[Midnightbsd-cvs] mports [24304] trunk/security/vuxml/vuln.xml: update vulnerability list
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Tue Sep 11 22:52:54 EDT 2018
Revision: 24304
http://svnweb.midnightbsd.org/mports/?rev=24304
Author: laffer1
Date: 2018-09-11 22:52:53 -0400 (Tue, 11 Sep 2018)
Log Message:
-----------
update vulnerability list
Modified Paths:
--------------
trunk/security/vuxml/vuln.xml
Modified: trunk/security/vuxml/vuln.xml
===================================================================
--- trunk/security/vuxml/vuln.xml 2018-09-12 01:14:56 UTC (rev 24303)
+++ trunk/security/vuxml/vuln.xml 2018-09-12 02:52:53 UTC (rev 24304)
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">
<!--
-Copyright 2003-2016 Jacques Vidrine and contributors
+Copyright 2003-2018 Jacques Vidrine and contributors
Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
HTML, PDF, PostScript, RTF and so forth) with or without modification,
@@ -28,7 +28,7 @@
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- $FreeBSD: head/security/vuxml/vuln.xml 466712 2018-04-07 09:17:53Z mfechner $
+ $FreeBSD: head/security/vuxml/vuln.xml 479568 2018-09-11 20:36:43Z yuri $
QUICK GUIDE TO ADDING A NEW ENTRY
@@ -58,6 +58,4983 @@
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="fe818607-b5ff-11e8-856b-485b3931c969">
+ <topic>Containous Traefik -- exposes the configuration and secret</topic>
+ <affects>
+ <package>
+ <name>traefik</name>
+ <range><lt>1.6.6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MITRE reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15598">
+ <p>Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the
+ configuration and secret if authentication is missing and the API's port
+ is publicly reachable.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-15598</cvename>
+ <url>https://github.com/containous/traefik/pull/3790</url>
+ <url>https://github.com/containous/traefik/releases/tag/v1.6.6</url>
+ </references>
+ <dates>
+ <discovery>2018-08-20</discovery>
+ <entry>2018-09-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f9d73a20-b5f0-11e8-b1da-6451062f0f7a">
+ <topic>Flash Player -- information disclosure</topic>
+ <affects>
+ <package>
+ <name>linux-flashplayer</name>
+ <range><lt>31.0.0.108</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adobe reports:</p>
+ <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb18-31.html">
+ <ul>
+ <li>This update resolves a privilege escalation vulnerability that
+ could lead to information disclosure (CVE-2018-15967).</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-15967</cvename>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsb18-31.html</url>
+ </references>
+ <dates>
+ <discovery>2018-09-11</discovery>
+ <entry>2018-09-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="337960ec-b5dc-11e8-ac58-a4badb2f4699">
+ <topic>Plex Media Server -- Information Disclosure Vulnerability</topic>
+ <affects>
+ <package>
+ <name>plexmediaserver</name>
+ <name>plexmediaserver-plexpass</name>
+ <range><lt>1.13.5.5332</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Chris reports:</p>
+ <blockquote cite="https://seclists.org/fulldisclosure/2018/Aug/1">
+ <p>The XML parsing engine for Plex Media Server's SSDP/UPNP
+ functionality is vulnerable to an XML External Entity
+ Processing (XXE) attack. Unauthenticated attackers on the same LAN can
+ use this vulnerability to:</p>
+ <ul>
+ <li>Access arbitrary files from the filesystem with the same permission as
+ the user account running Plex.</li>
+ <li>Initiate SMB connections to capture NetNTLM challenge/response and
+ crack to clear-text password.</li>
+ <li>Initiate SMB connections to relay NetNTLM challenge/response and
+ achieve Remote Command Execution in Windows domains.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://seclists.org/fulldisclosure/2018/Aug/1</url>
+ <cvename>CVE-2018-13415</cvename>
+ </references>
+ <dates>
+ <discovery>2018-08-01</discovery>
+ <entry>2018-09-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f00acdec-b59f-11e8-805d-001e2a3f778d">
+ <topic>X11 Session -- SDDM allows unauthorised unlocking</topic>
+ <affects>
+ <package>
+ <name>sddm</name>
+ <range><lt>0.17.0_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MITRE reports:</p>
+ <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2018-14345">
+ <p>An issue was discovered in SDDM through 0.17.0. If configured with ReuseSession=true, the password is not checked for users with an already existing session. Any user with access to the system D-Bus can therefore unlock any graphical session.</p>
+ </blockquote>
+ <p>The default configuration of SDDM on FreeBSD is not affected, since it has ReuseSession=false.</p>
+ </body>
+ </description>
+ <references>
+ <url>https://www.suse.com/security/cve/CVE-2018-14345/</url>
+ <cvename>CVE-2018-14345</cvename>
+ </references>
+ <dates>
+ <discovery>2018-08-13</discovery>
+ <entry>2018-09-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="db2acdac-b5a7-11e8-8f6f-00e04c1ea73d">
+ <topic>mybb -- vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mybb</name>
+ <range><lt>1.8.18</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>mybb Team reports:</p>
+ <blockquote cite="https://blog.mybb.com/2018/08/22/mybb-1-8-18-released-security-maintenance-release/">
+ <p>High risk: Image MyCode “alt” attribute persistent XSS.</p>
+ <p>Medium risk: RSS Atom 1.0 item title persistent XSS.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://blog.mybb.com/2018/08/22/mybb-1-8-18-released-security-maintenance-release/</url>
+ </references>
+ <dates>
+ <discovery>2018-08-22</discovery>
+ <entry>2018-09-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7c750960-b129-11e8-9fcd-080027f43a02">
+ <topic>Information disclosure - Gitea leaks email addresses</topic>
+ <affects>
+ <package>
+ <name>gitea</name>
+ <range><lt>1.5.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Gitea project reports:</p>
+ <blockquote cite="https://github.com/go-gitea/gitea/issues/4417">
+ <p>[Privacy] Gitea leaks hidden email addresses #4417</p>
+ <p>A fix has been implemented in Gitea 1.5.1.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/go-gitea/gitea/issues/4417</url>
+ <url>https://github.com/go-gitea/gitea/pull/4784</url>
+ </references>
+ <dates>
+ <discovery>2018-07-10</discovery>
+ <entry>2018-09-05</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="2a92555f-a6f8-11e8-8acd-10c37b4ac2ea">
+ <topic>links -- denial of service</topic>
+ <affects>
+ <package>
+ <name>links</name>
+ <range><lt>2.16,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>NIST reports:</p>
+ <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-11114">
+ <p>The put_chars function in html_r.c in Twibright Links 2.14 allows
+ remote attackers to cause a denial of service (buffer over-read)
+ via a crafted HTML file.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2017-11114</url>
+ <cvename>CVE-2017-11114</cvename>
+ </references>
+ <dates>
+ <discovery>2017-07-31</discovery>
+ <entry>2018-08-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f4d638b9-e6e5-4dbe-8c70-571dbc116174">
+ <topic>curl -- password overflow vulnerability</topic>
+ <affects>
+ <package>
+ <name>curl</name>
+ <range><ge>7.15.4</ge><lt>7.61.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>curl security problems:</p>
+ <blockquote cite="https://curl.haxx.se/docs/security.html">
+ <p>CVE-2018-14618: NTLM password overflow via integer overflow</p>
+ <p>The internal function Curl_ntlm_core_mk_nt_hash multiplies the length
+ of the password by two (SUM) to figure out how large temporary storage
+ area to allocate from the heap.</p>
+ <p>The length value is then subsequently used to iterate over the
+ password and generate output into the allocated storage buffer. On
+ systems with a 32 bit size_t, the math to calculate SUM triggers an
+ integer overflow when the password length exceeds 2GB (2^31 bytes).
+ This integer overflow usually causes a very small buffer to actually
+ get allocated instead of the intended very huge one, making the use of
+ that buffer end up in a heap buffer overflow.</p>
+ <p>This bug is almost identical to CVE-2017-8816.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://curl.haxx.se/docs/security.html</url>
+ <url>https://curl.haxx.se/docs/CVE-2018-14618.html</url>
+ <cvename>CVE-2018-14618</cvename>
+ </references>
+ <dates>
+ <discovery>2018-09-05</discovery>
+ <entry>2018-09-05</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c96d416a-eae7-4d5d-bc84-40deca9329fb">
+ <topic>mozilla -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>62.0_1,1</lt></range>
+ </package>
+ <package>
+ <name>seamonkey</name>
+ <name>linux-seamonkey</name>
+ <range><lt>2.49.5</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>60.2.0_1,1</lt></range>
+ </package>
+ <package>
+ <name>linux-firefox</name>
+ <range><lt>60.2.0,2</lt></range>
+ </package>
+ <package>
+ <name>libxul</name>
+ <name>thunderbird</name>
+ <name>linux-thunderbird</name>
+ <range><lt>60.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mozilla Foundation reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/">
+ <p>CVE-2018-12377: Use-after-free in refresh driver timers</p>
+ <p>CVE-2018-12378: Use-after-free in IndexedDB</p>
+ <p>CVE-2018-12379: Out-of-bounds write with malicious MAR file</p>
+ <p>CVE-2017-16541: Proxy bypass using automount and autofs</p>
+ <p>CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation</p>
+ <p>CVE-2018-12382: Addressbar spoofing with javascript URI on Firefox for Android</p>
+ <p>CVE-2018-12383: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords</p>
+ <p>CVE-2018-12375: Memory safety bugs fixed in Firefox 62</p>
+ <p>CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-16541</cvename>
+ <cvename>CVE-2018-12375</cvename>
+ <cvename>CVE-2018-12376</cvename>
+ <cvename>CVE-2018-12377</cvename>
+ <cvename>CVE-2018-12378</cvename>
+ <cvename>CVE-2018-12379</cvename>
+ <cvename>CVE-2018-12381</cvename>
+ <cvename>CVE-2018-12382</cvename>
+ <cvename>CVE-2018-12383</cvename>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/</url>
+ </references>
+ <dates>
+ <discovery>2018-09-05</discovery>
+ <entry>2018-09-05</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="30c0f878-b03e-11e8-be8a-0011d823eebd">
+ <topic>Ghostscript -- arbitrary code execution</topic>
+ <affects>
+ <package>
+ <name>ghostscript9-agpl-base</name>
+ <name>ghostscript9-agpl-x11</name>
+ <range><lt>9.24</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>CERT reports:</p>
+ <blockquote cite="https://www.kb.cert.org/vuls/id/332928">
+ <p>Ghostscript contains an optional -dSAFER option, which is supposed
+ to prevent unsafe PostScript operations. Multiple PostScript
+ operations bypass the protections provided by -dSAFER, which can
+ allow an attacker to execute arbitrary commands with arbitrary
+ arguments. This vulnerability can also be exploited in applications
+ that leverage Ghostscript, such as ImageMagick, GraphicsMagick,
+ evince, Okular, Nautilus, and others.</p>
+ <p>Exploit code for this vulnerability is publicly available.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.kb.cert.org/vuls/id/332928</url>
+ <cvename>CVE-2018-15908</cvename>
+ <cvename>CVE-2018-15909</cvename>
+ <cvename>CVE-2018-15910</cvename>
+ <cvename>CVE-2018-15911</cvename>
+ </references>
+ <dates>
+ <discovery>2018-08-21</discovery>
+ <entry>2018-09-04</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="1f8d5806-ac51-11e8-9cb6-10c37b4ac2ea">
+ <topic>grafana -- LDAP and OAuth login vulnerability</topic>
+ <affects>
+ <package>
+ <name>grafana5</name>
+ <range><ge>5.0.0</ge><lt>5.2.3</lt></range>
+ </package>
+ <package>
+ <name>grafana4</name>
+ <range><ge>4.0.0</ge><lt>4.6.4</lt></range>
+ </package>
+ <package>
+ <name>grafana3</name>
+ <range><ge>3.0.0</ge></range>
+ </package>
+ <package>
+ <name>grafana2</name>
+ <range><ge>2.0.0</ge></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Grafana Labs reports:</p>
+ <blockquote cite="https://community.grafana.com/t/grafana-5-2-3-and-4-6-4-security-update/10050">
+ <p>On the 20th of August at 1800 CEST we were contacted about a
+ potential security issue with the “remember me” cookie Grafana
+ sets upon login. The issue targeted users without a local Grafana
+ password (LDAP & OAuth users) and enabled a potential attacker
+ to generate a valid cookie knowing only a username.</p>
+ <p>All installations which use the Grafana LDAP or OAuth
+ authentication features must be upgraded as soon as possible. If
+ you cannot upgrade, you should switch authentication mechanisms
+ or put additional protections in front of Grafana such as a
+ reverse proxy.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://community.grafana.com/t/grafana-5-2-3-and-4-6-4-security-update/10050</url>
+ <cvename>CVE-2018-558213</cvename>
+ </references>
+ <dates>
+ <discovery>2018-08-20</discovery>
+ <entry>2018-08-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ffeb25d0-ac94-11e8-ab15-d8cb8abf62dd">
+ <topic>Gitlab -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>gitlab-ce</name>
+ <range><ge>11.2.0</ge><lt>11.2.3</lt></range>
+ <range><ge>11.1.0</ge><lt>11.1.6</lt></range>
+ <range><ge>2.7.0</ge><lt>11.0.6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Gitlab reports:</p>
+ <blockquote cite="https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/">
+ <p>Persistent XSS in Pipeline Tooltip</p>
+ <p>GitLab.com GCP Endpoints Exposure</p>
+ <p>Persistent XSS in Merge Request Changes View</p>
+ <p>Sensitive Data Disclosure in Sidekiq Logs</p>
+ <p>Missing CSRF in System Hooks</p>
+ <p>Orphaned Upload Files Exposure</p>
+ <p>Missing Authorization Control API Repository Storage</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/</url>
+ </references>
+ <dates>
+ <discovery>2018-08-28</discovery>
+ <entry>2018-08-30</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d0be41fe-2a20-4633-b057-4e8b25c41780">
+ <topic>bro -- array bounds and potential DOS issues</topic>
+ <affects>
+ <package>
+ <name>bro</name>
+ <range><lt>2.5.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Corelight reports:</p>
+ <blockquote cite="https://www.bro.org/download/NEWS.bro.html">
+ <p>Bro 2.5.5 primarily addresses security issues:</p>
+ <ul>
+ <li>Fix array bounds checking in BinPAC: for arrays
+ that are fields within a record, the bounds check
+ was based on a pointer to the start of the record
+ rather than the start of the array field, potentially
+ resulting in a buffer over-read.</li>
+ <li>Fix SMTP command string comparisons: the number
+ of bytes compared was based on the user-supplied
+ string length and can lead to incorrect matches.
+ e.g. giving a command of "X" incorrectly matched
+ "X-ANONYMOUSTLS" (and an empty commands match
+ anything).</li>
+ </ul>
+ <p>Address potential vectors for Denial of Service:</p>
+ <ul>
+ <li>"Weird" events are now generally suppressed/sampled
+ by default according to some tunable parameters.</li>
+ <li>Improved handling of empty lines in several text
+ protocol analyzers that can cause performance issues
+ when seen in long sequences.</li>
+ <li>Add `smtp_excessive_pending_cmds' weird which
+ serves as a notification for when the "pending
+ command" queue has reached an upper limit and been
+ cleared to prevent one from attempting to slowly
+ exhaust memory.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.bro.org/download/NEWS.bro.html</url>
+ </references>
+ <dates>
+ <discovery>2018-08-28</discovery>
+ <entry>2018-08-29</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="0904e81f-a89d-11e8-afbb-bc5ff4f77b71">
+ <topic>node.js -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>node</name>
+ <range><lt>10.9.0</lt></range>
+ </package>
+ <package>
+ <name>node8</name>
+ <range><lt>8.11.4</lt></range>
+ </package>
+ <package>
+ <name>node6</name>
+ <range><lt>6.14.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Node.js reports:</p>
+ <blockquote cite="https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/">
+ <h1>OpenSSL: Client DoS due to large DH parameter</h1>
+ <p>This fixes a potential denial of service (DoS) attack
+ against client connections by a malicious server. During a TLS
+ communication handshake, where both client and server agree to
+ use a cipher-suite using DH or DHE (Diffie-Hellman, in both
+ ephemeral and non-ephemeral modes), a malicious server can
+ send a very large prime value to the client. Because this has
+ been unbounded in OpenSSL, the client can be forced to spend
+ an unreasonably long period of time to generate a key,
+ potentially causing a denial of service.</p>
+ <h1>OpenSSL: ECDSA key extraction via local side-channel</h1>
+ <p>Attackers with access to observe cache-timing may be able
+ to extract DSA or ECDSA private keys by causing the victim to
+ create several signatures and watching responses. This flaw
+ does not have a CVE due to OpenSSL policy to not assign itself
+ CVEs for local-only vulnerabilities that are more academic
+ than practical. This vulnerability was discovered by Keegan
+ Ryan at NCC Group and impacts many cryptographic libraries
+ including OpenSSL.</p>
+ <h1>Unintentional exposure of uninitialized memory</h1>
+ <p>Only Node.js 10 is impacted by this flaw.</p>
+ <p>Node.js TSC member Nikita Skovoroda discovered an argument
+ processing flaw that causes Buffer.alloc() to return
+ uninitialized memory. This method is intended to be safe and
+ only return initialized, or cleared, memory. The third
+ argument specifying encoding can be passed as a number, this
+ is misinterpreted by Buffer's internal "fill" method as the
+ start to a fill operation. This flaw may be abused where
+ Buffer.alloc() arguments are derived from user input to return
+ uncleared memory blocks that may contain sensitive
+ information.</p>
+ <h1>Out of bounds (OOB) write</h1>
+ <p>Node.js TSC member Nikita Skovoroda discovered an OOB write
+ in Buffer that can be used to write to memory outside of a
+ Buffer's memory space. This can corrupt unrelated Buffer
+ objects or cause the Node.js process to crash.</p>
+ <p>When used with UCS-2 encoding (recognized by Node.js under
+ the names 'ucs2', 'ucs-2', 'utf16le' and 'utf-16le'),
+ Buffer#write() can be abused to write outside of the bounds of
+ a single Buffer. Writes that start from the second-to-last
+ position of a buffer cause a miscalculation of the maximum
+ length of the input bytes to be written.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/</url>
+ <cvename>CVE-2018-0732</cvename>
+ <cvename>CVE-2018-7166</cvename>
+ <cvename>CVE-2018-12115</cvename>
+ </references>
+ <dates>
+ <discovery>2018-08-16</discovery>
+ <entry>2018-08-25</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="45671c0e-a652-11e8-805b-a4badb2f4699">
+ <topic>FreeBSD -- Unauthenticated EAPOL-Key Decryption Vulnerability</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>11.2</ge><lt>11.2_2</lt></range>
+ <range><ge>11.1</ge><lt>11.1_13</lt></range>
+ <range><ge>10.4</ge><lt>10.4_11</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>When using WPA2, EAPOL-Key frames with the Encrypted
+ flag and without the MIC flag set, the data field was
+ decrypted first without verifying the MIC. When the dta
+ field was encrypted using RC4, for example, when negotiating
+ TKIP as a pairwise cipher, the unauthenticated but decrypted
+ data was subsequently processed. This opened wpa_supplicant(8)
+ to abuse by decryption and recovery of sensitive information
+ contained in EAPOL-Key messages.</p>
+ <p>See
+ https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
+ for a detailed description of the bug.</p>
+ <h1>Impact:</h1>
+ <p>All users of the WPA2 TKIP pairwise cipher are vulnerable
+ to information, for example, the group key.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-1452</cvename>
+ <freebsdsa>SA-18:11.hostapd</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2018-08-14</discovery>
+ <entry>2018-08-22</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="359e1548-a652-11e8-805b-a4badb2f4699">
+ <topic>FreeBSD -- Resource exhaustion in IP fragment reassembly</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>11.2</ge><lt>11.2_2</lt></range>
+ <range><ge>11.1</ge><lt>11.1_13</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>A researcher has notified us of a DoS attack applicable
+ to another operating system. While FreeBSD may not be
+ vulnerable to that exact attack, we have identified several
+ places where inadequate DoS protection could allow an
+ attacker to consume system resources.</p>
+ <p>It is not necessary that the attacker be able to establish
+ two-way communication to carry out these attacks. These
+ attacks impact both IPv4 and IPv6 fragment reassembly.</p>
+ <h1>Impact:</h1>
+ <p>In the worst case, an attacker could send a stream of
+ crafted fragments with a low packet rate which would consume
+ a substantial amount of CPU.</p>
+ <p>Other attack vectors allow an attacker to send a stream
+ of crafted fragments which could consume a large amount of
+ CPU or all available mbuf clusters on the system.</p>
+ <p>These attacks could temporarily render a system unreachable
+ through network interfaces or temporarily render a system
+ unresponsive. The effects of the attack should clear within
+ 60 seconds after the attack stops.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-6923</cvename>
+ <freebsdsa>SA-18:10.ip</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2018-08-14</discovery>
+ <entry>2018-08-22</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="2310b814-a652-11e8-805b-a4badb2f4699">
+ <topic>FreeBSD -- L1 Terminal Fault (L1TF) Kernel Information Disclosure</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>11.2</ge><lt>11.2_2</lt></range>
+ <range><ge>11.1</ge><lt>11.1_13</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>On certain Intel 64-bit x86 systems there is a period
+ of time during terminal fault handling where the CPU may
+ use speculative execution to try to load data. The CPU may
+ speculatively access the level 1 data cache (L1D). Data
+ which would otherwise be protected may then be determined
+ by using side channel methods.</p>
+ <p>This issue affects bhyve on FreeBSD/amd64 systems.</p>
+ <h1>Impact:</h1>
+ <p>An attacker executing user code, or kernel code inside
+ of a virtual machine, may be able to read secret data from
+ the kernel or from another virtual machine.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-3620</cvename>
+ <cvename>CVE-2018-3646</cvename>
+ <freebsdsa>SA-18:09.l1tf</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2018-08-14</discovery>
+ <entry>2018-08-22</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e53a908d-a645-11e8-8acd-10c37b4ac2ea">
+ <topic>gogs -- open redirect vulnerability</topic>
+ <affects>
+ <package>
+ <name>gogs</name>
+ <range><lt>0.11.53_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>bluecatli (Tencent's Xuanwu Lab) reports:</p>
+ <blockquote cite="https://github.com/gogs/gogs/issues/5364">
+ <p>The function isValidRedirect in gogs/routes/user/auth.go is used in login action to validate if url is on the same site.</p>
+ <p>If the Location header startswith /\, it will be transformed to // by browsers.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/gogs/gogs/issues/5364</url>
+ <url>https://github.com/gogs/gogs/pull/5365</url>
+ <url>https://github.com/gogs/gogs/commit/1f247cf8139cb483276cd8dd06385a800ce9d4b2</url>
+ </references>
+ <dates>
+ <discovery>2018-08-06</discovery>
+ <entry>2018-08-22</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9e205ef5-a649-11e8-b1f6-6805ca0b3d42">
+ <topic>phpmyadmin -- XSS in the import dialog</topic>
+ <affects>
+ <package>
+ <name>phpMyAdmin</name>
+ <name>phpMyAdmin-php56</name>
+ <name>phpMyAdmin-php70</name>
+ <name>phpMyAdmin-php71</name>
+ <name>phpMyAdmin-php72</name>
+ <range><lt>4.8.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The phpMyAdmin development team reports:</p>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2018-5/">
+ <h3>Description</h3>
+ <p>A Cross-Site Scripting vulnerability was found in the
+ file import feature, where an attacker can deliver a payload
+ to a user through importing a specially-crafted file.</p>
+ <h3>Severity</h3>
+ <p>We consider this attack to be of moderate severity.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.phpmyadmin.net/security/PMASA-2018-5/</url>
+ <cvename>CVE-2018-15605</cvename>
+ </references>
+ <dates>
+ <discovery>2018-08-21</discovery>
+ <entry>2018-08-22</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="fe99d3ca-a63a-11e8-a7c6-54e1ad3d6335">
+ <topic>libX11 -- Multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>libX11</name>
+ <range><lt>1.6.6,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The freedesktop.org project reports:</p>
+ <blockquote cite="https://lists.x.org/archives/xorg-announce/2018-August/002915.html">
+ <p>The functions XGetFontPath, XListExtensions, and XListFonts are
+ vulnerable to an off-by-one override on malicious server responses.
+ The server replies consist of chunks consisting of a length byte
+ followed by actual string, which is not NUL-terminated.
+ While parsing the response, the length byte is overridden with '\0',
+ thus the memory area can be used as storage of C strings later on.
+ To be able to NUL-terminate the last string, the buffer is reserved
+ with an additional byte of space. For a boundary check, the variable
+ chend (end of ch) was introduced, pointing at the end of the buffer
+ which ch initially points to. Unfortunately there is a difference
+ in handling "the end of ch". While chend points at the first byte
+ that must not be written to, the for-loop uses chend as the last
+ byte that can be written to. Therefore, an off-by-one can occur.</p>
+ <p>The length value is interpreted as signed char on many systems
+ (depending on default signedness of char), which can lead to an out
+ of boundary write up to 128 bytes in front of the allocated storage,
+ but limited to NUL byte(s).</p>
+ <p>If the server sends a reply in which even the first string would
+ overflow the transmitted bytes, list[0] (or flist[0]) will be set to
+ NULL and a count of 0 is returned. If the resulting list is freed
+ with XFreeExtensionList or XFreeFontPath later on, the first Xfree
+ call is turned into Xfree (NULL-1) which will most likely trigger a
+ segmentation fault. Casting the length value to unsigned char fixes
+ the problem and allows string values with up to 255 characters.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://lists.x.org/archives/xorg-announce/2018-August/002915.html</url>
+ <cvename>CVE-2018-14598</cvename>
+ <cvename>CVE-2018-14599</cvename>
+ <cvename>CVE-2018-14600</cvename>
+ </references>
+ <dates>
+ <discovery>2018-08-21</discovery>
+ <entry>2018-08-22</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9b19b6df-a4be-11e8-9366-0028f8d09152">
+ <topic>couchdb -- administrator privilege escalation</topic>
+ <affects>
+ <package>
+ <name>couchdb</name>
+ <range><lt>2.2.0,2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Apache CouchDB PMC reports:</p>
+ <blockquote cite="https://lists.apache.org/thread.html/1052ad7a1b32b9756df4f7860f5cb5a96b739f444117325a19a4bf75@%3Cdev.couchdb.apache.org%3E">
+ <p>Database Administrator could achieve privilege escalation to
+ the account that CouchDB runs under, by abusing insufficient validation
+ in the HTTP API, escaping security controls implemented in previous
+ releases.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://docs.couchdb.org/en/stable/cve/2018-11769.html</url>
+ <cvename>CVE-2018-11769</cvename>
+ </references>
+ <dates>
+ <discovery>2018-06-05</discovery>
+ <entry>2018-08-08</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7762d7ad-2e38-41d2-9785-c51f653ba8bd">
+ <topic>botan2 -- ECDSA side channel</topic>
+ <affects>
+ <package>
+ <name>botan2</name>
+ <range><ge>2.5.0</ge><lt>2.7.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>botan2 developers report:</p>
+ <blockquote cite="https://botan.randombit.net/security.html#id1">
+ <p>A side channel in the ECDSA signature operation could allow a local attacker to recover the secret key. Found by Keegan Ryan of NCC Group.</p>
+ <p>Bug introduced in 2.5.0, fixed in 2.7.0. The 1.10 branch is not affected.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://botan.randombit.net/security.html#id1</url>
+ <url>https://github.com/randombit/botan/pull/1604</url>
+ <cvename>CVE-2018-12435</cvename>
+ </references>
+ <dates>
+ <discovery>2018-06-13</discovery>
+ <entry>2018-08-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6905f05f-a0c9-11e8-8335-8c164535ad80">
+ <topic>jenkins -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>jenkins</name>
+ <range><lt>2.138</lt></range>
+ </package>
+ <package>
+ <name>jenkins-lts</name>
+ <range><lt>2.121.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jenkins Security Advisory:</p>
+ <blockquote cite="https://jenkins.io/security/advisory/2018-08-15/">
+ <h1>Description</h1>
+ <h5>(Low) SECURITY-637</h5>
+ <p> Jenkins allowed deserialization of URL objects with host components</p>
+ <h5>(Medium) SECURITY-672</h5>
+ <p>Ephemeral user record was created on some invalid authentication attempts</p>
+ <h5>(Medium) SECURITY-790</h5>
+ <p>Cron expression form validation could enter infinite loop, potentially resulting in denial of service</p>
+ <h5>(Low) SECURITY-996</h5>
+ <p>"Remember me" cookie was evaluated even if that feature is disabled</p>
+ <h5>(Medium) SECURITY-1071</h5>
+ <p>Unauthorized users could access agent logs</p>
+ <h5>(Low) SECURITY-1076</h5>
+ <p>Unauthorized users could cancel scheduled restarts initiated from the update center</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://jenkins.io/security/advisory/2018-08-15/</url>
+ </references>
+ <dates>
+ <discovery>2018-08-15</discovery>
+ <entry>2018-08-15</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="98b603c8-9ff3-11e8-ad63-6451062f0f7a">
+ <topic>Flash Player -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>linux-flashplayer</name>
+ <range><lt>30.0.0.154</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adobe reports:</p>
+ <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb18-25.html">
+ <ul>
+ <li>This update resolves out-of-bounds read vulnerabilities that
+ could lead to information disclosure (CVE-2018-12824,
+ CVE-2018-12826, CVE-2018-12827).</li>
+ <li>This update resolves a security bypass vulnerability that
+ could lead to security mitigation bypass (CVE-2018-12825).</li>
+ <li>This update resolves a component vulnerability that
+ could lead to privilege escalation (CVE-2018-12828).</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-12824</cvename>
+ <cvename>CVE-2018-12825</cvename>
+ <cvename>CVE-2018-12826</cvename>
+ <cvename>CVE-2018-12827</cvename>
+ <cvename>CVE-2018-12828</cvename>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsb18-25.html</url>
+ </references>
+ <dates>
+ <discovery>2018-08-14</discovery>
+ <entry>2018-08-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c4e9a427-9fc2-11e8-802a-000c29a1e3ec">
+ <topic>samba -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>samba46</name>
+ <range><lt>4.6.16</lt></range>
+ </package>
+ <package>
+ <name>samba47</name>
+ <range><lt>4.7.9</lt></range>
+ </package>
+ <package>
+ <name>samba48</name>
+ <range><lt>4.8.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The samba project reports:</p>
+ <blockquote cite="https://www.samba.org/samba/security/CVE-2018-1139.html">
+ <p>Samba releases 4.7.0 to 4.8.3 (inclusive) contain an error which
+ allows authentication using NTLMv1 over an SMB1 transport (either
+ directory or via NETLOGON SamLogon calls from a member server), even
+ when NTLMv1 is explicitly disabled on the server.</p>
+ </blockquote>
+ <blockquote cite="https://www.samba.org/samba/security/CVE-2018-1140.html">
+ <p>Missing input sanitization checks on some of the input parameters to
+ LDB database layer cause the LDAP server and DNS server to crash when
+ following a NULL pointer.</p>
+ </blockquote>
+ <blockquote cite="https://www.samba.org/samba/security/CVE-2018-10858.html">
+ <p>Samba releases 3.2.0 to 4.8.3 (inclusive) contain an error in
+ libsmbclient that could allow a malicious server to overwrite
+ client heap memory by returning an extra long filename in a directory
+ listing.</p>
+ </blockquote>
+ <blockquote cite="https://www.samba.org/samba/security/CVE-2018-10918.html">
+ <p>Missing database output checks on the returned directory attributes
+ from the LDB database layer cause the DsCrackNames call in the DRSUAPI
+ server to crash when following a NULL pointer.</p>
+ </blockquote>
+ <blockquote cite="https://www.samba.org/samba/security/CVE-2018-10919.html">
+ <p>All versions of the Samba Active Directory LDAP server from 4.0.0
+ onwards are vulnerable to the disclosure of confidential attribute
+ values, both of attributes where the schema SEARCH_FLAG_CONFIDENTIAL
+ (0x80) searchFlags bit and where an explicit Access Control Entry has
+ been specified on the ntSecurityDescriptor.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.samba.org/samba/security/CVE-2018-1139.html</url>
+ <cvename>CVE-2018-1139</cvename>
+ <url>https://www.samba.org/samba/security/CVE-2018-1140.html</url>
+ <cvename>CVE-2018-1140</cvename>
+ <url>https://www.samba.org/samba/security/CVE-2018-10858.html</url>
+ <cvename>CVE-2018-10858</cvename>
+ <url>https://www.samba.org/samba/security/CVE-2018-10918.html</url>
+ <cvename>CVE-2018-10918</cvename>
+ <url>https://www.samba.org/samba/security/CVE-2018-10919.html</url>
+ <cvename>CVE-2018-10919</cvename>
+ </references>
+ <dates>
+ <discovery>2018-08-14</discovery>
+ <entry>2018-08-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e714b7d2-39f6-4992-9f48-e6b2f5f949df">
+ <topic>GraphicsMagick -- SVG/Rendering vulnerability</topic>
+ <affects>
+ <package>
+ <name>GraphicsMagick</name>
+ <range><lt>1.3.30,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>GraphicsMagick News:</p>
+ <blockquote cite="http://www.graphicsmagick.org/NEWS.html">
+ <p>Fix heap write overflow of PrimitiveInfo and PointInfo arrays. This is
+ another manefestation of CVE-2016-2317, which should finally be fixed
+ correctly due to active detection/correction of pending overflow rather
+ than using estimation.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.graphicsmagick.org/NEWS.html</url>
+ <cvename>CVE-2016-2317</cvename>
+ </references>
+ <dates>
+ <discovery>2018-06-23</discovery>
+ <entry>2018-08-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5a771686-9e33-11e8-8b2d-9cf7a8059466">
+ <topic>chicken -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chicken</name>
+ <range><lt>4.13.0,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>CHICKEN reports:</p>
+ <blockquote cite="https://code.call-cc.org/releases/4.13.0/NEWS">
+ <ul>
+ <li>CVE-2017-6949: Unchecked malloc() call in SRFI-4
+ constructors when allocating in non-GC memory, resulting
+ in potential 1-word buffer overrun and/or segfault</li>
+ <li>CVE-2017-9334: "length" crashes on improper lists</li>
+ <li>CVE-2017-11343: The randomization factor of the symbol
+ table was set before the random seed was set, causing it
+ to have a fixed value on many platforms</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://code.call-cc.org/releases/4.13.0/NEWS</url>
+ <cvename>CVE-2017-6949</cvename>
+ <cvename>CVE-2017-9334</cvename>
+ <cvename>CVE-2017-11343</cvename>
+ </references>
+ <dates>
+ <discovery>2017-03-16</discovery>
+ <entry>2018-08-12</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="bcf56a42-9df8-11e8-afb0-589cfc0f81b0">
+ <topic>gitea -- TOTP passcode reuse</topic>
+ <affects>
+ <package>
+ <name>gitea</name>
+ <range><lt>1.5.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Gitea project reports:</p>
+ <blockquote cite="https://blog.gitea.io/2018/08/gitea-1.5.0-is-released/">
+ <p>TOTP passcodes can be reused.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/go-gitea/gitea/pull/3878</url>
+ </references>
+ <dates>
+ <discovery>2018-05-01</discovery>
+ <entry>2018-08-12</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f4876dd4-9ca8-11e8-aa17-0011d823eebd">
+ <topic>mbed TLS -- plaintext recovery vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mbedtls</name>
+ <range><lt>2.12</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Simon Butcher reports:</p>
+ <blockquote cite="https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02">
+ <ul>
+ <li>When using a CBC based ciphersuite, a remote attacker can
+ partially recover the plaintext.</li>
+ <li>When using a CBC based ciphersuite, an attacker with the
+ ability to execute arbitrary code on the machine under attack
+ can partially recover the plaintext by use of cache based
+ side-channels.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02</url>
+ <cvename>CVE-2018-0497</cvename>
+ <cvename>CVE-2018-0498</cvename>
+ </references>
+ <dates>
+ <discovery>2018-07-24</discovery>
+ <entry>2018-08-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="96eab874-9c79-11e8-b34b-6cc21735f730">
+ <topic>PostgreSQL -- two vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>postgresql10-server</name>
+ <range><lt>10.5</lt></range>
+ </package>
+ <package>
+ <name>postgresql96-server</name>
+ <range><lt>9.6.10</lt></range>
+ </package>
+ <package>
+ <name>postgresql95-server</name>
+ <range><lt>9.5.14</lt></range>
+ </package>
+ <package>
+ <name>postgresql94-server</name>
+ <range><lt>9.4.19</lt></range>
+ </package>
+ <package>
+ <name>postgresql93-server</name>
+ <range><lt>9.3.24</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The PostgreSQL project reports:</p>
+ <blockquote cite="https://www.postgresql.org/about/news/1878/">
+ <p>CVE-2018-10915: Certain host connection parameters defeat
+ client-side security defenses</p>
+ <p>libpq, the client connection API for PostgreSQL that is also used
+ by other connection libraries, had an internal issue where it did not
+ reset all of its connection state variables when attempting to
+ reconnect. In particular, the state variable that determined whether
+ or not a password is needed for a connection would not be reset, which
+ could allow users of features requiring libpq, such as the "dblink" or
+ "postgres_fdw" extensions, to login to servers they should not be able
+ to access.</p>
+ <p>CVE-2018-10925: Memory disclosure and missing authorization in
+ `INSERT ... ON CONFLICT DO UPDATE`</p>
+ <p>An attacker able to issue CREATE TABLE can read arbitrary bytes of
+ server memory using an upsert (`INSERT ... ON CONFLICT DO UPDATE`)
+ query. By default, any user can exploit that. A user that has
+ specific INSERT privileges and an UPDATE privilege on at least one
+ column in a given table can also update other columns using a view and
+ an upsert query.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.postgresql.org/about/news/1878/</url>
+ <cvename>CVE-2018-10915</cvename>
+ <cvename>CVE-2018-10925</cvename>
+ </references>
+ <dates>
+ <discovery>2018-08-09</discovery>
+ <entry>2018-08-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="909be51b-9b3b-11e8-add2-b499baebfeaf">
+ <topic>MySQL -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mariadb55-server</name>
+ <range><lt>5.5.61</lt></range>
+ </package>
+ <package>
+ <name>mariadb100-server</name>
+ <range><lt>10.0.36</lt></range>
+ </package>
+ <package>
+ <name>mariadb101-server</name>
+ <range><lt>10.1.35</lt></range>
+ </package>
+ <package>
+ <name>mariadb102-server</name>
+ <range><lt>10.2.17</lt></range>
+ </package>
+ <package>
+ <name>mariadb103-server</name>
+ <range><lt>10.3.9</lt></range>
+ </package>
+ <package>
+ <name>mysql55-server</name>
+ <range><lt>5.5.61</lt></range>
+ </package>
+ <package>
+ <name>mysql56-server</name>
+ <range><lt>5.6.41</lt></range>
+ </package>
+ <package>
+ <name>mysql57-server</name>
+ <range><lt>5.7.23</lt></range>
+ </package>
+ <package>
+ <name>mysql80-server</name>
+ <range><lt>8.0.12</lt></range>
+ </package>
+ <package>
+ <name>percona55-server</name>
+ <range><lt>5.5.61</lt></range>
+ </package>
+ <package>
+ <name>percona56-server</name>
+ <range><lt>5.6.41</lt></range>
+ </package>
+ <package>
+ <name>percona57-server</name>
+ <range><lt>5.7.23</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Oracle reports:</p>
+ <blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html">
+ <p>Multiple vulnerabilities have been disclosed by Oracle without
+ further detail. CVSS scores 7.1 - 2.7</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html</url>
+ <cvename>CVE-2018-3064</cvename>
+ <cvename>CVE-2018-0739</cvename>
+ <cvename>CVE-2018-3070</cvename>
+ <cvename>CVE-2018-3060</cvename>
+ <cvename>CVE-2018-3065</cvename>
+ <cvename>CVE-2018-3073</cvename>
+ <cvename>CVE-2018-3074</cvename>
+ <cvename>CVE-2018-3081</cvename>
+ <cvename>CVE-2018-3071</cvename>
+ <cvename>CVE-2018-3079</cvename>
+ <cvename>CVE-2018-3054</cvename>
+ <cvename>CVE-2018-3077</cvename>
+ <cvename>CVE-2018-3078</cvename>
+ <cvename>CVE-2018-3080</cvename>
+ <cvename>CVE-2018-3061</cvename>
+ <cvename>CVE-2018-3067</cvename>
+ <cvename>CVE-2018-3063</cvename>
+ <cvename>CVE-2018-3075</cvename>
+ <cvename>CVE-2018-3058</cvename>
+ <cvename>CVE-2018-3056</cvename>
+ <cvename>CVE-2018-3066</cvename>
+ <cvename>CVE-2018-2767</cvename>
+ <cvename>CVE-2018-3084</cvename>
+ <cvename>CVE-2018-3082</cvename>
+ </references>
+ <dates>
+ <discovery>2018-07-17</discovery>
+ <entry>2018-08-08</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5786185a-9a43-11e8-b34b-6cc21735f730">
+ <topic>xml-security-c -- crashes on malformed KeyInfo content</topic>
+ <affects>
+ <package>
+ <name>apache-xml-security-c</name>
+ <range><lt>2.0.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The shibboleth project reports:</p>
+ <blockquote cite="https://shibboleth.net/community/advisories/secadv_20180803.txt">
+ <p>
+ SAML messages, assertions, and metadata all commonly make use of the
+ XML Signature KeyInfo construct, which expresses information about
+ keys and certificates used in signing or encrypting XML.
+ </p>
+ <p>
+ The Apache Santuario XML Security for C++ library contained code
+ paths at risk of dereferencing null pointers when processing various
+ kinds of malformed KeyInfo hints typically found in signed or
+ encrypted XML. The usual effect is a crash, and in the case of the
+ Shibboleth SP software, a crash in the shibd daemon, which prevents
+ access to protected resources until the daemon is restarted.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://shibboleth.net/community/advisories/secadv_20180803.txt</url>
+ </references>
+ <dates>
+ <discovery>2018-08-03</discovery>
+ <entry>2018-08-07</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3c2eea8c-99bf-11e8-8bee-a4badb2f4699">
+ <topic>FreeBSD -- Resource exhaustion in TCP reassembly</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>11.2</ge><lt>11.2_1</lt></range>
+ <range><ge>11.1</ge><lt>11.1_12</lt></range>
+ <range><ge>10.4</ge><lt>10.4_10</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>One of the data structures that holds TCP segments uses
+ an inefficient algorithm to reassemble the data. This causes
+ the CPU time spent on segment processing to grow linearly
+ with the number of segments in the reassembly queue.</p>
+ <h1>Impact:</h1>
+ <p>An attacker who has the ability to send TCP traffic to
+ a victim system can degrade the victim system's network
+ performance and/or consume excessive CPU by exploiting the
+ inefficiency of TCP reassembly handling, with relatively
+ small bandwidth cost.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-6922</cvename>
+ <freebsdsa>SA-18:08.tcp</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2018-08-06</discovery>
+ <entry>2018-08-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9e2d0dcf-9926-11e8-a92d-0050562a4d7b">
+ <topic>py-cryptography -- tag forgery vulnerability</topic>
+ <affects>
+ <package>
+ <name>py27-cryptography</name>
+ <name>py34-cryptography</name>
+ <name>py35-cryptography</name>
+ <name>py36-cryptography</name>
+ <name>py37-cryptography</name>
+ <range><lt>2.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Python Cryptographic Authority (PyCA) project reports:</p>
+ <blockquote cite="https://cryptography.io/en/latest/changelog/#v2-3">
+ <p>finalize_with_tag() allowed tag truncation by default which can allow tag forgery in some cases. The method now enforces the min_tag_length provided to the GCM constructor</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-10903</cvename>
+ </references>
+ <dates>
+ <discovery>2018-07-17</discovery>
+ <entry>2018-08-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="06c4a79b-981d-11e8-b460-9c5c8e75236a">
+ <topic>cgit -- directory traversal vulnerability</topic>
+ <affects>
+ <package>
+ <name>cgit</name>
+ <range><lt>1.2.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jann Horn reports:</p>
+ <blockquote cite="https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.html">
+ <p>cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.html</url>
+ <cvename>CVE-2018-14912</cvename>
+ </references>
+ <dates>
+ <discovery>2018-08-03</discovery>
+ <entry>2018-08-04</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e309a2c7-598b-4fa6-a398-bc72fbd1d167">
+ <topic>rubygem-doorkeeper -- token revocation vulnerability</topic>
+ <affects>
+ <package>
+ <name>rubygem-doorkeeper</name>
+ <name>rubygem-doorkeeper43</name>
+ <name>rubygem-doorkeeper-rails5</name>
+ <name>rubygem-doorkeeper-rails50</name>
+ <range><lt>4.4.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>NVD reports:</p>
+ <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2018-1000211">
+ <p>Doorkeeper version 4.2.0 and later contains a Incorrect Access Control
+ vulnerability in Token revocation API's authorized method that can
+ result in Access tokens are not revoked for public OAuth apps, leaking
+ access until expiry.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2018-1000211</url>
+ <url>https://github.com/doorkeeper-gem/doorkeeper/pull/1120</url>
+ <cvename>CVE-2018-1000211</cvename>
+ </references>
+ <dates>
+ <discovery>2018-07-13</discovery>
+ <entry>2018-07-31</entry>
+ <modified>2018-08-03</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="ca05d9da-ac1d-4113-8a05-ffe9cd0d6160">
+ <topic>sinatra -- XSS vulnerability</topic>
+ <affects>
+ <package>
+ <name>rubygem-sinatra</name>
+ <range><ge>2.0.0</ge><lt>2.0.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Sinatra blog:</p>
+ <blockquote cite="http://sinatrarb.com/2018/06/09/sinatra-2.0.2-and-2.0.3.html">
+ <p>Sinatra had a critical vulnerability since v2.0.0. The purpose of this
+ release is to fix CVE-2018-11627.</p>
+ <p>The vulnerability is that XSS can be executed by using illegal parameters.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://sinatrarb.com/2018/06/09/sinatra-2.0.2-and-2.0.3.html</url>
+ <url>https://github.com/sinatra/sinatra/blob/master/CHANGELOG.md</url>
+ <cvename>CVE-2018-11627</cvename>
+ </references>
+ <dates>
+ <discovery>2018-06-09</discovery>
+ <entry>2018-07-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b4f0ad36-94a5-11e8-9007-080027ac955c">
+ <topic>mailman -- content spoofing with invalid list names in web UI</topic>
+ <affects>
+ <package><name>mailman</name> <range><lt>2.1.28</lt></range></package>
+ <package><name>mailman-with-htdig</name><range><lt>2.1.28</lt></range></package>
+ <package><name>ja-mailman</name> <range><lt>2.1.14.j7_6,1</lt></range></package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mark Sapiro reports:</p>
+ <blockquote cite="https://bugs.launchpad.net/mailman/+bug/1780874">
+ <p>A URL with a very long text listname such as</p>
+ <pre>http://www.example.com/mailman/listinfo/This_is_a_long_string_with_some_phishing_text</pre>
+ <p>will echo the text in the "No such list" error response. This can be used to make a potential victim think the phishing text comes from a trusted site.</p>
+ <p>This issue was discovered by Hammad Qureshi.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugs.launchpad.net/mailman/+bug/1780874</url>
+ <url>https://mail.python.org/pipermail/mailman-announce/2018-July/000241.html</url>
+ <cvename>CVE-2018-13796</cvename>
+ </references>
+ <dates>
+ <discovery>2018-07-09</discovery>
+ <entry>2018-07-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="0822a4cf-9318-11e8-8d88-00e04c1ea73d">
+ <topic>mantis -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mantis</name>
+ <range><lt>2.15.0,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>mantis reports:</p>
+ <blockquote cite="https://github.com/mantisbt/mantisbt/commit/8b5fa243dbf04344a55fe880135ec149fc1f439f">
+ <p>Teun Beijers reported a cross-site scripting (XSS) vulnerability in
+ the Edit Filter page which allows execution of arbitrary code
+ (if CSP settings permit it) when displaying a filter with a crafted
+ name. Prevent the attack by sanitizing the filter name before display.</p>
+ <p>Ömer Cıtak, Security Researcher at Netsparker, reported this
+ vulnerability, allowing remote attackers to inject arbitrary code
+ (if CSP settings permit it) through a crafted PATH_INFO on
+ view_filters_page.php. Prevent the attack by sanitizing the output
+ of $_SERVER['PHP_SELF'] before display.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/mantisbt/mantisbt/commit/8b5fa243dbf04344a55fe880135ec149fc1f439f</url>
+ <url>https://github.com/mantisbt/mantisbt/commit/4efac90ed89a5c009108b641e2e95683791a165a</url>
+ <cvename>CVE-2018-14504</cvename>
+ <cvename>CVE-2018-13066</cvename>
+ </references>
+ <dates>
+ <discovery>2018-07-13</discovery>
+ <entry>2018-07-29</entry>
+ <modified>2018-08-24</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="e97a8852-32dd-4291-ba4d-92711daff056">
+ <topic>py-bleach -- unsanitized character entities</topic>
+ <affects>
+ <package>
+ <name>py27-bleach</name>
+ <name>py36-bleach</name>
+ <range><ge>2.1.0</ge><lt>2.1.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>bleach developer reports:</p>
+ <blockquote cite="https://github.com/mozilla/bleach/blob/v2.1.3/CHANGES">
+ <p>Attributes that have URI values weren't properly sanitized if the
+ values contained character entities. Using character entities, it
+ was possible to construct a URI value with a scheme that was not
+ allowed that would slide through unsanitized.</p>
+ <p>This security issue was introduced in Bleach 2.1. Anyone using
+ Bleach 2.1 is highly encouraged to upgrade.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/mozilla/bleach/blob/v2.1.3/CHANGES</url>
+ </references>
+ <dates>
+ <discovery>2018-03-05</discovery>
+ <entry>2018-07-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="07d04eef-d8e2-11e6-a071-001e67f15f5a">
+ <topic>lshell -- Shell autocomplete reveals forbidden directories</topic>
+ <affects>
+ <package>
+ <name>lshell</name>
+ <range><lt>0.9.18</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>lshell reports:</p>
+ <blockquote cite="https://github.com/ghantoos/lshell/issues/151">
+ <p>The autocomplete feature allows users to list directories, while they do not have access to those paths (issue #109).</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/ghantoos/lshell/issues/109</url>
+ </references>
+ <dates>
+ <discovery>2015-07-25</discovery>
+ <entry>2018-07-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f353525a-d8b8-11e6-a071-001e67f15f5a">
+ <topic>lshell -- Multiple security issues</topic>
+ <affects>
+ <package>
+ <name>lshell</name>
+ <range><le>0.9.18</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>lshell reports:</p>
+ <blockquote cite="https://github.com/ghantoos/lshell/issues/151">
+ <p>It is possible to escape lshell if an allowed command can execute an arbitrary non allowed one (issue #122).</p>
+ <p>Inappropriate parsing of commands can lead to arbitrary command execution (issue #147, #149, #151).</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/ghantoos/lshell/issues/122</url>
+ <url>https://github.com/ghantoos/lshell/issues/147</url>
+ <url>https://github.com/ghantoos/lshell/issues/149</url>
+ <url>https://github.com/ghantoos/lshell/issues/151</url>
+ </references>
+ <dates>
+ <discovery>2016-02-04</discovery>
+ <entry>2018-07-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="11dc3890-0e64-11e8-99b0-d017c2987f9a">
+ <topic>OpenJPEG -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>openjpeg</name>
+ <range><le>2.3.0</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>OpenJPEG reports:</p>
+ <blockquote cite="https://github.com/uclouvain/openjpeg/issues?q=is%3Aissue+CVE-2018-5727+OR+CVE-2018-5785+OR+CVE-2018-6616">
+ <p>Multiple vulnerabilities have been found in OpenJPEG, the
+ opensource JPEG2000 codec. Please consult the CVE list for further
+ details.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2017-17479</url>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2017-17480</url>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2018-5727</url>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2018-5785</url>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2018-6616</url>
+ <cvename>CVE-2017-17479</cvename>
+ <cvename>CVE-2017-17480</cvename>
+ <cvename>CVE-2018-5727</cvename>
+ <cvename>CVE-2018-5785</cvename>
+ <cvename>CVE-2018-6616</cvename>
+ </references>
+ <dates>
+ <discovery>2017-12-08</discovery>
+ <entry>2018-07-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5ccbb2f8-c798-11e7-a633-009c02a2ab30">
+ <topic>ffmpeg -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>ffmpeg</name>
+ <range><lt>3.3.5_1,1</lt></range>
+ <range><ge>3.4,1</ge><le>3.4.1_4,1</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MITRE reports:</p>
+ <blockquote cite="http://ffmpeg.org/security.html">
+ <p>Multiple vulnerabilities have been found in FFmpeg. Please refer
+ to CVE list for details.</p>
+ <p>Note: CVE-2017-15186 and CVE-2017-15672 affect only the 3.3 branch
+ before 3.3.5, CVE-2017-16840 and CVE-2017-17081 have been fixed
+ in 3.4.1. They're listed here for completeness of the record.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15186</url>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15672</url>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16840</url>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17081</url>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6392</url>
+ <url>http://ffmpeg.org/security.html</url>
+ <cvename>CVE-2017-15186</cvename>
+ <cvename>CVE-2017-15672</cvename>
+ <cvename>CVE-2017-16840</cvename>
+ <cvename>CVE-2017-17081</cvename>
+ <cvename>CVE-2018-6392</cvename>
+ </references>
+ <dates>
+ <discovery>2017-10-09</discovery>
+ <entry>2018-07-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="bfda2d80-0858-11e8-ad5c-0021ccb9e74d">
+ <topic>GIMP - Heap Buffer Overflow Vulnerability</topic>
+ <affects>
+ <package>
+ <name>gimp</name>
+ <range><lt>2.8.22,2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>GNOME reports:</p>
+ <blockquote cite="https://www.securityfocus.com/bid/102765/references">
+ <p>CVE-2017-17786 Out of bounds read / heap overflow in tga importer / function bgr2rgb.part.1</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugzilla.gnome.org/show_bug.cgi?id=739134</url>
+ <cvename>CVE-2017-17786</cvename>
+ </references>
+ <dates>
+ <discovery>2017-12-21</discovery>
+ <entry>2018-07-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b9c525d9-9198-11e8-beba-080027ef1a23">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>68.0.3440.75</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2018/07/stable-channel-update-for-desktop.html">
+ <p>42 security fixes in this release, including:</p>
+ <ul>
+ <li>[850350] High CVE-2018-6153: Stack buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-06-07</li>
+ <li>[848914] High CVE-2018-6154: Heap buffer overflow in WebGL. Reported by Omair on 2018-06-01</li>
+ <li>[842265] High CVE-2018-6155: Use after free in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-11</li>
+ <li>[841962] High CVE-2018-6156: Heap buffer overflow in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-10</li>
+ <li>[840536] High CVE-2018-6157: Type confusion in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-07</li>
+ <li>[812667] Medium CVE-2018-6150: Cross origin information disclosure in Service Workers. Reported by Rob Wu on 2018-02-15</li>
+ <li>[805905] Medium CVE-2018-6151: Bad cast in DevTools. Reported by Rob Wu on 2018-01-25</li>
+ <li>[805445] Medium CVE-2018-6152: Local file write in DevTools. Reported by Rob Wu on 2018-01-24</li>
+ <li>[841280] Medium CVE-2018-6158: Use after free in Blink. Reported by Zhe Jin, Luyao Liu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-05-09</li>
+ <li>[837275] Medium CVE-2018-6159: Same origin policy bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-04-26</li>
+ <li>[839822] Medium CVE-2018-6160: URL spoof in Chrome on iOS. Reported by evi1m0 of Bilibili Security Team on 2018-05-04</li>
+ <li>[826552] Medium CVE-2018-6161: Same origin policy bypass in WebAudio. Reported by Jun Kokatsu (@shhnjk) on 2018-03-27</li>
+ <li>[804123] Medium CVE-2018-6162: Heap buffer overflow in WebGL. Reported by Omair on 2018-01-21</li>
+ <li>[849398] Medium CVE-2018-6163: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-06-04</li>
+ <li>[848786] Medium CVE-2018-6164: Same origin policy bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-06-01</li>
+ <li>[847718] Medium CVE-2018-6165: URL spoof in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-05-30</li>
+ <li>[835554] Medium CVE-2018-6166: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-04-21</li>
+ <li>[833143] Medium CVE-2018-6167: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-04-15</li>
+ <li>[828265] Medium CVE-2018-6168: CORS bypass in Blink. Reported by Gunes Acar and Danny Y. Huang of Princeton University, Frank Li of UC Berkeley on 2018-04-03</li>
+ <li>[394518] Medium CVE-2018-6169: Permissions bypass in extension installation. Reported by Sam P on 2014-07-16</li>
+ <li>[862059] Medium CVE-2018-6170: Type confusion in PDFium. Reported by Anonymous on 2018-07-10</li>
+ <li>[851799] Medium CVE-2018-6171: Use after free in WebBluetooth. Reported by amazon at mimetics.ca on 2018-06-12</li>
+ <li>[847242] Medium CVE-2018-6172: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-05-28</li>
+ <li>[836885] Medium CVE-2018-6173: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-04-25</li>
+ <li>[835299] Medium CVE-2018-6174: Integer overflow in SwiftShader. Reported by Mark Brand of Google Project Zero on 2018-04-20</li>
+ <li>[826019] Medium CVE-2018-6175: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-03-26</li>
+ <li>[666824] Medium CVE-2018-6176: Local user privilege escalation in Extensions. Reported by Jann Horn of Google Project Zero on 2016-11-18</li>
+ <li>[826187] Low CVE-2018-6177: Cross origin information leak in Blink. Reported by Ron Masas (Imperva) on 2018-03-27</li>
+ <li>[823194] Low CVE-2018-6178: UI spoof in Extensions. Reported by Khalil Zhani on 2018-03-19</li>
+ <li>[816685] Low CVE-2018-6179: Local file information leak in Extensions. Reported by Anonymous on 2018-02-26</li>
+ <li>[797461] Low CVE-2018-6044: Request privilege escalation in Extensions. Reported by Wob Wu on 2017-12-23</li>
+ <li>[791324] Low CVE-2018-4117: Cross origin information leak in Blink. Reported by AhsanEjaz - @AhsanEjazA on 2017-12-03</li>
+ <li>[866821] Various fixes from internal audits, fuzzing and other initiatives</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-4117</cvename>
+ <cvename>CVE-2018-6044</cvename>
+ <cvename>CVE-2018-6150</cvename>
+ <cvename>CVE-2018-6151</cvename>
+ <cvename>CVE-2018-6152</cvename>
+ <cvename>CVE-2018-6153</cvename>
+ <cvename>CVE-2018-6154</cvename>
+ <cvename>CVE-2018-6155</cvename>
+ <cvename>CVE-2018-6156</cvename>
+ <cvename>CVE-2018-6157</cvename>
+ <cvename>CVE-2018-6158</cvename>
+ <cvename>CVE-2018-6159</cvename>
+ <cvename>CVE-2018-6160</cvename>
+ <cvename>CVE-2018-6161</cvename>
+ <cvename>CVE-2018-6162</cvename>
+ <cvename>CVE-2018-6163</cvename>
+ <cvename>CVE-2018-6164</cvename>
+ <cvename>CVE-2018-6165</cvename>
+ <cvename>CVE-2018-6166</cvename>
+ <cvename>CVE-2018-6167</cvename>
+ <cvename>CVE-2018-6168</cvename>
+ <cvename>CVE-2018-6169</cvename>
+ <cvename>CVE-2018-6170</cvename>
+ <cvename>CVE-2018-6171</cvename>
+ <cvename>CVE-2018-6172</cvename>
+ <cvename>CVE-2018-6173</cvename>
+ <cvename>CVE-2018-6174</cvename>
+ <cvename>CVE-2018-6175</cvename>
+ <cvename>CVE-2018-6176</cvename>
+ <cvename>CVE-2018-6177</cvename>
+ <cvename>CVE-2018-6178</cvename>
+ <cvename>CVE-2018-6179</cvename>
+ <url>https://chromereleases.googleblog.com/2018/07/stable-channel-update-for-desktop.html</url>
+ </references>
+ <dates>
+ <discovery>2018-07-24</discovery>
+ <entry>2018-07-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3849e28f-8693-11e8-9610-9c5c8e75236a">
+ <topic>curl -- SMTP send heap buffer overflow</topic>
+ <affects>
+ <package>
+ <name>curl</name>
+ <range><ge>7.54.1</ge><lt>7.61.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Peter Wu reports:</p>
+ <blockquote cite="https://curl.haxx.se/docs/adv_2018-70a2.html">
+ <p>curl might overflow a heap based memory buffer when sending data over SMTP and using a reduced read buffer.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://curl.haxx.se/docs/adv_2018-70a2.html</url>
+ <cvename>CVE-2018-0500</cvename>
+ </references>
+ <dates>
+ <discovery>2018-07-11</discovery>
+ <entry>2018-07-27</entry>
+ <modified>2018-07-28</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="2da838f9-9168-11e8-8c75-d8cb8abf62dd">
+ <topic>Gitlab -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>gitlab-ce</name>
+ <range><ge>11.1.0</ge><lt>11.1.2</lt></range>
+ <range><ge>11.0.0</ge><lt>11.0.5</lt></range>
+ <range><ge>2.7.0</ge><lt>10.8.7</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Gitlab reports:</p>
+ <blockquote cite="https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/">
+ <p>Markdown DoS</p>
+ <p>Information Disclosure Prometheus Metrics</p>
+ <p>CSRF in System Hooks</p>
+ <p>Persistent XSS Pipeline Tooltip</p>
+ <p>Persistent XSS in Branch Name via Web IDE</p>
+ <p>Persistent XSS in Branch Name via Web IDE</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-14601</cvename>
+ <cvename>CVE-2018-14602</cvename>
+ <cvename>CVE-2018-14603</cvename>
+ <cvename>CVE-2018-14604</cvename>
+ <cvename>CVE-2018-14605</cvename>
+ <cvename>CVE-2018-14606</cvename>
+ <url>https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/</url>
+ </references>
+ <dates>
+ <discovery>2018-07-26</discovery>
+ <entry>2018-07-27</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="38fec4bd-90f7-11e8-aafb-1c39475b9f84">
+ <topic>Fix a buffer overflow in the tiff reader</topic>
+ <affects>
+ <package>
+ <name>vips</name>
+ <range><lt>8.6.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>libvips reports:</p>
+ <blockquote cite="https://github.com/jcupitt/libvips/releases/tag/v8.6.5">
+ <p>A buffer overflow was found and fixed in the libvips code</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/jcupitt/libvips/releases/tag/v8.6.5</url>
+ </references>
+ <dates>
+ <discovery>2018-07-22</discovery>
+ <entry>2018-07-26</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="efe43d2b-8f35-11e8-b9e8-dcfe074bd614">
+ <topic>Memory leak in different components</topic>
+ <affects>
+ <package>
+ <name>libsixel</name>
+ <range><lt>1.8.2,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MITRE reports:</p>
+ <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2018-14072">
+ <p>bsixel 1.8.1 has a memory leak in sixel_decoder_decode in
+ decoder.c, image_buffer_resize in fromsixel.c, sixel_decode_raw in
+ fromsixel.c and sixel_allocator_new in allocator.c</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-14072</cvename>
+ <cvename>CVE-2018-14073</cvename>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14072</url>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14073</url>
+ </references>
+ <dates>
+ <discovery>2018-07-15</discovery>
+ <entry>2018-07-24</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="dc57ad48-ecbb-439b-a4d0-5869be47684e">
+ <topic>vlc -- Use after free vulnerability</topic>
+ <affects>
+ <package>
+ <name>vlc</name>
+ <range><le>2.2.8_6,4</le></range>
+ </package>
+ <package>
+ <name>vlc-qt4</name>
+ <range><le>2.2.8_6,4</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mitre reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11529">
+ <p>VideoLAN VLC media player 2.2.x is prone to a use after free
+ vulnerability which an attacker can leverage to execute arbitrary
+ code via crafted MKV files. Failed exploit attempts will likely
+ result in denial of service conditions.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-11529</cvename>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11529</url>
+ <url>http://seclists.org/fulldisclosure/2018/Jul/28</url>
+ <url>https://github.com/rapid7/metasploit-framework/pull/10335</url>
+ <url>https://github.com/videolan/vlc-3.0/commit/c472668ff873cfe29281822b4548715fb7bb0368</url>
+ <url>https://github.com/videolan/vlc-3.0/commit/d2dadb37e7acc25ae08df71e563855d6e17b5b42</url>
+ </references>
+ <dates>
+ <discovery>2018-06-06</discovery>
+ <entry>2018-07-21</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a2f35081-8a02-11e8-8fa5-4437e6ad11c4">
+ <topic>mutt -- remote code injection and path traversal vulnerability</topic>
+ <affects>
+ <package>
+ <name>mutt</name>
+ <range><lt>1.10.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Kevin J. McCarthy reports:</p>
+ <blockquote cite="http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20180716/000004.html">
+ <p>Fixes a remote code injection vulnerability when "subscribing"
+ to an IMAP mailbox, either via $imap_check_subscribed, or via the
+ <subscribe> function in the browser menu. Mutt was generating a
+ "mailboxes" command and sending that along to the muttrc parser.
+ However, it was not escaping "`", which executes code and inserts
+ the result. This would allow a malicious IMAP server to execute
+ arbitrary code (for $imap_check_subscribed).</p>
+ <p>Fixes POP body caching path traversal vulnerability.</p>
+ <p>Fixes IMAP header caching path traversal vulnerability.</p>
+ <p>CVE-2018-14349 - NO Response Heap Overflow</p>
+ <p>CVE-2018-14350 - INTERNALDATE Stack Overflow</p>
+ <p>CVE-2018-14351 - STATUS Literal Length relative write</p>
+ <p>CVE-2018-14352 - imap_quote_string off-by-one stack overflow</p>
+ <p>CVE-2018-14353 - imap_quote_string int underflow</p>
+ <p>CVE-2018-14354 - imap_subscribe Remote Code Execution</p>
+ <p>CVE-2018-14355 - STATUS mailbox header cache directory traversal</p>
+ <p>CVE-2018-14356 - POP empty UID NULL deref</p>
+ <p>CVE-2018-14357 - LSUB Remote Code Execution</p>
+ <p>CVE-2018-14358 - RFC822.SIZE Stack Overflow</p>
+ <p>CVE-2018-14359 - base64 decode Stack Overflow</p>
+ <p>CVE-2018-14362 - POP Message Cache Directory Traversal</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-14349</cvename>
+ <cvename>CVE-2018-14350</cvename>
+ <cvename>CVE-2018-14351</cvename>
+ <cvename>CVE-2018-14352</cvename>
+ <cvename>CVE-2018-14353</cvename>
+ <cvename>CVE-2018-14354</cvename>
+ <cvename>CVE-2018-14355</cvename>
+ <cvename>CVE-2018-14356</cvename>
+ <cvename>CVE-2018-14357</cvename>
+ <cvename>CVE-2018-14358</cvename>
+ <cvename>CVE-2018-14359</cvename>
+ <cvename>CVE-2018-14362</cvename>
+ <url>http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20180716/000004.html</url>
+ </references>
+ <dates>
+ <discovery>2018-07-15</discovery>
+ <entry>2018-07-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="fe12ef83-8b47-11e8-96cc-001a4a7ec6be">
+ <topic>mutt/neomutt -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>neomutt</name>
+ <range><lt>20180716</lt></range>
+ </package>
+ <package>
+ <name>mutt</name>
+ <range><lt>1.10.1</lt></range>
+ </package>
+ <package>
+ <name>mutt14</name>
+ <range><lt>*</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>NeoMutt report:</p>
+ <blockquote cite="https://github.com/neomutt/neomutt/releases/tag/neomutt-20180716">
+ <h1>Description</h1>
+ <h5>CVE-2018-14349</h5><p>NO Response Heap Overflow</p>
+ <h5>CVE-2018-14350</h5><p>INTERNALDATE Stack Overflow</p>
+ <h5>CVE-2018-14351</h5><p>STATUS Literal Length relative write</p>
+ <h5>CVE-2018-14352</h5><p>imap_quote_string off-by-one stack overflow</p>
+ <h5>CVE-2018-14353</h5><p>imap_quote_string int underflow</p>
+ <h5>CVE-2018-14354</h5><p>imap_subscribe Remote Code Execution</p>
+ <h5>CVE-2018-14355</h5><p>STATUS mailbox header cache directory traversal</p>
+ <h5>CVE-2018-14356</h5><p>POP empty UID NULL deref</p>
+ <h5>CVE-2018-14357</h5><p>LSUB Remote Code Execution</p>
+ <h5>CVE-2018-14358</h5><p>RFC822.SIZE Stack Overflow</p>
+ <h5>CVE-2018-14359</h5><p>base64 decode Stack Overflow</p>
+ <h5>CVE-2018-14360</h5><p>NNTP Group Stack Overflow</p>
+ <h5>CVE-2018-14361</h5><p>NNTP Write 1 where via GROUP response</p>
+ <h5>CVE-2018-14362</h5><p>POP Message Cache Directory Traversal</p>
+ <h5>CVE-2018-14363</h5><p>NNTP Header Cache Directory Traversal</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-14349</cvename>
+ <cvename>CVE-2018-14350</cvename>
+ <cvename>CVE-2018-14351</cvename>
+ <cvename>CVE-2018-14352</cvename>
+ <cvename>CVE-2018-14353</cvename>
+ <cvename>CVE-2018-14354</cvename>
+ <cvename>CVE-2018-14355</cvename>
+ <cvename>CVE-2018-14356</cvename>
+ <cvename>CVE-2018-14357</cvename>
+ <cvename>CVE-2018-14358</cvename>
+ <cvename>CVE-2018-14359</cvename>
+ <cvename>CVE-2018-14360</cvename>
+ <cvename>CVE-2018-14361</cvename>
+ <cvename>CVE-2018-14362</cvename>
+ <cvename>CVE-2018-14363</cvename>
+ <url>https://github.com/neomutt/neomutt/releases/tag/neomutt-20180716</url>
+ </references>
+ <dates>
+ <discovery>2018-07-10</discovery>
+ <entry>2018-07-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="20a1881e-8a9e-11e8-bddf-d017c2ca229d">
+ <topic>jenkins -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>jenkins</name>
+ <range><lt>2.133</lt></range>
+ </package>
+ <package>
+ <name>jenkins-lts</name>
+ <range><lt>2.121.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jenkins Security Advisory:</p>
+ <blockquote cite="https://jenkins.io/security/advisory/2018-07-18/">
+ <h1>Description</h1>
+ <h5>(High) SECURITY-897 / CVE-2018-1999001</h5>
+ <p>Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart </p>
+ <h5>(High) SECURITY-914 / CVE-2018-1999002</h5>
+ <p>Arbitrary file read vulnerability</p>
+ <h5>(Medium) SECURITY-891 / CVE-2018-1999003</h5>
+ <p>Unauthorized users could cancel queued builds</p>
+ <h5>(Medium) SECURITY-892 / CVE-2018-1999004</h5>
+ <p>Unauthorized users could initiate and abort agent launches</p>
+ <h5>(Medium) SECURITY-944 / CVE-2018-1999005</h5>
+ <p>Stored XSS vulnerability</p>
+ <h5>(Medium) SECURITY-925 / CVE-2018-1999006</h5>
+ <p>Unauthorized users are able to determine when a plugin was extracted from its JPI package</p>
+ <h5>(Medium) SECURITY-390 / CVE-2018-1999007</h5>
+ <p>XSS vulnerability in Stapler debug mode</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-1999001</cvename>
+ <cvename>CVE-2018-1999002</cvename>
+ <cvename>CVE-2018-1999003</cvename>
+ <cvename>CVE-2018-1999004</cvename>
+ <cvename>CVE-2018-1999005</cvename>
+ <cvename>CVE-2018-1999006</cvename>
+ <cvename>CVE-2018-1999007</cvename>
+ <url>https://jenkins.io/security/advisory/2018-07-18/</url>
+ </references>
+ <dates>
+ <discovery>2018-07-18</discovery>
+ <entry>2018-07-18</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c6d1a8a6-8a91-11e8-be4d-005056925db4">
+ <topic>znc -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>znc</name>
+ <range><lt>1.7.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mitre reports:</p>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14055">
+ <p>ZNC before 1.7.1-rc1 does not properly validate untrusted lines
+ coming from the network, allowing a non-admin user to escalate his
+ privilege and inject rogue values into znc.conf.</p>
+ </blockquote>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14056">
+ <p>ZNC before 1.7.1-rc1 is prone to a path traversal flaw via ../ in
+ a web skin name to access files outside of the intended skins
+ directories.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-14055</cvename>
+ <cvename>CVE-2018-14056</cvename>
+ <url>https://wiki.znc.in/ChangeLog/1.7.1</url>
+ </references>
+ <dates>
+ <discovery>2018-07-14</discovery>
+ <entry>2018-07-18</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="8b1a50ab-8a8e-11e8-add2-b499baebfeaf">
+ <topic>Apache httpd -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>apache24</name>
+ <range><lt>2.4.34</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Apache project reports:</p>
+ <blockquote cite="http://httpd.apache.org/security/vulnerabilities_24.html">
+ <ul>
+ <li>DoS for HTTP/2 connections by crafted requests
+ (CVE-2018-1333). By specially crafting HTTP/2 requests, workers
+ would be allocated 60 seconds longer than necessary, leading to
+ worker exhaustion and a denial of service. (low)</li>
+ <li>mod_md, DoS via Coredumps on specially crafted requests
+ (CVE-2018-8011). By specially crafting HTTP requests, the mod_md
+ challenge handler would dereference a NULL pointer and cause the
+ child process to segfault. This could be used to DoS the server.
+ (moderate)</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://httpd.apache.org/security/vulnerabilities_24.html</url>
+ <cvename>CVE-2018-1333</cvename>
+ <cvename>CVE-2018-8011</cvename>
+ </references>
+ <dates>
+ <discovery>2018-07-18</discovery>
+ <entry>2018-07-18</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="8fc615cc-8a66-11e8-8c75-d8cb8abf62dd">
+ <topic>Gitlab -- Remote Code Execution Vulnerability in GitLab Projects Import</topic>
+ <affects>
+ <package>
+ <name>gitlab-ce</name>
+ <name>gitlab</name>
+ <range><ge>11.0.0</ge><lt>11.0.4</lt></range>
+ <range><ge>10.8.0</ge><lt>10.8.6</lt></range>
+ <range><ge>8.9.0</ge><lt>10.7.7</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Gitlab reports:</p>
+ <blockquote cite="https://about.gitlab.com/2018/07/17/critical-security-release-gitlab-11-dot-0-dot-4-released/">
+ <p>Remote Code Execution Vulnerability in GitLab Projects Import</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-14364</cvename>
+ <url>https://about.gitlab.com/2018/07/17/critical-security-release-gitlab-11-dot-0-dot-4-released/</url>
+ </references>
+ <dates>
+ <discovery>2018-07-17</discovery>
+ <entry>2018-07-18</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ef013039-89cd-11e8-84e9-00e04c1ea73d">
+ <topic>typo3 -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>typo3-7</name>
+ <range><lt>7.6.30</lt></range>
+ </package>
+ <package>
+ <name>typo3-8</name>
+ <range><lt>8.7.17</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Typo3 core team reports:</p>
+ <blockquote cite="https://typo3.org/article/typo3-931-8717-and-7630-security-releases-published/">
+ <p>It has been discovered that TYPO3’s Salted Password system extension (which is a mandatory system component)
+ is vulnerable to Authentication Bypass when using hashing methods which are related by PHP class inheritance.
+ In standard TYPO3 core distributions stored passwords using the blowfish hashing algorithm can be overridden
+ when using MD5 as the default hashing algorithm by just knowing a valid username.
+ Per default the Portable PHP hashing algorithm (PHPass) is used which is not vulnerable.</p>
+ <p>Phar files (formerly known as "PHP archives") can act als self extracting archives which leads to the fact
+ that source code is executed when Phar files are invoked. The Phar file format is not limited to be stored
+ with a dedicated file extension - "bundle.phar" would be valid as well as "bundle.txt" would be. This way,
+ Phar files can be obfuscated as image or text file which would not be denied from being uploaded and persisted
+ to a TYPO3 installation. Due to a missing sanitization of user input, those Phar files can be invoked by
+ manipulated URLs in TYPO3 backend forms. A valid backend user account is needed to exploit this vulnerability.
+ In theory the attack vector would be possible in the TYPO3 frontend as well, however no functional exploit
+ has been identified so far.</p>
+ <p>Failing to properly dissociate system related configuration from user generated configuration,
+ the Form Framework (system extension "form") is vulnerable to SQL injection and Privilege Escalation.
+ Basically instructions can be persisted to a form definition file that were not configured to be modified -
+ this applies to definitions managed using the form editor module as well as direct file upload using the regular
+ file list module. A valid backend user account as well as having system extension form activated are needed
+ in order to exploit this vulnerability.</p>
+ <p>It has been discovered that the Form Framework (system extension "form") is vulnerable to Insecure Deserialization
+ when being used with the additional PHP PECL package “yaml”, which is capable of unserializing YAML contents
+ to PHP objects. A valid backend user account as well as having PHP setting "yaml.decode_php" enabled is needed
+ to exploit this vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://typo3.org/security/advisory/typo3-core-sa-2018-001/</url>
+ <url>https://typo3.org/security/advisory/typo3-core-sa-2018-002/</url>
+ <url>https://typo3.org/security/advisory/typo3-core-sa-2018-003/</url>
+ <url>https://typo3.org/security/advisory/typo3-core-sa-2018-004/</url>
+ </references>
+ <dates>
+ <discovery>2018-07-12</discovery>
+ <entry>2018-07-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="fe93803c-883f-11e8-9f0c-001b216d295b">
+ <topic>Several Security Defects in the Bouncy Castle Crypto APIs</topic>
+ <affects>
+ <package>
+ <name>bouncycastle15</name>
+ <range><lt>1.60</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Legion of the Bouncy Castle reports:</p>
+ <blockquote cite="https://www.bouncycastle.org/latest_releases.html">
+ <p>Release 1.60 is now available for download.</p>
+ <p>CVE-2018-1000180: issue around primality tests for RSA key pair
+ generation if done using only the low-level API.</p>
+ <p>CVE-2018-1000613: lack of class checking in deserialization
+ of XMSS/XMSS^MT private keys with BDS state information.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-1000180</cvename>
+ <cvename>CVE-2018-1000613</cvename>
+ <url>https://www.bouncycastle.org/latest_releases.html</url>
+ </references>
+ <dates>
+ <discovery>2018-06-30</discovery>
+ <entry>2018-07-15</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="bd6cf187-8710-11e8-833d-18a6f7016652">
+ <topic>qutebrowser -- Remote code execution due to CSRF</topic>
+ <affects>
+ <package>
+ <name>qutebrowser</name>
+ <range><ge>1.4.0</ge><lt>1.4.1</lt></range>
+ <range><ge>1.0.0</ge><lt>1.3.3_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>qutebrowser team reports:</p>
+ <blockquote cite="https://blog.qutebrowser.org/cve-2018-10895-remote-code-execution-due-to-csrf-in-qutebrowser.html">
+ <p>Due to a CSRF vulnerability affecting the qute://settings page,
+ it was possible for websites to modify qutebrowser settings.
+ Via settings like editor.command, this possibly allowed websites
+ to execute arbitrary code.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://seclists.org/oss-sec/2018/q3/29</url>
+ <cvename>CVE-2018-10895</cvename>
+ </references>
+ <dates>
+ <discovery>2018-07-11</discovery>
+ <entry>2018-07-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e78732b2-8528-11e8-9c42-6451062f0f7a">
+ <topic>Flash Player -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>linux-flashplayer</name>
+ <range><lt>30.0.0.134</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adobe reports:</p>
+ <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb18-24.html">
+ <ul>
+ <li>This update resolves an out-of-bounds read vulnerability that
+ could lead to information disclosure (CVE-2018-5008).</li>
+ <li>This update resolves a type confusion vulnerability that
+ could lead to arbitrary code execution (CVE-2018-5007).</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-5007</cvename>
+ <cvename>CVE-2018-5008</cvename>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsb18-24.html</url>
+ </references>
+ <dates>
+ <discovery>2018-07-10</discovery>
+ <entry>2018-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="1e54d140-8493-11e8-a795-0028f8d09152">
+ <topic>couchdb -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>couchdb</name>
+ <range><lt>1.7.2,2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Apache CouchDB PMC reports:</p>
+ <blockquote cite="https://blog.couchdb.org/2018/07/10/cve-2018-8007/">
+ <p>Database Administrator could achieve privilege escalation to
+ the account that CouchDB runs under, by abusing insufficient validation
+ in the HTTP API, escaping security controls implemented in previous
+ releases.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://blog.couchdb.org/2018/07/10/cve-2018-8007/</url>
+ <cvename>CVE-2018-8007</cvename>
+ <url>https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/</url>
+ <cvename>CVE-2017-12636</cvename>
+ <cvename>CVE-2017-12635</cvename>
+ <url>https://lists.apache.org/thread.html/6fa798e96686b7b0013ec2088140d00aeb7d34487d3f5ad032af6934@%3Cdev.couchdb.apache.org%3E</url>
+ </references>
+ <dates>
+ <discovery>2017-11-14</discovery>
+ <entry>2018-07-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3c9b7698-84da-11e8-8c75-d8cb8abf62dd">
+ <topic>Libgit2 -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>libgit2</name>
+ <range><lt>0.27.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Git community reports:</p>
+ <blockquote cite="https://github.com/libgit2/libgit2/releases/tag/v0.27.3">
+ <p>Out-of-bounds reads when reading objects from a packfile</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/libgit2/libgit2/releases/tag/v0.27.3</url>
+ <cvename>CVE-2018-10887</cvename>
+ <cvename>CVE-2018-10888</cvename>
+ </references>
+ <dates>
+ <discovery>2018-07-09</discovery>
+ <entry>2018-07-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d1e9d8c5-839b-11e8-9610-9c5c8e75236a">
+ <topic>clamav -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>clamav</name>
+ <range><lt>0.100.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p> Joel Esler reports:</p>
+ <blockquote cite="https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html">
+ <p>3 security fixes in this release:</p>
+ <ul>
+ <li>CVE-2017-16932: Vulnerability in libxml2 dependency (affects ClamAV on Windows only).</li>
+ <li>CVE-2018-0360: HWP integer overflow, infinite loop vulnerability. Reported by Secunia Research at Flexera.</li>
+ <li>CVE-2018-0361: ClamAV PDF object length check, unreasonably long time to parse relatively small file. Report
+ed by aCaB.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html</url>
+ <cvename>CVE-2017-16932</cvename>
+ <cvename>CVE-2018-0360</cvename>
+ <cvename>CVE-2018-0361</cvename>
+ </references>
+ <dates>
+ <discovery>2018-07-09</discovery>
+ <entry>2018-07-09</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7764b219-8148-11e8-aa4d-000e0cd7b374">
+ <topic>zziplib - multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>zziplib</name>
+ <range><lt>0.13.68</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>NIST reports (by search in the range 2017/01/01 - 2018/07/06):</p>
+ <blockquote cite="https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=zziplib&search_type=all&pub_start_date=01%2F01%2F2017&pub_end_date=07%2F06%2F2018">
+ <p>17 security fixes in this release:</p>
+ <ul>
+ <li>Heap-based buffer overflow in the __zzip_get32 function in fetch.c.</li>
+ <li>Heap-based buffer overflow in the __zzip_get64 function in fetch.c.</li>
+ <li>Heap-based buffer overflow in the zzip_mem_entry_extra_block function
+ in memdisk.c.</li>
+ <li>The zzip_mem_entry_new function in memdisk.c allows remote attackers
+ to cause a denial of service (out-of-bounds read and crash) via a
+ crafted ZIP file.</li>
+ <li>The prescan_entry function in fseeko.c allows remote attackers to cause
+ a denial of service (NULL pointer dereference and crash) via crafted
+ ZIP file.</li>
+ <li>The zzip_mem_entry_new function in memdisk.c cause a NULL pointer
+ dereference and crash via a crafted ZIP file.</li>
+ <li>seeko.c cause a denial of service (assertion failure and crash) via a
+ crafted ZIP file.</li>
+ <li>A segmentation fault caused by invalid memory access in the
+ zzip_disk_fread function because the size variable is not validated
+ against the amount of file->stored data.</li>
+ <li>A memory alignment error and bus error in the __zzip_fetch_disk_trailer
+ function of zzip/zip.c.</li>
+ <li>A bus error caused by loading of a misaligned address in the
+ zzip_disk_findfirst function.</li>
+ <li>An uncontrolled memory allocation and a crash in the __zzip_parse_root_directory
+ function.</li>
+ <li>An invalid memory address dereference was discovered in zzip_disk_fread
+ in mmapped.c.</li>
+ <li>A memory leak triggered in the function zzip_mem_disk_new in
+ memdisk.c.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-5974</cvename>
+ <cvename>CVE-2017-5975</cvename>
+ <cvename>CVE-2017-5976</cvename>
+ <cvename>CVE-2017-5977</cvename>
+ <cvename>CVE-2017-5978</cvename>
+ <cvename>CVE-2017-5979</cvename>
+ <cvename>CVE-2017-5980</cvename>
+ <cvename>CVE-2017-5981</cvename>
+ <cvename>CVE-2018-6381</cvename>
+ <cvename>CVE-2018-6484</cvename>
+ <cvename>CVE-2018-6540</cvename>
+ <cvename>CVE-2018-6541</cvename>
+ <cvename>CVE-2018-6542</cvename>
+ <cvename>CVE-2018-6869</cvename>
+ <cvename>CVE-2018-7725</cvename>
+ <cvename>CVE-2018-7726</cvename>
+ <cvename>CVE-2018-7727</cvename>
+ <url>https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=zziplib&search_type=all&pub_start_date=01%2F01%2F2017&pub_end_date=07%2F06%2F2018"</url>
+ </references>
+ <dates>
+ <discovery>2017-03-01</discovery>
+ <entry>2018-07-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="4740174c-82bb-11e8-a29a-00e04c1ea73d">
+ <topic>wordpress -- multiple issues</topic>
+ <affects>
+ <package>
+ <name>wordpress</name>
+ <name>fr-wordpress</name>
+ <range><lt>4.9.7,1</lt></range>
+ </package>
+ <package>
+ <name>de-wordpress</name>
+ <name>zh_CN-wordpress</name>
+ <name>zh_TW-wordpress</name>
+ <name>ja-wordpress</name>
+ <name>ru-wordpress</name>
+ <range><lt>4.9.7</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>wordpressdevelopers reports:</p>
+ <blockquote cite="https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/">
+ <p>Taxonomy: Improve cache handling for term queries.</p>
+ <p>Posts, Post Types: Clear post password cookie when logging out.</p>
+ <p>Widgets: Allow basic HTML tags in sidebar descriptions on Widgets admin screen.</p>
+ <p>Community Events Dashboard: Always show the nearest WordCamp if one is coming up, even if there are multiple Meetups happening first.</p>
+ <p>Privacy: Make sure default privacy policy content does not cause a fatal error when flushing rewrite rules outside of the admin context.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/</url>
+ </references>
+ <dates>
+ <discovery>2018-07-05</discovery>
+ <entry>2018-07-08</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="bfd5d004-81d4-11e8-a29a-00e04c1ea73d">
+ <topic>mybb -- vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mybb</name>
+ <range><lt>1.8.16</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>mybb Team reports:</p>
+ <blockquote cite="https://blog.mybb.com/2018/07/04/mybb-1-8-16-released-security-maintenance-release/">
+ <p>High risk: Image and URL MyCode Persistent XSS</p>
+ <p>Medium risk: Multipage Reflected XSS</p>
+ <p>Low risk: ACP logs XSS</p>
+ <p>Low risk: Arbitrary file deletion via ACP’s Settings</p>
+ <p>Low risk: Login CSRF</p>
+ <p>Low risk: Non-video content embedding via Video MyCode</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://blog.mybb.com/2018/07/04/mybb-1-8-16-released-security-maintenance-release/</url>
+ </references>
+ <dates>
+ <discovery>2018-07-04</discovery>
+ <entry>2018-07-07</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e375ff3f-7fec-11e8-8088-28d244aee256">
+ <topic>expat -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>expat</name>
+ <range><lt>2.2.1</lt></range>
+ </package>
+ <package>
+ <name>libwww</name>
+ <range><lt>5.4.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mitre reports:</p>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063">
+ <p>An integer overflow during the parsing of XML using the Expat library.</p>
+ </blockquote>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233">
+ <p>XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat
+ XML Parser Library) allows attackers to put the parser in an infinite
+ loop using a malformed external entity definition from an external DTD.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-9063</cvename>
+ <cvename>CVE-2017-9233</cvename>
+ <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063</url>
+ <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233</url>
+ <url>https://libexpat.github.io/doc/cve-2017-9233/</url>
+ </references>
+ <dates>
+ <discovery>2016-10-27</discovery>
+ <entry>2018-07-05</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ce39379f-7eb7-11e8-ab03-00bd7f19ff09">
+ <topic>h2o -- heap buffer overflow during logging</topic>
+ <affects>
+ <package>
+ <name>h2o</name>
+ <range><lt>2.2.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Marlies Ruck reports:</p>
+ <blockquote cite="https://github.com/h2o/h2o/releases/tag/v2.2.5">
+ <p>Fix heap buffer overflow while trying to emit access log
+ - see references for full details.</p>
+ <p>CVE-2018-0608: Buffer overflow in H2O version 2.2.4 and
+ earlier allows remote attackers to execute arbitrary code or
+ cause a denial of service (DoS) via unspecified vectors.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-0608</cvename>
+ <url>https://github.com/h2o/h2o/issues/1775</url>
+ <url>https://github.com/h2o/h2o/releases/tag/v2.2.5</url>
+ </references>
+ <dates>
+ <discovery>2018-06-01</discovery>
+ <entry>2018-07-03</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c1630aa3-7970-11e8-8634-dcfe074bd614">
+ <topic>SQLite -- Corrupt DB can cause a NULL pointer dereference</topic>
+ <affects>
+ <package>
+ <name>upp</name>
+ <range><le>11540</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MITRE reports:</p>
+ <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2018-8740">
+ <p>SQLite databases whose schema is corrupted using a CREATE TABLE AS
+ statement could cause a NULL pointer dereference, related to build.c
+ and prepare.c.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-8740</cvename>
+ <url>http://openwall.com/lists/oss-security/2018/03/17/1</url>
+ </references>
+ <dates>
+ <discovery>2018-03-16</discovery>
+ <entry>2018-07-01</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="cd81806c-26e7-4d4a-8425-02724a2f48af">
+ <topic>mozilla -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>61.0_1,1</lt></range>
+ </package>
+ <package>
+ <name>waterfox</name>
+ <range><lt>56.2.1.19_2</lt></range>
+ </package>
+ <package>
+ <name>seamonkey</name>
+ <name>linux-seamonkey</name>
+ <range><lt>2.49.4</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><ge>60.0,1</ge><lt>60.1.0_1,1</lt></range>
+ <range><lt>52.9.0_1,1</lt></range>
+ </package>
+ <package>
+ <name>linux-firefox</name>
+ <range><lt>52.9.0,2</lt></range>
+ </package>
+ <package>
+ <name>libxul</name>
+ <name>thunderbird</name>
+ <name>linux-thunderbird</name>
+ <range><lt>52.9.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mozilla Foundation reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/">
+ <p>CVE-2018-12359: Buffer overflow using computed size of canvas element</p>
+ <p>CVE-2018-12360: Use-after-free when using focus()</p>
+ <p>CVE-2018-12361: Integer overflow in SwizzleData</p>
+ <p>CVE-2018-12358: Same-origin bypass using service worker and redirection</p>
+ <p>CVE-2018-12362: Integer overflow in SSSE3 scaler</p>
+ <p>CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture</p>
+ <p>CVE-2018-12363: Use-after-free when appending DOM nodes</p>
+ <p>CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins</p>
+ <p>CVE-2018-12365: Compromised IPC child process can list local filenames</p>
+ <p>CVE-2018-12371: Integer overflow in Skia library during edge builder allocation</p>
+ <p>CVE-2018-12366: Invalid data handling during QCMS transformations</p>
+ <p>CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming</p>
+ <p>CVE-2018-12368: No warning when opening executable SettingContent-ms files</p>
+ <p>CVE-2018-12369: WebExtension security permission checks bypassed by embedded experiments</p>
+ <p>CVE-2018-12370: SameSite cookie protections bypassed when exiting Reader View</p>
+ <p>CVE-2018-5186: Memory safety bugs fixed in Firefox 61</p>
+ <p>CVE-2018-5187: Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1</p>
+ <p>CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-5156</cvename>
+ <cvename>CVE-2018-5186</cvename>
+ <cvename>CVE-2018-5187</cvename>
+ <cvename>CVE-2018-5188</cvename>
+ <cvename>CVE-2018-12358</cvename>
+ <cvename>CVE-2018-12359</cvename>
+ <cvename>CVE-2018-12360</cvename>
+ <cvename>CVE-2018-12361</cvename>
+ <cvename>CVE-2018-12362</cvename>
+ <cvename>CVE-2018-12363</cvename>
+ <cvename>CVE-2018-12364</cvename>
+ <cvename>CVE-2018-12365</cvename>
+ <cvename>CVE-2018-12366</cvename>
+ <cvename>CVE-2018-12367</cvename>
+ <cvename>CVE-2018-12368</cvename>
+ <cvename>CVE-2018-12369</cvename>
+ <cvename>CVE-2018-12370</cvename>
+ <cvename>CVE-2018-12371</cvename>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2018-16/</url>
+ <url>https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/</url>
+ </references>
+ <dates>
+ <discovery>2018-06-26</discovery>
+ <entry>2018-06-26</entry>
+ <modified>2018-07-07</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="739948e3-78bf-11e8-b23c-080027ac955c">
+ <topic>mailman -- hardening against malicious listowners injecting evil HTML scripts</topic>
+ <affects>
+ <package> <name>mailman</name> <range><lt>2.1.27</lt></range> </package>
+ <package> <name>mailman-with-htdig</name> <range><lt>2.1.27</lt></range> </package>
+ <package> <name>ja-mailman</name> <range><lt>2.1.14.j7_5,1</lt></range> </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mark Sapiro reports:</p>
+ <blockquote cite="https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS#L8">
+ <p>Existing protections against malicious listowners injecting evil
+ scripts into listinfo pages have had a few more checks added.
+ </p>
+ <p>A few more error messages have had their values HTML escaped.</p>
+ <p>The hash generated when SUBSCRIBE_FORM_SECRET is set could have been
+ the same as one generated at the same time for a different list and
+ IP address.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/head:/NEWS#L8</url>
+ <url>https://www.mail-archive.com/mailman-users@python.org/</url>
+ <cvename>CVE-2018-0618</cvename>
+ </references>
+ <dates>
+ <discovery>2018-03-09</discovery> <!-- Launchpad rev. 1747 -->
+ <entry>2018-06-25</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b950a83b-789e-11e8-8545-d8cb8abf62dd">
+ <topic>Gitlab -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>gitlab</name>
+ <range><ge>11.0.0</ge><lt>11.0.1</lt></range>
+ <range><ge>10.8.0</ge><lt>10.8.5</lt></range>
+ <range><ge>4.1</ge><lt>10.7.6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Gitlab reports:</p>
+ <blockquote cite="https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/">
+ <p>Wiki XSS</p>
+ <p>Sanitize gem updates</p>
+ <p>XSS in url_for(params)</p>
+ <p>Content injection via username</p>
+ <p>Activity feed publicly displaying internal project names</p>
+ <p>Persistent XSS in charts</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-12606</cvename>
+ <cvename>CVE-2018-3740</cvename>
+ <cvename>CVE-2018-12605</cvename>
+ <cvename>CVE-2018-12607</cvename>
+ <url>https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/</url>
+ </references>
+ <dates>
+ <discovery>2018-06-25</discovery>
+ <entry>2018-06-25</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="17cb6ff3-7670-11e8-8854-6805ca0b3d42">
+ <topic>phpmyadmin -- remote code inclusion and XSS scripting</topic>
+ <affects>
+ <package>
+ <name>phpmyadmin</name>
+ <range><lt>4.8.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The phpMyAdmin development team reports:</p>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2018-3/">
+ <h3>Summary</h3>
+ <p>XSS in Designer feature</p>
+ <h3>Description</h3>
+ <p>A Cross-Site Scripting vulnerability was found in the
+ Designer feature, where an attacker can deliver a
+ payload to a user through a specially-crafted database
+ name.</p>
+ <h3>Severity</h3>
+ <p>We consider this attack to be of moderate severity.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2018-4/">
+ <h3>Summary</h3>
+ <p>File inclusion and remote code execution attack</p>
+ <h3>Description</h3>
+ <p>A flaw has been discovered where an attacker can include
+ (view and potentially execute) files on the server.</p>
+ <p>The vulnerability comes from a portion of code where
+ pages are redirected and loaded within phpMyAdmin, and an
+ improper test for whitelisted pages.</p>
+ <p>An attacker must be authenticated, except in these
+ situations:</p>
+ <ul>
+ <li>$cfg['AllowArbitraryServer'] = true: attacker can
+ specify any host he/she is already in control of, and
+ execute arbitrary code on phpMyAdmin</li>
+ <li>$cfg['ServerDefault'] = 0: this bypasses the login and
+ runs the vulnerable code without any authentication</li>
+ </ul>
+ <h3>Severity</h3>
+ <p>We consider this to be severe.</p> <h3>Mitigation
+ factor</h3> <p>Configuring PHP with a restrictive
+ `open_basedir` can greatly restrict an attacker's ability to
+ view files on the server. Vulnerable systems should not be
+ run with the phpMyAdmin directives
+ $cfg['AllowArbitraryServer'] = true or $cfg['ServerDefault']
+ = 0</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.phpmyadmin.net/security/PMASA-2018-3/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2018-4/</url>
+ <cvename>CVE-2018-12581</cvename>
+ <cvename>CVE-2018-12613</cvename>
+ </references>
+ <dates>
+ <discovery>2018-06-21</discovery>
+ <entry>2018-06-22</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="4e07d94f-75a5-11e8-85d1-a4badb2f4699">
+ <topic>FreeBSD -- Lazy FPU State Restore Information Disclosure</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>11.1</ge><lt>11.1_11</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>A subset of Intel processors can allow a local thread
+ to infer data from another thread through a speculative
+ execution side channel when Lazy FPU state restore is
+ used.</p>
+ <h1>Impact:</h1>
+ <p>Any local thread can potentially read FPU state information
+ from other threads running on the host. This could include
+ cryptographic keys when the AES-NI CPU feature is present.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-3665</cvename>
+ <freebsdsa>SA-18:07.lazyfpu</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2018-06-21</discovery>
+ <entry>2018-06-21</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="25f73c47-68a8-4a30-9cbc-1ca5eea4d6ba">
+ <topic>GraphicsMagick -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>GraphicsMagick</name>
+ <range><lt>1.3.26,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>GraphicsMagick reports:</p>
+ <blockquote cite="http://www.graphicsmagick.org/NEWS.html">
+ <p>Multiple vulnerabilities have been found in GraphicsMagick 1.3.26
+ or earlier. Please refer to the CVE list for details.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.graphicsmagick.org/NEWS.html</url>
+ <cvename>CVE-2016-7800</cvename>
+ <cvename>CVE-2016-7996</cvename>
+ <cvename>CVE-2016-7997</cvename>
+ <cvename>CVE-2016-9830</cvename>
+ <cvename>CVE-2017-6335</cvename>
+ <cvename>CVE-2017-8350</cvename>
+ <cvename>CVE-2017-10794</cvename>
+ <cvename>CVE-2017-10799</cvename>
+ <cvename>CVE-2017-10800</cvename>
+ </references>
+ <dates>
+ <discovery>2017-07-04</discovery>
+ <entry>2018-06-18</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3a66cb69-716f-11e8-be54-3085a9a47796">
+ <topic>slurm -- insecure handling of user_name and gid fields</topic>
+ <affects>
+ <package>
+ <name>slurm-wlm</name>
+ <range><lt>17.02.11</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>SchedMD reports:</p>
+ <blockquote cite="https://lists.schedmd.com/pipermail/slurm-announce/2018/000008.html">
+ <h1>Insecure handling of user_name and gid fields (CVE-2018-10995)</h1>
+ <p>While fixes are only available for the supported 17.02 and 17.11
+ releases, it is believed that similar vulnerabilities do affect past
+ versions as well. The only resolution is to upgrade Slurm to a fixed
+ release.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://lists.schedmd.com/pipermail/slurm-announce/2018/000008.html</url>
+ </references>
+ <dates>
+ <discovery>2018-05-30</discovery>
+ <entry>2018-06-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="45b8e2eb-7056-11e8-8fab-63ca6e0e13a2">
+ <topic>node.js -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>node6</name>
+ <range><lt>6.14.3</lt></range>
+ </package>
+ <package>
+ <name>node8</name>
+ <range><lt>8.11.3</lt></range>
+ </package>
+ <package>
+ <name>node</name>
+ <range><lt>10.4.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Node.js reports:</p>
+ <blockquote cite="https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/">
+ <h1>Denial of Service Vulnerability in HTTP/2 (CVE-2018-7161)</h1>
+ <p>All versions of 8.x and later are vulnerable and the severity is
+ HIGH. An attacker can cause a denial of service (DoS) by causing a
+ node server providing an http2 server to crash. This can be
+ accomplished by interacting with the http2 server in a manner that
+ triggers a cleanup bug where objects are used in native code after
+ they are no longer available. This has been addressed by updating
+ the http2 implementation. Thanks to Jordan Zebor at F5 Networks for
+ reporting this issue.</p>
+ <h1>Denial of Service, nghttp2 dependency (CVE-2018-1000168)</h1>
+ <p>All versions of 9.x and later are vulnerable and the severity is
+ HIGH. Under certain conditions, a malicious client can trigger an
+ uninitialized read (and a subsequent segfault) by sending a
+ malformed ALTSVC frame. This has been addressed through an by
+ updating nghttp2.</p>
+ <h1>Denial of Service Vulnerability in TLS (CVE-2018-7162)</h1>
+ <p>All versions of 9.x and later are vulnerable and the severity is
+ HIGH. An attacker can cause a denial of service (DoS) by causing a
+ node process which provides an http server supporting TLS server to
+ crash. This can be accomplished by sending duplicate/unexpected
+ messages during the handshake. This vulnerability has been addressed
+ by updating the TLS implementation. Thanks to Jordan Zebor at F5
+ Networks all of his help investigating this issue with the Node.js
+ team.</p>
+ <h1>Memory exhaustion DoS on v9.x (CVE-2018-7164)</h1>
+ <p>Versions 9.7.0 and later are vulnerable and the severity is MEDIUM.
+ A bug introduced in 9.7.0 increases the memory consumed when reading
+ from the network into JavaScript using the net.Socket object
+ directly as a stream. An attacker could use this cause a denial of
+ service by sending tiny chunks of data in short succession. This
+ vulnerability was restored by reverting to the prior behaviour.</p>
+ <h1>Calls to Buffer.fill() and/or Buffer.alloc() may hang (CVE-2018-7167)</h1>
+ <p>Calling Buffer.fill() or Buffer.alloc() with some parameters can
+ lead to a hang which could result in a Denial of Service. In order
+ to address this vulnerability, the implementations of Buffer.alloc()
+ and Buffer.fill() were updated so that they zero fill instead of
+ hanging in these cases.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/</url>
+ <url>https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/</url>
+ <cvename>CVE-2018-7161</cvename>
+ <cvename>CVE-2018-7162</cvename>
+ <cvename>CVE-2018-7164</cvename>
+ <cvename>CVE-2018-7167</cvename>
+ <cvename>CVE-2018-1000168</cvename>
+ </references>
+ <dates>
+ <discovery>2018-06-12</discovery>
+ <entry>2018-06-15</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="53eb9e1e-7014-11e8-8b1f-3065ec8fd3ec">
+ <topic>password-store -- GPG parsing vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>password-store</name>
+ <range><lt>1.7.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jason A. Donenfeld reports:</p>
+ <blockquote cite="https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html">
+ <p>Markus Brinkmann discovered that [the] parsing of gpg command line
+ output with regexes isn't anchored to the beginning of the line,
+ which means an attacker can generate a malicious key that simply has
+ the verification string as part of its username.</p>
+ <p>This has a number of nasty consequences:</p>
+ <ul>
+ <li>an attacker who manages to write into your ~/.password-store
+ and also inject a malicious key into your keyring can replace
+ your .gpg-id key and have your passwords encrypted under
+ additional keys;</li>
+ <li>if you have extensions enabled (disabled by default), an
+ attacker who manages to write into your ~/.password-store and
+ also inject a malicious key into your keyring can replace your
+ extensions and hence execute code.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html</url>
+ <cvename>CVE-2018-12356</cvename>
+ </references>
+ <dates>
+ <discovery>2018-06-14</discovery>
+ <entry>2018-06-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9b5162de-6f39-11e8-818e-e8e0b747a45a">
+ <topic>libgcrypt -- side-channel attack vulnerability</topic>
+ <affects>
+ <package>
+ <name>libgcrypt</name>
+ <range><lt>1.8.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>GnuPG reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495">
+ <p>Mitigate a local side-channel attack on ECDSA signature as described in the white paper "Return on the Hidden Number Problem".</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-0495</cvename>
+ <url>https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/</url>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495</url>
+ <url>https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.7.4-relnotes.txt</url>
+ </references>
+ <dates>
+ <discovery>2018-06-13</discovery>
+ <entry>2018-06-13</entry>
+ <modified>2018-06-14</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="c82ecac5-6e3f-11e8-8777-b499baebfeaf">
+ <topic>OpenSSL -- Client DoS due to large DH parameter</topic>
+ <affects>
+ <package>
+ <name>libressl</name>
+ <name>libressl-devel</name>
+ <range><lt>2.6.5</lt></range>
+ <range><ge>2.7.0</ge><lt>2.7.4</lt></range>
+ </package>
+ <package>
+ <name>openssl</name>
+ <range><lt>1.0.2o_4,1</lt></range>
+ </package>
+ <package>
+ <name>openssl-devel</name>
+ <range><lt>1.1.0h_2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The OpenSSL project reports:</p>
+ <blockquote cite="https://www.openssl.org/news/secadv/20180612.txt">
+ <p>During key agreement in a TLS handshake using a DH(E) based
+ ciphersuite a malicious server can send a very large prime value
+ to the client. This will cause the client to spend an unreasonably
+ long period of time generating a key for this prime resulting in a
+ hang until the client has finished. This could be exploited in a
+ Denial Of Service attack.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.openssl.org/news/secadv/20180612.txt</url>
+ <cvename>CVE-2018-0732</cvename>
+ </references>
+ <dates>
+ <discovery>2018-06-12</discovery>
+ <entry>2018-06-12</entry>
+ <modified>2018-07-24</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="0137167b-6dca-11e8-a671-001999f8d30b">
+ <topic>asterisk -- PJSIP endpoint presence disclosure when using ACL</topic>
+ <affects>
+ <package>
+ <name>asterisk13</name>
+ <range><lt>13.21.1</lt></range>
+ </package>
+ <package>
+ <name>asterisk15</name>
+ <range><lt>15.4.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="http://www.asterisk.org/downloads/security-advisories">
+ <p> When endpoint specific ACL rules block a SIP request
+ they respond with a 403 forbidden. However, if an endpoint
+ is not identified then a 401 unauthorized response is
+ sent. This vulnerability just discloses which requests
+ hit a defined endpoint. The ACL rules cannot be bypassed
+ to gain access to the disclosed endpoints.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.asterisk.org/pub/security/AST-2018-008.html</url>
+ </references>
+ <dates>
+ <discovery>2018-06-11</discovery>
+ <entry>2018-06-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f14ce57f-6dc8-11e8-a671-001999f8d30b">
+ <topic>asterisk -- Infinite loop when reading iostreams</topic>
+ <affects>
+ <package>
+ <name>asterisk15</name>
+ <range><lt>15.4.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="http://www.asterisk.org/downloads/security-advisories">
+ <p>When connected to Asterisk via TCP/TLS if the client
+ abruptly disconnects, or sends a specially crafted message
+ then Asterisk gets caught in an infinite loop while trying
+ to read the data stream. Thus rendering the system as
+ unusable.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.asterisk.org/pub/security/AST-2018-007.html</url>
+ </references>
+ <dates>
+ <discovery>2018-06-11</discovery>
+ <entry>2018-06-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="4cb49a23-6c89-11e8-8b33-e8e0b747a45a">
+ <topic>chromium -- Incorrect handling of CSP header</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>67.0.3396.79</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2018/06/stable-channel-update-for-desktop.html">
+ <p>1 security fix contributed by external researchers:</p>
+ <ul>
+ <li>[845961] High CVE-2018-6148: Incorrect handling of CSP header. Reported by Michal Bentkowski on 2018-05-23</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-6148</cvename>
+ <url>https://chromereleases.googleblog.com/2018/06/stable-channel-update-for-desktop.html</url>
+ </references>
+ <dates>
+ <discovery>2018-06-06</discovery>
+ <entry>2018-06-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7da0417f-6b24-11e8-84cc-002590acae31">
+ <topic>gnupg -- unsanitized output (CVE-2018-12020)</topic>
+ <affects>
+ <package>
+ <name>gnupg</name>
+ <range><lt>2.2.8</lt></range>
+ </package>
+ <package>
+ <name>gnupg1</name>
+ <range><lt>1.4.23</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>GnuPG reports:</p>
+ <blockquote cite="https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html">
+ <p>GnuPG did not sanitize input file names, which may then be output to
+ the terminal. This could allow terminal control sequences or fake
+ status messages to be injected into the output.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020</url>
+ <cvename>CVE-2018-12020</cvename>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526</url>
+ <cvename>CVE-2017-7526</cvename>
+ </references>
+ <dates>
+ <discovery>2018-06-07</discovery>
+ <entry>2018-06-08</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e3e68fe8-d9cb-4ba8-b09c-9e3a28588eb7">
+ <topic>firefox -- Heap buffer overflow rasterizing paths in SVG with Skia</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>60.0.2,1</lt></range>
+ </package>
+ <package>
+ <name>waterfox</name>
+ <range><lt>56.2.0.13_5</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>52.8.1,1</lt></range>
+ </package>
+ <package>
+ <name>seamonkey</name>
+ <name>linux-seamonkey</name>
+ <range><lt>2.49.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Mozilla Foundation reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/">
+ <p>A heap buffer overflow can occur in the Skia library when
+ rasterizing paths using a maliciously crafted SVG file
+ with anti-aliasing turned off. This results in a
+ potentially exploitable crash.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.mozilla.org/security/advisories/mfsa2018-14/</url>
+ </references>
+ <dates>
+ <discovery>2018-06-06</discovery>
+ <entry>2018-06-08</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="2dde5a56-6ab1-11e8-b639-6451062f0f7a">
+ <topic>Flash Player -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>linux-flashplayer</name>
+ <range><lt>30.0.0.113</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adobe reports:</p>
+ <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb18-19.html">
+ <ul>
+ <li>This update resolves a type confusion vulnerability that
+ could lead to arbitrary code execution (CVE-2018-4945).</li>
+ <li>This update resolves an integer overflow vulnerability that
+ could lead to information disclosure (CVE-2018-5000).</li>
+ <li>This update resolves an out-of-bounds read vulnerability that
+ could lead to information disclosure (CVE-2018-5001).</li>
+ <li>This update resolves a stack-based buffer overflow vulnerability that
+ could lead to arbitrary code execution (CVE-2018-5002).</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-4945</cvename>
+ <cvename>CVE-2018-5000</cvename>
+ <cvename>CVE-2018-5001</cvename>
+ <cvename>CVE-2018-5002</cvename>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsb18-19.html</url>
+ </references>
+ <dates>
+ <discovery>2018-06-07</discovery>
+ <entry>2018-06-07</entry>
+ <modified>2018-07-11</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="2f4fd3aa-32f8-4116-92f2-68f05398348e">
+ <topic>bro -- multiple memory allocation issues</topic>
+ <affects>
+ <package>
+ <name>bro</name>
+ <range><lt>2.5.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Corelight reports:</p>
+ <blockquote cite="https://www.bro.org/download/NEWS.bro.html">
+ <p>Bro 2.5.4 primarily fixes security issues</p>
+ <p>Multiple fixes and improvements to BinPAC generated code related to array parsing, with potential impact to all Bro's BinPAC-generated analyzers in the form of buffer over-reads or other invalid memory accesses depending on whether a particular analyzer incorrectly assumed that the evaulated-array-length expression is actually the number of elements that were parsed out from the input.</p>
+ <p>The NCP analyzer (not enabled by default and also updated to actually work with newer Bro APIs in the release) performed a memory allocation based directly on a field in the input packet and using signed integer storage. This could result in a signed integer overflow and memory allocations of negative or very large size, leading to a crash or memory exhaustion. The new NCP::max_frame_size tuning option now limits the maximum amount of memory that can be allocated.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.bro.org/download/NEWS.bro.html</url>
+ </references>
+ <dates>
+ <discovery>2018-05-29</discovery>
+ <entry>2018-06-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5a1589ad-68f9-11e8-83f5-d8cb8abf62dd">
+ <topic>Libgit2 -- Fixing insufficient validation of submodule names</topic>
+ <affects>
+ <package>
+ <name>libgit2</name>
+ <name>py-pygit2</name>
+ <range><lt>0.27.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Git community reports:</p>
+ <blockquote cite="https://github.com/libgit2/libgit2/releases/tag/v0.27.1">
+ <p>Insufficient validation of submodule names</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/libgit2/libgit2/releases/tag/v0.27.1</url>
+ <cvename>CVE-2018-11235</cvename>
+ </references>
+ <dates>
+ <discovery>2018-05-29</discovery>
+ <entry>2018-06-05</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c7a135f4-66a4-11e8-9e63-3085a9a47796">
+ <topic>Git -- Fix memory out-of-bounds and remote code execution vulnerabilities (CVE-2018-11233 and CVE-2018-11235)</topic>
+ <affects>
+ <package>
+ <name>git</name>
+ <name>git-lite</name>
+ <range><lt>2.13.7</lt></range>
+ <range><ge>2.14</ge><lt>2.14.4</lt></range>
+ <range><ge>2.15</ge><lt>2.15.2</lt></range>
+ <range><ge>2.16</ge><lt>2.16.4</lt></range>
+ <range><ge>2.17</ge><lt>2.17.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Git community reports:</p>
+ <blockquote cite="https://marc.info/?l=git&m=152761328506724&=2">
+ <ul><li>In affected versions of Git, code to sanity-check pathnames on
+ NTFS can result in reading out-of-bounds memory.</li>
+ <li>In affected versions of Git, remote code execution can
+ occur. With a crafted .gitmodules file, a malicious project can
+ execute an arbitrary script on a machine that runs "git clone
+ --recurse-submodules" because submodule "names" are obtained from
+ this file, and then appended to $GIT_DIR/modules, leading to
+ directory traversal with "../" in a name. Finally, post-checkout
+ hooks from a submodule are executed, bypassing the intended design
+ in which hooks are not obtained from a remote server.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11233</url>
+ <cvename>CVE-2018-11233</cvename>
+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235</url>
+ <cvename>CVE-2018-11235</cvename>
+ </references>
+ <dates>
+ <discovery>2018-05-29</discovery>
+ <entry>2018-06-02</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9557dc72-64da-11e8-bc32-d8cb8abf62dd">
+ <topic>Gitlab -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>gitlab</name>
+ <range><ge>10.8.0</ge><lt>10.8.2</lt></range>
+ <range><ge>10.7.0</ge><lt>10.7.5</lt></range>
+ <range><ge>1.0</ge><lt>10.6.6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>GitLab reports:</p>
+ <blockquote cite="https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/">
+ <p>Removing public deploy keys regression</p>
+ <p>Users can update their password without entering current password</p>
+ <p>Persistent XSS - Selecting users as allowed merge request approvers</p>
+ <p>Persistent XSS - Multiple locations of user selection drop downs</p>
+ <p>include directive in .gitlab-ci.yml allows SSRF requests</p>
+ <p>Permissions issue in Merge Requests Create Service</p>
+ <p>Arbitrary assignment of project fields using "Import project"</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/</url>
+ </references>
+ <dates>
+ <discovery>2018-05-29</discovery>
+ <entry>2018-05-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7fc3e827-64a5-11e8-aedb-00224d821998">
+ <topic>strongswan -- Fix Denial-of-Service Vulnerability strongSwan (CVE-2018-10811, CVE-2018-5388)</topic>
+ <affects>
+ <package>
+ <name>strongswan</name>
+ <range><lt>5.6.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>strongSwan security team reports:</p>
+ <blockquote cite="https://www.strongswan.org/blog/2018/05/28/strongswan-5.6.3-released.html">
+ <ul><li>A denial-of-service vulnerability in the IKEv2 key derivation was fixed
+ if the openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated as
+ PRF (which is not FIPS-compliant). So this should only affect very specific setups,
+ but in such configurations all strongSwan versions since 5.0.1 may be affected.</li>
+ <li>A denial-of-service vulnerability in the stroke plugin was fixed.
+ When reading a message from the socket the plugin did not check the received length.
+ Unless a group is configured, root privileges are required to access that socket,
+ so in the default configuration this shouldn't be an issue, but all strongSwan versions may be affected.
+ </li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.strongswan.org/blog/2018/05/28/strongswan-vulnerability-(cve-2018-10811).html</url>
+ <cvename>CVE-2018-10811</cvename>
+ <url>https://www.strongswan.org/blog/2018/05/28/strongswan-vulnerability-(cve-2018-5388).html</url>
+ <cvename>CVE-2018-5388</cvename>
+ </references>
+ <dates>
+ <discovery>2018-05-16</discovery>
+ <entry>2018-05-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="427b0f58-644c-11e8-9e1b-e8e0b747a45a">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>67.0.3396.62</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html">
+ <p>34 security fixes in this release, including:</p>
+ <ul>
+ <li>[835639] High CVE-2018-6123: Use after free in Blink. Reported by Looben Yang on 2018-04-22</li>
+ <li>[840320] High CVE-2018-6124: Type confusion in Blink. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-07</li>
+ <li>[818592] High CVE-2018-6125: Overly permissive policy in WebUSB. Reported by Yubico, Inc on 2018-03-05</li>
+ <li>[844457] High CVE-2018-6126: Heap buffer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-05-18</li>
+ <li>[842990] High CVE-2018-6127: Use after free in indexedDB. Reported by Looben Yang on 2018-05-15</li>
+ <li>[841105] High CVE-2018-6128: uXSS in Chrome on iOS. Reported by Tomasz Bojarski on 2018-05-09</li>
+ <li>[838672] High CVE-2018-6129: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-01</li>
+ <li>[838402] High CVE-2018-6130: Out of bounds memory access in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-04-30</li>
+ <li>[826434] High CVE-2018-6131: Incorrect mutability protection in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-27</li>
+ <li>[839960] Medium CVE-2018-6132: Use of uninitialized memory in WebRTC. Reported by Ronald E. Crane on 2018-05-04</li>
+ <li>[817247] Medium CVE-2018-6133: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-28</li>
+ <li>[797465] Medium CVE-2018-6134: Referrer Policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-12-23</li>
+ <li>[823353] Medium CVE-2018-6135: UI spoofing in Blink. Reported by Jasper Rebane on 2018-03-19</li>
+ <li>[831943] Medium CVE-2018-6136: Out of bounds memory access in V8. Reported by Peter Wong on 2018-04-12</li>
+ <li>[835589] Medium CVE-2018-6137: Leak of visited status of page in Blink. Reported by Michael Smith (spinda.net) on 2018-04-21</li>
+ <li>[810220] Medium CVE-2018-6138: Overly permissive policy in Extensions. Reported by Francois Lajeunesse-Robert on 2018-02-08</li>
+ <li>[805224] Medium CVE-2018-6139: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-24</li>
+ <li>[798222] Medium CVE-2018-6140: Restrictions bypass in the debugger extension API. Reported by Rob Wu on 2018-01-01</li>
+ <li>[796107] Medium CVE-2018-6141: Heap buffer overflow in Skia. Reported by Yangkang (@dnpushme) and Wanglu of Qihoo360 Qex Team on 2017-12-19</li>
+ <li>[837939] Medium CVE-2018-6142: Out of bounds memory access in V8. Reported by Choongwoo Han of Naver Corporation on 2018-04-28</li>
+ <li>[843022] Medium CVE-2018-6143: Out of bounds memory access in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-05-15</li>
+ <li>[828049] Low CVE-2018-6144: Out of bounds memory access in PDFium. Reported by pdknsk on 2018-04-02</li>
+ <li>[805924] Low CVE-2018-6145: Incorrect escaping of MathML in Blink. Reported by Masato Kinugawa on 2018-01-25</li>
+ <li>[818133] Low CVE-2018-6147: Password fields not taking advantage of OS protections in Views. Reported by Michail Pishchagin (Yandex) on 2018-03-02</li>
+ <li>[847542] Various fixes from internal audits, fuzzing and other initiatives</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-6123</cvename>
+ <cvename>CVE-2018-6124</cvename>
+ <cvename>CVE-2018-6125</cvename>
+ <cvename>CVE-2018-6126</cvename>
+ <cvename>CVE-2018-6127</cvename>
+ <cvename>CVE-2018-6128</cvename>
+ <cvename>CVE-2018-6129</cvename>
+ <cvename>CVE-2018-6130</cvename>
+ <cvename>CVE-2018-6131</cvename>
+ <cvename>CVE-2018-6132</cvename>
+ <cvename>CVE-2018-6133</cvename>
+ <cvename>CVE-2018-6134</cvename>
+ <cvename>CVE-2018-6135</cvename>
+ <cvename>CVE-2018-6136</cvename>
+ <cvename>CVE-2018-6137</cvename>
+ <cvename>CVE-2018-6138</cvename>
+ <cvename>CVE-2018-6139</cvename>
+ <cvename>CVE-2018-6140</cvename>
+ <cvename>CVE-2018-6141</cvename>
+ <cvename>CVE-2018-6142</cvename>
+ <cvename>CVE-2018-6143</cvename>
+ <cvename>CVE-2018-6144</cvename>
+ <cvename>CVE-2018-6145</cvename>
+ <cvename>CVE-2018-6147</cvename>
+ <url>https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html</url>
+ </references>
+ <dates>
+ <discovery>2018-05-29</discovery>
+ <entry>2018-05-30</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="94599fe0-5ca3-11e8-8be1-d05099c0ae8c">
+ <topic>BIND -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>bind912</name>
+ <range><lt>9.12.1P2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>ISC reports:</p>
+ <blockquote cite="https://kb.isc.org/article/AA-01602">
+ <p>An error in zone database reference counting can
+ lead to an assertion failure if a server which is
+ running an affected version of BIND attempts
+ several transfers of a slave zone in quick
+ succession.</p>
+ </blockquote>
+ <blockquote cite="https://kb.isc.org/article/AA-01606">
+ <p>A problem with the implementation of the new
+ serve-stale feature in BIND 9.12 can lead to
+ an assertion failure in rbtdb.c, even when
+ stale-answer-enable is off. Additionally,
+ problematic interaction between the serve-stale
+ feature and NSEC aggressive negative caching can
+ in some cases cause undesirable behavior from named,
+ such as a recursion loop or excessive logging.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-5736</cvename>
+ <cvename>CVE-2018-5737</cvename>
+ <url>https://kb.isc.org/article/AA-01602</url>
+ <url>https://kb.isc.org/article/AA-01606</url>
+ </references>
+ <dates>
+ <discovery>2018-05-18</discovery>
+ <entry>2018-05-21</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="04fe6c8d-2a34-4009-a81e-e7a7e759b5d2">
+ <topic>cURL -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>curl</name>
+ <range><lt>7.60.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>cURL security problems:</p>
+ <blockquote cite="https://curl.haxx.se/docs/security.html">
+ <p>CVE-2018-1000300: FTP shutdown response buffer overflow</p>
+ <p>curl might overflow a heap based memory buffer when closing down an
+ FTP connection with very long server command replies.</p>
+ <p>When doing FTP transfers, curl keeps a spare "closure handle" around
+ internally that will be used when an FTP connection gets shut down
+ since the original curl easy handle is then already removed.</p>
+ <p>FTP server response data that gets cached from the original transfer
+ might then be larger than the default buffer size (16 KB) allocated in
+ the "closure handle", which can lead to a buffer overwrite. The
+ contents and size of that overwrite is controllable by the server.</p>
+ <p>This situation was detected by an assert() in the code, but that was
+ of course only preventing bad stuff in debug builds. This bug is very
+ unlikely to trigger with non-malicious servers.</p>
+ <p>We are not aware of any exploit of this flaw.</p>
+ <p>CVE-2018-1000301: RTSP bad headers buffer over-read</p>
+ <p>curl can be tricked into reading data beyond the end of a heap based
+ buffer used to store downloaded content.</p>
+ <p>When servers send RTSP responses back to curl, the data starts out
+ with a set of headers. curl parses that data to separate it into a
+ number of headers to deal with those appropriately and to find the end
+ of the headers that signal the start of the "body" part.</p>
+ <p>The function that splits up the response into headers is called
+ Curl_http_readwrite_headers() and in situations where it can't find a
+ single header in the buffer, it might end up leaving a pointer pointing
+ into the buffer instead of to the start of the buffer which then later
+ on may lead to an out of buffer read when code assumes that pointer
+ points to a full buffer size worth of memory to use.</p>
+ <p>This could potentially lead to information leakage but most likely a
+ crash/denial of service for applications if a server triggers this flaw.</p>
+ <p>We are not aware of any exploit of this flaw.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://curl.haxx.se/docs/security.html</url>
+ <url>https://curl.haxx.se/docs/adv_2018-82c2.html</url>
+ <url>https://curl.haxx.se/docs/adv_2018-b138.html</url>
+ <cvename>CVE-2018-1000300</cvename>
+ <cvename>CVE-2018-1000301</cvename>
+ </references>
+ <dates>
+ <discovery>2018-05-16</discovery>
+ <entry>2018-05-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="50210bc1-54ef-11e8-95d9-9c5c8e75236a">
+ <topic>wavpack -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>wavpack</name>
+ <range><lt>5.1.0_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Sebastian Ramacher reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6767">
+ <p>A stack-based buffer over-read in the ParseRiffHeaderConfig function of cli/riff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service attack or possibly have unspecified other impact via a maliciously crafted RF64 file.</p>
+ </blockquote>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7253">
+ <p>The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (heap-based buffer over-read) or possibly overwrite the heap via a maliciously crafted DSDIFF file.</p>
+ </blockquote>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7254">
+ <p>The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (global buffer over-read), or possibly trigger a buffer overflow or incorrect memory allocation, via a maliciously crafted CAF file.</p>
+ </blockquote>
+ <p>Thuan Pham reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10536">
+ <p>An issue was discovered in WavPack 5.1.0 and earlier. The WAV parser component contains a vulnerability that allows writing to memory because ParseRiffHeaderConfig in riff.c does not reject multiple format chunks.</p>
+ </blockquote>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10537">
+ <p>An issue was discovered in WavPack 5.1.0 and earlier. The W64 parser component contains a vulnerability that allows writing to memory because ParseWave64HeaderConfig in wave64.c does not reject multiple format chunks.</p>
+ </blockquote>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10538">
+ <p>An issue was discovered in WavPack 5.1.0 and earlier for WAV input. Out-of-bounds writes can occur because ParseRiffHeaderConfig in riff.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.</p>
+ </blockquote>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10539">
+ <p>An issue was discovered in WavPack 5.1.0 and earlier for DSDiff input. Out-of-bounds writes can occur because ParseDsdiffHeaderConfig in dsdiff.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.</p>
+ </blockquote>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10540">
+ <p>An issue was discovered in WavPack 5.1.0 and earlier for W64 input. Out-of-bounds writes can occur because ParseWave64HeaderConfig in wave64.c does not validate the sizes of unknown chunks before attempting memory allocation, related to a lack of integer-overflow protection within a bytes_to_copy calculation and subsequent malloc call, leading to insufficient memory allocation.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-6767</cvename>
+ <cvename>CVE-2018-7253</cvename>
+ <cvename>CVE-2018-7254</cvename>
+ <cvename>CVE-2018-10536</cvename>
+ <cvename>CVE-2018-10537</cvename>
+ <cvename>CVE-2018-10538</cvename>
+ <cvename>CVE-2018-10539</cvename>
+ <cvename>CVE-2018-10540</cvename>
+ <url>https://www.debian.org/security/2018/dsa-4125</url>
+ <url>https://www.debian.org/security/2018/dsa-4197</url>
+ <freebsdpr>228141</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2018-05-09</discovery>
+ <entry>2018-05-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e457978b-5484-11e8-9b85-54ee754af08e">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>66.0.3359.170</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop.html">
+ <p>4 security fixes in this release:</p>
+ <ul>
+ <li>[835887] Critical: Chain leading to sandbox escape.
+ Reported by Anonymous on 2018-04-23</li>
+ <li>[836858] High CVE-2018-6121: Privilege Escalation in extensions</li>
+ <li>[836141] High CVE-2018-6122: Type confusion in V8</li>
+ <li>[833721] High CVE-2018-6120: Heap buffer overflow in PDFium.
+ Reported by Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team on 2018-04-17</li>
+ <li>[841841] Various fixes from internal audits, fuzzing and other initiatives</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-6120</cvename>
+ <cvename>CVE-2018-6121</cvename>
+ <cvename>CVE-2018-6122</cvename>
+ <url>https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop.html</url>
+ </references>
+ <dates>
+ <discovery>2018-04-14</discovery>
+ <entry>2018-05-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="06ab7724-0fd7-427e-a5ce-fe436302b10c">
+ <topic>jenkins -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>jenkins</name>
+ <range><le>2.120</le></range>
+ </package>
+ <package>
+ <name>jenkins-lts</name>
+ <range><le>2.107.2</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jenkins developers report:</p>
+ <blockquote cite="https://jenkins.io/security/advisory/2018-05-09/">
+ <p>The agent to master security subsystem ensures that the Jenkins
+ master is protected from maliciously configured agents. A path
+ traversal vulnerability allowed agents to escape whitelisted
+ directories to read and write to files they should not be able to
+ access.</p>
+ <p>Black Duck Hub Plugin's API endpoint was affected by an XML
+ External Entity (XXE) processing vulnerability. This allowed an
+ attacker with Overall/Read access to have Jenkins parse a maliciously
+ crafted file that uses external entities for extraction of secrets
+ from the Jenkins master, server-side request forgery, or
+ denial-of-service attacks.</p>
+ <p>Several other lower severity issues were reported, see reference
+ url for details.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://jenkins.io/security/advisory/2018-05-09/</url>
+ </references>
+ <dates>
+ <discovery>2018-05-09</discovery>
+ <entry>2018-05-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5aefc41e-d304-4ec8-8c82-824f84f08244">
+ <topic>mozilla -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>60.0,1</lt></range>
+ </package>
+ <package>
+ <name>waterfox</name>
+ <range><lt>56.1.0_18</lt></range>
+ </package>
+ <package>
+ <name>seamonkey</name>
+ <name>linux-seamonkey</name>
+ <range><lt>2.49.4</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>52.8.0,1</lt></range>
+ </package>
+ <package>
+ <name>linux-firefox</name>
+ <range><lt>52.8.0,2</lt></range>
+ </package>
+ <package>
+ <name>libxul</name>
+ <name>thunderbird</name>
+ <name>linux-thunderbird</name>
+ <range><lt>52.8.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Mozilla Foundation reports:</p>
+ <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/">
+ <p>CVE-2018-5183: Backport critical security fixes in Skia</p>
+ <p>CVE-2018-5154: Use-after-free with SVG animations and clip paths</p>
+ <p>CVE-2018-5155: Use-after-free with SVG animations and text paths</p>
+ <p>CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files</p>
+ <p>CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer</p>
+ <p>CVE-2018-5159: Integer overflow and out-of-bounds write in Skia</p>
+ <p>CVE-2018-5160: Uninitialized memory use by WebRTC encoder</p>
+ <p>CVE-2018-5152: WebExtensions information leak through webRequest API</p>
+ <p>CVE-2018-5153: Out-of-bounds read in mixed content websocket messages</p>
+ <p>CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache</p>
+ <p>CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace</p>
+ <p>CVE-2018-5166: WebExtension host permission bypass through filterReponseData</p>
+ <p>CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger</p>
+ <p>CVE-2018-5168: Lightweight themes can be installed without user interaction</p>
+ <p>CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages</p>
+ <p>CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer</p>
+ <p>CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters</p>
+ <p>CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update</p>
+ <p>CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies</p>
+ <p>CVE-2018-5176: JSON Viewer script injection</p>
+ <p>CVE-2018-5177: Buffer overflow in XSLT during number formatting</p>
+ <p>CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox</p>
+ <p>CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension</p>
+ <p>CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced</p>
+ <p>CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink</p>
+ <p>CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar</p>
+ <p>CVE-2018-5151: Memory safety bugs fixed in Firefox 60</p>
+ <p>CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-5150</cvename>
+ <cvename>CVE-2018-5151</cvename>
+ <cvename>CVE-2018-5152</cvename>
+ <cvename>CVE-2018-5153</cvename>
+ <cvename>CVE-2018-5154</cvename>
+ <cvename>CVE-2018-5155</cvename>
+ <cvename>CVE-2018-5157</cvename>
+ <cvename>CVE-2018-5158</cvename>
+ <cvename>CVE-2018-5159</cvename>
+ <cvename>CVE-2018-5160</cvename>
+ <cvename>CVE-2018-5163</cvename>
+ <cvename>CVE-2018-5164</cvename>
+ <cvename>CVE-2018-5165</cvename>
+ <cvename>CVE-2018-5166</cvename>
+ <cvename>CVE-2018-5167</cvename>
+ <cvename>CVE-2018-5168</cvename>
+ <cvename>CVE-2018-5169</cvename>
+ <cvename>CVE-2018-5172</cvename>
+ <cvename>CVE-2018-5173</cvename>
+ <cvename>CVE-2018-5174</cvename>
+ <cvename>CVE-2018-5175</cvename>
+ <cvename>CVE-2018-5176</cvename>
+ <cvename>CVE-2018-5177</cvename>
+ <cvename>CVE-2018-5178</cvename>
+ <cvename>CVE-2018-5180</cvename>
+ <cvename>CVE-2018-5181</cvename>
+ <cvename>CVE-2018-5182</cvename>
+ <cvename>CVE-2018-5183</cvename>
+ <url>https://www.mozilla.org/security/advisories/mfsa2018-11/</url>
+ <url>https://www.mozilla.org/security/advisories/mfsa2018-12/</url>
+ </references>
+ <dates>
+ <discovery>2018-05-09</discovery>
+ <entry>2018-05-09</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5af6378b-bd88-4997-bccc-b9ba2daecdd2">
+ <topic>kamailio - buffer overflow</topic>
+ <affects>
+ <package>
+ <name>kamailio</name>
+ <range><lt>5.1.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>A specially crafted REGISTER message with a malformed branch or
+ From tag triggers an off-by-one heap-based buffer overflow in the
+ tmx_check_pretran function in modules/tmx/tmx_pretran.c</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-8828</cvename>
+ <url>https://www.kamailio.org/w/2018/03/kamailio-security-announcement-tmx-lcr/</url>
+ <url>https://github.com/EnableSecurity/advisories/tree/master/ES2018-05-kamailio-heap-overflow</url>
+ </references>
+ <dates>
+ <discovery>2018-02-10</discovery>
+ <entry>2018-05-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7b5a8e3b-52cc-11e8-8c7a-9c5c8e75236a">
+ <topic>wget -- cookie injection vulnerability</topic>
+ <affects>
+ <package>
+ <name>wget</name>
+ <range><lt>1.19.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Harry Sintonen of F-Secure Corporation reports:</p>
+ <blockquote cite="https://sintonen.fi/advisories/gnu-wget-cookie-injection.txt">
+ <p>GNU Wget is susceptible to a malicious web server injecting arbitrary cookies to the cookie jar file.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://sintonen.fi/advisories/gnu-wget-cookie-injection.txt</url>
+ <cvename>CVE-2018-0494</cvename>
+ <freebsdpr>ports/228071</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2018-04-26</discovery>
+ <entry>2018-05-08</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9558d49c-534c-11e8-8177-d43d7ef03aa6">
+ <topic>Flash Player -- arbitrary code execution</topic>
+ <affects>
+ <package>
+ <name>linux-flashplayer</name>
+ <range><lt>29.0.0.171</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adobe reports:</p>
+ <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb18-16.html">
+ <ul>
+ <li>This update resolves a type confusion vulnerability that
+ could lead to arbitrary code execution (CVE-2018-4944).</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-4944</cvename>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsb18-16.html</url>
+ </references>
+ <dates>
+ <discovery>2018-05-08</discovery>
+ <entry>2018-05-09</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="521ce804-52fd-11e8-9123-a4badb2f4699">
+ <topic>FreeBSD -- Mishandling of x86 debug exceptions</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>11.1</ge><lt>11.1_10</lt></range>
+ <range><ge>10.4</ge><lt>10.4_9</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>The MOV SS and POP SS instructions inhibit debug exceptions
+ until the instruction boundary following the next instruction.
+ If that instruction is a system call or similar instruction
+ that transfers control to the operating system, the debug
+ exception will be handled in the kernel context instead of
+ the user context.</p>
+ <h1>Impact:</h1>
+ <p>An authenticated local attacker may be able to read
+ sensitive data in kernel memory, control low-level operating
+ system functions, or may panic the system.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-8897</cvename>
+ <freebsdsa>SA-18:06.debugreg</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2018-05-08</discovery>
+ <entry>2018-05-08</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="8719b935-8bae-41ad-92ba-3c826f651219">
+ <topic>python 2.7 -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>python27</name>
+ <range><lt>2.7.15</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>python release notes:</p>
+ <blockquote cite="https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.15rc1.rst">
+ <p>Multiple vulnerabilities has been fixed in this release. Please refer to the CVE list for details.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.15rc1.rst</url>
+ <url>https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.15.rst</url>
+ <cvename>CVE-2012-0876</cvename>
+ <cvename>CVE-2016-0718</cvename>
+ <cvename>CVE-2016-4472</cvename>
+ <cvename>CVE-2016-9063</cvename>
+ <cvename>CVE-2017-9233</cvename>
+ <cvename>CVE-2018-1060</cvename>
+ <cvename>CVE-2018-1061</cvename>
+ </references>
+ <dates>
+ <discovery>2018-05-01</discovery>
+ <entry>2018-05-05</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="83a548b5-4fa5-11e8-9a8e-001e2a3f778d">
+ <topic>KWallet-PAM -- Access to privileged files</topic>
+ <affects>
+ <package>
+ <name>plasma5-kwallet-pam</name>
+ <range><lt>5.12.5_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The KDE Community reports:</p>
+ <blockquote cite="https://www.kde.org/info/security/advisory-20180503-1.txt">
+ <p>
+ kwallet-pam was doing file writing and permission changing
+ as root that with correct timing and use of carefully
+ crafted symbolic links could allow a non privileged user
+ to become the owner of any file on the system.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.kde.org/info/security/advisory-20180503-1.txt</url>
+ </references>
+ <dates>
+ <discovery>2018-05-04</discovery>
+ <entry>2018-05-04</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="89ca6f7d-4f00-11e8-9b1d-00e04c1ea73d">
+ <topic>drupal -- Drupal Core - Multiple Vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>drupal7</name>
+ <range><lt>7.58</lt></range>
+ </package>
+ <package>
+ <name>drupal8</name>
+ <range><lt>8.5.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Drupal Security Team reports:</p>
+ <blockquote cite="https://www.drupal.org/SA-CORE-2018-004">
+ <p>A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x.
+ This potentially allows attackers to exploit multiple attack vectors on a Drupal site,
+ which could result in the site being compromised. This vulnerability is related to
+ Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002.
+ Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.drupal.org/SA-CORE-2018-004</url>
+ </references>
+ <dates>
+ <discovery>2018-04-25</discovery>
+ <entry>2018-05-03</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="9dfe61c8-4d15-11e8-8f2f-d8cb8abf62dd">
+ <topic>Gitlab -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>gitlab</name>
+ <range><ge>10.7.0</ge><lt>10.7.2</lt></range>
+ <range><ge>10.6.0</ge><lt>10.6.5</lt></range>
+ <range><ge>9.5.0</ge><lt>10.5.8</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>GitLab reports:</p>
+ <blockquote cite="https://about.gitlab.com/2018/04/30/security-release-gitlab-10-dot-7-dot-2-released">
+ <p>Persistent XSS in Move Issue using project namespace</p>
+ <p>Download Archive allowing unauthorized private repo access</p>
+ <p>Mattermost Updates</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-10379</cvename>
+ <url>https://about.gitlab.com/2018/04/30/security-release-gitlab-10-dot-7-dot-2-released</url>
+ </references>
+ <dates>
+ <discovery>2018-04-30</discovery>
+ <entry>2018-05-01</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="006bee4e-4c49-11e8-9c32-54ee754af08e">
+ <topic>chromium -- vulnerability</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>66.0.3359.139</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop_26.html">
+ <p>3 security fixes in this release:</p>
+ <ul>
+ <li>[831963] Critical CVE-2018-6118: Use after free in Media Cache. Reported by Ned Williamson on 2018-04-12</li>
+ <li>[837635] Various fixes from internal audits, fuzzing and other initiatives</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-6118</cvename>
+ <url>https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop_26.html</url>
+ </references>
+ <dates>
+ <discovery>2018-04-12</discovery>
+ <entry>2018-04-30</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="499f6b41-58db-4f98-b8e7-da8c18985eda">
+ <topic>quassel -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>quassel</name>
+ <range><lt>0.12.5</lt></range>
+ </package>
+ <package>
+ <name>quassel-core</name>
+ <range><lt>0.12.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Gentoo reports:</p>
+ <blockquote cite="https://bugs.gentoo.org/653834">
+ <p>quasselcore: corruption of heap metadata caused by qdatastream
+ leading to preauth remote code execution.</p>
+ <ul>
+ <li>Severity: high, by default the server port is publicly open
+ and the address can be requested using the /WHOIS command of IRC
+ protocol.</li>
+ <li>Description: In Qdatastream protocol each object is prepended
+ with 4 bytes for the object size, this can be used to trigger
+ allocation errors.</li>
+ </ul>
+ <p>quasselcore DDOS</p>
+ <ul>
+ <li>Severity: low, only impacts unconfigured quasselcore
+ instances.</li>
+ <li>Description: A login attempt causes a NULL pointer dereference
+ when the database is not initialized.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugs.gentoo.org/653834</url>
+ <url>https://github.com/quassel/quassel/commit/08bace4e9ecf08273f094c0c6aa8b3363d38ac3e</url>
+ <url>https://github.com/quassel/quassel/commit/18389a713a6810f57ab237b945e8ee03df857b8b</url>
+ </references>
+ <dates>
+ <discovery>2018-04-24</discovery>
+ <entry>2018-04-26</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="36ff7a74-47b1-11e8-a7d6-54e1ad544088">
+ <topic>chromium -- vulnerability</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>66.0.3359.117</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html">
+ <p>62 security fixes in this release:</p>
+ <ul>
+ <li>[826626] Critical CVE-2018-6085: Use after free in Disk Cache. Reported by Ned Williamson on 2018-03-28</li>
+ <li>[827492] Critical CVE-2018-6086: Use after free in Disk Cache. Reported by Ned Williamson on 2018-03-30</li>
+ <li>[813876] High CVE-2018-6087: Use after free in WebAssembly. Reported by Anonymous on 2018-02-20</li>
+ <li>[822091] High CVE-2018-6088: Use after free in PDFium. Reported by Anonymous on 2018-03-15</li>
+ <li>[808838] High CVE-2018-6089: Same origin policy bypass in Service Worker. Reported by Rob Wu on 2018-02-04</li>
+ <li>[820913] High CVE-2018-6090: Heap buffer overflow in Skia. Reported by ZhanJia Song on 2018-03-12</li>
+ <li>[771933] High CVE-2018-6091: Incorrect handling of plug-ins by Service Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-10-05</li>
+ <li>[819869] High CVE-2018-6092: Integer overflow in WebAssembly. Reported by Natalie Silvanovich of Google Project Zero on 2018-03-08</li>
+ <li>[780435] Medium CVE-2018-6093: Same origin bypass in Service Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-01</li>
+ <li>[633030] Medium CVE-2018-6094: Exploit hardening regression in Oilpan. Reported by Chris Rohlf on 2016-08-01</li>
+ <li>[637098] Medium CVE-2018-6095: Lack of meaningful user interaction requirement before file upload. Reported by Abdulrahman Alqabandi (@qab) on 2016-08-11</li>
+ <li>[776418] Medium CVE-2018-6096: Fullscreen UI spoof. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-19</li>
+ <li>[806162] Medium CVE-2018-6097: Fullscreen UI spoof. Reported by xisigr of Tencent's Xuanwu Lab on 2018-01-26</li>
+ <li>[798892] Medium CVE-2018-6098: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-01-03</li>
+ <li>[808825] Medium CVE-2018-6099: CORS bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-02-03</li>
+ <li>[811117] Medium CVE-2018-6100: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-02-11</li>
+ <li>[813540] Medium CVE-2018-6101: Insufficient protection of remote debugging prototol in DevTools . Reported by Rob Wu on 2018-02-19</li>
+ <li>[813814] Medium CVE-2018-6102: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-20</li>
+ <li>[816033] Medium CVE-2018-6103: UI spoof in Permissions. Reported by Khalil Zhani on 2018-02-24</li>
+ <li>[820068] Medium CVE-2018-6104: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-03-08</li>
+ <li>[803571] Medium CVE-2018-6105: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-01-18</li>
+ <li>[805729] Medium CVE-2018-6106: Incorrect handling of promises in V8. Reported by lokihardt of Google Project Zero on 2018-01-25</li>
+ <li>[808316] Medium CVE-2018-6107: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-02</li>
+ <li>[816769] Medium CVE-2018-6108: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-02-27</li>
+ <li>[710190] Low CVE-2018-6109: Incorrect handling of files by FileAPI. Reported by Dominik Weber (@DoWeb_) on 2017-04-10</li>
+ <li>[777737] Low CVE-2018-6110: Incorrect handling of plaintext files via file:// . Reported by Wenxiang Qian (aka blastxiang) on 2017-10-24</li>
+ <li>[780694] Low CVE-2018-6111: Heap-use-after-free in DevTools. Reported by Khalil Zhani on 2017-11-02</li>
+ <li>[798096] Low CVE-2018-6112: Incorrect URL handling in DevTools. Reported by Rob Wu on 2017-12-29</li>
+ <li>[805900] Low CVE-2018-6113: URL spoof in Navigation. Reported by Khalil Zhani on 2018-01-25</li>
+ <li>[811691] Low CVE-2018-6114: CSP bypass. Reported by Lnyas Zhang on 2018-02-13</li>
+ <li>[819809] Low CVE-2018-6115: SmartScreen bypass in downloads. Reported by James Feher on 2018-03-07</li>
+ <li>[822266] Low CVE-2018-6116: Incorrect low memory handling in WebAssembly. Reported by Jin from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. on 2018-03-15</li>
+ <li>[822465] Low CVE-2018-6117: Confusing autofill settings. Reported by Spencer Dailey on 2018-03-15</li>
+ <li>[822424] Low CVE-2018-6084: Incorrect use of Distributed Objects in Google Software Updater on MacOS. Reported by Ian Beer of Google Project Zero on 2018-03-15</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html</url>
+ <cvename>CVE-2018-6085</cvename>
+ <cvename>CVE-2018-6086</cvename>
+ <cvename>CVE-2018-6087</cvename>
+ <cvename>CVE-2018-6088</cvename>
+ <cvename>CVE-2018-6089</cvename>
+ <cvename>CVE-2018-6090</cvename>
+ <cvename>CVE-2018-6091</cvename>
+ <cvename>CVE-2018-6092</cvename>
+ <cvename>CVE-2018-6093</cvename>
+ <cvename>CVE-2018-6094</cvename>
+ <cvename>CVE-2018-6095</cvename>
+ <cvename>CVE-2018-6096</cvename>
+ <cvename>CVE-2018-6097</cvename>
+ <cvename>CVE-2018-6098</cvename>
+ <cvename>CVE-2018-6099</cvename>
+ <cvename>CVE-2018-6100</cvename>
+ <cvename>CVE-2018-6101</cvename>
+ <cvename>CVE-2018-6102</cvename>
+ <cvename>CVE-2018-6103</cvename>
+ <cvename>CVE-2018-6104</cvename>
+ <cvename>CVE-2018-6105</cvename>
+ <cvename>CVE-2018-6106</cvename>
+ <cvename>CVE-2018-6107</cvename>
+ <cvename>CVE-2018-6108</cvename>
+ <cvename>CVE-2018-6109</cvename>
+ <cvename>CVE-2018-6110</cvename>
+ <cvename>CVE-2018-6111</cvename>
+ <cvename>CVE-2018-6112</cvename>
+ <cvename>CVE-2018-6113</cvename>
+ <cvename>CVE-2018-6114</cvename>
+ <cvename>CVE-2018-6115</cvename>
+ <cvename>CVE-2018-6116</cvename>
+ <cvename>CVE-2018-6117</cvename>
+ <cvename>CVE-2018-6084</cvename>
+ </references>
+ <dates>
+ <discovery>2017-04-10</discovery>
+ <entry>2018-04-24</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="d8382a69-4728-11e8-ba83-0011d823eebd">
+ <topic>mbed TLS (PolarSSL) -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mbedtls</name>
+ <range><lt>2.7.2</lt></range>
+ </package>
+ <package>
+ <name>polarssl13</name>
+ <range><ge>*</ge></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Simon Butcher reports:</p>
+ <blockquote cite="https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released">
+ <ul>
+ <li>Defend against Bellcore glitch attacks by verifying the results
+ of RSA private key operations.</li>
+ <li>Fix implementation of the truncated HMAC extension. The
+ previous implementation allowed an offline 2^80 brute force
+ attack on the HMAC key of a single, uninterrupted connection
+ (with no resumption of the session).</li>
+ <li>Reject CRLs containing unsupported critical extensions. Found
+ by Falko Strenzke and Evangelos Karatsiolis.</li>
+ <li>Fix a buffer overread in ssl_parse_server_key_exchange() that
+ could cause a crash on invalid input.</li>
+ <li>Fix a buffer overread in ssl_parse_server_psk_hint() that could
+ cause a crash on invalid input.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released</url>
+ </references>
+ <dates>
+ <discovery>2018-03-21</discovery>
+ <entry>2018-04-23</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="57aec168-453e-11e8-8777-b499baebfeaf">
+ <topic>MySQL -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mariadb55-server</name>
+ <range><lt>5.5.60</lt></range>
+ </package>
+ <package>
+ <name>mariadb100-server</name>
+ <range><lt>10.0.35</lt></range>
+ </package>
+ <package>
+ <name>mariadb101-server</name>
+ <range><lt>10.1.33</lt></range>
+ </package>
+ <package>
+ <name>mariadb102-server</name>
+ <range><lt>10.2.15</lt></range>
+ </package>
+ <package>
+ <name>mysql55-server</name>
+ <range><lt>5.5.60</lt></range>
+ </package>
+ <package>
+ <name>mysql56-server</name>
+ <range><lt>5.6.40</lt></range>
+ </package>
+ <package>
+ <name>mysql57-server</name>
+ <range><lt>5.7.22</lt></range>
+ </package>
+ <package>
+ <name>percona55-server</name>
+ <range><lt>5.5.60</lt></range>
+ </package>
+ <package>
+ <name>percona56-server</name>
+ <range><lt>5.6.40</lt></range>
+ </package>
+ <package>
+ <name>percona57-server</name>
+ <range><lt>5.7.22</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Oracle reports:</p>
+ <blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html">
+ <p>MySQL Multiple Flaws Let Remote Authenticated Users Access and
+ Modify Data, Remote and Local Users Deny Service, and Local Users
+ Access Data and Gain Elevated Privileges</p>
+ <ul>
+ <li>A local user can exploit a flaw in the Replication component
+ to gain elevated privileges [CVE-2018-2755].</li>
+ <li>A remote authenticated user can exploit a flaw in the GIS
+ Extension component to cause denial of service conditions
+ [CVE-2018-2805].</li>
+ <li>A remote authenticated user can exploit a flaw in the InnoDB
+ component to cause denial of service conditions [CVE-2018-2782,
+ CVE-2018-2784, CVE-2018-2819].</li>
+ <li>A remote authenticated user can exploit a flaw in the Security
+ Privileges component to cause denial of service conditions
+ [CVE-2018-2758, CVE-2018-2818].</li>
+ <li>A remote authenticated user can exploit a flaw in the DDL
+ component to cause denial of service conditions
+ [CVE-2018-2817].</li>
+ <li>A remote authenticated user can exploit a flaw in the Optimizer
+ component to cause denial of service conditions [CVE-2018-2775,
+ CVE-2018-2778, CVE-2018-2779, CVE-2018-2780, CVE-2018-2781,
+ CVE-2018-2816].</li>
+ <li>A remote user can exploit a flaw in the Client programs
+ component to cause denial of service conditions [CVE-2018-2761,
+ CVE-2018-2773].</li>
+ <li>A remote authenticated user can exploit a flaw in the InnoDB
+ component to partially modify data and cause denial of service
+ conditions [CVE-2018-2786, CVE-2018-2787].</li>
+ <li>A remote authenticated user can exploit a flaw in the Optimizer
+ component to partially modify data and cause denial of service
+ conditions [CVE-2018-2812].</li>
+ <li>A local user can exploit a flaw in the Cluster ndbcluster/plugin
+ component to cause denial of service conditions [CVE-2018-2877].
+ </li>
+ <li>A remote authenticated user can exploit a flaw in the InnoDB
+ component to cause denial of service conditions [CVE-2018-2759,
+ CVE-2018-2766, CVE-2018-2777, CVE-2018-2810].</li>
+ <li>A remote authenticated user can exploit a flaw in the DML
+ component to cause denial of service conditions [CVE-2018-2839].
+ </li>
+ <li>A remote authenticated user can exploit a flaw in the
+ Performance Schema component to cause denial of service conditions
+ [CVE-2018-2846].</li>
+ <li>A remote authenticated user can exploit a flaw in the Pluggable
+ Auth component to cause denial of service conditions
+ [CVE-2018-2769].</li>
+ <li>A remote authenticated user can exploit a flaw in the Group
+ Replication GCS component to cause denial of service conditions
+ [CVE-2018-2776].</li>
+ <li>A local user can exploit a flaw in the Connection component to
+ cause denial of service conditions [CVE-2018-2762].</li>
+ <li>A remote authenticated user can exploit a flaw in the Locking
+ component to cause denial of service conditions [CVE-2018-2771].
+ </li>
+ <li>A remote authenticated user can exploit a flaw in the DDL
+ component to partially access data [CVE-2018-2813].</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html</url>
+ <cvename>CVE-2018-2755</cvename>
+ <cvename>CVE-2018-2805</cvename>
+ <cvename>CVE-2018-2782</cvename>
+ <cvename>CVE-2018-2784</cvename>
+ <cvename>CVE-2018-2819</cvename>
+ <cvename>CVE-2018-2758</cvename>
+ <cvename>CVE-2018-2817</cvename>
+ <cvename>CVE-2018-2775</cvename>
+ <cvename>CVE-2018-2780</cvename>
+ <cvename>CVE-2018-2761</cvename>
+ <cvename>CVE-2018-2786</cvename>
+ <cvename>CVE-2018-2787</cvename>
+ <cvename>CVE-2018-2812</cvename>
+ <cvename>CVE-2018-2877</cvename>
+ <cvename>CVE-2018-2759</cvename>
+ <cvename>CVE-2018-2766</cvename>
+ <cvename>CVE-2018-2777</cvename>
+ <cvename>CVE-2018-2810</cvename>
+ <cvename>CVE-2018-2818</cvename>
+ <cvename>CVE-2018-2839</cvename>
+ <cvename>CVE-2018-2778</cvename>
+ <cvename>CVE-2018-2779</cvename>
+ <cvename>CVE-2018-2781</cvename>
+ <cvename>CVE-2018-2816</cvename>
+ <cvename>CVE-2018-2846</cvename>
+ <cvename>CVE-2018-2769</cvename>
+ <cvename>CVE-2018-2776</cvename>
+ <cvename>CVE-2018-2762</cvename>
+ <cvename>CVE-2018-2771</cvename>
+ <cvename>CVE-2018-2813</cvename>
+ <cvename>CVE-2018-2773</cvename>
+ </references>
+ <dates>
+ <discovery>2018-04-17</discovery>
+ <entry>2018-04-21</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="be38245e-44d9-11e8-a292-00e04c1ea73d">
+ <topic>wordpress -- multiple issues</topic>
+ <affects>
+ <package>
+ <name>wordpress</name>
+ <name>fr-wordpress</name>
+ <range><lt>4.9.5,1</lt></range>
+ </package>
+ <package>
+ <name>de-wordpress</name>
+ <name>zh_CN-wordpress</name>
+ <name>zh_TW-wordpress</name>
+ <name>ja-wordpress</name>
+ <range><lt>4.9.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>wordpress developers reports:</p>
+ <blockquote cite="https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/">
+ <p>Don't treat localhost as same host by default.</p>
+ <p>Use safe redirects when redirecting the login page if SSL is forced.</p>
+ <p>Make sure the version string is correctly escaped for use in generator tags.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/</url>
+ </references>
+ <dates>
+ <discovery>2018-04-03</discovery>
+ <entry>2018-04-20</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ac7da39b-4405-11e8-afbe-6805ca0b3d42">
+ <topic>phpmyadmin -- CSRF vulnerability allowing arbitrary SQL execution</topic>
+ <affects>
+ <package>
+ <name>phpmyadmin</name>
+ <range><ge>4.8.0</ge><lt>4.8.0.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The phpMyAdmin development team reports:</p>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2018-2/">
+ <h3>Summary</h3>
+ <p>CSRF vulnerability allowing arbitrary SQL execution</p>
+ <h3>Description</h3>
+ <p>By deceiving a user to click on a crafted URL, it is
+ possible for an attacker to execute arbitrary SQL
+ commands.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be critical.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.phpmyadmin.net/security/PMASA-2018-2/</url>
+ </references>
+ <dates>
+ <discovery>2018-04-17</discovery>
+ <entry>2018-04-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="33174280-43fa-11e8-aad5-6cf0497db129">
+ <topic>drupal -- Drupal core - Moderately critical</topic>
+ <affects>
+ <package>
+ <name>drupal8</name>
+ <range><lt>8.5.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Drupal security team reports:</p>
+ <blockquote cite="https://www.drupal.org/sa-core-2018-003">
+ <p>CKEditor, a third-party JavaScript library included in Drupal
+ core, has fixed a cross-site scripting (XSS) vulnerability. The
+ vulnerability stemmed from the fact that it was possible to execute
+ XSS inside CKEditor when using the image2 plugin (which Drupal 8
+ core also uses).</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.drupal.org/sa-core-2018-003</url>
+ </references>
+ <dates>
+ <discovery>2018-04-18</discovery>
+ <entry>2018-04-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="8f353420-4197-11e8-8777-b499baebfeaf">
+ <topic>OpenSSL -- Cache timing vulnerability</topic>
+ <affects>
+ <package>
+ <name>openssl</name>
+ <range><lt>1.0.2o_2,1</lt></range>
+ </package>
+ <package>
+ <name>openssl-devel</name>
+ <range><lt>1.1.0h_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The OpenSSL project reports:</p>
+ <blockquote cite="https://www.openssl.org/news/secadv/20180416.txt">
+ <p>The OpenSSL RSA Key generation algorithm has been shown to be
+ vulnerable to a cache timing side channel attack. An attacker
+ with sufficient access to mount cache timing attacks during the
+ RSA key generation process could recover the private key.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.openssl.org/news/secadv/20180416.txt</url>
+ <cvename>CVE-2018-0737</cvename>
+ </references>
+ <dates>
+ <discovery>2018-04-16</discovery>
+ <entry>2018-04-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a9e466e8-4144-11e8-a292-00e04c1ea73d">
+ <topic>drupal -- Drupal Core - Multiple Vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>drupal7</name>
+ <range><lt>7.57</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Drupal Security Team reports:</p>
+ <blockquote cite="https://www.drupal.org/psa-2018-001">
+ <p>CVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6,
+ and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because
+ of an issue affecting multiple subsystems with default or common module configurations.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-7600</cvename>
+ </references>
+ <dates>
+ <discovery>2018-03-13</discovery>
+ <entry>2018-04-16</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="41c96ffd-29a6-4dcc-9a88-65f5038fa6eb">
+ <topic>perl -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>perl5</name>
+ <range><ge>5.24.0</ge><lt>5.24.4</lt></range>
+ <range><ge>5.26.0</ge><lt>5.26.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>perldelta:</p>
+ <blockquote cite="https://metacpan.org/changes/release/SHAY/perl-5.26.2">
+ <p>CVE-2018-6797: heap-buffer-overflow (WRITE of size 1) in S_regatom
+ (regcomp.c)</p>
+ <p>A crafted regular expression could cause a heap buffer write overflow,
+ with control over the bytes written. [perl #132227]</p>
+ <p>CVE-2018-6798: Heap-buffer-overflow in Perl__byte_dump_string (utf8.c)</p>
+ <p>Matching a crafted locale dependent regular expression could cause a
+ heap buffer read overflow and potentially information disclosure. [perl
+ #132063]</p>
+ <p>CVE-2018-6913: heap-buffer-overflow in S_pack_rec</p>
+ <p>pack() could cause a heap buffer write overflow with a large item
+ count. [perl #131844]</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://metacpan.org/changes/release/SHAY/perl-5.26.2</url>
+ <url>https://metacpan.org/changes/release/SHAY/perl-5.24.4</url>
+ <cvename>CVE-2018-6797</cvename>
+ <cvename>CVE-2018-6798</cvename>
+ <cvename>CVE-2018-6913</cvename>
+ </references>
+ <dates>
+ <discovery>2018-04-14</discovery>
+ <entry>2018-04-15</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="974a6d32-3fda-11e8-aea4-001b216d295b">
+ <topic>ipsec-tools -- remotely exploitable computational-complexity attack</topic>
+ <affects>
+ <package>
+ <name>ipsec-tools</name>
+ <range><lt>0.8.2_3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Robert Foggia via NetBSD GNATS reports:</p>
+ <blockquote cite="https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682">
+ <p>The ipsec-tools racoon daemon contains a remotely exploitable computational
+ complexity attack when parsing and storing isakmp fragments. The implementation
+ permits a remote attacker to exhaust computational resources on the remote endpoint
+ by repeatedly sending isakmp fragment packets in a particular order such that
+ the worst-case computational complexity is realized in the algorithm utilized
+ to determine if reassembly of the fragments can take place.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682</url>
+ <cvename>CVE-2016-10396</cvename>
+ </references>
+ <dates>
+ <discovery>2016-12-02</discovery>
+ <entry>2018-04-14</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="1fccb25e-8451-438c-a2b9-6a021e4d7a31">
+ <topic>nghttp2 -- Denial of service due to NULL pointer dereference</topic>
+ <affects>
+ <package>
+ <name>libnghttp2</name>
+ <name>nghttp2</name>
+ <range><ge>1.10.0</ge><lt>1.31.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>nghttp2 blog:</p>
+ <blockquote cite="https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/">
+ <p>If ALTSVC frame is received by libnghttp2 and it is larger than it can
+ accept, the pointer field which points to ALTSVC frame payload is left
+ NULL. Later libnghttp2 attempts to access another field through the
+ pointer, and gets segmentation fault.</p>
+ <p>ALTSVC frame is defined by RFC 7838.</p>
+ <p>The largest frame size libnghttp2 accept is by default 16384 bytes.</p>
+ <p>Receiving ALTSVC frame is disabled by default. Application has to
+ enable it explicitly by calling
+ nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC).</p>
+ <p>Transmission of ALTSVC is always enabled, and it does not cause this
+ vulnerability.</p>
+ <p>ALTSVC frame is expected to be sent by server, and received by client
+ as defined in RFC 7838.</p>
+ <p>Client and server are both affected by this vulnerability if the
+ reception of ALTSVC frame is enabled. As written earlier, it is useless
+ to enable reception of ALTSVC frame on server side. So, server is
+ generally safe unless application accidentally enabled the reception of
+ ALTSVC frame.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/</url>
+ <cvename>CVE-2018-1000168</cvename>
+ </references>
+ <dates>
+ <discovery>2018-04-04</discovery>
+ <entry>2018-04-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="48894ca9-3e6f-11e8-92f0-f0def167eeea">
+ <topic>roundcube -- IMAP command injection vulnerability</topic>
+ <affects>
+ <package>
+ <name>roundcube</name>
+ <range><le>1.3.5,1</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Upstream reports:</p>
+ <blockquote cite="https://roundcube.net/news/2018/04/11/security-update-1.3.6">
+ <p>This update primarily fixes a recently discovered IMAP-cmd-injection
+ vulnerability caused by insufficient input validation within
+ the archive plugin.
+ Details about the vulnerability are published under CVE-2018-9846.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-9846</cvename>
+ <url>https://roundcube.net/news/2018/04/11/security-update-1.3.6</url>
+ </references>
+ <dates>
+ <discovery>2018-04-11</discovery>
+ <entry>2018-04-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="aaba17aa-782e-4843-8a79-7756cfa2bf89">
+ <topic>jenkins -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>jenkins</name>
+ <range><le>2.115</le></range>
+ </package>
+ <package>
+ <name>jenkins-lts</name>
+ <range><le>2.107.1</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Jenkins developers report:</p>
+ <blockquote cite="https://jenkins.io/security/advisory/2018-04-11/">
+ <p>The Jenkins CLI sent different error responses for commands with
+ view and agent arguments depending on the existence of the specified
+ views or agents to unauthorized users. This allowed attackers to
+ determine whether views or agents with specified names exist.</p>
+ <p>The Jenkins CLI now returns the same error messages to unauthorized
+ users independent of the existence of specified view or agent
+ names</p>
+ <p>Some JavaScript confirmation dialogs included the item name in an
+ unsafe manner, resulting in a possible cross-site scripting
+ vulnerability exploitable by users with permission to create or
+ configure items.</p>
+ <p>JavaScript confirmation dialogs that include the item name now
+ properly escape it, so it can be safely displayed.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://jenkins.io/security/advisory/2018-04-11/</url>
+ </references>
+ <dates>
+ <discovery>2018-04-11</discovery>
+ <entry>2018-04-12</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5c6f7482-3ced-11e8-b157-6451062f0f7a">
+ <topic>Flash Player -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>linux-flashplayer</name>
+ <range><lt>29.0.0.140</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Adobe reports:</p>
+ <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb18-08.html">
+ <ul>
+ <li>This update resolves a use-after-free vulnerability that
+ could lead to remote code execution (CVE-2018-4932).</li>
+ <li>This update resolves out-of-bounds read vulnerabilities that
+ could lead to information disclosure (CVE-2018-4933,
+ CVE-2018-4934).</li>
+ <li>This update resolves out-of-bounds write vulnerabilities that
+ could lead to remote code execution (CVE-2018-4935,
+ CVE-2018-4937).</li>
+ <li>This update resolves a heap overflow vulnerability that
+ could lead to information disclosure (CVE-2018-4936).</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2018-4932</cvename>
+ <cvename>CVE-2018-4933</cvename>
+ <cvename>CVE-2018-4934</cvename>
+ <cvename>CVE-2018-4935</cvename>
+ <cvename>CVE-2018-4936</cvename>
+ <cvename>CVE-2018-4937</cvename>
+ <url>https://helpx.adobe.com/security/products/flash-player/apsb18-08.html</url>
+ </references>
+ <dates>
+ <discovery>2018-04-10</discovery>
+ <entry>2018-04-10</entry>
+ <modified>2018-07-11</modified>
+ </dates>
+ </vuln>
+
<vuln vid="085a087b-3897-11e8-ac53-d8cb8abf62dd">
<topic>Gitlab -- multiple vulnerabilities</topic>
<affects>
@@ -484,8 +5461,8 @@
<affects>
<package>
<name>gitlab</name>
- <range><ge>8.3</ge><lt>10.5.6</lt></range>
- <range><ge>8.3</ge><lt>10.4.6</lt></range>
+ <range><ge>10.5.0</ge><lt>10.5.6</lt></range>
+ <range><ge>10.4.0</ge><lt>10.4.6</lt></range>
<range><ge>8.3</ge><lt>10.3.9</lt></range>
</package>
</affects>
@@ -512,6 +5489,7 @@
<dates>
<discovery>2018-03-20</discovery>
<entry>2018-03-27</entry>
+ <modified>2018-04-07</modified>
</dates>
</vuln>
@@ -2238,7 +7216,7 @@
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
- <blockquote cite="http://www.asterisk.org/downloads/security-advisories HERE">
+ <blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>AST-2018-004 - When processing a SUBSCRIBE request the
res_pjsip_pubsub module stores the accepted formats present
in the Accept headers of the request. This code did not
@@ -2262,6 +7240,7 @@
<dates>
<discovery>2018-02-21</discovery>
<entry>2018-02-22</entry>
+ <modified>2018-06-12</modified>
</dates>
</vuln>
@@ -7244,7 +12223,8 @@
<affects>
<package>
<name>xorg-server</name>
- <range><le>1.19.3</le></range>
+ <range><le>1.18.4_6,1</le></range>
+ <range><ge>1.19.0,1</ge><le>1.19.3,1</le></range>
</package>
</affects>
<description>
@@ -7251,8 +12231,14 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>xorg-server developers reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/99546">
- <p>In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events.</p>
- <p>Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server before 2017-06-19 allowed authenticated malicious users to access potentially privileged data from the X server.</p>
+ <p>In the X.Org X server before 2017-06-19, a user authenticated to
+ an X Session could crash or execute code in the context of the X
+ Server by exploiting a stack overflow in the endianness conversion
+ of X Events.</p>
+ <p>Uninitialized data in endianness conversion in the XEvent handling
+ of the X.Org X Server before 2017-06-19 allowed authenticated
+ malicious users to access potentially privileged data from the X
+ server.</p>
</blockquote>
</body>
</description>
@@ -7271,6 +12257,7 @@
<dates>
<discovery>2017-07-06</discovery>
<entry>2017-10-17</entry>
+ <modified>2018-05-20</modified>
</dates>
</vuln>
@@ -15413,7 +20400,7 @@
<affects>
<package>
<name>freeimage</name>
- <range><ge>0</ge></range>
+ <range><lt>3.16.0_4</lt></range>
</package>
</affects>
<description>
@@ -15433,6 +20420,7 @@
<dates>
<discovery>2016-10-03</discovery>
<entry>2017-02-04</entry>
+ <modified>2018-04-14</modified>
</dates>
</vuln>
@@ -65024,7 +70012,7 @@
driver to dereference an invalid pointer.</p>
<p>Although this has not been confirmed, the possibility that
an attacker may be able to execute arbitrary code in kernel
- context can not be ruled out.</p>
+ context cannot be ruled out.</p>
</body>
</description>
<references>
@@ -76257,7 +81245,7 @@
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:02.crypt.asc">
<p>There is a programming error in the DES implementation used in crypt()
- when handling input which contains characters that can not be represented
+ when handling input which contains characters that cannot be represented
with 7-bit ASCII.</p>
<p>When the input contains characters with only the most significant bit set
(0x80), that character and all characters after it will be ignored.</p>
@@ -86247,7 +91235,7 @@
being too small, allowing it to be overwritten. The impact of this
programming error is that MaraDNS can be crashed by sending
MaraDNS a single "packet of death". Since the data placed in the
- overwritten array can not be remotely controlled (it is a list of
+ overwritten array cannot be remotely controlled (it is a list of
increasing integers), there is no way to increase privileges
exploiting this bug.</p>
</blockquote>
@@ -112030,7 +117018,7 @@
RealMedia RTSP streams. When checking for matching asm rules, the code
stores the results in a fixed-size array, but no boundary checks are
performed. This may lead to a buffer overflow if the user is tricked
- into connecting to a malicious server. Since the attacker can not write
+ into connecting to a malicious server. Since the attacker cannot write
arbitrary data into the buffer, creating an exploit is very hard; but a
DoS attack is easily made.
A fix for this problem was committed to SVN on Sun Dec 31 13:27:53 2006
More information about the Midnightbsd-cvs
mailing list