE-2016-5292: URL parsing causes crash</p>
- <p>CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log h</p>
- <p>CVE-2016-5294: Arbitrary target directory for result files of update process</p>
- <p>CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM</p>
- <p>CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1</p>
- <p>CVE-2016-5297: Incorrect argument length checking in Javascript</p>
- <p>CVE-2016-5298: SSL indicator can mislead the user about the real URL visited</p>
- <p>CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an app</p>
- <p>CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an a</p>
- <p>CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file</p>
- <p>CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat</p>
- <p>CVE-2016-9064: Addons update must verify IDs match between current and new versions</p>
- <p>CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen</p>
- <p>CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler</p>
- <p>CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore</p>
- <p>CVE-2016-9068: heap-use-after-free in nsRefreshDriver</p>
- <p>CVE-2016-9070: Sidebar bookmark can have reference to chrome window</p>
- <p>CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP</p>
- <p>CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile</p>
- <p>CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"</p>
- <p>CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler</p>
- <p>CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges</p>
- <p>CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s</p>
- <p>CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing atta</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -15457,52 +19665,8 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop_31.html">
- <p>33 security fixes in this release, including:</p>
- <ul>
- <li>[628942] High CVE-2016-5147: Universal XSS in Blink. Credit to
- anonymous</li>
- <li>[621362] High CVE-2016-5148: Universal XSS in Blink. Credit to
- anonymous</li>
- <li>[573131] High CVE-2016-5149: Script injection in extensions.
- Credit to Max Justicz (http://web.mit.edu/maxj/www/)</li>
- <li>[637963] High CVE-2016-5150: Use after free in Blink. Credit to
- anonymous</li>
- <li>[634716] High CVE-2016-5151: Use after free in PDFium. Credit to
- anonymous</li>
- <li>[629919] High CVE-2016-5152: Heap overflow in PDFium. Credit to
- GiWan Go of Stealien</li>
- <li>[631052] High CVE-2016-5153: Use after destruction in Blink.
- Credit to Atte Kettunen of OUSPG</li>
- <li>[633002] High CVE-2016-5154: Heap overflow in PDFium. Credit to
- anonymous</li>
- <li>[630662] High CVE-2016-5155: Address bar spoofing. Credit to
- anonymous</li>
- <li>[625404] High CVE-2016-5156: Use after free in event bindings.
- Credit to jinmo123</li>
- <li>[632622] High CVE-2016-5157: Heap overflow in PDFium. Credit to
- anonymous</li>
- <li>[628890] High CVE-2016-5158: Heap overflow in PDFium. Credit to
- GiWan Go of Stealien</li>
- <li>[628304] High CVE-2016-5159: Heap overflow in PDFium. Credit to
- GiWan Go of Stealien</li>
- <li>[622420] Medium CVE-2016-5161: Type confusion in Blink. Credit
- to 62600BCA031B9EB5CB4A74ADDDD6771E working with Trend Micro's
- Zero Day Initiative</li>
- <li>[589237] Medium CVE-2016-5162: Extensions web accessible
- resources bypass. Credit to Nicolas Golubovic</li>
- <li>[609680] Medium CVE-2016-5163: Address bar spoofing. Credit to
- Rafay Baloch PTCL Etisalat (http://rafayhackingarticles.net)</li>
- <li>[637594] Medium CVE-2016-5164: Universal XSS using DevTools.
- Credit to anonymous</li>
- <li>[618037] Medium CVE-2016-5165: Script injection in DevTools.
- Credit to Gregory Panakkal</li>
- <li>[616429] Medium CVE-2016-5166: SMB Relay Attack via Save Page
- As. Credit to Gregory Panakkal</li>
- <li>[576867] Low CVE-2016-5160: Extensions web accessible resources
- bypass. Credit to @l33terally, FogMarks.com (@FogMarks)</li>
- <li>[642598] CVE-2016-5167: Various fixes from internal audits,
- fuzzing and other initiatives.</li>
- </ul>
+ <p>33 security fixes in this release</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -15766,49 +19930,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox48">
- <p>MFSA2016-84 Information disclosure through Resource Timing API \
- during page navigation</p>
- <p>MFSA2016-83 Spoofing attack through text injection into \
- internal error pages</p>
- <p>MFSA2016-82 Addressbar spoofing with right-to-left characters \
- on Firefox for Android</p>
- <p>MFSA2016-81 Information disclosure and local file \
- manipulation through drag and drop</p>
- <p>MFSA2016-80 Same-origin policy violation using local HTML
- file and saved shortcut file</p>
- <p>MFSA2016-79 Use-after-free when applying SVG effects</p>
- <p>MFSA2016-78 Type confusion in display transformation</p>
- <p>MFSA2016-77 Buffer overflow in ClearKey Content Decryption
- Module (CDM) during video playback</p>
- <p>MFSA2016-76 Scripts on marquee tag can execute in sandboxed
- iframes</p>
- <p>MFSA2016-75 Integer overflow in WebSockets during data \
- buffering</p>
- <p>MFSA2016-74 Form input type change from password to text \
- can store plain text password in session restore file</p>
- <p>MFSA2016-73 Use-after-free in service workers with nested
- sync events</p>
- <p>MFSA2016-72 Use-after-free in DTLS during WebRTC session
- shutdown</p>
- <p>MFSA2016-71 Crash in incremental garbage collection in \
- JavaScript</p>
- <p>MFSA2016-70 Use-after-free when using alt key and toplevel
- menus</p>
- <p>MFSA2016-69 Arbitrary file manipulation by local user through \
- Mozilla updater and callback application path parameter</p>
- <p>MFSA2016-68 Out-of-bounds read during XML parsing in \
- Expat library</p>
- <p>MFSA2016-67 Stack underflow during 2D graphics rendering</p>
- <p>MFSA2016-66 Location bar spoofing via data URLs with \
- malformed/invalid mediatypes</p>
- <p>MFSA2016-65 Cairo rendering crash due to memory allocation
- issue with FFmpeg 0.10</p>
- <p>MFSA2016-64 Buffer overflow rendering SVG with bidirectional
- content</p>
- <p>MFSA2016-63 Favicon network connection can persist when page
- is closed</p>
- <p>MFSA2016-62 Miscellaneous memory safety hazards (rv:48.0 /
- rv:45.3)</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -16398,411 +20520,91 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpmyadmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-29/">
- <h3>Summary</h3>
<p>Weakness with cookie encryption</p>
- <h3>Description</h3>
- <p>A pair of vulnerabilities were found affecting the
- way cookies are stored.</p>
- <ul>
- <li>The decryption of the username/password is
- vulnerable to a padding oracle attack. The can allow
- an attacker who has access to a user's browser cookie
- file to decrypt the username and password.</li>
- <li>A vulnerability was found where the same
- initialization vector (IV) is used to hash the
- username and password stored in the phpMyAdmin
- cookie. If a user has the same password as their
- username, an attacker who examines the browser cookie
- can see that they are the but the attacker can not
- directly decode these values from the cookie as it is
- still hashed.</li>
- </ul>
- <h3>Severity</h3>
- <p>We consider this to be critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-30/">
- <h3>Summary</h3>
<p>Multiple XSS vulnerabilities</p>
- <h3>Description</h3>
- <p>Multiple vulnerabilities have been discovered in the
- following areas of phpMyAdmin:</p>
- <ul>
- <li>Zoom search: Specially crafted column content can
- be used to trigger an XSS attack</li>
- <li>GIS editor: Certain fields in the graphical GIS
- editor at not properly escaped and can be used to
- trigger an XSS attack</li>
- <li>Relation view</li>
- <li>The following Transformations:
- <ul>
- <li>Formatted</li>
- <li>Imagelink</li>
- <li>JPEG: Upload</li>
- <li>RegexValidation</li>
- <li>JPEG inline</li>
- <li>PNG inline</li>
- <li>transformation wrapper</li>
- </ul>
- </li>
- <li>XML export</li>
- <li>MediaWiki export</li>
- <li>Designer</li>
- <li>When the MySQL server is running with a
- specially-crafted <code>log_bin</code> directive</li>
- <li>Database tab</li>
- <li>Replication feature</li>
- <li>Database search</li>
- </ul>
- <h3>Severity</h3>
- <p>We consider these vulnerabilities to be of
- moderate severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-31/">
- <h3>Summary</h3>
<p>Multiple XSS vulnerabilities</p>
- <h3>Description</h3>
- <p>XSS vulnerabilities were discovered in:</p>
- <ul>
- <li>The database privilege check</li>
- <li>The "Remove partitioning" functionality</li>
- </ul>
- <p>Specially crafted database names can trigger the XSS
- attack.</p>
- <h3>Severity</h3>
- <p>We consider these vulnerabilities to be of moderate
- severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-32/">
- <h3>Summary</h3>
<p>PHP code injection</p>
- <h3>Description</h3>
- <p>A vulnerability was found where a specially crafted
- database name could be used to run arbitrary PHP
- commands through the array export feature</p>
- <h3>Severity</h3>
- <p>We consider these vulnerabilities to be of
- moderate severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-33/">
- <h3>Summary</h3>
<p>Full path disclosure</p>
- <h3>Description</h3>
- <p>A full path disclosure vulnerability was discovered
- where a user can trigger a particular error in the
- export mechanism to discover the full path of phpMyAdmin
- on the disk.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be
- non-critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-34/">
- <h3>Summary</h3>
<p>SQL injection attack</p>
- <h3>Description</h3>
- <p>A vulnerability was reported where a specially
- crafted database and/or table name can be used to
- trigger an SQL injection attack through the export
- functionality.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-35/">
- <h3>Summary</h3>
<p>Local file exposure</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where a user can
- exploit the LOAD LOCAL INFILE functionality to expose
- files on the server to the database system.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-36/">
- <h3>Summary</h3>
<p>Local file exposure through symlinks with
UploadDir</p>
- <h3>Description</h3>
- <p>A vulnerability was found where a user can
- specially craft a symlink on disk, to a file which
- phpMyAdmin is permitted to read but the user is not,
- which phpMyAdmin will then expose to the user.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious,
- however due to the mitigation factors the
- default state is not vulnerable.</p>
- <h3>Mitigation factor</h3>
- <p>1) The installation must be run with UploadDir configured
- (not the default) 2) The user must be able to create a
- symlink in the UploadDir 3) The user running the phpMyAdmin
- application must be able to read the file</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-37/">
- <h3>Summary</h3>
<p>Path traversal with SaveDir and UploadDir</p>
- <h3>Description</h3>
- <p>A vulnerability was reported with the <code>%u</code>
- username replacement functionality of the SaveDir and
- UploadDir features. When the username substitution is
- configured, a specially-crafted user name can be used to
- circumvent restrictions to traverse the file system.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious,
- however due to the mitigation factors the default
- state is not vulnerable.</p>
- <h3>Mitigation factor</h3>
- <p>1) A system must be configured with the %u username
- replacement, such as `$cfg['SaveDir'] =
- 'SaveDir_%u';` 2) The user must be able to create a
- specially-crafted MySQL user, including the `/.` sequence of
- characters, such as `/../../`</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-38/">
- <h3>Summary</h3>
<p>Multiple XSS vulnerabilities</p>
- <h3>Description</h3>
- <p>Multiple XSS vulnerabilities were found in the following
- areas:</p>
- <ul>
- <li>Navigation pane and database/table hiding
- feature. A specially-crafted database name can be used
- to trigger an XSS attack.</li>
- <li>The "Tracking" feature. A specially-crafted query
- can be used to trigger an XSS attack.</li>
- <li>GIS visualization feature. </li>
- </ul>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be non-critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-39/">
- <h3>Summary</h3>
<p>SQL injection attack</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered in the following
- features where a user can execute an SQL injection
- attack against the account of the control user:
- <em>User group</em> Designer</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious.</p>
- <h3>Mitigation factor</h3>
- <p>The server must have a control user account created in
- MySQL and configured in phpMyAdmin; installations without a
- control user are not vulnerable.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-40/">
- <h3>Summary</h3>
<p>SQL injection attack</p>
- <h3>Description</h3>
- <p>A vulnerability was reported where a specially
- crafted database and/or table name can be used to
- trigger an SQL injection attack through the export
- functionality.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-41/">
- <h3>Summary</h3>
<p>Denial of service (DOS) attack in transformation
feature</p>
- <h3>Description</h3>
- <p>A vulnerability was found in the transformation feature
- allowing a user to trigger a denial-of-service (DOS) attack
- against the server.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be non-critical</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-42/">
- <h3>Summary</h3>
<p>SQL injection attack as control user</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered in the user interface
- preference feature where a user can execute an SQL injection
- attack against the account of the control user.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious.</p>
- <h3>Mitigation factor</h3>
- <p>The server must have a control user account created in
- MySQL and configured in phpMyAdmin; installations without a
- control user are not vulnerable.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-43/">
- <h3>Summary</h3>
<p>Unvalidated data passed to unserialize()</p>
- <h3>Description</h3>
- <p>A vulnerability was reported where some data is passed to
- the PHP <code>unserialize()</code> function without
- verification that it's valid serialized data.</p>
- <p>Due to how the <a href="https://secure.php.net/unserialize">PHP function</a>
- operates,</p>
- <blockquote>
- <p>Unserialization can result in code being loaded and
- executed due to object instantiation and autoloading, and
- a malicious user may be able to exploit this.</p>
- </blockquote>
- <p>Therefore, a malicious user may be able to manipulate the
- stored data in a way to exploit this weakness.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be moderately
- severe.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-45/">
- <h3>Summary</h3>
<p>DOS attack with forced persistent connections</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where an unauthenticated
- user is able to execute a denial-of-service (DOS) attack by
- forcing persistent connections when phpMyAdmin is running
- with <code>$cfg['AllowArbitraryServer']=true;</code>.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be critical, although
- note that phpMyAdmin is not vulnerable by default.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-46/">
- <h3>Summary</h3>
<p>Denial of service (DOS) attack by for loops</p>
- <h3>Description</h3>
- <p>A vulnerability has been reported where a malicious
- authorized user can cause a denial-of-service (DOS) attack
- on a server by passing large values to a loop.</p>
- <h3>Severity</h3>
- <p>We consider this issue to be of moderate severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-47/">
- <h3>Summary</h3>
<p>IPv6 and proxy server IP-based authentication rule
circumvention</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where, under certain
- circumstances, it may be possible to circumvent the
- phpMyAdmin IP-based authentication rules.</p>
- <p>When phpMyAdmin is used with IPv6 in a proxy server
- environment, and the proxy server is in the allowed range
- but the attacking computer is not allowed, this
- vulnerability can allow the attacking computer to connect
- despite the IP rules.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious</p>
- <h3>Mitigation factor</h3>
- <p>* The phpMyAdmin installation must be running with
- IP-based allow/deny rules * The phpMyAdmin installation must
- be running behind a proxy server (or proxy servers) where
- the proxy server is "allowed" and the attacker is
- "denied" * The connection between the proxy server
- and phpMyAdmin must be via IPv6</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-48/">
- <h3>Summary</h3>
<p>Detect if user is logged in</p>
- <h3>Description</h3>
- <p>A vulnerability was reported where an attacker can
- determine whether a user is logged in to phpMyAdmin.</p>
- <p>The user's session, username, and password are not
- compromised by this vulnerability.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be non-critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-49/">
- <h3>Summary</h3>
<p>Bypass URL redirect protection</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where an attacker could
- redirect a user to a malicious web page.</p>
- <h3>Severity</h3>
- <p>We consider this to be of moderate severity</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-50/">
- <h3>Summary</h3>
<p>Referrer leak in url.php</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where an attacker can
- determine the phpMyAdmin host location through the file
- <code>url.php</code>.</p>
- <h3>Severity</h3>
- <p>We consider this to be of moderate severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-51/">
- <h3>Summary</h3>
<p>Reflected File Download attack</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where an attacker may be
- able to trigger a user to download a specially crafted
- malicious SVG file.</p>
- <h3>Severity</h3>
- <p>We consider this issue to be of moderate severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-52/">
- <h3>Summary</h3>
<p>ArbitraryServerRegexp bypass</p>
- <h3>Description</h3>
- <p>A vulnerability was reported with the
- <code>$cfg['ArbitraryServerRegexp']</code> configuration
- directive. An attacker could reuse certain cookie values in
- a way of bypassing the servers defined by
- <code>ArbitraryServerRegexp</code>.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be critical.</p>
- <h3>Mitigation factor</h3>
- <p>Only servers using
- `$cfg['ArbitraryServerRegexp']` are vulnerable to
- this attack.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-53/">
- <h3>Summary</h3>
<p>Denial of service (DOS) attack by changing password to a
very long string</p>
- <h3>Description</h3>
- <p>An authenticated user can trigger a denial-of-service
- (DOS) attack by entering a very long password at the change
- password dialog.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-54/">
- <h3>Summary</h3>
<p>Remote code execution vulnerability when run as CGI</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where a user can execute a
- remote code execution attack against a server when
- phpMyAdmin is being run as a CGI application. Under certain
- server configurations, a user can pass a query string which
- is executed as a command-line argument by the file
- <code>generator_plugin.sh</code>.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be critical.</p>
- <h3>Mitigation factor</h3>
- <p>The file
- `/libraries/plugins/transformations/generator_plugin.sh` may
- be removed. Under certain server configurations, it may be
- sufficient to remove execute permissions for this file.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-55/">
<h3>Summary</h3>
<p>Denial of service (DOS) attack with dbase extension</p>
- <h3>Description</h3>
- <p>A flaw was discovered where, under certain conditions,
- phpMyAdmin may not delete temporary files during the import
- of ESRI files.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be non-critical.</p>
- <h3>Mitigation factor</h3>
- <p>This vulnerability only exists when PHP is running with
- the dbase extension, which is not shipped by default, not
- available in most Linux distributions, and doesn't
- compile with PHP7.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-56/">
- <h3>Summary</h3>
<p>Remote code execution vulnerability when PHP is running
with dbase extension</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where phpMyAdmin can be
- used to trigger a remote code execution attack against
- certain PHP installations. </p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be critical.</p>
- <h3>Mitigation factor</h3>
- <p>This vulnerability only exists when PHP is running with
- the dbase extension, which is not shipped by default, not
- available in most Linux distributions, and doesn't
- compile with PHP7.</p>
</blockquote>
</body>
</description>
@@ -20782,199 +24584,7 @@
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
- <p>The phpMyAdmin development team reports:</p>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-17/">
- <h3>Summary</h3>
- <p>BBCode injection vulnerability</p>
-
- <h3>Description</h3>
- <p>A vulnerability was discovered that allows an BBCode
- injection to setup script in case it's not accessed on
- https.</p>
-
- <h3>Severity</h3>
- <p>We consider this to be non-critical.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-18/">
- <h3>Summary</h3>
- <p>Cookie attribute injection attack</p>
-
- <h3>Description</h3>
- <p>A vulnerability was found where, under some
- circumstances, an attacker can inject arbitrary values
- in the browser cookies.</p>
-
- <h3>Severity</h3>
- <p>We consider this to be non-critical.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-19/">
- <h3>Summary</h3>
- <p>SQL injection attack</p>
-
- <h3>Description</h3>
- <p>A vulnerability was discovered that allows an SQL
- injection attack to run arbitrary commands as the
- control user.</p>
-
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-20/">
- <h3>Summary</h3>
- <p>XSS on table structure page</p>
-
- <h3>Description</h3>
- <p>An XSS vulnerability was discovered on the table
- structure page</p>
-
- <h3>Severity</h3>
- <p>We consider this to be a serious
- vulnerability</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-21/">
- <h3>Summary</h3>
- <p>Multiple XSS vulnerabilities</p>
-
- <h3>Description</h3>
- <ul>
- <li>An XSS vulnerability was discovered on the user
- privileges page.</li>
- <li>An XSS vulnerability was discovered in the error
- console.</li>
- <li>An XSS vulnerability was discovered in the central
- columns feature.</li>
- <li>An XSS vulnerability was discovered in the query
- bookmarks feature.</li>
- <li>An XSS vulnerability was discovered in the user groups
- feature.</li>
- </ul>
-
- <h3>Severity</h3>
- <p>We consider this to be a serious vulnerability</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-22/">
- <h3>Summary</h3>
- <p>DOS attack</p>
-
- <h3>Description</h3>
- <p>A Denial Of Service (DOS) attack was discovered in
- the way phpMyAdmin loads some JavaScript files.</p>
-
- <h3>Severity</h3>
- <p>We consider this to be of moderate severity</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-23/">
- <h3>Summary</h3>
- <p>Multiple full path disclosure vulnerabilities</p>
-
- <h3>Description</h3>
- <p>This PMASA contains information on multiple full-path
- disclosure vulnerabilities reported in phpMyAdmin.</p>
- <p>By specially crafting requests in the following
- areas, it is possible to trigger phpMyAdmin to display a
- PHP error message which contains the full path of the
- directory where phpMyAdmin is installed.</p>
- <ol>
- <li>Setup script</li>
- <li>Example OpenID authentication script</li>
- </ol>
-
- <h3>Severity</h3>
- <p>We consider these vulnerabilities to be
- non-critical.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-24/">
- <h3>Summary</h3>
- <p>XSS through FPD</p>
-
- <h3>Description</h3>
- <p>With a specially crafted request, it is possible to
- trigger an XSS attack through the example OpenID
- authentication script.</p>
-
- <h3>Severity</h3>
- <p>We do not consider this vulnerability to be
- secure due to the non-standard required PHP setting
- for html_errors.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-25/">
- <h3>Summary</h3>
- <p>XSS in partition range functionality</p>
-
- <h3>Description</h3>
- <p>A vulnerability was reported allowing a specially
- crafted table parameters to cause an XSS attack through
- the table structure page.</p>
-
- <h3>Severity</h3>
- <p>We consider this vulnerability to be severe.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-26/">
- <h3>Summary</h3>
- <p>Multiple XSS vulnerabilities</p>
-
- <h3>Description</h3>
- <ul>
- <li>A vulnerability was reported allowing a specially
- crafted table name to cause an XSS attack through the
- functionality to check database privileges.
- <ul>
- <li>This XSS doesn't exist in some translations due to
- different quotes being used there (eg. Czech).</li>
- </ul>
- </li>
- <li>A vulnerability was reported allowing a
- specifically-configured MySQL server to execute an XSS
- attack. This particular attack requires configuring the
- MySQL server log_bin directive with the payload.</li>
- <li>Several XSS vulnerabilities were found with the
- Transformation feature</li>
- <li>Several XSS vulnerabilities were found in AJAX error
- handling</li>
- <li>Several XSS vulnerabilities were found in the Designer
- feature</li>
- <li>An XSS vulnerability was found in the charts
- feature</li>
- <li>An XSS vulnerability was found in the zoom search
- feature</li>
- </ul>
-
- <h3>Severity</h3>
- <p>We consider these attacks to be of moderate
- severity.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-27/">
- <h3>Summary</h3>
- <p>Unsafe handling of preg_replace parameters</p>
-
- <h3>Description</h3>
- <p>In some versions of PHP, it's possible for an
- attacker to pass parameters to the
- <code>preg_replace()</code> function which can allow the
- execution of arbitrary PHP code. This code is not
- properly sanitized in phpMyAdmin as part of the table
- search and replace feature.</p>
-
- <h3>Severity</h3>
- <p>We consider this vulnerability to be of moderate
- severity.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-28/">
- <h3>Summary</h3>
- <p>Referrer leak in transformations</p>
-
- <h3>Description</h3>
- <p>A vulnerability was reported where a specially
- crafted Transformation could be used to leak information
- including the authentication token. This could be used
- to direct a CSRF attack against a user.</p>
- <p>Furthermore, the CSP code used in version 4.0.x is
- outdated and has been updated to more modern
- standards.</p>
-
- <h3>Severity</h3>
- <p>We consider this to be of moderate severity</p>
- </blockquote>
+ <p>Please reference CVE/URL list for details</p>
</body>
</description>
<references>
@@ -21341,61 +24951,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP Group reports:</p>
<blockquote cite="http://php.net/ChangeLog-5.php#5.5.37">
- <ul><li>Core:
- <ul>
- <li>Fixed bug #72268 (Integer Overflow in nl2br())</li>
- <li>Fixed bug #72275 (Integer Overflow in json_encode()/
- json_decode()/ json_utf8_to_utf16())</li>
- <li>Fixed bug #72400 (Integer Overflow in addcslashes/
- addslashes)</li>
- <li>Fixed bug #72403 (Integer Overflow in Length of String-typed
- ZVAL)</li>
- </ul></li>
- <li>GD:
- <ul>
- <li>Fixed bug #66387 (Stack overflow with imagefilltoborder)
- (CVE-2015-8874)</li>
- <li>Fixed bug #72298 (pass2_no_dither out-of-bounds access)</li>
- <li>Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting
- in heap overflow) (CVE-2016-5766)</li>
- <li>Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert)</li>
- <li>Fixed bug #72446 (Integer Overflow in
- gdImagePaletteToTrueColor() resulting in heap overflow)
- (CVE-2016-5767)</li>
- </ul></li>
- <li>mbstring:
- <ul>
- <li>Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free)
- (CVE-2016-5768)</li>
- </ul></li>
- <li>mcrypt:
- <ul>
- <li>Fixed bug #72455 (Heap Overflow due to integer overflows)
- (CVE-2016-5769)</li>
- </ul></li>
- <li>Phar:
- <ul>
- <li>Fixed bug #72321 (invalid free in phar_extract_file()). (PHP
- 5.6/7.0 only)</li>
- </ul></li>
- <li>SPL:
- <ul>
- <li>Fixed bug #72262 (int/size_t confusion in SplFileObject::fread)
- (CVE-2016-5770)</li>
- <li>Fixed bug #72433 (Use After Free Vulnerability in PHP's GC
- algorithm and unserialize) (CVE-2016-5771)</li>
- </ul></li>
- <li>WDDX:
- <ul>
- <li>Fixed bug #72340 (Double Free Courruption in wddx_deserialize)
- (CVE-2016-5772)</li>
- </ul></li>
- <li>zip:
- <ul>
- <li>Fixed bug #72434 (ZipArchive class Use After Free Vulnerability
- in PHP's GC algorithm and unserialize). (CVE-2016-5773)</li>
- </ul></li>
- </ul>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -22565,53 +26121,8 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html">
- <p>42 security fixes in this release, including:</p>
- <ul>
- <li>[590118] High CVE-2016-1672: Cross-origin bypass in extension
- bindings. Credit to Mariusz Mlynski.</li>
- <li>[597532] High CVE-2016-1673: Cross-origin bypass in Blink.
- Credit to Mariusz Mlynski.</li>
- <li>[598165] High CVE-2016-1674: Cross-origin bypass in extensions.i
- Credit to Mariusz Mlynski.</li>
- <li>[600182] High CVE-2016-1675: Cross-origin bypass in Blink.
- Credit to Mariusz Mlynski.</li>
- <li>[604901] High CVE-2016-1676: Cross-origin bypass in extension
- bindings. Credit to Rob Wu.</li>
- <li>[602970] Medium CVE-2016-1677: Type confusion in V8. Credit to
- Guang Gong of Qihoo 360.</li>
- <li>[595259] High CVE-2016-1678: Heap overflow in V8. Credit to
- Christian Holler.</li>
- <li>[606390] High CVE-2016-1679: Heap use-after-free in V8
- bindings. Credit to Rob Wu.</li>
- <li>[589848] High CVE-2016-1680: Heap use-after-free in Skia.
- Credit to Atte Kettunen of OUSPG.</li>
- <li>[613160] High CVE-2016-1681: Heap overflow in PDFium. Credit to
- Aleksandar Nikolic of Cisco Talos.</li>
- <li>[579801] Medium CVE-2016-1682: CSP bypass for ServiceWorker.
- Credit to KingstonTime.</li>
- <li>[601362] Medium CVE-2016-1685: Out-of-bounds read in PDFium.
- Credit to Ke Liu of Tencent's Xuanwu LAB.</li>
- <li>[603518] Medium CVE-2016-1686: Out-of-bounds read in PDFium.
- Credit to Ke Liu of Tencent's Xuanwu LAB.</li>
- <li>[603748] Medium CVE-2016-1687: Information leak in extensions.
- Credit to Rob Wu.</li>
- <li>[604897] Medium CVE-2016-1688: Out-of-bounds read in V8.
- Credit to Max Korenko.</li>
- <li>[606185] Medium CVE-2016-1689: Heap buffer overflow in media.
- Credit to Atte Kettunen of OUSPG.</li>
- <li>[608100] Medium CVE-2016-1690: Heap use-after-free in Autofill.
- Credit to Rob Wu.</li>
- <li>[597926] Low CVE-2016-1691: Heap buffer-overflow in Skia.
- Credit to Atte Kettunen of OUSPG.</li>
- <li>[598077] Low CVE-2016-1692: Limited cross-origin bypass in
- ServiceWorker. Credit to Til Jasper Ullrich.</li>
- <li>[598752] Low CVE-2016-1693: HTTP Download of Software Removal
- Tool. Credit to Khalil Zhani.</li>
- <li>[603682] Low CVE-2016-1694: HPKP pins removed on cache
- clearance. Credit to Ryan Lester and Bryant Zadegan.</li>
- <li>[614767] CVE-2016-1695: Various fixes from internal audits,
- fuzzing and other initiatives.</li>
- </ul>
+ <p>42 security fixes in this release</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -22692,7 +26203,7 @@
</vuln>
<vuln vid="7da1da96-24bb-11e6-bd31-3065ec8fd3ec">
- <topic>chromium -- multiple vulnerablities</topic>
+ <topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
@@ -23265,54 +26776,7 @@
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The squid development team reports:</p>
- <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_7.txt">
- <dl>
- <dt>Problem Description:</dt>
- <dd>Due to incorrect data validation of intercepted HTTP
- Request messages Squid is vulnerable to clients bypassing
- the protection against CVE-2009-0801 related issues. This
- leads to cache poisoning.</dd>
- <dt>Severity:</dt>
- <dd>This problem is serious because it allows any client,
- including browser scripts, to bypass local security and
- poison the proxy cache and any downstream caches with
- content from an arbitrary source.</dd>
- </dl>
- </blockquote>
- <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_8.txt">
- <dl>
- <dt>Problem Description:</dt>
- <dd>Due to incorrect input validation Squid is vulnerable
- to a header smuggling attack leading to cache poisoning
- and to bypass of same-origin security policy in Squid and
- some client browsers.</dd>
- <dt>Severity:</dt>
- <dd>This problem allows a client to smuggle Host header
- value past same-origin security protections to cause Squid
- operating as interception or reverse-proxy to contact the
- wrong origin server. Also poisoning any downstream cache
- which stores the response.</dd>
- <dd>However, the cache poisoning is only possible if the
- caching agent (browser or explicit/forward proxy) is not
- following RFC 7230 processing guidelines and lets the
- smuggled value through.</dd>
- </dl>
- </blockquote>
- <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_9.txt">
- <dl>
- <dt>Problem Description:</dt>
- <dd>Due to incorrect pointer handling and reference
- counting Squid is vulnerable to a denial of service attack
- when processing ESI responses.</dd>
- <dt>Severity:</dt>
- <dd>These problems allow a remote server delivering
- certain ESI response syntax to trigger a denial of service
- for all clients accessing the Squid service.</dd>
- <dd>Due to unrelated changes Squid-3.5 has become
- vulnerable to some regular ESI server responses also
- triggering one or more of these issues.</dd>
- </dl>
- </blockquote>
+ <p>Please reference CVE/URL list for details</p>
</body>
</description>
<references>
@@ -45084,85 +48548,7 @@
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
- <p>NVD and Vigilance report:</p>
- <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5150">
- <p>Use-after-free vulnerability in Google Chrome before
- 24.0.1312.52 allows remote attackers to cause a denial of
- service or possibly have unspecified other impact via vectors
- involving seek operations on video data.</p>
- </blockquote>
- <blockquote cite="http://vigilance.fr/vulnerability/Libav-integer-overflow-of-av-lzo1x-decode-14944">
- <p> An attacker can generate an integer overflow in the
- av_lzo1x_decode() function of Libav, in order to trigger a
- denial of service, and possibly to execute code.</p>
- </blockquote>
- <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8541">
- <p>libavcodec/mjpegdec.c in FFmpeg before 2.4.2 considers only
- dimension differences, and not bits-per-pixel differences, when
- determining whether an image size has changed, which allows
- remote attackers to cause a denial of service (out-of-bounds
- access) or possibly have unspecified other impact via crafted
- MJPEG data.</p>
- </blockquote>
- <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8542">
- <p>libavcodec/utils.c in FFmpeg before 2.4.2 omits a certain
- codec ID during enforcement of alignment, which allows remote
- attackers to cause a denial of service (out-of-bounds access) or
- possibly have unspecified other impact via crafted JV data.</p>
- </blockquote>
- <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8543">
- <p>libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider
- all lines of HHV Intra blocks during validation of image height,
- which allows remote attackers to cause a denial of service
- (out-of-bounds access) or possibly have unspecified other impact
- via crafted MM video data.</p>
- </blockquote>
- <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8545">
- <p>libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the
- monochrome-black format without verifying that the
- bits-per-pixel value is 1, which allows remote attackers to
- cause a denial of service (out-of-bounds access) or possibly
- have unspecified other impact via crafted PNG data.</p>
- </blockquote>
- <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8547">
- <p>libavcodec/gifdec.c in FFmpeg before 2.4.2 does not properly
- compute image heights, which allows remote attackers to cause a
- denial of service (out-of-bounds access) or possibly have
- unspecified other impact via crafted GIF data.</p>
- </blockquote>
- <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8548">
- <p>Off-by-one error in libavcodec/smc.c in FFmpeg before 2.4.2
- allows remote attackers to cause a denial of service
- (out-of-bounds access) or possibly have unspecified other impact
- via crafted Quicktime Graphics (aka SMC) video data.</p>
- </blockquote>
- <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9316">
- <p>The mjpeg_decode_app function in libavcodec/mjpegdec.c in
- FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4
- allows remote attackers to cause a denial of service
- (out-of-bounds heap access) and possibly have other unspecified
- impact via vectors related to LJIF tags in an MJPEG file.</p>
- </blockquote>
- <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9317">
- <p>The decode_ihdr_chunk function in libavcodec/pngdec.c in
- FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4
- allows remote attackers to cause a denial of service
- (out-of-bounds heap access) and possibly have other unspecified
- impact via an IDAT before an IHDR in a PNG file.</p>
- </blockquote>
- <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9603">
- <p>The vmd_decode function in libavcodec/vmdvideo.c in FFmpeg
- before 2.5.2 does not validate the relationship between a
- certain length value and the frame width, which allows remote
- attackers to cause a denial of service (out-of-bounds array
- access) or possibly have unspecified other impact via crafted
- Sierra VMD video data.</p>
- </blockquote>
- <blockquote cite="http://vigilance.fr/vulnerability/FFmpeg-unreachable-memory-reading-via-mjpegdec-c-16213">
- <p>An attacker can force a read at an invalid address in
- mjpegdec.c of FFmpeg, in order to trigger a denial of
- service.</p>
- </blockquote>
+ <p>Please reference CVE/URL list for details</p>
</body>
</description>
<references>
@@ -52486,105 +55872,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01">
- <h1>Description</h1>
- <h5>SECURITY-87/CVE-2014-3661 (anonymous DoS attack through CLI
- handshake)</h5>
- <p>This vulnerability allows unauthenticated users
- with access to Jenkins' HTTP/HTTPS port to mount a DoS attack on
- Jenkins through thread exhaustion.</p>
-
- <h5>SECURITY-110/CVE-2014-3662 (User name discovery)</h5>
- <p>Anonymous users can test if the user of a specific name exists or
- not through login attempts.</p>
-
- <h5>SECURITY-127&128/CVE-2014-3663 (privilege escalation in job
- configuration permission)</h5>
- <p>An user with a permission limited
- to Job/CONFIGURE can exploit this vulnerability to effectively
- create a new job, which should have been only possible for users
- with Job/CREATE permission, or to destroy jobs that he/she does not
- have access otherwise.</p>
-
- <h5>SECURITY-131/CVE-2014-3664 (directory traversal attack)</h5>
- <p>Users with Overall/READ permission can access arbitrary files in
- the file system readable by the Jenkins process, resulting in the
- exposure of sensitive information, such as encryption keys.</p>
-
- <h5>SECURITY-138/CVE-2014-3680 (Password exposure in DOM)</h5>
- <p>If a parameterized job has a default value in a password field,
- that default value gets exposed to users with Job/READ permission.
- </p>
-
- <h5>SECURITY-143/CVE-2014-3681 (XSS vulnerability in Jenkins
- core)</h5>
- <p>Reflected cross-site scripting vulnerability in Jenkins
- core. An attacker can navigate the user to a carefully crafted URL
- and have the user execute unintended actions.</p>
-
- <h5>SECURITY-150/CVE-2014-3666 (remote code execution from CLI)</h5>
- <p>Unauthenticated user can execute arbitrary code on Jenkins master
- by sending carefully crafted packets over the CLI channel.</p>
-
- <h5>SECURITY-155/CVE-2014-3667 (exposure of plugin code)</h5>
- <p>Programs that constitute plugins can be downloaded by anyone with
- the Overall/READ permission, resulting in the exposure of otherwise
- sensitive information, such as hard-coded keys in plugins, if
- any.</p>
-
- <h5>SECURITY-159/CVE-2013-2186 (arbitrary file system write)</h5>
- <p>Security vulnerability in commons fileupload allows
- unauthenticated attacker to upload arbitrary files to Jenkins
- master.</p>
-
- <h5>SECURITY-149/CVE-2014-1869 (XSS vulnerabilities in
- ZeroClipboard)</h5>
- <p>reflective XSS vulnerability in one of the
- library dependencies of Jenkins.</p>
-
- <h5>SECURITY-113/CVE-2014-3678 (XSS vulnerabilities in monitoring
- plugin)</h5> <p>Monitoring plugin allows an attacker to cause a
- victim into executing unwanted actions on Jenkins instance.</p>
-
- <h5>SECURITY-113/CVE-2014-3679 (hole in access control)</h5>
- <p>Certain pages in monitoring plugin are visible to anonymous users,
- allowing them to gain information that they are not supposed to.
- </p>
-
- <h1>Severity</h1>
- <p>SECURITY-87 is rated <strong>medium</strong>, as it results in the
- loss of functionality.</p>
-
- <p>SECURITY-110 is rated <strong>medium</strong>, as it results in a
- limited amount of information exposure.</p>
-
- <p>SECURITY-127 and SECURITY-128 are rated <strong>high</strong>. The
- former can be used to further escalate privileges, and the latter
- results in loss of data.</p>
-
- <p>SECURITY-131 and SECURITY-138 is rated <strong>critical</strong>.
- This vulnerabilities results in exposure of sensitie information
- and is easily exploitable.</p>
-
- <p>SECURITY-143 is rated <strong>high</strong>. It is a passive
- attack, but it can result in a compromise of Jenkins master or loss
- of data.</p>
-
- <p>SECURITY-150 is rated <strong>critical</strong>. This attack can
- be mounted by any unauthenticated anonymous user with HTTP
- reachability to Jenkins instance, and results in remote code
- execution on Jenkins.</p>
-
- <p>SECURITY-155 is rated <strong>medium</strong>. This only affects
- users who have installed proprietary plugins on publicly accessible
- instances, which is relatively uncommon.</p>
-
- <p>SECURITY-159 is rated <strong>critical</strong>. This attack can
- be mounted by any unauthenticated anonymous user with HTTP
- reachability to Jenkins instance.</p>
-
- <p>SECURITY-113 is rated <strong>high</strong>. It is a passive
- attack, but it can result in a compromise of Jenkins master or loss
- of data.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -56859,107 +60147,7 @@
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14">
<p>This advisory announces multiple security vulnerabilities that
were found in Jenkins core.</p>
- <ol>
- <li>
- <p>iSECURITY-105</p>
- <p>In some places, Jenkins XML API uses XStream to deserialize
- arbitrary content, which is affected by CVE-2013-7285 reported
- against XStream. This allows malicious users of Jenkins with
- a limited set of permissions to execute arbitrary code inside
- Jenkins master.</p>
- </li>
- <li>
- <p>SECURITY-76 & SECURITY-88 / CVE-2013-5573</p>
- <p>Restrictions of HTML tags for user-editable contents are too
- lax. This allows malicious users of Jenkins to trick other
- unsuspecting users into providing sensitive information.</p>
- </li>
- <li>
- <p>SECURITY-109</p>
- <p>Plugging a hole in the earlier fix to SECURITY-55. Under some
- circimstances, a malicious user of Jenkins can configure job
- X to trigger another job Y that the user has no access to.</p>
- </li>
- <li>
- <p>SECURITY-108</p>
- <p>CLI job creation had a directory traversal vulnerability. This
- allows a malicious user of Jenkins with a limited set of
- permissions to overwrite files in the Jenkins master and
- escalate privileges.</p>
- </li>
- <li>
- <p>SECURITY-106</p>
- <p>The embedded Winstone servlet container is susceptive to
- session hijacking attack.</p>
- </li>
- <li>
- <p>SECURITY-93</p>
- <p>The password input control in the password parameter
- definition in the Jenkins UI was serving the actual value of
- the password in HTML, not an encrypted one. If a sensitive
- value is set as the default value of such a parameter
- definition, it can be exposed to unintended audience.</p>
- </li>
- <li>
- <p>SECURITY-89</p>
- <p>Deleting the user was not invalidating the API token,
- allowing users to access Jenkins when they shouldn't be
- allowed to do so.</p>
- </li>
- <li>
- <p>SECURITY-80</p>
- <p>Jenkins UI was vulnerable to click jacking attacks.</p>
- </li>
- <li>
- <p>SECURITY-79</p>
- <p>"Jenkins' own user database" was revealing the
- presence/absence of users when login attempts fail.</p>
- </li>
- <li>
- <p>SECURITY-77</p>
- <p>Jenkins had a cross-site scripting vulnerability in one of its
- cookies. If Jenkins is deployed in an environment that allows
- an attacker to override Jenkins cookies in victim's browser,
- this vulnerability can be exploited.</p>
- </li>
- <li>
- <p>SECURITY-75</p>
- <p>Jenkins was vulnerable to session fixation attack. If Jenkins
- is deployed in an environment that allows an attacker to
- override Jenkins cookies in victim's browser, this
- vulnerability can be exploited.</p>
- </li>
- <li>
- <p>SECURITY-74</p>
- <p>Stored XSS vulnerability. A malicious user of Jenkins with a
- certain set of permissions can cause Jenkins to store
- arbitrary HTML fragment.</p>
- </li>
- <li>
- <p>SECURITY-73</p>
- <p>Some of the system diagnostic functionalities were checking a
- lesser permission than it should have. In a very limited
- circumstances, this can cause an attacker to gain information
- that he shouldn't have access to.</p>
- </li>
- </ol>
- <p>Severity</p>
- <ol>
- <li>SECURITY-106, and SECURITY-80 are rated <strong>high</strong>. An attacker only
- needs direct HTTP access to the server to mount this attack.</li>
- <li>SECURITY-105, SECURITY-109, SECURITY-108, and SECURITY-74 are
- rated <strong>high</strong>. These vulnerabilities allow attackes with valid
- Jenkins user accounts to escalate privileges in various ways.</li>
- <li>SECURITY-76, SECURIT-88, and SECURITY-89 are rated <strong>medium.</strong>
- These vulnerabilities requires an attacker to be an user of
- Jenkins, and the mode of the attack is limited.</li>
- <li>SECURITY-93, and SECURITY-79 are <strong>rated</strong> low. These
- vulnerabilities only affect a small part of Jenkins and has
- limited impact.</li>
- <li>SECURITY-77, SECURITY-75, and SECURITY-73 are <strong>rated</strong> low. These
- vulnerabilities are hard to exploit unless combined with other
- exploit in the network.</li>
- </ol>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -60203,97 +63391,29 @@
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php">
<p>XSS due to unescaped HTML Output when executing a SQL query.</p>
- <p>Using a crafted SQL query, it was possible to produce an
- XSS on the SQL query form.</p>
- <p>This vulnerability can be triggered only by someone who
- logged in to phpMyAdmin, as the usual token protection
- prevents non-logged-in users from accessing the required
- form.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php">
<p>5 XSS vulnerabilities in setup, chart display, process
list, and logo link.</p>
- <ul>
- <li>In the setup/index.php, using a crafted # hash with a
- Javascript event, untrusted JS code could be
- executed.</li>
- <li>In the Display chart view, a chart title containing
- HTML code was rendered unescaped, leading to possible
- JavaScript code execution via events.</li>
- <li>A malicious user with permission to create databases
- or users having HTML tags in their name, could trigger an
- XSS vulnerability by issuing a sleep query with a long
- delay. In the server status monitor, the query parameters
- were shown unescaped.</li>
- <li>By configuring a malicious URL for the phpMyAdmin logo
- link in the navigation sidebar, untrusted script code
- could be executed when a user clicked the logo.</li>
- <li>The setup field for "List of trusted proxies for IP
- allow/deny" Ajax validation code returned the unescaped
- input on errors, leading to possible JavaScript execution
- by entering arbitrary HTML.</li>
- </ul>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php">
<p>If a crafted version.json would be presented, an XSS
could be introduced.</p>
- <p>Due to not properly validating the version.json file,
- which is fetched from the phpMyAdmin.net website, could lead
- to an XSS attack, if a crafted version.json file would be
- presented.</p>
- <p>This vulnerability can only be exploited with a
- combination of complicated techniques and tricking the user
- to visit a page.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php">
<p>Full path disclosure vulnerabilities.</p>
- <p>By calling some scripts that are part of phpMyAdmin in an
- unexpected way, it is possible to trigger phpMyAdmin to
- display a PHP error message which contains the full path of
- the directory where phpMyAdmin is installed.</p>
- <p>This path disclosure is possible on servers where the
- recommended setting of the PHP configuration directive
- display_errors is set to on, which is against the
- recommendations given in the PHP manual.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php">
<p> XSS vulnerability when a text to link transformation is
used.</p>
- <p>When the TextLinkTransformationPlugin is used to create a
- link to an object when displaying the contents of a table,
- the object name is not properly escaped, which could lead to
- an XSS, if the object name has a crafted value.</p>
- <p>The stored XSS vulnerabilities can be triggered only by
- someone who logged in to phpMyAdmin, as the usual token
- protection prevents non-logged-in users from accessing the
- required forms.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php">
<p>Self-XSS due to unescaped HTML output in schema
export.</p>
- <p>When calling schema_export.php with crafted parameters,
- it is possible to trigger an XSS.</p>
- <p>This vulnerability can be triggered only by someone who
- logged in to phpMyAdmin, as the usual token protection
- prevents non-logged-in users from accessing the required
- form.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php">
<p>SQL injection vulnerabilities, producing a privilege
escalation (control user).</p>
- <p>Due to a missing validation of parameters passed to
- schema_export.php and pmd_pdf.php, it was possible to inject
- SQL statements that would run with the privileges of the
- control user. This gives read and write access to the tables
- of the configuration storage database, and if the control
- user has the necessary privileges, read access to some
- tables of the mysql database.</p>
- <p>These vulnerabilities can be triggered only by someone
- who logged in to phpMyAdmin, as the usual token protection
- prevents non-logged-in users from accessing the required
- form. Moreover, a control user must have been created and
- configured as part of the phpMyAdmin configuration storage
- installation.</p>
</blockquote>
</body>
</description>
@@ -76783,85 +79903,7 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">
- <p>Today the Django team is issuing multiple releases --
- Django 1.2.6 and Django 1.3.1 -- to remedy security issues
- reported to us. Additionally, this announcement contains
- advisories for several other issues which, while not
- requiring changes to Django itself, will be of concern
- to users of Django.</p>
- <p>All users are encouraged to upgrade Django, and to implement
- the recommendations in these advisories, immediately.</p>
- <h3>Session manipulation</h3>
- <p>Django's session framework, django.contrib.sessions, is
- configurable to use any of multiple backends for storage of
- session data. One such backend, provided with Django itself,
- integrates with Django's cache framework to use the cache as
- storage for session data.</p>
- <p>When configured in this fashion using memory-based sessions
- and caching, Django sessions are stored directly in the root
- namespace of the cache, using session identifiers as keys.</p>
- <p>This results in a potential attack when coupled with an
- application storing user-supplied data in the cache; if an
- attacker can cause data to be cached using a key which is
- also a valid session identifier, Django's session framework
- will treat that data -- so long as it is a dictionary-like
- object -- as the session, thus allowing arbitrary data to be
- inserted into a session so long as the attacker knows the
- session key.</p>
- <h3>Denial of service attack via URLField</h3>
- <p>Django's model system includes a field type -- URLField --
- which validates that the supplied value is a valid URL, and if
- the boolean keyword argument verify_exists is true, attempts
- to validate that the supplied URL also resolves, by issuing a
- request to it.</p>
- <p>By default, the underlying socket libraries in Python do not
- have a timeout. This can manifest as a security problem in
- three different ways:</p>
- <ol>
- <li>An attacker can supply a slow-to-respond URL. Each request
- will tie up a server process for a period of time; if the
- attacker is able to make enough requests, they can tie up
- all available server processes.</li>
- <li>An attacker can supply a URL under his or her control, and
- which will simply hold an open connection indefinitely. Due
- to the lack of timeout, the Django process attempting to
- verify the URL will similarly spin indefinitely. Repeating
- this can easily tie up all available server processes.</li>
- <li>An attacker can supply a URL under his or her control
- which not only keeps the connection open, but also sends an
- unending stream of random garbage data. This data will
- cause the memory usage of the Django process (which will
- hold the response in memory) to grow without bound, thus
- consuming not only server processes but also server
- memory.</li>
- </ol>
- <h3>URLField redirection</h3>
- <p>The regular expression which validates URLs is used to check
- the supplied URL before issuing a check to verify that it
- exists, but if that URL issues a redirect in response to the
- request, no validation of the resulting redirected URL is
- performed, including basic checks for supported protocols
- (HTTP, HTTPS, and FTP).</p>
- <p>This creates a small window for an attacker to gain knowledge
- of, for example, server layout; a redirect to a file:// URL,
- for example, will tell an attacker whether a given file exists
- locally on the server.</p>
- <p>Additionally, although the initial request issued by Django
- uses the HEAD method for HTTP/HTTPS, the request to the target
- of the redirect is issued using GET. This may create further
- issues for systems which implicitly trust GET requests from
- the local machine/network.</p>
- <h3>Host header cache poisoning</h3>
- <p>In several places, Django itself -- independent of the
- developer -- generates full URLs (for example, when issuing
- HTTP redirects). Currently this uses the value of the HTTP
- Host header from the request to construct the URL, which opens
- a potential cache-poisoning vector: an attacker can submit
- a request with a Host header of his or her choice, receive a
- response which constructs URLs using that Host header, and --
- if that response is cached -- further requests will be served
- out of cache using URLs containing the attacker's host of
- choice.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -81767,6 +84809,10 @@
</dates>
</vuln>
+ <vuln vid="6887828f-0229-11e0-b84d-00262d5ed8ee">
+ <cancelled/>
+ </vuln>
+
<vuln vid="b2a6fc0e-070f-11e0-a6e9-00215c6a37bb">
<cancelled/>
</vuln>
@@ -93857,6 +96903,7 @@
<affects>
<package>
<name>vim</name>
+ <name>vim-console</name>
<name>vim-lite</name>
<name>vim-gtk2</name>
<name>vim-gnome</name>
@@ -97799,6 +100846,7 @@
<affects>
<package>
<name>vim</name>
+ <name>vim-console</name>
<name>vim-lite</name>
<name>vim-ruby</name>
<name>vim6</name>
@@ -103760,6 +106808,7 @@
<affects>
<package>
<name>vim</name>
+ <name>vim-console</name>
<name>vim-lite</name>
<name>vim-ruby</name>
<name>vim6</name>
@@ -119142,6 +122191,7 @@
<affects>
<package>
<name>vim</name>
+ <name>vim-console</name>
<name>vim-lite</name>
<name>vim+ruby</name>
<range><ge>6.3</ge><lt>6.3.82</lt></range>
@@ -120835,88 +123885,8 @@
<p>An Ethreal Security Advisories reports:</p>
<blockquote cite="http://www.ethereal.com/appnotes/enpa-sa-00019.html">
<p>An aggressive testing program as well as independent
- discovery has turned up a multitude of security issues:</p>
- <ul>
- <li>The ANSI A dissector was susceptible to format string
- vulnerabilities. Discovered by Bryan Fulton.</li>
- <li>The GSM MAP dissector could crash.</li>
- <li>The AIM dissector could cause a crash.</li>
- <li>The DISTCC dissector was susceptible to a buffer
- overflow. Discovered by Ilja van Sprundel</li>
- <li>The FCELS dissector was susceptible to a buffer
- overflow. Discovered by Neil Kettle</li>
- <li>The SIP dissector was susceptible to a buffer
- overflow. Discovered by Ejovi Nuwere.</li>
- <li>The KINK dissector was susceptible to a null pointer
- exception, endless looping, and other problems.</li>
- <li>The LMP dissector was susceptible to an endless
- loop.</li>
- <li>The Telnet dissector could abort.</li>
- <li>The TZSP dissector could cause a segmentation
- fault.</li>
- <li>The WSP dissector was susceptible to a null pointer
- exception and assertions.</li>
- <li>The 802.3 Slow protocols dissector could throw an
- assertion.</li>
- <li>The BER dissector could throw assertions.</li>
- <li>The SMB Mailslot dissector was susceptible to a null
- pointer exception and could throw assertions.</li>
- <li>The H.245 dissector was susceptible to a null pointer
- exception.</li>
- <li>The Bittorrent dissector could cause a segmentation
- fault.</li>
- <li>The SMB dissector could cause a segmentation fault and
- throw assertions.</li>
- <li>The Fibre Channel dissector could cause a crash.</li>
- <li>The DICOM dissector could attempt to allocate large
- amounts of memory.</li>
- <li>The MGCP dissector was susceptible to a null pointer
- exception, could loop indefinitely, and segfault.</li>
- <li>The RSVP dissector could loop indefinitely.</li>
- <li>The DHCP dissector was susceptible to format string
- vulnerabilities, and could abort.</li>
- <li>The SRVLOC dissector could crash unexpectedly or go
- into an infinite loop.</li>
- <li>The EIGRP dissector could loop indefinitely.</li>
- <li>The ISIS dissector could overflow a buffer.</li>
- <li>The CMIP, CMP, CMS, CRMF, ESS, OCSP, PKIX1Explitit,
- PKIX Qualified, and X.509 dissectors could overflow
- buffers.</li>
- <li>The NDPS dissector could exhaust system memory or
- cause an assertion, or crash.</li>
- <li>The Q.931 dissector could try to free a null pointer
- and overflow a buffer.</li>
- <li>The IAX2 dissector could throw an assertion.</li>
- <li>The ICEP dissector could try to free the same memory
- twice.</li>
- <li>The MEGACO dissector was susceptible to an infinite
- loop and a buffer overflow.</li>
- <li>The DLSw dissector was susceptible to an infinite
- loop.</li>
- <li>The RPC dissector was susceptible to a null pointer
- exception.</li>
- <li>The NCP dissector could overflow a buffer or loop for
- a large amount of time.</li>
- <li>The RADIUS dissector could throw an assertion.</li>
- <li>The GSM dissector could access an invalid
- pointer.</li>
- <li>The SMB PIPE dissector could throw an assertion.</li>
- <li>The L2TP dissector was susceptible to an infinite loop.</li>
- <li>The SMB NETLOGON dissector could dereference a null
- pointer.</li>
- <li>The MRDISC dissector could throw an assertion.</li>
- <li>The ISUP dissector could overflow a buffer or cause a
- segmentation fault.</li>
- <li>The LDAP dissector could crash.</li>
- <li>The TCAP dissector could overflow a buffer or throw an
- assertion.</li>
- <li>The NTLMSSP dissector could crash.</li>
- <li>The Presentation dissector could overflow a
- buffer.</li>
- <li>Additionally, a number of dissectors could throw an
- assertion when passing an invalid protocol tree item
- length.</li>
- </ul>
+ discovery has turned up a multitude of security issues</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -128149,6 +131119,7 @@
<affects>
<package>
<name>vim</name>
+ <name>vim-console</name>
<name>vim-lite</name>
<name>vim+ruby</name>
<range><lt>6.3.45</lt></range>
More information about the Midnightbsd-cvs
mailing list