<vuln vid="d0b12952-cb86-11e6-906f-0cc47a065786">
  <topic>h2o -- Use-after-free vulnerability</topic>
  <affects>
    <package>
      <name>h2o</name>
      <range><lt>2.0.4_2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Kazuho Oku reports:</p>
      <blockquote cite="https://github.com/h2o/h2o/issues?q=label%3Avulnerability">
        <p>A use-after-free vulnerability exists in H2O up to and including
          version 2.0.4 / 2.1.0-beta3 that can be used by a remote attacker to
          mount DoS attacks and / or information theft.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://github.com/h2o/h2o/releases/tag/v2.0.5</url>
    <url>https://github.com/h2o/h2o/issues/1144</url>
  </references>
  <dates>
    <discovery>2016-09-09</discovery>
    <entry>2016-12-29</entry>
  </dates>
</vuln>

<vuln vid="1b61ecef-cdb9-11e6-a9a5-b499baebfeaf">
  <topic>PHP -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>php70</name>
      <range><lt>7.0.14</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Check Point reports:</p>
      <blockquote cite="http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7/">
        <p>... discovered 3 fresh and previously unknown vulnerabilities
          (CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7
          unserialize mechanism.</p>
        <p>The first two vulnerabilities allow attackers to take full control
          over servers, allowing them to do anything they want with the
          website, from spreading malware to defacing it or stealing customer
          data.</p>
        <p>The last vulnerability generates a Denial of Service attack which
          basically hangs the website, exhausts its memory consumption, and
          shuts it down.</p>
        <p>The PHP security team issued fixes for two of the vulnerabilities
          on the 13th of October and 1st of December.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7/</url>
    <cvename>CVE-2016-7478</cvename>
    <cvename>CVE-2016-7479</cvename>
    <cvename>CVE-2016-7480</cvename>
  </references>
  <dates>
    <discovery>2016-12-27</discovery>
    <entry>2016-12-29</entry>
    <modified>2017-01-04</modified>
  </dates>
</vuln>

<vuln vid="6972668d-cdb7-11e6-a9a5-b499baebfeaf">
  <topic>PHP -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>php70</name>
      <range><lt>7.0.14</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The PHP project reports:</p>
      <blockquote cite="http://php.net/ChangeLog-7.php#7.0.14">
        <ul>
          <li>Use After Free Vulnerability in unserialize() (CVE-2016-9936)</li>
          <li>Invalid read when wddx decodes empty boolean element
            (CVE-2016-9935)</li>
        </ul>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://php.net/ChangeLog-7.php#7.0.14</url>
    <cvename>CVE-2016-9935</cvename>
    <cvename>CVE-2016-9936</cvename>
  </references>
  <dates>
    <discovery>2016-12-08</discovery>
    <entry>2016-12-29</entry>
  </dates>
</vuln>

<vuln vid="3c4693de-ccf7-11e6-a9a5-b499baebfeaf">
  <topic>phpmailer -- Remote Code Execution</topic>
  <affects>
    <package>
      <name>phpmailer</name>
      <range><lt>5.2.20</lt></range>
    </package>
    <package>
      <name>tt-rss</name>
      <range><lt>29.12.2016.04.37</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Legal Hackers reports:</p>
      <blockquote cite="https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html">
        <p>Independent research uncovered a critical vulnerability in
          PHPMailer that could potentially be used by (unauthenticated)
          remote attackers to achieve remote arbitrary code execution in
          the context of the web server user and remotely compromise the
          target web application.</p>
        <p>To exploit the vulnerability an attacker could target common
          website components such as contact/feedback forms, registration
          forms, password email resets and others that send out emails with
          the help of a vulnerable version of the PHPMailer class.</p>
        <p>The first patch of the vulnerability CVE-2016-10033 was incomplete.
          This advisory demonstrates the bypass of the patch. The bypass allows
          carrying out Remote Code Execution on all current versions (including
          5.2.19).</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html</url>
    <cvename>CVE-2016-10045</cvename>
  </references>
  <dates>
    <discovery>2016-12-28</discovery>
    <entry>2016-12-28</entry>
  </dates>
</vuln>

<vuln vid="e4bc323f-cc73-11e6-b704-000c292e4fd8">
  <topic>samba -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>samba36</name>
      <range><ge>3.6.0</ge><le>3.6.25_4</le></range>
    </package>
    <package>
      <name>samba4</name>
      <range><ge>4.0.0</ge><le>4.0.26</le></range>
    </package>
    <package>
      <name>samba41</name>
      <range><ge>4.1.0</ge><le>4.1.23</le></range>
    </package>
    <package>
      <name>samba42</name>
      <range><ge>4.2.0</ge><le>4.2.14</le></range>
    </package>
    <package>
      <name>samba43</name>
      <range><ge>4.3.0</ge><lt>4.3.13</lt></range>
    </package>
    <package>
      <name>samba44</name>
      <range><ge>4.4.0</ge><lt>4.4.8</lt></range>
    </package>
    <package>
      <name>samba45</name>
      <range><ge>4.5.0</ge><lt>4.5.3</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Samba team reports:</p>
      <blockquote cite="https://www.samba.org/samba/latest_news.html#4.5.3">
        <p>[CVE-2016-2123] Authenticated users can supply malicious dnsRecord
          attributes on DNS objects and trigger a controlled memory
          corruption.</p>
        <p>[CVE-2016-2125] Samba client code always requests a forwardable
          ticket when using Kerberos authentication. This means the target
          server, which must be in the current or trusted domain/realm, is
          given a valid general purpose Kerberos "Ticket Granting Ticket"
          (TGT), which can be used to fully impersonate the authenticated
          user or service.</p>
        <p>[CVE-2016-2126] A remote, authenticated attacker can cause the
          winbindd process to crash using a legitimate Kerberos ticket due to
          incorrect handling of the PAC checksum. A local service with access
          to the winbindd privileged pipe can cause winbindd to cache elevated
          access permissions.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2016-2123</cvename>
    <url>https://www.samba.org/samba/security/CVE-2016-2123.html</url>
    <cvename>CVE-2016-2125</cvename>
    <url>https://www.samba.org/samba/security/CVE-2016-2125.html</url>
    <cvename>CVE-2016-2126</cvename>
    <url>https://www.samba.org/samba/security/CVE-2016-2126.html</url>
  </references>
  <dates>
    <discovery>2016-12-19</discovery>
    <entry>2016-12-26</entry>
    <modified>2016-12-26</modified>
  </dates>
</vuln>

<vuln vid="244c8288-cc4a-11e6-a475-bcaec524bf84">
  <topic>upnp -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>upnp</name>
      <range><lt>1.6.21</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Matthew Garrett reports:</p>
      <blockquote cite="https://twitter.com/mjg59/status/755062278513319936">
        <p>Reported this to upstream 8 months ago without response,
          so: libupnp's default behaviour allows anyone to write to your
          filesystem. Seriously. Find a device running a libupnp based server
          (Shodan says there's rather a lot), and POST a file to /testfile.
          Then GET /testfile ... and yeah if the server is running as root
          (it is) and is using / as the web root (probably not, but maybe)
          this gives full host fs access.</p>
      </blockquote>
      <p>Scott Tenaglia reports:</p>
      <blockquote cite="https://sourceforge.net/p/pupnp/bugs/133/">
        <p>There is a heap buffer overflow vulnerability in the
          create_url_list function in upnp/src/gena/gena_device.c.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://twitter.com/mjg59/status/755062278513319936</url>
    <url>https://sourceforge.net/p/pupnp/bugs/133/</url>
    <cvename>CVE-2016-6255</cvename>
    <cvename>CVE-2016-8863</cvename>
  </references>
  <dates>
    <discovery>2016-02-23</discovery>
    <entry>2016-12-27</entry>
  </dates>
</vuln>

<vuln vid="c7656d4c-cb60-11e6-a9a5-b499baebfeaf">
  <topic>phpmailer -- Remote Code Execution</topic>
  <affects>
    <package>
      <name>phpmailer</name>
      <range><lt>5.2.18</lt></range>
    </package>
    <package>
      <name>tt-rss</name>
      <range><lt>26.12.2016.07.29</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Legal Hackers reports:</p>
      <blockquote cite="http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html">
        <p>Independent research uncovered a critical vulnerability in
          PHPMailer that could potentially be used by (unauthenticated)
          remote attackers to achieve remote arbitrary code execution in
          the context of the web server user and remotely compromise the
          target web application.</p>
        <p>To exploit the vulnerability an attacker could target common
          website components such as contact/feedback forms, registration
          forms, password email resets and others that send out emails with
          the help of a vulnerable version of the PHPMailer class.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html</url>
    <url>https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md</url>
    <cvename>CVE-2016-10033</cvename>
  </references>
  <dates>
    <discovery>2016-12-26</discovery>
    <entry>2016-12-26</entry>
  </dates>
</vuln>

<vuln vid="e7002b26-caaa-11e6-a76a-9f7324e5534e">
  <topic>exim -- DKIM private key leak</topic>
  <affects>
    <package>
      <name>exim</name>
      <range><gt>4.69</gt><lt>4.87.1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Exim project reports:</p>
      <blockquote cite="https://exim.org/static/doc/CVE-2016-9963.txt">
        <p>Exim leaks the private DKIM signing key to the log files.
          Additionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used,
          the key material is included in the bounce message.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://exim.org/static/doc/CVE-2016-9963.txt</url>
    <cvename>CVE-2016-9963</cvename>
  </references>
  <dates>
    <discovery>2016-12-15</discovery>
    <entry>2016-12-25</entry>
  </dates>
</vuln>

<vuln vid="2aedd15f-ca8b-11e6-a9a5-b499baebfeaf">
  <cancelled superseded="2c948527-d823-11e6-9171-14dae9d210b8"/>
</vuln>

<vuln vid="c40ca16c-4d9f-4d70-8b6c-4d53aeb8ead4">
  <topic>cURL -- uninitialized random vulnerability</topic>
  <affects>
    <package>
      <name>curl</name>
      <range><ge>7.52.0</ge><lt>7.52.1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Project curl Security Advisory:</p>
      <blockquote cite="https://curl.haxx.se/docs/adv_20161223.html">
        <p>libcurl's (new) internal function that returns a good 32-bit
          random value was implemented poorly and overwrote the pointer
          instead of writing the value into the buffer the pointer
          pointed to.</p>
        <p>This random value is used to generate nonces for Digest and
          NTLM authentication, for generating boundary strings in HTTP
          formposts and more. Having a weak or virtually non-existent
          random there makes these operations vulnerable.</p>
        <p>This function is brand new in 7.52.0 and is the result of an
          overhaul to make sure libcurl uses strong random as much as
          possible - provided by the backend TLS crypto libraries when
          present. The faulty function was introduced in this commit.</p>
        <p>We are not aware of any exploit of this flaw.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://curl.haxx.se/docs/adv_20161223.html</url>
    <cvename>CVE-2016-9594</cvename>
  </references>
  <dates>
    <discovery>2016-12-23</discovery>
    <entry>2016-12-24</entry>
  </dates>
</vuln>

<vuln vid="41f8af15-c8b9-11e6-ae1b-002590263bf5">
  <topic>squid -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>squid</name>
      <range><ge>3.1</ge><lt>3.5.23</lt></range>
    </package>
    <package>
      <name>squid-devel</name>
      <range><ge>4.0</ge><lt>4.0.17</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Squid security advisory 2016:10 reports:</p>
      <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_10.txt">
        <p>Due to incorrect comparison of request headers Squid can deliver
          responses containing private data to clients it should not have
          reached.</p>
        <p>This problem allows a remote attacker to discover private and
          sensitive information about another client's browsing session.
          Potentially including credentials which allow access to further
          sensitive resources. This problem only affects Squid configured
          to use the Collapsed Forwarding feature. It is of particular
          importance for HTTPS reverse-proxy sites with Collapsed
          Forwarding.</p>
      </blockquote>
      <p>Squid security advisory 2016:11 reports:</p>
      <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_11.txt">
        <p>Due to incorrect HTTP conditional request handling Squid can
          deliver responses containing private data to clients it should not
          have reached.</p>
        <p>This problem allows a remote attacker to discover private and
          sensitive information about another client's browsing session.
          Potentially including credentials which allow access to further
          sensitive resources.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2016-10002</cvename>
    <cvename>CVE-2016-10003</cvename>
    <freebsdpr>ports/215416</freebsdpr>
    <freebsdpr>ports/215418</freebsdpr>
    <url>http://www.squid-cache.org/Advisories/SQUID-2016_10.txt</url>
    <url>http://www.squid-cache.org/Advisories/SQUID-2016_11.txt</url>
  </references>
  <dates>
    <discovery>2016-12-16</discovery>
    <entry>2016-12-23</entry>
  </dates>
</vuln>

<vuln vid="c11629d3-c8ad-11e6-ae1b-002590263bf5">
  <topic>vim -- arbitrary command execution</topic>
  <affects>
    <package>
      <name>vim</name>
      <name>vim-console</name>
      <name>vim-lite</name>
      <range><lt>8.0.0056</lt></range>
    </package>
    <package>
      <name>neovim</name>
      <range><lt>0.1.7</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Mitre reports:</p>
      <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1248">
        <p>vim before patch 8.0.0056 does not properly validate values for the
          'filetype', 'syntax' and 'keymap' options, which may result in the
          execution of arbitrary code if a file with a specially crafted
          modeline is opened.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2016-1248</cvename>
    <bid>94478</bid>
    <url>https://github.com/vim/vim/commit/d0b5138ba4bccff8a744c99836041ef6322ed39a</url>
    <url>https://github.com/neovim/neovim/commit/4fad66fbe637818b6b3d6bc5d21923ba72795040</url>
  </references>
  <dates>
    <discovery>2016-11-22</discovery>
    <entry>2016-12-23</entry>
  </dates>
</vuln>

<vuln vid="c290f093-c89e-11e6-821e-68f7288bdf41">
  <topic>Pligg CMS -- XSS Vulnerability</topic>
  <affects>
    <package>
      <name>pligg</name>
      <range><le>2.0.2,1</le></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Netsparker reports:</p>
      <blockquote cite="https://www.netsparker.com/web-applications-advisories/ns-15-011-xss-vulnerability-identified-in-pligg-cms/">
        <p>Proof of Concept URL for XSS in Pligg CMS:</p>
        <p>Page: groups.php</p>
        <p>Parameter Name: keyword</p>
        <p>Parameter Type: GET</p>
        <p>Attack Pattern: http://example.com/pligg-cms-2.0.2/groups.php?view=search&amp;keyword='+alert(0x000D82)+'</p>
        <p>For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://www.netsparker.com/web-applications-advisories/ns-15-011-xss-vulnerability-identified-in-pligg-cms/</url>
  </references>
  <dates>
    <discovery>2015-05-13</discovery>
    <entry>2016-12-22</entry>
  </dates>
</vuln>

<vuln vid="fcedcdbb-c86e-11e6-b1cf-14dae9d210b8">
  <topic>FreeBSD -- Multiple vulnerabilities of ntp</topic>
  <affects>
    <package>
      <name>FreeBSD</name>
      <range><ge>11.0</ge><lt>11.0_6</lt></range>
      <range><ge>10.3</ge><lt>10.3_15</lt></range>
      <range><ge>10.2</ge><lt>10.2_28</lt></range>
      <range><ge>10.1</ge><lt>10.1_45</lt></range>
      <range><ge>9.3</ge><lt>9.3_53</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <h1>Problem Description:</h1>
      <p>Multiple vulnerabilities have been discovered in the NTP
        suite:</p>
      <p>CVE-2016-9311: Trap crash. Reported by Matthew Van Gundy
        of Cisco ASIG.</p>
      <p>CVE-2016-9310: Mode 6 unauthenticated trap information
        disclosure and DDoS vector. Reported by Matthew Van Gundy
        of Cisco ASIG.</p>
      <p>CVE-2016-7427: Broadcast Mode Replay Prevention DoS.
        Reported by Matthew Van Gundy of Cisco ASIG.</p>
      <p>CVE-2016-7428: Broadcast Mode Poll Interval Enforcement
        DoS. Reported by Matthew Van Gundy of Cisco ASIG.</p>
      <p>CVE-2016-7431: Regression: 010-origin: Zero Origin
        Timestamp Bypass. Reported by Sharon Goldberg and Aanchal
        Malhotra of Boston University.</p>
      <p>CVE-2016-7434: Null pointer dereference in
        _IO_str_init_static_internal(). Reported by Magnus Stubman.</p>
      <p>CVE-2016-7426: Client rate limiting and server responses.
        Reported by Miroslav Lichvar of Red Hat.</p>
      <p>CVE-2016-7433: Reboot sync calculation problem. Reported
        independently by Brian Utterback of Oracle, and by Sharon
        Goldberg and Aanchal Malhotra of Boston University.</p>
      <h1>Impact:</h1>
      <p>A remote attacker who can send a specially crafted packet
        can cause a NULL pointer dereference that will crash ntpd,
        resulting in a Denial of Service. [CVE-2016-9311]</p>
      <p>An exploitable configuration modification vulnerability
        exists in the control mode (mode 6) functionality of ntpd.
        If, against long-standing BCP recommendations, "restrict
        default noquery ..." is not specified, a specially crafted
        control mode packet from a remote attacker can set ntpd traps,
        providing information disclosure and DDoS amplification, or
        unset ntpd traps, disabling legitimate monitoring.
        [CVE-2016-9310]</p>
      <p>An attacker with access to the NTP broadcast domain can
        periodically inject specially crafted broadcast mode NTP
        packets into the broadcast domain which, while being logged
        by ntpd, can cause ntpd to reject broadcast mode packets
        from legitimate NTP broadcast servers. [CVE-2016-7427]</p>
      <p>An attacker with access to the NTP broadcast domain can
        send specially crafted broadcast mode NTP packets to the
        broadcast domain which, while being logged by ntpd, will
        cause ntpd to reject broadcast mode packets from legitimate
        NTP broadcast servers. [CVE-2016-7428]</p>
      <p>Origin timestamp problems were fixed in ntp 4.2.8p6.
        However, subsequent timestamp validation checks introduced
        a regression in the handling of some Zero origin timestamp
        checks. [CVE-2016-7431]</p>
      <p>If ntpd is configured to allow mrulist query requests
        from a server that sends a crafted malicious packet, ntpd
        will crash on receipt of that crafted malicious mrulist
        query packet. [CVE-2016-7434]</p>
      <p>An attacker who knows the sources (e.g., from an IPv4
        refid in a server response) and knows the system is (mis)configured
        in this way can periodically send packets with a spoofed
        source address to keep the rate limiting activated and
        prevent ntpd from accepting valid responses from its sources.
        [CVE-2016-7426]</p>
      <p>Ntp Bug 2085 described a condition where the root delay
        was included twice, causing the jitter value to be higher
        than expected. Due to a misinterpretation of a small-print
        variable in The Book, the fix for this problem was incorrect,
        resulting in a root distance that did not include the peer
        dispersion. The calculations and formulas have been reviewed
        and reconciled, and the code has been updated accordingly.
        [CVE-2016-7433]</p>
    </body>
  </description>
  <references>
    <cvename>CVE-2016-7426</cvename>
    <cvename>CVE-2016-7427</cvename>
    <cvename>CVE-2016-7428</cvename>
    <cvename>CVE-2016-7431</cvename>
    <cvename>CVE-2016-7433</cvename>
    <cvename>CVE-2016-7434</cvename>
    <cvename>CVE-2016-9310</cvename>
    <cvename>CVE-2016-9311</cvename>
    <freebsdsa>SA-16:39.ntp</freebsdsa>
  </references>
  <dates>
    <discovery>2016-12-22</discovery>
    <entry>2016-12-22</entry>
  </dates>
</vuln>

<vuln vid="42880202-c81c-11e6-a9a5-b499baebfeaf">
  <topic>cURL -- buffer overflow</topic>
  <affects>
    <package>
      <name>curl</name>
      <range><ge>7.1</ge><lt>7.52</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The cURL project reports:</p>
      <blockquote cite="https://curl.haxx.se/docs/vuln-7.51.0.html">
        <h2>printf floating point buffer overflow</h2>
        <p>libcurl's implementation of the printf() functions triggers a
          buffer overflow when doing a large floating point output. The bug
          occurs when the conversion outputs more than 255 bytes.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://curl.haxx.se/docs/vuln-7.51.0.html</url>
    <cvename>CVE-2016-9586</cvename>
  </references>
  <dates>
    <discovery>2016-12-21</discovery>
    <entry>2016-12-22</entry>
  </dates>
</vuln>

<vuln vid="624b45c0-c7f3-11e6-ae1b-002590263bf5">
  <topic>Joomla! -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>joomla3</name>
      <range><ge>1.6.0</ge><lt>3.6.5</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The JSST and the Joomla! Security Center report:</p>
      <blockquote cite="https://developer.joomla.org/security-centre/664-20161201-core-elevated-privileges.html">
        <h2>[20161201] - Core - Elevated Privileges</h2>
        <p>Incorrect use of unfiltered data stored to the session on a form
          validation failure allows for existing user accounts to be modified;
          to include resetting their username, password, and user group
          assignments.</p>
      </blockquote>
      <blockquote cite="https://developer.joomla.org/security-centre/665-20161202-core-shell-upload.html">
        <h2>[20161202] - Core - Shell Upload</h2>
        <p>Inadequate filesystem checks allowed files with alternative PHP
          file extensions to be uploaded.</p>
      </blockquote>
      <blockquote cite="https://developer.joomla.org/security-centre/666-20161203-core-information-disclosure.html">
        <h2>[20161203] - Core - Information Disclosure</h2>
        <p>Inadequate ACL checks in the Beez3 com_content article layout
          override enables a user to view restricted content.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2016-9836</cvename>
    <cvename>CVE-2016-9837</cvename>
    <cvename>CVE-2016-9838</cvename>
    <url>https://developer.joomla.org/security-centre/664-20161201-core-elevated-privileges.html</url>
    <url>https://developer.joomla.org/security-centre/665-20161202-core-shell-upload.html</url>
    <url>https://developer.joomla.org/security-centre/666-20161203-core-information-disclosure.html</url>
    <url>https://www.joomla.org/announcements/release-news/5693-joomla-3-6-5-released.html</url>
  </references>
  <dates>
    <discovery>2016-12-06</discovery>
    <entry>2016-12-22</entry>
  </dates>
</vuln>

<vuln vid="a27d234a-c7f2-11e6-ae1b-002590263bf5">
  <topic>Joomla! -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>joomla3</name>
      <range><ge>3.4.4</ge><lt>3.6.4</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The JSST and the Joomla! Security Center report:</p>
      <blockquote cite="https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html">
        <h2>[20161001] - Core - Account Creation</h2>
        <p>Inadequate checks allows for users to register on a site when
          registration has been disabled.</p>
      </blockquote>
      <blockquote cite="https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html">
        <h2>[20161002] - Core - Elevated Privilege</h2>
        <p>Incorrect use of unfiltered data allows for users to register on a
          site with elevated privileges.</p>
      </blockquote>
      <blockquote cite="https://developer.joomla.org/security-centre/661-20161003-core-account-modifications.html">
        <h2>[20161003] - Core - Account Modifications</h2>
        <p>Incorrect use of unfiltered data allows for existing user accounts
          to be modified; to include resetting their username, password, and
          user group assignments.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2016-8869</cvename>
    <cvename>CVE-2016-8870</cvename>
    <cvename>CVE-2016-9081</cvename>
    <url>https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html</url>
    <url>https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html</url>
    <url>https://developer.joomla.org/security-centre/661-20161003-core-account-modifications.html</url>
    <url>https://www.joomla.org/announcements/release-news/5678-joomla-3-6-4-released.html</url>
  </references>
  <dates>
    <discovery>2016-10-25</discovery>
    <entry>2016-12-22</entry>
  </dates>
</vuln>

<vuln vid="f0806cad-c7f1-11e6-ae1b-002590263bf5">
  <topic>Joomla! -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>joomla3</name>
      <range><ge>1.6.0</ge><lt>3.6.1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The JSST and the Joomla! Security Center report:</p>
      <blockquote cite="https://developer.joomla.org/security-centre/652-20160801-core-core-acl-violations.html">
        <h2>[20160801] - Core - ACL Violation</h2>
        <p>Inadequate ACL checks in com_content provide potential read access
          to data which should be access restricted to users with edit_own
          level.</p>
      </blockquote>
      <blockquote cite="https://developer.joomla.org/security-centre/653-20160802-core-xss-vulnerability.html">
        <h2>[20160802] - Core - XSS Vulnerability</h2>
        <p>Inadequate escaping leads to XSS vulnerability in mail component.</p>
      </blockquote>
      <blockquote cite="https://developer.joomla.org/security-centre/654-20160803-core-csrf.html">
        <h2>[20160803] - Core - CSRF</h2>
        <p>Add additional CSRF hardening in com_joomlaupdate.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://developer.joomla.org/security-centre/652-20160801-core-core-acl-violations.html</url>
    <url>https://developer.joomla.org/security-centre/653-20160802-core-xss-vulnerability.html</url>
    <url>https://developer.joomla.org/security-centre/654-20160803-core-csrf.html</url>
    <url>https://www.joomla.org/announcements/release-news/5665-joomla-3-6-1-released.html</url>
  </references>
  <dates>
    <discovery>2016-08-03</discovery>
    <entry>2016-12-22</entry>
  </dates>
</vuln>

<vuln vid="c0ef061a-c7f0-11e6-ae1b-002590263bf5">
  <topic>Joomla! -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>joomla3</name>
      <range><ge>1.5.0</ge><lt>3.4.7</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The JSST and the Joomla! Security Center report:</p>
      <blockquote cite="https://developer.joomla.org/security-centre/639-20151206-core-session-hardening.html">
        <h2>[20151206] - Core - Session Hardening</h2>
        <p>The Joomla Security Strike team has been following up on the
          critical security vulnerability patched last week. Since the recent
          update it has become clear that the root cause is a bug in PHP
          itself. This was fixed by PHP in September of 2015 with the releases
          of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all
          versions of PHP 7 and has been back-ported in some specific Linux
          LTS versions of PHP 5.3). This fixes the bug across all supported
          PHP versions.</p>
      </blockquote>
      <blockquote cite="https://developer.joomla.org/security-centre/640-20151207-core-sql-injection.html">
        <h2>[20151207] - Core - SQL Injection</h2>
        <p>Inadequate filtering of request data leads to a SQL Injection
          vulnerability.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://developer.joomla.org/security-centre/639-20151206-core-session-hardening.html</url>
    <url>https://developer.joomla.org/security-centre/640-20151207-core-sql-injection.html</url>
    <url>https://www.joomla.org/announcements/release-news/5643-joomla-3-4-7.html</url>
  </references>
  <dates>
    <discovery>2015-12-21</discovery>
    <entry>2016-12-22</entry>
  </dates>
</vuln>

<vuln vid="3ae078ca-c7eb-11e6-ae1b-002590263bf5">
  <topic>xen-kernel -- x86 PV guests may be able to mask interrupts</topic>
  <affects>
    <package>
      <name>xen-kernel</name>
      <range><lt>4.7.1_3</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Xen Project reports:</p>
      <blockquote cite="https://xenbits.xen.org/xsa/advisory-202.html">
        <p>Certain PV guest kernel operations (page table writes in
          particular) need emulation, and use Xen's general x86 instruction
          emulator. This allows a malicious guest kernel which asynchronously
          modifies its instruction stream to effect the clearing of EFLAGS.IF
          from the state used to return to guest context.</p>
        <p>A malicious guest kernel administrator can cause a host hang or
          crash, resulting in a Denial of Service.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2016-10024</cvename>
    <url>https://xenbits.xen.org/xsa/advisory-202.html</url>
  </references>
  <dates>
    <discovery>2016-12-21</discovery>
    <entry>2016-12-22</entry>
  </dates>
</vuln>

<vuln vid="862d6ab3-c75e-11e6-9f98-20cf30e32f6d">
  <topic>Apache httpd -- several vulnerabilities</topic>
  <affects>
    <package>
      <name>apache24</name>
      <range><lt>2.4.25</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Apache Software Foundation reports:</p>
      <blockquote cite="http://httpd.apache.org/security/vulnerabilities_24.html">
        <p>Please reference CVE/URL list for details</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://httpd.apache.org/security/vulnerabilities_24.html</url>
    <cvename>CVE-2016-8743</cvename>
    <cvename>CVE-2016-2161</cvename>
    <cvename>CVE-2016-0736</cvename>
    <cvename>CVE-2016-8740</cvename>
    <cvename>CVE-2016-5387</cvename>
  </references>
  <dates>
    <discovery>2016-12-20</discovery>
    <entry>2016-12-21</entry>
    <modified>2016-12-22</modified>
  </dates>
</vuln>

<vuln vid="942433db-c661-11e6-ae1b-002590263bf5">
  <topic>xen-kernel -- x86: Mishandling of SYSCALL singlestep during emulation</topic>
  <affects>
    <package>
      <name>xen-kernel</name>
      <range><lt>4.7.1_2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Xen Project reports:</p>
      <blockquote cite="http://xenbits.xen.org/xsa/advisory-204.html">
        <p>The typical behaviour of singlestepping exceptions is determined at
          the start of the instruction, with a #DB trap being raised at the
          end of the instruction. SYSCALL (and SYSRET, although we don't
          implement it) behave differently because the typical behaviour
          allows userspace to escalate its privilege. (This difference in
          behaviour seems to be undocumented.) Xen wrongly raised the
          exception based on the flags at the start of the instruction.</p>
        <p>Guest userspace which can invoke the instruction emulator can use
          this flaw to escalate its privilege to that of the guest kernel.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2016-10013</cvename>
    <url>http://xenbits.xen.org/xsa/advisory-204.html</url>
  </references>
  <dates>
    <discovery>2016-12-19</discovery>
    <entry>2016-12-20</entry>
  </dates>
</vuln>

<vuln vid="e47ab5db-c333-11e6-ae1b-002590263bf5">
  <topic>atheme-services -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>atheme-services</name>
      <range><lt>7.2.7</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Mitre reports:</p>
      <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9773">
        <p>modules/chanserv/flags.c in Atheme before 7.2.7 allows remote
          attackers to modify the Anope FLAGS behavior by registering and
          dropping the (1) LIST, (2) CLEAR, or (3) MODIFY keyword nicks.</p>
      </blockquote>
      <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4478">
        <p>Buffer overflow in the xmlrpc_char_encode function
in 885 modules/transport/xmlrpc/xmlrpclib.c in Atheme before 7.2.7 allows 886 remote attackers to cause a denial of service via vectors related 887 to XMLRPC response encoding.</p> 888 </blockquote> 889 </body> 890 </description> 891 <references> 892 <freebsdpr>ports/209217</freebsdpr> 893 <cvename>CVE-2014-9773</cvename> 894 <cvename>CVE-2016-4478</cvename> 895 <url>https://github.com/atheme/atheme/commit/87580d767868360d2fed503980129504da84b63e</url> 896 <url>https://github.com/atheme/atheme/commit/c597156adc60a45b5f827793cd420945f47bc03b</url> 897 </references> 898 <dates> 899 <discovery>2016-01-09</discovery> 900 <entry>2016-12-16</entry> 901 </dates> 902 </vuln> 903 904 <vuln vid="512c0ffd-cd39-4da4-b2dc-81ff4ba8e238"> 905 <topic>mozilla -- multiple vulnerabilities</topic> 906 <affects> 907 <package> 908 <name>firefox</name> 909 <range><lt>50.1.0_1,1</lt></range> 910 </package> 911 <package> 912 <name>seamonkey</name> 913 <name>linux-seamonkey</name> 914 <range><lt>2.47</lt></range> 915 </package> 916 <package> 917 <name>firefox-esr</name> 918 <range><lt>45.6.0,1</lt></range> 919 </package> 920 <package> 921 <name>linux-firefox</name> 922 <range><lt>45.6.0,2</lt></range> 923 </package> 924 <package> 925 <name>libxul</name> 926 <name>thunderbird</name> 927 <name>linux-thunderbird</name> 928 <range><lt>45.6.0</lt></range> 929 </package> 930 </affects> 931 <description> 932 <body xmlns="http://www.w3.org/1999/xhtml"> 933 <p>Mozilla Foundation reports:</p> 934 <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/"> 935 <p>CVE-2016-9894: Buffer overflow in SkiaGL</p> 936 <p>CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements</p> 937 <p>CVE-2016-9895: CSP bypass using marquee tag</p> 938 <p>CVE-2016-9896: Use-after-free with WebVR</p> 939 <p>CVE-2016-9897: Memory corruption in libGLES</p> 940 <p>CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees</p> 941 <p>CVE-2016-9900: Restricted external 
resources can be loaded by SVG images through data URLs</p> 942 <p>CVE-2016-9904: Cross-origin information leak in shared atoms</p> 943 <p>CVE-2016-9901: Data from Pocket server improperly sanitized before execution</p> 944 <p>CVE-2016-9902: Pocket extension does not validate the origin of events</p> 945 <p>CVE-2016-9903: XSS injection vulnerability in add-ons SDK</p> 946 <p>CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1</p> 947 <p>CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6</p> 948 </blockquote> 949 </body> 950 </description> 951 <references> 952 <cvename>CVE-2016-9894</cvename> 953 <cvename>CVE-2016-9899</cvename> 954 <cvename>CVE-2016-9895</cvename> 955 <cvename>CVE-2016-9896</cvename> 956 <cvename>CVE-2016-9897</cvename> 957 <cvename>CVE-2016-9898</cvename> 958 <cvename>CVE-2016-9900</cvename> 959 <cvename>CVE-2016-9904</cvename> 960 <cvename>CVE-2016-9901</cvename> 961 <cvename>CVE-2016-9902</cvename> 962 <cvename>CVE-2016-9903</cvename> 963 <cvename>CVE-2016-9080</cvename> 964 <cvename>CVE-2016-9893</cvename> 965 <url>https://www.mozilla.org/security/advisories/mfsa2016-94/</url> 966 <url>https://www.mozilla.org/security/advisories/mfsa2016-95/</url> 967 </references> 968 <dates> 969 <discovery>2016-12-13</discovery> 970 <entry>2016-12-14</entry> 971 </dates> 972 </vuln> 973 974 <vuln vid="54e50cd9-c1a8-11e6-ae1b-002590263bf5"> 975 <topic>wordpress -- multiple vulnerabilities</topic> 976 <affects> 977 <package> 978 <name>wordpress</name> 979 <range><lt>4.6.1,1</lt></range> 980 </package> 981 <package> 982 <name>de-wordpress</name> 983 <name>ja-wordpress</name> 984 <name>ru-wordpress</name> 985 <name>zh-wordpress-zh_CN</name> 986 <name>zh-wordpress-zh_TW</name> 987 <range><lt>4.6.1</lt></range> 988 </package> 989 </affects> 990 <description> 991 <body xmlns="http://www.w3.org/1999/xhtml"> 992 <p>Jeremy Felt reports:</p> 993 <blockquote 
cite="https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/"> 994 <p>WordPress versions 4.6 and earlier are affected by two security 995 issues: a cross-site scripting vulnerability via image filename, 996 reported by SumOfPwn researcher Cengiz Han Sahin; and a path 997 traversal vulnerability in the upgrade package uploader, reported 998 by Dominik Schilling from the WordPress security team.</p> 999 </blockquote> 1000 </body> 1001 </description> 1002 <references> 1003 <url>https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/</url> 1004 </references> 1005 <dates> 1006 <discovery>2016-09-07</discovery> 1007 <entry>2016-12-14</entry> 1008 </dates> 1009 </vuln> 1010 1011 <vuln vid="80a897a2-c1a6-11e6-ae1b-002590263bf5"> 1012 <topic>xen-kernel -- x86 CMPXCHG8B emulation fails to ignore operand size override</topic> 1013 <affects> 1014 <package> 1015 <name>xen-kernel</name> 1016 <range><lt>4.7.1_1</lt></range> 1017 </package> 1018 </affects> 1019 <description> 1020 <body xmlns="http://www.w3.org/1999/xhtml"> 1021 <p>The Xen Project reports:</p> 1022 <blockquote cite="http://xenbits.xen.org/xsa/advisory-200.html"> 1023 <p>The x86 instruction CMPXCHG8B is supposed to ignore legacy operand 1024 size overrides; it only honors the REX.W override (making it 1025 CMPXCHG16B). So, the operand size is always 8 or 16. When support 1026 for CMPXCHG16B emulation was added to the instruction emulator, 1027 this restriction on the set of possible operand sizes was relied on 1028 in some parts of the emulation; but a wrong, fully general, operand 1029 size value was used for other parts of the emulation. 
As a result, 1030 if a guest uses a supposedly-ignored operand size prefix, a small 1031 amount of hypervisor stack data is leaked to the guests: a 96 bit 1032 leak to guests running in 64-bit mode; or, a 32 bit leak to other 1033 guests.</p> 1034 <p>A malicious unprivileged guest may be able to obtain sensitive 1035 information from the host.</p> 1036 </blockquote> 1037 </body> 1038 </description> 1039 <references> 1040 <cvename>CVE-2016-9932</cvename> 1041 <url>http://xenbits.xen.org/xsa/advisory-200.html</url> 1042 </references> 1043 <dates> 1044 <discovery>2016-12-13</discovery> 1045 <entry>2016-12-14</entry> 1046 </dates> 1047 </vuln> 1048 1049 <vuln vid="2d56308b-c0a8-11e6-a9a5-b499baebfeaf"> 1050 <topic>PHP -- Multiple vulnerabilities</topic> 1051 <affects> 1052 <package> 1053 <name>php56</name> 1054 <range><lt>5.6.29</lt></range> 1055 </package> 1056 <package> 1057 <name>php70</name> 1058 <range><lt>7.0.14</lt></range> 1059 </package> 1060 </affects> 1061 <description> 1062 <body xmlns="http://www.w3.org/1999/xhtml"> 1063 <p>The PHP project reports:</p> 1064 <blockquote cite="http://php.net/archive/2016.php#id2016-12-08-1"> 1065 <p>This is a security release. 
Several security bugs were fixed in 1066 this release.</p> 1067 </blockquote> 1068 </body> 1069 </description> 1070 <references> 1071 <url>http://php.net/archive/2016.php#id2016-12-08-1</url> 1072 <url>http://php.net/archive/2016.php#id2016-12-08-2</url> 1073 </references> 1074 <dates> 1075 <discovery>2016-12-12</discovery> 1076 <entry>2016-12-12</entry> 1077 </dates> 1078 </vuln> 1079 1080 <vuln vid="c0b13887-be44-11e6-b04f-001999f8d30b"> 1081 <topic>asterisk -- Authentication Bypass</topic> 1082 <affects> 1083 <package> 1084 <name>asterisk11</name> 1085 <range><lt>11.25.1</lt></range> 1086 </package> 1087 <package> 1088 <name>asterisk13</name> 1089 <range><lt>13.13.1</lt></range> 1090 </package> 1091 </affects> 1092 <description> 1093 <body xmlns="http://www.w3.org/1999/xhtml"> 1094 <p>The Asterisk project reports:</p> 1095 <blockquote cite="http://www.asterisk.org/downloads/security-advisories"> 1096 <p>The chan_sip channel driver has a liberal definition 1097 for whitespace when attempting to strip the content between 1098 a SIP header name and a colon character. Rather than 1099 following RFC 3261 and stripping only spaces and horizontal 1100 tabs, Asterisk treats any non-printable ASCII character 1101 as if it were whitespace.</p> 1102 <p>This mostly does not pose a problem until Asterisk is 1103 placed in tandem with an authenticating SIP proxy. In 1104 such a case, a crafty combination of valid and invalid 1105 To headers can cause a proxy to allow an INVITE request 1106 into Asterisk without authentication since it believes 1107 the request is an in-dialog request. However, because of 1108 the bug described above, the request will look like an 1109 out-of-dialog request to Asterisk. Asterisk will then 1110 process the request as a new call. 
The result is that 1111 Asterisk can process calls from unvetted sources without 1112 any authentication.</p> 1113 <p>If you do not use a proxy for authentication, then 1114 this issue does not affect you.</p> 1115 <p>If your proxy is dialog-aware (meaning that the proxy 1116 keeps track of what dialogs are currently valid), then 1117 this issue does not affect you.</p> 1118 <p>If you use chan_pjsip instead of chan_sip, then this 1119 issue does not affect you.</p> 1120 </blockquote> 1121 </body> 1122 </description> 1123 <references> 1124 <url>http://downloads.digium.com/pub/security/ASTERISK-2016-009.html</url> 1125 </references> 1126 <dates> 1127 <discovery>2016-11-28</discovery> 1128 <entry>2016-12-09</entry> 1129 </dates> 1130 </vuln> 1131 1132 <vuln vid="9e6640fe-be3a-11e6-b04f-001999f8d30b"> 1133 <topic>asterisk -- Crash on SDP offer or answer from endpoint using Opus</topic> 1134 <affects> 1135 <package> 1136 <name>asterisk13</name> 1137 <range><ge>13.12.0</ge><lt>13.13.1</lt></range> 1138 </package> 1139 </affects> 1140 <description> 1141 <body xmlns="http://www.w3.org/1999/xhtml"> 1142 <p>The Asterisk project reports:</p> 1143 <blockquote cite="http://www.asterisk.org/downloads/security-advisories"> 1144 <p>If an SDP offer or answer is received with the Opus 1145 codec and with the format parameters separated using a 1146 space the code responsible for parsing will recursively 1147 call itself until it crashes. This occurs as the code 1148 does not properly handle spaces separating the parameters. 1149 This does NOT require the endpoint to have Opus configured 1150 in Asterisk. This also does not require the endpoint to 1151 be authenticated. 
If guest is enabled for chan_sip or 1152 anonymous in chan_pjsip an SDP offer or answer is still 1153 processed and the crash occurs.</p> 1154 </blockquote> 1155 </body> 1156 </description> 1157 <references> 1158 <url>http://downloads.asterisk.org/pub/security/AST-2016-008.html</url> 1159 </references> 1160 <dates> 1161 <discovery>2016-11-11</discovery> 1162 <entry>2016-12-09</entry> 1163 </dates> 1164 </vuln> 1165 1166 <vuln vid="eab68cff-bc0c-11e6-b2ca-001b3856973b"> 1167 <topic>cryptopp -- multiple vulnerabilities</topic> 1168 <affects> 1169 <package> 1170 <name>cryptopp</name> 1171 <range><lt>5.6.5</lt></range> 1172 </package> 1173 </affects> 1174 <description> 1175 <body xmlns="http://www.w3.org/1999/xhtml"> 1176 <p>Multiple sources report:</p> 1177 <blockquote cite="https://eprint.iacr.org/2015/368"> 1178 <p>CVE-2015-2141: The InvertibleRWFunction::CalculateInverse function 1179 in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key 1180 operations for the Rabin-Williams digital signature algorithm, which 1181 allows remote attackers to obtain private keys via a timing attack. 1182 Fixed in 5.6.3.</p> 1183 </blockquote> 1184 <blockquote cite="https://github.com/weidai11/cryptopp/issues/146"> 1185 <p>CVE-2016-3995: Incorrect implementation of Rijndael timing attack 1186 countermeasure. Fixed in 5.6.4.</p> 1187 </blockquote> 1188 <blockquote cite="https://github.com/weidai11/cryptopp/issues/277"> 1189 <p>CVE-2016-7420: Library built without -DNDEBUG could egress sensitive 1190 information to the filesystem via a core dump if an assert was triggered. 
1191 Fixed in 5.6.5.</p> 1192 </blockquote> 1193 </body> 1194 </description> 1195 <references> 1196 <url>https://eprint.iacr.org/2015/368</url> 1197 <url>https://github.com/weidai11/cryptopp/issues/146</url> 1198 <url>https://github.com/weidai11/cryptopp/issues/277</url> 1199 <cvename>CVE-2015-2141</cvename> 1200 <cvename>CVE-2016-3995</cvename> 1201 <cvename>CVE-2016-7420</cvename> 1202 </references> 1203 <dates> 1204 <discovery>2015-02-27</discovery> 1205 <entry>2016-12-06</entry> 1206 </dates> 1207 </vuln> 1208 1209 <vuln vid="e722e3c6-bbee-11e6-b1cf-14dae9d210b8"> 1210 <topic>FreeBSD -- bhyve(8) virtual machine escape</topic> 1211 <affects> 1212 <package> 1213 <name>FreeBSD</name> 1214 <range><ge>11.0</ge><lt>11.0_4</lt></range> 1215 <range><ge>10.3</ge><lt>10.3_13</lt></range> 1216 <range><ge>10.2</ge><lt>10.2_26</lt></range> 1217 <range><ge>10.1</ge><lt>10.1_43</lt></range> 1218 </package> 1219 </affects> 1220 <description> 1221 <body xmlns="http://www.w3.org/1999/xhtml"> 1222 <h1>Problem Description:</h1> 1223 <p>The bounds checking of accesses to guest memory greater 1224 than 4GB by device emulations is subject to integer 1225 overflow.</p> 1226 <h1>Impact:</h1> 1227 <p>For a bhyve virtual machine with more than 3GB of guest 1228 memory configured, a malicious guest could craft device 1229 descriptors that could give it access to the heap of the 1230 bhyve process. 
Since the bhyve process is running as root, 1231 this may allow guests to obtain full control of the hosts 1232 they're running on.</p> 1233 </body> 1234 </description> 1235 <references> 1236 <cvename>CVE-2016-1889</cvename> 1237 <freebsdsa>SA-16:38.bhyve</freebsdsa> 1238 </references> 1239 <dates> 1240 <discovery>2016-12-06</discovery> 1241 <entry>2016-12-06</entry> 1242 </dates> 1243 </vuln> 1244 1245 <vuln vid="0282269d-bbee-11e6-b1cf-14dae9d210b8"> 1246 <topic>FreeBSD -- link_ntoa(3) buffer overflow</topic> 1247 <affects> 1248 <package> 1249 <name>FreeBSD</name> 1250 <range><ge>11.0</ge><lt>11.0_5</lt></range> 1251 <range><ge>10.3</ge><lt>10.3_14</lt></range> 1252 <range><ge>10.2</ge><lt>10.2_27</lt></range> 1253 <range><ge>10.1</ge><lt>10.1_44</lt></range> 1254 <range><ge>9.3</ge><lt>9.3_52</lt></range> 1255 </package> 1256 </affects> 1257 <description> 1258 <body xmlns="http://www.w3.org/1999/xhtml"> 1259 <h1>Problem Description:</h1> 1260 <p>A specially crafted argument can trigger a static buffer 1261 overflow in the library, with possibility to rewrite following 1262 static buffers that belong to other library functions.</p> 1263 <h1>Impact:</h1> 1264 <p>Due to very limited use of the function in the existing 1265 applications, and limited length of the overflow, exploitation 1266 of the vulnerability does not seem feasible. None of the 1267 utilities and daemons in the base system are known to be 1268 vulnerable. 
However, careful review of third party software 1269 that may use the function was not performed.</p> 1270 </body> 1271 </description> 1272 <references> 1273 <cvename>CVE-2016-6559</cvename> 1274 <freebsdsa>SA-16:37.libc</freebsdsa> 1275 </references> 1276 <dates> 1277 <discovery>2016-12-06</discovery> 1278 <entry>2016-12-06</entry> 1279 <modified>2016-12-08</modified> 1280 </dates> 1281 </vuln> 1282 1283 <vuln vid="e00304d2-bbed-11e6-b1cf-14dae9d210b8"> 1284 <topic>FreeBSD -- Possible login(1) argument injection in telnetd(8)</topic> 1285 <affects> 1286 <package> 1287 <name>FreeBSD</name> 1288 <range><ge>11.0</ge><lt>11.0_4</lt></range> 1289 <range><ge>10.3</ge><lt>10.3_13</lt></range> 1290 <range><ge>10.2</ge><lt>10.2_26</lt></range> 1291 <range><ge>10.1</ge><lt>10.1_43</lt></range> 1292 <range><ge>9.3</ge><lt>9.3_51</lt></range> 1293 </package> 1294 </affects> 1295 <description> 1296 <body xmlns="http://www.w3.org/1999/xhtml"> 1297 <h1>Problem Description:</h1> 1298 <p>An unexpected sequence of memory allocation failures 1299 combined with insufficient error checking could result in 1300 the construction and execution of an argument sequence that 1301 was not intended.</p> 1302 <h1>Impact:</h1> 1303 <p>An attacker who controls the sequence of memory allocation 1304 failures and success may cause login(1) to run without 1305 authentication and may be able to cause misbehavior of 1306 login(1) replacements.</p> 1307 <p>No practical way of controlling these memory allocation 1308 failures is known at this time.</p> 1309 </body> 1310 </description> 1311 <references> 1312 <cvename>CVE-2016-1888</cvename> 1313 <freebsdsa>SA-16:36.telnetd</freebsdsa> 1314 </references> 1315 <dates> 1316 <discovery>2016-12-06</discovery> 1317 <entry>2016-12-06</entry> 1318 </dates> 1319 </vuln> 1320 1321 <vuln vid="cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf"> 1322 <topic>Apache httpd -- denial of service in HTTP/2</topic> 1323 <affects> 1324 <package> 1325 <name>apache24</name> 1326 
<range><ge>2.4.17</ge><le>2.4.23_1</le></range> 1327 </package> 1328 <package> 1329 <name>mod_http2-devel</name> 1330 <range><lt>1.8.3</lt></range> 1331 </package> 1332 </affects> 1333 <description> 1334 <body xmlns="http://www.w3.org/1999/xhtml"> 1335 <p>mod_http2 reports:</p> 1336 <blockquote cite="http://mail-archives.apache.org/mod_mbox/httpd-announce/201612.mbox/%3C1A097A43-7CCB-4BA1-861F-E0C7EEE83A4B%40apache.org%3E"> 1337 <p>The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply 1338 limitations on request headers correctly when experimental module 1339 for the HTTP/2 protocol is used to access a resource.</p> 1340 <p>The net result is that a the server allocates too much memory 1341 instead of denying the request. This can lead to memory exhaustion 1342 of the server by a properly crafted request.</p> 1343 </blockquote> 1344 </body> 1345 </description> 1346 <references> 1347 <url>http://mail-archives.apache.org/mod_mbox/httpd-announce/201612.mbox/%3C1A097A43-7CCB-4BA1-861F-E0C7EEE83A4B%40apache.org%3E</url> 1348 <url>https://github.com/icing/mod_h2/releases/tag/v1.8.3</url> 1349 <cvename>CVE-2016-8740</cvename> 1350 </references> 1351 <dates> 1352 <discovery>2016-12-06</discovery> 1353 <entry>2016-12-06</entry> 1354 </dates> 1355 </vuln> 1356 1357 <vuln vid="603fe0a1-bb26-11e6-8e5a-3065ec8fd3ec"> 1358 <topic>chromium -- multiple vulnerabilities</topic> 1359 <affects> 1360 <package> 1361 <name>chromium</name> 1362 <name>chromium-npapi</name> 1363 <name>chromium-pulse</name> 1364 <range><lt>55.0.2883.75</lt></range> 1365 </package> 1366 </affects> 1367 <description> 1368 <body xmlns="http://www.w3.org/1999/xhtml"> 1369 <p>Google Chrome Releases reports:</p> 1370 <blockquote cite="https://googlechromereleases.blogspot.nl/2016/12/stable-channel-update-for-desktop.html"> 1371 <p>36 security fixes in this release</p> 1372 <p>Please reference CVE/URL list for details</p> 1373 </blockquote> 1374 </body> 1375 </description> 1376 <references> 1377 
<cvename>CVE-2016-9651</cvename> 1378 <cvename>CVE-2016-5208</cvename> 1379 <cvename>CVE-2016-5207</cvename> 1380 <cvename>CVE-2016-5206</cvename> 1381 <cvename>CVE-2016-5205</cvename> 1382 <cvename>CVE-2016-5204</cvename> 1383 <cvename>CVE-2016-5209</cvename> 1384 <cvename>CVE-2016-5203</cvename> 1385 <cvename>CVE-2016-5210</cvename> 1386 <cvename>CVE-2016-5212</cvename> 1387 <cvename>CVE-2016-5211</cvename> 1388 <cvename>CVE-2016-5213</cvename> 1389 <cvename>CVE-2016-5214</cvename> 1390 <cvename>CVE-2016-5216</cvename> 1391 <cvename>CVE-2016-5215</cvename> 1392 <cvename>CVE-2016-5217</cvename> 1393 <cvename>CVE-2016-5218</cvename> 1394 <cvename>CVE-2016-5219</cvename> 1395 <cvename>CVE-2016-5221</cvename> 1396 <cvename>CVE-2016-5220</cvename> 1397 <cvename>CVE-2016-5222</cvename> 1398 <cvename>CVE-2016-9650</cvename> 1399 <cvename>CVE-2016-5223</cvename> 1400 <cvename>CVE-2016-5226</cvename> 1401 <cvename>CVE-2016-5225</cvename> 1402 <cvename>CVE-2016-5224</cvename> 1403 <cvename>CVE-2016-9652</cvename> 1404 <url>https://googlechromereleases.blogspot.nl/2016/12/stable-channel-update-for-desktop.html</url> 1405 </references> 1406 <dates> 1407 <discovery>2016-12-01</discovery> 1408 <entry>2016-12-05</entry> 1409 </dates> 1410 </vuln> 1411 1412 <vuln vid="e1f67063-aab4-11e6-b2d3-60a44ce6887b"> 1413 <topic>ImageMagick7 -- multiple vulnerabilities</topic> 1414 <affects> 1415 <package> 1416 <name>ImageMagick7</name> 1417 <name>ImageMagick7-nox11</name> 1418 <range><lt>7.0.3.6</lt></range> 1419 </package> 1420 </affects> 1421 <description> 1422 <body xmlns="http://www.w3.org/1999/xhtml"> 1423 <p>Multiple sources report:</p> 1424 <blockquote cite="https://github.com/ImageMagick/ImageMagick/issues/296"> 1425 <p>CVE-2016-9298: heap overflow in WaveletDenoiseImage(), fixed in ImageMagick7-7.0.3.6, discovered 2016-10-31</p> 1426 </blockquote> 1427 <blockquote 
cite="https://blogs.gentoo.org/ago/2016/10/20/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862/"> 1428 <p>CVE-2016-8866: memory allocation failure in AcquireMagickMemory (incomplete previous fix for CVE-2016-8862), not fixed yet with the release of this announcement, re-discovered 2016-10-13.</p> 1429 </blockquote> 1430 <blockquote cite="https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/"> 1431 <p>CVE-2016-8862: memory allocation failure in AcquireMagickMemory, initially partially fixed in ImageMagick7-7.0.3.3, discovered 2016-09-14.</p> 1432 </blockquote> 1433 </body> 1434 </description> 1435 <references> 1436 <url>https://github.com/ImageMagick/ImageMagick/issues/296</url> 1437 <url>https://blogs.gentoo.org/ago/2016/10/20/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862/</url> 1438 <url>https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/</url> 1439 <cvename>CVE-2016-9298</cvename> 1440 <cvename>CVE-2016-8866</cvename> 1441 <cvename>CVE-2016-8862</cvename> 1442 <freebsdpr>ports/214514</freebsdpr> 1443 </references> 1444 <dates> 1445 <discovery>2016-09-14</discovery> 1446 <entry>2016-12-04</entry> 1447 </dates> 1448 </vuln> 1449 1450 <vuln vid="bc4898d5-a794-11e6-b2d3-60a44ce6887b"> 1451 <topic>Pillow -- multiple vulnerabilities</topic> 1452 <affects> 1453 <package> 1454 <name>py27-pillow</name> 1455 <name>py33-pillow</name> 1456 <name>py34-pillow</name> 1457 <name>py35-pillow</name> 1458 <range><lt>3.3.2</lt></range> 1459 </package> 1460 </affects> 1461 <description> 1462 <body xmlns="http://www.w3.org/1999/xhtml"> 1463 <p>Pillow reports:</p> 1464 <blockquote cite="http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html"> 1465 <p>Pillow prior to 3.3.2 may experience integer overflow 1466 errors in map.c when reading specially crafted 
image files. This may 1467 lead to memory disclosure or corruption.</p> 1468 <p>Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check 1469 for negative image sizes in ImagingNew in Storage.c. A negative image 1470 size can lead to a smaller allocation than expected, leading to arbi 1471 trary writes.</p> 1472 </blockquote> 1473 </body> 1474 </description> 1475 <references> 1476 <url>http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html</url> 1477 <url>https://github.com/python-pillow/Pillow/issues/2105</url> 1478 <cvename>CVE-2016-9189</cvename> 1479 <cvename>CVE-2016-9190</cvename> 1480 <freebsdpr>ports/214410</freebsdpr> 1481 </references> 1482 <dates> 1483 <discovery>2016-09-06</discovery> 1484 <entry>2016-12-04</entry> 1485 </dates> 1486 </vuln> 1487 1488 <vuln vid="19d35b0f-ba73-11e6-b1cf-14dae9d210b8"> 1489 <topic>ImageMagick -- heap overflow vulnerability</topic> 1490 <affects> 1491 <package> 1492 <name>ImageMagick</name> 1493 <name>ImageMagick-nox11</name> 1494 <range><lt>6.9.6.4,1</lt></range> 1495 </package> 1496 <package> 1497 <name>ImageMagick7</name> 1498 <name>ImageMagick7-nox11</name> 1499 <range><lt>7.0.3.7</lt></range> 1500 </package> 1501 </affects> 1502 <description> 1503 <body xmlns="http://www.w3.org/1999/xhtml"> 1504 <p>Bastien Roucaries reports:</p> 1505 <blockquote cite="http://seclists.org/oss-sec/2016/q4/413"> 1506 <p>Imagemagick before 3cbfb163cff9e5b8cdeace8312e9bfee810ed02b 1507 suffer from a heap overflow in WaveletDenoiseImage(). 
This problem is 1508 easily trigerrable from a Perl script.</p> 1509 </blockquote> 1510 </body> 1511 </description> 1512 <references> 1513 <url>http://seclists.org/oss-sec/2016/q4/413</url> 1514 <url>https://github.com/ImageMagick/ImageMagick/issues/296</url> 1515 <cvename>CVE-2016-9298</cvename> 1516 <freebsdpr>ports/214517</freebsdpr> 1517 <freebsdpr>ports/214511</freebsdpr> 1518 <freebsdpr>ports/214520</freebsdpr> 1519 </references> 1520 <dates> 1521 <discovery>2016-11-13</discovery> 1522 <entry>2016-12-04</entry> 1523 </dates> 1524 </vuln> 1525 1526 <vuln vid="e5dcb942-ba6f-11e6-b1cf-14dae9d210b8"> 1527 <topic>py-cryptography -- vulnerable HKDF key generation</topic> 1528 <affects> 1529 <package> 1530 <name>py27-cryptography</name> 1531 <name>py33-cryptography</name> 1532 <name>py34-cryptography</name> 1533 <name>py35-cryptography</name> 1534 <range><lt>1.5.3</lt></range> 1535 </package> 1536 </affects> 1537 <description> 1538 <body xmlns="http://www.w3.org/1999/xhtml"> 1539 <p>Alex Gaynor reports:</p> 1540 <blockquote cite="https://github.com/pyca/cryptography/commit/b94cacf2ae6e75e4007a79709bbf5360435b512d"> 1541 <p>Fixed a bug where ``HKDF`` would return an empty 1542 byte-string if used with a ``length`` less than 1543 ``algorithm.digest_size``.</p> 1544 </blockquote> 1545 </body> 1546 </description> 1547 <references> 1548 <url>https://github.com/pyca/cryptography/commit/b94cacf2ae6e75e4007a79709bbf5360435b512d</url> 1549 <cvename>CVE-2016-9243</cvename> 1550 <freebsdpr>ports/214915</freebsdpr> 1551 </references> 1552 <dates> 1553 <discovery>2016-11-05</discovery> 1554 <entry>2016-12-04</entry> 1555 <modified>2016-12-06</modified> 1556 </dates> 1557 </vuln> 1558 1559 <vuln vid="a228c7a0-ba66-11e6-b1cf-14dae9d210b8"> 1560 <topic>qemu -- denial of service vulnerability</topic> 1561 <affects> 1562 <package> 1563 <name>qemu</name> 1564 <name>qemu-devel</name> 1565 <name>qemu-sbruno</name> 1566 <range><lt>2.3.0</lt></range> 1567 </package> 1568 </affects> 1569 
<description> 1570 <body xmlns="http://www.w3.org/1999/xhtml"> 1571 <p>Daniel P. Berrange reports:</p> 1572 <blockquote cite="https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04895.html"> 1573 <p>The VNC server websockets decoder will read and buffer data 1574 from websockets clients until it sees the end of the HTTP headers, 1575 as indicated by \r\n\r\n. In theory this allows a malicious to 1576 trick QEMU into consuming an arbitrary amount of RAM.</p> 1577 </blockquote> 1578 </body> 1579 </description> 1580 <references> 1581 <url>https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04895.html</url> 1582 <cvename>CVE-2015-1779</cvename> 1583 <freebsdpr>ports/206725</freebsdpr> 1584 </references> 1585 <dates> 1586 <discovery>2015-03-23</discovery> 1587 <entry>2016-12-04</entry> 1588 <modified>2016-12-06</modified> 1589 </dates> 1590 </vuln> 1591 1592 <vuln vid="59f79c99-ba4d-11e6-ae1b-002590263bf5"> 1593 <topic>xen-tools -- delimiter injection vulnerabilities in pygrub</topic> 1594 <affects> 1595 <package> 1596 <name>xen-tools</name> 1597 <range><lt>4.7.1</lt></range> 1598 </package> 1599 </affects> 1600 <description> 1601 <body xmlns="http://www.w3.org/1999/xhtml"> 1602 <p>The Xen Project reports:</p> 1603 <blockquote cite="https://xenbits.xen.org/xsa/advisory-198.html"> 1604 <p>pygrub, the boot loader emulator, fails to quote (or sanity check) 1605 its results when reporting them to its caller.</p> 1606 <p>A malicious guest administrator can obtain the contents of 1607 sensitive host files (an information leak). Additionally, a 1608 malicious guest administrator can cause files on the host to be 1609 removed, causing a denial of service. 
In some unusual host 1610 configurations, ability to remove certain files may be usable for 1611 privilege escalation.</p> 1612 </blockquote> 1613 </body> 1614 </description> 1615 <references> 1616 <cvename>CVE-2016-9379</cvename> 1617 <cvename>CVE-2016-9380</cvename> 1618 <freebsdpr>ports/214936</freebsdpr> 1619 <url>https://xenbits.xen.org/xsa/advisory-198.html</url> 1620 </references> 1621 <dates> 1622 <discovery>2016-11-22</discovery> 1623 <entry>2016-12-04</entry> 1624 </dates> 1625 </vuln> 1626 1627 <vuln vid="58685e23-ba4d-11e6-ae1b-002590263bf5"> 1628 <topic>xen-tools -- qemu incautious about shared ring processing</topic> 1629 <affects> 1630 <package> 1631 <name>xen-tools</name> 1632 <range><lt>4.7.1</lt></range> 1633 </package> 1634 </affects> 1635 <description> 1636 <body xmlns="http://www.w3.org/1999/xhtml"> 1637 <p>The Xen Project reports:</p> 1638 <blockquote cite="https://xenbits.xen.org/xsa/advisory-197.html"> 1639 <p>The compiler can emit optimizations in qemu which can lead to 1640 double fetch vulnerabilities. 
Specifically data on the rings shared 1641 between qemu and the hypervisor (which the guest under control can 1642 obtain mappings of) can be fetched twice (during which time the 1643 guest can alter the contents) possibly leading to arbitrary code 1644 execution in qemu.</p> 1645 <p>Malicious administrators can exploit this vulnerability to take 1646 over the qemu process, elevating its privilege to that of the qemu 1647 process.</p> 1648 <p>In a system not using a device model stub domain (or other 1649 techniques for deprivileging qemu), malicious guest administrators 1650 can thus elevate their privilege to that of the host.</p> 1651 </blockquote> 1652 </body> 1653 </description> 1654 <references> 1655 <cvename>CVE-2016-9381</cvename> 1656 <freebsdpr>ports/214936</freebsdpr> 1657 <url>https://xenbits.xen.org/xsa/advisory-197.html</url> 1658 </references> 1659 <dates> 1660 <discovery>2016-11-22</discovery> 1661 <entry>2016-12-04</entry> 1662 </dates> 1663 </vuln> 1664 1665 <vuln vid="56f0f11e-ba4d-11e6-ae1b-002590263bf5"> 1666 <topic>xen-kernel -- x86 64-bit bit test instruction emulation broken</topic> 1667 <affects> 1668 <package> 1669 <name>xen-kernel</name> 1670 <range><lt>4.7.1</lt></range> 1671 </package> 1672 </affects> 1673 <description> 1674 <body xmlns="http://www.w3.org/1999/xhtml"> 1675 <p>The Xen Project reports:</p> 1676 <blockquote cite="https://xenbits.xen.org/xsa/advisory-195.html"> 1677 <p>The x86 instructions BT, BTC, BTR, and BTS, when used with a 1678 destination memory operand and a source register rather than an 1679 immediate operand, access a memory location offset from that 1680 specified by the memory operand as specified by the high bits of 1681 the register source.</p> 1682 <p>A malicious guest can modify arbitrary memory, allowing for 1683 arbitrary code execution (and therefore privilege escalation 1684 affecting the whole host), a crash of the host (leading to a DoS), 1685 or information leaks. 
The vulnerability is sometimes exploitable 1686 by unprivileged guest user processes.</p> 1687 </blockquote> 1688 </body> 1689 </description> 1690 <references> 1691 <cvename>CVE-2016-9383</cvename> 1692 <freebsdpr>ports/214936</freebsdpr> 1693 <url>https://xenbits.xen.org/xsa/advisory-195.html</url> 1694 </references> 1695 <dates> 1696 <discovery>2016-11-22</discovery> 1697 <entry>2016-12-04</entry> 1698 </dates> 1699 </vuln> 1700 1701 <vuln vid="5555120d-ba4d-11e6-ae1b-002590263bf5"> 1702 <topic>xen-kernel -- guest 32-bit ELF symbol table load leaking host data</topic> 1703 <affects> 1704 <package> 1705 <name>xen-kernel</name> 1706 <range><ge>4.7</ge><lt>4.7.1</lt></range> 1707 </package> 1708 </affects> 1709 <description> 1710 <body xmlns="http://www.w3.org/1999/xhtml"> 1711 <p>The Xen Project reports:</p> 1712 <blockquote cite="https://xenbits.xen.org/xsa/advisory-194.html"> 1713 <p>Along with their main kernel binary, unprivileged guests may 1714 arrange to have their Xen environment load (kernel) symbol tables 1715 for their use. The ELF image metadata created for this purpose has a 1716 few unused bytes when the symbol table binary is in 32-bit ELF 1717 format. 
These unused bytes were not properly cleared during symbol 1718 table loading.</p> 1719 <p>A malicious unprivileged guest may be able to obtain sensitive 1720 information from the host.</p> 1721 <p>The information leak is small and not under the control of the 1722 guest, so effectively exploiting this vulnerability is probably 1723 difficult.</p> 1724 </blockquote> 1725 </body> 1726 </description> 1727 <references> 1728 <cvename>CVE-2016-9384</cvename> 1729 <freebsdpr>ports/214936</freebsdpr> 1730 <url>https://xenbits.xen.org/xsa/advisory-194.html</url> 1731 </references> 1732 <dates> 1733 <discovery>2016-11-22</discovery> 1734 <entry>2016-12-04</entry> 1735 </dates> 1736 </vuln> 1737 1738 <vuln vid="53dbd096-ba4d-11e6-ae1b-002590263bf5"> 1739 <topic>xen-kernel -- x86 segment base write emulation lacking canonical address checks</topic> 1740 <affects> 1741 <package> 1742 <name>xen-kernel</name> 1743 <range><ge>4.4</ge><lt>4.7.1</lt></range> 1744 </package> 1745 </affects> 1746 <description> 1747 <body xmlns="http://www.w3.org/1999/xhtml"> 1748 <p>The Xen Project reports:</p> 1749 <blockquote cite="https://xenbits.xen.org/xsa/advisory-193.html"> 1750 <p>Both writes to the FS and GS register base MSRs as well as the 1751 WRFSBASE and WRGSBASE instructions require their input values to be 1752 canonical, or a #GP fault will be raised. 
When the use of those 1753 instructions by the hypervisor was enabled, the previous guard 1754 against #GP faults (having recovery code attached) was accidentally 1755 removed.</p> 1756 <p>A malicious guest administrator can crash the host, leading to a 1757 DoS.</p> 1758 </blockquote> 1759 </body> 1760 </description> 1761 <references> 1762 <cvename>CVE-2016-9385</cvename> 1763 <freebsdpr>ports/214936</freebsdpr> 1764 <url>https://xenbits.xen.org/xsa/advisory-193.html</url> 1765 </references> 1766 <dates> 1767 <discovery>2016-11-22</discovery> 1768 <entry>2016-12-04</entry> 1769 </dates> 1770 </vuln> 1771 1772 <vuln vid="523bb0b7-ba4d-11e6-ae1b-002590263bf5"> 1773 <topic>xen-kernel -- x86 task switch to VM86 mode mis-handled</topic> 1774 <affects> 1775 <package> 1776 <name>xen-kernel</name> 1777 <range><lt>4.7.1</lt></range> 1778 </package> 1779 </affects> 1780 <description> 1781 <body xmlns="http://www.w3.org/1999/xhtml"> 1782 <p>The Xen Project reports:</p> 1783 <blockquote cite="https://xenbits.xen.org/xsa/advisory-192.html"> 1784 <p>LDTR, just like TR, is purely a protected mode facility. Hence even 1785 when switching to a VM86 mode task, LDTR loading needs to follow 1786 protected mode semantics. 
This was violated by the code.</p> 1787 <p>On SVM (AMD hardware): a malicious unprivileged guest process can 1788 escalate its privilege to that of the guest operating system.</p> 1789 <p>On both SVM and VMX (Intel hardware): a malicious unprivileged 1790 guest process can crash the guest.</p> 1791 </blockquote> 1792 </body> 1793 </description> 1794 <references> 1795 <cvename>CVE-2016-9382</cvename> 1796 <freebsdpr>ports/214936</freebsdpr> 1797 <url>https://xenbits.xen.org/xsa/advisory-192.html</url> 1798 </references> 1799 <dates> 1800 <discovery>2016-11-22</discovery> 1801 <entry>2016-12-04</entry> 1802 </dates> 1803 </vuln> 1804 1805 <vuln vid="50ac2e96-ba4d-11e6-ae1b-002590263bf5"> 1806 <topic>xen-kernel -- x86 null segments not always treated as unusable</topic> 1807 <affects> 1808 <package> 1809 <name>xen-kernel</name> 1810 <range><lt>4.7.1</lt></range> 1811 </package> 1812 </affects> 1813 <description> 1814 <body xmlns="http://www.w3.org/1999/xhtml"> 1815 <p>The Xen Project reports:</p> 1816 <blockquote cite="https://xenbits.xen.org/xsa/advisory-191.html"> 1817 <p>The Xen x86 emulator erroneously failed to consider the unusability 1818 of segments when performing memory accesses.</p> 1819 <p> The intended behaviour is as follows: The user data segment (%ds, 1820 %es, %fs and %gs) selectors may be NULL in 32-bit to prevent access. 1821 In 64-bit, NULL has a special meaning for user segments, and there 1822 is no way of preventing access. However, in both 32-bit and 64-bit, 1823 a NULL LDT system segment is intended to prevent access.</p> 1824 <p>On Intel hardware, loading a NULL selector zeros the base as well 1825 as most attributes, but sets the limit field to its largest possible 1826 value. 
On AMD hardware, loading a NULL selector zeros the attributes, 1827 leaving the stale base and limit intact.</p> 1828 <p>Xen may erroneously permit the access using unexpected base/limit 1829 values.</p> 1830 <p>Ability to exploit this vulnerability on Intel is easy, but on AMD 1831 depends in a complicated way on how the guest kernel manages LDTs. 1832 </p> 1833 <p>An unprivileged guest user program may be able to elevate its 1834 privilege to that of the guest operating system.</p> 1835 </blockquote> 1836 </body> 1837 </description> 1838 <references> 1839 <cvename>CVE-2016-9386</cvename> 1840 <freebsdpr>ports/214936</freebsdpr> 1841 <url>https://xenbits.xen.org/xsa/advisory-191.html</url> 1842 </references> 1843 <dates> 1844 <discovery>2016-11-22</discovery> 1845 <entry>2016-12-04</entry> 1846 </dates> 1847 </vuln> 1848 1849 <vuln vid="4d7cf654-ba4d-11e6-ae1b-002590263bf5"> 1850 <topic>xen-kernel -- CR0.TS and CR0.EM not always honored for x86 HVM guests</topic> 1851 <affects> 1852 <package> 1853 <name>xen-kernel</name> 1854 <range><lt>4.7.1</lt></range> 1855 </package> 1856 </affects> 1857 <description> 1858 <body xmlns="http://www.w3.org/1999/xhtml"> 1859 <p>The Xen Project reports:</p> 1860 <blockquote cite="https://xenbits.xen.org/xsa/advisory-190.html"> 1861 <p>Instructions touching FPU, MMX, or XMM registers are required to 1862 raise a Device Not Available Exception (#NM) when either CR0.EM or 1863 CR0.TS are set. (Their AVX or AVX-512 extensions would consider only 1864 CR0.TS.) 
While during normal operation this is ensured by the 1865 hardware, if a guest modifies instructions while the hypervisor is 1866 preparing to emulate them, the #NM delivery could be missed.</p> 1867 <p>Guest code in one task may thus (unintentionally or maliciously) 1868 read or modify register state belonging to another task in the same 1869 VM.</p> 1870 <p>A malicious unprivileged guest user may be able to obtain or 1871 corrupt sensitive information (including cryptographic material) in 1872 other programs in the same guest.</p> 1873 </blockquote> 1874 </body> 1875 </description> 1876 <references> 1877 <cvename>CVE-2016-7777</cvename> 1878 <freebsdpr>ports/214936</freebsdpr> 1879 <url>https://xenbits.xen.org/xsa/advisory-190.html</url> 1880 </references> 1881 <dates> 1882 <discovery>2016-10-04</discovery> 1883 <entry>2016-12-04</entry> 1884 </dates> 1885 </vuln> 1886 1887 <vuln vid="4bf57137-ba4d-11e6-ae1b-002590263bf5"> 1888 <topic>xen-kernel -- use after free in FIFO event channel code</topic> 1889 <affects> 1890 <package> 1891 <name>xen-kernel</name> 1892 <range><ge>4.4</ge><lt>4.5</lt></range> 1893 </package> 1894 </affects> 1895 <description> 1896 <body xmlns="http://www.w3.org/1999/xhtml"> 1897 <p>The Xen Project reports:</p> 1898 <blockquote cite="https://xenbits.xen.org/xsa/advisory-188.html"> 1899 <p>When the EVTCHNOP_init_control operation is called with a bad guest 1900 frame number, it takes an error path which frees a control structure 1901 without also clearing the corresponding pointer. Certain subsequent 1902 operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control), 1903 upon finding the non-NULL pointer, continue operation assuming it 1904 points to allocated memory.</p> 1905 <p>A malicious guest administrator can crash the host, leading to a 1906 DoS. 
Arbitrary code execution (and therefore privilege escalation), 1907 and information leaks, cannot be excluded.</p> 1908 </blockquote> 1909 </body> 1910 </description> 1911 <references> 1912 <cvename>CVE-2016-7154</cvename> 1913 <freebsdpr>ports/214936</freebsdpr> 1914 <url>https://xenbits.xen.org/xsa/advisory-188.html</url> 1915 </references> 1916 <dates> 1917 <discovery>2016-09-08</discovery> 1918 <entry>2016-12-04</entry> 1919 </dates> 1920 </vuln> 1921 1922 <vuln vid="4aae54be-ba4d-11e6-ae1b-002590263bf5"> 1923 <topic>xen-kernel -- x86 HVM: Overflow of sh_ctxt->seg_reg[]</topic> 1924 <affects> 1925 <package> 1926 <name>xen-kernel</name> 1927 <range><lt>4.7.1</lt></range> 1928 </package> 1929 </affects> 1930 <description> 1931 <body xmlns="http://www.w3.org/1999/xhtml"> 1932 <p>The Xen Project reports:</p> 1933 <blockquote cite="https://xenbits.xen.org/xsa/advisory-187.html"> 1934 <p>x86 HVM guests running with shadow paging use a subset of the x86 1935 emulator to handle the guest writing to its own pagetables. 
There 1936 are situations a guest can provoke which result in exceeding the 1937 space allocated for internal state.</p> 1938 <p>A malicious HVM guest administrator can cause Xen to fail a bug 1939 check, causing a denial of service to the host.</p> 1940 </blockquote> 1941 </body> 1942 </description> 1943 <references> 1944 <cvename>CVE-2016-7094</cvename> 1945 <freebsdpr>ports/214936</freebsdpr> 1946 <url>https://xenbits.xen.org/xsa/advisory-187.html</url> 1947 </references> 1948 <dates> 1949 <discovery>2016-09-08</discovery> 1950 <entry>2016-12-04</entry> 1951 </dates> 1952 </vuln> 1953 1954 <vuln vid="49211361-ba4d-11e6-ae1b-002590263bf5"> 1955 <topic>xen-kernel -- x86: Mishandling of instruction pointer truncation during emulation</topic> 1956 <affects> 1957 <package> 1958 <name>xen-kernel</name> 1959 <range><eq>4.5.3</eq></range> 1960 <range><eq>4.6.3</eq></range> 1961 <range><ge>4.7.0</ge><lt>4.7.1</lt></range> 1962 </package> 1963 </affects> 1964 <description> 1965 <body xmlns="http://www.w3.org/1999/xhtml"> 1966 <p>The Xen Project reports:</p> 1967 <blockquote cite="https://xenbits.xen.org/xsa/advisory-186.html"> 1968 <p>When emulating HVM instructions, Xen uses a small i-cache for 1969 fetches from guest memory. The code that handles cache misses does 1970 not check if the address from which it fetched lies within the cache 1971 before blindly writing to it. As such it is possible for the guest 1972 to overwrite hypervisor memory.</p> 1973 <p>It is currently believed that the only way to trigger this bug is 1974 to use the way that Xen currently incorrectly wraps CS:IP in 16 bit 1975 modes. 
The included patch prevents such wrapping.</p> 1976 <p>A malicious HVM guest administrator can escalate their privilege to 1977 that of the host.</p> 1978 </blockquote> 1979 </body> 1980 </description> 1981 <references> 1982 <cvename>CVE-2016-7093</cvename> 1983 <freebsdpr>ports/214936</freebsdpr> 1984 <url>https://xenbits.xen.org/xsa/advisory-186.html</url> 1985 </references> 1986 <dates> 1987 <discovery>2016-09-08</discovery> 1988 <entry>2016-12-04</entry> 1989 </dates> 1990 </vuln> 1991 1992 <vuln vid="45ca25b5-ba4d-11e6-ae1b-002590263bf5"> 1993 <topic>xen-kernel -- x86: Disallow L3 recursive pagetable for 32-bit PV guests</topic> 1994 <affects> 1995 <package> 1996 <name>xen-kernel</name> 1997 <range><lt>4.7.1</lt></range> 1998 </package> 1999 </affects> 2000 <description> 2001 <body xmlns="http://www.w3.org/1999/xhtml"> 2002 <p>The Xen Project reports:</p> 2003 <blockquote cite="https://xenbits.xen.org/xsa/advisory-185.html"> 2004 <p>On real hardware, a 32-bit PAE guest must leave the USER and RW bit 2005 clear in L3 pagetable entries, but the pagetable walk behaves as if 2006 they were set. (The L3 entries are cached in processor registers, 2007 and don't actually form part of the pagewalk.)</p> 2008 <p>When running a 32-bit PV guest on a 64-bit Xen, Xen must always OR 2009 in the USER and RW bits for L3 updates for the guest to observe 2010 architectural behaviour. 
This is unsafe in combination with recursive pagetables.</p>
          <p>As there is no way to construct an L3 recursive pagetable in native 32-bit PAE mode, disallow this option in 32-bit PV guests.</p>
          <p>A malicious 32-bit PV guest administrator can escalate their privilege to that of the host.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-7092</cvename>
      <freebsdpr>ports/214936</freebsdpr>
      <url>https://xenbits.xen.org/xsa/advisory-185.html</url>
    </references>
    <dates>
      <discovery>2016-09-08</discovery>
      <entry>2016-12-04</entry>
    </dates>
  </vuln>

  <vuln vid="7fff2b16-b0ee-11e6-86b8-589cfc054129">
    <topic>wireshark -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>tshark</name>
        <range><lt>2.2.2</lt></range>
      </package>
      <package>
        <name>tshark-lite</name>
        <range><lt>2.2.2</lt></range>
      </package>
      <package>
        <name>wireshark</name>
        <range><lt>2.2.2</lt></range>
      </package>
      <package>
        <name>wireshark-lite</name>
        <range><lt>2.2.2</lt></range>
      </package>
      <package>
        <name>wireshark-qt5</name>
        <range><lt>2.2.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The Wireshark project reports:</p>
        <blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.2.2.html">
          <p>Wireshark project is releasing Wireshark 2.2.2, which addresses:</p>
          <ul>
            <li>wnpa-sec-2016-58: Profinet I/O long loop - CVE-2016-9372</li>
            <li>wnpa-sec-2016-59: AllJoyn crash - CVE-2016-9374</li>
            <li>wnpa-sec-2016-60: OpenFlow crash - CVE-2016-9376</li>
            <li>wnpa-sec-2016-61: DCERPC crash - CVE-2016-9373</li>
            <li>wnpa-sec-2016-62: DTN infinite loop - CVE-2016-9375</li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
<url>https://www.wireshark.org/docs/relnotes/wireshark-2.2.2.html</url> 2071 <cvename>CVE-2016-9372</cvename> 2072 <cvename>CVE-2016-9373</cvename> 2073 <cvename>CVE-2016-9374</cvename> 2074 <cvename>CVE-2016-9375</cvename> 2075 <cvename>CVE-2016-9376</cvename> 2076 </references> 2077 <dates> 2078 <discovery>2016-11-16</discovery> 2079 <entry>2016-12-01</entry> 2080 </dates> 2081 </vuln> 2082 2083 <vuln vid="18f39fb6-7400-4063-acaf-0806e92c094f"> 2084 <topic>Mozilla -- SVG Animation Remote Code Execution</topic> 2085 <affects> 2086 <package> 2087 <name>firefox</name> 2088 <range><lt>50.0.2,1</lt></range> 2089 </package> 2090 <package> 2091 <name>firefox-esr</name> 2092 <range><lt>45.5.1,1</lt></range> 2093 </package> 2094 <package> 2095 <name>linux-firefox</name> 2096 <range><lt>45.5.1,2</lt></range> 2097 </package> 2098 <package> 2099 <name>seamonkey</name> 2100 <range><lt>2.46</lt></range> 2101 </package> 2102 <package> 2103 <name>linux-seamonkey</name> 2104 <range><lt>2.46</lt></range> 2105 </package> 2106 <package> 2107 <name>libxul</name> 2108 <range><lt>45.5.1</lt></range> 2109 </package> 2110 <package> 2111 <name>thunderbird</name> 2112 <range><lt>45.5.1</lt></range> 2113 </package> 2114 <package> 2115 <name>linux-thunderbird</name> 2116 <range><lt>45.5.1</lt></range> 2117 </package> 2118 </affects> 2119 <description> 2120 <body xmlns="http://www.w3.org/1999/xhtml"> 2121 <p>The Mozilla Foundation reports:</p> 2122 <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/"> 2123 <p>A use-after-free vulnerability in SVG Animation has been 2124 discovered. 
An exploit built on this vulnerability has been 2125 discovered in the wild targeting Firefox and Tor Browser 2126 users on Windows.</p> 2127 </blockquote> 2128 </body> 2129 </description> 2130 <references> 2131 <cvename>CVE-2016-9079</cvename> 2132 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/</url> 2133 </references> 2134 <dates> 2135 <discovery>2016-11-30</discovery> 2136 <entry>2016-12-01</entry> 2137 <modified>2016-12-16</modified> 2138 </dates> 2139 </vuln> 2140 2141 <vuln vid="479c5b91-b6cc-11e6-a04e-3417eb99b9a0"> 2142 <topic>wget -- Access List Bypass / Race Condition</topic> 2143 <affects> 2144 <package> 2145 <name>wget</name> 2146 <range><le>1.17</le></range> 2147 </package> 2148 </affects> 2149 <description> 2150 <body xmlns="http://www.w3.org/1999/xhtml"> 2151 <p>Dawid Golunski reports:</p> 2152 <blockquote cite="https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html"> 2153 <p>GNU wget in version 1.17 and earlier, when used in 2154 mirroring/recursive mode, is affected by a Race Condition 2155 vulnerability that might allow remote attackers to bypass intended 2156 wget access list restrictions specified with -A parameter. 
</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098</url>
      <cvename>CVE-2016-7098</cvename>
    </references>
    <dates>
      <discovery>2016-11-24</discovery>
      <entry>2016-11-30</entry>
    </dates>
  </vuln>

  <vuln vid="48e83187-b6e9-11e6-b6cf-5453ed2e2b49">
    <topic>p7zip -- Null pointer dereference</topic>
    <affects>
      <package>
        <name>p7zip</name>
        <range><lt>15.14_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>MITRE reports:</p>
        <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9296">
          <p>A null pointer dereference bug affects the 16.02 and many old versions of p7zip. A lack of null pointer check for the variable <code>folders.PackPositions</code> in function <code>CInArchive::ReadAndDecodePackedStreams</code>, as used in the 7z.so library and in 7z applications, will cause a crash and a denial of service when decoding malformed 7z files.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-9296</cvename>
      <url>https://sourceforge.net/p/p7zip/discussion/383043/thread/648d34db/</url>
      <url>https://sourceforge.net/p/p7zip/bugs/185/</url>
      <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9296</url>
    </references>
    <dates>
      <discovery>2016-07-17</discovery>
      <entry>2016-11-30</entry>
    </dates>
  </vuln>

  <vuln vid="ac256985-b6a9-11e6-a3bf-206a8a720317">
    <topic>subversion -- Unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s)</topic>
    <affects>
      <package>
        <name>subversion18</name>
        <range><lt>1.8.17</lt></range>
      </package>
      <package>
        <name>subversion</name>
        <range><lt>1.9.5</lt></range>
      </package>
    </affects>
2216 <description> 2217 <body xmlns="http://www.w3.org/1999/xhtml"> 2218 <p>The Apache Software Foundation reports:</p> 2219 <blockquote cite="http://subversion.apache.org/security/CVE-2016-8734-advisory.txt"> 2220 <p>The mod_dontdothat module of subversion and subversion clients using 2221 http(s):// are vulnerable to a denial-of-service attack, caused by 2222 exponential XML entity expansion. The attack targets XML parsers 2223 causing targeted process to consume excessive amounts of resources. 2224 The attack is also known as the "billions of laughs attack."</p> 2225 </blockquote> 2226 </body> 2227 </description> 2228 <references> 2229 <url>http://subversion.apache.org/security/CVE-2016-8734-advisory.txt</url> 2230 <cvename>CVE-2016-8734</cvename> 2231 </references> 2232 <dates> 2233 <discovery>2016-11-29</discovery> 2234 <entry>2016-11-29</entry> 2235 </dates> 2236 </vuln> 2237 2238 <vuln vid="18449f92-ab39-11e6-8011-005056925db4"> 2239 <topic>libwww -- multiple vulnerabilities</topic> 2240 <affects> 2241 <package> 2242 <name>libwww</name> 2243 <range><lt>5.4.0_6</lt></range> 2244 </package> 2245 </affects> 2246 <description> 2247 <body xmlns="http://www.w3.org/1999/xhtml"> 2248 <p>Mitre reports:</p> 2249 <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3183"> 2250 <p>The HTBoundary_put_block function in HTBound.c for W3C libwww 2251 (w3c-libwww) allows remote servers to cause a denial of service 2252 (segmentation fault) via a crafted multipart/byteranges MIME message 2253 that triggers an out-of-bounds read.</p> 2254 </blockquote> 2255 <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560"> 2256 <p>The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, 2257 as used in the XML-Twig module for Perl, allows context-dependent 2258 attackers to cause a denial of service (application crash) via an XML 2259 document with malformed UTF-8 sequences that trigger a buffer 2260 over-read, related to the 
doProlog function in lib/xmlparse.c, a 2261 different vulnerability than CVE-2009-2625 and CVE-2009-3720.</p> 2262 </blockquote> 2263 <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720"> 2264 <p>The updatePosition function in lib/xmltok_impl.c in libexpat in 2265 Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other 2266 software, allows context-dependent attackers to cause a denial of 2267 service (application crash) via an XML document with crafted UTF-8 2268 sequences that trigger a buffer over-read, a different vulnerability 2269 than CVE-2009-2625.</p> 2270 </blockquote> 2271 </body> 2272 </description> 2273 <references> 2274 <bid>15035</bid> 2275 <cvename>CVE-2005-3183</cvename> 2276 <cvename>CVE-2009-3560</cvename> 2277 <cvename>CVE-2009-3720</cvename> 2278 <freebsdpr>ports/214546</freebsdpr> 2279 <url>https://bugzilla.redhat.com/show_bug.cgi?id=170518</url> 2280 </references> 2281 <dates> 2282 <discovery>2005-10-12</discovery> 2283 <entry>2016-11-29</entry> 2284 </dates> 2285 </vuln> 2286 2287 <vuln vid="f90fce70-ecfa-4f4d-9ee8-c476dbf4bf0e"> 2288 <topic>mozilla -- data: URL can inherit wrong origin after an HTTP redirect</topic> 2289 <affects> 2290 <package> 2291 <name>firefox</name> 2292 <range><lt>50.0.1,1</lt></range> 2293 </package> 2294 </affects> 2295 <description> 2296 <body xmlns="http://www.w3.org/1999/xhtml"> 2297 <p>The Mozilla Foundation reports:</p> 2298 <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-91/"> 2299 <p>Redirection from an HTTP connection to a data: URL 2300 assigns the referring site's origin to the data: URL in some 2301 circumstances. This can result in same-origin violations 2302 against a domain if it loads resources from malicious 2303 sites. 
Cross-origin setting of cookies has been demonstrated without the ability to read them.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-9078</cvename>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-91/</url>
    </references>
    <dates>
      <discovery>2016-11-28</discovery>
      <entry>2016-11-29</entry>
    </dates>
  </vuln>

  <vuln vid="125f5958-b611-11e6-a9a5-b499baebfeaf">
    <topic>Roundcube -- arbitrary command execution</topic>
    <affects>
      <package>
        <name>roundcube</name>
        <range><lt>1.2.3,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>MITRE reports:</p>
        <blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9920">
          <p>steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-9920</cvename>
      <bid>94858</bid>
      <url>http://www.openwall.com/lists/oss-security/2016/12/08/17</url>
      <url>https://github.com/roundcube/roundcubemail/wiki/Changelog#release-123</url>
    </references>
    <dates>
      <discovery>2016-11-29</discovery>
      <entry>2016-11-29</entry>
      <modified>2016-12-14</modified>
    </dates>
  </vuln>

  <vuln vid="8db24888-b2f5-11e6-8153-00248c0c745d">
    <topic>Drupal Core -- Multiple Vulnerabilities</topic>
    <affects>
      <package>
        <name>drupal7</name>
        <range><ge>7.0</ge><lt>7.52</lt></range>
      </package>
      <package>
        <name>drupal8</name>
2361 <range><ge>8.0.0</ge><lt>8.2.3</lt></range> 2362 </package> 2363 </affects> 2364 <description> 2365 <body xmlns="http://www.w3.org/1999/xhtml"> 2366 <p>The Drupal development team reports:</p> 2367 <blockquote cite="https://www.drupal.org/SA-CORE-2016-005"> 2368 <h3>Inconsistent name for term access query (Less critical - Drupal 2369 7 and Drupal 8)</h3> 2370 <p>Drupal provides a mechanism to alter database SELECT queries before 2371 they are executed. Contributed and custom modules may use this 2372 mechanism to restrict access to certain entities by implementing 2373 hook_query_alter() or hook_query_TAG_alter() in order to add 2374 additional conditions. Queries can be distinguished by means of 2375 query tags. As the documentation on EntityFieldQuery::addTag() 2376 suggests, access-tags on entity queries normally follow the form 2377 ENTITY_TYPE_access (e.g. node_access). However, the taxonomy 2378 module's access query tag predated this system and used term_access 2379 as the query tag instead of taxonomy_term_access.</p> 2380 <p>As a result, before this security release modules wishing to 2381 restrict access to taxonomy terms may have implemented an 2382 unsupported tag, or needed to look for both tags (term_access and 2383 taxonomy_term_access) in order to be compatible with queries 2384 generated both by Drupal core as well as those generated by 2385 contributed modules like Entity Reference. Otherwise information 2386 on taxonomy terms might have been disclosed to unprivileged users. 
2387 </p> 2388 <h3>Incorrect cache context on password reset page (Less critical - 2389 Drupal 8)</h3> 2390 <p>The user password reset form does not specify a proper cache 2391 context, which can lead to cache poisoning and unwanted content on 2392 the page.</p> 2393 <h3>Confirmation forms allow external URLs to be injected (Moderately 2394 critical - Drupal 7)</h3> 2395 <p>Under certain circumstances, malicious users could construct a URL 2396 to a confirmation form that would trick users into being redirected 2397 to a 3rd party website after interacting with the form, thereby 2398 exposing the users to potential social engineering attacks.</p> 2399 <h3>Denial of service via transliterate mechanism (Moderately critical 2400 - Drupal 8)</h3> 2401 <p>A specially crafted URL can cause a denial of service via the 2402 transliterate mechanism.</p> 2403 </blockquote> 2404 </body> 2405 </description> 2406 <references> 2407 <cvename>CVE-2016-9449</cvename> 2408 <cvename>CVE-2016-9450</cvename> 2409 <cvename>CVE-2016-9451</cvename> 2410 <cvename>CVE-2016-9452</cvename> 2411 </references> 2412 <dates> 2413 <discovery>2016-11-16</discovery> 2414 <entry>2016-11-25</entry> 2415 <modified>2016-11-27</modified> 2416 </dates> 2417 </vuln> 2418 2419 <vuln vid="6fe72178-b2e3-11e6-8b2a-6805ca0b3d42"> 2420 <topic>phpMyAdmin -- multiple vulnerabilities</topic> 2421 <affects> 2422 <package> 2423 <name>phpMyAdmin</name> 2424 <range><ge>4.6.0</ge><lt>4.6.5</lt></range> 2425 </package> 2426 </affects> 2427 <description> 2428 <body xmlns="http://www.w3.org/1999/xhtml"> 2429 <p>Please reference CVE/URL list for details</p> 2430 </body> 2431 </description> 2432 <references> 2433 <url>https://www.phpmyadmin.net/security/PMASA-2016-57/</url> 2434 <url>https://www.phpmyadmin.net/security/PMASA-2016-58/</url> 2435 <url>https://www.phpmyadmin.net/security/PMASA-2016-59/</url> 2436 <url>https://www.phpmyadmin.net/security/PMASA-2016-60/</url> 2437 
<url>https://www.phpmyadmin.net/security/PMASA-2016-61/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-62/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-63/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-64/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-65/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-66/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-67/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-68/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-69/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-70/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-71/</url>
      <cvename>CVE-2016-6632</cvename>
      <cvename>CVE-2016-6633</cvename>
      <cvename>CVE-2016-4412</cvename>
    </references>
    <dates>
      <discovery>2016-11-25</discovery>
      <entry>2016-11-25</entry>
    </dates>
  </vuln>

  <vuln vid="dc596a17-7a9e-11e6-b034-f0def167eeea">
    <topic>mysql -- remote code execution vulnerability in MySQL and its variants (CVE-2016-6662)</topic>
    <affects>
      <package>
        <name>mysql57-client</name>
        <name>mysql57-server</name>
        <range><lt>5.7.15</lt></range>
      </package>
      <package>
        <name>mysql56-client</name>
        <name>mysql56-server</name>
        <range><lt>5.6.33</lt></range>
      </package>
      <package>
        <name>mysql55-client</name>
        <name>mysql55-server</name>
        <range><lt>5.5.52</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>LegalHackers reports:</p>
        <blockquote cite="http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html">
          <p>RCE bugs were discovered in MySQL and its variants such as MariaDB. They work by manipulating my.cnf files and using --malloc-lib.
The bug seems fixed in MySQL 5.7.15 by Oracle.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-6662</cvename>
      <url>http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html</url>
      <url>https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html</url>
    </references>
    <dates>
      <discovery>2016-09-12</discovery>
      <entry>2016-11-24</entry>
      <modified>2016-11-24</modified>
    </dates>
  </vuln>

  <vuln vid="8db8d62a-b08b-11e6-8eba-d050996490d0">
    <topic>ntp -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>ntp</name>
        <range><lt>4.2.8p9</lt></range>
      </package>
      <package>
        <name>ntp-devel</name>
        <range><gt>0</gt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Network Time Foundation reports:</p>
        <blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se">
          <p>NTF's NTP Project is releasing ntp-4.2.8p9, which addresses:</p>
          <ul>
            <li>1 HIGH severity vulnerability that only affects Windows</li>
            <li>2 MEDIUM severity vulnerabilities</li>
            <li>2 MEDIUM/LOW severity vulnerabilities</li>
            <li>5 LOW severity vulnerabilities</li>
            <li>28 other non-security fixes and improvements</li>
          </ul>
          <p>All of the security issues in this release are listed in <a href="http://www.kb.cert.org/vuls/id/633847">VU#633847</a>.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-7426</cvename>
      <cvename>CVE-2016-7427</cvename>
      <cvename>CVE-2016-7428</cvename>
      <cvename>CVE-2016-7429</cvename>
      <cvename>CVE-2016-7431</cvename>
      <cvename>CVE-2016-7433</cvename>
      <cvename>CVE-2016-7434</cvename>
      <cvename>CVE-2016-9310</cvename>
      <cvename>CVE-2016-9311</cvename>
      <cvename>CVE-2016-9312</cvename>
      <url>http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se</url>
      <url>http://www.kb.cert.org/vuls/id/633847</url>
    </references>
    <dates>
      <discovery>2016-11-21</discovery>
      <entry>2016-11-22</entry>
    </dates>
  </vuln>

  <vuln vid="81fc7705-b002-11e6-b20a-14dae9d5a9d2">
    <topic>teeworlds -- Remote code execution</topic>
    <affects>
      <package>
        <name>teeworlds</name>
        <range><lt>0.6.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Teeworlds project reports:</p>
        <blockquote cite="https://www.teeworlds.com/?page=news&amp;id=12086">
          <p>Attacker controlled memory-writes and possibly arbitrary code
          execution on the client, abusable by any server the client joins</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://www.teeworlds.com/?page=news&amp;id=12086</url>
    </references>
    <dates>
      <discovery>2016-11-13</discovery>
      <entry>2016-11-21</entry>
    </dates>
  </vuln>

  <vuln vid="27eee66d-9474-44a5-b830-21ec12a1c307">
    <topic>jenkins -- Remote code execution vulnerability in remoting module</topic>
    <affects>
      <package>
        <name>jenkins</name>
        <range><le>2.31</le></range>
      </package>
      <package>
        <name>jenkins-lts</name>
        <range><le>2.19.2</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Jenkins Security Advisory:</p>
        <blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16">
          <p>An unauthenticated remote code execution vulnerability allowed
          attackers to transfer a serialized Java object to the Jenkins CLI,
          making Jenkins connect to an attacker-controlled LDAP server, which
          in turn can send a serialized payload leading to code execution,
          bypassing existing
          protection mechanisms.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-9299</cvename>
      <url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16</url>
    </references>
    <dates>
      <discovery>2016-11-11</discovery>
      <entry>2016-11-16</entry>
    </dates>
  </vuln>

  <vuln vid="f6565fbf-ab9e-11e6-ae1b-002590263bf5">
    <topic>moodle -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>moodle29</name>
        <range><lt>2.9.9</lt></range>
      </package>
      <package>
        <name>moodle30</name>
        <range><lt>3.0.7</lt></range>
      </package>
      <package>
        <name>moodle31</name>
        <range><lt>3.1.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Marina Glancy reports:</p>
        <blockquote cite="https://moodle.org/security/">
          <ul>
            <li><p>MSA-16-0023: Question engine allows access to files that
            should not be available</p></li>
            <li><p>MSA-16-0024: Non-admin site managers may accidentally edit
            admins via web services</p></li>
            <li><p>MSA-16-0025: Capability to view course notes is checked in
            the wrong context</p></li>
            <li><p>MSA-16-0026: When debugging is enabled, error exceptions
            returned from webservices could contain private data</p></li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-8642</cvename>
      <cvename>CVE-2016-8643</cvename>
      <cvename>CVE-2016-8644</cvename>
      <url>https://moodle.org/security/</url>
    </references>
    <dates>
      <discovery>2016-11-14</discovery>
      <entry>2016-11-16</entry>
      <modified>2016-11-27</modified>
    </dates>
  </vuln>

  <vuln vid="ab02f981-ab9e-11e6-ae1b-002590263bf5">
    <topic>moodle -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>moodle29</name>
        <range><lt>2.9.8</lt></range>
      </package>
      <package>
        <name>moodle30</name>
        <range><lt>3.0.6</lt></range>
      </package>
      <package>
        <name>moodle31</name>
        <range><lt>3.1.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Marina Glancy reports:</p>
        <blockquote cite="https://moodle.org/security/">
          <ul>
            <li><p>MSA-16-0022: Web service tokens should be invalidated when
            the user password is changed or forced to be changed.</p></li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-7038</cvename>
      <url>https://moodle.org/security/</url>
    </references>
    <dates>
      <discovery>2016-09-12</discovery>
      <entry>2016-11-16</entry>
    </dates>
  </vuln>

  <vuln vid="d1853110-07f4-4645-895b-6fd462ad0589">
    <topic>mozilla -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>firefox</name>
        <range><lt>50.0_1,1</lt></range>
      </package>
      <package>
        <name>seamonkey</name>
        <name>linux-seamonkey</name>
        <range><lt>2.47</lt></range>
      </package>
      <package>
        <name>firefox-esr</name>
        <range><lt>45.5.0,1</lt></range>
      </package>
      <package>
        <name>linux-firefox</name>
        <range><lt>45.5.0,2</lt></range>
      </package>
      <package>
        <name>libxul</name>
        <name>thunderbird</name>
        <name>linux-thunderbird</name>
        <range><lt>45.5.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Mozilla Foundation reports:</p>
        <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/">
          <p>Please reference CVE/URL list for details</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-5289</cvename>
      <cvename>CVE-2016-5290</cvename>
      <cvename>CVE-2016-5291</cvename>
      <cvename>CVE-2016-5292</cvename>
      <cvename>CVE-2016-5293</cvename>
      <cvename>CVE-2016-5294</cvename>
      <cvename>CVE-2016-5295</cvename>
      <cvename>CVE-2016-5296</cvename>
      <cvename>CVE-2016-5297</cvename>
      <cvename>CVE-2016-5298</cvename>
      <cvename>CVE-2016-5299</cvename>
      <cvename>CVE-2016-9061</cvename>
      <cvename>CVE-2016-9062</cvename>
      <cvename>CVE-2016-9063</cvename>
      <cvename>CVE-2016-9064</cvename>
      <cvename>CVE-2016-9065</cvename>
      <cvename>CVE-2016-9066</cvename>
      <cvename>CVE-2016-9067</cvename>
      <cvename>CVE-2016-9068</cvename>
      <cvename>CVE-2016-9070</cvename>
      <cvename>CVE-2016-9071</cvename>
      <cvename>CVE-2016-9072</cvename>
      <cvename>CVE-2016-9073</cvename>
      <cvename>CVE-2016-9074</cvename>
      <cvename>CVE-2016-9075</cvename>
      <cvename>CVE-2016-9076</cvename>
      <cvename>CVE-2016-9077</cvename>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-89/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-90/</url>
    </references>
    <dates>
      <discovery>2016-11-15</discovery>
      <entry>2016-11-16</entry>
    </dates>
  </vuln>

  <vuln vid="a8e9d834-a916-11e6-b9b4-bcaec524bf84">
    <topic>lives -- insecure file permissions</topic>
    <affects>
      <package>
        <name>lives</name>
        <range><lt>2.8.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Debian reports:</p>
        <blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756565">
          <p>smogrify script creates insecure temporary files.</p>
        </blockquote>
        <blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798043">
          <p>lives creates and uses world-writable directory.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756565</url>
      <url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798043</url>
    </references>
    <dates>
      <discovery>2016-07-30</discovery>
      <entry>2016-11-12</entry>
    </dates>
  </vuln>

  <vuln vid="50751310-a763-11e6-a881-b499baebfeaf">
    <topic>openssl -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>openssl-devel</name>
        <range><lt>1.1.0c</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>OpenSSL reports:</p>
        <blockquote cite="https://www.openssl.org/news/secadv/20161110.txt">
          <ul>
            <li>ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)<br/>
            Severity: High<br/>
            TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS
            attack by corrupting larger payloads. This can result in an OpenSSL crash. This
            issue is not considered to be exploitable beyond a DoS.</li>
            <li>CMS Null dereference (CVE-2016-7053)<br/>
            Severity: Medium<br/>
            Applications parsing invalid CMS structures can crash with a NULL pointer
            dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type
            in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure
            callback if an attempt is made to free certain invalid encodings.
            Only CHOICE
            structures using a callback which do not handle NULL value are affected.</li>
            <li>Montgomery multiplication may produce incorrect results (CVE-2016-7055)<br/>
            Severity: Low<br/>
            There is a carry propagating bug in the Broadwell-specific Montgomery
            multiplication procedure that handles input lengths divisible by, but
            longer than 256 bits.</li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://www.openssl.org/news/secadv/20161110.txt</url>
      <cvename>CVE-2016-7054</cvename>
      <cvename>CVE-2016-7053</cvename>
      <cvename>CVE-2016-7055</cvename>
    </references>
    <dates>
      <discovery>2016-11-10</discovery>
      <entry>2016-11-10</entry>
      <modified>2016-11-11</modified>
    </dates>
  </vuln>

  <vuln vid="a3473f5a-a739-11e6-afaa-e8e0b747a45a">
    <topic>chromium -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>chromium</name>
        <name>chromium-npapi</name>
        <name>chromium-pulse</name>
        <range><lt>54.0.2840.100</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Google Chrome Releases reports:</p>
        <blockquote cite="https://googlechromereleases.blogspot.nl/2016/11/stable-channel-update-for-desktop_9.html">
          <p>4 security fixes in this release, including:</p>
          <ul>
            <li>[643948] High CVE-2016-5199: Heap corruption in FFmpeg. Credit to
            Paul Mehta</li>
            <li>[658114] High CVE-2016-5200: Out of bounds memory access in V8. Credit to
            Choongwoo Han</li>
            <li>[660678] Medium CVE-2016-5201: Info leak in extensions.
            Credit to
            Rob Wu</li>
            <li>[662843] CVE-2016-5202: Various fixes from internal audits,
            fuzzing and other initiatives</li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-5199</cvename>
      <cvename>CVE-2016-5200</cvename>
      <cvename>CVE-2016-5201</cvename>
      <cvename>CVE-2016-5202</cvename>
      <url>https://googlechromereleases.blogspot.nl/2016/11/stable-channel-update-for-desktop_9.html</url>
    </references>
    <dates>
      <discovery>2016-11-09</discovery>
      <entry>2016-11-10</entry>
    </dates>
  </vuln>

  <vuln vid="96f6bf10-a731-11e6-95ca-0011d823eebd">
    <topic>flash -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>linux-c6-flashplugin</name>
        <name>linux-c7-flashplugin</name>
        <name>linux-f10-flashplugin</name>
        <range><lt>11.2r202.644</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Adobe reports:</p>
        <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-37.html">
          <ul>
            <li>These updates resolve type confusion vulnerabilities that
            could lead to code execution (CVE-2016-7860, CVE-2016-7861,
            CVE-2016-7865).</li>
            <li>These updates resolve use-after-free vulnerabilities that
            could lead to code execution (CVE-2016-7857, CVE-2016-7858,
            CVE-2016-7859, CVE-2016-7862, CVE-2016-7863, CVE-2016-7864).</li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://helpx.adobe.com/security/products/flash-player/apsb16-37.html</url>
      <cvename>CVE-2016-7857</cvename>
      <cvename>CVE-2016-7858</cvename>
      <cvename>CVE-2016-7859</cvename>
      <cvename>CVE-2016-7860</cvename>
      <cvename>CVE-2016-7861</cvename>
      <cvename>CVE-2016-7862</cvename>
      <cvename>CVE-2016-7863</cvename>
      <cvename>CVE-2016-7864</cvename>
      <cvename>CVE-2016-7865</cvename>
    </references>
    <dates>
      <discovery>2016-11-08</discovery>
      <entry>2016-11-10</entry>
    </dates>
  </vuln>

  <vuln vid="10968dfd-a687-11e6-b2d3-60a44ce6887b">
    <topic>gitlab -- Directory traversal via "import/export" feature</topic>
    <affects>
      <package>
        <name>gitlab</name>
        <range><ge>8.10.0</ge><le>8.10.12</le></range>
        <range><ge>8.11.0</ge><le>8.11.9</le></range>
        <range><ge>8.12.0</ge><le>8.12.7</le></range>
        <range><ge>8.13.0</ge><le>8.13.2</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>GitLab reports:</p>
        <blockquote cite="https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/">
          <p>The import/export feature did not properly check for symbolic links
          in user-provided archives and therefore it was possible for an
          authenticated user to retrieve the contents of any file
          accessible to the GitLab service account.
          This included
          sensitive files such as those that contain secret tokens used
          by the GitLab service to authenticate users.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/</url>
      <cvename>CVE-2016-9086</cvename>
      <freebsdpr>ports/214360</freebsdpr>
    </references>
    <dates>
      <discovery>2016-11-02</discovery>
      <entry>2016-11-09</entry>
      <modified>2017-05-18</modified>
    </dates>
  </vuln>

  <vuln vid="ae9cb9b8-a203-11e6-a265-3065ec8fd3ec">
    <topic>chromium -- out-of-bounds memory access</topic>
    <affects>
      <package>
        <name>chromium</name>
        <name>chromium-npapi</name>
        <name>chromium-pulse</name>
        <range><lt>54.0.2840.90</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Google Chrome Releases reports:</p>
        <blockquote cite="https://googlechromereleases.blogspot.nl/2016/11/stable-channel-update-for-desktop.html">
          <p>[659475] High CVE-2016-5198: Out of bounds memory access in V8.
          Credit to Tencent Keen Security Lab, working with Trend Micro's
          Zero Day Initiative.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-5198</cvename>
      <url>https://googlechromereleases.blogspot.nl/2016/11/stable-channel-update-for-desktop.html</url>
    </references>
    <dates>
      <discovery>2016-11-01</discovery>
      <entry>2016-11-03</entry>
    </dates>
  </vuln>

  <vuln vid="0fcd3af0-a0fe-11e6-b1cf-14dae9d210b8">
    <topic>FreeBSD -- OpenSSL Remote DoS vulnerability</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.3</ge><lt>10.3_12</lt></range>
        <range><ge>10.2</ge><lt>10.2_25</lt></range>
        <range><ge>10.1</ge><lt>10.1_42</lt></range>
        <range><ge>9.3</ge><lt>9.3_50</lt></range>
      </package>
      <package>
        <name>openssl</name>
        <range><lt>1.0.2i,1</lt></range>
      </package>
      <package>
        <name>openssl-devel</name>
        <range><lt>1.1.0a</lt></range>
      </package>
      <package>
        <name>linux-c6-openssl</name>
        <range><lt>1.0.1e_13</lt></range>
      </package>
      <package>
        <name>linux-c7-openssl-libs</name>
        <range><lt>1.0.1e_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>Due to improper handling of alert packets, OpenSSL would
        consume an excessive amount of CPU time processing undefined
        alert messages.</p>
        <h1>Impact:</h1>
        <p>A remote attacker who can initiate handshakes with an
        OpenSSL-based server can cause the server to consume a lot
        of computation power with very little bandwidth usage, and
        may be able to use this technique in a leveraged Denial of
        Service attack.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-8610</cvename>
      <freebsdsa>SA-16:35.openssl</freebsdsa>
      <url>http://seclists.org/oss-sec/2016/q4/224</url>
    </references>
    <dates>
      <discovery>2016-11-02</discovery>
      <entry>2016-11-02</entry>
      <modified>2017-02-22</modified>
    </dates>
  </vuln>

  <vuln vid="cb116651-79db-4c09-93a2-c38f9df46724">
    <topic>django -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>py27-django</name>
        <name>py33-django</name>
        <name>py34-django</name>
        <name>py35-django</name>
        <range><lt>1.8.16</lt></range>
      </package>
      <package>
        <name>py27-django18</name>
        <name>py33-django18</name>
        <name>py34-django18</name>
        <name>py35-django18</name>
        <range><lt>1.8.16</lt></range>
      </package>
      <package>
        <name>py27-django19</name>
        <name>py33-django19</name>
        <name>py34-django19</name>
        <name>py35-django19</name>
        <range><lt>1.9.11</lt></range>
      </package>
      <package>
        <name>py27-django110</name>
        <name>py33-django110</name>
        <name>py34-django110</name>
        <name>py35-django110</name>
        <range><lt>1.10.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The Django project reports:</p>
        <blockquote cite="https://www.djangoproject.com/weblog/2016/nov/01/security-releases/">
          <p>Today the Django team released Django 1.10.3, Django 1.9.11,
          and 1.8.16. These releases address two security issues
          detailed below.
          We encourage all users of Django to upgrade
          as soon as possible.</p>
          <ul>
            <li>User with hardcoded password created when running tests on Oracle</li>
            <li>DNS rebinding vulnerability when DEBUG=True</li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://www.djangoproject.com/weblog/2016/nov/01/security-releases/</url>
      <cvename>CVE-2016-9013</cvename>
      <cvename>CVE-2016-9014</cvename>
    </references>
    <dates>
      <discovery>2016-11-01</discovery>
      <entry>2016-11-02</entry>
    </dates>
  </vuln>

  <vuln vid="765feb7d-a0d1-11e6-a881-b499baebfeaf">
    <topic>cURL -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>curl</name>
        <range><ge>7.1</ge><lt>7.51.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The cURL project reports:</p>
        <blockquote cite="https://curl.haxx.se/docs/security.html">
          <ul>
            <li>cookie injection for other servers</li>
            <li>case insensitive password comparison</li>
            <li>OOB write via unchecked multiplication</li>
            <li>double-free in curl_maprintf</li>
            <li>double-free in krb5 code</li>
            <li>glob parser write/read out of bounds</li>
            <li>curl_getdate read out of bounds</li>
            <li>URL unescape heap overflow via integer truncation</li>
            <li>Use-after-free via shared cookies</li>
            <li>invalid URL parsing with '#'</li>
            <li>IDNA 2003 makes curl use wrong host</li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://curl.haxx.se/docs/security.html</url>
      <cvename>CVE-2016-8615</cvename>
      <cvename>CVE-2016-8616</cvename>
      <cvename>CVE-2016-8617</cvename>
      <cvename>CVE-2016-8618</cvename>
      <cvename>CVE-2016-8619</cvename>
      <cvename>CVE-2016-8620</cvename>
      <cvename>CVE-2016-8621</cvename>
      <cvename>CVE-2016-8622</cvename>
      <cvename>CVE-2016-8623</cvename>
      <cvename>CVE-2016-8624</cvename>
      <cvename>CVE-2016-8625</cvename>
    </references>
    <dates>
      <discovery>2016-11-02</discovery>
      <entry>2016-11-02</entry>
    </dates>
  </vuln>

  <vuln vid="0b8d01a4-a0d2-11e6-9ca2-d050996490d0">
    <topic>BIND -- Remote Denial of Service vulnerability</topic>
    <affects>
      <package>
        <name>bind99</name>
        <range><lt>9.9.9P4</lt></range>
      </package>
      <package>
        <name>bind910</name>
        <range><lt>9.10.4P4</lt></range>
      </package>
      <package>
        <name>bind911</name>
        <range><lt>9.11.0P1</lt></range>
      </package>
      <package>
        <name>bind9-devel</name>
        <range><le>9.12.0.a.2016.10.21</le></range>
      </package>
      <package>
        <name>FreeBSD</name>
        <range><ge>9.3</ge><lt>9.3_50</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>ISC reports:</p>
        <blockquote cite="https://kb.isc.org/article/AA-01434/">
          <p>A defect in BIND's handling of responses containing
          a DNAME answer can cause a resolver to exit after
          encountering an assertion failure in db.c or
          resolver.c</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-8864</cvename>
      <freebsdsa>SA-16:34.bind</freebsdsa>
      <url>https://kb.isc.org/article/AA-01434/</url>
    </references>
    <dates>
      <discovery>2016-11-01</discovery>
      <entry>2016-11-02</entry>
    </dates>
  </vuln>

  <vuln vid="f4bf713f-6ac7-4b76-8980-47bf90c5419f">
    <topic>memcached -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>memcached</name>
        <range><lt>1.4.33</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Cisco Talos reports:</p>
        <blockquote
          cite="http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html">
          <p>Multiple integer overflow vulnerabilities exist within Memcached
          that could be exploited to achieve remote code execution on the
          targeted system. These vulnerabilities manifest in various Memcached
          functions that are used in inserting, appending, prepending, or
          modifying key-value data pairs. Systems which also have Memcached
          compiled with support for SASL authentication are also vulnerable to
          a third flaw due to how Memcached handles SASL authentication
          commands.</p>
          <p>An attacker could exploit these vulnerabilities by sending a
          specifically crafted Memcached command to the targeted server.
          Additionally, these vulnerabilities could also be exploited to leak
          sensitive process information which an attacker could use to bypass
          common exploitation mitigations, such as ASLR, and can be triggered
          multiple times. This enables reliable exploitation which makes these
          vulnerabilities severe.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html</url>
      <cvename>CVE-2016-8704</cvename>
      <cvename>CVE-2016-8705</cvename>
      <cvename>CVE-2016-8706</cvename>
    </references>
    <dates>
      <discovery>2016-10-31</discovery>
      <entry>2016-11-02</entry>
    </dates>
  </vuln>

  <vuln vid="9bc14850-a070-11e6-a881-b499baebfeaf">
    <topic>MySQL -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>mariadb55-server</name>
        <name>mysql55-server</name>
        <range><lt>5.5.53</lt></range>
      </package>
      <package>
        <name>mysql56-server</name>
        <range><lt>5.6.34</lt></range>
      </package>
      <package>
        <name>mysql57-server</name>
        <range><lt>5.7.15</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The MariaDB project reports:</p>
        <blockquote cite="https://mariadb.com/kb/en/mariadb/mariadb-5553-release-notes/">
          <p>Fixes for the following security vulnerabilities:</p>
          <ul>
            <li>CVE-2016-7440</li>
            <li>CVE-2016-5584</li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://mariadb.com/kb/en/mariadb/mariadb-5553-release-notes/</url>
      <cvename>CVE-2016-7440</cvename>
      <cvename>CVE-2016-5584</cvename>
    </references>
    <dates>
      <discovery>2016-10-17</discovery>
      <entry>2016-11-01</entry>
    </dates>
  </vuln>

  <vuln vid="9118961b-9fa5-11e6-a265-3065ec8fd3ec">
    <topic>chromium -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>chromium</name>
        <name>chromium-npapi</name>
        <name>chromium-pulse</name>
        <range><lt>54.0.2840.59</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Google Chrome Releases reports:</p>
        <blockquote cite="https://googlechromereleases.blogspot.nl/2016/10/stable-channel-update-for-desktop.html">
          <p>21 security fixes in this release, including:</p>
          <ul>
            <li>[645211] High CVE-2016-5181: Universal XSS in Blink. Credit to
            Anonymous</li>
            <li>[638615] High CVE-2016-5182: Heap overflow in Blink. Credit to
            Giwan Go of STEALIEN</li>
            <li>[645122] High CVE-2016-5183: Use after free in PDFium. Credit
            to Anonymous</li>
            <li>[630654] High CVE-2016-5184: Use after free in PDFium. Credit
            to Anonymous</li>
            <li>[621360] High CVE-2016-5185: Use after free in Blink. Credit to
            cloudfuzzer</li>
            <li>[639702] High CVE-2016-5187: URL spoofing. Credit to Luan
            Herrera</li>
            <li>[565760] Medium CVE-2016-5188: UI spoofing. Credit to Luan
            Herrera</li>
            <li>[633885] Medium CVE-2016-5192: Cross-origin bypass in Blink.
            Credit to haojunhou@gmail.com</li>
            <li>[646278] Medium CVE-2016-5189: URL spoofing. Credit to xisigr
            of Tencent's Xuanwu Lab</li>
            <li>[644963] Medium CVE-2016-5186: Out of bounds read in DevTools.
            Credit to Abdulrahman Alqabandi (@qab)</li>
            <li>[639126] Medium CVE-2016-5191: Universal XSS in Bookmarks.
            Credit to Gareth Hughes</li>
            <li>[642067] Medium CVE-2016-5190: Use after free in Internals.
            Credit to Atte Kettunen of OUSPG</li>
            <li>[639658] Low CVE-2016-5193: Scheme bypass. Credit to Yuyang
            ZHOU (martinzhou96)</li>
            <li>[654782] CVE-2016-5194: Various fixes from internal audits,
            fuzzing and other initiatives</li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-5181</cvename>
      <cvename>CVE-2016-5182</cvename>
      <cvename>CVE-2016-5183</cvename>
      <cvename>CVE-2016-5184</cvename>
      <cvename>CVE-2016-5185</cvename>
      <cvename>CVE-2016-5186</cvename>
      <cvename>CVE-2016-5187</cvename>
      <cvename>CVE-2016-5188</cvename>
      <cvename>CVE-2016-5189</cvename>
      <cvename>CVE-2016-5190</cvename>
      <cvename>CVE-2016-5191</cvename>
      <cvename>CVE-2016-5192</cvename>
      <cvename>CVE-2016-5193</cvename>
      <cvename>CVE-2016-5194</cvename>
      <url>https://googlechromereleases.blogspot.nl/2016/10/stable-channel-update-for-desktop.html</url>
    </references>
    <dates>
      <discovery>2016-10-12</discovery>
      <entry>2016-10-31</entry>
    </dates>
  </vuln>

  <vuln vid="9c135c7e-9fa4-11e6-a265-3065ec8fd3ec">
    <topic>chromium -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>chromium</name>
        <name>chromium-npapi</name>
        <name>chromium-pulse</name>
        <range><lt>53.0.2785.143</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Google Chrome Releases reports:</p>
        <blockquote
          cite="https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_29.html">
          <p>3 security fixes in this release, including:</p>
          <ul>
            <li>[642496] High CVE-2016-5177: Use after free in V8. Credit to
            Anonymous</li>
            <li>[651092] CVE-2016-5178: Various fixes from internal audits,
            fuzzing and other initiatives.</li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-5177</cvename>
      <cvename>CVE-2016-5178</cvename>
      <url>https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_29.html</url>
    </references>
    <dates>
      <discovery>2016-09-29</discovery>
      <entry>2016-10-31</entry>
    </dates>
  </vuln>

  <vuln vid="6a2cfcdc-9dea-11e6-a298-14dae9d210b8">
    <topic>FreeBSD -- OpenSSH Remote Denial of Service vulnerability</topic>
    <affects>
      <package>
        <name>openssh-portable</name>
        <range><lt>7.3p1_1</lt></range>
      </package>
      <package>
        <name>FreeBSD</name>
        <range><ge>11.0</ge><lt>11.0_3</lt></range>
        <range><ge>10.3</ge><lt>10.3_12</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>When processing the SSH_MSG_KEXINIT message, the server
        could allocate up to a few hundred megabytes of memory
        per connection, before any authentication takes place.</p>
        <h1>Impact:</h1>
        <p>A remote attacker may be able to cause an SSH server to
        allocate an excessive amount of memory.
        Note that the default
        MaxStartups setting on FreeBSD will limit the effectiveness
        of this attack.</p>
      </body>
    </description>
    <references>
      <url>http://seclists.org/oss-sec/2016/q4/191</url>
      <cvename>CVE-2016-8858</cvename>
      <freebsdsa>SA-16:33.openssh</freebsdsa>
    </references>
    <dates>
      <discovery>2016-10-19</discovery>
      <entry>2016-10-29</entry>
      <modified>2016-11-02</modified>
    </dates>
  </vuln>

  <vuln vid="2e4fbc9a-9d23-11e6-a298-14dae9d210b8">
    <topic>sudo -- Potential bypass of sudo_noexec.so via wordexp()</topic>
    <affects>
      <package>
        <name>sudo</name>
        <range><ge>1.6.8</ge><lt>1.8.18p1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Todd C. Miller reports:</p>
        <blockquote cite="https://www.sudo.ws/alerts/noexec_wordexp.html">
          <p>A flaw exists in sudo's noexec functionality that may allow
          a user with sudo privileges to run additional commands even when the
          NOEXEC tag has been applied to a command that uses the wordexp()
          function.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://www.sudo.ws/alerts/noexec_wordexp.html</url>
      <cvename>CVE-2016-7076</cvename>
    </references>
    <dates>
      <discovery>2016-10-28</discovery>
      <entry>2016-10-28</entry>
    </dates>
  </vuln>

  <vuln vid="ac18046c-9b08-11e6-8011-005056925db4">
    <topic>Axis2 -- Security vulnerabilities in dependency Apache HttpClient</topic>
    <affects>
      <package>
        <name>axis2</name>
        <range><lt>1.7.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Apache Axis2 reports:</p>
        <blockquote cite="http://axis.apache.org/axis2/java/core/release-notes/1.7.4.html">
          <p>Apache Axis2 1.7.4 is a maintenance release that includes fixes for
          several
issues, including the following security issues: 3462 Session fixation (AXIS2-4739) and XSS (AXIS2-5683) vulnerabilities 3463 affecting the admin console. 3464 A dependency on an Apache HttpClient version affected by known security 3465 vulnerabilities (CVE-2012-6153 and CVE-2014-3577); see AXIS2-5757.</p> 3466 </blockquote> 3467 </body> 3468 </description> 3469 <references> 3470 <url>http://axis.apache.org/axis2/java/core/release-notes/1.7.4.html</url> 3471 <url>https://issues.apache.org/jira/browse/AXIS2-4739</url> 3472 <url>https://issues.apache.org/jira/browse/AXIS2-5683</url> 3473 <url>https://issues.apache.org/jira/browse/AXIS2-5757</url> 3474 <cvename>CVE-2012-6153</cvename> 3475 <cvename>CVE-2014-3577</cvename> 3476 </references> 3477 <dates> 3478 <discovery>2012-12-06</discovery> 3479 <entry>2016-10-28</entry> 3480 </dates> 3481 </vuln> 3482 3483 <vuln vid="28bb6ee5-9b5c-11e6-b799-19bef72f4b7c"> 3484 <topic>node.js -- ares_create_query single byte out of buffer write</topic> 3485 <affects> 3486 <package> 3487 <name>node010</name> 3488 <range><lt>0.10.48</lt></range> 3489 </package> 3490 <package> 3491 <name>node012</name> 3492 <range><lt>0.12.17</lt></range> 3493 </package> 3494 <package> 3495 <name>node4</name> 3496 <range><lt>4.6.1</lt></range> 3497 </package> 3498 </affects> 3499 <description> 3500 <body xmlns="http://www.w3.org/1999/xhtml"> 3501 <p>Node.js has released new versions containing the following security fix:</p> 3502 <blockquote cite="https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/"> 3503 <p>The following releases all contain fixes for CVE-2016-5180 "ares_create_query single 3504 byte out of buffer write": Node.js v0.10.48 (Maintenance), Node.js v0.12.17 (Maintenance), 3505 Node.js v4.6.1 (LTS "Argon") 3506 </p> 3507 <p>While this is not a critical update, all users of these release lines should upgrade at 3508 their earliest convenience. 
3509 </p> 3510 </blockquote> 3511 </body> 3512 </description> 3513 <references> 3514 <url>https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/</url> 3515 <cvename>CVE-2016-5180</cvename> 3516 <freebsdpr>ports/213800</freebsdpr> 3517 </references> 3518 <dates> 3519 <discovery>2016-10-18</discovery> 3520 <entry>2016-10-26</entry> 3521 </dates> 3522 </vuln> 3523 3524 <vuln vid="27180c99-9b5c-11e6-b799-19bef72f4b7c"> 3525 <topic>node.js -- multiple vulnerabilities</topic> 3526 <affects> 3527 <package> 3528 <name>node</name> 3529 <range><ge>6.0.0</ge><lt>6.9.0</lt></range> 3530 </package> 3531 </affects> 3532 <description> 3533 <body xmlns="http://www.w3.org/1999/xhtml"> 3534 <p>Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x:</p> 3535 <blockquote cite="https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/"> 3536 <p>Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL 3537 configuration file, from the OPENSSL_CONF environment variable or from the default 3538 location for the current platform. Always triggering a configuration file load attempt 3539 may allow an attacker to load compromised OpenSSL configuration into a Node.js process 3540 if they are able to place a file in a default location. 3541 </p> 3542 <p>Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser mishandled scopes, 3543 potentially allowing an attacker to obtain sensitive information from arbitrary memory 3544 locations via crafted JavaScript code. This vulnerability would require an attacker to 3545 be able to execute arbitrary JavaScript code in a Node.js process. 3546 </p> 3547 <p>Create a unique v8_inspector WebSocket address: Generate a UUID for each execution of 3548 the inspector. This provides additional security to prevent unauthorized clients from 3549 connecting to the Node.js process via the v8_inspector port when running with --inspect. 
3550 Since the debugging protocol allows extensive access to the internals of a running process, 3551 and the execution of arbitrary code, it is important to limit connections to authorized 3552 tools only. Note that the v8_inspector protocol in Node.js is still considered an 3553 experimental feature. Vulnerability originally reported by Jann Horn. 3554 </p> 3555 <p>All of these vulnerabilities are considered low-severity for Node.js users, however, 3556 users of Node.js v6.x should upgrade at their earliest convenience.</p> 3557 </blockquote> 3558 </body> 3559 </description> 3560 <references> 3561 <url>https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/</url> 3562 <cvename>CVE-2016-5172</cvename> 3563 </references> 3564 <dates> 3565 <discovery>2016-10-18</discovery> 3566 <entry>2016-10-28</entry> 3567 </dates> 3568 </vuln> 3569 3570 <vuln vid="c5c6e293-9cc7-11e6-823f-b8aeed92ecc4"> 3571 <topic>urllib3 -- certificate verification failure</topic> 3572 <affects> 3573 <package> 3574 <name>py-urllib3</name> 3575 <range><lt>1.18</lt></range> 3576 </package> 3577 </affects> 3578 <description> 3579 <body xmlns="http://www.w3.org/1999/xhtml"> 3580 <p>urllib3 reports:</p> 3581 <blockquote cite="https://github.com/shazow/urllib3/blob/1.18.1/CHANGES.rst"> 3582 <p>CVE-2016-9015: Certification verification failure</p> 3583 </blockquote> 3584 </body> 3585 </description> 3586 <references> 3587 <cvename>CVE-2016-9015</cvename> 3588 <url>https://github.com/shazow/urllib3/blob/1.18.1/CHANGES.rst</url> 3589 </references> 3590 <dates> 3591 <discovery>2016-10-27</discovery> 3592 <entry>2016-10-28</entry> 3593 </dates> 3594 </vuln> 3595 3596 <vuln vid="de6d01d5-9c44-11e6-ba67-0011d823eebd"> 3597 <topic>flash -- remote code execution</topic> 3598 <affects> 3599 <package> 3600 <name>linux-f10-flashplugin</name> 3601 <name>linux-c6-flashplugin</name> 3602 <name>linux-c7-flashplugin</name> 3603 <range><lt>11.2r202.643</lt></range> 3604 </package> 3605 </affects> 3606 
<description> 3607 <body xmlns="http://www.w3.org/1999/xhtml"> 3608 <p>Adobe reports:</p> 3609 <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-36.html"> 3610 <p>Adobe has released security updates for Adobe Flash Player for 3611 Windows, Macintosh, Linux and Chrome OS. These updates address a 3612 critical vulnerability that could potentially allow an attacker to 3613 take control of the affected system.</p> 3614 <p>Adobe is aware of a report that an exploit for CVE-2016-7855 3615 exists in the wild, and is being used in limited, targeted attacks 3616 against users running Windows versions 7, 8.1 and 10.</p> 3617 </blockquote> 3618 </body> 3619 </description> 3620 <references> 3621 <cvename>CVE-2016-7855</cvename> 3622 <url>https://helpx.adobe.com/security/products/flash-player/apsb16-36.html</url> 3623 </references> 3624 <dates> 3625 <discovery>2016-10-26</discovery> 3626 <entry>2016-10-27</entry> 3627 </dates> 3628 </vuln> 3629 3630 <vuln vid="a479a725-9adb-11e6-a298-14dae9d210b8"> 3631 <topic>FreeBSD -- bhyve - privilege escalation vulnerability</topic> 3632 <affects> 3633 <package> 3634 <name>FreeBSD-kernel</name> 3635 <range><ge>11.0</ge><lt>11.0_2</lt></range> 3636 </package> 3637 </affects> 3638 <description> 3639 <body xmlns="http://www.w3.org/1999/xhtml"> 3640 <h1>Problem Description:</h1> 3641 <p>An unchecked array reference in the VGA device emulation 3642 code could potentially allow guests access to the heap of 3643 the bhyve process. 
Since the bhyve process is running as 3644 root, this may allow guests to obtain full control of the 3645 hosts they are running on.</p> 3646 <h1>Impact:</h1> 3647 <p>For bhyve virtual machines with the "fbuf" framebuffer 3648 device configured, if exploited, a malicious guest could 3649 obtain full access to not just the host system, but to other 3650 virtual machines running on the system.</p> 3651 </body> 3652 </description> 3653 <references> 3654 <freebsdsa>SA-16:32.bhyve</freebsdsa> 3655 </references> 3656 <dates> 3657 <discovery>2016-10-25</discovery> 3658 <entry>2016-10-25</entry> 3659 <modified>2016-10-25</modified> 3660 </dates> 3661 </vuln> 3662 3663 <vuln vid="2482c798-93c6-11e6-846f-bc5ff4fb5ea1"> 3664 <topic>flash -- multiple vulnerabilities</topic> 3665 <affects> 3666 <package> 3667 <name>linux-c6-flashplugin</name> 3668 <name>linux-c6_64-flashplugin</name> 3669 <name>linux-c7-flashplugin</name> 3670 <name>linux-f10-flashplugin</name> 3671 <range><lt>11.2r202.637</lt></range> 3672 </package> 3673 </affects> 3674 <description> 3675 <body xmlns="http://www.w3.org/1999/xhtml"> 3676 <p>Adobe reports:</p> 3677 <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-32.html"> 3678 <p>Adobe has released security updates for Adobe Flash Player for 3679 Windows, Macintosh, Linux and ChromeOS. 
These updates address 3680 critical vulnerabilities that could potentially allow an attacker 3681 to take control of the affected system.</p> 3682 <p>These updates resolve a type confusion vulnerability that could 3683 lead to code execution (CVE-2016-6992).</p> 3684 <p>These updates resolve use-after-free vulnerabilities that could 3685 lead to code execution (CVE-2016-6981, CVE-2016-6987).</p> 3686 <p>These updates resolve a security bypass vulnerability 3687 (CVE-2016-4286).</p> 3688 <p>These updates resolve memory corruption vulnerabilities that could 3689 lead to code execution (CVE-2016-4273, CVE-2016-6982, 3690 CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, 3691 CVE-2016-6989, CVE-2016-6990).</p> 3692 </blockquote> 3693 </body> 3694 </description> 3695 <references> 3696 <cvename>CVE-2016-4273</cvename> 3697 <cvename>CVE-2016-4286</cvename> 3698 <cvename>CVE-2016-6981</cvename> 3699 <cvename>CVE-2016-6982</cvename> 3700 <cvename>CVE-2016-6983</cvename> 3701 <cvename>CVE-2016-6984</cvename> 3702 <cvename>CVE-2016-6985</cvename> 3703 <cvename>CVE-2016-6986</cvename> 3704 <cvename>CVE-2016-6987</cvename> 3705 <cvename>CVE-2016-6989</cvename> 3706 <cvename>CVE-2016-6990</cvename> 3707 <cvename>CVE-2016-6992</cvename> 3708 <url>https://helpx.adobe.com/security/products/flash-player/apsb16-32.html</url> 3709 </references> 3710 <dates> 3711 <discovery>2016-10-11</discovery> 3712 <entry>2016-10-24</entry> 3713 </dates> 3714 </vuln> 3715 3716 <vuln vid="aaa9f3db-13b5-4a0e-9ed7-e5ab287098fa"> 3717 <topic>mozilla -- multiple vulnerabilities</topic> 3718 <affects> 3719 <package> 3720 <name>firefox</name> 3721 <range><lt>49.0.2,1</lt></range> 3722 </package> 3723 </affects> 3724 <description> 3725 <body xmlns="http://www.w3.org/1999/xhtml"> 3726 <p>Mozilla Foundation reports:</p> 3727 <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/"> 3728 <p>CVE-2016-5287: Crash in nsTArray_base&lt;T&gt;::SwapArrayElements</p> 3729 <p>CVE-2016-5288: 
Web content can read cache entries</p> 3730 </blockquote> 3731 </body> 3732 </description> 3733 <references> 3734 <cvename>CVE-2016-5287</cvename> 3735 <cvename>CVE-2016-5288</cvename> 3736 <url>https://www.mozilla.org/security/advisories/mfsa2016-87/</url> 3737 </references> 3738 <dates> 3739 <discovery>2016-10-20</discovery> 3740 <entry>2016-10-21</entry> 3741 </dates> 3742 </vuln> 3743 3744 <vuln vid="0baadc45-92d0-11e6-8011-005056925db4"> 3745 <topic>Axis2 -- Cross-site scripting (XSS) vulnerability</topic> 3746 <affects> 3747 <package> 3748 <name>axis2</name> 3749 <range><lt>1.7.3</lt></range> 3750 </package> 3751 </affects> 3752 <description> 3753 <body xmlns="http://www.w3.org/1999/xhtml"> 3754 <p>Apache Axis2 reports:</p> 3755 <blockquote cite="http://axis.apache.org/axis2/java/core/release-notes/1.7.3.html"> 3756 <p>Apache Axis2 1.7.3 is a security release that contains a fix 3757 for CVE-2010-3981. That security vulnerability affects the admin console 3758 that is part of the Axis2 Web application and was originally reported 3759 for SAP BusinessObjects (which includes a version of Axis2). 
That report 3760 didn’t mention Axis2 at all and the Axis2 project only recently became 3761 aware (thanks to Devesh Bhatt and Nishant Agarwala) that the issue 3762 affects Apache Axis2 as well.</p> 3763 </blockquote> 3764 </body> 3765 </description> 3766 <references> 3767 <url>http://axis.apache.org/axis2/java/core/release-notes/1.7.3.html</url> 3768 <cvename>CVE-2010-3981</cvename> 3769 <freebsdpr>ports/213546</freebsdpr> 3770 </references> 3771 <dates> 3772 <discovery>2010-10-18</discovery> 3773 <entry>2016-10-18</entry> 3774 </dates> 3775 </vuln> 3776 3777 <vuln vid="c1dc55dc-9556-11e6-b154-3065ec8fd3ec"> 3778 <topic>Tor -- remote denial of service</topic> 3779 <affects> 3780 <package> 3781 <name>tor</name> 3782 <range><lt>0.2.8.9</lt></range> 3783 </package> 3784 <package> 3785 <name>tor-devel</name> 3786 <range><lt>0.2.9.4-alpha</lt></range> 3787 </package> 3788 </affects> 3789 <description> 3790 <body xmlns="http://www.w3.org/1999/xhtml"> 3791 <p>The Tor Blog reports:</p> 3792 <blockquote cite="https://blog.torproject.org/blog/tor-0289-released-important-fixes"> 3793 <p>Prevent a class of security bugs caused by treating the contents 3794 of a buffer chunk as if they were a NUL-terminated string. At least 3795 one such bug seems to be present in all currently used versions of 3796 Tor, and would allow an attacker to remotely crash most Tor 3797 instances, especially those compiled with extra compiler hardening. 3798 With this defense in place, such bugs can't crash Tor, though we 3799 should still fix them as they occur. 
Closes ticket 20384 3800 (TROVE-2016-10-001).</p> 3801 </blockquote> 3802 </body> 3803 </description> 3804 <references> 3805 <url>https://blog.torproject.org/blog/tor-0289-released-important-fixes</url> 3806 </references> 3807 <dates> 3808 <discovery>2016-10-17</discovery> 3809 <entry>2016-10-18</entry> 3810 </dates> 3811 </vuln> 3812 3813 <vuln vid="43f1c867-654a-11e6-8286-00248c0c745d"> 3814 <topic>Rails 4 -- Possible XSS Vulnerability in Action View</topic> 3815 <affects> 3816 <package> 3817 <name>rubygem-actionview</name> 3818 <range><gt>3.0.0</gt><lt>4.2.7.1</lt></range> 3819 </package> 3820 </affects> 3821 <description> 3822 <body xmlns="http://www.w3.org/1999/xhtml"> 3823 <p>Ruby Security team reports:</p> 3824 <blockquote cite="https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE"> 3825 <p>There is a possible XSS vulnerability in Action View. Text declared as "HTML 3826safe" will not have quotes escaped when used as attribute values in tag 3827helpers. This vulnerability has been assigned the CVE identifier 3828CVE-2016-6316.</p> 3829 </blockquote> 3830 </body> 3831 </description> 3832 <references> 3833 <url>https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE</url> 3834 <cvename>CVE-2016-6316</cvename> 3835 </references> 3836 <dates> 3837 <discovery>2016-08-11</discovery> 3838 <entry>2016-08-18</entry> 3839 </dates> 3840 </vuln> 3841 3842 <vuln vid="7e61cf44-6549-11e6-8286-00248c0c745d"> 3843 <topic>Rails 4 -- Unsafe Query Generation Risk in Active Record</topic> 3844 <affects> 3845 <package> 3846 <name>rubygem-activerecord4</name> 3847 <range><gt>4.2.0</gt><lt>4.2.7.1</lt></range> 3848 </package> 3849 </affects> 3850 <description> 3851 <body xmlns="http://www.w3.org/1999/xhtml"> 3852 <p>Ruby Security team reports:</p> 3853 <blockquote cite="https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA"> 3854 <p>There is a vulnerability when Active Record is used in conjunction with JSON 3855parameter parsing. 
This vulnerability has been assigned the CVE identifier 3856CVE-2016-6317. This vulnerability is similar to CVE-2012-2660, CVE-2012-2694 3857and CVE-2013-0155.</p> 3858 </blockquote> 3859 </body> 3860 </description> 3861 <references> 3862 <url>https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA</url> 3863 <cvename>CVE-2016-6317</cvename> 3864 </references> 3865 <dates> 3866 <discovery>2016-08-11</discovery> 3867 <entry>2016-08-18</entry> 3868 </dates> 3869 </vuln> 3870 3871 <vuln vid="f471032a-8700-11e6-8d93-00248c0c745d"> 3872 <topic>PHP -- multiple vulnerabilities</topic> 3873 <affects> 3874 <package> 3875 <name>php70</name> 3876 <range><lt>7.0.11</lt></range> 3877 </package> 3878 </affects> 3879 <description> 3880 <body xmlns="http://www.w3.org/1999/xhtml"> 3881 <p>PHP reports:</p> 3882 <blockquote cite="http://php.net/ChangeLog-7.php#7.0.11"> 3883 <ul> 3884 <li><p>Fixed bug #73007 (add locale length check)</p></li> 3885 <li><p>Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields)</p></li> 3886 <li><p>Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile)</p></li> 3887 <li><p>Fixed bug #73029 (Missing type check when unserializing SplArray)</p></li> 3888 <li><p>Fixed bug #73052 (Memory Corruption in During Deserialized-object Destruction)</p></li> 3889 <li><p>Fixed bug #72860 (wddx_deserialize use-after-free)</p></li> 3890 <li><p>Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element)</p></li> 3891 </ul> 3892 </blockquote> 3893 </body> 3894 </description> 3895 <references> 3896 <url>http://php.net/ChangeLog-7.php#7.0.11</url> 3897 <cvename>CVE-2016-7416</cvename> 3898 <cvename>CVE-2016-7412</cvename> 3899 <cvename>CVE-2016-7414</cvename> 3900 <cvename>CVE-2016-7417</cvename> 3901 <cvename>CVE-2016-7413</cvename> 3902 <cvename>CVE-2016-7418</cvename> 3903 </references> 3904 <dates> 3905 <discovery>2016-09-15</discovery> 3906 <entry>2016-09-30</entry> 3907 </dates> 3908 </vuln> 3909 3910 <vuln 
vid="8d5180a6-86fe-11e6-8d93-00248c0c745d"> 3911 <topic>PHP -- multiple vulnerabilities</topic> 3912 <affects> 3913 <package> 3914 <name>php56</name> 3915 <range><lt>5.6.26</lt></range> 3916 </package> 3917 </affects> 3918 <description> 3919 <body xmlns="http://www.w3.org/1999/xhtml"> 3920 <p>PHP reports:</p> 3921 <blockquote cite="http://php.net/ChangeLog-5.php#5.6.26"> 3922 <ul> 3923 <li><p>Fixed bug #73007 (add locale length check)</p></li> 3924 <li><p>Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields)</p></li> 3925 <li><p>Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile)</p></li> 3926 <li><p>Fixed bug #73029 (Missing type check when unserializing SplArray)</p></li> 3927 <li><p>Fixed bug #73052 (Memory Corruption in During Deserialized-object Destruction)</p></li> 3928 <li><p>Fixed bug #72860 (wddx_deserialize use-after-free)</p></li> 3929 <li><p>Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element)</p></li> 3930 </ul> 3931 </blockquote> 3932 </body> 3933 </description> 3934 <references> 3935 <url>http://php.net/ChangeLog-5.php#5.6.26</url> 3936 <cvename>CVE-2016-7416</cvename> 3937 <cvename>CVE-2016-7412</cvename> 3938 <cvename>CVE-2016-7414</cvename> 3939 <cvename>CVE-2016-7417</cvename> 3940 <cvename>CVE-2016-7411</cvename> 3941 <cvename>CVE-2016-7413</cvename> 3942 <cvename>CVE-2016-7418</cvename> 3943 </references> 3944 <dates> 3945 <discovery>2016-09-16</discovery> 3946 <entry>2016-09-30</entry> 3947 </dates> 3948 </vuln> 3949 3950 <vuln vid="ad479f89-9020-11e6-a590-14dae9d210b8"> 3951 <topic>file-roller -- path traversal vulnerability</topic> 3952 <affects> 3953 <package> 3954 <name>file-roller</name> 3955 <range><ge>3.5.4,1</ge><lt>3.20.2,1</lt></range> 3956 </package> 3957 </affects> 3958 <description> 3959 <body xmlns="http://www.w3.org/1999/xhtml"> 3960 <p>The oss-security mailing list reports:</p> 3961 <blockquote cite="http://www.openwall.com/lists/oss-security/2016/09/08/4"> 3962 <p>File Roller 3.5.4 through 3.20.2 
was affected by a path 3963 traversal bug that could result in deleted files if a user 3964 were tricked into opening a malicious archive.</p> 3965 </blockquote> 3966 </body> 3967 </description> 3968 <references> 3969 <url>http://www.openwall.com/lists/oss-security/2016/09/08/4</url> 3970 <cvename>CVE-2016-7162</cvename> 3971 <freebsdpr>ports/213199</freebsdpr> 3972 </references> 3973 <dates> 3974 <discovery>2016-09-08</discovery> 3975 <entry>2016-10-12</entry> 3976 <modified>2016-10-18</modified> 3977 </dates> 3978 </vuln> 3979 3980 <vuln vid="7d40edd1-901e-11e6-a590-14dae9d210b8"> 3981 <topic>VirtualBox -- undisclosed vulnerabilities</topic> 3982 <affects> 3983 <package> 3984 <name>virtualbox-ose</name> 3985 <range><ge>5.0</ge><lt>5.0.8</lt></range> 3986 <range><ge>4.3</ge><lt>4.3.32</lt></range> 3987 <range><ge>4.2</ge><lt>4.2.34</lt></range> 3988 <range><ge>4.1</ge><lt>4.1.42</lt></range> 3989 <range><ge>4.0</ge><lt>4.0.34</lt></range> 3990 </package> 3991 </affects> 3992 <description> 3993 <body xmlns="http://www.w3.org/1999/xhtml"> 3994 <p>Oracle reports:</p> 3995 <blockquote cite="http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"> 3996 <p>Unspecified vulnerability in the Oracle VM VirtualBox 3997 component in Oracle Virtualization VirtualBox prior to 4.0.34, 4.1.42, 3998 4.2.34, 4.3.32, and 5.0.8, when using a Windows guest, allows local 3999 users to affect availability via unknown vectors related to Core.</p> 4000 <p>Unspecified vulnerability in the Oracle VM VirtualBox 4001 component in Oracle Virtualization VirtualBox before 4.0.34, 4.1.42, 4002 4.2.34, 4.3.32, and 5.0.8, when a VM has the Remote Display feature 4003 (RDP) enabled, allows remote attackers to affect availability via 4004 unknown vectors related to Core.</p> 4005 </blockquote> 4006 </body> 4007 </description> 4008 <references> 4009 <url>http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html</url> 4010 <cvename>CVE-2015-4813</cvename> 4011 
<cvename>CVE-2015-4896</cvename> 4012 <freebsdpr>ports/204406</freebsdpr> 4013 </references> 4014 <dates> 4015 <discovery>2015-10-01</discovery> 4016 <entry>2016-10-12</entry> 4017 <modified>2016-10-18</modified> 4018 </dates> 4019 </vuln> 4020 4021 <vuln vid="10f7f782-901c-11e6-a590-14dae9d210b8"> 4022 <topic>ImageMagick -- multiple vulnerabilities</topic> 4023 <affects> 4024 <package> 4025 <name>ImageMagick</name> 4026 <name>ImageMagick-nox11</name> 4027 <range><lt>6.9.5.10,1</lt></range> 4028 </package> 4029 </affects> 4030 <description> 4031 <body xmlns="http://www.w3.org/1999/xhtml"> 4032 <p>Debian reports:</p> 4033 <blockquote cite="https://www.debian.org/security/2016/dsa-3675"> 4034 <p>Various memory handling problems and cases of missing or 4035 incomplete input sanitizing may result in denial of service or the 4036 execution of arbitrary code if malformed SIXEL, PDB, MAP, SGI, TIFF and 4037 CALS files are processed.</p> 4038 </blockquote> 4039 </body> 4040 </description> 4041 <references> 4042 <url>https://www.debian.org/security/2016/dsa-3675</url> 4043 <freebsdpr>ports/213032</freebsdpr> 4044 </references> 4045 <dates> 4046 <discovery>2016-09-23</discovery> 4047 <entry>2016-10-12</entry> 4048 <modified>2016-10-18</modified> 4049 </dates> 4050 </vuln> 4051 4052 <vuln vid="2a526c78-84ab-11e6-a4a1-60a44ce6887b"> 4053 <topic>libgd -- integer overflow which could lead to heap buffer overflow</topic> 4054 <affects> 4055 <package> 4056 <name>gd</name> 4057 <range><le>2.2.3</le></range> 4058 </package> 4059 <package> 4060 <name>php70-gd</name> 4061 <range><le>7.0.11</le></range> 4062 </package> 4063 <package> 4064 <name>php56-gd</name> 4065 <range><le>5.6.26</le></range> 4066 </package> 4067 </affects> 4068 <description> 4069 <body xmlns="http://www.w3.org/1999/xhtml"> 4070 <p>LibGD reports:</p> 4071 <blockquote cite="https://github.com/libgd/libgd/issues/308"> 4072 <p>An integer overflow issue was found in function gdImageWebpCtx of file gd_webp.c which could 
lead to heap buffer overflow.</p> 4073 </blockquote> 4074 </body> 4075 </description> 4076 <references> 4077 <url>https://github.com/libgd/libgd/issues/308</url> 4078 <url>https://bugs.php.net/bug.php?id=73003</url> 4079 <freebsdpr>ports/213023</freebsdpr> 4080 </references> 4081 <dates> 4082 <discovery>2016-09-02</discovery> 4083 <entry>2016-10-11</entry> 4084 <modified>2016-10-18</modified> 4085 </dates> 4086 </vuln> 4087 4088 <vuln vid="cb3f036d-8c7f-11e6-924a-60a44ce6887b"> 4089 <topic>libvncserver -- multiple security vulnerabilities</topic> 4090 <affects> 4091 <package> 4092 <name>libvncserver</name> 4093 <range><lt>0.9.10</lt></range> 4094 </package> 4095 </affects> 4096 <description> 4097 <body xmlns="http://www.w3.org/1999/xhtml"> 4098 <p>Nicolas Ruff reports:</p> 4099 <blockquote cite="http://seclists.org/oss-sec/2014/q3/639"> 4100 <p>Integer overflow in MallocFrameBuffer() on client side.</p> 4101 <p>Lack of malloc() return value checking on client side.</p> 4102 <p>Server crash on a very large ClientCutText message.</p> 4103 <p>Server crash when scaling factor is set to zero.</p> 4104 <p>Multiple stack overflows in File Transfer feature.</p> 4105 </blockquote> 4106 </body> 4107 </description> 4108 <references> 4109 <url>http://seclists.org/oss-sec/2014/q3/639</url> 4110 <cvename>CVE-2014-6051</cvename> 4111 <cvename>CVE-2014-6052</cvename> 4112 <cvename>CVE-2014-6053</cvename> 4113 <cvename>CVE-2014-6054</cvename> 4114 <cvename>CVE-2014-6055</cvename> 4115 <freebsdpr>ports/212380</freebsdpr> 4116 </references> 4117 <dates> 4118 <discovery>2014-09-23</discovery> 4119 <entry>2016-10-11</entry> 4120 <modified>2016-10-18</modified> 4121 </dates> 4122 </vuln> 4123 4124 <vuln vid="ab947396-9018-11e6-a590-14dae9d210b8"> 4125 <topic>openoffice -- information disclosure vulnerability</topic> 4126 <affects> 4127 <package> 4128 <name>apache-openoffice</name> 4129 <name>apache-openoffice-devel</name> 4130 <range><lt>4.1.1</lt></range> 4131 </package> 4132 
</affects> 4133 <description> 4134 <body xmlns="http://www.w3.org/1999/xhtml"> 4135 <p>Apache reports:</p> 4136 <blockquote cite="http://www.openoffice.org/security/cves/CVE-2014-3575.html"> 4137 <p>The exposure exploits the way OLE previews are generated to 4138 embed arbitrary file data into a specially crafted document when it is 4139 opened. Data exposure is possible if the updated document is distributed 4140 to other parties.</p> 4141 </blockquote> 4142 </body> 4143 </description> 4144 <references> 4145 <url>http://www.openoffice.org/security/cves/CVE-2014-3575.html</url> 4146 <cvename>CVE-2014-3575</cvename> 4147 <freebsdpr>ports/212379</freebsdpr> 4148 </references> 4149 <dates> 4150 <discovery>2014-08-21</discovery> 4151 <entry>2016-10-12</entry> 4152 <modified>2016-10-18</modified> 4153 </dates> 4154 </vuln> 4155 4156 <vuln vid="47157c14-9013-11e6-a590-14dae9d210b8"> 4157 <topic>mupdf -- multiple vulnerabilities</topic> 4158 <affects> 4159 <package> 4160 <name>mupdf</name> 4161 <range><lt>1.9a_1,1</lt></range> 4162 </package> 4163 <package> 4164 <name>llpp</name> 4165 <range><lt>22_2</lt></range> 4166 </package> 4167 <package> 4168 <name>zathura-pdf-mupdf</name> 4169 <range><lt>0.3.0_2</lt></range> 4170 </package> 4171 </affects> 4172 <description> 4173 <body xmlns="http://www.w3.org/1999/xhtml"> 4174 <p>Tobias Kortkamp reports:</p> 4175 <blockquote cite="http://openbsd-archive.7691.n7.nabble.com/mupdf-CVE-2016-6525-amp-CVE-2016-6265-td302904.html"> 4176 <p>Heap-based buffer overflow in the pdf_load_mesh_params 4177 function in pdf/pdf-shade.c in MuPDF allows remote attackers to cause a 4178 denial of service (crash) or execute arbitrary code via a large decode 4179 array.</p> 4180 <p>Use-after-free vulnerability in the pdf_load_xref function in 4181 pdf/pdf-xref.c in MuPDF allows remote attackers to cause a denial of 4182 service (crash) via a crafted PDF file.</p> 4183 </blockquote> 4184 </body> 4185 </description> 4186 <references> 4187 
<url>http://openbsd-archive.7691.n7.nabble.com/mupdf-CVE-2016-6525-amp-CVE-2016-6265-td302904.html</url> 4188 <url>http://bugs.ghostscript.com/show_bug.cgi?id=696941</url> 4189 <url>http://bugs.ghostscript.com/show_bug.cgi?id=696954</url> 4190 <cvename>CVE-2016-6525</cvename> 4191 <cvename>CVE-2016-6265</cvename> 4192 <freebsdpr>ports/212207</freebsdpr> 4193 </references> 4194 <dates> 4195 <discovery>2016-08-27</discovery> 4196 <entry>2016-10-12</entry> 4197 <modified>2016-10-18</modified> 4198 </dates> 4199 </vuln> 4200 4201 <vuln vid="b7d56d0b-7a11-11e6-af78-589cfc0654e1"> 4202 <topic>openjpeg -- multiple vulnerabilities</topic> 4203 <affects> 4204 <package> 4205 <name>openjpeg</name> 4206 <range><lt>2.1.1_1</lt></range> 4207 </package> 4208 </affects> 4209 <description> 4210 <body xmlns="http://www.w3.org/1999/xhtml"> 4211 <p>Tencent's Xuanwu LAB reports:</p> 4212 <blockquote cite="http://www.openwall.com/lists/oss-security/2016/09/08/2"> 4213 <p>A Heap Buffer Overflow (Out-of-Bounds Write) issue was found in 4214 function opj_dwt_interleave_v of dwt.c. This vulnerability allows 4215 remote attackers to execute arbitrary code on vulnerable installations 4216 of OpenJPEG.</p> 4217 <p>An integer overflow issue exists in function opj_pi_create_decode of 4218 pi.c. It can lead to Out-Of-Bounds Read and Out-Of-Bounds Write in 4219 function opj_pi_next_cprl of pi.c (function opj_pi_next_lrcp, 4220 opj_pi_next_rlcp, opj_pi_next_rpcl, opj_pi_next_pcrl may also be 4221 vulnerable). 
This vulnerability allows remote attackers to execute 4222 arbitrary code on vulnerable installations of OpenJPEG.</p> 4223 </blockquote> 4224 </body> 4225 </description> 4226 <references> 4227 <url>http://www.openwall.com/lists/oss-security/2016/09/08/2</url> 4228 <url>http://www.openwall.com/lists/oss-security/2016/09/08/3</url> 4229 <cvename>CVE-2016-5157</cvename> 4230 <cvename>CVE-2016-7163</cvename> 4231 </references> 4232 <dates> 4233 <discovery>2016-09-08</discovery> 4234 <entry>2016-10-11</entry> 4235 </dates> 4236 </vuln> 4237 4238 <vuln vid="fa175f30-8c75-11e6-924a-60a44ce6887b"> 4239 <topic>redis -- sensitive information leak through command history file</topic> 4240 <affects> 4241 <package> 4242 <name>redis</name> 4243 <name>redis-devel</name> 4244 <range><lt>3.2.3</lt></range> 4245 </package> 4246 </affects> 4247 <description> 4248 <body xmlns="http://www.w3.org/1999/xhtml"> 4249 <p>Redis team reports:</p> 4250 <blockquote cite="https://github.com/antirez/redis/pull/1418"> 4251 <p>The redis-cli history file (in linenoise) is created with the 4252 default OS umask value which makes it world readable in most systems 4253 and could potentially expose authentication credentials to other 4254 users.</p> 4255 </blockquote> 4256 </body> 4257 </description> 4258 <references> 4259 <url>https://github.com/antirez/redis/pull/1418</url> 4260 <url>https://github.com/antirez/redis/issues/3284</url> 4261 <cvename>CVE-2013-7458</cvename> 4262 </references> 4263 <dates> 4264 <discovery>2013-11-30</discovery> 4265 <entry>2016-10-11</entry> 4266 </dates> 4267 </vuln> 4268 4269 <vuln vid="1a71a972-8ee7-11e6-a590-14dae9d210b8"> 4270 <topic>FreeBSD -- Multiple libarchive vulnerabilities</topic> 4271 <affects> 4272 <package> 4273 <name>FreeBSD</name> 4274 <range><ge>11.0</ge><lt>11.0_1</lt></range> 4275 <range><ge>10.3</ge><lt>10.3_10</lt></range> 4276 <range><ge>10.2</ge><lt>10.2_23</lt></range> 4277 <range><ge>10.1</ge><lt>10.1_40</lt></range> 4278 </package> 4279 
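For the redis-cli history entry above (CVE-2013-7458): the weak pattern is to create the history file with a plain fopen(3), which inherits the process umask, so with the common umask of 022 the file is 0644 and every local user can read the AUTH lines stored in it. The block below is an added example for this page, not linenoise's or redis-cli's code. It contrasts that pattern with creating the file owner-only regardless of umask; the scratch directory, the umask value and the sample AUTH line are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example; not linenoise's or redis-cli's source. */

/* The weak pattern: fopen(3) creates the file with 0666 & ~umask, so with the
 * usual umask of 022 the history ends up 0644, readable by every local user. */
int save_history_insecure(const char *path, const char *line)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fprintf(fp, "%s\n", line);
    return fclose(fp) == 0 ? 0 : -1;
}

/* Hardened: request 0600 at creation, refuse to follow a symlink planted at
 * the path, and fchmod(2) as well, because O_CREAT's mode is only applied to
 * a file that did not exist yet (an older 0644 history would stay 0644). */
int save_history_secure(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        return -1;
    }
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) {
        close(fd);
        return -1;
    }
    fprintf(fp, "%s\n", line);
    return fclose(fp) == 0 ? 0 : -1;
}

/* Permission bits of `path`, e.g. 0644, or -1 if it cannot be stat'ed. */
int file_mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Demonstration driver: fresh scratch directory, umask 022 (the common
 * default the entry refers to), then a constructed "AUTH" line written with
 * the insecure routine and, if `then_secure` is set, rewritten with the
 * hardened one. Returns the resulting permission bits, or -1 on error. */
int demo_history_mode(int then_secure)
{
    char dir[] = "/tmp/histdemo.XXXXXX";
    char path[sizeof dir + 16];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/history", dir);
    umask(022);
    if (save_history_insecure(path, "AUTH hunter2") != 0)
        return -1;
    if (then_secure && save_history_secure(path, "AUTH hunter2") != 0)
        return -1;
    return file_mode_bits(path);
}

int main(void)
{
    printf("fopen() under umask 022:        %04o\n", demo_history_mode(0));
    printf("open(O_CREAT, 0600) + fchmod(): %04o\n", demo_history_mode(1));
    return 0;
}
```

The second call deliberately writes the hardened file over the one the insecure routine left behind: that is the upgrade case, where a history file created by an older client already exists with wide permissions, and it is why the fchmod() is not redundant with the mode passed to open().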
</affects> 4280 <description> 4281 <body xmlns="http://www.w3.org/1999/xhtml"> 4282 <h1>Problem Description:</h1> 4283 <p>Flaws in libarchive's handling of symlinks and hard links 4284 allow overwriting files outside the extraction directory, 4285 or permission changes to a directory outside the extraction 4286 directory.</p> 4287 <h1>Impact:</h1> 4288 <p>An attacker who can control freebsd-update's or portsnap's 4289 input to tar(1) can change file content or permissions on 4290 files outside of the update tool's working sandbox.</p> 4291 </body> 4292 </description> 4293 <references> 4294 <freebsdsa>SA-16:31.libarchive</freebsdsa> 4295 </references> 4296 <dates> 4297 <discovery>2016-10-05</discovery> 4298 <entry>2016-10-10</entry> 4299 </dates> 4300 </vuln> 4301 4302 <vuln vid="e7dcd69d-8ee6-11e6-a590-14dae9d210b8"> 4303 <topic>FreeBSD -- Multiple portsnap vulnerabilities</topic> 4304 <affects> 4305 <package> 4306 <name>FreeBSD</name> 4307 <range><ge>11.0</ge><lt>11.0_1</lt></range> 4308 <range><ge>10.3</ge><lt>10.3_10</lt></range> 4309 <range><ge>10.2</ge><lt>10.2_23</lt></range> 4310 <range><ge>10.1</ge><lt>10.1_40</lt></range> 4311 <range><ge>9.3</ge><lt>9.3_48</lt></range> 4312 </package> 4313 </affects> 4314 <description> 4315 <body xmlns="http://www.w3.org/1999/xhtml"> 4316 <h1>Problem Description:</h1> 4317 <p>Flaws in portsnap's verification of downloaded tar files 4318 allow additional files to be included without causing the 4319 verification to fail. 
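The libarchive entry above (SA-16:31) describes an extractor being steered outside its extraction directory through symlinks and hard links that earlier archive members created, which is also the kind of tar input the portsnap impact statement refers to. The check below is an added example written for this page, not libarchive's, tar(1)'s or freebsd-update's source. Before a member is written it resolves every already-existing prefix of the target path with realpath(3) and refuses anything that leaves the root, and it refuses to write through a symlink as the final component. The scratch tree it builds (a sub/ directory and a planted symlink escape -> /) and the sample member names are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example; not libarchive's or tar(1)'s code. */

/* Does `resolved` lie at or below `root_real`? Both must be realpath() output. */
static int is_below(const char *resolved, const char *root_real)
{
    size_t n = strlen(root_real);
    return strncmp(resolved, root_real, n) == 0 &&
           (resolved[n] == '/' || resolved[n] == '\0');
}

/*
 * Return 1 if writing archive member `entry` (a relative path) under `root`
 * cannot escape root, 0 if it must be refused. Rules:
 *  - absolute paths and any ".." component are refused outright;
 *  - each prefix of the entry that already exists on disk is resolved with
 *    realpath(3) and must stay below root, so a symlink planted by an
 *    earlier member cannot redirect the write;
 *  - an existing symlink as the final component is refused, because writing
 *    "through" it is exactly the overwrite the entry describes.
 */
int entry_is_confined(const char *root, const char *entry)
{
    char root_real[PATH_MAX], probe[PATH_MAX], resolved[PATH_MAX], rel[PATH_MAX] = "";
    if (entry[0] == '/' || realpath(root, root_real) == NULL)
        return 0;
    const char *p = entry;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t clen = slash ? (size_t)(slash - p) : strlen(p);
        int last = (slash == NULL);
        if (clen == 0) {                    /* "a//b" or a trailing "/" */
            if (last) break;
            p = slash + 1;
            continue;
        }
        if (clen == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        size_t rl = strlen(rel);
        if (rl + 1 + clen + 1 > sizeof rel)
            return 0;
        if (rl > 0) rel[rl++] = '/';
        memcpy(rel + rl, p, clen);
        rel[rl + clen] = '\0';
        if (snprintf(probe, sizeof probe, "%s/%s", root_real, rel) >= (int)sizeof probe)
            return 0;
        struct stat st;
        if (lstat(probe, &st) != 0)
            break;                           /* nothing exists from here on: safe to create */
        if (S_ISLNK(st.st_mode)) {
            if (last)
                return 0;
            if (realpath(probe, resolved) == NULL || !is_below(resolved, root_real))
                return 0;
        }
        if (last) break;
        p = slash + 1;
    }
    return 1;
}

/* Scratch tree for the demonstration: <dir>/sub/ and a planted symlink
 * <dir>/escape -> "/". Returns the directory (static buffer) or NULL. */
const char *make_demo_tree(void)
{
    static char dir[] = "/tmp/confine.XXXXXX";
    char path[PATH_MAX];
    if (mkdtemp(dir) == NULL) return NULL;
    snprintf(path, sizeof path, "%s/sub", dir);
    if (mkdir(path, 0700) != 0) return NULL;
    snprintf(path, sizeof path, "%s/escape", dir);
    if (symlink("/", path) != 0) return NULL;
    return dir;
}

/* Builds the scratch tree on first use, then checks one member name. -1 on setup error. */
int demo_check(const char *member)
{
    static const char *dir;
    if (dir == NULL) dir = make_demo_tree();
    if (dir == NULL) return -1;
    return entry_is_confined(dir, member);
}

int main(void)
{
    const char *members[] = { "sub/file.txt", "new/dir/file.txt", "escape/etc/passwd",
                              "escape", "sub/../../etc/passwd", "/etc/passwd" };
    for (size_t i = 0; i < sizeof members / sizeof members[0]; i++)
        printf("%-22s %s\n", members[i], demo_check(members[i]) == 1 ? "ok" : "REFUSED");
    return 0;
}
```

For a hard-link member the same function is applied to the link target before link(2) is called, since a target outside the root is the other half of the overwrite the entry describes. The check is deliberately conservative: a symlink pointing to another directory inside the root is accepted as an intermediate component, but never as the thing being written.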
Portsnap may then use or execute these 4320 files.</p> 4321 <h1>Impact:</h1> 4322 <p>An attacker who can conduct man in the middle attack on 4323 the network at the time when portsnap is run can cause 4324 portsnap to execute arbitrary commands under the credentials 4325 of the user who runs portsnap, typically root.</p> 4326 </body> 4327 </description> 4328 <references> 4329 <freebsdsa>SA-16:30.portsnap</freebsdsa> 4330 </references> 4331 <dates> 4332 <discovery>2016-10-10</discovery> 4333 <entry>2016-10-10</entry> 4334 </dates> 4335 </vuln> 4336 4337 <vuln vid="ce808022-8ee6-11e6-a590-14dae9d210b8"> 4338 <topic>FreeBSD -- Heap overflow vulnerability in bspatch</topic> 4339 <affects> 4340 <package> 4341 <name>FreeBSD</name> 4342 <range><ge>11.0</ge><lt>11.0_1</lt></range> 4343 <range><ge>10.3</ge><lt>10.3_10</lt></range> 4344 <range><ge>10.2</ge><lt>10.2_23</lt></range> 4345 <range><ge>10.1</ge><lt>10.1_40</lt></range> 4346 <range><ge>9.3</ge><lt>9.3_48</lt></range> 4347 </package> 4348 </affects> 4349 <description> 4350 <body xmlns="http://www.w3.org/1999/xhtml"> 4351 <h1>Problem Description:</h1> 4352 <p>The implementation of bspatch is susceptible to integer 4353 overflows with carefully crafted input, potentially allowing 4354 an attacker who can control the patch file to write at 4355 arbitrary locations in the heap. 
This issue was partially 4356 addressed in FreeBSD-SA-16:25.bspatch, but some possible 4357 integer overflows remained.</p> 4358 <h1>Impact:</h1> 4359 <p>An attacker who can control the patch file can cause a 4360 crash or run arbitrary code under the credentials of the 4361 user who runs bspatch, in many cases, root.</p> 4362 </body> 4363 </description> 4364 <references> 4365 <freebsdsa>SA-16:29.bspatch</freebsdsa> 4366 </references> 4367 <dates> 4368 <discovery>2016-10-10</discovery> 4369 <entry>2016-10-10</entry> 4370 </dates> 4371 </vuln> 4372 4373 <vuln vid="aeb7874e-8df1-11e6-a082-5404a68ad561"> 4374 <topic>mkvtoolnix -- code execution via specially crafted files</topic> 4375 <affects> 4376 <package> 4377 <name>mkvtoolnix</name> 4378 <range><lt>9.4.1</lt></range> 4379 </package> 4380 </affects> 4381 <description> 4382 <body xmlns="http://www.w3.org/1999/xhtml"> 4383 <p>Moritz Bunkus reports:</p> 4384 <blockquote cite="https://mkvtoolnix.download/doc/ChangeLog"> 4385 <p>most of the bugs fixed on 2016-09-06 and 2016-09-07 for 4386 issue #1780 are potentially exploitable. 
The scenario is arbitrary 4387 code execution with specially-crafted files.</p> 4388 </blockquote> 4389 </body> 4390 </description> 4391 <references> 4392 <url>https://mkvtoolnix.download/doc/ChangeLog</url> 4393 </references> 4394 <dates> 4395 <discovery>2016-09-07</discovery> 4396 <entry>2016-10-09</entry> 4397 </dates> 4398 </vuln> 4399 4400 <vuln vid="1cf65085-a760-41d2-9251-943e1af62eb8"> 4401 <topic>X.org libraries -- multiple vulnerabilities</topic> 4402 <affects> 4403 <package> 4404 <name>libX11</name> 4405 <range><lt>1.6.4,1</lt></range> 4406 </package> 4407 <package> 4408 <name>libXfixes</name> 4409 <range><lt>5.0.3</lt></range> 4410 </package> 4411 <package> 4412 <name>libXi</name> 4413 <range><lt>1.7.7,1</lt></range> 4414 </package> 4415 <package> 4416 <name>libXrandr</name> 4417 <range><lt>1.5.1</lt></range> 4418 </package> 4419 <package> 4420 <name>libXrender</name> 4421 <range><lt>0.9.10</lt></range> 4422 </package> 4423 <package> 4424 <name>libXtst</name> 4425 <range><lt>1.2.3</lt></range> 4426 </package> 4427 <package> 4428 <name>libXv</name> 4429 <range><lt>1.0.11,1</lt></range> 4430 </package> 4431 <package> 4432 <name>libXvMC</name> 4433 <range><lt>1.0.10</lt></range> 4434 </package> 4435 </affects> 4436 <description> 4437 <body xmlns="http://www.w3.org/1999/xhtml"> 4438 <p>Matthieu Herrb reports:</p> 4439 <blockquote cite="https://lists.x.org/archives/xorg-announce/2016-October/002720.html"> 4440 <p>Tobias Stoeckmann from the OpenBSD project has discovered a 4441 number of issues in the way various X client libraries handle 4442 the responses they receive from servers, and has worked with 4443 X.Org's security team to analyze, confirm, and fix these issues. 
4444 These issue come in addition to the ones discovered by Ilja van 4445 Sprundel in 2013.</p> 4446 4447 <p>Most of these issues stem from the client libraries trusting 4448 the server to send correct protocol data, and not verifying 4449 that the values will not overflow or cause other damage. Most 4450 of the time X clients and servers are run by the same user, with 4451 the server more privileged than the clients, so this is not a 4452 problem, but there are scenarios in which a privileged client 4453 can be connected to an unprivileged server, for instance, 4454 connecting a setuid X client (such as a screen lock program) 4455 to a virtual X server (such as Xvfb or Xephyr) which the user 4456 has modified to return invalid data, potentially allowing the 4457 user to escalate their privileges.</p> 4458 </blockquote> 4459 </body> 4460 </description> 4461 <references> 4462 <url>https://lists.x.org/archives/xorg-announce/2016-October/002720.html</url> 4463 <cvename>CVE-2016-5407</cvename> 4464 </references> 4465 <dates> 4466 <discovery>2016-10-04</discovery> 4467 <entry>2016-10-07</entry> 4468 <modified>2016-10-10</modified> 4469 </dates> 4470 </vuln> 4471 4472 <vuln vid="c8d902b1-8550-11e6-81e7-d050996490d0"> 4473 <topic>BIND -- Remote Denial of Service vulnerability</topic> 4474 <affects> 4475 <package> 4476 <name>bind99</name> 4477 <range><lt>9.9.9P3</lt></range> 4478 </package> 4479 <package> 4480 <name>bind910</name> 4481 <range><lt>9.10.4P3</lt></range> 4482 </package> 4483 <package> 4484 <name>bind911</name> 4485 <range><lt>9.11.0.rc3</lt></range> 4486 </package> 4487 <package> 4488 <name>bind9-devel</name> 4489 <range><lt>9.12.0.a.2016.09.10</lt></range> 4490 </package> 4491 <package> 4492 <name>FreeBSD</name> 4493 <range><ge>9.3</ge><lt>9.3_48</lt></range> 4494 </package> 4495 </affects> 4496 <description> 4497 <body xmlns="http://www.w3.org/1999/xhtml"> 4498 <p>ISC reports:</p> 4499 <blockquote cite="https://kb.isc.org/article/AA-01419"> 4500 <p>Testing 
by ISC has uncovered a critical error condition 4501 which can occur when a nameserver is constructing a 4502 response. A defect in the rendering of messages into 4503 packets can cause named to exit with an assertion 4504 failure in buffer.c while constructing a response 4505 to a query that meets certain criteria.</p> 4506 </blockquote> 4507 </body> 4508 </description> 4509 <references> 4510 <cvename>CVE-2016-2776</cvename> 4511 <freebsdsa>SA-16:28.bind</freebsdsa> 4512 <url>https://kb.isc.org/article/AA-01419</url> 4513 </references> 4514 <dates> 4515 <discovery>2016-09-27</discovery> 4516 <entry>2016-09-28</entry> 4517 <modified>2016-10-10</modified> 4518 </dates> 4519 </vuln> 4520 4521 <vuln vid="bb022643-84fb-11e6-a4a1-60a44ce6887b"> 4522 <topic>django -- CSRF protection bypass on a site with Google Analytics</topic> 4523 <affects> 4524 <package> 4525 <name>py-django19</name> 4526 <range><lt>1.9.10</lt></range> 4527 </package> 4528 <package> 4529 <name>py-django18</name> 4530 <range><lt>1.8.15</lt></range> 4531 </package> 4532 <package> 4533 <name>py-django</name> 4534 <range><lt>1.8.15</lt></range> 4535 </package> 4536 </affects> 4537 <description> 4538 <body xmlns="http://www.w3.org/1999/xhtml"> 4539 <p>Django Software Foundation reports:</p> 4540 <blockquote cite="https://www.djangoproject.com/weblog/2016/sep/26/security-releases/"> 4541 <p>An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.</p> 4542 </blockquote> 4543 </body> 4544 </description> 4545 <references> 4546 <url>https://www.djangoproject.com/weblog/2016/sep/26/security-releases/</url> 4547 <cvename>CVE-2016-7401</cvename> 4548 </references> 4549 <dates> 4550 <discovery>2016-09-26</discovery> 4551 <entry>2016-09-27</entry> 4552 </dates> 4553 </vuln> 4554 4555 <vuln vid="91a337d8-83ed-11e6-bf52-b499baebfeaf"> 4556 <topic>OpenSSL -- multiple vulnerabilities</topic> 4557 <affects> 4558 <package> 
4559 <name>openssl</name> 4560 <range><lt>1.0.2j,1</lt></range> 4561 </package> 4562 <package> 4563 <name>openssl-devel</name> 4564 <range><lt>1.1.0b</lt></range> 4565 </package> 4566 <package> 4567 <name>libressl</name> 4568 <range><lt>2.4.3</lt></range> 4569 </package> 4570 <package> 4571 <name>libressl-devel</name> 4572 <range><lt>2.4.3</lt></range> 4573 </package> 4574 <package> 4575 <name>FreeBSD</name> 4576 <range><ge>11.0</ge><lt>11.0_1</lt></range> 4577 </package> 4578 </affects> 4579 <description> 4580 <body xmlns="http://www.w3.org/1999/xhtml"> 4581 <p>OpenSSL reports:</p> 4582 <blockquote cite="https://www.openssl.org/news/secadv/20160926.txt"> 4583 <p>Critical vulnerability in OpenSSL 1.1.0a<br/> 4584 Fix Use After Free for large message sizes (CVE-2016-6309)</p> 4585 <p>Moderate vulnerability in OpenSSL 1.0.2i<br/> 4586 Missing CRL sanity check (CVE-2016-7052)</p> 4587 </blockquote> 4588 </body> 4589 </description> 4590 <references> 4591 <url>https://www.openssl.org/news/secadv/20160926.txt</url> 4592 <cvename>CVE-2016-6309</cvename> 4593 <cvename>CVE-2016-7052</cvename> 4594 <freebsdsa>SA-16:27.openssl</freebsdsa> 4595 </references> 4596 <dates> 4597 <discovery>2016-09-26</discovery> 4598 <entry>2016-09-26</entry> 4599 <modified>2016-10-10</modified> 4600 </dates> 4601 </vuln> 4602 4603 <vuln vid="43eaa656-80bc-11e6-bf52-b499baebfeaf"> 4604 <topic>OpenSSL -- multiple vulnerabilities</topic> 4605 <affects> 4606 <package> 4607 <name>openssl-devel</name> 4608 <range><ge>1.1.0</ge><lt>1.1.0_1</lt></range> 4609 </package> 4610 <package> 4611 <name>openssl</name> 4612 <range><lt>1.0.2i,1</lt></range> 4613 </package> 4614 <package> 4615 <name>linux-c6-openssl</name> 4616 <range><lt>1.0.1e_11</lt></range> 4617 </package> 4618 <package> 4619 <name>FreeBSD</name> 4620 <range><ge>10.3</ge><lt>10.3_8</lt></range> 4621 <range><ge>10.2</ge><lt>10.2_21</lt></range> 4622 <range><ge>10.1</ge><lt>10.1_38</lt></range> 4623 <range><ge>9.3</ge><lt>9.3_46</lt></range> 4624 
</package> 4625 </affects> 4626 <description> 4627 <body xmlns="http://www.w3.org/1999/xhtml"> 4628 <p>OpenSSL reports:</p> 4629 <blockquote cite="https://www.openssl.org/news/secadv/20160922.txt"> 4630 <p>High: OCSP Status Request extension unbounded memory growth</p> 4631 <p>SSL_peek() hang on empty record</p> 4632 <p>SWEET32 Mitigation</p> 4633 <p>OOB write in MDC2_Update()</p> 4634 <p>Malformed SHA512 ticket DoS</p> 4635 <p>OOB write in BN_bn2dec()</p> 4636 <p>OOB read in TS_OBJ_print_bio()</p> 4637 <p>Pointer arithmetic undefined behaviour</p> 4638 <p>Constant time flag not preserved in DSA signing</p> 4639 <p>DTLS buffered message DoS</p> 4640 <p>DTLS replay protection DoS</p> 4641 <p>Certificate message OOB reads</p> 4642 <p>Excessive allocation of memory in tls_get_message_header()</p> 4643 <p>Excessive allocation of memory in dtls1_preprocess_fragment()</p> 4644 <p>NB: LibreSSL is only affected by CVE-2016-6304</p> 4645 </blockquote> 4646 </body> 4647 </description> 4648 <references> 4649 <url>https://www.openssl.org/news/secadv/20160922.txt</url> 4650 <cvename>CVE-2016-6304</cvename> 4651 <cvename>CVE-2016-6305</cvename> 4652 <cvename>CVE-2016-2183</cvename> 4653 <cvename>CVE-2016-6303</cvename> 4654 <cvename>CVE-2016-6302</cvename> 4655 <cvename>CVE-2016-2182</cvename> 4656 <cvename>CVE-2016-2180</cvename> 4657 <cvename>CVE-2016-2177</cvename> 4658 <cvename>CVE-2016-2178</cvename> 4659 <cvename>CVE-2016-2179</cvename> 4660 <cvename>CVE-2016-2181</cvename> 4661 <cvename>CVE-2016-6306</cvename> 4662 <cvename>CVE-2016-6307</cvename> 4663 <cvename>CVE-2016-6308</cvename> 4664 <freebsdsa>SA-16:26.openssl</freebsdsa> 4665 </references> 4666 <dates> 4667 <discovery>2016-09-22</discovery> 4668 <entry>2016-09-22</entry> 4669 <modified>2016-10-11</modified> 4670 </dates> 4671 </vuln> 4672 4673 <vuln vid="e78261e4-803d-11e6-a590-14dae9d210b8"> 4674 <topic>irssi -- heap corruption and missing boundary checks</topic> 4675 <affects> 4676 <package> 4677 
<name>irssi</name> 4678 <name>zh-irssi</name> 4679 <range><ge>0.8.17</ge><lt>0.8.20</lt></range> 4680 </package> 4681 </affects> 4682 <description> 4683 <body xmlns="http://www.w3.org/1999/xhtml"> 4684 <p>Irssi reports:</p> 4685 <blockquote cite="https://irssi.org/security/irssi_sa_2016.txt"> 4686 <p>Remote crash and heap corruption. Remote code execution seems 4687 difficult since only Nuls are written.</p> 4688 </blockquote> 4689 </body> 4690 </description> 4691 <references> 4692 <url>https://irssi.org/security/irssi_sa_2016.txt</url> 4693 <cvename>CVE-2016-7044</cvename> 4694 <cvename>CVE-2016-7045</cvename> 4695 </references> 4696 <dates> 4697 <discovery>2016-09-21</discovery> 4698 <entry>2016-09-21</entry> 4699 <modified>2016-09-22</modified> 4700 </dates> 4701 </vuln> 4702 4703 <vuln vid="2c57c47e-8bb3-4694-83c8-9fc3abad3964"> 4704 <topic>mozilla -- multiple vulnerabilities</topic> 4705 <affects> 4706 <package> 4707 <name>firefox</name> 4708 <range><lt>49.0,1</lt></range> 4709 </package> 4710 <package> 4711 <name>seamonkey</name> 4712 <name>linux-seamonkey</name> 4713 <range><lt>2.46</lt></range> 4714 </package> 4715 <package> 4716 <name>firefox-esr</name> 4717 <range><lt>45.4.0,1</lt></range> 4718 </package> 4719 <package> 4720 <name>linux-firefox</name> 4721 <range><lt>45.4.0,2</lt></range> 4722 </package> 4723 <package> 4724 <name>libxul</name> 4725 <name>thunderbird</name> 4726 <name>linux-thunderbird</name> 4727 <range><lt>45.4.0</lt></range> 4728 </package> 4729 </affects> 4730 <description> 4731 <body xmlns="http://www.w3.org/1999/xhtml"> 4732 <p>Mozilla Foundation reports:</p> 4733 <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-85/"> 4734 <p>CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]</p> 4735 <p>CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]</p> 4736 <p>CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]</p> 4737 <p>CVE-2016-5270 - 
Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]</p> 4738 <p>CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]</p> 4739 <p>CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]</p> 4740 <p>CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]</p> 4741 <p>CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]</p> 4742 <p>CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]</p> 4743 <p>CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]</p> 4744 <p>CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]</p> 4745 <p>CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]</p> 4746 <p>CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]</p> 4747 <p>CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]</p> 4748 <p>CVE-2016-5281 - use-after-free in DOMSVGLength [high]</p> 4749 <p>CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]</p> 4750 <p>CVE-2016-5283 - <iframe src> fragment timing attack can reveal cross-origin data [high]</p> 4751 <p>CVE-2016-5284 - Add-on update site certificate pin expiration [high]</p> 4752 </blockquote> 4753 </body> 4754 </description> 4755 <references> 4756 <cvename>CVE-2016-2827</cvename> 4757 <cvename>CVE-2016-5256</cvename> 4758 <cvename>CVE-2016-5257</cvename> 4759 <cvename>CVE-2016-5270</cvename> 4760 <cvename>CVE-2016-5271</cvename> 4761 <cvename>CVE-2016-5272</cvename> 4762 <cvename>CVE-2016-5273</cvename> 4763 <cvename>CVE-2016-5274</cvename> 4764 <cvename>CVE-2016-5275</cvename> 4765 <cvename>CVE-2016-5276</cvename> 4766 <cvename>CVE-2016-5277</cvename> 4767 <cvename>CVE-2016-5278</cvename> 4768 <cvename>CVE-2016-5279</cvename> 4769 
<cvename>CVE-2016-5280</cvename> 4770 <cvename>CVE-2016-5281</cvename> 4771 <cvename>CVE-2016-5282</cvename> 4772 <cvename>CVE-2016-5283</cvename> 4773 <cvename>CVE-2016-5284</cvename> 4774 <url>https://www.mozilla.org/security/advisories/mfsa2016-85/</url> 4775 <url>https://www.mozilla.org/security/advisories/mfsa2016-86/</url> 4776 <url>https://www.mozilla.org/security/advisories/mfsa2016-88/</url> 4777 </references> 4778 <dates> 4779 <discovery>2016-09-13</discovery> 4780 <entry>2016-09-20</entry> 4781 <modified>2016-10-21</modified> 4782 </dates> 4783 </vuln> 4784 4785 <vuln vid="653a8059-7c49-11e6-9242-3065ec8fd3ec"> 4786 <topic>chromium -- multiple vulnerabilities</topic> 4787 <affects> 4788 <package> 4789 <name>chromium</name> 4790 <name>chromium-npapi</name> 4791 <name>chromium-pulse</name> 4792 <range><lt>53.0.2785.113</lt></range> 4793 </package> 4794 </affects> 4795 <description> 4796 <body xmlns="http://www.w3.org/1999/xhtml"> 4797 <p>Google Chrome Releases reports:</p> 4798 <blockquote cite="https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_13.html"> 4799 <p>Several security fixes in this release, including:</p> 4800 <ul> 4801 <li>[641101] High CVE-2016-5170: Use after free in Blink.Credit to 4802 Anonymous</li> 4803 <li>[643357] High CVE-2016-5171: Use after free in Blink. Credit to 4804 Anonymous</li> 4805 <li>[616386] Medium CVE-2016-5172: Arbitrary Memory Read in v8. 4806 Credit to Choongwoo Han</li> 4807 <li>[468931] Medium CVE-2016-5173: Extension resource access. 4808 Credit to Anonymous</li> 4809 <li>[579934] Medium CVE-2016-5174: Popup not correctly suppressed. 
4810 Credit to Andrey Kovalev (@L1kvID) Yandex Security Team</li> 4811 <li>[646394] CVE-2016-5175: Various fixes from internal audits, 4812 fuzzing and other initiatives.</li> 4813 </ul> 4814 </blockquote> 4815 </body> 4816 </description> 4817 <references> 4818 <cvename>CVE-2016-5170</cvename> 4819 <cvename>CVE-2016-5171</cvename> 4820 <cvename>CVE-2016-5172</cvename> 4821 <cvename>CVE-2016-5173</cvename> 4822 <cvename>CVE-2016-5174</cvename> 4823 <cvename>CVE-2016-5175</cvename> 4824 <url>https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_13.html</url> 4825 </references> 4826 <dates> 4827 <discovery>2016-09-13</discovery> 4828 <entry>2016-09-16</entry> 4829 </dates> 4830 </vuln> 4831 4832 <vuln vid="b64a7389-7c27-11e6-8aaa-5404a68ad561"> 4833 <topic>Remote-Code-Execution vulnerability in mysql and its variants CVE 2016-6662</topic> 4834 <affects> 4835 <package> 4836 <name>mysql57-client</name> 4837 <name>mysql57-server</name> 4838 <range><lt>5.7.15</lt></range> 4839 </package> 4840 </affects> 4841 <description> 4842 <body xmlns="http://www.w3.org/1999/xhtml"> 4843 <p>LegalHackers' reports:</p> 4844 <blockquote cite="http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html"> 4845 <p>RCE Bugs discovered in MySQL and its variants like MariaDB. 4846 It works by manipulating my.cnf files and using --malloc-lib. 
4847 The bug seems fixed in MySQL 5.7.15 by Oracle</p> 4848 </blockquote> 4849 </body> 4850 </description> 4851 <references> 4852 <cvename>CVE-2016-6662</cvename> 4853 <url>http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html</url> 4854 <url>https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html</url> 4855 </references> 4856 <dates> 4857 <discovery>2016-09-12</discovery> 4858 <entry>2016-09-14</entry> 4859 </dates> 4860 </vuln> 4861 4862 <vuln vid="bc19dcca-7b13-11e6-b99e-589cfc0654e1"> 4863 <topic>dropbear -- multiple vulnerabilities</topic> 4864 <affects> 4865 <package> 4866 <name>dropbear</name> 4867 <range><lt>2016.74</lt></range> 4868 </package> 4869 </affects> 4870 <description> 4871 <body xmlns="http://www.w3.org/1999/xhtml"> 4872 <p>Matt Johnston reports:</p> 4873 <blockquote cite="http://www.openwall.com/lists/oss-security/2016/09/15/2"> 4874 <p>If specific usernames including "%" symbols can be created on a system 4875 (validated by getpwnam()) then an attacker could run arbitrary code as root 4876 when connecting to Dropbear server. 4877 4878 A dbclient user who can control username or host arguments could potentially 4879 run arbitrary code as the dbclient user. This could be a problem if scripts 4880 or webpages pass untrusted input to the dbclient program.</p> 4881 <p>dropbearconvert import of OpenSSH keys could run arbitrary code as 4882 the local dropbearconvert user when parsing malicious key files.</p> 4883 <p>dbclient could run arbitrary code as the local dbclient user if 4884 particular -m or -c arguments are provided. 
This could be an issue where 4885 dbclient is used in scripts.</p> 4886 <p>dbclient or dropbear server could expose process memory to the 4887 running user if compiled with DEBUG_TRACE and running with -v</p> 4888 </blockquote> 4889 </body> 4890 </description> 4891 <references> 4892 <url>"http://www.openwall.com/lists/oss-security/2016/09/15/2"</url> 4893 <cvename>CVE-2016-7406</cvename> 4894 <cvename>CVE-2016-7407</cvename> 4895 <cvename>CVE-2016-7408</cvename> 4896 <cvename>CVE-2016-7409</cvename> 4897 </references> 4898 <dates> 4899 <discovery>2016-07-12</discovery> 4900 <entry>2016-09-15</entry> 4901 </dates> 4902 </vuln> 4903 4904 <vuln vid="08664d42-7989-11e6-b7a8-74d02b9a84d5"> 4905 <topic>h2o -- fix DoS attack vector</topic> 4906 <affects> 4907 <package> 4908 <name>h2o</name> 4909 <range> 4910 <lt>2.0.4</lt> 4911 </range> 4912 </package> 4913 </affects> 4914 <description> 4915 <body xmlns="http://www.w3.org/1999/xhtml"> 4916 <p>Frederik Deweerdt reported a denial-of-service attack vector 4917 due to an unhandled error condition during socket connection.</p> 4918 </body> 4919 </description> 4920 <references> 4921 <url>https://github.com/h2o/h2o/issues/1077</url> 4922 <cvename>CVE-2016-4864</cvename> 4923 </references> 4924 <dates> 4925 <discovery>2016-06-09</discovery> 4926 <entry>2016-09-14</entry> 4927 </dates> 4928 </vuln> 4929 4930 <vuln vid="b018121b-7a4b-11e6-bf52-b499baebfeaf"> 4931 <topic>cURL -- Escape and unescape integer overflows</topic> 4932 <affects> 4933 <package> 4934 <name>curl</name> 4935 <range><ge>7.11.1</ge><lt>7.50.3</lt></range> 4936 </package> 4937 </affects> 4938 <description> 4939 <body xmlns="http://www.w3.org/1999/xhtml"> 4940 <p>The cURL project reports</p> 4941 <blockquote cite="https://curl.haxx.se/docs/adv_20160914.html"> 4942 <p>The four libcurl functions curl_escape(), curl_easy_escape(), 4943 curl_unescape and curl_easy_unescape perform string URL percent 4944 escaping and unescaping. 
They accept custom string length inputs 4945 in signed integer arguments.</p> 4946 <p>The provided string length arguments were not properly checked 4947 and due to arithmetic in the functions, passing in the length 4948 0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up 4949 causing an allocation of zero bytes of heap memory that curl 4950 would attempt to write gigabytes of data into.</p> 4951 </blockquote> 4952 </body> 4953 </description> 4954 <references> 4955 <url>https://curl.haxx.se/docs/adv_20160914.html</url> 4956 <cvename>CVE-2016-7167</cvename> 4957 </references> 4958 <dates> 4959 <discovery>2016-09-14</discovery> 4960 <entry>2016-09-14</entry> 4961 </dates> 4962 </vuln> 4963 4964 <vuln vid="769ba449-79e1-11e6-bf75-3065ec8fd3ec"> 4965 <topic>chromium -- multiple vulnerabilities</topic> 4966 <affects> 4967 <package> 4968 <name>chromium</name> 4969 <name>chromium-npapi</name> 4970 <name>chromium-pulse</name> 4971 <range><lt>53.0.2785.92</lt></range> 4972 </package> 4973 </affects> 4974 <description> 4975 <body xmlns="http://www.w3.org/1999/xhtml"> 4976 <p>Google Chrome Releases reports:</p> 4977 <blockquote cite="https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop_31.html"> 4978 <p>33 security fixes in this release</p> 4979 <p>Please reference CVE/URL list for details</p> 4980 </blockquote> 4981 </body> 4982 </description> 4983 <references> 4984 <cvename>CVE-2016-5147</cvename> 4985 <cvename>CVE-2016-5148</cvename> 4986 <cvename>CVE-2016-5149</cvename> 4987 <cvename>CVE-2016-5150</cvename> 4988 <cvename>CVE-2016-5151</cvename> 4989 <cvename>CVE-2016-5152</cvename> 4990 <cvename>CVE-2016-5153</cvename> 4991 <cvename>CVE-2016-5154</cvename> 4992 <cvename>CVE-2016-5155</cvename> 4993 <cvename>CVE-2016-5156</cvename> 4994 <cvename>CVE-2016-5157</cvename> 4995 <cvename>CVE-2016-5158</cvename> 4996 <cvename>CVE-2016-5159</cvename> 4997 <cvename>CVE-2016-5160</cvename> 4998 <cvename>CVE-2016-5161</cvename> 4999 
<cvename>CVE-2016-5162</cvename> 5000 <cvename>CVE-2016-5163</cvename> 5001 <cvename>CVE-2016-5164</cvename> 5002 <cvename>CVE-2016-5165</cvename> 5003 <cvename>CVE-2016-5166</cvename> 5004 <cvename>CVE-2016-5167</cvename> 5005 <url>https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop_31.html</url> 5006 </references> 5007 <dates> 5008 <discovery>2016-08-31</discovery> 5009 <entry>2016-09-13</entry> 5010 </dates> 5011 </vuln> 5012 5013 <vuln vid="958b9cee-79da-11e6-bf75-3065ec8fd3ec"> 5014 <topic>chromium -- multiple vulnerabilities</topic> 5015 <affects> 5016 <package> 5017 <name>chromium</name> 5018 <name>chromium-npapi</name> 5019 <name>chromium-pulse</name> 5020 <range><lt>52.0.2743.116</lt></range> 5021 </package> 5022 </affects> 5023 <description> 5024 <body xmlns="http://www.w3.org/1999/xhtml"> 5025 <p>Google Chrome Releases reports:</p> 5026 <blockquote cite="https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop.html"> 5027 <p>10 security fixes in this release, including:</p> 5028 <ul> 5029 <li>[629542] High CVE-2016-5141 Address bar spoofing. Credit to 5030 anonymous</li> 5031 <li>[626948] High CVE-2016-5142 Use-after-free in Blink. Credit to 5032 anonymous</li> 5033 <li>[625541] High CVE-2016-5139 Heap overflow in pdfium. Credit to 5034 GiWan Go of Stealien</li> 5035 <li>[619405] High CVE-2016-5140 Heap overflow in pdfium. Credit to 5036 Ke Liu of Tencent's Xuanwu LAB</li> 5037 <li>[623406] Medium CVE-2016-5145 Same origin bypass for images in 5038 Blink. Credit to anonymous</li> 5039 <li>[619414] Medium CVE-2016-5143 Parameter sanitization failure in 5040 DevTools. Credit to Gregory Panakkal</li> 5041 <li>[618333] Medium CVE-2016-5144 Parameter sanitization failure in 5042 DevTools. 
Credit to Gregory Panakkal</li> 5043 <li>[633486] CVE-2016-5146: Various fixes from internal audits, 5044 fuzzing and other initiatives.</li> 5045 </ul> 5046 </blockquote> 5047 </body> 5048 </description> 5049 <references> 5050 <cvename>CVE-2016-5139</cvename> 5051 <cvename>CVE-2016-5140</cvename> 5052 <cvename>CVE-2016-5141</cvename> 5053 <cvename>CVE-2016-5142</cvename> 5054 <cvename>CVE-2016-5143</cvename> 5055 <cvename>CVE-2016-5144</cvename> 5056 <cvename>CVE-2016-5145</cvename> 5057 <cvename>CVE-2016-5146</cvename> 5058 <url>https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop.html</url> 5059 </references> 5060 <dates> 5061 <discovery>2016-08-03</discovery> 5062 <entry>2016-09-13</entry> 5063 </dates> 5064 </vuln> 5065 5066 <vuln vid="856b88bf-7984-11e6-81e7-d050996490d0"> 5067 <topic>mysql -- Remote Root Code Execution</topic> 5068 <affects> 5069 <package> 5070 <name>mariadb55-server</name> 5071 <range><lt>5.5.51</lt></range> 5072 </package> 5073 <package> 5074 <name>mariadb100-server</name> 5075 <range><lt>10.0.27</lt></range> 5076 </package> 5077 <package> 5078 <name>mariadb101-server</name> 5079 <range><lt>10.1.17</lt></range> 5080 </package> 5081 <package> 5082 <name>mysql55-server</name> 5083 <range><lt>5.5.52</lt></range> 5084 </package> 5085 <package> 5086 <name>mysql56-server</name> 5087 <range><lt>5.6.33</lt></range> 5088 </package> 5089 <package> 5090 <name>mysql57-server</name> 5091 <range><lt>5.7.15</lt></range> 5092 </package> 5093 <package> 5094 <name>percona55-server</name> 5095 <range><lt>5.5.51.38.1</lt></range> 5096 </package> 5097 <package> 5098 <name>percona56-server</name> 5099 <range><lt>5.6.32.78.0</lt></range> 5100 </package> 5101 <package> 5102 <name>percona57-server</name> 5103 <range><lt>5.7.14.7</lt></range> 5104 </package> 5105 </affects> 5106 <description> 5107 <body xmlns="http://www.w3.org/1999/xhtml"> 5108 <p>Dawid Golunski reports:</p> 5109 <blockquote 
cite="http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt"> 5110 <p>An independent research has revealed multiple severe MySQL 5111 vulnerabilities. This advisory focuses on a critical 5112 vulnerability with a CVEID of CVE-2016-6662 which can allow 5113 attackers to (remotely) inject malicious settings into MySQL 5114 configuration files (my.cnf) leading to critical 5115 consequences.</p> 5116 </blockquote> 5117 </body> 5118 </description> 5119 <references> 5120 <cvename>CVE-2016-6662</cvename> 5121 <url>http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt</url> 5122 <url>https://jira.mariadb.org/browse/MDEV-10465</url> 5123 <url>https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662/</url> 5124 <url>https://www.percona.com/blog/2016/09/12/database-affected-cve-2016-6662/</url> 5125 <url>https://www.psce.com/blog/2016/09/12/how-to-quickly-patch-mysql-server-against-cve-2016-6662/</url> 5126 </references> 5127 <dates> 5128 <discovery>2016-09-12</discovery> 5129 <entry>2016-09-13</entry> 5130 </dates> 5131 </vuln> 5132 5133 <vuln vid="331eabb3-85b1-466a-a2af-66ac864d395a"> 5134 <topic>wolfssl -- leakage of private key information</topic> 5135 <affects> 5136 <package> 5137 <name>wolfssl</name> 5138 <range><lt>3.6.8</lt></range> 5139 </package> 5140 </affects> 5141 <description> 5142 <body xmlns="http://www.w3.org/1999/xhtml"> 5143 <p>Florian Weimer of Redhat discovered that an optimization in 5144 RSA signature validation can result in disclosure of the 5145 server's private key under certain fault conditions.</p> 5146 </body> 5147 </description> 5148 <references> 5149 <url>https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html</url> 5150 
<url>https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/</url> 5151 <cvename>CVE-2015-7744</cvename> 5152 </references> 5153 <dates> 5154 <discovery>2015-09-17</discovery> 5155 <entry>2016-01-05</entry> 5156 </dates> 5157 </vuln> 5158 5159 <vuln vid="3d1372e1-7822-4fd8-b56e-5ee832afbd96"> 5160 <topic>wolfssl -- DDoS amplification in DTLS</topic> 5161 <affects> 5162 <package> 5163 <name>wolfssl</name> 5164 <range><lt>3.6.8</lt></range> 5165 </package> 5166 </affects> 5167 <description> 5168 <body xmlns="http://www.w3.org/1999/xhtml"> 5169 <p>Sebastian Ramacher identified an error in wolfSSL's implementation 5170 of the server side of the DTLS handshake, which could be abused 5171 for DDoS amplification or a DoS on the DTLS server itself.</p> 5172 </body> 5173 </description> 5174 <references> 5175 <url>https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html</url> 5176 <url>https://github.com/IAIK/wolfSSL-DoS</url> 5177 <cvename>CVE-2015-6925</cvename> 5178 </references> 5179 <dates> 5180 <discovery>2015-09-18</discovery> 5181 <entry>2016-01-05</entry> 5182 </dates> 5183 </vuln> 5184 5185 <vuln vid="a0128291-7690-11e6-95a8-0011d823eebd"> 5186 <topic>gnutls -- OCSP validation issue</topic> 5187 <affects> 5188 <package> 5189 <name>gnutls</name> 5190 <range><lt>3.4.15</lt></range> 5191 </package> 5192 </affects> 5193 <description> 5194 <body xmlns="http://www.w3.org/1999/xhtml"> 5195 <p>gnutls.org reports:</p> 5196 <blockquote cite="https://gnutls.org/security.html#GNUTLS-SA-2016-3"> 5197 <p>Stefan Bühler discovered an issue that affects validation 5198 of certificates using OCSP responses, which can falsely report a 5199 certificate as valid under certain circumstances.</p> 5200 </blockquote> 5201 </body> 5202 </description> 5203 <references> 5204 <url>https://gnutls.org/security.html#GNUTLS-SA-2016-3</url> 5205 </references> 
5206 <dates> 5207 <discovery>2016-09-08</discovery> 5208 <entry>2016-09-09</entry> 5209 </dates> 5210 </vuln> 5211 5212 <vuln vid="aa1aefe3-6e37-47db-bfda-343ef4acb1b5"> 5213 <topic>Mozilla -- multiple vulnerabilities</topic> 5214 <affects> 5215 <package> 5216 <name>firefox</name> 5217 <range><lt>48.0,1</lt></range> 5218 </package> 5219 <package> 5220 <name>seamonkey</name> 5221 <name>linux-seamonkey</name> 5222 <range><lt>2.45</lt></range> 5223 </package> 5224 <package> 5225 <name>firefox-esr</name> 5226 <range><lt>45.3.0,1</lt></range> 5227 </package> 5228 <package> 5229 <name>linux-firefox</name> 5230 <range><lt>45.3.0,2</lt></range> 5231 </package> 5232 <package> 5233 <name>libxul</name> 5234 <name>thunderbird</name> 5235 <name>linux-thunderbird</name> 5236 <range><lt>45.3.0</lt></range> 5237 </package> 5238 </affects> 5239 <description> 5240 <body xmlns="http://www.w3.org/1999/xhtml"> 5241 <p>Mozilla Foundation reports:</p> 5242 <blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox48"> 5243 <p>Please reference CVE/URL list for details</p> 5244 </blockquote> 5245 </body> 5246 </description> 5247 <references> 5248 <cvename>CVE-2016-0718</cvename> 5249 <cvename>CVE-2016-2830</cvename> 5250 <cvename>CVE-2016-2835</cvename> 5251 <cvename>CVE-2016-2836</cvename> 5252 <cvename>CVE-2016-2837</cvename> 5253 <cvename>CVE-2016-2838</cvename> 5254 <cvename>CVE-2016-2839</cvename> 5255 <cvename>CVE-2016-5250</cvename> 5256 <cvename>CVE-2016-5251</cvename> 5257 <cvename>CVE-2016-5252</cvename> 5258 <cvename>CVE-2016-5253</cvename> 5259 <cvename>CVE-2016-5254</cvename> 5260 <cvename>CVE-2016-5255</cvename> 5261 <cvename>CVE-2016-5258</cvename> 5262 <cvename>CVE-2016-5259</cvename> 5263 <cvename>CVE-2016-5260</cvename> 5264 <cvename>CVE-2016-5261</cvename> 5265 <cvename>CVE-2016-5262</cvename> 5266 <cvename>CVE-2016-5263</cvename> 5267 <cvename>CVE-2016-5264</cvename> 5268 <cvename>CVE-2016-5265</cvename> 5269 
<cvename>CVE-2016-5266</cvename> 5270 <cvename>CVE-2016-5267</cvename> 5271 <cvename>CVE-2016-5268</cvename> 5272 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/</url> 5273 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-63/</url> 5274 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-64/</url> 5275 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-65/</url> 5276 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-66/</url> 5277 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-67/</url> 5278 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-68/</url> 5279 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-69/</url> 5280 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-70/</url> 5281 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-71/</url> 5282 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-72/</url> 5283 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-73/</url> 5284 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-74/</url> 5285 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-75/</url> 5286 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-76/</url> 5287 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-77/</url> 5288 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-78/</url> 5289 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-79/</url> 5290 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-80/</url> 5291 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-81/</url> 5292 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-82/</url> 5293 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-83/</url> 5294 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-84/</url> 5295 </references> 5296 <dates> 5297 <discovery>2016-08-02</discovery> 
5298 <entry>2016-09-07</entry> 5299 <modified>2016-09-20</modified> 5300 </dates> 5301 </vuln> 5302 5303 <vuln vid="5cb18881-7604-11e6-b362-001999f8d30b"> 5304 <topic>asterisk -- RTP Resource Exhaustion</topic> 5305 <affects> 5306 <package> 5307 <name>asterisk11</name> 5308 <range><lt>11.23.1</lt></range> 5309 </package> 5310 <package> 5311 <name>asterisk13</name> 5312 <range><lt>13.11.1</lt></range> 5313 </package> 5314 </affects> 5315 <description> 5316 <body xmlns="http://www.w3.org/1999/xhtml"> 5317 <p>The Asterisk project reports:</p> 5318 <blockquote cite="http://www.asterisk.org/downloads/security-advisories"> 5319 <p>The overlap dialing feature in chan_sip allows chan_sip 5320 to report to a device that the number that has been dialed 5321 is incomplete and more digits are required. If this 5322 functionality is used with a device that has performed 5323 username/password authentication RTP resources are leaked. 5324 This occurs because the code fails to release the old RTP 5325 resources before allocating new ones in this scenario. 5326 If all resources are used then RTP port exhaustion will 5327 occur and no RTP sessions are able to be set up.</p> 5328 <p>If overlap dialing support is not needed the "allowoverlap" 5329 option can be set to no. 
This will stop any usage of the 5330 scenario which causes the resource exhaustion.</p> 5331 </blockquote> 5332 </body> 5333 </description> 5334 <references> 5335 <url>http://downloads.asterisk.org/pub/security/AST-2016-007.html</url> 5336 </references> 5337 <dates> 5338 <discovery>2016-08-05</discovery> 5339 <entry>2016-09-08</entry> 5340 </dates> 5341 </vuln> 5342 5343 <vuln vid="7fda7920-7603-11e6-b362-001999f8d30b"> 5344 <topic>asterisk -- Crash on ACK from unknown endpoint</topic> 5345 <affects> 5346 <package> 5347 <name>asterisk13</name> 5348 <range><ge>13.10.0</ge><lt>13.11.1</lt></range> 5349 </package> 5350 </affects> 5351 <description> 5352 <body xmlns="http://www.w3.org/1999/xhtml"> 5353 <p>The Asterisk project reports:</p> 5354 <blockquote cite="http://www.asterisk.org/downloads/security-advisories"> 5355 <p>Asterisk can be crashed remotely by sending an ACK to 5356 it from an endpoint username that Asterisk does not 5357 recognize. Most SIP request types result in an "artificial" 5358 endpoint being looked up, but ACKs bypass this lookup. 5359 The resulting NULL pointer results in a crash when 5360 attempting to determine if ACLs should be applied.</p> 5361 <p>This issue was introduced in the Asterisk 13.10 release 5362 and only affects that release.</p> 5363 <p>This issue only affects users using the PJSIP stack 5364 with Asterisk. 
Those users that use chan_sip are
            unaffected.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://downloads.asterisk.org/pub/security/AST-2016-006.html</url>
    </references>
    <dates>
      <discovery>2016-08-03</discovery>
      <entry>2016-09-08</entry>
    </dates>
  </vuln>

  <vuln vid="70c85c93-743c-11e6-a590-14dae9d210b8">
    <topic>inspircd -- authentication bypass vulnerability</topic>
    <affects>
      <package>
        <name>inspircd</name>
        <range><lt>2.0.23</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Adam reports:</p>
        <blockquote cite="http://www.inspircd.org/2016/09/03/v2023-released.html">
          <p>A serious vulnerability exists when using m_sasl in
            combination with any services that support SASL EXTERNAL.
            To be vulnerable you must have m_sasl loaded, and have services which
            support SASL EXTERNAL authentication.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.inspircd.org/2016/09/03/v2023-released.html</url>
    </references>
    <dates>
      <discovery>2016-09-03</discovery>
      <entry>2016-09-06</entry>
    </dates>
  </vuln>

  <vuln vid="9e50dcc3-740b-11e6-94a2-080027ef73ec">
    <topic>mailman -- CSRF hardening in parts of the web interface</topic>
    <affects>
      <package>
        <name>mailman</name>
        <range><lt>2.1.15</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The late Tokio Kikuchi reported:</p>
        <blockquote cite="https://bugs.launchpad.net/mailman/+bug/775294">
          <p>We may have to set lifetime for input forms because of recent
            activities on cross-site request forgery (CSRF). The form lifetime
            is successfully deployed in frameworks like web.py or plone etc.
5421 Proposed branch lp:~tkikuchi/mailman/form-lifetime implement 5422 lifetime in admin, admindb, options and edithtml interfaces. 5423 [...]</p> 5424 </blockquote> 5425 <blockquote cite="https://launchpad.net/mailman/2.1/2.1.15"> 5426 <p>The web admin interface has been hardened against CSRF attacks by 5427 adding a hidden, encrypted token with a time stamp to form submissions 5428 and not accepting authentication by cookie if the token is missing, 5429 invalid or older than the new mm_cfg.py setting FORM_LIFETIME which 5430 defaults to one hour. Posthumous thanks go to Tokio Kikuchi for this implementation [...].</p> 5431 </blockquote> 5432 </body> 5433 </description> 5434 <references> 5435 <url>https://bugs.launchpad.net/mailman/+bug/775294</url> 5436 <url>https://launchpad.net/mailman/2.1/2.1.15</url> 5437 <cvename>CVE-2016-7123</cvename> 5438 </references> 5439 <dates> 5440 <discovery>2011-05-02</discovery> 5441 <entry>2016-09-06</entry> 5442 </dates> 5443 </vuln> 5444 5445 <vuln vid="adccefd1-7080-11e6-a2cb-c80aa9043978"> 5446 <topic>openssh -- sshd -- remote valid user discovery and PAM /bin/login attack</topic> 5447 <affects> 5448 <package> 5449 <name>openssh-portable</name> 5450 <range><lt>7.3.p1,1</lt></range> 5451 </package> 5452 </affects> 5453 <description> 5454 <body xmlns="http://www.w3.org/1999/xhtml"> 5455 <p>The OpenSSH project reports:</p> 5456 <blockquote cite="http://www.openssh.com/txt/release-7.3"> 5457 <p>* sshd(8): Mitigate timing differences in password authentication 5458 that could be used to discern valid from invalid account names 5459 when long passwords were sent and particular password hashing 5460 algorithms are in use on the server. CVE-2016-6210, reported by 5461 EddieEzra.Harari at verint.com 5462 </p> 5463 <p> * sshd(8): (portable only) Ignore PAM environment vars when 5464 UseLogin=yes. 
If PAM is configured to read user-specified 5465 environment variables and UseLogin=yes in sshd_config, then a 5466 hostile local user may attack /bin/login via LD_PRELOAD or 5467 similar environment variables set via PAM. CVE-2015-8325, 5468 found by Shayan Sadigh. 5469 </p> 5470 </blockquote> 5471 </body> 5472 </description> 5473 <references> 5474 <url>http://www.openssh.com/txt/release-7.3</url> 5475 <cvename>CVE-2016-6210</cvename> 5476 <cvename>CVE-2015-8325</cvename> 5477 </references> 5478 <dates> 5479 <discovery>2016-08-01</discovery> 5480 <entry>2016-09-01</entry> 5481 </dates> 5482 </vuln> 5483 5484 <vuln vid="b11ab01b-6e19-11e6-ab24-080027ef73ec"> 5485 <topic>mailman -- CSRF protection enhancements</topic> 5486 <affects> 5487 <package> 5488 <name>mailman</name> 5489 <range><lt>2.1.23</lt></range> 5490 </package> 5491 </affects> 5492 <description> 5493 <body xmlns="http://www.w3.org/1999/xhtml"> 5494 <p>Mark Sapiro reports:</p> 5495 <blockquote cite="http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1668"> 5496 <p>CSRF protection has been extended to the user options page. This 5497 was actually fixed by Tokio Kikuchi as part of the fix for LP: 5498 #775294 and intended for Mailman 2.1.15, but that fix wasn't 5499 completely merged at the time. The full fix also addresses the 5500 admindb, and edithtml pages as well as the user options page and the 5501 previously fixed admin pages. 
Thanks to Nishant Agarwala for reporting the issue.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1668</url>
      <url>https://mail.python.org/pipermail/mailman-announce/2016-August/000226.html</url>
      <cvename>CVE-2016-6893</cvename>
    </references>
    <dates>
      <discovery>2016-08-19</discovery>
      <entry>2016-08-29</entry>
    </dates>
  </vuln>

  <vuln vid="e195679d-045b-4953-bb33-be0073ba2ac6">
    <topic>libxml2 -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>libxml2</name>
        <range><lt>2.9.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Daniel Veillard reports:</p>
        <blockquote cite="https://mail.gnome.org/archives/xml/2016-May/msg00023.html">
          <p>More format string warnings with possible format string
            vulnerability (David Kilzer)</p>
          <p>Avoid building recursive entities (Daniel Veillard)</p>
          <p>Heap-based buffer overread in htmlCurrentChar (Pranjal Jumde)</p>
          <p>Heap-based buffer-underreads due to xmlParseName (David Kilzer)</p>
          <p>Heap use-after-free in xmlSAX2AttributeNs (Pranjal Jumde)</p>
          <p>Heap use-after-free in htmlParsePubidLiteral and
            htmlParseSystemLiteral (Pranjal Jumde)</p>
          <p>Fix some format string warnings with possible format string
            vulnerability (David Kilzer)</p>
          <p>Detect change of encoding when parsing HTML names (Hugh Davenport)</p>
          <p>Fix inappropriate fetch of entities content (Daniel Veillard)</p>
          <p>Bug 759398: Heap use-after-free in xmlDictComputeFastKey
            (Pranjal Jumde)</p>
          <p>Bug 758605: Heap-based buffer overread in xmlDictAddString
            (Pranjal Jumde)</p>
          <p>Bug 758588: Heap-based buffer overread in
            xmlParserPrintFileContextInternal (David Kilzer)</p>
          <p>Bug 757711: heap-buffer-overflow in
xmlFAParsePosCharGroup 5547 (Pranjal Jumde)</p> 5548 <p>Add missing increments of recursion depth counter to XML parser. 5549 (Peter Simons)</p> 5550 <p>Fix NULL pointer deref in XPointer range-to</p> 5551 </blockquote> 5552 </body> 5553 </description> 5554 <references> 5555 <url>https://mail.gnome.org/archives/xml/2016-May/msg00023.html</url> 5556 <url>https://bugzilla.gnome.org/show_bug.cgi?id=759398</url> 5557 <url>https://bugzilla.gnome.org/show_bug.cgi?id=758605</url> 5558 <url>https://bugzilla.gnome.org/show_bug.cgi?id=758588</url> 5559 <url>https://bugzilla.gnome.org/show_bug.cgi?id=757711</url> 5560 <url>https://git.gnome.org/browse/libxml2/patch/?id=d8083bf77955b7879c1290f0c0a24ab8cc70f7fb</url> 5561 <cvename>CVE-2016-1762</cvename> 5562 <cvename>CVE-2016-1833</cvename> 5563 <cvename>CVE-2016-1834</cvename> 5564 <cvename>CVE-2016-1835</cvename> 5565 <cvename>CVE-2016-1836</cvename> 5566 <cvename>CVE-2016-1837</cvename> 5567 <cvename>CVE-2016-1838</cvename> 5568 <cvename>CVE-2016-1839</cvename> 5569 <cvename>CVE-2016-1840</cvename> 5570 <cvename>CVE-2016-3627</cvename> 5571 <cvename>CVE-2016-3705</cvename> 5572 <cvename>CVE-2016-4449</cvename> 5573 <cvename>CVE-2016-4483</cvename> 5574 </references> 5575 <dates> 5576 <discovery>2016-05-23</discovery> 5577 <entry>2016-08-28</entry> 5578 </dates> 5579 </vuln> 5580 5581 <vuln vid="4472ab39-6c66-11e6-9ca5-50e549ebab6c"> 5582 <topic>kdelibs -- directory traversal vulnerability</topic> 5583 <affects> 5584 <package> 5585 <name>kdelibs</name> 5586 <range><lt>4.14.10_7</lt></range> 5587 </package> 5588 </affects> 5589 <description> 5590 <body xmlns="http://www.w3.org/1999/xhtml"> 5591 <p>David Faure reports:</p> 5592 <blockquote cite="https://www.kde.org/info/security/advisory-20160724-1.txt"> 5593 <p>A maliciously crafted archive (.zip or .tar.bz2) with "../" in the 5594 file paths could be offered for download via the KNewStuff 5595 framework (e.g. 
on www.kde-look.org), and upon extraction would
            install files anywhere in the user's home directory.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-6232</cvename>
      <url>https://www.kde.org/info/security/advisory-20160724-1.txt</url>
    </references>
    <dates>
      <discovery>2016-07-24</discovery>
      <entry>2016-08-27</entry>
    </dates>
  </vuln>

  <vuln vid="f5035ead-688b-11e6-8b1d-c86000169601">
    <topic>eog -- out-of-bounds write</topic>
    <affects>
      <package>
        <name>eog</name>
        <range><lt>3.18.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Felix Riemann reports:</p>
        <blockquote cite="https://mail.gnome.org/archives/ftp-release-list/2016-August/msg00123.html">
          <p>CVE-2016-6855 out-of-bounds write in eog 3.10.2.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://mail.gnome.org/archives/ftp-release-list/2016-August/msg00123.html</url>
      <cvename>CVE-2016-6855</cvename>
    </references>
    <dates>
      <discovery>2016-08-21</discovery>
      <entry>2016-08-22</entry>
    </dates>
  </vuln>

  <vuln vid="44989c29-67d1-11e6-8b1d-c86000169601">
    <topic>fontconfig -- insufficient cache file validation</topic>
    <affects>
      <package>
        <name>fontconfig</name>
        <range><lt>1.12.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Debian security team reports:</p>
        <blockquote cite="https://packetstormsecurity.com/files/138236/Debian-Security-Advisory-3644-1.html">
          <p>Tobias Stoeckmann discovered that cache files are insufficiently
            validated in fontconfig, a generic font configuration library. An
            attacker can trigger arbitrary free() calls, which in turn allows
            double free attacks and therefore arbitrary code execution.
In 5652 combination with setuid binaries using crafted cache files, this 5653 could allow privilege escalation.</p> 5654 </blockquote> 5655 </body> 5656 </description> 5657 <references> 5658 <url>https://packetstormsecurity.com/files/138236/Debian-Security-Advisory-3644-1.html</url> 5659 <cvename>CVE-2016-5384</cvename> 5660 </references> 5661 <dates> 5662 <discovery>2016-08-05</discovery> 5663 <entry>2016-08-21</entry> 5664 </dates> 5665 </vuln> 5666 5667 <vuln vid="7fe7df75-6568-11e6-a590-14dae9d210b8"> 5668 <topic>End of Life Ports</topic> 5669 <affects> 5670 <package> 5671 <name>python32</name> 5672 <name>python31</name> 5673 <name>python30</name> 5674 <name>python26</name> 5675 <name>python25</name> 5676 <name>python24</name> 5677 <name>python23</name> 5678 <name>python22</name> 5679 <name>python21</name> 5680 <name>python20</name> 5681 <name>python15</name> 5682 <range><ge>0</ge></range> 5683 </package> 5684 <package> 5685 <name>php54</name> 5686 <name>php53</name> 5687 <name>php52</name> 5688 <name>php5</name> 5689 <name>php4</name> 5690 <range><ge>0</ge></range> 5691 </package> 5692 <package> 5693 <name>perl5</name> 5694 <range><lt>5.18</lt></range> 5695 </package> 5696 <package> 5697 <name>perl5.16</name> 5698 <name>perl5.14</name> 5699 <name>perl5.12</name> 5700 <name>perl</name> <!-- Perl 5.10 and earlier were called "perl" --> 5701 <range><ge>0</ge></range> 5702 </package> 5703 <package> 5704 <name>ruby</name> 5705 <name>ruby_static</name> 5706 <range><lt>2.1,1</lt></range> 5707 </package> 5708 <package> 5709 <name>unifi2</name> 5710 <name>unifi3</name> 5711 <range><ge>0</ge></range> 5712 </package> 5713 <package> 5714 <name>apache21</name> 5715 <name>apache20</name> 5716 <name>apache13</name> 5717 <range><ge>0</ge></range> 5718 </package> 5719 <package> 5720 <name>tomcat55</name> 5721 <name>tomcat41</name> 5722 <range><ge>0</ge></range> 5723 </package> 5724 <package> 5725 <name>mysql51-client</name> 5726 <name>mysql51-server</name> 5727 
<name>mysql50-client</name> 5728 <name>mysql50-server</name> 5729 <name>mysql41-client</name> 5730 <name>mysql41-server</name> 5731 <name>mysql40-client</name> 5732 <name>mysql40-server</name> 5733 <range><ge>0</ge></range> 5734 </package> 5735 <package> 5736 <name>postgresql90-client</name> 5737 <name>postgresql90-server</name> 5738 <name>postgresql84-client</name> 5739 <name>postgresql84-server</name> 5740 <name>postgresql83-client</name> 5741 <name>postgresql83-server</name> 5742 <name>postgresql82-client</name> 5743 <name>postgresql82-server</name> 5744 <name>postgresql81-client</name> 5745 <name>postgresql81-server</name> 5746 <name>postgresql80-client</name> 5747 <name>postgresql80-server</name> 5748 <name>postgresql74-client</name> 5749 <name>postgresql74-server</name> 5750 <name>postgresql73-client</name> 5751 <name>postgresql73-server</name> 5752 <name>postgresql72-client</name> 5753 <name>postgresql72-server</name> 5754 <name>postgresql71-client</name> 5755 <name>postgresql71-server</name> 5756 <name>postgresql7-client</name> 5757 <name>postgresql7-server</name> 5758 <range><ge>0</ge></range> 5759 </package> 5760 </affects> 5761 <description> 5762 <body xmlns="http://www.w3.org/1999/xhtml"> 5763 <p>These packages have reached End of Life status and/or have 5764 been removed from the Ports Tree. They may contain undocumented 5765 security issues. 
Please take caution and find alternative 5766 software as soon as possible.</p> 5767 </body> 5768 </description> 5769 <references> 5770 <freebsdpr>ports/211975</freebsdpr> 5771 </references> 5772 <dates> 5773 <discovery>2016-08-18</discovery> 5774 <entry>2016-08-18</entry> 5775 <modified>2016-10-18</modified> 5776 </dates> 5777 </vuln> 5778 5779 <vuln vid="e1c71d8d-64d9-11e6-b38a-25a46b33f2ed"> 5780 <topic>gnupg -- attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output</topic> 5781 <affects> 5782 <package> 5783 <name>gnupg1</name> 5784 <range><lt>1.4.21</lt></range> 5785 </package> 5786 <package> 5787 <name>libgcrypt</name> 5788 <range><lt>1.7.3</lt></range> 5789 </package> 5790 <package> 5791 <name>linux-c6-libgcrypt</name> 5792 <range><lt>1.4.5_4</lt></range> 5793 </package> 5794 <package> 5795 <name>linux-c7-libgcrypt</name> 5796 <range><lt>1.5.3_1</lt></range> 5797 </package> 5798 </affects> 5799 <description> 5800 <body xmlns="http://www.w3.org/1999/xhtml"> 5801 <p>Werner Koch reports:</p> 5802 <blockquote cite="https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html"> 5803 <p>There was a bug in the mixing functions of Libgcrypt's random 5804 number generator: An attacker who obtains 4640 bits from the RNG can 5805 trivially predict the next 160 bits of output. 
This bug exists since 5806 1998 in all GnuPG and Libgcrypt versions.</p> 5807 </blockquote> 5808 </body> 5809 </description> 5810 <references> 5811 <url>https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html</url> 5812 <cvename>CVE-2016-6313</cvename> 5813 </references> 5814 <dates> 5815 <discovery>2016-08-17</discovery> 5816 <entry>2016-08-18</entry> 5817 <modified>2016-11-30</modified> 5818 </dates> 5819 </vuln> 5820 5821 <vuln vid="ef70b201-645d-11e6-9cdc-6805ca0b3d42"> 5822 <topic>phpmyadmin -- multiple vulnerabilities</topic> 5823 <affects> 5824 <package> 5825 <name>phpmyadmin</name> 5826 <range><ge>4.6.0</ge><lt>4.6.4</lt></range> 5827 </package> 5828 </affects> 5829 <description> 5830 <body xmlns="http://www.w3.org/1999/xhtml"> 5831 <p>The phpmyadmin development team reports:</p> 5832 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-29/"> 5833 <p>Weakness with cookie encryption</p> 5834 </blockquote> 5835 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-30/"> 5836 <p>Multiple XSS vulnerabilities</p> 5837 </blockquote> 5838 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-31/"> 5839 <p>Multiple XSS vulnerabilities</p> 5840 </blockquote> 5841 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-32/"> 5842 <p>PHP code injection</p> 5843 </blockquote> 5844 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-33/"> 5845 <p>Full path disclosure</p> 5846 </blockquote> 5847 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-34/"> 5848 <p>SQL injection attack</p> 5849 </blockquote> 5850 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-35/"> 5851 <p>Local file exposure</p> 5852 </blockquote> 5853 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-36/"> 5854 <p>Local file exposure through symlinks with 5855 UploadDir</p> 5856 </blockquote> 5857 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-37/"> 5858 <p>Path traversal with 
SaveDir and UploadDir</p> 5859 </blockquote> 5860 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-38/"> 5861 <p>Multiple XSS vulnerabilities</p> 5862 </blockquote> 5863 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-39/"> 5864 <p>SQL injection attack</p> 5865 </blockquote> 5866 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-40/"> 5867 <p>SQL injection attack</p> 5868 </blockquote> 5869 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-41/"> 5870 <p>Denial of service (DOS) attack in transformation 5871 feature</p> 5872 </blockquote> 5873 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-42/"> 5874 <p>SQL injection attack as control user</p> 5875 </blockquote> 5876 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-43/"> 5877 <p>Unvalidated data passed to unserialize()</p> 5878 </blockquote> 5879 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-45/"> 5880 <p>DOS attack with forced persistent connections</p> 5881 </blockquote> 5882 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-46/"> 5883 <p>Denial of service (DOS) attack by for loops</p> 5884 </blockquote> 5885 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-47/"> 5886 <p>IPv6 and proxy server IP-based authentication rule 5887 circumvention</p> 5888 </blockquote> 5889 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-48/"> 5890 <p>Detect if user is logged in</p> 5891 </blockquote> 5892 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-49/"> 5893 <p>Bypass URL redirect protection</p> 5894 </blockquote> 5895 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-50/"> 5896 <p>Referrer leak in url.php</p> 5897 </blockquote> 5898 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-51/"> 5899 <p>Reflected File Download attack</p> 5900 </blockquote> 5901 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-52/"> 
<p>ArbitraryServerRegexp bypass</p>
        </blockquote>
        <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-53/">
          <p>Denial of service (DOS) attack by changing password to a
            very long string</p>
        </blockquote>
        <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-54/">
          <p>Remote code execution vulnerability when run as CGI</p>
        </blockquote>
        <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-55/">
          <p>Denial of service (DOS) attack with dbase extension</p>
        </blockquote>
        <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-56/">
          <p>Remote code execution vulnerability when PHP is running
            with dbase extension</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-29/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-30/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-31/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-32/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-33/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-34/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-35/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-36/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-37/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-38/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-39/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-40/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-41/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-42/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-43/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-45/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-46/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-47/</url> 5940 <url>https://www.phpmyadmin.net/security/PMASA-2016-48/</url> 5941 <url>https://www.phpmyadmin.net/security/PMASA-2016-49/</url> 5942 <url>https://www.phpmyadmin.net/security/PMASA-2016-50/</url> 5943 <url>https://www.phpmyadmin.net/security/PMASA-2016-51/</url> 5944 <url>https://www.phpmyadmin.net/security/PMASA-2016-52/</url> 5945 <url>https://www.phpmyadmin.net/security/PMASA-2016-53/</url> 5946 <url>https://www.phpmyadmin.net/security/PMASA-2016-54/</url> 5947 <url>https://www.phpmyadmin.net/security/PMASA-2016-55/</url> 5948 <url>https://www.phpmyadmin.net/security/PMASA-2016-56/</url> 5949 <cvename>CVE-2016-6606</cvename> 5950 <cvename>CVE-2016-6607</cvename> 5951 <cvename>CVE-2016-6608</cvename> 5952 <cvename>CVE-2016-6609</cvename> 5953 <cvename>CVE-2016-6610</cvename> 5954 <cvename>CVE-2016-6611</cvename> 5955 <cvename>CVE-2016-6612</cvename> 5956 <cvename>CVE-2016-6613</cvename> 5957 <cvename>CVE-2016-6614</cvename> 5958 <cvename>CVE-2016-6615</cvename> 5959 <cvename>CVE-2016-6616</cvename> 5960 <cvename>CVE-2016-6617</cvename> 5961 <cvename>CVE-2016-6618</cvename> 5962 <cvename>CVE-2016-6619</cvename> 5963 <cvename>CVE-2016-6620</cvename> 5964 <cvename>CVE-2016-6622</cvename> 5965 <cvename>CVE-2016-6623</cvename> 5966 <cvename>CVE-2016-6624</cvename> 5967 <cvename>CVE-2016-6625</cvename> 5968 <cvename>CVE-2016-6626</cvename> 5969 <cvename>CVE-2016-6627</cvename> 5970 <cvename>CVE-2016-6628</cvename> 5971 <cvename>CVE-2016-6629</cvename> 5972 <cvename>CVE-2016-6630</cvename> 5973 <cvename>CVE-2016-6631</cvename> 5974 <cvename>CVE-2016-6632</cvename> 5975 <cvename>CVE-2016-6633</cvename> 5976 </references> 5977 <dates> 5978 <discovery>2016-08-17</discovery> 5979 <entry>2016-08-17</entry> 5980 </dates> 5981 </vuln> 5982 5983 <vuln vid="f7dd2d09-625e-11e6-828b-fcaa14edc6a6"> 5984 <topic>TeamSpeak Server 3 -- Multiple vulnerabilities including Remote Code Execution</topic> 5985 <affects> 5986 
<package>
        <name>teamspeak3-server</name>
        <range><le>3.0.13_1,1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Hanz Jenson's audit report:</p>
        <blockquote cite="http://seclists.org/fulldisclosure/2016/Aug/61">
          <p>I found 10 vulnerabilities. Some of these are critical and allow remote code
            execution. For the average user, that means that these vulnerabilities can be
            exploited by a malicious attacker in order to take over any Teamspeak server,
            not only becoming serveradmin, but getting a shell on the affected machine.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://seclists.org/fulldisclosure/2016/Aug/61</url>
    </references>
    <dates>
      <discovery>2016-08-12</discovery>
      <entry>2016-08-14</entry>
    </dates>
  </vuln>

  <vuln vid="df502a2f-61f6-11e6-a461-643150d3111d">
    <topic>puppet-agent MCollective plugin -- Remote Code Execution vulnerability</topic>
    <affects>
      <package>
        <name>mcollective-puppet-agent</name>
        <range><lt>1.11.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Puppet reports:</p>
        <blockquote cite="https://puppet.com/security/cve/cve-2015-7331">
          <p>Puppet Enterprise previously included a puppet-agent MCollective plugin that
            allowed you to pass the `--server` argument to MCollective. This insecure
            argument enabled remote code execution via connection to an untrusted host.
            In the puppet-agent MCollective version included in PE 2016.2.1, this option
            is disabled by default.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://puppet.com/security/cve/cve-2015-7331</url>
      <cvename>CVE-2015-7331</cvename>
    </references>
    <dates>
      <discovery>2016-08-09</discovery>
      <entry>2016-08-15</entry>
    </dates>
  </vuln>

  <vuln vid="7d4f4955-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Heap vulnerability in bspatch</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.3</ge><lt>10.3_6</lt></range>
        <range><ge>10.2</ge><lt>10.2_20</lt></range>
        <range><ge>10.1</ge><lt>10.1_37</lt></range>
        <range><ge>9.3</ge><lt>9.3_45</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The implementation of bspatch does not check for a
          negative value on numbers of bytes read from the diff and
          extra streams, allowing an attacker who can control the
          patch file to write at arbitrary locations in the heap.</p>
        <p>This issue was first discovered by The Chromium Project
          and reported independently by Lu Tung-Pin to the FreeBSD
          project.</p>
        <h1>Impact:</h1>
        <p>An attacker who can control the patch file can cause a
          crash or run arbitrary code under the credentials of the
          user who runs bspatch, in many cases, root.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-9862</cvename>
      <freebsdsa>SA-16:25.bspatch</freebsdsa>
    </references>
    <dates>
      <discovery>2016-07-25</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="7cfcea05-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Multiple ntp vulnerabilities</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.3</ge><lt>10.3_5</lt></range>
<range><ge>10.2</ge><lt>10.2_19</lt></range> 6081 <range><ge>10.1</ge><lt>10.1_36</lt></range> 6082 <range><ge>9.3</ge><lt>9.3_44</lt></range> 6083 </package> 6084 </affects> 6085 <description> 6086 <body xmlns="http://www.w3.org/1999/xhtml"> 6087 <h1>Problem Description:</h1> 6088 <p>Multiple vulnerabilities have been discovered in the NTP 6089 suite:</p> 6090 <p>The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that 6091 could cause ntpd to crash. [CVE-2016-4957, Reported by 6092 Nicolas Edet of Cisco]</p> 6093 <p>An attacker who knows the origin timestamp and can send 6094 a spoofed packet containing a CRYPTO-NAK to an ephemeral 6095 peer target before any other response is sent can demobilize 6096 that association. [CVE-2016-4953, Reported by Miroslav 6097 Lichvar of Red Hat]</p> 6098 <p>An attacker who is able to spoof packets with correct 6099 origin timestamps from enough servers before the expected 6100 response packets arrive at the target machine can affect 6101 some peer variables and, for example, cause a false leap 6102 indication to be set. [CVE-2016-4954, Reported by Jakub 6103 Prokes of Red Hat]</p> 6104 <p>An attacker who is able to spoof a packet with a correct 6105 origin timestamp before the expected response packet arrives 6106 at the target machine can send a CRYPTO_NAK or a bad MAC 6107 and cause the association's peer variables to be cleared. 6108 If this can be done often enough, it will prevent that 6109 association from working. [CVE-2016-4955, Reported by 6110 Miroslav Lichvar of Red Hat]</p> 6111 <p>The fix for NtpBug2978 does not cover broadcast associations, 6112 so broadcast clients can be triggered to flip into interleave 6113 mode. 
[CVE-2016-4956, Reported by Miroslav Lichvar of Red 6114 Hat.]</p> 6115 <h1>Impact:</h1> 6116 <p>Malicious remote attackers may be able to break time 6117 synchronization, or cause the ntpd(8) daemon to crash.</p> 6118 </body> 6119 </description> 6120 <references> 6121 <cvename>CVE-2016-4953</cvename> 6122 <cvename>CVE-2016-4954</cvename> 6123 <cvename>CVE-2016-4955</cvename> 6124 <cvename>CVE-2016-4956</cvename> 6125 <cvename>CVE-2016-4957</cvename> 6126 <freebsdsa>SA-16:24.ntp</freebsdsa> 6127 </references> 6128 <dates> 6129 <discovery>2016-06-04</discovery> 6130 <entry>2016-08-11</entry> 6131 </dates> 6132 </vuln> 6133 6134 <vuln vid="7cad4795-600a-11e6-a6c3-14dae9d210b8"> 6135 <topic>FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer</topic> 6136 <affects> 6137 <package> 6138 <name>FreeBSD-kernel</name> 6139 <range><ge>10.3</ge><lt>10.3_4</lt></range> 6140 <range><ge>10.2</ge><lt>10.2_18</lt></range> 6141 <range><ge>10.1</ge><lt>10.1_35</lt></range> 6142 <range><ge>9.3</ge><lt>9.3_43</lt></range> 6143 </package> 6144 </affects> 6145 <description> 6146 <body xmlns="http://www.w3.org/1999/xhtml"> 6147 <h1>Problem Description:</h1> 6148 <p>The implementation of historic stat(2) system call does 6149 not clear the output struct before copying it out to 6150 userland.</p> 6151 <h1>Impact:</h1> 6152 <p>An unprivileged user can read a portion of uninitialised 6153 kernel stack data, which may contain sensitive information, 6154 such as the stack guard, portions of the file cache or 6155 terminal buffers, which an attacker might leverage to obtain 6156 elevated privileges.</p> 6157 </body> 6158 </description> 6159 <references> 6160 <freebsdsa>SA-16:21.43bsd</freebsdsa> 6161 </references> 6162 <dates> 6163 <discovery>2016-05-31</discovery> 6164 <entry>2016-08-11</entry> 6165 </dates> 6166 </vuln> 6167 6168 <vuln vid="7c5d64dd-600a-11e6-a6c3-14dae9d210b8"> 6169 <topic>FreeBSD -- Kernel stack disclosure in Linux compatibility layer</topic> 6170 <affects> 
6171 <package> 6172 <name>FreeBSD-kernel</name> 6173 <range><ge>10.3</ge><lt>10.3_4</lt></range> 6174 <range><ge>10.2</ge><lt>10.2_18</lt></range> 6175 <range><ge>10.1</ge><lt>10.1_35</lt></range> 6176 <range><ge>9.3</ge><lt>9.3_43</lt></range> 6177 </package> 6178 </affects> 6179 <description> 6180 <body xmlns="http://www.w3.org/1999/xhtml"> 6181 <h1>Problem Description:</h1> 6182 <p>The implementation of the TIOCGSERIAL ioctl(2) does not 6183 clear the output struct before copying it out to userland.</p> 6184 <p>The implementation of the Linux sysinfo() system call 6185 does not clear the output struct before copying it out to 6186 userland.</p> 6187 <h1>Impact:</h1> 6188 <p>An unprivileged user can read a portion of uninitialised 6189 kernel stack data, which may contain sensitive information, 6190 such as the stack guard, portions of the file cache or 6191 terminal buffers, which an attacker might leverage to obtain 6192 elevated privileges.</p> 6193 </body> 6194 </description> 6195 <references> 6196 <freebsdsa>SA-16:20.linux</freebsdsa> 6197 </references> 6198 <dates> 6199 <discovery>2016-05-31</discovery> 6200 <entry>2016-08-11</entry> 6201 </dates> 6202 </vuln> 6203 6204 <vuln vid="7c0bac69-600a-11e6-a6c3-14dae9d210b8"> 6205 <topic>FreeBSD -- Incorrect argument handling in sendmsg(2)</topic> 6206 <affects> 6207 <package> 6208 <name>FreeBSD-kernel</name> 6209 <range><ge>10.3</ge><lt>10.3_3</lt></range> 6210 <range><ge>10.2</ge><lt>10.2_17</lt></range> 6211 <range><ge>10.1</ge><lt>10.1_34</lt></range> 6212 </package> 6213 </affects> 6214 <description> 6215 <body xmlns="http://www.w3.org/1999/xhtml"> 6216 <h1>Problem Description:</h1> 6217 <p>Incorrect argument handling in the socket code allows 6218 malicious local user to overwrite large portion of the 6219 kernel memory.</p> 6220 <h1>Impact:</h1> 6221 <p>Malicious local user may crash kernel or execute arbitrary 6222 code in the kernel, potentially gaining superuser privileges.</p> 6223 </body> 6224 
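<!--
The two kernel stack disclosure entries above (SA-16:21.43bsd and
SA-16:20.linux) describe one bug class: a syscall or ioctl handler fills
the fields of an output struct that lives on the kernel stack and then
copies the whole object to userland, so the padding bytes the compiler
inserts between fields are copied too, still holding whatever an earlier
kernel code path left on the stack. The C program below is an added
userland model of that pattern and of the fix (clear the object before
filling it); it is not FreeBSD code. The kinfo_like struct, the STALE
marker standing in for stale stack contents, and the memcpy standing in
for copyout(9) are this example's own assumptions.

```c
/*
 * Added example, not FreeBSD source: a userland model of the kernel
 * stack-disclosure bug class in SA-16:21.43bsd and SA-16:20.linux.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical output struct (this example's own, not a FreeBSD ABI
 * struct): a one-byte field followed by a four-byte field, which gives
 * three bytes of padding on the usual ABIs. */
struct kinfo_like {
	uint8_t  type;
	uint32_t size;
};

/* Marker standing in for stale data left on the kernel stack by an
 * earlier syscall (constructed for the demo). */
#define STALE 0x5a

/* Vulnerable handler: assigns the fields and nothing else. */
static void handler_vulnerable(struct kinfo_like *out)
{
	out->type = 1;
	out->size = 4096;
}

/* Fixed handler: clears the whole object first, which is what the
 * FreeBSD fixes do before copyout(). */
static void handler_fixed(struct kinfo_like *out)
{
	memset(out, 0, sizeof(*out));
	out->type = 1;
	out->size = 4096;
}

/* Is byte i of the struct part of a named field (as opposed to padding)? */
static int is_field_byte(size_t i)
{
	size_t t = offsetof(struct kinfo_like, type);
	size_t s = offsetof(struct kinfo_like, size);
	return (i >= t && i < t + sizeof(uint8_t)) ||
	       (i >= s && i < s + sizeof(uint32_t));
}

/*
 * Simulate the syscall: place the struct in a stack slot pre-filled
 * with STALE, run the handler, then "copyout" sizeof(struct) bytes to
 * a user buffer. Return how many copied bytes are padding that still
 * carry the stale marker, i.e. how many kernel stack bytes leaked.
 */
static size_t leaked_bytes(void (*handler)(struct kinfo_like *))
{
	union {
		struct kinfo_like s;
		unsigned char raw[sizeof(struct kinfo_like)];
	} slot;
	unsigned char user[sizeof(struct kinfo_like)];
	size_t leaked = 0;

	memset(slot.raw, STALE, sizeof slot.raw);	/* stale kernel stack */
	handler(&slot.s);
	memcpy(user, slot.raw, sizeof user);		/* stands in for copyout(9) */

	for (size_t i = 0; i < sizeof user; i++)
		if (!is_field_byte(i) && user[i] == STALE)
			leaked++;
	return leaked;
}

int main(void)
{
	printf("vulnerable handler leaks %zu padding byte(s) to userland\n",
	    leaked_bytes(handler_vulnerable));
	printf("fixed handler leaks %zu padding byte(s) to userland\n",
	    leaked_bytes(handler_fixed));
	return 0;
}
```

The number of leaked bytes equals the padding the ABI inserts (three on
x86-64 and arm64 for this struct); the fixed handler always reports zero.
The same reasoning applies to any struct copied out with sizeof(): a
designated initializer or bzero() before the field assignments is the
only way to make the padding deterministic.
-->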
    </description>
    <references>
      <cvename>CVE-2016-1887</cvename>
      <freebsdsa>SA-16:19.sendmsg</freebsdsa>
    </references>
    <dates>
      <discovery>2016-05-17</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="7bbc0e8c-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Buffer overflow in keyboard driver</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.3</ge><lt>10.3_3</lt></range>
        <range><ge>10.2</ge><lt>10.2_17</lt></range>
        <range><ge>10.1</ge><lt>10.1_34</lt></range>
        <range><ge>9.3</ge><lt>9.3_42</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>An incorrect signedness comparison in the ioctl(2) handler
        allows a malicious local user to overwrite a portion of
        kernel memory.</p>
        <h1>Impact:</h1>
        <p>A local user may crash the kernel, read a portion of
        kernel memory and execute arbitrary code in kernel context.
        Executing arbitrary code in kernel context results in
        privilege escalation.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1886</cvename>
      <freebsdsa>SA-16:18.atkbd</freebsdsa>
    </references>
    <dates>
      <discovery>2016-05-17</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="7b6a11b5-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Incorrect argument validation in sysarch(2)</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>11.0</ge><lt>11.0_2</lt></range>
        <range><ge>10.3</ge><lt>10.3_11</lt></range>
        <range><ge>10.2</ge><lt>10.2_24</lt></range>
        <range><ge>10.1</ge><lt>10.1_41</lt></range>
        <range><ge>9.3</ge><lt>9.3_49</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A special combination of sysarch(2) arguments specifies
        a request to uninstall a set of descriptors from the LDT:
        the start descriptor is cleared and the number of descriptors
        is provided. Due to insufficient bounds checking during
        argument validation, unbounded zeroing of the process LDT
        and adjacent memory can be initiated from usermode.</p>
        <h1>Impact:</h1>
        <p>This vulnerability could cause the kernel to panic. In
        addition, unprivileged processes can use it to perform a
        local denial of service against the system.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1885</cvename>
      <freebsdsa>SA-16:15.sysarch</freebsdsa>
    </references>
    <dates>
      <discovery>2016-03-16</discovery>
      <entry>2016-08-11</entry>
      <modified>2016-10-25</modified>
    </dates>
  </vuln>

  <vuln vid="7b1a4a27-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Multiple OpenSSL vulnerabilities</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.2</ge><lt>10.2_13</lt></range>
        <range><ge>10.1</ge><lt>10.1_30</lt></range>
        <range><ge>9.3</ge><lt>9.3_38</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A cross-protocol attack was discovered that could lead
        to decryption of TLS sessions by using a server supporting
        SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA
        padding oracle. Note that traffic between clients and
        non-vulnerable servers can be decrypted provided another
        server supporting SSLv2 and EXPORT ciphers (even with a
        different protocol such as SMTP, IMAP or POP3) shares the
        RSA keys of the non-vulnerable server. This vulnerability
        is known as DROWN. [CVE-2016-0800]</p>
        <p>A double free bug was discovered when OpenSSL parses
        malformed DSA private keys and could lead to a DoS attack
        or memory corruption for applications that receive DSA
        private keys from untrusted sources. This scenario is
        considered rare. [CVE-2016-0705]</p>
        <p>The SRP user database lookup method SRP_VBASE_get_by_user
        had confusing memory management semantics; the returned
        pointer was sometimes newly allocated, and sometimes owned
        by the callee. The calling code has no way of distinguishing
        these two cases. [CVE-2016-0798]</p>
        <p>In the BN_hex2bn function, the number of hex digits is
        calculated using an int value |i|. Later |bn_expand| is
        called with a value of |i * 4|. For large values of |i|
        this can result in |bn_expand| not allocating any memory
        because |i * 4| is negative. This can leave the internal
        BIGNUM data field as NULL, leading to a subsequent NULL
        pointer dereference. For very large values of |i|, the
        calculation |i * 4| could be a positive value smaller than
        |i|. In this case memory is allocated to the internal BIGNUM
        data field, but it is insufficiently sized, leading to heap
        corruption. A similar issue exists in BN_dec2bn. This could
        have security consequences if BN_hex2bn/BN_dec2bn is ever
        called by user applications with very large untrusted hex/dec
        data. This is anticipated to be a rare occurrence.
        [CVE-2016-0797]</p>
        <p>The internal |fmtstr| function used in processing a "%s"
        formatted string in the BIO_*printf functions could overflow
        while calculating the length of a string and cause an
        out-of-bounds read when printing very long strings.
        [CVE-2016-0799]</p>
        <p>A side-channel attack was found which makes use of
        cache-bank conflicts on the Intel Sandy-Bridge microarchitecture
        which could lead to the recovery of RSA keys. [CVE-2016-0702]</p>
        <p>s2_srvr.c did not enforce that clear-key-length is 0 for
        non-export ciphers. If clear-key bytes are present for these
        ciphers, they displace encrypted-key bytes. [CVE-2016-0703]</p>
        <p>s2_srvr.c overwrites the wrong bytes in the master key
        when applying Bleichenbacher protection for export cipher
        suites. [CVE-2016-0704]</p>
        <h1>Impact:</h1>
        <p>Servers that have the SSLv2 protocol enabled are vulnerable
        to the "DROWN" attack, which allows a remote attacker to
        rapidly attack many recorded TLS connections made to the server,
        even when the client did not make any SSLv2 connections
        themselves.</p>
        <p>An attacker who can supply malformed DSA private keys
        to OpenSSL applications may be able to cause memory corruption
        which would lead to a Denial of Service condition.
        [CVE-2016-0705]</p>
        <p>An attacker connecting with an invalid username can cause
        a memory leak, which could eventually lead to a Denial of
        Service condition. [CVE-2016-0798]</p>
        <p>An attacker who can inject malformed data into an
        application may be able to cause memory corruption which
        would lead to a Denial of Service condition. [CVE-2016-0797,
        CVE-2016-0799]</p>
        <p>A local attacker who has control of code in a thread
        running on the same hyper-threaded core as the victim thread
        which is performing decryptions could recover RSA keys.
        [CVE-2016-0702]</p>
        <p>An eavesdropper who can intercept an SSLv2 handshake can
        conduct an efficient divide-and-conquer key recovery attack
        and use the server as an oracle to determine the SSLv2
        master-key, using only 16 connections to the server and
        negligible computation. [CVE-2016-0703]</p>
        <p>An attacker can use the Bleichenbacher oracle, which
        enables a more efficient variant of the DROWN attack.
        [CVE-2016-0704]</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-0702</cvename>
      <cvename>CVE-2016-0703</cvename>
      <cvename>CVE-2016-0704</cvename>
      <cvename>CVE-2016-0705</cvename>
      <cvename>CVE-2016-0797</cvename>
      <cvename>CVE-2016-0798</cvename>
      <cvename>CVE-2016-0799</cvename>
      <cvename>CVE-2016-0800</cvename>
      <freebsdsa>SA-16:12.openssl</freebsdsa>
    </references>
    <dates>
      <discovery>2016-03-10</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="7ac28df1-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Linux compatibility layer issetugid(2) system call</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.2</ge><lt>10.2_11</lt></range>
        <range><ge>10.1</ge><lt>10.1_28</lt></range>
        <range><ge>9.3</ge><lt>9.3_35</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A programming error in the Linux compatibility layer
        could cause the issetugid(2) system call to return incorrect
        information.</p>
        <h1>Impact:</h1>
        <p>If an application relies on the output of the issetugid(2)
        system call and that information is incorrect, this could
        lead to a privilege escalation.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1883</cvename>
      <freebsdsa>SA-16:10.linux</freebsdsa>
    </references>
    <dates>
      <discovery>2016-01-27</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="7a31dfba-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Insecure default snmpd.config permissions</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.2</ge><lt>10.2_9</lt></range>
        <range><ge>10.1</ge><lt>10.1_26</lt></range>
        <range><ge>9.3</ge><lt>9.3_33</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The SNMP protocol supports an authentication model called
        USM, which relies on a shared secret. The default permissions
        of the snmpd configuration file, /etc/snmpd.config, are
        weak and do not provide adequate protection against local
        unprivileged users.</p>
        <h1>Impact:</h1>
        <p>A local user may be able to read the shared secret, if
        one is configured and used by the system administrator.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-5677</cvename>
      <freebsdsa>SA-16:06.bsnmpd</freebsdsa>
    </references>
    <dates>
      <discovery>2016-01-14</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="79dfc135-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- TCP MD5 signature denial of service</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.2</ge><lt>10.2_9</lt></range>
        <range><ge>10.1</ge><lt>10.1_26</lt></range>
        <range><ge>9.3</ge><lt>9.3_33</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A programming error in processing a TCP connection with
        both the TCP_MD5SIG and TCP_NOOPT socket options set may
        lead to a kernel crash.</p>
        <h1>Impact:</h1>
        <p>A local attacker can crash the kernel, resulting in a
        denial of service.</p>
        <p>A remote attack is theoretically possible if the server
        has a listening socket with TCP_NOOPT set and is either out
        of SYN cache entries or has the SYN cache disabled by
        configuration.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1882</cvename>
      <freebsdsa>SA-16:05.tcp</freebsdsa>
    </references>
    <dates>
      <discovery>2016-01-14</discovery>
      <entry>2016-08-11</entry>
    </dates>
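<!--
Three of the entries above turn on a single missing or insufficient check
on an attacker-controlled integer: bspatch (SA-16:25) accepts a negative
byte count parsed from the patch, sysarch(2) (SA-16:15) accepts an LDT
start/count pair whose sum wraps, and OpenSSL BN_hex2bn (CVE-2016-0797)
multiplies a digit count by 4 in int arithmetic and hands the negative or
wrapped result to the allocator. The C program below is an added example
that places each insufficient check beside the check that closes it; it
is not FreeBSD or OpenSSL code, the function names are this example's
own, the max_segments value of 8192 is an assumed LDT size, and the
BN_hex2bn wrap is modelled with unsigned arithmetic so the demonstration
is deterministic instead of relying on signed-overflow behaviour.

```c
/*
 * Added example, not FreeBSD or OpenSSL code: checks on
 * attacker-controlled integers modelling SA-16:25 (bspatch),
 * SA-16:15 (sysarch) and CVE-2016-0797 (BN_hex2bn).
 */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * 1. bspatch: the diff/extra byte counts come from the patch as signed
 *    64-bit values. Checking only "newpos + len <= newsize" lets a
 *    negative len through, and the write cursor then moves backwards
 *    into the heap.
 */
static bool bspatch_len_vulnerable(int64_t newpos, int64_t len, int64_t newsize)
{
	return newpos + len <= newsize;		/* negative len passes */
}

static bool bspatch_len_fixed(int64_t newpos, int64_t len, int64_t newsize)
{
	if (newpos < 0 || newsize < 0 || newpos > newsize)
		return false;
	if (len < 0)				/* the check the fix adds */
		return false;
	return len <= newsize - newpos;		/* no overflow: 0 <= newpos <= newsize */
}

/*
 * 2. sysarch(2) LDT uninstall: a start index and a descriptor count,
 *    both unsigned. "start + num <= max" wraps for a start near
 *    UINT_MAX and accepts a range that runs far past the LDT.
 */
static bool ldt_range_vulnerable(unsigned start, unsigned num, unsigned max_segments)
{
	return start + num <= max_segments;	/* unsigned wrap */
}

static bool ldt_range_fixed(unsigned start, unsigned num, unsigned max_segments)
{
	return start < max_segments && num <= max_segments - start;
}

/*
 * 3. BN_hex2bn: ndigits hex digits need ndigits * 4 bits. In int
 *    arithmetic the product goes negative (allocation silently skipped,
 *    NULL dereference later) or wraps to a small positive value
 *    (allocation too small, heap corruption). Modelled with unsigned
 *    arithmetic so the wrap is defined behaviour in this demo.
 */
static int hex_bits_vulnerable(int ndigits)
{
	return (int)((unsigned)ndigits * 4u);	/* fed to the allocator unchecked */
}

static bool hex_bits_fixed(int ndigits, int *bits)
{
	if (ndigits < 0 || ndigits > INT_MAX / 4)
		return false;
	*bits = ndigits * 4;
	return true;
}

int main(void)
{
	int bits = 0;

	printf("bspatch newpos=100 len=-1000 newsize=4096: vulnerable=%d fixed=%d\n",
	    bspatch_len_vulnerable(100, -1000, 4096),
	    bspatch_len_fixed(100, -1000, 4096));
	printf("ldt start=%u num=3 max=8192: vulnerable=%d fixed=%d\n",
	    UINT_MAX - 1,
	    ldt_range_vulnerable(UINT_MAX - 1, 3, 8192),
	    ldt_range_fixed(UINT_MAX - 1, 3, 8192));
	printf("hex ndigits=0x40000001: vulnerable bits=%d fixed accepts=%d\n",
	    hex_bits_vulnerable(0x40000001),
	    hex_bits_fixed(0x40000001, &bits));
	return 0;
}
```

The pattern in each fixed check is the same: reject the sign or the
range first, then express the bound as a subtraction from the known-good
limit (newsize - newpos, max_segments - start, INT_MAX / 4) so that the
comparison itself cannot overflow.
-->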
6515 </vuln> 6516 6517 <vuln vid="798f63e0-600a-11e6-a6c3-14dae9d210b8"> 6518 <topic>FreeBSD -- Linux compatibility layer setgroups(2) system call</topic> 6519 <affects> 6520 <package> 6521 <name>FreeBSD-kernel</name> 6522 <range><ge>10.2</ge><lt>10.2_9</lt></range> 6523 <range><ge>10.1</ge><lt>10.1_26</lt></range> 6524 <range><ge>9.3</ge><lt>9.3_33</lt></range> 6525 </package> 6526 </affects> 6527 <description> 6528 <body xmlns="http://www.w3.org/1999/xhtml"> 6529 <h1>Problem Description:</h1> 6530 <p>A programming error in the Linux compatibility layer 6531 setgroups(2) system call can lead to an unexpected results, 6532 such as overwriting random kernel memory contents.</p> 6533 <h1>Impact:</h1> 6534 <p>It is possible for a local attacker to overwrite portions 6535 of kernel memory, which may result in a privilege escalation 6536 or cause a system panic.</p> 6537 </body> 6538 </description> 6539 <references> 6540 <cvename>CVE-2016-1881</cvename> 6541 <freebsdsa>SA-16:04.linux</freebsdsa> 6542 </references> 6543 <dates> 6544 <discovery>2016-01-14</discovery> 6545 <entry>2016-08-11</entry> 6546 </dates> 6547 </vuln> 6548 6549 <vuln vid="793fb19c-600a-11e6-a6c3-14dae9d210b8"> 6550 <topic>FreeBSD -- Linux compatibility layer incorrect futex handling</topic> 6551 <affects> 6552 <package> 6553 <name>FreeBSD-kernel</name> 6554 <range><ge>10.2</ge><lt>10.2_9</lt></range> 6555 <range><ge>10.1</ge><lt>10.1_26</lt></range> 6556 <range><ge>9.3</ge><lt>9.3_33</lt></range> 6557 </package> 6558 </affects> 6559 <description> 6560 <body xmlns="http://www.w3.org/1999/xhtml"> 6561 <h1>Problem Description:</h1> 6562 <p>A programming error in the handling of Linux futex robust 6563 lists may result in incorrect memory locations being 6564 accessed.</p> 6565 <h1>Impact:</h1> 6566 <p>It is possible for a local attacker to read portions of 6567 kernel memory, which may result in a privilege escalation.</p> 6568 </body> 6569 </description> 6570 <references> 6571 
<cvename>CVE-2016-1880</cvename> 6572 <freebsdsa>SA-16:03.linux</freebsdsa> 6573 </references> 6574 <dates> 6575 <discovery>2016-01-14</discovery> 6576 <entry>2016-08-11</entry> 6577 </dates> 6578 </vuln> 6579 6580 <vuln vid="78f06a6c-600a-11e6-a6c3-14dae9d210b8"> 6581 <topic>FreeBSD -- SCTP ICMPv6 error message vulnerability</topic> 6582 <affects> 6583 <package> 6584 <name>FreeBSD-kernel</name> 6585 <range><ge>10.2</ge><lt>10.2_9</lt></range> 6586 <range><ge>10.1</ge><lt>10.1_26</lt></range> 6587 <range><ge>9.3</ge><lt>9.3_33</lt></range> 6588 </package> 6589 </affects> 6590 <description> 6591 <body xmlns="http://www.w3.org/1999/xhtml"> 6592 <h1>Problem Description:</h1> 6593 <p>A lack of proper input checks in the ICMPv6 processing 6594 in the SCTP stack can lead to either a failed kernel assertion 6595 or to a NULL pointer dereference. In either case, a kernel 6596 panic will follow.</p> 6597 <h1>Impact:</h1> 6598 <p>A remote, unauthenticated attacker can reliably trigger 6599 a kernel panic in a vulnerable system running IPv6. Any 6600 kernel compiled with both IPv6 and SCTP support is vulnerable. 
6601 There is no requirement to have an SCTP socket open.</p> 6602 <p>IPv4 ICMP processing is not impacted by this vulnerability.</p> 6603 </body> 6604 </description> 6605 <references> 6606 <cvename>CVE-2016-1879</cvename> 6607 <freebsdsa>SA-16:01.sctp</freebsdsa> 6608 </references> 6609 <dates> 6610 <discovery>2016-01-14</discovery> 6611 <entry>2016-08-11</entry> 6612 </dates> 6613 </vuln> 6614 6615 <vuln vid="0e5d6969-600a-11e6-a6c3-14dae9d210b8"> 6616 <topic>FreeBSD -- rpcbind(8) remote denial of service [REVISED]</topic> 6617 <affects> 6618 <package> 6619 <name>FreeBSD</name> 6620 <range><ge>10.2</ge><lt>10.2_5</lt></range> 6621 <range><ge>10.1</ge><lt>10.1_22</lt></range> 6622 <range><ge>9.3</ge><lt>9.3_28</lt></range> 6623 </package> 6624 </affects> 6625 <description> 6626 <body xmlns="http://www.w3.org/1999/xhtml"> 6627 <h1>Problem Description:</h1> 6628 <p>In rpcbind(8), netbuf structures are copied directly, 6629 which would result in two netbuf structures that reference 6630 to one shared address buffer. 
When one of the two netbuf 6631 structures is freed, access to the other netbuf structure 6632 would result in an undefined result that may crash the 6633 rpcbind(8) daemon.</p> 6634 <h1>Impact:</h1> 6635 <p>A remote attacker who can send specifically crafted 6636 packets to the rpcbind(8) daemon can cause it to crash, 6637 resulting in a denial of service condition.</p> 6638 </body> 6639 </description> 6640 <references> 6641 <cvename>CVE-2015-7236</cvename> 6642 <freebsdsa>SA-15:24.rpcbind</freebsdsa> 6643 </references> 6644 <dates> 6645 <discovery>2015-09-29</discovery> 6646 <entry>2016-08-11</entry> 6647 </dates> 6648 </vuln> 6649 6650 <vuln vid="0dfa5dde-600a-11e6-a6c3-14dae9d210b8"> 6651 <topic>FreeBSD -- Local privilege escalation in IRET handler</topic> 6652 <affects> 6653 <package> 6654 <name>FreeBSD-kernel</name> 6655 <range><ge>10.1</ge><lt>10.1_19</lt></range> 6656 <range><ge>9.3</ge><lt>9.3_24</lt></range> 6657 </package> 6658 </affects> 6659 <description> 6660 <body xmlns="http://www.w3.org/1999/xhtml"> 6661 <h1>Problem Description:</h1> 6662 <p>If the kernel-mode IRET instruction generates an #SS or 6663 #NP exception, but the exception handler does not properly 6664 ensure that the right GS register base for kernel is reloaded, 6665 the userland GS segment may be used in the context of the 6666 kernel exception handler.</p> 6667 <h1>Impact:</h1> 6668 <p>By causing an IRET with #SS or #NP exceptions, a local 6669 attacker can cause the kernel to use an arbitrary GS base, 6670 which may allow escalated privileges or panic the system.</p> 6671 </body> 6672 </description> 6673 <references> 6674 <cvename>CVE-2015-5675</cvename> 6675 <freebsdsa>SA-15:21.amd64</freebsdsa> 6676 </references> 6677 <dates> 6678 <discovery>2015-08-25</discovery> 6679 <entry>2016-08-11</entry> 6680 </dates> 6681 </vuln> 6682 6683 <vuln vid="0da8a68e-600a-11e6-a6c3-14dae9d210b8"> 6684 <topic>FreeBSD -- Multiple integer overflows in expat (libbsdxml) XML parser</topic> 6685 
<affects> 6686 <package> 6687 <name>FreeBSD</name> 6688 <range><ge>10.1</ge><lt>10.1_18</lt></range> 6689 <range><ge>10.2</ge><lt>10.2_1</lt></range> 6690 <range><ge>9.3</ge><lt>9.3_23</lt></range> 6691 </package> 6692 </affects> 6693 <description> 6694 <body xmlns="http://www.w3.org/1999/xhtml"> 6695 <h1>Problem Description:</h1> 6696 <p>Multiple integer overflows have been discovered in the 6697 XML_GetBuffer() function in the expat library.</p> 6698 <h1>Impact:</h1> 6699 <p>The integer overflows may be exploited by using specifically 6700 crafted XML data and lead to infinite loop, or a heap buffer 6701 overflow, which results in a Denial of Service condition, 6702 or enables remote attackers to execute arbitrary code.</p> 6703 </body> 6704 </description> 6705 <references> 6706 <cvename>CVE-2015-1283</cvename> 6707 <freebsdsa>SA-15:20.expat</freebsdsa> 6708 </references> 6709 <dates> 6710 <discovery>2015-08-18</discovery> 6711 <entry>2016-08-11</entry> 6712 </dates> 6713 </vuln> 6714 6715 <vuln vid="0d584493-600a-11e6-a6c3-14dae9d210b8"> 6716 <topic>FreeBSD -- routed(8) remote denial of service vulnerability</topic> 6717 <affects> 6718 <package> 6719 <name>FreeBSD</name> 6720 <range><ge>10.1</ge><lt>10.1_17</lt></range> 6721 <range><ge>9.3</ge><lt>9.3_22</lt></range> 6722 </package> 6723 </affects> 6724 <description> 6725 <body xmlns="http://www.w3.org/1999/xhtml"> 6726 <h1>Problem Description:</h1> 6727 <p>The input path in routed(8) will accept queries from any 6728 source and attempt to answer them. However, the output path 6729 assumes that the destination address for the response is 6730 on a directly connected network.</p> 6731 <h1>Impact:</h1> 6732 <p>Upon receipt of a query from a source which is not on a 6733 directly connected network, routed(8) will trigger an 6734 assertion and terminate. The affected system's routing table 6735 will no longer be updated. 
If the affected system is a 6736 router, its routes will eventually expire from other routers' 6737 routing tables, and its networks will no longer be reachable 6738 unless they are also connected to another router.</p> 6739 </body> 6740 </description> 6741 <references> 6742 <cvename>CVE-2015-5674</cvename> 6743 <freebsdsa>SA-15:19.routed</freebsdsa> 6744 </references> 6745 <dates> 6746 <discovery>2015-08-05</discovery> 6747 <entry>2016-08-11</entry> 6748 </dates> 6749 </vuln> 6750 6751 <vuln vid="0d090952-600a-11e6-a6c3-14dae9d210b8"> 6752 <topic>FreeBSD -- shell injection vulnerability in patch(1)</topic> 6753 <affects> 6754 <package> 6755 <name>FreeBSD</name> 6756 <range><ge>10.1</ge><lt>10.1_17</lt></range> 6757 </package> 6758 </affects> 6759 <description> 6760 <body xmlns="http://www.w3.org/1999/xhtml"> 6761 <h1>Problem Description:</h1> 6762 <p>Due to insufficient sanitization of the input patch 6763 stream, it is possible for a patch file to cause patch(1) 6764 to pass certain ed(1) scripts to the ed(1) editor, which 6765 would run commands.</p> 6766 <h1>Impact:</h1> 6767 <p>This issue could be exploited to execute arbitrary 6768 commands as the user invoking patch(1) against a specially 6769 crafted patch file, which could be leveraged to obtain 6770 elevated privileges.</p> 6771 </body> 6772 </description> 6773 <references> 6774 <cvename>CVE-2015-1418</cvename> 6775 <freebsdsa>SA-15:18.bsdpatch</freebsdsa> 6776 </references> 6777 <dates> 6778 <discovery>2015-08-05</discovery> 6779 <entry>2016-08-11</entry> 6780 </dates> 6781 </vuln> 6782 6783 <vuln vid="0cb9d5bb-600a-11e6-a6c3-14dae9d210b8"> 6784 <topic>FreeBSD -- Resource exhaustion in TCP reassembly</topic> 6785 <affects> 6786 <package> 6787 <name>FreeBSD-kernel</name> 6788 <range><ge>10.1</ge><lt>10.1_16</lt></range> 6789 <range><ge>9.3</ge><lt>9.3_21</lt></range> 6790 <range><ge>8.4</ge><lt>8.4_35</lt></range> 6791 </package> 6792 </affects> 6793 <description> 6794 <body 
xmlns="http://www.w3.org/1999/xhtml"> 6795 <h1>Problem Description:</h1> 6796 <p>There is a mistake with the introduction of VNET, which 6797 converted the global limit on the number of segments that 6798 could belong to reassembly queues into a per-VNET limit. 6799 Because mbufs are allocated from a global pool, in the 6800 presence of a sufficient number of VNETs, the total number 6801 of mbufs attached to reassembly queues can grow to the total 6802 number of mbufs in the system, at which point all network 6803 traffic would cease.</p> 6804 <h1>Impact:</h1> 6805 <p>An attacker who can establish concurrent TCP connections 6806 across a sufficient number of VNETs and manipulate the 6807 inbound packet streams such that the maximum number of mbufs 6808 are enqueued on each reassembly queue can cause mbuf cluster 6809 exhaustion on the target system, resulting in a Denial of 6810 Service condition.</p> 6811 <p>As the default per-VNET limit on the number of segments 6812 that can belong to reassembly queues is 1/16 of the total 6813 number of mbuf clusters in the system, only systems that 6814 have 16 or more VNET instances are vulnerable.</p> 6815 </body> 6816 </description> 6817 <references> 6818 <cvename>CVE-2015-1417</cvename> 6819 <freebsdsa>SA-15:15.tcp</freebsdsa> 6820 </references> 6821 <dates> 6822 <discovery>2015-07-28</discovery> 6823 <entry>2016-08-11</entry> 6824 </dates> 6825 </vuln> 6826 6827 <vuln vid="0c6759dd-600a-11e6-a6c3-14dae9d210b8"> 6828 <topic>FreeBSD -- shell injection vulnerability in patch(1)</topic> 6829 <affects> 6830 <package> 6831 <name>FreeBSD</name> 6832 <range><ge>10.1</ge><lt>10.1_16</lt></range> 6833 </package> 6834 </affects> 6835 <description> 6836 <body xmlns="http://www.w3.org/1999/xhtml"> 6837 <h1>Problem Description:</h1> 6838 <p>Due to insufficient sanitization of the input patch 6839 stream, it is possible for a patch file to cause patch(1) 6840 to run commands in addition to the desired SCCS or RCS 6841 commands.</p> 6842 
<h1>Impact:</h1> 6843 <p>This issue could be exploited to execute arbitrary 6844 commands as the user invoking patch(1) against a specially 6845 crafted patch file, which could be leveraged to obtain 6846 elevated privileges.</p> 6847 </body> 6848 </description> 6849 <references> 6850 <cvename>CVE-2015-1416</cvename> 6851 <freebsdsa>SA-15:14.bsdpatch</freebsdsa> 6852 </references> 6853 <dates> 6854 <discovery>2015-07-28</discovery> 6855 <entry>2016-08-11</entry> 6856 </dates> 6857 </vuln> 6858 6859 <vuln vid="0c064c43-600a-11e6-a6c3-14dae9d210b8"> 6860 <topic>FreeBSD -- Resource exhaustion due to sessions stuck in LAST_ACK state</topic> 6861 <affects> 6862 <package> 6863 <name>FreeBSD-kernel</name> 6864 <range><ge>10.1</ge><lt>10.1_15</lt></range> 6865 <range><ge>9.3</ge><lt>9.3_20</lt></range> 6866 <range><ge>8.4</ge><lt>8.4_34</lt></range> 6867 </package> 6868 </affects> 6869 <description> 6870 <body xmlns="http://www.w3.org/1999/xhtml"> 6871 <h1>Problem Description:</h1> 6872 <p>TCP connections transitioning to the LAST_ACK state can 6873 become permanently stuck due to mishandling of protocol 6874 state in certain situations, which in turn can lead to 6875 accumulated consumption and eventual exhaustion of system 6876 resources, such as mbufs and sockets.</p> 6877 <h1>Impact:</h1> 6878 <p>An attacker who can repeatedly establish TCP connections 6879 to a victim system (for instance, a Web server) could create 6880 many TCP connections that are stuck in LAST_ACK state and 6881 cause resource exhaustion, resulting in a denial of service 6882 condition. 
        This may also happen in normal operation where
        no intentional attack is conducted, but an attacker who can
        send specifically crafted packets can trigger this more
        reliably.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-5358</cvename>
      <freebsdsa>SA-15:13.tcp</freebsdsa>
    </references>
    <dates>
      <discovery>2015-07-21</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="0bb55a18-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Denial of Service with IPv6 Router Advertisements</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.1</ge><lt>10.1_9</lt></range>
        <range><ge>9.3</ge><lt>9.3_13</lt></range>
        <range><ge>8.4</ge><lt>8.4_27</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The Neighbor Discovery Protocol allows a local router to
        advertise a suggested Current Hop Limit value for a link,
        which will replace the Current Hop Limit on an interface
        connected to the link on the FreeBSD system.</p>
        <h1>Impact:</h1>
        <p>When the Current Hop Limit (similar to IPv4's TTL) is
        small, IPv6 packets may get dropped before they reach
        their destinations.</p>
        <p>By sending specifically crafted Router Advertisement
        packets, an attacker on the local network can cause the
        FreeBSD system to lose the ability to communicate with
        another IPv6 node on a different network.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-2923</cvename>
      <freebsdsa>SA-15:09.ipv6</freebsdsa>
    </references>
    <dates>
      <discovery>2015-04-07</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="0b65f297-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Insecure default GELI keyfile permissions</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.1</ge><lt>10.1_9</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The default permission set by the bsdinstall(8) installer
        when configuring full disk encrypted ZFS is too open.</p>
        <h1>Impact:</h1>
        <p>A local attacker may be able to get a copy of the geli(8)
        provider's keyfile, which is located at a fixed location.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-1415</cvename>
      <freebsdsa>SA-15:08.bsdinstall</freebsdsa>
    </references>
    <dates>
      <discovery>2015-04-07</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="0afe8b29-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Integer overflow in IGMP protocol</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.1</ge><lt>10.1_9</lt></range>
        <range><ge>9.3</ge><lt>9.3_13</lt></range>
        <range><ge>8.4</ge><lt>8.4_27</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>An integer overflow in computing the size of the IGMPv3 data
        buffer can result in a buffer which is too small for the
        requested operation.</p>
        <h1>Impact:</h1>
        <p>An attacker who can send specifically crafted IGMP packets
        could cause a denial of service situation by causing the
        kernel to crash.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-1414</cvename>
      <freebsdsa>SA-15:04.igmp</freebsdsa>
    </references>
    <dates>
      <discovery>2015-02-25</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="0aad3ce5-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- SCTP stream reset vulnerability</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.1</ge><lt>10.1_5</lt></range>
        <range><ge>10.0</ge><lt>10.0_17</lt></range>
        <range><ge>9.3</ge><lt>9.3_9</lt></range>
        <range><ge>8.4</ge><lt>8.4_23</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The input validation of received SCTP RE_CONFIG chunks
        is insufficient, and can result in a NULL pointer dereference
        later.</p>
        <h1>Impact:</h1>
        <p>A remote attacker who can send a malformed SCTP packet
        to a FreeBSD system that serves SCTP can cause a kernel
        panic, resulting in a Denial of Service.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-8613</cvename>
      <freebsdsa>SA-15:03.sctp</freebsdsa>
    </references>
    <dates>
      <discovery>2015-01-27</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="0a5cf6d8-600a-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- SCTP SCTP_SS_VALUE kernel memory corruption and disclosure</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.1</ge><lt>10.1_5</lt></range>
        <range><ge>10.0</ge><lt>10.0_17</lt></range>
        <range><ge>9.3</ge><lt>9.3_9</lt></range>
        <range><ge>8.4</ge><lt>8.4_23</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>Due to insufficient validation of the SCTP stream ID,
        which serves as an array index, a local unprivileged attacker
        can read or write 16 bits of kernel memory.</p>
        <h1>Impact:</h1>
        <p>An unprivileged process can read or modify 16 bits of
        memory which belongs to the kernel.
        This may lead to
        exposure of sensitive information or allow privilege
        escalation.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-8612</cvename>
      <freebsdsa>SA-15:02.kmem</freebsdsa>
    </references>
    <dates>
      <discovery>2015-01-27</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="74ded00e-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Buffer overflow in stdio</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.1</ge><lt>10.1_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A programming error in the standard I/O library's
        __sflush() function could erroneously adjust the buffered
        stream's internal state even when no write actually occurred,
        in the case where the write(2) system call returns an error.</p>
        <h1>Impact:</h1>
        <p>The accounting mismatch would accumulate if the caller
        does not check the stream status, and will eventually lead
        to a heap buffer overflow.</p>
        <p>Such overflows may lead to data corruption or the execution
        of arbitrary code at the privilege level of the calling
        program.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-8611</cvename>
      <freebsdsa>SA-14:27.stdio</freebsdsa>
    </references>
    <dates>
      <discovery>2014-12-10</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="7488378d-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Remote command execution in ftp(1)</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.0</ge><lt>10.0_12</lt></range>
        <range><ge>9.3</ge><lt>9.3_5</lt></range>
        <range><ge>9.2</ge><lt>9.2_15</lt></range>
        <range><ge>9.1</ge><lt>9.1_22</lt></range>
        <range><ge>8.4</ge><lt>8.4_19</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A malicious HTTP server could cause ftp(1) to execute
        arbitrary commands.</p>
        <h1>Impact:</h1>
        <p>When operating on HTTP URIs, the ftp(1) client follows
        HTTP redirects, and uses the part of the path after the
        last '/' from the last resource it accesses as the output
        filename if '-o' is not specified.</p>
        <p>If the output file name provided by the server begins
        with a pipe ('|'), the output is passed to popen(3), which
        might be used to execute arbitrary commands on the ftp(1)
        client machine.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-8517</cvename>
      <freebsdsa>SA-14:26.ftp</freebsdsa>
    </references>
    <dates>
      <discovery>2014-11-04</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="74389f22-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Kernel stack disclosure in setlogin(2) / getlogin(2)</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.0</ge><lt>10.0_12</lt></range>
        <range><ge>9.3</ge><lt>9.3_5</lt></range>
        <range><ge>9.2</ge><lt>9.2_15</lt></range>
        <range><ge>9.1</ge><lt>9.1_22</lt></range>
        <range><ge>8.4</ge><lt>8.4_19</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>When setlogin(2) is called while setting up a new login
        session, the login name is copied into an uninitialized
        stack buffer, which is then copied into a buffer of the
        same size in the session structure.
        The getlogin(2) system
        call returns the entire buffer rather than just the portion
        occupied by the login name associated with the session.</p>
        <h1>Impact:</h1>
        <p>An unprivileged user can access this memory by calling
        getlogin(2) and reading beyond the terminating NUL character
        of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD
        9 and 10) bytes of kernel memory may be leaked in this
        manner for each invocation of setlogin(2).</p>
        <p>This memory may contain sensitive information, such as
        portions of the file cache or terminal buffers, which an
        attacker might leverage to obtain elevated privileges.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-8476</cvename>
      <freebsdsa>SA-14:25.setlogin</freebsdsa>
    </references>
    <dates>
      <discovery>2014-11-04</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="73e9a137-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Denial of service attack against sshd(8)</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.0</ge><lt>10.0_12</lt></range>
        <range><ge>9.2</ge><lt>9.2_15</lt></range>
        <range><ge>9.1</ge><lt>9.1_22</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>Although OpenSSH is not multithreaded, when OpenSSH is
        compiled with Kerberos support, the Heimdal libraries bring
        in the POSIX thread library as a dependency.
        Due to incorrect
        library ordering while linking sshd(8), symbols in the C
        library which are shadowed by the POSIX thread library may
        not be resolved correctly at run time.</p>
        <p>Note that this problem is specific to the FreeBSD build
        system and does not affect other operating systems or the
        version of OpenSSH available from the FreeBSD ports tree.</p>
        <h1>Impact:</h1>
        <p>An incorrectly linked sshd(8) child process may deadlock
        while handling an incoming connection. The connection may
        then time out or be interrupted by the client, leaving the
        deadlocked sshd(8) child process behind. Eventually, the
        sshd(8) parent process stops accepting new connections.</p>
        <p>An attacker may take advantage of this by repeatedly
        connecting and then dropping the connection after having
        begun, but not completed, the authentication process.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-8475</cvename>
      <freebsdsa>SA-14:24.sshd</freebsdsa>
    </references>
    <dates>
      <discovery>2014-11-04</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="73964eac-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- memory leak in sandboxed namei lookup</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.0</ge><lt>10.0_10</lt></range>
        <range><ge>9.3</ge><lt>9.3_3</lt></range>
        <range><ge>9.2</ge><lt>9.2_13</lt></range>
        <range><ge>9.1</ge><lt>9.1_20</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The namei facility will leak a small amount of kernel
        memory every time a sandboxed process looks up a nonexistent
        path name.</p>
        <h1>Impact:</h1>
        <p>A remote attacker that can cause a sandboxed process
        (for instance, a web server) to look up a large number of
        nonexistent path names can cause memory exhaustion.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-3711</cvename>
      <freebsdsa>SA-14:22.namei</freebsdsa>
    </references>
    <dates>
      <discovery>2014-10-21</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="734233f4-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- routed(8) remote denial of service vulnerability</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.0</ge><lt>10.0_10</lt></range>
        <range><ge>9.3</ge><lt>9.3_3</lt></range>
        <range><ge>9.2</ge><lt>9.2_13</lt></range>
        <range><ge>9.1</ge><lt>9.1_20</lt></range>
        <range><ge>8.4</ge><lt>8.4_17</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The input path in routed(8) will accept queries from any
        source and attempt to answer them. However, the output path
        assumes that the destination address for the response is
        on a directly connected network.</p>
        <h1>Impact:</h1>
        <p>Upon receipt of a query from a source which is not on a
        directly connected network, routed(8) will trigger an
        assertion and terminate. The affected system's routing table
        will no longer be updated.
        If the affected system is a
        router, its routes will eventually expire from other routers'
        routing tables, and its networks will no longer be reachable
        unless they are also connected to another router.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-3955</cvename>
      <freebsdsa>SA-14:21.routed</freebsdsa>
    </references>
    <dates>
      <discovery>2014-10-21</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="72ee7111-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- rtsold(8) remote buffer overflow vulnerability</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.0</ge><lt>10.0_10</lt></range>
        <range><ge>9.3</ge><lt>9.3_3</lt></range>
        <range><ge>9.2</ge><lt>9.2_13</lt></range>
        <range><ge>9.1</ge><lt>9.1_20</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>Due to a missing length check in the code that handles
        DNS parameters, a malformed router advertisement message
        can result in a stack buffer overflow in rtsold(8).</p>
        <h1>Impact:</h1>
        <p>Receipt of a router advertisement message with a malformed
        DNSSL option, for instance from a compromised host on the
        same network, can cause rtsold(8) to crash.</p>
        <p>While it is theoretically possible to inject code into
        rtsold(8) through malformed router advertisement messages,
        it is normally compiled with stack protection enabled,
        rendering such an attack extremely difficult.</p>
        <p>When rtsold(8) crashes, the existing DNS configuration
        will remain in force, and the kernel will continue to receive
        and process periodic router advertisements.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-3954</cvename>
      <freebsdsa>SA-14:20.rtsold</freebsdsa>
    </references>
    <dates>
      <discovery>2014-10-21</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="729c4a9f-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Denial of Service in TCP packet processing</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.0</ge><lt>10.0_9</lt></range>
        <range><ge>9.3</ge><lt>9.3_2</lt></range>
        <range><ge>9.2</ge><lt>9.2_12</lt></range>
        <range><ge>9.1</ge><lt>9.1_19</lt></range>
        <range><ge>8.4</ge><lt>8.4_16</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>When a segment with the SYN flag for an already existing
        connection arrives, the TCP stack tears down the connection,
        bypassing a check that the sequence number in the segment
        is in the expected window.</p>
        <h1>Impact:</h1>
        <p>An attacker who has the ability to spoof IP traffic can
        tear down a TCP connection by sending only 2 packets, if
        they know both TCP port numbers.
        In case one of the two
        port numbers is unknown, a successful attack requires fewer
        than 2**17 spoofed packets, which can be generated within
        less than a second on a decent connection to the Internet.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2004-0230</cvename>
      <freebsdsa>SA-14:19.tcp</freebsdsa>
    </references>
    <dates>
      <discovery>2014-09-16</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="7240de58-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Kernel memory disclosure in control messages and SCTP</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.0</ge><lt>10.0_7</lt></range>
        <range><ge>9.2</ge><lt>9.2_10</lt></range>
        <range><ge>9.1</ge><lt>9.1_17</lt></range>
        <range><ge>8.4</ge><lt>8.4_14</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The buffer between the control message header and data may not
        be completely initialized before being copied to userland.
        [CVE-2014-3952]</p>
        <p>Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO,
        have implicit padding that may not be completely initialized
        before being copied to userland. In addition, three SCTP
        notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and
        SCTP_AUTHENTICATION_EVENT, have padding in the returned
        data structure that may not be completely initialized before
        being copied to userland.
        [CVE-2014-3953]</p>
        <h1>Impact:</h1>
        <p>An unprivileged local process may be able to retrieve
        a portion of kernel memory.</p>
        <p>For the generic control message, the process may be able
        to retrieve a maximum of 4 bytes of kernel memory.</p>
        <p>For SCTP, the process may be able to retrieve 2 bytes
        of kernel memory for all three control messages, plus 92
        bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the
        local process is permitted to receive SCTP notifications, a
        maximum of 112 bytes of kernel memory may be returned to
        userland.</p>
        <p>This information might be directly useful, or it might
        be leveraged to obtain elevated privileges in some way. For
        example, a terminal buffer might include a user-entered
        password.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-3952</cvename>
      <cvename>CVE-2014-3953</cvename>
      <freebsdsa>SA-14:17.kmem</freebsdsa>
    </references>
    <dates>
      <discovery>2014-07-08</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="70140f20-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Multiple vulnerabilities in file(1) and libmagic(3)</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.0</ge><lt>10.0_6</lt></range>
        <range><ge>9.2</ge><lt>9.2_9</lt></range>
        <range><ge>9.1</ge><lt>9.1_16</lt></range>
        <range><ge>8.4</ge><lt>8.4_13</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A specifically crafted Composite Document File (CDF)
        file can trigger an out-of-bounds read or an invalid pointer
        dereference. [CVE-2012-1571]</p>
        <p>The regular expression in the awk script detector
        makes use of multiple wildcards with unlimited repetitions.
        [CVE-2013-7345]</p>
        <p>A malicious input file could trigger infinite recursion
        in libmagic(3). [CVE-2014-1943]</p>
        <p>A specifically crafted Portable Executable (PE) can
        trigger an out-of-bounds read. [CVE-2014-2270]</p>
        <h1>Impact:</h1>
        <p>An attacker who can cause file(1) or any other application
        using the libmagic(3) library to be run on a maliciously
        constructed input can cause the application to crash or consume
        excessive CPU resources, resulting in a denial-of-service.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2012-1571</cvename>
      <cvename>CVE-2013-7345</cvename>
      <cvename>CVE-2014-1943</cvename>
      <cvename>CVE-2014-2270</cvename>
      <freebsdsa>SA-14:16.file</freebsdsa>
    </references>
    <dates>
      <discovery>2014-06-24</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="6f91a709-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- iconv(3) NULL pointer dereference and out-of-bounds array access</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.0</ge><lt>10.0_6</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>A NULL pointer dereference in the initialization code
        of the HZ module and an out of bounds array access in the
        initialization code of the VIQR module make iconv_open(3)
        calls involving HZ or VIQR result in an application crash.</p>
        <h1>Impact:</h1>
        <p>Services where an attacker can control the arguments of
        an iconv_open(3) call can be caused to crash, resulting in
        a denial-of-service.
        For example, an email encoded in HZ
        may cause an email delivery service to crash if it converts
        emails to a more generic encoding like UTF-8 before applying
        filtering rules.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-3951</cvename>
      <freebsdsa>SA-14:15.iconv</freebsdsa>
    </references>
    <dates>
      <discovery>2014-06-24</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="6e8f9003-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Incorrect error handling in PAM policy parser</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>9.2</ge><lt>9.2_7</lt></range>
        <range><ge>10.0</ge><lt>10.0_4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The OpenPAM library searches for policy definitions in
        several locations. While doing so, the absence of a policy
        file is a soft failure (handled by searching in the next
        location) while the presence of an invalid file is a hard
        failure (handled by returning an error to the caller).</p>
        <p>The policy parser returns the same error code (ENOENT)
        when a syntactically valid policy references a non-existent
        module as when the requested policy file does not exist.
        The search loop regards this as a soft failure and looks
        for the next similarly-named policy, without discarding the
        partially-loaded configuration.</p>
        <p>A similar issue can arise if a policy contains an include
        directive that refers to a non-existent policy.</p>
        <h1>Impact:</h1>
        <p>If a module is removed, or the name of a module is
        misspelled in the policy file, the PAM library will proceed
        with a partially loaded configuration.
        Depending on the
        exact circumstances, this may result in a fail-open scenario
        where users are allowed to log in without a password, or
        with an incorrect password.</p>
        <p>In particular, if a policy references a module installed
        by a package or port, and that package or port is being
        reinstalled or upgraded, there is a brief window of time
        during which the module is absent and policies that use it
        may fail open. This can be especially damaging to Internet-facing
        SSH servers, which are regularly subjected to brute-force
        scans.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-3879</cvename>
      <freebsdsa>SA-14:13.pam</freebsdsa>
    </references>
    <dates>
      <discovery>2014-06-03</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="6e04048b-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- ktrace kernel memory disclosure</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>9.2</ge><lt>9.2_7</lt></range>
        <range><ge>9.1</ge><lt>9.1_14</lt></range>
        <range><ge>8.4</ge><lt>8.4_11</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>Due to an overlooked merge to -STABLE branches, the size
        for page fault kernel trace entries was set incorrectly.</p>
        <h1>Impact:</h1>
        <p>A user who can enable kernel process tracing could end
        up reading the contents of kernel memory.</p>
        <p>Such memory might contain sensitive information, such
        as portions of the file cache or terminal buffers.
        This
        information might be directly useful, or it might be leveraged
        to obtain elevated privileges in some way; for example, a
        terminal buffer might include a user-entered password.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-3873</cvename>
      <freebsdsa>SA-14:12.ktrace</freebsdsa>
    </references>
    <dates>
      <discovery>2014-06-03</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="6d9eadaf-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- sendmail improper close-on-exec flag handling</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.0</ge><lt>10.0_4</lt></range>
        <range><ge>9.2</ge><lt>9.2_7</lt></range>
        <range><ge>9.1</ge><lt>9.1_14</lt></range>
        <range><ge>8.4</ge><lt>8.4_11</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>There is a programming error in sendmail(8) that prevents
        open file descriptors from having close-on-exec properly set.
        Consequently a subprocess will be able to access all open
        files that the parent process has open.</p>
        <h1>Impact:</h1>
        <p>A local user who can execute their own program for mail
        delivery will be able to interfere with an open SMTP
        connection.</p>
      </body>
    </description>
    <references>
      <freebsdsa>SA-14:11.sendmail</freebsdsa>
    </references>
    <dates>
      <discovery>2014-06-03</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="6d472244-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- TCP reassembly vulnerability</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>8.4</ge><lt>8.4_9</lt></range>
        <range><ge>8.3</ge><lt>8.3_16</lt></range>
        <range><ge>9.2</ge><lt>9.2_5</lt></range>
        <range><ge>9.1</ge><lt>9.1_12</lt></range>
        <range><ge>10.0</ge><lt>10.0_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>FreeBSD may add a reassembly queue entry on the stack
        into the segment list when the reassembly queue reaches its
        limit. The memory from the stack is undefined after the
        function returns. Subsequent iterations of the reassembly
        function will attempt to access this entry.</p>
        <h1>Impact:</h1>
        <p>An attacker who can send a series of specifically crafted
        packets within a connection could cause a denial of service
        situation by causing the kernel to crash.</p>
        <p>Additionally, because the undefined on-stack memory may
        be overwritten by other kernel threads, while extremely
        difficult, it may be possible for an attacker to construct
        a carefully crafted attack to obtain a portion of kernel
        memory via a connected socket. This may result in the
        disclosure of sensitive information such as login credentials,
        etc.
        before or even without crashing the system.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-3000</cvename>
      <freebsdsa>SA-14:08.tcp</freebsdsa>
    </references>
    <dates>
      <discovery>2014-04-30</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="6b6ca5b6-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- devfs rules not applied by default for jails</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.0</ge><lt>10.0_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The default devfs rulesets are not loaded on boot, even
        when jails are used. Device nodes will be created in the
        jail with their normal default access permissions, while
        most of them should be hidden and inaccessible.</p>
        <h1>Impact:</h1>
        <p>Jailed processes can get access to restricted resources
        on the host system. For jailed processes running with
        superuser privileges this implies access to all devices on
        the system.
        This level of access could lead to information
        leakage and privilege escalation.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-3001</cvename>
      <freebsdsa>SA-14:07.devfs</freebsdsa>
    </references>
    <dates>
      <discovery>2014-04-30</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="6a384960-6007-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Deadlock in the NFS server</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>10.0</ge><lt>10.0_1</lt></range>
        <range><ge>9.2</ge><lt>9.2_4</lt></range>
        <range><ge>9.1</ge><lt>9.1_11</lt></range>
        <range><ge>8.4</ge><lt>8.4_8</lt></range>
        <range><ge>8.3</ge><lt>8.3_15</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The kernel holds a lock over the source directory vnode
        while trying to convert the target directory file handle
        to a vnode, which needs to be returned with the lock held,
        too.
        This order may be in violation of normal lock order,
        which in conjunction with other threads that grab locks in
        the right order, constitutes a deadlock condition because
        no thread can proceed.</p>
        <h1>Impact:</h1>
        <p>An attacker on a trusted client could cause the NFS
        server to become deadlocked, resulting in a denial of service.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-1453</cvename>
      <freebsdsa>SA-14:05.nfsserver</freebsdsa>
    </references>
    <dates>
      <discovery>2014-04-08</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="4c96ecf2-5fd9-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- bsnmpd remote denial of service vulnerability</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>9.2</ge><lt>9.2_3</lt></range>
        <range><ge>9.1</ge><lt>9.1_10</lt></range>
        <range><ge>8.4</ge><lt>8.4_7</lt></range>
        <range><ge>8.3</ge><lt>8.3_14</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description:</h1>
        <p>The bsnmpd(8) daemon is prone to a stack-based
        buffer-overflow when it has received a specifically crafted
        GETBULK PDU request.</p>
        <h1>Impact:</h1>
        <p>This issue could be exploited to execute arbitrary code in
        the context of the service daemon, or crash the service daemon,
        causing a denial-of-service.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-1452</cvename>
      <freebsdsa>SA-14:01.bsnmpd</freebsdsa>
    </references>
    <dates>
      <discovery>2014-01-14</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="ca16fd0b-5fd1-11e6-a6f2-6cc21735f730">
    <topic>PostgreSQL -- Denial-of-Service and Code Injection Vulnerabilities</topic>
    <affects>
      <package>
        <name>postgresql91-server</name>
        <range><ge>9.1.0</ge><lt>9.1.23</lt></range>
      </package>
      <package>
        <name>postgresql92-server</name>
        <range><ge>9.2.0</ge><lt>9.2.18</lt></range>
      </package>
      <package>
        <name>postgresql93-server</name>
        <range><ge>9.3.0</ge><lt>9.3.11</lt></range>
      </package>
      <package>
        <name>postgresql94-server</name>
        <range><ge>9.4.0</ge><lt>9.4.9</lt></range>
      </package>
      <package>
        <name>postgresql95-server</name>
        <range><ge>9.5.0</ge><lt>9.5.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>PostgreSQL project reports:</p>
        <blockquote cite="http://www.postgresql.org/about/news/1688/">
          <p>Security Fixes nested CASE expressions + database and role names with embedded special characters</p>
          <ul>
            <li>CVE-2016-5423: certain nested CASE expressions can cause the server to crash.</li>
            <li>CVE-2016-5424: database and role names with embedded special characters can allow code injection during administrative operations like pg_dumpall.
</li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-5423</cvename>
      <cvename>CVE-2016-5424</cvename>
    </references>
    <dates>
      <discovery>2016-08-11</discovery>
      <entry>2016-08-11</entry>
    </dates>
  </vuln>

  <vuln vid="28bf62ef-5e2c-11e6-a15f-00248c0c745d">
    <topic>piwik -- XSS vulnerability</topic>
    <affects>
      <package>
        <name>piwik</name>
        <range><lt>2.16.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Piwik reports:</p>
        <blockquote cite="https://piwik.org/changelog/piwik-2-16-2/">
          <p>We have identified and fixed several XSS security issues in this release.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://piwik.org/changelog/piwik-2-16-2/</url>
    </references>
    <dates>
      <discovery>2016-08-03</discovery>
      <entry>2016-08-09</entry>
    </dates>
  </vuln>

  <vuln vid="7d08e608-5e95-11e6-b334-002590263bf5">
    <topic>BIND,Knot,NSD,PowerDNS -- denial of service via oversized zone transfers</topic>
    <affects>
      <package>
        <name>bind99</name>
        <range><le>9.9.9P2</le></range>
      </package>
      <package>
        <name>bind910</name>
        <range><le>9.10.4P2</le></range>
      </package>
      <package>
        <name>bind911</name>
        <range><le>9.11.0.b2</le></range>
      </package>
      <package>
        <name>bind9-devel</name>
        <range><le>9.12.0.a.2016.11.02</le></range>
      </package>
      <package>
        <name>knot</name>
        <name>knot1</name>
        <range><lt>1.6.8</lt></range>
      </package>
      <package>
        <name>knot2</name>
        <range><lt>2.3.0</lt></range>
      </package>
      <package>
        <name>nsd</name>
        <range><lt>4.1.11</lt></range>
      </package>
      <package>
        <name>powerdns</name>
        <range><lt>4.0.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>ISC reports:</p>
        <blockquote cite="https://kb.isc.org/article/AA-01390">
          <p>DNS protocols were designed with the assumption that a certain amount of trust could be presumed between the operators of primary and secondary servers for a given zone. However, in current practice some organizations have scenarios which require them to accept zone data from sources that are not fully trusted (for example: providers of secondary name service). A party who is allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS updates) can overwhelm the server which is accepting data by intentionally or accidentally exhausting that server's memory.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-6170</cvename>
      <cvename>CVE-2016-6171</cvename>
      <cvename>CVE-2016-6172</cvename>
      <cvename>CVE-2016-6173</cvename>
      <url>https://kb.isc.org/article/AA-01390</url>
      <mlist>http://www.openwall.com/lists/oss-security/2016/07/06/4</mlist>
    </references>
    <dates>
      <discovery>2016-07-06</discovery>
      <entry>2016-08-10</entry>
      <modified>2017-04-24</modified>
    </dates>
  </vuln>

  <vuln vid="dd48d9b9-5e7e-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Kernel memory disclosure in sctp(4)</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>9.1</ge><lt>9.1_6</lt></range>
        <range><ge>8.4</ge><lt>8.4_3</lt></range>
        <range><ge>8.3</ge><lt>8.3_10</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Problem Description:</p>
        <p>When initializing the SCTP state cookie being sent in INIT-ACK chunks, a buffer allocated from the kernel stack is not completely initialized.</p>
        <p>Impact:</p>
        <p>Fragments of kernel
memory may be included in SCTP packets and transmitted over the network. For each SCTP session, there are two separate instances in which a 4-byte fragment may be transmitted.</p>
        <p>This memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password.</p>
      </body>
    </description>
    <references>
      <freebsdsa>SA-13:10.sctp</freebsdsa>
      <cvename>CVE-2013-5209</cvename>
    </references>
    <dates>
      <discovery>2013-08-22</discovery>
      <entry>2016-08-09</entry>
    </dates>
  </vuln>

  <vuln vid="0844632f-5e78-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- integer overflow in IP_MSFILTER</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>9.1</ge><lt>9.1_6</lt></range>
        <range><ge>8.4</ge><lt>8.4_3</lt></range>
        <range><ge>8.3</ge><lt>8.3_10</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Problem Description:</p>
        <p>An integer overflow in computing the size of a temporary buffer can result in a buffer which is too small for the requested operation.</p>
        <p>Impact:</p>
        <p>An unprivileged process can read or write pages of memory which belong to the kernel.
These may lead to exposure of sensitive information or allow privilege escalation.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2013-3077</cvename>
      <freebsdsa>SA-13:09.ip_multicast</freebsdsa>
    </references>
    <dates>
      <discovery>2013-08-22</discovery>
      <entry>2016-08-09</entry>
    </dates>
  </vuln>

  <vuln vid="e5d2442d-5e76-11e6-a6c3-14dae9d210b8">
    <topic>FreeBSD -- Incorrect privilege validation in the NFS server</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>9.1</ge><lt>9.1_5</lt></range>
        <range><ge>8.3</ge><lt>8.3_9</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Problem Description:</p>
        <p>The kernel incorrectly uses client supplied credentials instead of the one configured in exports(5) when filling out the anonymous credential for a NFS export, when -network or -host restrictions are used at the same time.</p>
        <p>Impact:</p>
        <p>The remote client may supply privileged credentials (e.g.
the root user) when accessing a file under the NFS share, which will bypass the normal access checks.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2013-4851</cvename>
      <freebsdsa>SA-13:08.nfsserver</freebsdsa>
    </references>
    <dates>
      <discovery>2013-07-06</discovery>
      <entry>2016-08-09</entry>
    </dates>
  </vuln>

  <vuln vid="6da45e38-5b55-11e6-8859-000c292ee6b8">
    <topic>collectd -- Network plugin heap overflow</topic>
    <affects>
      <package>
        <name>collectd5</name>
        <range><lt>5.5.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The collectd Project reports:</p>
        <blockquote cite="http://collectd.org/news.shtml#news98">
          <p>Emilien Gaspar has identified a heap overflow in collectd's network plugin which can be triggered remotely and is potentially exploitable.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-6254</cvename>
      <url>http://collectd.org/news.shtml#news98</url>
    </references>
    <dates>
      <discovery>2016-07-26</discovery>
      <entry>2016-08-05</entry>
    </dates>
  </vuln>

  <vuln vid="3ddcb42b-5b78-11e6-b334-002590263bf5">
    <topic>moodle -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>moodle28</name>
        <range><le>2.8.12</le></range>
      </package>
      <package>
        <name>moodle29</name>
        <range><lt>2.9.7</lt></range>
      </package>
      <package>
        <name>moodle30</name>
        <range><lt>3.0.5</lt></range>
      </package>
      <package>
        <name>moodle31</name>
        <range><lt>3.1.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Marina Glancy reports:</p>
        <blockquote cite="https://moodle.org/security/">
          <ul>
            <li><p>MSA-16-0019: Glossary search displays entries
without checking user permissions to view them</p></li>
            <li><p>MSA-16-0020: Text injection in email headers</p></li>
            <li><p>MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course</p></li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-5012</cvename>
      <cvename>CVE-2016-5013</cvename>
      <cvename>CVE-2016-5014</cvename>
      <url>https://moodle.org/security/</url>
    </references>
    <dates>
      <discovery>2016-07-19</discovery>
      <entry>2016-08-06</entry>
    </dates>
  </vuln>

  <vuln vid="7a31e0de-5b6d-11e6-b334-002590263bf5">
    <topic>bind -- denial of service vulnerability</topic>
    <affects>
      <package>
        <name>bind99</name>
        <range><lt>9.9.9P2</lt></range>
      </package>
      <package>
        <name>bind910</name>
        <range><lt>9.10.4P2</lt></range>
      </package>
      <package>
        <name>bind911</name>
        <range><lt>9.11.0.b2</lt></range>
      </package>
      <package>
        <name>bind9-devel</name>
        <range><lt>9.12.0.a.2016.07.14</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>ISC reports:</p>
        <blockquote cite="https://kb.isc.org/article/AA-01393">
          <p>A query name which is too long can cause a segmentation fault in lwresd.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-2775</cvename>
      <url>https://kb.isc.org/article/AA-01393</url>
    </references>
    <dates>
      <discovery>2016-07-18</discovery>
      <entry>2016-08-06</entry>
    </dates>
  </vuln>

  <vuln vid="610101ea-5b6a-11e6-b334-002590263bf5">
    <topic>wireshark -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>wireshark</name>
        <name>wireshark-lite</name>
        <name>wireshark-qt5</name>
        <name>tshark</name>
        <name>tshark-lite</name>
        <range><lt>2.0.5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Wireshark development team reports:</p>
        <blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.5.html">
          <p>The following vulnerabilities have been fixed:</p>
          <ul>
            <li><p>wnpa-sec-2016-41</p>
            <p>PacketBB crash. (Bug 12577)</p></li>
            <li><p>wnpa-sec-2016-42</p>
            <p>WSP infinite loop. (Bug 12594)</p></li>
            <li><p>wnpa-sec-2016-44</p>
            <p>RLC long loop. (Bug 12660)</p></li>
            <li><p>wnpa-sec-2016-45</p>
            <p>LDSS dissector crash. (Bug 12662)</p></li>
            <li><p>wnpa-sec-2016-46</p>
            <p>RLC dissector crash. (Bug 12664)</p></li>
            <li><p>wnpa-sec-2016-47</p>
            <p>OpenFlow long loop. (Bug 12659)</p></li>
            <li><p>wnpa-sec-2016-48</p>
            <p>MMSE, WAP, WBXML, and WSP infinite loop. (Bug 12661)</p></li>
            <li><p>wnpa-sec-2016-49</p>
            <p>WBXML crash.
(Bug 12663)</p></li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-6505</cvename>
      <cvename>CVE-2016-6506</cvename>
      <cvename>CVE-2016-6508</cvename>
      <cvename>CVE-2016-6509</cvename>
      <cvename>CVE-2016-6510</cvename>
      <cvename>CVE-2016-6511</cvename>
      <cvename>CVE-2016-6512</cvename>
      <cvename>CVE-2016-6513</cvename>
      <url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.5.html</url>
      <url>http://www.openwall.com/lists/oss-security/2016/08/01/4</url>
    </references>
    <dates>
      <discovery>2016-07-27</discovery>
      <entry>2016-08-06</entry>
    </dates>
  </vuln>

  <vuln vid="3e08047f-5a6c-11e6-a6c3-14dae9d210b8">
    <topic>p5-XSLoader -- local arbitrary code execution</topic>
    <affects>
      <package>
        <name>p5-XSLoader</name>
        <range><lt>0.22</lt></range>
      </package>
      <package>
        <name>perl5</name>
        <name>perl5.18</name>
        <name>perl5.20</name>
        <name>perl5.22</name>
        <name>perl5.24</name>
        <name>perl5-devel</name>
        <range><lt>5.18.4_24</lt></range>
        <range><ge>5.20</ge><lt>5.20.3_15</lt></range>
        <range><ge>5.21</ge><lt>5.22.3.r2</lt></range>
        <range><ge>5.23</ge><lt>5.24.1.r2</lt></range>
        <range><ge>5.25</ge><lt>5.25.2.87</lt></range>
      </package>
      <package>
        <name>perl</name>
        <range><ge>0</ge></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Jakub Wilk reports:</p>
        <blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829578">
          <p>XSLoader tries to load code from a subdirectory in the cwd when called inside a string eval</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829578</url>
      <cvename>CVE-2016-6185</cvename>
    </references>
    <dates>
      <discovery>2016-06-30</discovery>
      <entry>2016-08-04</entry>
      <modified>2016-08-22</modified>
    </dates>
  </vuln>

  <vuln vid="72bfbb09-5a6a-11e6-a6c3-14dae9d210b8">
    <topic>perl -- local arbitrary code execution</topic>
    <affects>
      <package>
        <name>perl5</name>
        <name>perl5.18</name>
        <name>perl5.20</name>
        <name>perl5.22</name>
        <name>perl5.24</name>
        <name>perl5-devel</name>
        <range><lt>5.18.4_23</lt></range>
        <range><ge>5.20</ge><lt>5.20.3_14</lt></range>
        <range><ge>5.21</ge><lt>5.22.3.r2</lt></range>
        <range><ge>5.23</ge><lt>5.24.1.r2</lt></range>
        <range><ge>5.25</ge><lt>5.25.3.18</lt></range>
      </package>
      <package>
        <name>perl</name>
        <range><ge>0</ge></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Sawyer X reports:</p>
        <blockquote cite="http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html">
          <p>Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove .
(period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html</url>
      <cvename>CVE-2016-1238</cvename>
    </references>
    <dates>
      <discovery>2016-07-21</discovery>
      <entry>2016-08-04</entry>
      <modified>2016-08-22</modified>
    </dates>
  </vuln>

  <vuln vid="556d2286-5a51-11e6-a6c3-14dae9d210b8">
    <topic>gd -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>gd</name>
        <range><lt>2.2.3,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Pierre Joye reports:</p>
        <blockquote cite="https://github.com/libgd/libgd/releases/tag/gd-2.2.3">
          <ul>
            <li><p>fix php bug 72339, Integer Overflow in _gd2GetHeader (CVE-2016-5766)</p></li>
            <li><p>gd: Buffer over-read issue when parsing crafted TGA file (CVE-2016-6132)</p></li>
            <li><p>Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207)</p></li>
            <li><p>fix php bug 72494, invalid color index not handled, can lead to crash (CVE-2016-6128)</p></li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://github.com/libgd/libgd/releases/tag/gd-2.2.3</url>
      <cvename>CVE-2016-5766</cvename>
      <cvename>CVE-2016-6132</cvename>
      <cvename>CVE-2016-6207</cvename>
      <cvename>CVE-2016-6128</cvename>
    </references>
    <dates>
      <discovery>2016-07-21</discovery>
      <entry>2016-08-04</entry>
    </dates>
  </vuln>

  <vuln vid="e4bc70fc-5a2f-11e6-a1bc-589cfc0654e1">
    <topic>Vulnerabilities in Curl</topic>
    <affects>
      <package>
        <name>curl</name>
        <range><ge>7.32.0</ge><lt>7.50.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Curl security team reports:</p>
        <blockquote cite="https://curl.haxx.se/docs/security.html">
          <p>CVE-2016-5419 - TLS session resumption client cert bypass</p>
          <p>CVE-2016-5420 - Re-using connections with wrong client cert</p>
          <p>CVE-2016-5421 - use of connection struct after free</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-5419</cvename>
      <cvename>CVE-2016-5420</cvename>
      <cvename>CVE-2016-5421</cvename>
      <url>https://curl.haxx.se/docs/adv_20160803A.html</url>
      <url>https://curl.haxx.se/docs/adv_20160803B.html</url>
      <url>https://curl.haxx.se/docs/adv_20160803C.html</url>
    </references>
    <dates>
      <discovery>2016-08-03</discovery>
      <entry>2016-08-04</entry>
    </dates>
  </vuln>

  <vuln vid="ef0033ad-5823-11e6-80cc-001517f335e2">
    <topic>lighttpd -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>lighttpd</name>
        <range><lt>1.4.41</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Lighttpd Project reports:</p>
        <blockquote cite="http://www.lighttpd.net/2016/7/31/1.4.41/">
          <p>Security fixes for Lighttpd:</p>
          <ul>
            <li><p>security: encode quoting chars in HTML and XML</p></li>
            <li><p>security: ensure gid != 0 if server.username is set, but not server.groupname</p></li>
            <li><p>security: disable stat_cache if server.follow-symlink = “disable”</p></li>
            <li><p>security: httpoxy defense: do not emit HTTP_PROXY to CGI env</p></li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.lighttpd.net/2016/7/31/1.4.41/</url>
      <freebsdpr>ports/211495</freebsdpr>
    </references>
    <dates>
      <discovery>2016-07-31</discovery>
      <entry>2016-08-03</entry>
    </dates>
  </vuln>

  <vuln vid="06574c62-5854-11e6-b334-002590263bf5">
    <topic>xen-tools -- virtio: unbounded memory allocation issue</topic>
    <affects>
      <package>
        <name>xen-tools</name>
        <range><lt>4.7.0_4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The Xen Project reports:</p>
        <blockquote cite="http://xenbits.xen.org/xsa/advisory-184.html">
          <p>A guest can submit virtio requests without bothering to wait for completion and is therefore not bound by virtqueue size...</p>
          <p>A malicious guest administrator can cause unbounded memory allocation in QEMU, which can cause an Out-of-Memory condition in the domain running qemu. Thus, a malicious guest administrator can cause a denial of service affecting the whole host.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-5403</cvename>
      <freebsdpr>ports/211482</freebsdpr>
      <url>http://xenbits.xen.org/xsa/advisory-184.html</url>
    </references>
    <dates>
      <discovery>2016-07-27</discovery>
      <entry>2016-08-02</entry>
    </dates>
  </vuln>

  <vuln vid="04cf89e3-5854-11e6-b334-002590263bf5">
    <topic>xen-kernel -- x86: Missing SMAP whitelisting in 32-bit exception / event delivery</topic>
    <affects>
      <package>
        <name>xen-kernel</name>
        <range><gt>4.5</gt><lt>4.7.0_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The Xen Project reports:</p>
        <blockquote cite="http://xenbits.xen.org/xsa/advisory-183.html">
          <p>Supervisor Mode Access Prevention is a hardware feature designed to make an Operating System more robust, by raising a pagefault rather than accidentally following a pointer into userspace.
However, legitimate accesses into userspace require whitelisting, and the exception delivery mechanism for 32bit PV guests wasn't whitelisted.</p>
          <p>A malicious 32-bit PV guest kernel can trigger a safety check, crashing the hypervisor and causing a denial of service to other VMs on the host.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-6259</cvename>
      <freebsdpr>ports/211482</freebsdpr>
      <url>http://xenbits.xen.org/xsa/advisory-183.html</url>
    </references>
    <dates>
      <discovery>2016-07-26</discovery>
      <entry>2016-08-02</entry>
    </dates>
  </vuln>

  <vuln vid="032aa524-5854-11e6-b334-002590263bf5">
    <topic>xen-kernel -- x86: Privilege escalation in PV guests</topic>
    <affects>
      <package>
        <name>xen-kernel</name>
        <range><lt>4.7.0_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The Xen Project reports:</p>
        <blockquote cite="http://xenbits.xen.org/xsa/advisory-182.html">
          <p>The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only Access/Dirty bits).
The bits considered safe were too broad, and not actually safe.</p>
          <p>A malicious PV guest administrator can escalate their privilege to that of the host.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-6258</cvename>
      <freebsdpr>ports/211482</freebsdpr>
      <url>http://xenbits.xen.org/xsa/advisory-182.html</url>
    </references>
    <dates>
      <discovery>2016-07-26</discovery>
      <entry>2016-08-02</entry>
    </dates>
  </vuln>

  <vuln vid="cb5189eb-572f-11e6-b334-002590263bf5">
    <topic>libidn -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>libidn</name>
        <range><lt>1.33</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Simon Josefsson reports:</p>
        <blockquote cite="https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html">
          <p>libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.</p>
          <p>idn: Solve out-of-bounds-read when reading one zero byte as input. Also replaced fgets with getline.</p>
          <p>libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8.
It was always documented to only accept UTF-8 data, but now it doesn't crash when presented with such data.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-6261</cvename>
      <cvename>CVE-2015-8948</cvename>
      <cvename>CVE-2016-6262</cvename>
      <cvename>CVE-2016-6263</cvename>
      <url>https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html</url>
      <url>http://www.openwall.com/lists/oss-security/2016/07/21/4</url>
    </references>
    <dates>
      <discovery>2016-07-20</discovery>
      <entry>2016-07-31</entry>
    </dates>
  </vuln>

  <vuln vid="6fb8a90f-c9d5-4d14-b940-aed3d63c2edc">
    <topic>The GIMP -- Use after Free vulnerability</topic>
    <affects>
      <package>
        <name>gimp-app</name>
        <range><lt>2.8.18,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The GIMP team reports:</p>
        <blockquote cite="https://mail.gnome.org/archives/gimp-developer-list/2016-July/msg00020.html">
          <p>A Use-after-free vulnerability was found in the xcf_load_image function.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://mail.gnome.org/archives/gimp-developer-list/2016-July/msg00020.html</url>
      <url>https://bugzilla.gnome.org/show_bug.cgi?id=767873</url>
      <cvename>CVE-2016-4994</cvename>
    </references>
    <dates>
      <discovery>2016-06-20</discovery>
      <entry>2016-07-19</entry>
    </dates>
  </vuln>

  <vuln vid="cb09a7aa-5344-11e6-a7bd-14dae9d210b8">
    <topic>xerces-c3 -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>xerces-c3</name>
        <range><lt>3.1.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Apache reports:</p>
        <blockquote cite="https://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt">
          <p>The
Xerces-C XML parser fails to successfully parse a DTD that is deeply nested, and this causes a stack overflow, which makes a denial of service attack against many applications possible by an unauthenticated attacker.</p>
          <p>Also, CVE-2016-2099: Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier allows context-dependent attackers to have unspecified impact via an invalid character in an XML document.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt</url>
      <url>http://www.openwall.com/lists/oss-security/2016/05/09/7</url>
      <cvename>CVE-2016-2099</cvename>
      <cvename>CVE-2016-4463</cvename>
    </references>
    <dates>
      <discovery>2016-05-09</discovery>
      <entry>2016-07-26</entry>
    </dates>
  </vuln>

  <vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
    <topic>php -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>php55</name>
        <range><lt>5.5.38</lt></range>
      </package>
      <package>
        <name>php56</name>
        <range><lt>5.6.24</lt></range>
      </package>
      <package>
        <name>php70</name>
        <range><lt>7.0.9</lt></range>
      </package>
      <package>
        <name>php70-curl</name>
        <range><lt>7.0.9</lt></range>
      </package>
      <package>
        <name>php55-bz2</name>
        <range><lt>5.5.38</lt></range>
      </package>
      <package>
        <name>php56-bz2</name>
        <range><lt>5.6.24</lt></range>
      </package>
      <package>
        <name>php70-bz2</name>
        <range><lt>7.0.9</lt></range>
      </package>
      <package>
        <name>php55-exif</name>
        <range><lt>5.5.38</lt></range>
      </package>
      <package>
        <name>php56-exif</name>
        <range><lt>5.6.24</lt></range>
      </package>
      <package>
        <name>php70-exif</name>
        <range><lt>7.0.9</lt></range>
      </package>
      <package>
        <name>php55-gd</name>
        <range><lt>5.5.38</lt></range>
      </package>
      <package>
        <name>php56-gd</name>
        <range><lt>5.6.24</lt></range>
      </package>
      <package>
        <name>php70-gd</name>
        <range><lt>7.0.9</lt></range>
      </package>
      <package>
        <name>php70-mcrypt</name>
        <range><lt>7.0.9</lt></range>
      </package>
      <package>
        <name>php55-odbc</name>
        <range><lt>5.5.38</lt></range>
      </package>
      <package>
        <name>php56-odbc</name>
        <range><lt>5.6.24</lt></range>
      </package>
      <package>
        <name>php70-odbc</name>
        <range><lt>7.0.9</lt></range>
      </package>
      <package>
        <name>php55-snmp</name>
        <range><lt>5.5.38</lt></range>
      </package>
      <package>
        <name>php56-snmp</name>
        <range><lt>5.6.24</lt></range>
      </package>
      <package>
        <name>php70-snmp</name>
        <range><lt>7.0.9</lt></range>
      </package>
      <package>
        <name>php55-xmlrpc</name>
        <range><lt>5.5.38</lt></range>
      </package>
      <package>
        <name>php56-xmlrpc</name>
        <range><lt>5.6.24</lt></range>
      </package>
      <package>
        <name>php70-xmlrpc</name>
        <range><lt>7.0.9</lt></range>
      </package>
      <package>
        <name>php55-zip</name>
        <range><lt>5.5.38</lt></range>
      </package>
      <package>
        <name>php56-zip</name>
        <range><lt>5.6.24</lt></range>
      </package>
      <package>
        <name>php70-zip</name>
        <range><lt>7.0.9</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>PHP reports:</p>
        <blockquote cite="http://www.php.net/ChangeLog-5.php#5.5.38">
          <ul>
            <li><p>Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns)</p></li>
            <li><p>Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()).</p></li>
            <li><p>Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read
access).</p></li>
            <li><p>Fixed bug #72519 (imagegif/output out-of-bounds access).</p></li>
            <li><p>Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener).</p></li>
            <li><p>Fixed bug #72533 (locale_accept_from_http out-of-bounds access).</p></li>
            <li><p>Fixed bug #72541 (size_t overflow lead to heap corruption).</p></li>
            <li><p>Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to heap overflow in mdecrypt_generic).</p></li>
            <li><p>Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).</p></li>
            <li><p>Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications).</p></li>
            <li><p>Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).</p></li>
            <li><p>Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).</p></li>
            <li><p>Fixed bug #72613 (Inadequate error handling in bzread()).</p></li>
            <li><p>Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).</p></li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.php.net/ChangeLog-5.php#5.5.38</url>
      <url>http://www.php.net/ChangeLog-5.php#5.6.24</url>
      <url>http://www.php.net/ChangeLog-7.php#7.0.8</url>
      <url>http://seclists.org/oss-sec/2016/q3/121</url>
      <cvename>CVE-2015-8879</cvename>
      <cvename>CVE-2016-5385</cvename>
      <cvename>CVE-2016-5399</cvename>
      <cvename>CVE-2016-6288</cvename>
      <cvename>CVE-2016-6289</cvename>
      <cvename>CVE-2016-6290</cvename>
      <cvename>CVE-2016-6291</cvename>
      <cvename>CVE-2016-6292</cvename>
      <cvename>CVE-2016-6294</cvename>
      <cvename>CVE-2016-6295</cvename>
      <cvename>CVE-2016-6296</cvename>
      <cvename>CVE-2016-6297</cvename>
    </references>
    <dates>
      <discovery>2016-07-21</discovery>
      <entry>2016-07-26</entry>
    </dates>
  </vuln>

  <vuln
vid="6fae9fe1-5048-11e6-8aa7-3065ec8fd3ec"> 8722 <topic>chromium -- multiple vulnerabilities</topic> 8723 <affects> 8724 <package> 8725 <name>chromium</name> 8726 <name>chromium-npapi</name> 8727 <name>chromium-pulse</name> 8728 <range><lt>52.0.2743.82</lt></range> 8729 </package> 8730 </affects> 8731 <description> 8732 <body xmlns="http://www.w3.org/1999/xhtml"> 8733 <p>Google Chrome Releases reports:</p> 8734 <blockquote cite="https://googlechromereleases.blogspot.nl/2016/07/stable-channel-update.html"> 8735 <p>48 security fixes in this release, including:</p> 8736 <ul> 8737 <li>[610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to 8738 Pinkie Pie xisigr of Tencent's Xuanwu Lab</li> 8739 <li>[613949] High CVE-2016-1708: Use-after-free in Extensions. 8740 Credit to Adam Varsan</li> 8741 <li>[614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly. 8742 Credit to ChenQin of Topsec Security Team</li> 8743 <li>[616907] High CVE-2016-1710: Same-origin bypass in Blink. 8744 Credit to Mariusz Mlynski</li> 8745 <li>[617495] High CVE-2016-1711: Same-origin bypass in Blink. 8746 Credit to Mariusz Mlynski</li> 8747 <li>[618237] High CVE-2016-5127: Use-after-free in Blink. Credit 8748 to cloudfuzzer</li> 8749 <li>[619166] High CVE-2016-5128: Same-origin bypass in V8. Credit 8750 to Anonymous</li> 8751 <li>[620553] High CVE-2016-5129: Memory corruption in V8. Credit to 8752 Jeonghoon Shin</li> 8753 <li>[623319] High CVE-2016-5130: URL spoofing. Credit to Wadih 8754 Matar</li> 8755 <li>[623378] High CVE-2016-5131: Use-after-free in libxml. Credit 8756 to Nick Wellnhofer</li> 8757 <li>[607543] Medium CVE-2016-5132: Limited same-origin bypass in 8758 Service Workers. Credit to Ben Kelly</li> 8759 <li>[613626] Medium CVE-2016-5133: Origin confusion in proxy 8760 authentication. Credit to Patch Eudor</li> 8761 <li>[593759] Medium CVE-2016-5134: URL leakage via PAC script. 
8762 Credit to Paul Stone</li> 8763 <li>[605451] Medium CVE-2016-5135: Content-Security-Policy bypass. 8764 Credit to kingxwy</li> 8765 <li>[625393] Medium CVE-2016-5136: Use after free in extensions. 8766 Credit to Rob Wu</li> 8767 <li>[625945] Medium CVE-2016-5137: History sniffing with HSTS and 8768 CSP. Credit to Xiaoyin Liu</li> 8769 <li>[629852] CVE-2016-1705: Various fixes from internal audits, 8770 fuzzing and other initiatives.</li> 8771 </ul> 8772 </blockquote> 8773 </body> 8774 </description> 8775 <references> 8776 <cvename>CVE-2016-1705</cvename> 8777 <cvename>CVE-2016-1706</cvename> 8778 <cvename>CVE-2016-1708</cvename> 8779 <cvename>CVE-2016-1709</cvename> 8780 <cvename>CVE-2016-1710</cvename> 8781 <cvename>CVE-2016-1711</cvename> 8782 <cvename>CVE-2016-5127</cvename> 8783 <cvename>CVE-2016-5128</cvename> 8784 <cvename>CVE-2016-5129</cvename> 8785 <cvename>CVE-2016-5130</cvename> 8786 <cvename>CVE-2016-5131</cvename> 8787 <cvename>CVE-2016-5132</cvename> 8788 <cvename>CVE-2016-5133</cvename> 8789 <cvename>CVE-2016-5134</cvename> 8790 <cvename>CVE-2016-5135</cvename> 8791 <cvename>CVE-2016-5136</cvename> 8792 <cvename>CVE-2016-5137</cvename> 8793 <url>https://googlechromereleases.blogspot.nl/2016/07/stable-channel-update.html</url> 8794 </references> 8795 <dates> 8796 <discovery>2016-07-20</discovery> 8797 <entry>2016-07-22</entry> 8798 </dates> 8799 </vuln> 8800 8801 <vuln vid="62d45229-4fa0-11e6-9d13-206a8a720317"> 8802 <topic>krb5 -- KDC denial of service vulnerability</topic> 8803 <affects> 8804 <package> 8805 <name>krb5-113</name> 8806 <range><lt>1.13.6</lt></range> 8807 </package> 8808 <package> 8809 <name>krb5-114</name> 8810 <range><lt>1.14.3</lt></range> 8811 </package> 8812 </affects> 8813 <description> 8814 <body xmlns="http://www.w3.org/1999/xhtml"> 8815 <p>Major changes in krb5 1.14.3 and krb5 1.13.6:</p> 8816 <blockquote cite="http://web.mit.edu/kerberos/krb5-1.14/"> 8817 <p>Fix a rare KDC denial of service vulnerability when anonymous 
8818 client principals are restricted to obtaining TGTs only 8819 [CVE-2016-3120] .</p> 8820 </blockquote> 8821 </body> 8822 </description> 8823 <references> 8824 <cvename>CVE-2016-3120</cvename> 8825 <url>http://web.mit.edu/kerberos/krb5-1.14/</url> 8826 </references> 8827 <dates> 8828 <discovery>2016-07-20</discovery> 8829 <entry>2016-07-21</entry> 8830 <modified>2016-07-26</modified> 8831 </dates> 8832 </vuln> 8833 8834 <vuln vid="72f71e26-4f69-11e6-ac37-ac9e174be3af"> 8835 <topic>Apache OpenOffice 4.1.2 -- Memory Corruption Vulnerability (Impress Presentations)</topic> 8836 <affects> 8837 <package> 8838 <name>apache-openoffice</name> 8839 <range><lt>4.1.2_8</lt></range> 8840 </package> 8841 <package> 8842 <name>apache-openoffice-devel</name> 8843 <range><lt>4.2.1753426,4</lt></range> 8844 </package> 8845 </affects> 8846 <description> 8847 <body xmlns="http://www.w3.org/1999/xhtml"> 8848 <p>The Apache OpenOffice Project reports:</p> 8849 <blockquote cite="http://www.openoffice.org/security/cves/CVE-2016-1513.html"> 8850 <p>An OpenDocument Presentation .ODP or Presentation Template 8851 .OTP file can contain invalid presentation elements that lead 8852 to memory corruption when the document is loaded in Apache 8853 OpenOffice Impress. The defect may cause the document to appear 8854 as corrupted and OpenOffice may crash in a recovery-stuck mode 8855 requiring manual intervention. 
A crafted exploitation of the 8856 defect can allow an attacker to cause denial of service 8857 (memory corruption and application crash) and possible 8858 execution of arbitrary code.</p> 8859 </blockquote> 8860 </body> 8861 </description> 8862 <references> 8863 <cvename>CVE-2016-1513</cvename> 8864 <url>http://www.openoffice.org/security/cves/CVE-2015-4551.html</url> 8865 </references> 8866 <dates> 8867 <discovery>2016-07-17</discovery> 8868 <entry>2016-07-21</entry> 8869 </dates> 8870 </vuln> 8871 8872 <vuln vid="ca5cb202-4f51-11e6-b2ec-b499baebfeaf"> 8873 <topic>MySQL -- Multiple vulnerabilities</topic> 8874 <affects> 8875 <package> 8876 <name>mariadb55-server</name> 8877 <range><le>5.5.49</le></range> 8878 </package> 8879 <package> 8880 <name>mariadb100-server</name> 8881 <range><le>10.0.25</le></range> 8882 </package> 8883 <package> 8884 <name>mariadb101-server</name> 8885 <range><le>10.1.14</le></range> 8886 </package> 8887 <package> 8888 <name>mysql55-server</name> 8889 <range><le>5.5.49</le></range> 8890 </package> 8891 <package> 8892 <name>mysql56-server</name> 8893 <range><lt>5.6.30</lt></range> 8894 </package> 8895 <package> 8896 <name>mysql57-server</name> 8897 <range><lt>5.7.12_1</lt></range> 8898 </package> 8899 <package> 8900 <name>percona55-server</name> 8901 <range><le>5.5.49</le></range> 8902 </package> 8903 <package> 8904 <name>percona56-server</name> 8905 <range><le>5.6.30</le></range> 8906 </package> 8907 </affects> 8908 <description> 8909 <body xmlns="http://www.w3.org/1999/xhtml"> 8910 <p>Oracle reports:</p> 8911 <blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL"> 8912 <p>The quarterly Critical Patch Update contains 22 new security fixes for 8913 Oracle MySQL 5.5.49, 5.6.30, 5.7.13 and earlier</p> 8914 </blockquote> 8915 </body> 8916 </description> 8917 <references> 8918 <url>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL</url> 8919 
<cvename>CVE-2016-3477</cvename> 8920 <cvename>CVE-2016-3440</cvename> 8921 <cvename>CVE-2016-2105</cvename> 8922 <cvename>CVE-2016-3471</cvename> 8923 <cvename>CVE-2016-3486</cvename> 8924 <cvename>CVE-2016-3501</cvename> 8925 <cvename>CVE-2016-3518</cvename> 8926 <cvename>CVE-2016-3521</cvename> 8927 <cvename>CVE-2016-3588</cvename> 8928 <cvename>CVE-2016-3615</cvename> 8929 <cvename>CVE-2016-3614</cvename> 8930 <cvename>CVE-2016-5436</cvename> 8931 <cvename>CVE-2016-3459</cvename> 8932 <cvename>CVE-2016-5437</cvename> 8933 <cvename>CVE-2016-3424</cvename> 8934 <cvename>CVE-2016-5439</cvename> 8935 <cvename>CVE-2016-5440</cvename> 8936 <cvename>CVE-2016-5441</cvename> 8937 <cvename>CVE-2016-5442</cvename> 8938 <cvename>CVE-2016-5443</cvename> 8939 <cvename>CVE-2016-5444</cvename> 8940 <cvename>CVE-2016-3452</cvename> 8941 </references> 8942 <dates> 8943 <discovery>2016-07-20</discovery> 8944 <entry>2016-07-21</entry> 8945 <modified>2016-08-08</modified> 8946 </dates> 8947 </vuln> 8948 8949 <vuln vid="3caf4e6c-4cef-11e6-a15f-00248c0c745d"> 8950 <topic>typo3 -- Missing access check in Extbase</topic> 8951 <affects> 8952 <package> 8953 <name>typo3</name> 8954 <range><lt>7.6.8</lt></range> 8955 </package> 8956 <package> 8957 <name>typo3-lts</name> 8958 <range><lt>6.2.24</lt></range> 8959 </package> 8960 </affects> 8961 <description> 8962 <body xmlns="http://www.w3.org/1999/xhtml"> 8963 <p>TYPO3 reports:</p> 8964 <blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/"> 8965 <p>Extbase request handling fails to implement a proper access check for 8966 requested controller/ action combinations, which makes it possible for an 8967 attacker to execute arbitrary Extbase actions by crafting a special request. To 8968 successfully exploit this vulnerability, an attacker must have access to at 8969 least one Extbase plugin or module action in a TYPO3 installation. 
The missing 8970 access check inevitably leads to information disclosure or remote code 8971 execution, depending on the action that an attacker is able to execute.</p> 8972 </blockquote> 8973 </body> 8974 </description> 8975 <references> 8976 <cvename>CVE-2016-5091</cvename> 8977 <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/</url> 8978 <url>https://wiki.typo3.org/TYPO3_CMS_7.6.8</url> 8979 <url>https://wiki.typo3.org/TYPO3_CMS_6.2.24</url> 8980 </references> 8981 <dates> 8982 <discovery>2016-05-24</discovery> 8983 <entry>2016-07-18</entry> 8984 </dates> 8985 </vuln> 8986 8987 <vuln vid="cf0b5668-4d1b-11e6-b2ec-b499baebfeaf"> 8988 <cancelled/> 8989 </vuln> 8990 8991 <vuln vid="00cb1469-4afc-11e6-97ea-002590263bf5"> 8992 <topic>atutor -- multiple vulnerabilities</topic> 8993 <affects> 8994 <package> 8995 <name>atutor</name> 8996 <range><lt>2.2.2</lt></range> 8997 </package> 8998 </affects> 8999 <description> 9000 <body xmlns="http://www.w3.org/1999/xhtml"> 9001 <p>ATutor reports:</p> 9002 <blockquote cite="https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2"> 9003 <p>Security Fixes: Added a new layer of security over all php 9004 superglobals, fixed several XSS, CSRF, and SQL injection 9005 vulnerabilities.</p> 9006 </blockquote> 9007 </body> 9008 </description> 9009 <references> 9010 <url>https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2</url> 9011 </references> 9012 <dates> 9013 <discovery>2016-07-01</discovery> 9014 <entry>2016-07-16</entry> 9015 </dates> 9016 </vuln> 9017 9018 <vuln vid="ffa8ca79-4afb-11e6-97ea-002590263bf5"> 9019 <topic>atutor -- multiple vulnerabilities</topic> 9020 <affects> 9021 <package> 9022 <name>atutor</name> 9023 <range><lt>2.2.1</lt></range> 9024 </package> 9025 </affects> 9026 <description> 9027 <body xmlns="http://www.w3.org/1999/xhtml"> 9028 <p>ATutor reports:</p> 9029 <blockquote cite="https://github.com/atutor/ATutor/releases/tag/atutor_2_2_1"> 9030 <p>Security Fixes: A 
number of minor XSS vulnerabilities discovered in 9031 the previous version of ATutor have been corrected.</p> 9032 </blockquote> 9033 </body> 9034 </description> 9035 <references> 9036 <url>https://github.com/atutor/ATutor/releases/tag/atutor_2_2_1</url> 9037 </references> 9038 <dates> 9039 <discovery>2016-01-30</discovery> 9040 <entry>2016-07-16</entry> 9041 </dates> 9042 </vuln> 9043 9044 <vuln vid="a522d6ac-4aed-11e6-97ea-002590263bf5"> 9045 <topic>flash -- multiple vulnerabilities</topic> 9046 <affects> 9047 <package> 9048 <name>linux-c6-flashplugin</name> 9049 <name>linux-c6_64-flashplugin</name> 9050 <name>linux-f10-flashplugin</name> 9051 <range><lt>11.2r202.632</lt></range> 9052 </package> 9053 </affects> 9054 <description> 9055 <body xmlns="http://www.w3.org/1999/xhtml"> 9056 <p>Adobe reports:</p> 9057 <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-25.htmL"> 9058 <p>These updates resolve a race condition vulnerability that could 9059 lead to information disclosure (CVE-2016-4247).</p> 9060 <p>These updates resolve type confusion vulnerabilities that could 9061 lead to code execution (CVE-2016-4223, CVE-2016-4224, 9062 CVE-2016-4225).</p> 9063 <p>These updates resolve use-after-free vulnerabilities that could 9064 lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222, 9065 CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, 9066 CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).</p> 9067 <p>These updates resolve a heap buffer overflow vulnerability that 9068 could lead to code execution (CVE-2016-4249).</p> 9069 <p>These updates resolve memory corruption vulnerabilities that could 9070 lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179, 9071 CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, 9072 CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, 9073 CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, 9074 CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, 
CVE-2016-4221, 9075 CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, 9076 CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, 9077 CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, 9078 CVE-2016-4245, CVE-2016-4246).</p> 9079 <p>These updates resolve a memory leak vulnerability (CVE-2016-4232). 9080 </p> 9081 <p>These updates resolve stack corruption vulnerabilities that could 9082 lead to code execution (CVE-2016-4176, CVE-2016-4177).</p> 9083 <p>These updates resolve a security bypass vulnerability that could 9084 lead to information disclosure (CVE-2016-4178).</p> 9085 </blockquote> 9086 </body> 9087 </description> 9088 <references> 9089 <cvename>CVE-2016-4172</cvename> 9090 <cvename>CVE-2016-4173</cvename> 9091 <cvename>CVE-2016-4174</cvename> 9092 <cvename>CVE-2016-4175</cvename> 9093 <cvename>CVE-2016-4176</cvename> 9094 <cvename>CVE-2016-4177</cvename> 9095 <cvename>CVE-2016-4178</cvename> 9096 <cvename>CVE-2016-4179</cvename> 9097 <cvename>CVE-2016-4180</cvename> 9098 <cvename>CVE-2016-4181</cvename> 9099 <cvename>CVE-2016-4182</cvename> 9100 <cvename>CVE-2016-4183</cvename> 9101 <cvename>CVE-2016-4184</cvename> 9102 <cvename>CVE-2016-4185</cvename> 9103 <cvename>CVE-2016-4186</cvename> 9104 <cvename>CVE-2016-4187</cvename> 9105 <cvename>CVE-2016-4188</cvename> 9106 <cvename>CVE-2016-4189</cvename> 9107 <cvename>CVE-2016-4190</cvename> 9108 <cvename>CVE-2016-4217</cvename> 9109 <cvename>CVE-2016-4218</cvename> 9110 <cvename>CVE-2016-4219</cvename> 9111 <cvename>CVE-2016-4220</cvename> 9112 <cvename>CVE-2016-4221</cvename> 9113 <cvename>CVE-2016-4222</cvename> 9114 <cvename>CVE-2016-4223</cvename> 9115 <cvename>CVE-2016-4224</cvename> 9116 <cvename>CVE-2016-4225</cvename> 9117 <cvename>CVE-2016-4226</cvename> 9118 <cvename>CVE-2016-4227</cvename> 9119 <cvename>CVE-2016-4228</cvename> 9120 <cvename>CVE-2016-4229</cvename> 9121 <cvename>CVE-2016-4230</cvename> 9122 <cvename>CVE-2016-4231</cvename> 9123 
<cvename>CVE-2016-4232</cvename> 9124 <cvename>CVE-2016-4233</cvename> 9125 <cvename>CVE-2016-4234</cvename> 9126 <cvename>CVE-2016-4235</cvename> 9127 <cvename>CVE-2016-4236</cvename> 9128 <cvename>CVE-2016-4237</cvename> 9129 <cvename>CVE-2016-4238</cvename> 9130 <cvename>CVE-2016-4239</cvename> 9131 <cvename>CVE-2016-4240</cvename> 9132 <cvename>CVE-2016-4241</cvename> 9133 <cvename>CVE-2016-4242</cvename> 9134 <cvename>CVE-2016-4243</cvename> 9135 <cvename>CVE-2016-4244</cvename> 9136 <cvename>CVE-2016-4245</cvename> 9137 <cvename>CVE-2016-4246</cvename> 9138 <cvename>CVE-2016-4247</cvename> 9139 <cvename>CVE-2016-4248</cvename> 9140 <cvename>CVE-2016-4249</cvename> 9141 <url>https://helpx.adobe.com/security/products/flash-player/apsb16-25.html</url> 9142 </references> 9143 <dates> 9144 <discovery>2016-07-12</discovery> 9145 <entry>2016-07-16</entry> 9146 </dates> 9147 </vuln> 9148 9149 <vuln vid="61b8c359-4aab-11e6-a7bd-14dae9d210b8"> 9150 <cancelled superseded="cbceeb49-3bc7-11e6-8e82-002590263bf5"/> 9151 </vuln> 9152 9153 <vuln vid="3159cd70-4aaa-11e6-a7bd-14dae9d210b8"> 9154 <topic>libreoffice -- use-after-free vulnerability</topic> 9155 <affects> 9156 <package> 9157 <name>libreoffice</name> 9158 <range><lt>5.1.4</lt></range> 9159 </package> 9160 </affects> 9161 <description> 9162 <body xmlns="http://www.w3.org/1999/xhtml"> 9163 <p>Talos reports:</p> 9164 <blockquote cite="http://www.talosintelligence.com/reports/TALOS-2016-0126/"> 9165 <p>An exploitable Use After Free vulnerability exists in the 9166 RTF parser LibreOffice. A specially crafted file can cause a use after 9167 free resulting in a possible arbitrary code execution. 
To exploit the 9168 vulnerability a malicious file needs to be opened by the user via 9169 vulnerable application.</p> 9170 </blockquote> 9171 </body> 9172 </description> 9173 <references> 9174 <url>http://www.talosintelligence.com/reports/TALOS-2016-0126/</url> 9175 <url>http://www.libreoffice.org/about-us/security/advisories/cve-2016-4324/</url> 9176 <cvename>CVE-2016-4324</cvename> 9177 </references> 9178 <dates> 9179 <discovery>2016-06-27</discovery> 9180 <entry>2016-07-15</entry> 9181 </dates> 9182 </vuln> 9183 9184 <vuln vid="c17fe91d-4aa6-11e6-a7bd-14dae9d210b8"> 9185 <cancelled/> 9186 </vuln> 9187 9188 <vuln vid="0ab66088-4aa5-11e6-a7bd-14dae9d210b8"> 9189 <topic>tiff -- buffer overflow</topic> 9190 <affects> 9191 <package> 9192 <name>tiff</name> 9193 <range><lt>4.0.6_2</lt></range> 9194 </package> 9195 <package> 9196 <name>linux-c6-tiff</name> 9197 <range><lt>3.9.4_2</lt></range> 9198 </package> 9199 <package> 9200 <name>linux-f10-tiff</name> 9201 <range><ge>*</ge></range> 9202 </package> 9203 </affects> 9204 <description> 9205 <body xmlns="http://www.w3.org/1999/xhtml"> 9206 <p>Mathias Svensson reports:</p> 9207 <blockquote cite="https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2"> 9208 <p>potential buffer write overrun in PixarLogDecode() on 9209 corrupted/unexpected images</p> 9210 </blockquote> 9211 </body> 9212 </description> 9213 <references> 9214 <url>https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2</url> 9215 <cvename>CVE-2016-5314</cvename> 9216 <cvename>CVE-2016-5320</cvename> 9217 <cvename>CVE-2016-5875</cvename> 9218 </references> 9219 <dates> 9220 <discovery>2016-06-28</discovery> 9221 <entry>2016-07-15</entry> 9222 <modified>2016-09-06</modified> 9223 </dates> 9224 </vuln> 9225 9226 <vuln vid="42ecf370-4aa4-11e6-a7bd-14dae9d210b8"> 9227 <cancelled/> 9228 </vuln> 9229 9230 <vuln vid="d706a3a3-4a7c-11e6-97f7-5453ed2e2b49"> 9231 <topic>p7zip -- out-of-bounds read vulnerability</topic> 
9232 <affects> 9233 <package> 9234 <name>p7zip</name> 9235 <range><lt>15.14_1</lt></range> 9236 </package> 9237 </affects> 9238 <description> 9239 <body xmlns="http://www.w3.org/1999/xhtml"> 9240 <p>Cisco Talos reports:</p> 9241 <blockquote cite="http://www.talosintelligence.com/reports/TALOS-2016-0094/"> 9242 <p>An out-of-bounds read vulnerability exists in the way 7-Zip 9243 handles Universal Disk Format (UDF) files.</p> 9244 <p>Central to 7-Zip’s processing of UDF files is the 9245 CInArchive::ReadFileItem method. Because volumes can have more than 9246 one partition map, their objects are kept in an object vector. To 9247 start looking for an item, this method tries to reference the proper 9248 object using the partition map’s object vector and the "PartitionRef" 9249 field from the Long Allocation Descriptor. Lack of checking whether 9250 the "PartitionRef" field is bigger than the available amount of 9251 partition map objects causes a read out-of-bounds and can lead, in 9252 some circumstances, to arbitrary code execution.</p> 9253 </blockquote> 9254 </body> 9255 </description> 9256 <references> 9257 <cvename>CVE-2016-2335</cvename> 9258 <url>http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html</url> 9259 </references> 9260 <dates> 9261 <discovery>2016-05-11</discovery> 9262 <entry>2016-07-15</entry> 9263 </dates> 9264 </vuln> 9265 9266 <vuln vid="a9bcaf57-4a7b-11e6-97f7-5453ed2e2b49"> 9267 <topic>p7zip -- heap overflow vulnerability</topic> 9268 <affects> 9269 <package> 9270 <name>p7zip</name> 9271 <range><lt>15.14_1</lt></range> 9272 </package> 9273 </affects> 9274 <description> 9275 <body xmlns="http://www.w3.org/1999/xhtml"> 9276 <p>Cisco Talos reports:</p> 9277 <blockquote cite="http://www.talosintelligence.com/reports/TALOS-2016-0093/"> 9278 <p>An exploitable heap overflow vulnerability exists in the 9279 NArchive::NHfs::CHandler::ExtractZlibFile method functionality of 9280 7zip that can lead to arbitrary code execution.</p> 9281 
</blockquote> 9282 </body> 9283 </description> 9284 <references> 9285 <cvename>CVE-2016-2334</cvename> 9286 <url>http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html</url> 9287 </references> 9288 <dates> 9289 <discovery>2016-05-11</discovery> 9290 <entry>2016-07-15</entry> 9291 </dates> 9292 </vuln> 9293 9294 <vuln vid="4729c849-4897-11e6-b704-000c292e4fd8"> 9295 <topic>samba -- client side SMB2/3 required signing can be downgraded</topic> 9296 <affects> 9297 <package> 9298 <name>samba4</name> 9299 <range><ge>4.0.0</ge><le>4.0.26</le></range> 9300 </package> 9301 <package> 9302 <name>samba41</name> 9303 <range><ge>4.1.0</ge><le>4.1.23</le></range> 9304 </package> 9305 <package> 9306 <name>samba42</name> 9307 <range><ge>4.2.0</ge><lt>4.2.14</lt></range> 9308 </package> 9309 <package> 9310 <name>samba43</name> 9311 <range><ge>4.3.0</ge><lt>4.3.11</lt></range> 9312 </package> 9313 <package> 9314 <name>samba44</name> 9315 <range><ge>4.4.0</ge><lt>4.4.5</lt></range> 9316 </package> 9317 </affects> 9318 <description> 9319 <body xmlns="http://www.w3.org/1999/xhtml"> 9320 <p>Samba team reports:</p> 9321 <blockquote cite="https://www.samba.org/samba/security/CVE-2016-2119.html"> 9322 <p>A man in the middle attack can disable client signing over 9323 SMB2/3, even if enforced by configuration parameters.</p> 9324 </blockquote> 9325 </body> 9326 </description> 9327 <references> 9328 <cvename>CVE-2016-2119</cvename> 9329 <url>https://www.samba.org/samba/security/CVE-2016-2119.html</url> 9330 </references> 9331 <dates> 9332 <discovery>2016-07-07</discovery> 9333 <entry>2016-07-13</entry> 9334 </dates> 9335 </vuln> 9336 9337 <vuln vid="3fcd52b2-4510-11e6-a15f-00248c0c745d"> 9338 <topic>ruby-saml -- XML signature wrapping attack</topic> 9339 <affects> 9340 <package> 9341 <name>rubygem-ruby-saml</name> 9342 <range><lt>1.3.0</lt></range> 9343 </package> 9344 </affects> 9345 <description> 9346 <body xmlns="http://www.w3.org/1999/xhtml"> 9347 <p>RubySec reports:</p> 
9348 <blockquote cite="http://rubysec.com/advisories/CVE-2016-5697/"> 9349 <p>ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack 9350 in the specific scenario where there was a signature that referenced at the same 9351 time 2 elements (but past the scheme validator process since 1 of the element was 9352 inside the encrypted assertion).</p> 9353 <p>ruby-saml users must update to 1.3.0, which implements 3 extra validations to 9354 mitigate this kind of attack.</p> 9355 </blockquote> 9356 </body> 9357 </description> 9358 <references> 9359 <cvename>CVE-2016-5697</cvename> 9360 <url>http://rubysec.com/advisories/CVE-2016-5697/</url> 9361 <url>https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995</url> 9362 </references> 9363 <dates> 9364 <discovery>2016-06-24</discovery> 9365 <entry>2016-07-08</entry> 9366 </dates> 9367 </vuln> 9368 9369 <vuln vid="7d64d00c-43e3-11e6-ab34-002590263bf5"> 9370 <topic>quassel -- remote denial of service</topic> 9371 <affects> 9372 <package> 9373 <name>quassel</name> 9374 <range><lt>0.12.4</lt></range> 9375 </package> 9376 </affects> 9377 <description> 9378 <body xmlns="http://www.w3.org/1999/xhtml"> 9379 <p>Mitre reports:</p> 9380 <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4414"> 9381 <p>The onReadyRead function in core/coreauthhandler.cpp in Quassel 9382 before 0.12.4 allows remote attackers to cause a denial of service 9383 (NULL pointer dereference and crash) via invalid handshake data.</p> 9384 </blockquote> 9385 </body> 9386 </description> 9387 <references> 9388 <cvename>CVE-2016-4414</cvename> 9389 <url>http://quassel-irc.org/node/129</url> 9390 <url>https://github.com/quassel/quassel/commit/e678873</url> 9391 <url>http://www.openwall.com/lists/oss-security/2016/04/30/2</url> 9392 <url>http://www.openwall.com/lists/oss-security/2016/04/30/4</url> 9393 </references> 9394 <dates> 9395 <discovery>2016-04-24</discovery> 9396 
<entry>2016-07-07</entry> 9397 </dates> 9398 </vuln> 9399 9400 <vuln vid="e9d1e040-42c9-11e6-9608-20cf30e32f6d"> 9401 <topic>apache24 -- X509 Client certificate based authentication can be bypassed when HTTP/2 is used</topic> 9402 <affects> 9403 <package> 9404 <name>apache24</name> 9405 <range><ge>2.4.18</ge><lt>2.4.23</lt></range> 9406 </package> 9407 </affects> 9408 <description> 9409 <body xmlns="http://www.w3.org/1999/xhtml"> 9410 <p>Apache Software Foundation reports:</p> 9411 <blockquote cite="INSERT URL HERE"> 9412 <p>The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate a X509 9413 client certificate correctly when experimental module for the HTTP/2 9414 protocol is used to access a resource.</p> 9415 <p>The net result is that a resource that should require a valid client 9416 certificate in order to get access can be accessed without that credential.</p> 9417 </blockquote> 9418 </body> 9419 </description> 9420 <references> 9421 <cvename>CVE-2016-4979</cvename> 9422 <url>http://mail-archives.apache.org/mod_mbox/httpd-announce/201607.mbox/CVE-2016-4979-68283</url> 9423 </references> 9424 <dates> 9425 <discovery>2016-07-01</discovery> 9426 <entry>2016-07-05</entry> 9427 </dates> 9428 </vuln> 9429 9430 <vuln vid="e800cd4b-4212-11e6-942d-bc5ff45d0f28"> 9431 <topic>xen-tools -- Unrestricted qemu logging</topic> 9432 <affects> 9433 <package> 9434 <name>xen-tools</name> 9435 <range><lt>4.7.0_2</lt></range> 9436 </package> 9437 </affects> 9438 <description> 9439 <body xmlns="http://www.w3.org/1999/xhtml"> 9440 <p>The Xen Project reports:</p> 9441 <blockquote cite="http://xenbits.xen.org/xsa/advisory-180.html"> 9442 <p>When the libxl toolstack launches qemu for HVM guests, it pipes the 9443 output of stderr to a file in /var/log/xen. This output is not 9444 rate-limited in any way. The guest can easily cause qemu to print 9445 messages to stderr, causing this file to become arbitrarily large. 
9446 </p> 9447 <p>The disk containing the logfile can be exhausted, possibly causing a 9448 denial-of-service (DoS).</p> 9449 </blockquote> 9450 </body> 9451 </description> 9452 <references> 9453 <cvename>CVE-2014-3672</cvename> 9454 <url>http://xenbits.xen.org/xsa/advisory-180.html</url> 9455 </references> 9456 <dates> 9457 <discovery>2016-05-23</discovery> 9458 <entry>2016-07-04</entry> 9459 </dates> 9460 </vuln> 9461 9462 <vuln vid="e6ce6f50-4212-11e6-942d-bc5ff45d0f28"> 9463 <topic>xen-tools -- QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks</topic> 9464 <affects> 9465 <package> 9466 <name>xen-tools</name> 9467 <range><lt>4.7.0_2</lt></range> 9468 </package> 9469 </affects> 9470 <description> 9471 <body xmlns="http://www.w3.org/1999/xhtml"> 9472 <p>The Xen Project reports:</p> 9473 <blockquote cite="http://xenbits.xen.org/xsa/advisory-179.html"> 9474 <p>Qemu VGA module allows banked access to video memory using the 9475 window at 0xa00000 and it supports different access modes with 9476 different address calculations.</p> 9477 <p>Qemu VGA module allows guest to edit certain registers in 'vbe' 9478 and 'vga' modes.</p> 9479 <p>A privileged guest user could use CVE-2016-3710 to exceed the bank 9480 address window and write beyond the said memory area, potentially 9481 leading to arbitrary code execution with privileges of the Qemu 9482 process. If the system is not using stubdomains, this will be in 9483 domain 0.</p> 9484 <p>A privileged guest user could use CVE-2016-3712 to cause potential 9485 integer overflow or OOB read access issues in Qemu, resulting in a DoS 9486 of the guest itself. 
More dangerous effect, such as data leakage or 9487 code execution, are not known but cannot be ruled out.</p> 9488 </blockquote> 9489 </body> 9490 </description> 9491 <references> 9492 <cvename>CVE-2016-3710</cvename> 9493 <cvename>CVE-2016-3712</cvename> 9494 <url>http://xenbits.xen.org/xsa/advisory-179.html</url> 9495 </references> 9496 <dates> 9497 <discovery>2016-05-09</discovery> 9498 <entry>2016-07-04</entry> 9499 </dates> 9500 </vuln> 9501 9502 <vuln vid="e589ae90-4212-11e6-942d-bc5ff45d0f28"> 9503 <topic>xen-tools -- Unsanitised driver domain input in libxl device handling</topic> 9504 <affects> 9505 <package> 9506 <name>xen-tools</name> 9507 <range><lt>4.7.0_1</lt></range> 9508 </package> 9509 </affects> 9510 <description> 9511 <body xmlns="http://www.w3.org/1999/xhtml"> 9512 <p>The Xen Project reports:</p> 9513 <blockquote cite="http://xenbits.xen.org/xsa/advisory-178.html"> 9514 <p>libxl's device-handling code freely uses and trusts information 9515 from the backend directories in xenstore.</p> 9516 <p>A malicious driver domain can deny service to management tools.</p> 9517 </blockquote> 9518 </body> 9519 </description> 9520 <references> 9521 <cvename>CVE-2016-4963</cvename> 9522 <url>http://xenbits.xen.org/xsa/advisory-178.html</url> 9523 </references> 9524 <dates> 9525 <discovery>2016-06-02</discovery> 9526 <entry>2016-07-04</entry> 9527 </dates> 9528 </vuln> 9529 9530 <vuln vid="e43b210a-4212-11e6-942d-bc5ff45d0f28"> 9531 <topic>xen-kernel -- x86 software guest page walk PS bit handling flaw</topic> 9532 <affects> 9533 <package> 9534 <name>xen-kernel</name> 9535 <range><lt>4.7.0</lt></range> 9536 </package> 9537 </affects> 9538 <description> 9539 <body xmlns="http://www.w3.org/1999/xhtml"> 9540 <p>The Xen Project reports:</p> 9541 <blockquote cite="http://xenbits.xen.org/xsa/advisory-176.html"> 9542 <p>The Page Size (PS) page table entry bit exists at all page table 9543 levels other than L1. 
Its meaning is reserved in L4, and 9544 conditionally reserved in L3 and L2 (depending on hardware 9545 capabilities). The software page table walker in the hypervisor, 9546 however, so far ignored that bit in L4 and (on respective hardware) 9547 L3 entries, resulting in pages to be treated as page tables which 9548 the guest OS may not have designated as such. If the page in 9549 question is writable by an unprivileged user, then that user will 9550 be able to map arbitrary guest memory.</p> 9551 <p>On vulnerable OSes, guest user mode code may be able to establish 9552 mappings of arbitrary memory inside the guest, allowing it to 9553 elevate its privileges inside the guest.</p> 9554 </blockquote> 9555 </body> 9556 </description> 9557 <references> 9558 <cvename>CVE-2016-4480</cvename> 9559 <url>http://xenbits.xen.org/xsa/advisory-176.html</url> 9560 </references> 9561 <dates> 9562 <discovery>2016-05-17</discovery> 9563 <entry>2016-07-04</entry> 9564 </dates> 9565 </vuln> 9566 9567 <vuln vid="e2fca11b-4212-11e6-942d-bc5ff45d0f28"> 9568 <topic>xen-tools -- Unsanitised guest input in libxl device handling code</topic> 9569 <affects> 9570 <package> 9571 <name>xen-tools</name> 9572 <range><lt>4.7.0_1</lt></range> 9573 </package> 9574 </affects> 9575 <description> 9576 <body xmlns="http://www.w3.org/1999/xhtml"> 9577 <p>The Xen Project reports:</p> 9578 <blockquote cite="http://xenbits.xen.org/xsa/advisory-175.html"> 9579 <p>Various parts of libxl device-handling code inappropriately use 9580 information from (partially) guest controlled areas of xenstore.</p> 9581 <p>A malicious guest administrator can cause denial of service by 9582 resource exhaustion.</p> 9583 <p>A malicious guest administrator can confuse and/or deny service to 9584 management facilities.</p> 9585 <p>A malicious guest administrator of a guest configured with channel 9586 devices may be able to escalate their privilege to that of the 9587 backend domain (i.e., normally, to that of the host).</p> 
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-4962</cvename>
      <url>http://xenbits.xen.org/xsa/advisory-175.html</url>
    </references>
    <dates>
      <discovery>2016-06-02</discovery>
      <entry>2016-07-04</entry>
    </dates>
  </vuln>

  <vuln vid="d51ced72-4212-11e6-942d-bc5ff45d0f28">
    <topic>xen-kernel -- x86 shadow pagetables: address width overflow</topic>
    <affects>
      <package>
	<name>xen-kernel</name>
	<range><ge>3.4</ge><lt>4.7.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The Xen Project reports:</p>
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-173.html">
	  <p>In the x86 shadow pagetable code, the guest frame number of a
	  superpage mapping is stored in a 32-bit field. If a shadowed guest
	  can cause a superpage mapping of a guest-physical address at or
	  above 2^44 to be shadowed, the top bits of the address will be lost,
	  causing an assertion failure or NULL dereference later on, in code
	  that removes the shadow.</p>
	  <p>A HVM guest using shadow pagetables can cause the host to crash.</p>
	  <p>A PV guest using shadow pagetables (i.e.
being migrated) with PV
	  superpages enabled (which is not the default) can crash the host, or
	  corrupt hypervisor memory, and so a privilege escalation cannot be
	  ruled out.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-3960</cvename>
      <url>http://xenbits.xen.org/xsa/advisory-173.html</url>
    </references>
    <dates>
      <discovery>2016-04-18</discovery>
      <entry>2016-07-04</entry>
    </dates>
  </vuln>

  <vuln vid="313e9557-41e8-11e6-ab34-002590263bf5">
    <topic>wireshark -- multiple vulnerabilities</topic>
    <affects>
      <package>
	<name>wireshark</name>
	<name>wireshark-lite</name>
	<name>wireshark-qt5</name>
	<name>tshark</name>
	<name>tshark-lite</name>
	<range><lt>2.0.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Wireshark development team reports:</p>
	<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.4.html">
	  <p>The following vulnerabilities have been fixed:</p>
	  <ul>
	    <li><p>wnpa-sec-2016-29</p>
	    <p>The SPOOLS dissector could go into an infinite loop. Discovered
	    by the CESG.</p></li>
	    <li><p>wnpa-sec-2016-30</p>
	    <p>The IEEE 802.11 dissector could crash. (Bug 11585)</p></li>
	    <li><p>wnpa-sec-2016-31</p>
	    <p>The IEEE 802.11 dissector could crash. Discovered by Mateusz
	    Jurczyk. (Bug 12175)</p></li>
	    <li><p>wnpa-sec-2016-32</p>
	    <p>The UMTS FP dissector could crash. (Bug 12191)</p></li>
	    <li><p>wnpa-sec-2016-33</p>
	    <p>Some USB dissectors could crash. Discovered by Mateusz
	    Jurczyk. (Bug 12356)</p></li>
	    <li><p>wnpa-sec-2016-34</p>
	    <p>The Toshiba file parser could crash. Discovered by iDefense
	    Labs. (Bug 12394)</p></li>
	    <li><p>wnpa-sec-2016-35</p>
	    <p>The CoSine file parser could crash. Discovered by iDefense
	    Labs.
(Bug 12395)</p></li>
	    <li><p>wnpa-sec-2016-36</p>
	    <p>The NetScreen file parser could crash. Discovered by iDefense
	    Labs. (Bug 12396)</p></li>
	    <li><p>wnpa-sec-2016-37</p>
	    <p>The Ethernet dissector could crash. (Bug 12440)</p></li>
	  </ul>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-5350</cvename>
      <cvename>CVE-2016-5351</cvename>
      <cvename>CVE-2016-5352</cvename>
      <cvename>CVE-2016-5353</cvename>
      <cvename>CVE-2016-5354</cvename>
      <cvename>CVE-2016-5355</cvename>
      <cvename>CVE-2016-5356</cvename>
      <cvename>CVE-2016-5357</cvename>
      <cvename>CVE-2016-5358</cvename>
      <url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.4.html</url>
      <url>http://www.openwall.com/lists/oss-security/2016/06/09/4</url>
    </references>
    <dates>
      <discovery>2016-06-07</discovery>
      <entry>2016-07-04</entry>
    </dates>
  </vuln>

  <vuln vid="8656cf5f-4170-11e6-8dfe-002590263bf5">
    <topic>moodle -- multiple vulnerabilities</topic>
    <affects>
      <package>
	<name>moodle28</name>
	<range><lt>2.8.12</lt></range>
      </package>
      <package>
	<name>moodle29</name>
	<range><lt>2.9.6</lt></range>
      </package>
      <package>
	<name>moodle30</name>
	<range><lt>3.0.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Marina Glancy reports:</p>
	<blockquote cite="https://moodle.org/security/">
	  <ul>
	    <li><p>MSA-16-0013: Users are able to change profile fields that
	    were locked by the administrator.</p></li>
	    <li><p>MSA-16-0015: Information disclosure of hidden forum names
	    and sub-names.</p></li>
	    <li><p>MSA-16-0016: User can view badges of other users without
	    proper permissions.</p></li>
	    <li><p>MSA-16-0017: Course idnumber not protected from teacher
	    restore.</p></li>
	    <li><p>MSA-16-0018: CSRF in script
marking forum posts as read.</p>
	    </li>
	  </ul>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-3729</cvename>
      <cvename>CVE-2016-3731</cvename>
      <cvename>CVE-2016-3732</cvename>
      <cvename>CVE-2016-3733</cvename>
      <cvename>CVE-2016-3734</cvename>
      <url>https://moodle.org/security/</url>
    </references>
    <dates>
      <discovery>2016-05-18</discovery>
      <entry>2016-07-03</entry>
    </dates>
  </vuln>

  <vuln vid="ad9b77f6-4163-11e6-b05b-14dae9d210b8">
    <topic>icingaweb2 -- remote code execution</topic>
    <affects>
      <package>
	<name>icingaweb2</name>
	<range><lt>2.3.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Eric Lippmann reports:</p>
	<blockquote cite="https://www.icinga.org/2016/06/23/icinga-web-2-v2-3-4-v2-2-2-and-v2-1-4-releases/">
	  <p>Possibility of remote code execution via the remote command
	  transport.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://www.icinga.org/2016/06/23/icinga-web-2-v2-3-4-v2-2-2-and-v2-1-4-releases/</url>
    </references>
    <dates>
      <discovery>2016-06-23</discovery>
      <entry>2016-07-03</entry>
    </dates>
  </vuln>

  <vuln vid="a5c204b5-4153-11e6-8dfe-002590263bf5">
    <topic>hive -- authorization logic vulnerability</topic>
    <affects>
      <package>
	<name>hive</name>
	<range><lt>2.0.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Sushanth Sowmyan reports:</p>
	<blockquote cite="http://mail-archives.apache.org/mod_mbox/hive-user/201601.mbox/%3C20160128205008.2154F185EB%40minotaur.apache.org%3E">
	  <p>Some partition-level operations exist that do not explicitly also
	  authorize privileges of the parent table.
This can lead to issues when
	  the parent table would have denied the operation, but no denial occurs
	  because the partition-level privilege is not checked by the
	  authorization framework, which defines authorization entities only
	  from the table level upwards.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-7521</cvename>
      <url>http://mail-archives.apache.org/mod_mbox/hive-user/201601.mbox/%3C20160128205008.2154F185EB%40minotaur.apache.org%3E</url>
    </references>
    <dates>
      <discovery>2016-01-28</discovery>
      <entry>2016-07-03</entry>
    </dates>
  </vuln>

  <vuln vid="546deeea-3fc6-11e6-a671-60a44ce6887b">
    <topic>SQLite3 -- Tempdir Selection Vulnerability</topic>
    <affects>
      <package>
	<name>sqlite3</name>
	<range><lt>3.13.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>KoreLogic security reports:</p>
	<blockquote cite="https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt">
	  <p>Affected versions of SQLite reject potential tempdir locations if
	  they are not readable, falling back to '.'. Thus, SQLite will favor
	  e.g. using cwd for tempfiles on such a system, even if cwd is an
	  unsafe location.
Notably, SQLite also checks the permissions of
	  '.', but ignores the results of that check.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-6153</cvename>
      <freebsdpr>ports/209827</freebsdpr>
      <url>https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt</url>
      <url>http://openwall.com/lists/oss-security/2016/07/01/2</url>
      <url>http://www.sqlite.org/cgi/src/info/67985761aa93fb61</url>
      <url>http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3</url>
      <url>http://www.sqlite.org/cgi/src/info/614bb709d34e1148</url>
    </references>
    <dates>
      <discovery>2016-07-01</discovery>
      <entry>2016-07-03</entry>
    </dates>
  </vuln>

  <vuln vid="8d5368ef-40fe-11e6-b2ec-b499baebfeaf">
    <topic>Python -- smtplib StartTLS stripping vulnerability</topic>
    <affects>
      <package>
	<name>python27</name>
	<range><lt>2.7.12</lt></range>
      </package>
      <package>
	<name>python33</name>
	<range><gt>0</gt></range>
      </package>
      <package>
	<name>python34</name>
	<range><lt>3.4.5</lt></range>
      </package>
      <package>
	<name>python35</name>
	<range><lt>3.5.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Red Hat reports:</p>
	<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772">
	  <p>A vulnerability in smtplib allowing a MITM attacker to perform a
	  startTLS stripping attack. smtplib does not seem to raise an exception
	  when the remote end (smtp server) is capable of negotiating starttls but
	  fails to respond with 220 (ok) to an explicit call of SMTP.starttls().
	  This may allow a malicious MITM to perform a startTLS stripping attack
	  if the client code does not explicitly check the response code for startTLS.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772</url>
      <cvename>CVE-2016-0772</cvename>
    </references>
    <dates>
      <discovery>2016-06-14</discovery>
      <entry>2016-07-03</entry>
    </dates>
  </vuln>

  <vuln vid="e7028e1d-3f9b-11e6-81f9-6805ca0b3d42">
    <topic>phpMyAdmin -- multiple vulnerabilities</topic>
    <affects>
      <package>
	<name>phpmyadmin</name>
	<range><ge>4.6.0</ge><lt>4.6.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Please reference CVE/URL list for details</p>
      </body>
    </description>
    <references>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-17/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-18/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-19/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-20/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-21/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-22/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-23/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-24/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-25/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-26/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-27/</url>
      <url>https://www.phpmyadmin.net/security/PMASA-2016-28/</url>
      <cvename>CVE-2016-5701</cvename>
      <cvename>CVE-2016-5702</cvename>
      <cvename>CVE-2016-5703</cvename>
      <cvename>CVE-2016-5704</cvename>
      <cvename>CVE-2016-5705</cvename>
      <cvename>CVE-2016-5706</cvename>
      <cvename>CVE-2016-5730</cvename>
      <cvename>CVE-2016-5731</cvename>
      <cvename>CVE-2016-5732</cvename>
      <cvename>CVE-2016-5733</cvename>
      <cvename>CVE-2016-5734</cvename>
      <cvename>CVE-2016-5739</cvename>
    </references>
    <dates>
      <discovery>2016-06-23</discovery>
      <entry>2016-07-01</entry>
    </dates>
  </vuln>

  <vuln vid="f1c219ba-3f14-11e6-b3c8-14dae9d210b8">
    <topic>haproxy -- denial of service</topic>
    <affects>
      <package>
	<name>haproxy</name>
	<range><ge>1.6.0</ge><lt>1.6.5_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>HAproxy reports:</p>
	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/06/09/5">
	  <p>HAproxy 1.6.x before 1.6.6, when a deny comes from a
	  reqdeny rule, allows remote attackers to cause a denial of service
	  (uninitialized memory access and crash) or possibly have unspecified
	  other impact via unknown vectors.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://www.openwall.com/lists/oss-security/2016/06/09/5</url>
      <cvename>CVE-2016-5360</cvename>
    </references>
    <dates>
      <discovery>2016-06-09</discovery>
      <entry>2016-06-30</entry>
    </dates>
  </vuln>

  <vuln vid="093584f2-3f14-11e6-b3c8-14dae9d210b8">
    <topic>libtorrent-rasterbar -- denial of service</topic>
    <affects>
      <package>
	<name>libtorrent-rasterbar</name>
	<range><lt>1.1.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Brandon Perry reports:</p>
	<blockquote cite="https://github.com/arvidn/libtorrent/issues/780">
	  <p>The parse_chunk_header function in libtorrent before 1.1.1
	  allows remote attackers to cause a denial of service (crash) via a
	  crafted (1) HTTP response or possibly a (2) UPnP broadcast.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://github.com/arvidn/libtorrent/issues/780</url>
      <cvename>CVE-2016-5301</cvename>
    </references>
    <dates>
      <discovery>2016-06-03</discovery>
      <entry>2016-06-30</entry>
    </dates>
  </vuln>

  <vuln vid="ff76f0e0-3f11-11e6-b3c8-14dae9d210b8">
    <topic>expat2 -- denial of service</topic>
    <affects>
      <package>
	<name>expat</name>
	<range><lt>2.1.1_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Adam Maris reports:</p>
	<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=1344251">
	  <p>It was found that the original patch for issues CVE-2015-1283
	  and CVE-2015-2716 used overflow checks that could be optimized out by
	  some compilers applying certain optimization settings, which can cause
	  the vulnerability to remain even after applying the patch.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://bugzilla.redhat.com/show_bug.cgi?id=1344251</url>
      <cvename>CVE-2016-4472</cvename>
    </references>
    <dates>
      <discovery>2016-06-09</discovery>
      <entry>2016-06-30</entry>
      <modified>2016-11-30</modified>
    </dates>
  </vuln>

  <vuln vid="875e4cf8-3f0e-11e6-b3c8-14dae9d210b8">
    <topic>dnsmasq -- denial of service</topic>
    <affects>
      <package>
	<name>dnsmasq</name>
	<range><lt>2.76,1</lt></range>
      </package>
      <package>
	<name>dnsmasq-devel</name>
	<range><lt>2.76.0test1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p> reports:</p>
	<blockquote cite="http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html">
	  <p>Dnsmasq before 2.76 allows remote servers to cause a denial
	  of service (crash) via a reply with an empty DNS address that has an (1)
	  A
or (2) AAAA record defined locally.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html</url>
      <url>http://www.openwall.com/lists/oss-security/2016/06/03/7</url>
      <cvename>CVE-2015-8899</cvename>
    </references>
    <dates>
      <discovery>2016-04-18</discovery>
      <entry>2016-06-30</entry>
      <modified>2016-06-30</modified>
    </dates>
  </vuln>

  <vuln vid="a61374fc-3a4d-11e6-a671-60a44ce6887b">
    <topic>Python -- HTTP Header Injection in Python urllib</topic>
    <affects>
      <package>
	<name>python27</name>
	<range><lt>2.7.10</lt></range>
      </package>
      <package>
	<name>python33</name>
	<range><ge>0</ge></range>
      </package>
      <package>
	<name>python34</name>
	<range><lt>3.4.4</lt></range>
      </package>
      <package>
	<name>python35</name>
	<range><lt>3.5.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Guido Vranken reports:</p>
	<blockquote cite="https://bugs.python.org/issue22928">
	  <p>HTTP header injection in urllib2/urllib/httplib/http.client with
	  newlines in header values, where newlines have a semantic consequence of
	  denoting the start of an additional header line.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://bugs.python.org/issue22928</url>
      <url>http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html</url>
      <url>http://www.openwall.com/lists/oss-security/2016/06/14/7</url>
      <cvename>CVE-2016-5699</cvename>
    </references>
    <dates>
      <discovery>2014-11-24</discovery>
      <entry>2016-06-30</entry>
      <modified>2016-07-04</modified>
    </dates>
  </vuln>

  <vuln vid="0ca24682-3f03-11e6-b3c8-14dae9d210b8">
    <topic>openssl -- denial of service</topic>
    <affects>
      <package>
	<name>openssl</name>
	<range><lt>1.0.2_14</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Mitre reports:</p>
	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177">
	  <p>OpenSSL through 1.0.2h incorrectly uses pointer arithmetic
	  for heap-buffer boundary checks, which might allow remote attackers to
	  cause a denial of service (integer overflow and application crash) or
	  possibly have unspecified other impact by leveraging unexpected malloc
	  behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177</url>
      <url>https://bugzilla.redhat.com/show_bug.cgi?id=1341705</url>
      <url>https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/</url>
      <cvename>CVE-2016-2177</cvename>
    </references>
    <dates>
      <discovery>2016-06-01</discovery>
      <entry>2016-06-30</entry>
    </dates>
  </vuln>

  <vuln vid="cbceeb49-3bc7-11e6-8e82-002590263bf5">
    <topic>Apache Commons FileUpload -- denial of service (DoS) vulnerability</topic>
    <affects>
      <package>
	<name>tomcat7</name>
	<range><lt>7.0.70</lt></range>
      </package>
      <package>
	<name>tomcat8</name>
	<range><lt>8.0.36</lt></range>
      </package>
      <package>
	<name>apache-struts</name>
	<range><lt>2.5.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Mark Thomas reports:</p>
	<blockquote cite="http://mail-archives.apache.org/mod_mbox/tomcat-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832%40apache.org%3E">
	  <p>CVE-2016-3092 is a denial of service
vulnerability that has been
	  corrected in the Apache Commons FileUpload component. It occurred
	  when the length of the multipart boundary was just below the size of
	  the buffer (4096 bytes) used to read the uploaded file. This caused
	  the file upload process to take several orders of magnitude longer
	  than if the boundary length was the typical tens of bytes.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-3092</cvename>
      <freebsdpr>ports/209669</freebsdpr>
      <url>http://tomcat.apache.org/security-7.html</url>
      <url>http://tomcat.apache.org/security-8.html</url>
      <url>http://mail-archives.apache.org/mod_mbox/tomcat-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832%40apache.org%3E</url>
      <url>http://jvn.jp/en/jp/JVN89379547/index.html</url>
    </references>
    <dates>
      <discovery>2016-06-20</discovery>
      <entry>2016-06-26</entry>
      <modified>2017-08-10</modified>
    </dates>
  </vuln>

  <vuln vid="bfcc23b6-3b27-11e6-8e82-002590263bf5">
    <topic>wordpress -- multiple vulnerabilities</topic>
    <affects>
      <package>
	<name>wordpress</name>
	<range><lt>4.5.3,1</lt></range>
      </package>
      <package>
	<name>de-wordpress</name>
	<name>ja-wordpress</name>
	<name>ru-wordpress</name>
	<name>zh-wordpress-zh_CN</name>
	<name>zh-wordpress-zh_TW</name>
	<range><lt>4.5.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Adam Silverstein reports:</p>
	<blockquote cite="https://wordpress.org/news/2016/06/wordpress-4-5-3/">
	  <p>WordPress 4.5.3 is now available.
This is a security release for
	  all previous versions and we strongly encourage you to update your
	  sites immediately.</p>
	  <p>WordPress versions 4.5.2 and earlier are affected by several
	  security issues: redirect bypass in the customizer, reported by
	  Yassine Aboukir; two different XSS problems via attachment names,
	  reported by Jouko Pynnönen and Divyesh Prajapati; revision history
	  information disclosure, reported independently by John Blackbourn
	  from the WordPress security team and by Dan Moen from the Wordfence
	  Research Team; oEmbed denial of service reported by Jennifer Dodd
	  from Automattic; unauthorized category removal from a post, reported
	  by David Herrera from Alley Interactive; password change via stolen
	  cookie, reported by Michael Adams from the WordPress security team;
	  and some less secure sanitize_file_name edge cases reported by Peter
	  Westwood of the WordPress security team.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-5832</cvename>
      <cvename>CVE-2016-5833</cvename>
      <cvename>CVE-2016-5834</cvename>
      <cvename>CVE-2016-5835</cvename>
      <cvename>CVE-2016-5836</cvename>
      <cvename>CVE-2016-5837</cvename>
      <cvename>CVE-2016-5838</cvename>
      <cvename>CVE-2016-5839</cvename>
      <freebsdpr>ports/210480</freebsdpr>
      <freebsdpr>ports/210581</freebsdpr>
      <url>https://wordpress.org/news/2016/06/wordpress-4-5-3/</url>
      <url>http://www.openwall.com/lists/oss-security/2016/06/23/9</url>
    </references>
    <dates>
      <discovery>2016-06-18</discovery>
      <entry>2016-06-25</entry>
    </dates>
  </vuln>

  <vuln vid="66d77c58-3b1d-11e6-8e82-002590263bf5">
    <topic>php -- multiple vulnerabilities</topic>
    <affects>
      <package>
	<name>php55</name>
	<name>php55-gd</name>
	<name>php55-mbstring</name>
	<name>php55-wddx</name>
	<name>php55-zip</name>
	<range><lt>5.5.37</lt></range>
      </package>
      <package>
	<name>php56</name>
	<name>php56-gd</name>
	<name>php56-mbstring</name>
	<name>php56-phar</name>
	<name>php56-wddx</name>
	<name>php56-zip</name>
	<range><lt>5.6.23</lt></range>
      </package>
      <package>
	<name>php70</name>
	<name>php70-gd</name>
	<name>php70-mbstring</name>
	<name>php70-phar</name>
	<name>php70-wddx</name>
	<name>php70-zip</name>
	<range><lt>7.0.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The PHP Group reports:</p>
	<blockquote cite="http://php.net/ChangeLog-5.php#5.5.37">
	  <p>Please reference CVE/URL list for details</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-8874</cvename>
      <cvename>CVE-2016-5766</cvename>
      <cvename>CVE-2016-5767</cvename>
      <cvename>CVE-2016-5768</cvename>
      <cvename>CVE-2016-5769</cvename>
      <cvename>CVE-2016-5770</cvename>
      <cvename>CVE-2016-5771</cvename>
      <cvename>CVE-2016-5772</cvename>
      <cvename>CVE-2016-5773</cvename>
      <freebsdpr>ports/210491</freebsdpr>
      <freebsdpr>ports/210502</freebsdpr>
      <url>http://php.net/ChangeLog-5.php#5.5.37</url>
      <url>http://php.net/ChangeLog-5.php#5.6.23</url>
      <url>http://php.net/ChangeLog-7.php#7.0.8</url>
    </references>
    <dates>
      <discovery>2016-06-23</discovery>
      <entry>2016-06-25</entry>
    </dates>
  </vuln>

  <vuln vid="4a0d9b53-395d-11e6-b3c8-14dae9d210b8">
    <topic>libarchive -- multiple vulnerabilities</topic>
    <affects>
      <package>
	<name>libarchive</name>
	<range><lt>3.2.1,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Hanno Bock and Cisco Talos report:</p>
	<blockquote cite="http://openwall.com/lists/oss-security/2016/06/23/6">
	  <ul>
	    <li><p>Out of bounds heap read in RAR parser</p></li>
	    <li><p>Signed integer overflow in ISO parser</p></li>
	    <li><p>TALOS-2016-0152 [CVE-2016-4300]: 7-Zip
	    read_SubStreamsInfo Integer Overflow</p></li>
	    <li><p>TALOS-2016-0153 [CVE-2016-4301]: mtree parse_device Stack
	    Based Buffer Overflow</p></li>
	    <li><p>TALOS-2016-0154 [CVE-2016-4302]: Libarchive Rar RestartModel
	    Heap Overflow</p></li>
	  </ul>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://openwall.com/lists/oss-security/2016/06/23/6</url>
      <url>https://github.com/libarchive/libarchive/issues/521</url>
      <url>https://github.com/libarchive/libarchive/issues/717#event-697151157</url>
      <url>http://blog.talosintel.com/2016/06/the-poisoned-archives.html</url>
      <cvename>CVE-2015-8934</cvename>
      <cvename>CVE-2016-4300</cvename>
      <cvename>CVE-2016-4301</cvename>
      <cvename>CVE-2016-4302</cvename>
    </references>
    <dates>
      <discovery>2016-06-23</discovery>
      <entry>2016-06-23</entry>
    </dates>
  </vuln>

  <vuln vid="22775cdd-395a-11e6-b3c8-14dae9d210b8">
    <topic>piwik -- XSS vulnerability</topic>
    <affects>
      <package>
	<name>piwik</name>
	<range><lt>2.16.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Piwik reports:</p>
	<blockquote cite="http://piwik.org/changelog/piwik-2-16-1/">
	  <p>The Piwik Security team is grateful for the responsible
	  disclosures by our security researchers: Egidio Romano (granted a
	  critical security bounty), James Kettle and Paweł Bartunek (XSS) and
	  Emanuel Bronshtein (limited XSS).</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://piwik.org/changelog/piwik-2-16-1/</url>
    </references>
    <dates>
      <discovery>2016-04-11</discovery>
      <entry>2016-06-23</entry>
    </dates>
  </vuln>

  <vuln vid="6df56c60-3738-11e6-a671-60a44ce6887b">
    <topic>wget -- HTTP to FTP redirection file name confusion vulnerability</topic>
    <affects>
      <package>
	<name>wget</name>
	<range><lt>1.18</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Giuseppe Scrivano reports:</p>
	<blockquote cite="http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html">
	  <p>On a server redirect from HTTP to a FTP resource, wget would trust the
	  HTTP server and use the name in the redirected URL as the destination
	  filename.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html</url>
      <cvename>CVE-2016-4971</cvename>
    </references>
    <dates>
      <discovery>2016-06-09</discovery>
      <entry>2016-06-21</entry>
    </dates>
  </vuln>

  <vuln vid="1a2aa04f-3718-11e6-b3c8-14dae9d210b8">
    <topic>libxslt -- Denial of Service</topic>
    <affects>
      <package>
	<name>libxslt</name>
	<range><lt>1.1.29</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Google reports:</p>
	<blockquote cite="http://seclists.org/bugtraq/2016/Jun/81">
	  <ul>
	    <li>[583156] Medium CVE-2016-1683: Out-of-bounds access in libxslt.
	    Credit to Nicolas Gregoire.</li>
	    <li>[583171] Medium CVE-2016-1684: Integer overflow in libxslt.
	    Credit to Nicolas Gregoire.</li>
	  </ul>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://googlechromereleases.blogspot.com/2016/05/stable-channel-update_25.html</url>
      <cvename>CVE-2016-1683</cvename>
      <cvename>CVE-2016-1684</cvename>
    </references>
    <dates>
      <discovery>2016-05-25</discovery>
      <entry>2016-06-20</entry>
    </dates>
  </vuln>

  <vuln vid="0e3dfdde-35c4-11e6-8e82-002590263bf5">
    <topic>flash -- multiple vulnerabilities</topic>
    <affects>
      <package>
	<name>linux-c6-flashplugin</name>
	<name>linux-c6_64-flashplugin</name>
	<name>linux-f10-flashplugin</name>
	<range><lt>11.2r202.626</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Adobe reports:</p>
	<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-18.html">
	  <p>These updates resolve type confusion vulnerabilities that could
	  lead to code execution (CVE-2016-4144, CVE-2016-4149).</p>
	  <p>These updates resolve use-after-free vulnerabilities that could
	  lead to code execution (CVE-2016-4142, CVE-2016-4143, CVE-2016-4145,
	  CVE-2016-4146, CVE-2016-4147, CVE-2016-4148).</p>
	  <p>These updates resolve heap buffer overflow vulnerabilities that
	  could lead to code execution (CVE-2016-4135, CVE-2016-4136,
	  CVE-2016-4138).</p>
	  <p>These updates resolve memory corruption vulnerabilities that could
	  lead to code execution (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124,
	  CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129,
	  CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133,
	  CVE-2016-4134, CVE-2016-4137, CVE-2016-4141, CVE-2016-4150,
	  CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154,
	  CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171).</p>
	  <p>These updates
resolve a vulnerability in the directory search path
	  used to find resources that could lead to code execution
	  (CVE-2016-4140).</p>
	  <p>These updates resolve a vulnerability that could be exploited to
	  bypass the same-origin-policy and lead to information disclosure
	  (CVE-2016-4139).</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-4122</cvename>
      <cvename>CVE-2016-4123</cvename>
      <cvename>CVE-2016-4124</cvename>
      <cvename>CVE-2016-4125</cvename>
      <cvename>CVE-2016-4127</cvename>
      <cvename>CVE-2016-4128</cvename>
      <cvename>CVE-2016-4129</cvename>
      <cvename>CVE-2016-4130</cvename>
      <cvename>CVE-2016-4131</cvename>
      <cvename>CVE-2016-4132</cvename>
      <cvename>CVE-2016-4133</cvename>
      <cvename>CVE-2016-4134</cvename>
      <cvename>CVE-2016-4135</cvename>
      <cvename>CVE-2016-4136</cvename>
      <cvename>CVE-2016-4137</cvename>
      <cvename>CVE-2016-4138</cvename>
      <cvename>CVE-2016-4139</cvename>
      <cvename>CVE-2016-4140</cvename>
      <cvename>CVE-2016-4141</cvename>
      <cvename>CVE-2016-4142</cvename>
      <cvename>CVE-2016-4143</cvename>
      <cvename>CVE-2016-4144</cvename>
      <cvename>CVE-2016-4145</cvename>
      <cvename>CVE-2016-4146</cvename>
      <cvename>CVE-2016-4147</cvename>
      <cvename>CVE-2016-4148</cvename>
      <cvename>CVE-2016-4149</cvename>
      <cvename>CVE-2016-4150</cvename>
      <cvename>CVE-2016-4151</cvename>
      <cvename>CVE-2016-4152</cvename>
      <cvename>CVE-2016-4153</cvename>
      <cvename>CVE-2016-4154</cvename>
      <cvename>CVE-2016-4155</cvename>
      <cvename>CVE-2016-4156</cvename>
      <cvename>CVE-2016-4166</cvename>
      <cvename>CVE-2016-4171</cvename>
      <url>https://helpx.adobe.com/security/products/flash-player/apsb16-18.html</url>
    </references>
    <dates>
      <discovery>2016-06-16</discovery>
      <entry>2016-06-19</entry>
</dates> 10500 </vuln> 10501 10502 <vuln vid="0c6b008d-35c4-11e6-8e82-002590263bf5"> 10503 <topic>flash -- multiple vulnerabilities</topic> 10504 <affects> 10505 <package> 10506 <name>linux-c6-flashplugin</name> 10507 <name>linux-c6_64-flashplugin</name> 10508 <name>linux-f10-flashplugin</name> 10509 <range><lt>11.2r202.621</lt></range> 10510 </package> 10511 </affects> 10512 <description> 10513 <body xmlns="http://www.w3.org/1999/xhtml"> 10514 <p>Adobe reports:</p> 10515 <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-15.html"> 10516 <p>These updates resolve type confusion vulnerabilities that could 10517 lead to code execution (CVE-2016-1105, CVE-2016-4117).</p> 10518 <p>These updates resolve use-after-free vulnerabilities that could 10519 lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, 10520 CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, 10521 CVE-2016-4110, CVE-2016-4121).</p> 10522 <p>These updates resolve a heap buffer overflow vulnerability that 10523 could lead to code execution (CVE-2016-1101).</p> 10524 <p>These updates resolve a buffer overflow vulnerability that could 10525 lead to code execution (CVE-2016-1103).</p> 10526 <p>These updates resolve memory corruption vulnerabilities that could 10527 lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, 10528 CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, 10529 CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, 10530 CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161, 10531 CVE-2016-4162, CVE-2016-4163).</p> 10532 <p>These updates resolve a vulnerability in the directory search path 10533 used to find resources that could lead to code execution 10534 (CVE-2016-4116).</p> 10535 </blockquote> 10536 </body> 10537 </description> 10538 <references> 10539 <cvename>CVE-2016-1096</cvename> 10540 <cvename>CVE-2016-1097</cvename> 10541 <cvename>CVE-2016-1098</cvename> 10542 <cvename>CVE-2016-1099</cvename> 
10543 <cvename>CVE-2016-1100</cvename> 10544 <cvename>CVE-2016-1101</cvename> 10545 <cvename>CVE-2016-1102</cvename> 10546 <cvename>CVE-2016-1103</cvename> 10547 <cvename>CVE-2016-1104</cvename> 10548 <cvename>CVE-2016-1105</cvename> 10549 <cvename>CVE-2016-1106</cvename> 10550 <cvename>CVE-2016-1107</cvename> 10551 <cvename>CVE-2016-1108</cvename> 10552 <cvename>CVE-2016-1109</cvename> 10553 <cvename>CVE-2016-1110</cvename> 10554 <cvename>CVE-2016-4108</cvename> 10555 <cvename>CVE-2016-4109</cvename> 10556 <cvename>CVE-2016-4110</cvename> 10557 <cvename>CVE-2016-4111</cvename> 10558 <cvename>CVE-2016-4112</cvename> 10559 <cvename>CVE-2016-4113</cvename> 10560 <cvename>CVE-2016-4114</cvename> 10561 <cvename>CVE-2016-4115</cvename> 10562 <cvename>CVE-2016-4116</cvename> 10563 <cvename>CVE-2016-4117</cvename> 10564 <cvename>CVE-2016-4120</cvename> 10565 <cvename>CVE-2016-4121</cvename> 10566 <cvename>CVE-2016-4160</cvename> 10567 <cvename>CVE-2016-4161</cvename> 10568 <cvename>CVE-2016-4162</cvename> 10569 <cvename>CVE-2016-4163</cvename> 10570 <url>https://helpx.adobe.com/security/products/flash-player/apsb16-15.html</url> 10571 </references> 10572 <dates> 10573 <discovery>2016-05-12</discovery> 10574 <entry>2016-06-19</entry> 10575 </dates> 10576 </vuln> 10577 10578 <vuln vid="07888b49-35c4-11e6-8e82-002590263bf5"> 10579 <topic>flash -- multiple vulnerabilities</topic> 10580 <affects> 10581 <package> 10582 <name>linux-c6-flashplugin</name> 10583 <name>linux-c6_64-flashplugin</name> 10584 <name>linux-f10-flashplugin</name> 10585 <range><lt>11.2r202.616</lt></range> 10586 </package> 10587 </affects> 10588 <description> 10589 <body xmlns="http://www.w3.org/1999/xhtml"> 10590 <p>Adobe reports:</p> 10591 <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-10.html"> 10592 <p>These updates harden a mitigation against JIT spraying attacks that 10593 could be used to bypass memory layout randomization mitigations 10594 (CVE-2016-1006).</p> 10595 
<p>These updates resolve type confusion vulnerabilities that could 10596 lead to code execution (CVE-2016-1015, CVE-2016-1019).</p> 10597 <p>These updates resolve use-after-free vulnerabilities that could 10598 lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, 10599 CVE-2016-1017, CVE-2016-1031).</p> 10600 <p>These updates resolve memory corruption vulnerabilities that could 10601 lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, 10602 CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, 10603 CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, 10604 CVE-2016-1032, CVE-2016-1033).</p> 10605 <p>These updates resolve a stack overflow vulnerability that could 10606 lead to code execution (CVE-2016-1018).</p> 10607 <p>These updates resolve a security bypass vulnerability 10608 (CVE-2016-1030).</p> 10609 <p>These updates resolve a vulnerability in the directory search path 10610 used to find resources that could lead to code execution 10611 (CVE-2016-1014).</p> 10612 </blockquote> 10613 </body> 10614 </description> 10615 <references> 10616 <cvename>CVE-2016-1006</cvename> 10617 <cvename>CVE-2016-1011</cvename> 10618 <cvename>CVE-2016-1012</cvename> 10619 <cvename>CVE-2016-1013</cvename> 10620 <cvename>CVE-2016-1014</cvename> 10621 <cvename>CVE-2016-1015</cvename> 10622 <cvename>CVE-2016-1016</cvename> 10623 <cvename>CVE-2016-1017</cvename> 10624 <cvename>CVE-2016-1018</cvename> 10625 <cvename>CVE-2016-1019</cvename> 10626 <cvename>CVE-2016-1020</cvename> 10627 <cvename>CVE-2016-1021</cvename> 10628 <cvename>CVE-2016-1022</cvename> 10629 <cvename>CVE-2016-1023</cvename> 10630 <cvename>CVE-2016-1024</cvename> 10631 <cvename>CVE-2016-1025</cvename> 10632 <cvename>CVE-2016-1026</cvename> 10633 <cvename>CVE-2016-1027</cvename> 10634 <cvename>CVE-2016-1028</cvename> 10635 <cvename>CVE-2016-1029</cvename> 10636 <cvename>CVE-2016-1030</cvename> 10637 <cvename>CVE-2016-1031</cvename> 10638 <cvename>CVE-2016-1032</cvename> 
10639 <cvename>CVE-2016-1033</cvename> 10640 <url>https://helpx.adobe.com/security/products/flash-player/apsb16-10.html</url> 10641 </references> 10642 <dates> 10643 <discovery>2016-04-07</discovery> 10644 <entry>2016-06-19</entry> 10645 </dates> 10646 </vuln> 10647 10648 <vuln vid="d59ebed4-34be-11e6-be25-3065ec8fd3ec"> 10649 <topic>chromium -- multiple vulnerabilities</topic> 10650 <affects> 10651 <package> 10652 <name>chromium</name> 10653 <name>chromium-npapi</name> 10654 <name>chromium-pulse</name> 10655 <range><lt>51.0.2704.103</lt></range> 10656 </package> 10657 </affects> 10658 <description> 10659 <body xmlns="http://www.w3.org/1999/xhtml"> 10660 <p>Google Chrome Releases reports:</p> 10661 <blockquote cite="https://googlechromereleases.blogspot.nl/2016/06/stable-channel-update_16.html"> 10662 <p>3 security fixes in this release, including:</p> 10663 <ul> 10664 <li>[620742] CVE-2016-1704: Various fixes from internal audits, 10665 fuzzing and other initiatives.</li> 10666 </ul> 10667 </blockquote> 10668 </body> 10669 </description> 10670 <references> 10671 <cvename>CVE-2016-1704</cvename> 10672 <url>https://googlechromereleases.blogspot.nl/2016/06/stable-channel-update_16.html</url> 10673 </references> 10674 <dates> 10675 <discovery>2016-06-16</discovery> 10676 <entry>2016-06-17</entry> 10677 </dates> 10678 </vuln> 10679 10680 <vuln vid="1d0f6852-33d8-11e6-a671-60a44ce6887b"> 10681 <topic>Python -- Integer overflow in zipimport module</topic> 10682 <affects> 10683 <package> 10684 <name>python35</name> 10685 <range><lt>3.5.1_3</lt></range> 10686 </package> 10687 <package> 10688 <name>python34</name> 10689 <range><lt>3.4.4_3</lt></range> 10690 </package> 10691 <package> 10692 <name>python33</name> 10693 <range><lt>3.3.6_5</lt></range> 10694 </package> 10695 <package> 10696 <name>python27</name> 10697 <range><lt>2.7.11_3</lt></range> 10698 </package> 10699 </affects> 10700 <description> 10701 <body xmlns="http://www.w3.org/1999/xhtml"> 10702 <p>Python 
reports:</p> 10703 <blockquote cite="http://bugs.python.org/issue26171"> 10704 <p>Possible integer overflow and heap corruption in 10705 zipimporter.get_data()</p> 10706 </blockquote> 10707 </body> 10708 </description> 10709 <references> 10710 <url>http://bugs.python.org/issue26171</url> 10711 <cvename>CVE-2016-5636</cvename> 10712 </references> 10713 <dates> 10714 <discovery>2016-01-21</discovery> 10715 <entry>2016-06-17</entry> 10716 </dates> 10717 </vuln> 10718 10719 <vuln vid="7932548e-3427-11e6-8e82-002590263bf5"> 10720 <topic>drupal -- multiple vulnerabilities</topic> 10721 <affects> 10722 <package> 10723 <name>drupal7</name> 10724 <range><lt>7.44</lt></range> 10725 </package> 10726 <package> 10727 <name>drupal8</name> 10728 <range><lt>8.1.3</lt></range> 10729 </package> 10730 </affects> 10731 <description> 10732 <body xmlns="http://www.w3.org/1999/xhtml"> 10733 <p>Drupal Security Team reports:</p> 10734 <blockquote cite="https://www.drupal.org/SA-CORE-2016-002"> 10735 <ul> 10736 <li><p>Saving user accounts can sometimes grant the user all roles 10737 (User module - Drupal 7 - Moderately Critical)</p></li> 10738 <li><p>Views can allow unauthorized users to see Statistics 10739 information (Views module - Drupal 8 - Less Critical)</p></li> 10740 </ul> 10741 </blockquote> 10742 </body> 10743 </description> 10744 <references> 10745 <cvename>CVE-2016-6211</cvename> 10746 <cvename>CVE-2016-6212</cvename> 10747 <url>https://www.drupal.org/SA-CORE-2016-002</url> 10748 <url>http://www.openwall.com/lists/oss-security/2016/07/13/7</url> 10749 </references> 10750 <dates> 10751 <discovery>2016-06-15</discovery> 10752 <entry>2016-06-17</entry> 10753 <modified>2016-07-16</modified> 10754 </dates> 10755 </vuln> 10756 10757 <vuln vid="ac0900df-31d0-11e6-8e82-002590263bf5"> 10758 <topic>botan -- multiple vulnerabilities</topic> 10759 <affects> 10760 <package> 10761 <name>botan110</name> 10762 <range><lt>1.10.13</lt></range> 10763 </package> 10764 </affects> 10765 
<description> 10766 <body xmlns="http://www.w3.org/1999/xhtml"> 10767 <p>Jack Lloyd reports:</p> 10768 <blockquote cite="https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html"> 10769 <p>Botan 1.10.13 has been released backporting some side channel 10770 protections for ECDSA signatures (CVE-2016-2849) and PKCS #1 RSA 10771 decryption (CVE-2015-7827).</p> 10772 </blockquote> 10773 </body> 10774 </description> 10775 <references> 10776 <cvename>CVE-2016-2849</cvename> 10777 <cvename>CVE-2015-7827</cvename> 10778 <url>https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html</url> 10779 </references> 10780 <dates> 10781 <discovery>2016-04-28</discovery> 10782 <entry>2016-06-14</entry> 10783 </dates> 10784 </vuln> 10785 10786 <vuln vid="f771880c-31cf-11e6-8e82-002590263bf5"> 10787 <topic>botan -- cryptographic vulnerability</topic> 10788 <affects> 10789 <package> 10790 <name>botan110</name> 10791 <range><lt>1.10.8</lt></range> 10792 </package> 10793 </affects> 10794 <description> 10795 <body xmlns="http://www.w3.org/1999/xhtml"> 10796 <p>MITRE reports:</p> 10797 <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9742"> 10798 <p>The Miller-Rabin primality check in Botan before 1.10.8 and 1.11.x 10799 before 1.11.9 improperly uses a single random base, which makes it 10800 easier for remote attackers to defeat cryptographic protection 10801 mechanisms via a DH group.</p> 10802 </blockquote> 10803 </body> 10804 </description> 10805 <references> 10806 <cvename>CVE-2014-9742</cvename> 10807 </references> 10808 <dates> 10809 <discovery>2014-04-11</discovery> 10810 <entry>2016-06-14</entry> 10811 </dates> 10812 </vuln> 10813 10814 <vuln vid="6d402857-2fba-11e6-9f31-5404a68ad561"> 10815 <topic>VLC -- Possibly remote code execution via crafted file</topic> 10816 <affects> 10817 <package> 10818 <name>vlc</name> 10819 <range><lt>2.2.4,4</lt></range> 10820 </package> 10821 <package> 10822 <name>vlc-qt4</name> 10823 
<range><lt>2.2.4,4</lt></range> 10824 </package> 10825 </affects> 10826 <description> 10827 <body xmlns="http://www.w3.org/1999/xhtml"> 10828 <p>The VLC project reports:</p> 10829 <blockquote cite="https://www.videolan.org/developers/vlc-branch/NEWS"> 10830 <p>Fix out-of-bound write in adpcm QT IMA codec (CVE-2016-5108)</p> 10831 </blockquote> 10832 </body> 10833 </description> 10834 <references> 10835 <cvename>CVE-2016-5108</cvename> 10836 </references> 10837 <dates> 10838 <discovery>2016-05-25</discovery> 10839 <entry>2016-06-11</entry> 10840 </dates> 10841 </vuln> 10842 10843 <vuln vid="97e86d10-2ea7-11e6-ae88-002590263bf5"> 10844 <topic>roundcube -- XSS vulnerability</topic> 10845 <affects> 10846 <package> 10847 <name>roundcube</name> 10848 <range><lt>1.1.5_1,1</lt></range> 10849 </package> 10850 </affects> 10851 <description> 10852 <body xmlns="http://www.w3.org/1999/xhtml"> 10853 <p>Roundcube reports:</p> 10854 <blockquote cite="https://github.com/roundcube/roundcubemail/wiki/Changelog"> 10855 <p>Fix XSS issue in href attribute on area tag (#5240).</p> 10856 </blockquote> 10857 </body> 10858 </description> 10859 <references> 10860 <cvename>CVE-2016-5103</cvename> 10861 <freebsdpr>ports/209841</freebsdpr> 10862 <url>https://github.com/roundcube/roundcubemail/issues/5240</url> 10863 <url>http://seclists.org/oss-sec/2016/q2/414</url> 10864 </references> 10865 <dates> 10866 <discovery>2016-05-06</discovery> 10867 <entry>2016-06-10</entry> 10868 </dates> 10869 </vuln> 10870 10871 <vuln vid="6f0529e2-2e82-11e6-b2ec-b499baebfeaf"> 10872 <topic>OpenSSL -- vulnerability in DSA signing</topic> 10873 <affects> 10874 <package> 10875 <name>openssl</name> 10876 <range><lt>1.0.2_13</lt></range> 10877 </package> 10878 <package> 10879 <name>libressl</name> 10880 <range><lt>2.2.9</lt></range> 10881 <range><ge>2.3.0</ge><lt>2.3.6</lt></range> 10882 </package> 10883 <package> 10884 <name>libressl-devel</name> 10885 <range><lt>2.4.1</lt></range> 10886 </package> 10887 </affects> 
10888 <description> 10889 <body xmlns="http://www.w3.org/1999/xhtml"> 10890 <p>The OpenSSL team reports:</p> 10891 <blockquote cite="https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2"> 10892 <p>Operations in the DSA signing algorithm should run in constant time 10893 in order to avoid side channel attacks. A flaw in the OpenSSL DSA 10894 implementation means that a non-constant time codepath is followed for 10895 certain operations. This has been demonstrated through a cache-timing 10896 attack to be sufficient for an attacker to recover the private DSA key. 10897 </p> 10898 </blockquote> 10899 </body> 10900 </description> 10901 <references> 10902 <url>https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2</url> 10903 <cvename>CVE-2016-2178</cvename> 10904 </references> 10905 <dates> 10906 <discovery>2016-06-09</discovery> 10907 <entry>2016-06-09</entry> 10908 <modified>2016-12-20</modified> 10909 </dates> 10910 </vuln> 10911 10912 <vuln vid="c9c252f5-2def-11e6-ae88-002590263bf5"> 10913 <topic>expat -- multiple vulnerabilities</topic> 10914 <affects> 10915 <package> 10916 <name>expat</name> 10917 <range><lt>2.1.1_1</lt></range> 10918 </package> 10919 </affects> 10920 <description> 10921 <body xmlns="http://www.w3.org/1999/xhtml"> 10922 <p>Sebastian Pipping reports:</p> 10923 <blockquote cite="https://sourceforge.net/p/expat/code_git/ci/07cc2fcacf81b32b2e06aa918df51756525240c0/"> 10924 <p>CVE-2012-6702 -- Resolve troublesome internal call to srand that 10925 was introduced with Expat 2.1.0 when addressing CVE-2012-0876 10926 (issue #496)</p> 10927 <p>CVE-2016-5300 -- Use more entropy for hash initialization than the 10928 original fix to CVE-2012-0876.</p> 10929 </blockquote> 10930 </body> 10931 </description> 10932 <references> 10933 <cvename>CVE-2012-6702</cvename> 10934 <cvename>CVE-2016-5300</cvename> 10935 <freebsdpr>ports/210155</freebsdpr> 10936 
<url>https://sourceforge.net/p/expat/code_git/ci/07cc2fcacf81b32b2e06aa918df51756525240c0/</url> 10937 <url>http://www.openwall.com/lists/oss-security/2016/03/18/3</url> 10938 </references> 10939 <dates> 10940 <discovery>2016-03-18</discovery> 10941 <entry>2016-06-09</entry> 10942 <modified>2016-11-06</modified> 10943 </dates> 10944 </vuln> 10945 10946 <vuln vid="d6bbf2d8-2cfc-11e6-800b-080027468580"> 10947 <topic>iperf3 -- buffer overflow</topic> 10948 <affects> 10949 <package> 10950 <name>iperf3</name> 10951 <range><ge>3.1</ge><lt>3.1.3</lt></range> 10952 <range><ge>3.0</ge><lt>3.0.12</lt></range> 10953 </package> 10954 </affects> 10955 <description> 10956 <body xmlns="http://www.w3.org/1999/xhtml"> 10957 <p>ESnet reports:</p> 10958 <blockquote cite="https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc"> 10959 <p>A malicious process can connect to an iperf3 server and, 10960 by sending a malformed message on the control channel, 10961 corrupt the server process's heap area. This can lead to a 10962 crash (and a denial of service), or theoretically a remote 10963 code execution as the user running the iperf3 server. A 10964 malicious iperf3 server could potentially mount a similar 10965 attack on an iperf3 client. 
10966 </p> 10967 </blockquote> 10968 </body> 10969 </description> 10970 <references> 10971 <cvename>CVE-2016-4303</cvename> 10972 <url>https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc</url> 10973 </references> 10974 <dates> 10975 <discovery>2016-06-08</discovery> 10976 <entry>2016-06-08</entry> 10977 </dates> 10978 </vuln> 10979 10980 <vuln vid="9c196cfd-2ccc-11e6-94b0-0011d823eebd"> 10981 <topic>gnutls -- file overwrite by setuid programs</topic> 10982 <affects> 10983 <package> 10984 <name>gnutls</name> 10985 <range><ge>3.4.12</ge><lt>3.4.13</lt></range> 10986 </package> 10987 </affects> 10988 <description> 10989 <body xmlns="http://www.w3.org/1999/xhtml"> 10990 <p>gnutls.org reports:</p> 10991 <blockquote cite="https://gnutls.org/security.html#GNUTLS-SA-2016-1"> 10992 <p>Setuid programs using GnuTLS 3.4.12 could potentially allow an 10993 attacker to overwrite and corrupt arbitrary files in the 10994 filesystem.</p> 10995 </blockquote> 10996 </body> 10997 </description> 10998 <references> 10999 <url>https://gnutls.org/security.html#GNUTLS-SA-2016-1</url> 11000 </references> 11001 <dates> 11002 <discovery>2016-06-06</discovery> 11003 <entry>2016-06-07</entry> 11004 </dates> 11005 </vuln> 11006 11007 <vuln vid="32166082-53fa-41fa-b081-207e7a989a0a"> 11008 <topic>NSS -- multiple vulnerabilities</topic> 11009 <affects> 11010 <package> 11011 <name>nss</name> 11012 <range><lt>3.23</lt></range> 11013 </package> 11014 <package> 11015 <name>linux-c6-nss</name> 11016 <name>linux-c7-nss</name> 11017 <range><lt>3.21.3</lt></range> 11018 </package> 11019 <package> 11020 <name>linux-seamonkey</name> 11021 <range><lt>2.44</lt></range> 11022 </package> 11023 </affects> 11024 <description> 11025 <body xmlns="http://www.w3.org/1999/xhtml"> 11026 <p>Mozilla Foundation reports:</p> 11027 <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-61/"> 11028 <p>Mozilla has updated the version of Network Security 
11029 Services (NSS) library used in Firefox to NSS 3.23. This 11030 addresses four moderate rated networking security issues 11031 reported by Mozilla engineers Tyson Smith and Jed Davis.</p> 11032 </blockquote> 11033 </body> 11034 </description> 11035 <references> 11036 <cvename>CVE-2016-2834</cvename> 11037 <url>https://www.mozilla.org/security/advisories/mfsa2016-61/</url> 11038 <url>https://hg.mozilla.org/projects/nss/rev/1ba7cd83c672</url> 11039 <url>https://hg.mozilla.org/projects/nss/rev/8d78a5ae260a</url> 11040 <url>https://hg.mozilla.org/projects/nss/rev/5fde729fdbff</url> 11041 <url>https://hg.mozilla.org/projects/nss/rev/329932eb1700</url> 11042 </references> 11043 <dates> 11044 <discovery>2016-06-07</discovery> 11045 <entry>2016-06-07</entry> 11046 <modified>2016-11-23</modified> 11047 </dates> 11048 </vuln> 11049 11050 <vuln vid="8065d37b-8e7c-4707-a608-1b0a2b8509c3"> 11051 <topic>mozilla -- multiple vulnerabilities</topic> 11052 <affects> 11053 <package> 11054 <name>firefox</name> 11055 <range><lt>47.0,1</lt></range> 11056 </package> 11057 <package> 11058 <name>seamonkey</name> 11059 <name>linux-seamonkey</name> 11060 <range><lt>2.44</lt></range> 11061 </package> 11062 <package> 11063 <name>firefox-esr</name> 11064 <range><lt>45.2.0,1</lt></range> 11065 </package> 11066 <package> 11067 <name>linux-firefox</name> 11068 <range><lt>45.2.0,2</lt></range> 11069 </package> 11070 <package> 11071 <name>libxul</name> 11072 <name>thunderbird</name> 11073 <name>linux-thunderbird</name> 11074 <range><lt>45.2.0</lt></range> 11075 </package> 11076 </affects> 11077 <description> 11078 <body xmlns="http://www.w3.org/1999/xhtml"> 11079 <p>Mozilla Foundation reports:</p> 11080 <blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox47"> 11081 <p>MFSA 2016-49 Miscellaneous memory safety hazards (rv:47.0 / 11082 rv:45.2)</p> 11083 <p>MFSA 2016-50 Buffer overflow parsing HTML5 fragments</p> 11084 <p>MFSA 2016-51 Use-after-free 
deleting tables from a 11085 contenteditable document</p> 11086 <p>MFSA 2016-52 Addressbar spoofing though the SELECT element</p> 11087 <p>MFSA 2016-54 Partial same-origin-policy through setting 11088 location.host through data URI</p> 11089 <p>MFSA 2016-56 Use-after-free when textures are used in WebGL 11090 operations after recycle pool destruction</p> 11091 <p>MFSA 2016-57 Incorrect icon displayed on permissions 11092 notifications</p> 11093 <p>MFSA 2016-58 Entering fullscreen and persistent pointerlock 11094 without user permission</p> 11095 <p>MFSA 2016-59 Information disclosure of disabled plugins 11096 through CSS pseudo-classes</p> 11097 <p>MFSA 2016-60 Java applets bypass CSP protections</p> 11098 </blockquote> 11099 </body> 11100 </description> 11101 <references> 11102 <cvename>CVE-2016-2815</cvename> 11103 <cvename>CVE-2016-2818</cvename> 11104 <cvename>CVE-2016-2819</cvename> 11105 <cvename>CVE-2016-2821</cvename> 11106 <cvename>CVE-2016-2822</cvename> 11107 <cvename>CVE-2016-2825</cvename> 11108 <cvename>CVE-2016-2828</cvename> 11109 <cvename>CVE-2016-2829</cvename> 11110 <cvename>CVE-2016-2831</cvename> 11111 <cvename>CVE-2016-2832</cvename> 11112 <cvename>CVE-2016-2833</cvename> 11113 <url>https://www.mozilla.org/security/advisories/mfsa2016-49/</url> 11114 <url>https://www.mozilla.org/security/advisories/mfsa2016-50/</url> 11115 <url>https://www.mozilla.org/security/advisories/mfsa2016-51/</url> 11116 <url>https://www.mozilla.org/security/advisories/mfsa2016-52/</url> 11117 <url>https://www.mozilla.org/security/advisories/mfsa2016-54/</url> 11118 <url>https://www.mozilla.org/security/advisories/mfsa2016-56/</url> 11119 <url>https://www.mozilla.org/security/advisories/mfsa2016-57/</url> 11120 <url>https://www.mozilla.org/security/advisories/mfsa2016-58/</url> 11121 <url>https://www.mozilla.org/security/advisories/mfsa2016-59/</url> 11122 <url>https://www.mozilla.org/security/advisories/mfsa2016-60/</url> 11123 </references> 11124 <dates> 11125 
<discovery>2016-06-07</discovery> 11126 <entry>2016-06-07</entry> 11127 </dates> 11128 </vuln> 11129 11130 <vuln vid="c039a761-2c29-11e6-8912-3065ec8fd3ec"> 11131 <topic>chromium -- multiple vulnerabilities</topic> 11132 <affects> 11133 <package> 11134 <name>chromium</name> 11135 <name>chromium-npapi</name> 11136 <name>chromium-pulse</name> 11137 <range><lt>51.0.2704.79</lt></range> 11138 </package> 11139 </affects> 11140 <description> 11141 <body xmlns="http://www.w3.org/1999/xhtml"> 11142 <p>Google Chrome Releases reports:</p> 11143 <blockquote cite="http://googlechromereleases.blogspot.nl/2016/06/stable-channel-update.html"> 11144 <p>15 security fixes in this release, including:</p> 11145 <ul> 11146 <li>601073] High CVE-2016-1696: Cross-origin bypass in Extension 11147 bindings. Credit to anonymous.</li> 11148 <li>[613266] High CVE-2016-1697: Cross-origin bypass in Blink. 11149 Credit to Mariusz Mlynski.</li> 11150 <li>[603725] Medium CVE-2016-1698: Information leak in Extension 11151 bindings. Credit to Rob Wu.</li> 11152 <li>[607939] Medium CVE-2016-1699: Parameter sanitization failure 11153 in DevTools. Credit to Gregory Panakkal.</li> 11154 <li>[608104] Medium CVE-2016-1700: Use-after-free in Extensions. 11155 Credit to Rob Wu.</li> 11156 <li>[608101] Medium CVE-2016-1701: Use-after-free in Autofill. 11157 Credit to Rob Wu.</li> 11158 <li>[609260] Medium CVE-2016-1702: Out-of-bounds read in Skia. 
11159 Credit to cloudfuzzer.</li> 11160 <li>[616539] CVE-2016-1703: Various fixes from internal audits, 11161 fuzzing and other initiatives.</li> 11162 </ul> 11163 </blockquote> 11164 </body> 11165 </description> 11166 <references> 11167 <cvename>CVE-2016-1695</cvename> 11168 <cvename>CVE-2016-1696</cvename> 11169 <cvename>CVE-2016-1697</cvename> 11170 <cvename>CVE-2016-1698</cvename> 11171 <cvename>CVE-2016-1699</cvename> 11172 <cvename>CVE-2016-1700</cvename> 11173 <cvename>CVE-2016-1701</cvename> 11174 <cvename>CVE-2016-1702</cvename> 11175 <cvename>CVE-2016-1703</cvename> 11176 <url>http://googlechromereleases.blogspot.nl/2016/06/stable-channel-update.html</url> 11177 </references> 11178 <dates> 11179 <discovery>2016-06-01</discovery> 11180 <entry>2016-06-06</entry> 11181 </dates> 11182 </vuln> 11183 11184 <vuln vid="bcbd3fe0-2b46-11e6-ae88-002590263bf5"> 11185 <topic>openafs -- multiple vulnerabilities</topic> 11186 <affects> 11187 <package> 11188 <name>openafs</name> 11189 <range><lt>1.6.17</lt></range> 11190 </package> 11191 </affects> 11192 <description> 11193 <body xmlns="http://www.w3.org/1999/xhtml"> 11194 <p>The OpenAFS development team reports:</p> 11195 <blockquote cite="http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt"> 11196 <p>Foreign users can bypass access controls to create groups as 11197 system:administrators, including in the user namespace and the 11198 system: namespace.</p> 11199 </blockquote> 11200 <blockquote cite="http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt"> 11201 <p>The contents of uninitialized memory are sent on the wire when 11202 clients perform certain RPCs. 
Depending on the RPC, the information 11203 leaked may come from kernel memory or userspace.</p> 11204 </blockquote> 11205 </body> 11206 </description> 11207 <references> 11208 <cvename>CVE-2016-2860</cvename> 11209 <cvename>CVE-2016-4536</cvename> 11210 <freebsdpr>ports/209534</freebsdpr> 11211 <url>http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt</url> 11212 <url>http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt</url> 11213 </references> 11214 <dates> 11215 <discovery>2016-03-16</discovery> 11216 <entry>2016-06-05</entry> 11217 </dates> 11218 </vuln> 11219 11220 <vuln vid="2e8fe57e-2b46-11e6-ae88-002590263bf5"> 11221 <topic>openafs -- local DoS vulnerability</topic> 11222 <affects> 11223 <package> 11224 <name>openafs</name> 11225 <range><lt>1.6.16</lt></range> 11226 </package> 11227 </affects> 11228 <description> 11229 <body xmlns="http://www.w3.org/1999/xhtml"> 11230 <p>The OpenAFS development team reports:</p> 11231 <blockquote cite="https://www.openafs.org/dl/1.6.16/RELNOTES-1.6.16"> 11232 <p>Avoid a potential denial of service issue, by fixing a bug in 11233 pioctl logic that allowed a local user to overrun a kernel buffer 11234 with a single NUL byte.</p> 11235 </blockquote> 11236 </body> 11237 </description> 11238 <references> 11239 <cvename>CVE-2015-8312</cvename> 11240 <url>https://www.openafs.org/dl/1.6.16/RELNOTES-1.6.16</url> 11241 </references> 11242 <dates> 11243 <discovery>2016-03-16</discovery> 11244 <entry>2016-06-05</entry> 11245 </dates> 11246 </vuln> 11247 11248 <vuln vid="0297b260-2b3b-11e6-ae88-002590263bf5"> 11249 <topic>ikiwiki -- XSS vulnerability</topic> 11250 <affects> 11251 <package> 11252 <name>ikiwiki</name> 11253 <range><lt>3.20160509</lt></range> 11254 </package> 11255 </affects> 11256 <description> 11257 <body xmlns="http://www.w3.org/1999/xhtml"> 11258 <p>Mitre reports:</p> 11259 <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4561"> 11260 <p>Cross-site scripting (XSS) 
vulnerability in the cgierror function 11261 in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers 11262 to inject arbitrary web script or HTML via unspecified vectors 11263 involving an error message.</p> 11264 </blockquote> 11265 </body> 11266 </description> 11267 <references> 11268 <cvename>CVE-2016-4561</cvename> 11269 <freebsdpr>ports/209593</freebsdpr> 11270 </references> 11271 <dates> 11272 <discovery>2016-05-04</discovery> 11273 <entry>2016-06-05</entry> 11274 </dates> 11275 </vuln> 11276 11277 <vuln vid="65bb1858-27de-11e6-b714-74d02b9a84d5"> 11278 <topic>h2o -- use after free on premature connection close</topic> 11279 <affects> 11280 <package> 11281 <name>h2o</name> 11282 <range><lt>1.7.3</lt></range> 11283 </package> 11284 </affects> 11285 <description> 11286 <body xmlns="http://www.w3.org/1999/xhtml"> 11287 <p>Tim Newsha reports:</p> 11288 <blockquote cite="http://h2o.examp1e.net/vulnerabilities.html"> 11289 <p>When H2O tries to disconnect a premature HTTP/2 connection, it 11290 calls free(3) to release memory allocated for the connection and 11291 immediately after then touches the memory. No malloc-related 11292 operation is performed by the same thread between the time it calls 11293 free and the time the memory is touched. 
Fixed by Frederik 11294 Deweerdt.</p> 11295 </blockquote> 11296 </body> 11297 </description> 11298 <references> 11299 <url>https://h2o.examp1e.net/vulnerabilities.html</url> 11300 </references> 11301 <dates> 11302 <discovery>2016-05-17</discovery> 11303 <entry>2016-06-01</entry> 11304 </dates> 11305 </vuln> 11306 11307 <vuln vid="36cf7670-2774-11e6-af29-f0def16c5c1b"> 11308 <topic>nginx -- a specially crafted request might result in worker process crash</topic> 11309 <affects> 11310 <package> 11311 <name>nginx</name> 11312 <range><ge>1.4.0</ge><lt>1.8.1_3,2</lt></range> 11313 <range><ge>1.10.0,2</ge><lt>1.10.1,2</lt></range> 11314 </package> 11315 <package> 11316 <name>nginx-devel</name> 11317 <range><ge>1.3.9</ge><lt>1.9.15_1</lt></range> 11318 <range><ge>1.10.0</ge><lt>1.11.1</lt></range> 11319 </package> 11320 </affects> 11321 <description> 11322 <body xmlns="http://www.w3.org/1999/xhtml"> 11323 <p>Maxim Dounin reports:</p> 11324 <blockquote cite="http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html"> 11325 <p>A problem was identified in nginx code responsible for saving 11326 client request body to a temporary file. 
A specially crafted 11327 request might result in worker process crash due to a NULL 11328 pointer dereference while writing client request body to a 11329 temporary file.</p> 11330 </blockquote> 11331 </body> 11332 </description> 11333 <references> 11334 <url>http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html</url> 11335 <cvename>CVE-2016-4450</cvename> 11336 </references> 11337 <dates> 11338 <discovery>2016-05-31</discovery> 11339 <entry>2016-05-31</entry> 11340 <modified>2016-06-05</modified> 11341 </dates> 11342 </vuln> 11343 11344 <vuln vid="6167b341-250c-11e6-a6fb-003048f2e514"> 11345 <topic>cacti -- multiple vulnerabilities</topic> 11346 <affects> 11347 <package> 11348 <name>cacti</name> 11349 <range><lt>0.8.8h</lt></range> 11350 </package> 11351 </affects> 11352 <description> 11353 <body xmlns="http://www.w3.org/1999/xhtml"> 11354 <p>The Cacti Group, Inc. reports:</p> 11355 <blockquote cite="http://www.cacti.net/release_notes_0_8_8h.php"> 11356 <p>Changelog</p> 11357 <ul> 11358 <li>bug:0002667: Cacti SQL Injection Vulnerability</li> 11359 <li>bug:0002673: CVE-2016-3659 - Cacti graph_view.php SQL Injection 11360 Vulnerability</li> 11361 <li>bug:0002656: Authentication using web authentication as a user 11362 not in the cacti database allows complete access (regression)</li> 11363 </ul> 11364 </blockquote> 11365 </body> 11366 </description> 11367 <references> 11368 <cvename>CVE-2016-3659</cvename> 11369 <url>http://www.cacti.net/release_notes_0_8_8h.php</url> 11370 <url>http://bugs.cacti.net/view.php?id=2673</url> 11371 <url>http://seclists.org/fulldisclosure/2016/Apr/4</url> 11372 <url>http://packetstormsecurity.com/files/136547/Cacti-0.8.8g-SQL-Injection.html</url> 11373 </references> 11374 <dates> 11375 <discovery>2016-04-04</discovery> 11376 <entry>2016-05-28</entry> 11377 </dates> 11378 </vuln> 11379 11380 <vuln vid="b53bbf58-257f-11e6-9f4d-20cf30e32f6d"> 11381 <topic>openvswitch -- MPLS buffer overflow</topic> 11382 <affects> 11383 
<package> 11384 <name>openvswitch</name> 11385 <range><ge>2.2.0</ge><lt>2.3.3</lt></range> 11386 <range><ge>2.4.0</ge><lt>2.4.1</lt></range> 11387 </package> 11388 </affects> 11389 <description> 11390 <body xmlns="http://www.w3.org/1999/xhtml"> 11391 <p>Open vSwitch reports:</p> 11392 <blockquote cite="http://openvswitch.org/pipermail/announce/2016-March/000082.html"> 11393 <p>Multiple versions of Open vSwitch are vulnerable to remote buffer 11394 overflow attacks, in which crafted MPLS packets could overflow the 11395 buffer reserved for MPLS labels in an OVS internal data structure. 11396 The MPLS packets that trigger the vulnerability and the potential for 11397 exploitation vary depending on version:</p> 11398 <p>Open vSwitch 2.1.x and earlier are not vulnerable.</p> 11399 <p>In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be 11400 exploited for arbitrary remote code execution.</p> 11401 <p>In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead 11402 to a remote code execution exploit, but testing shows that it can allow a 11403 remote denial of service. 
See the mitigation section for details.</p> 11404 <p>Open vSwitch 2.5.x is not vulnerable.</p> 11405 </blockquote> 11406 </body> 11407 </description> 11408 <references> 11409 <cvename>CVE-2016-2074</cvename> 11410 <url>http://openvswitch.org/pipermail/announce/2016-March/000082.html</url> 11411 <url>http://openvswitch.org/pipermail/announce/2016-March/000083.html</url> 11412 </references> 11413 <dates> 11414 <discovery>2016-03-28</discovery> 11415 <entry>2016-05-29</entry> 11416 <modified>2016-07-03</modified> 11417 </dates> 11418 </vuln> 11419 11420 <vuln vid="1a6bbb95-24b8-11e6-bd31-3065ec8fd3ec"> 11421 <topic>chromium -- multiple vulnerabilities</topic> 11422 <affects> 11423 <package> 11424 <name>chromium</name> 11425 <name>chromium-npapi</name> 11426 <name>chromium-pulse</name> 11427 <range><lt>51.0.2704.63</lt></range> 11428 </package> 11429 </affects> 11430 <description> 11431 <body xmlns="http://www.w3.org/1999/xhtml"> 11432 <p>Google Chrome Releases reports:</p> 11433 <blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html"> 11434 <p>42 security fixes in this release</p> 11435 <p>Please reference CVE/URL list for details</p> 11436 </blockquote> 11437 </body> 11438 </description> 11439 <references> 11440 <cvename>CVE-2016-1672</cvename> 11441 <cvename>CVE-2016-1673</cvename> 11442 <cvename>CVE-2016-1674</cvename> 11443 <cvename>CVE-2016-1675</cvename> 11444 <cvename>CVE-2016-1672</cvename> 11445 <cvename>CVE-2016-1677</cvename> 11446 <cvename>CVE-2016-1678</cvename> 11447 <cvename>CVE-2016-1679</cvename> 11448 <cvename>CVE-2016-1680</cvename> 11449 <cvename>CVE-2016-1681</cvename> 11450 <cvename>CVE-2016-1682</cvename> 11451 <cvename>CVE-2016-1685</cvename> 11452 <cvename>CVE-2016-1686</cvename> 11453 <cvename>CVE-2016-1687</cvename> 11454 <cvename>CVE-2016-1688</cvename> 11455 <cvename>CVE-2016-1689</cvename> 11456 <cvename>CVE-2016-1690</cvename> 11457 <cvename>CVE-2016-1691</cvename> 11458 
<cvename>CVE-2016-1692</cvename> 11459 <cvename>CVE-2016-1693</cvename> 11460 <cvename>CVE-2016-1694</cvename> 11461 <cvename>CVE-2016-1695</cvename> 11462 <url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html</url> 11463 </references> 11464 <dates> 11465 <discovery>2016-05-25</discovery> 11466 <entry>2016-05-28</entry> 11467 <modified>2016-06-20</modified> 11468 </dates> 11469 </vuln> 11470 11471 <vuln vid="4dfafa16-24ba-11e6-bd31-3065ec8fd3ec"> 11472 <topic>chromium -- multiple vulnerabilities</topic> 11473 <affects> 11474 <package> 11475 <name>chromium</name> 11476 <name>chromium-npapi</name> 11477 <name>chromium-pulse</name> 11478 <range><lt>50.0.2661.102</lt></range> 11479 </package> 11480 </affects> 11481 <description> 11482 <body xmlns="http://www.w3.org/1999/xhtml"> 11483 <p>Google Chrome Releases reports:</p> 11484 <blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html"> 11485 <p>5 security fixes in this release, including:</p> 11486 <ul> 11487 <li>[605766] High CVE-2016-1667: Same origin bypass in DOM. Credit 11488 to Mariusz Mlynski.</li> 11489 <li>[605910] High CVE-2016-1668: Same origin bypass in Blink V8 11490 bindings. Credit to Mariusz Mlynski.</li> 11491 <li>[606115] High CVE-2016-1669: Buffer overflow in V8. Credit to 11492 Choongwoo Han.</li> 11493 <li>[578882] Medium CVE-2016-1670: Race condition in loader. Credit 11494 to anonymous.</li> 11495 <li>[586657] Medium CVE-2016-1671: Directory traversal using the 11496 file scheme on Android. 
Credit to Jann Horn.</li> 11497 </ul> 11498 </blockquote> 11499 </body> 11500 </description> 11501 <references> 11502 <cvename>CVE-2016-1667</cvename> 11503 <cvename>CVE-2016-1668</cvename> 11504 <cvename>CVE-2016-1669</cvename> 11505 <cvename>CVE-2016-1670</cvename> 11506 <cvename>CVE-2016-1671</cvename> 11507 <url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html</url> 11508 </references> 11509 <dates> 11510 <discovery>2016-05-11</discovery> 11511 <entry>2016-05-28</entry> 11512 </dates> 11513 </vuln> 11514 11515 <vuln vid="7da1da96-24bb-11e6-bd31-3065ec8fd3ec"> 11516 <topic>chromium -- multiple vulnerabilities</topic> 11517 <affects> 11518 <package> 11519 <name>chromium</name> 11520 <name>chromium-npapi</name> 11521 <name>chromium-pulse</name> 11522 <range><lt>50.0.2661.94</lt></range> 11523 </package> 11524 </affects> 11525 <description> 11526 <body xmlns="http://www.w3.org/1999/xhtml"> 11527 <p>Google Chrome Releases reports:</p> 11528 <blockquote cite="http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html"> 11529 <p>9 security fixes in this release, including:</p> 11530 <ul> 11531 <li>[574802] High CVE-2016-1660: Out-of-bounds write in Blink. 11532 Credit to Atte Kettunen of OUSPG.</li> 11533 <li>[601629] High CVE-2016-1661: Memory corruption in cross-process 11534 frames. Credit to Wadih Matar.</li> 11535 <li>[603732] High CVE-2016-1662: Use-after-free in extensions. 11536 Credit to Rob Wu.</li> 11537 <li>[603987] High CVE-2016-1663: Use-after-free in Blink's V8 11538 bindings. Credit to anonymous.</li> 11539 <li>[597322] Medium CVE-2016-1664: Address bar spoofing. Credit to 11540 Wadih Matar.</li> 11541 <li>[606181] Medium CVE-2016-1665: Information leak in V8. 
Credit 11542 to HyungSeok Han.</li> 11543 <li>[607652] CVE-2016-1666: Various fixes from internal audits, 11544 fuzzing and other initiatives.</li> 11545 </ul> 11546 </blockquote> 11547 </body> 11548 </description> 11549 <references> 11550 <cvename>CVE-2016-1660</cvename> 11551 <cvename>CVE-2016-1661</cvename> 11552 <cvename>CVE-2016-1662</cvename> 11553 <cvename>CVE-2016-1663</cvename> 11554 <cvename>CVE-2016-1664</cvename> 11555 <cvename>CVE-2016-1665</cvename> 11556 <cvename>CVE-2016-1666</cvename> 11557 <url>http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html</url> 11558 </references> 11559 <dates> 11560 <discovery>2016-04-28</discovery> 11561 <entry>2016-05-28</entry> 11562 </dates> 11563 </vuln> 11564 11565 <vuln vid="6b110175-246d-11e6-8dd3-002590263bf5"> 11566 <topic>php -- multiple vulnerabilities</topic> 11567 <affects> 11568 <package> 11569 <name>php70-gd</name> 11570 <name>php70-intl</name> 11571 <range><lt>7.0.7</lt></range> 11572 </package> 11573 <package> 11574 <name>php56</name> 11575 <name>php56-gd</name> 11576 <range><lt>5.6.22</lt></range> 11577 </package> 11578 <package> 11579 <name>php55</name> 11580 <name>php55-gd</name> 11581 <name>php55-phar</name> 11582 <range><lt>5.5.36</lt></range> 11583 </package> 11584 </affects> 11585 <description> 11586 <body xmlns="http://www.w3.org/1999/xhtml"> 11587 <p>The PHP Group reports:</p> 11588 <blockquote cite="http://php.net/ChangeLog-5.php#5.5.36"> 11589 <ul><li>Core: 11590 <ul> 11591 <li>Fixed bug #72114 (Integer underflow / arbitrary null write in 11592 fread/gzread). (CVE-2016-5096) (PHP 5.5/5.6 only)</li> 11593 <li>Fixed bug #72135 (Integer Overflow in php_html_entities). 11594 (CVE-2016-5094) (PHP 5.5/5.6 only)</li> 11595 </ul></li> 11596 <li>GD: 11597 <ul> 11598 <li>Fixed bug #72227 (imagescale out-of-bounds read). 11599 (CVE-2013-7456)</li> 11600 </ul></li> 11601 <li>Intl: 11602 <ul> 11603 <li>Fixed bug #72241 (get_icu_value_internal out-of-bounds read). 
11604 (CVE-2016-5093)</li> 11605 </ul></li> 11606 <li>Phar: 11607 <ul> 11608 <li>Fixed bug #71331 (Uninitialized pointer in 11609 phar_make_dirstream()). (CVE-2016-4343) (PHP 5.5 only)</li> 11610 </ul></li> 11611 </ul> 11612 </blockquote> 11613 </body> 11614 </description> 11615 <references> 11616 <cvename>CVE-2016-5096</cvename> 11617 <cvename>CVE-2016-5094</cvename> 11618 <cvename>CVE-2013-7456</cvename> 11619 <cvename>CVE-2016-5093</cvename> 11620 <cvename>CVE-2016-4343</cvename> 11621 <freebsdpr>ports/209779</freebsdpr> 11622 <url>http://php.net/ChangeLog-7.php#7.0.7</url> 11623 <url>http://php.net/ChangeLog-5.php#5.6.22</url> 11624 <url>http://php.net/ChangeLog-5.php#5.5.36</url> 11625 </references> 11626 <dates> 11627 <discovery>2016-05-26</discovery> 11628 <entry>2016-05-28</entry> 11629 </dates> 11630 </vuln> 11631 11632 <vuln vid="00ec1be1-22bb-11e6-9ead-6805ca0b3d42"> 11633 <topic>phpmyadmin -- XSS and sensitive data leakage</topic> 11634 <affects> 11635 <package> 11636 <name>phpmyadmin</name> 11637 <range><ge>4.6.0</ge><lt>4.6.2</lt></range> 11638 </package> 11639 </affects> 11640 <description> 11641 <body xmlns="http://www.w3.org/1999/xhtml"> 11642 <p>The phpmyadmin development team reports:</p> 11643 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-14/"> 11644 <h2>Description</h2> 11645 <p>Because user SQL queries are part of the URL, sensitive 11646 information made as part of a user query can be exposed by 11647 clicking on external links to attackers monitoring user GET 11648 query parameters or included in the webserver logs.</p> 11649 <h2>Severity</h2> 11650 <p>We consider this to be non-critical.</p> 11651 </blockquote> 11652 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-16/"> 11653 <h2>Description</h2> 11654 <p>A specially crafted attack could allow for special HTML 11655 characters to be passed as URL encoded values and displayed 11656 back as special characters in the page.</p> 11657 <h2>Severity</h2> 11658 
<p>We consider this to be non-critical.</p> 11659 </blockquote> 11660 </body> 11661 </description> 11662 <references> 11663 <url>https://www.phpmyadmin.net/security/PMASA-2016-14/</url> 11664 <url>https://www.phpmyadmin.net/security/PMASA-2016-16/</url> 11665 <cvename>CVE-2016-5097</cvename> 11666 <cvename>CVE-2016-5099</cvename> 11667 </references> 11668 <dates> 11669 <discovery>2016-05-25</discovery> 11670 <entry>2016-05-25</entry> 11671 <modified>2016-05-26</modified> 11672 </dates> 11673 </vuln> 11674 11675 <vuln vid="b50f53ce-2151-11e6-8dd3-002590263bf5"> 11676 <topic>mediawiki -- multiple vulnerabilities</topic> 11677 <affects> 11678 <package> 11679 <name>mediawiki123</name> 11680 <range><lt>1.23.14</lt></range> 11681 </package> 11682 <package> 11683 <name>mediawiki124</name> 11684 <range><le>1.24.6</le></range> 11685 </package> 11686 <package> 11687 <name>mediawiki125</name> 11688 <range><lt>1.25.6</lt></range> 11689 </package> 11690 <package> 11691 <name>mediawiki126</name> 11692 <range><lt>1.26.3</lt></range> 11693 </package> 11694 </affects> 11695 <description> 11696 <body xmlns="http://www.w3.org/1999/xhtml"> 11697 <p>Mediawiki reports:</p> 11698 <blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html"> 11699 <p>Security fixes:</p> 11700 <p>T122056: Old tokens are remaining valid within a new session</p> 11701 <p>T127114: Login throttle can be tricked using non-canonicalized 11702 usernames</p> 11703 <p>T123653: Cross-domain policy regexp is too narrow</p> 11704 <p>T123071: Incorrectly identifying http link in a's href 11705 attributes, due to m modifier in regex</p> 11706 <p>T129506: MediaWiki:Gadget-popups.js isn't renderable</p> 11707 <p>T125283: Users occasionally logged in as different users after 11708 SessionManager deployment</p> 11709 <p>T103239: Patrol allows click catching and patrolling of any 11710 page</p> 11711 <p>T122807: [tracking] Check php crypto primatives</p> 11712 <p>T98313: Graphs can leak 
tokens, leading to CSRF</p> 11713 <p>T130947: Diff generation should use PoolCounter</p> 11714 <p>T133507: Careless use of $wgExternalLinkTarget is insecure</p> 11715 <p>T132874: API action=move is not rate limited</p> 11716 </blockquote> 11717 </body> 11718 </description> 11719 <references> 11720 <url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html</url> 11721 </references> 11722 <dates> 11723 <discovery>2016-05-20</discovery> 11724 <entry>2016-05-24</entry> 11725 </dates> 11726 </vuln> 11727 11728 <vuln vid="967b852b-1e28-11e6-8dd3-002590263bf5"> 11729 <topic>hostapd and wpa_supplicant -- psk configuration parameter update allowing arbitrary data to be written</topic> 11730 <affects> 11731 <package> 11732 <name>wpa_supplicant</name> 11733 <range><lt>2.5_2</lt></range> 11734 </package> 11735 <package> 11736 <name>hostapd</name> 11737 <range><lt>2.6</lt></range> 11738 </package> 11739 </affects> 11740 <description> 11741 <body xmlns="http://www.w3.org/1999/xhtml"> 11742 <p>Jouni Malinen reports:</p> 11743 <blockquote cite="http://w1.fi/security/2016-1/psk-parameter-config-update.txt"> 11744 <p>psk configuration parameter update allowing arbitrary data to be 11745 written (2016-1 - CVE-2016-4476/CVE-2016-4477).</p> 11746 </blockquote> 11747 </body> 11748 </description> 11749 <references> 11750 <cvename>CVE-2016-4476</cvename> 11751 <cvename>CVE-2016-4477</cvename> 11752 <freebsdpr>ports/209564</freebsdpr> 11753 <url>http://w1.fi/security/2016-1/psk-parameter-config-update.txt</url> 11754 </references> 11755 <dates> 11756 <discovery>2016-05-02</discovery> 11757 <entry>2016-05-20</entry> 11758 <modified>2017-03-22</modified> 11759 </dates> 11760 </vuln> 11761 11762 <vuln vid="57b3aba7-1e25-11e6-8dd3-002590263bf5"> 11763 <topic>expat -- denial of service vulnerability on malformed input</topic> 11764 <affects> 11765 <package> 11766 <name>expat</name> 11767 <range><lt>2.1.1</lt></range> 11768 </package> 11769 <package> 11770 
<name>linux-c6-expat</name> 11771 <range><lt>2.0.1_3</lt></range> 11772 </package> 11773 <package> 11774 <name>linux-c7-expat</name> 11775 <range><lt>2.1.0_1</lt></range> 11776 </package> 11777 </affects> 11778 <description> 11779 <body xmlns="http://www.w3.org/1999/xhtml"> 11780 <p>Gustavo Grieco reports:</p> 11781 <blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/17/12"> 11782 <p>The Expat XML parser mishandles certain kinds of malformed input 11783 documents, resulting in buffer overflows during processing and error 11784 reporting. The overflows can manifest as a segmentation fault or as 11785 memory corruption during a parse operation. The bugs allow for a 11786 denial of service attack in many applications by an unauthenticated 11787 attacker, and could conceivably result in remote code execution.</p> 11788 </blockquote> 11789 </body> 11790 </description> 11791 <references> 11792 <cvename>CVE-2016-0718</cvename> 11793 <freebsdpr>ports/209360</freebsdpr> 11794 <url>http://www.openwall.com/lists/oss-security/2016/05/17/12</url> 11795 </references> 11796 <dates> 11797 <discovery>2016-05-17</discovery> 11798 <entry>2016-05-20</entry> 11799 <modified>2016-11-30</modified> 11800 </dates> 11801 </vuln> 11802 11803 <vuln vid="036d6c38-1c5b-11e6-b9e0-20cf30e32f6d"> 11804 <topic>Bugzilla security issues</topic> 11805 <affects> 11806 <package> 11807 <name>bugzilla44</name> 11808 <range><lt>4.4.12</lt></range> 11809 </package> 11810 <package> 11811 <name>bugzilla50</name> 11812 <range><lt>5.0.3</lt></range> 11813 </package> 11814 </affects> 11815 <description> 11816 <body xmlns="http://www.w3.org/1999/xhtml"> 11817 <p>Bugzilla Security Advisory</p> 11818 <blockquote cite="https://www.bugzilla.org/security/4.4.11/"> 11819 <p>A specially crafted bug summary could trigger XSS in dependency graphs. 
11820 Due to an incorrect parsing of the image map generated by the dot script, 11821 a specially crafted bug summary could trigger XSS in dependency graphs.</p> 11822 </blockquote> 11823 </body> 11824 </description> 11825 <references> 11826 <cvename>CVE-2016-2803</cvename> 11827 <url>https://bugzilla.mozilla.org/show_bug.cgi?id=1253263</url> 11828 </references> 11829 <dates> 11830 <discovery>2016-03-03</discovery> 11831 <entry>2016-05-17</entry> 11832 </dates> 11833 </vuln> 11834 11835 <vuln vid="0dc8be9e-19af-11e6-8de0-080027ef73ec"> 11836 <topic>OpenVPN -- Buffer overflow in PAM authentication and DoS through port sharing</topic> 11837 <affects> 11838 <package> 11839 <name>openvpn</name> 11840 <range><lt>2.3.11</lt></range> 11841 </package> 11842 <package> 11843 <name>openvpn-polarssl</name> 11844 <range><lt>2.3.11</lt></range> 11845 </package> 11846 </affects> 11847 <description> 11848 <body xmlns="http://www.w3.org/1999/xhtml"> 11849 <p>Samuli Seppänen reports:</p> 11850 <blockquote cite="https://sourceforge.net/p/openvpn/mailman/message/35076507/"> 11851 <p>OpenVPN 2.3.11 [...] 
fixes two vulnerabilities: a port-share bug 11852 with DoS potential and a buffer overflow by user supplied data when 11853 using pam authentication.[...]</p> 11854 </blockquote> 11855 </body> 11856 </description> 11857 <references> 11858 <url>https://sourceforge.net/p/openvpn/mailman/message/35076507/</url> 11859 <url>https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11</url> 11860 </references> 11861 <dates> 11862 <discovery>2016-03-03</discovery> 11863 <entry>2016-05-14</entry> 11864 </dates> 11865 </vuln> 11866 11867 <vuln vid="82b702e0-1907-11e6-857b-00221503d280"> 11868 <topic>imagemagick -- buffer overflow</topic> 11869 <affects> 11870 <package> 11871 <name>ImageMagick</name> 11872 <name>ImageMagick-nox11</name> 11873 <range><lt>6.9.4.1,1</lt></range> 11874 </package> 11875 <package> 11876 <name>ImageMagick7</name> 11877 <name>ImageMagick7-nox11</name> 11878 <range><ge>7.0.0.0.b20150715</ge><lt>7.0.1.3</lt></range> 11879 </package> 11880 </affects> 11881 <description> 11882 <body xmlns="http://www.w3.org/1999/xhtml"> 11883 <p>ImageMagick reports:</p> 11884 <blockquote cite="http://legacy.imagemagick.org/script/changelog.php"> 11885 <p>Fix a buffer overflow in magick/drag.c/DrawStrokePolygon().</p> 11886 </blockquote> 11887 </body> 11888 </description> 11889 <references> 11890 <url>http://legacy.imagemagick.org/script/changelog.php</url> 11891 </references> 11892 <dates> 11893 <discovery>2016-05-09</discovery> 11894 <entry>2016-05-13</entry> 11895 </dates> 11896 </vuln> 11897 11898 <vuln vid="e387834a-17ef-11e6-9947-7054d2909b71"> 11899 <topic>jenkins -- multiple vulnerabilities</topic> 11900 <affects> 11901 <package> 11902 <name>jenkins</name> 11903 <range><le>2.2</le></range> 11904 </package> 11905 <package> 11906 <name>jenkins2</name> 11907 <range><le>2.2</le></range> 11908 </package> 11909 <package> 11910 <name>jenkins-lts</name> 11911 <range><le>1.651.1</le></range> 11912 </package> 11913 </affects> 11914 <description> 11915 <body 
xmlns="http://www.w3.org/1999/xhtml"> 11916 <p>Jenkins Security Advisory:</p> 11917 <blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11"> 11918 <h1>Description</h1> 11919 <h5>SECURITY-170 / CVE-2016-3721</h5> 11920 <p>Arbitrary build parameters are passed to build scripts as environment variables</p> 11921 <h5>SECURITY-243 / CVE-2016-3722</h5> 11922 <p>Malicious users with multiple user accounts can prevent other users from logging in</p> 11923 <h5>SECURITY-250 / CVE-2016-3723</h5> 11924 <p>Information on installed plugins exposed via API</p> 11925 <h5>SECURITY-266 / CVE-2016-3724</h5> 11926 <p>Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration</p> 11927 <h5>SECURITY-273 / CVE-2016-3725</h5> 11928 <p>Regular users can trigger download of update site metadata</p> 11929 <h5>SECURITY-276 / CVE-2016-3726</h5> 11930 <p>Open redirect to scheme-relative URLs</p> 11931 <h5>SECURITY-281 / CVE-2016-3727</h5> 11932 <p>Granting the permission to read node configurations allows access to overall system configuration</p> 11933 </blockquote> 11934 </body> 11935 </description> 11936 <references> 11937 <cvename>CVE-2016-3721</cvename> 11938 <cvename>CVE-2016-3722</cvename> 11939 <cvename>CVE-2016-3723</cvename> 11940 <cvename>CVE-2016-3724</cvename> 11941 <cvename>CVE-2016-3725</cvename> 11942 <cvename>CVE-2016-3726</cvename> 11943 <cvename>CVE-2016-3727</cvename> 11944 <url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11</url> 11945 </references> 11946 <dates> 11947 <discovery>2016-05-11</discovery> 11948 <entry>2016-05-12</entry> 11949 </dates> 11950 </vuln> 11951 11952 <vuln vid="d9f99491-1656-11e6-94fa-002590263bf5"> 11953 <topic>perl5 -- taint mechanism bypass vulnerability</topic> 11954 <affects> 11955 <package> 11956 <name>perl5</name> 11957 <range><lt>5.18.4_21</lt></range> 11958 <range><ge>5.20.0</ge><lt>5.20.3_12</lt></range> 11959 
<range><ge>5.22.0</ge><lt>5.22.1_8</lt></range> 11960 </package> 11961 <package> 11962 <name>perl5.18</name> 11963 <range><ge>5.18.0</ge><lt>5.18.4_21</lt></range> 11964 </package> 11965 <package> 11966 <name>perl5.20</name> 11967 <range><ge>5.20.0</ge><lt>5.20.3_12</lt></range> 11968 </package> 11969 <package> 11970 <name>perl5.22</name> 11971 <range><ge>5.22.0</ge><lt>5.22.1_8</lt></range> 11972 </package> 11973 <package> 11974 <name>perl</name> 11975 <range><ge>0</ge></range> 11976 </package> 11977 </affects> 11978 <description> 11979 <body xmlns="http://www.w3.org/1999/xhtml"> 11980 <p>MITRE reports:</p> 11981 <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2381"> 11982 <p>Perl might allow context-dependent attackers to bypass the taint 11983 protection mechanism in a child process via duplicate environment 11984 variables in envp.</p> 11985 </blockquote> 11986 </body> 11987 </description> 11988 <references> 11989 <cvename>CVE-2016-2381</cvename> 11990 <freebsdpr>ports/208879</freebsdpr> 11991 </references> 11992 <dates> 11993 <discovery>2016-04-08</discovery> 11994 <entry>2016-05-10</entry> 11995 <modified>2016-08-22</modified> 11996 </dates> 11997 </vuln> 11998 11999 <vuln vid="3686917b-164d-11e6-94fa-002590263bf5"> 12000 <topic>wordpress -- multiple vulnerabilities</topic> 12001 <affects> 12002 <package> 12003 <name>wordpress</name> 12004 <range><lt>4.5.2,1</lt></range> 12005 </package> 12006 <package> 12007 <name>de-wordpress</name> 12008 <name>ja-wordpress</name> 12009 <name>ru-wordpress</name> 12010 <name>zh-wordpress-zh_CN</name> 12011 <name>zh-wordpress-zh_TW</name> 12012 <range><lt>4.5.2</lt></range> 12013 </package> 12014 </affects> 12015 <description> 12016 <body xmlns="http://www.w3.org/1999/xhtml"> 12017 <p>Helen Hou-Sandi reports:</p> 12018 <blockquote cite="https://wordpress.org/news/2016/05/wordpress-4-5-2/"> 12019 <p>WordPress 4.5.2 is now available. 
This is a security release for 12020 all previous versions and we strongly encourage you to update your 12021 sites immediately.</p> 12022 <p>WordPress versions 4.5.1 and earlier are affected by a SOME 12023 vulnerability through Plupload, the third-party library WordPress 12024 uses for uploading files. WordPress versions 4.2 through 4.5.1 are 12025 vulnerable to reflected XSS using specially crafted URIs through 12026 MediaElement.js, the third-party library used for media players. 12027 MediaElement.js and Plupload have also released updates fixing 12028 these issues.</p> 12029 </blockquote> 12030 </body> 12031 </description> 12032 <references> 12033 <cvename>CVE-2016-4566</cvename> 12034 <cvename>CVE-2016-4567</cvename> 12035 <url>https://wordpress.org/news/2016/05/wordpress-4-5-2/</url> 12036 <url>http://www.openwall.com/lists/oss-security/2016/05/07/7</url> 12037 </references> 12038 <dates> 12039 <discovery>2016-05-06</discovery> 12040 <entry>2016-05-10</entry> 12041 </dates> 12042 </vuln> 12043 12044 <vuln vid="2b4c8e1f-1609-11e6-b55e-b499baebfeaf"> 12045 <topic>libarchive -- RCE vulnerability</topic> 12046 <affects> 12047 <package> 12048 <name>libarchive</name> 12049 <range><lt>3.2.0,1</lt></range> 12050 </package> 12051 </affects> 12052 <description> 12053 <body xmlns="http://www.w3.org/1999/xhtml"> 12054 <p>The libarchive project reports:</p> 12055 <blockquote cite="https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7"> 12056 <p>Heap-based buffer overflow in the zip_read_mac_metadata function 12057 in archive_read_support_format_zip.c in libarchive before 3.2.0 12058 allows remote attackers to execute arbitrary code via crafted 12059 entry-size values in a ZIP archive.</p> 12060 </blockquote> 12061 </body> 12062 </description> 12063 <references> 12064 <cvename>CVE-2016-1541</cvename> 12065 <url>https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7</url> 12066 </references> 12067 
<dates> 12068 <discovery>2016-05-01</discovery> 12069 <entry>2016-05-09</entry> 12070 <modified>2016-05-10</modified> 12071 </dates> 12072 </vuln> 12073 12074 <vuln vid="25e5205b-1447-11e6-9ead-6805ca0b3d42"> 12075 <topic>squid -- multiple vulnerabilities</topic> 12076 <affects> 12077 <package> 12078 <name>squid</name> 12079 <range><ge>3.0.0</ge><lt>3.5.18</lt></range> 12080 </package> 12081 <package> 12082 <name>squid-devel</name> 12083 <range><ge>4.0.0</ge><lt>4.0.10</lt></range> 12084 </package> 12085 </affects> 12086 <description> 12087 <body xmlns="http://www.w3.org/1999/xhtml"> 12088 <p>The squid development team reports:</p> 12089 <p>Please reference CVE/URL list for details</p> 12090 </body> 12091 </description> 12092 <references> 12093 <cvename>CVE-2016-4553</cvename> 12094 <cvename>CVE-2016-4554</cvename> 12095 <cvename>CVE-2016-4555</cvename> 12096 <cvename>CVE-2016-4556</cvename> 12097 <url>http://www.squid-cache.org/Advisories/SQUID-2016_7.txt</url> 12098 <url>http://www.squid-cache.org/Advisories/SQUID-2016_8.txt</url> 12099 <url>http://www.squid-cache.org/Advisories/SQUID-2016_9.txt</url> 12100 </references> 12101 <dates> 12102 <discovery>2016-05-06</discovery> 12103 <entry>2016-05-07</entry> 12104 <modified>2016-05-09</modified> 12105 </dates> 12106 </vuln> 12107 12108 <vuln vid="0d724b05-687f-4527-9c03-af34d3b094ec"> 12109 <topic>ImageMagick -- multiple vulnerabilities</topic> 12110 <affects> 12111 <package> 12112 <name>ImageMagick</name> 12113 <name>ImageMagick-nox11</name> 12114 <range><lt>6.9.3.9_1,1</lt></range> 12115 </package> 12116 <package> 12117 <name>ImageMagick7</name> 12118 <name>ImageMagick7-nox11</name> 12119 <range><ge>7.0.0.0.b20150715</ge><lt>7.0.1.0_1</lt></range> 12120 </package> 12121 </affects> 12122 <description> 12123 <body xmlns="http://www.w3.org/1999/xhtml"> 12124 <p>Openwall reports:</p> 12125 <blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/03/18"> 12126 <p>Insufficient filtering for filename passed 
to delegate's command 12127 allows remote code execution during conversion of several file 12128 formats. Any service which uses ImageMagick to process user 12129 supplied images and uses default delegates.xml / policy.xml, 12130 may be vulnerable to this issue.</p> 12131 <p>It is possible to make ImageMagick perform a HTTP GET or FTP 12132 request</p> 12133 <p>It is possible to delete files by using ImageMagick's 'ephemeral' 12134 pseudo protocol which deletes files after reading.</p> 12135 <p>It is possible to move image files to file with any extension 12136 in any folder by using ImageMagick's 'msl' pseudo protocol. 12137 msl.txt and image.gif should exist in known location - /tmp/ 12138 for PoC (in real life it may be web service written in PHP, 12139 which allows to upload raw txt files and process images with 12140 ImageMagick).</p> 12141 <p>It is possible to get content of the files from the server 12142 by using ImageMagick's 'label' pseudo protocol.</p> 12143 </blockquote> 12144 </body> 12145 </description> 12146 <references> 12147 <cvename>CVE-2016-3714</cvename> 12148 <cvename>CVE-2016-3715</cvename> 12149 <cvename>CVE-2016-3716</cvename> 12150 <cvename>CVE-2016-3717</cvename> 12151 <cvename>CVE-2016-3718</cvename> 12152 <url>http://www.openwall.com/lists/oss-security/2016/05/03/18</url> 12153 <url>https://imagetragick.com/</url> 12154 </references> 12155 <dates> 12156 <discovery>2016-05-03</discovery> 12157 <entry>2016-05-06</entry> 12158 <modified>2016-05-07</modified> 12159 </dates> 12160 </vuln> 12161 12162 <vuln vid="a6cd01fa-11bd-11e6-bb3c-9cb654ea3e1c"> 12163 <topic>jansson -- local denial of service vulnerabilities</topic> 12164 <affects> 12165 <package> 12166 <name>jansson</name> 12167 <range><lt>2.7_2</lt></range> 12168 </package> 12169 </affects> 12170 <description> 12171 <body xmlns="http://www.w3.org/1999/xhtml"> 12172 <p>QuickFuzz reports:</p> 12173 <blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/01/5"> 12174 <p>A 
crash caused by stack exhaustion parsing a JSON was found.</p> 12175 </blockquote> 12176 </body> 12177 </description> 12178 <references> 12179 <url>http://www.openwall.com/lists/oss-security/2016/05/01/5</url> 12180 <url>http://www.openwall.com/lists/oss-security/2016/05/02/1</url> 12181 <cvename>CVE-2016-4425</cvename> 12182 </references> 12183 <dates> 12184 <discovery>2016-05-01</discovery> 12185 <entry>2016-05-04</entry> 12186 </dates> 12187 </vuln> 12188 12189 <vuln vid="01d729ca-1143-11e6-b55e-b499baebfeaf"> 12190 <topic>OpenSSL -- multiple vulnerabilities</topic> 12191 <affects> 12192 <package> 12193 <name>openssl</name> 12194 <range><lt>1.0.2_11</lt></range> 12195 </package> 12196 <package> 12197 <name>linux-c6-openssl</name> 12198 <range><lt>1.0.1e_8</lt></range> 12199 </package> 12200 <package> 12201 <name>libressl</name> 12202 <range><ge>2.3.0</ge><lt>2.3.4</lt></range> 12203 <range><lt>2.2.7</lt></range> 12204 </package> 12205 <package> 12206 <name>libressl-devel</name> 12207 <range><lt>2.3.4</lt></range> 12208 </package> 12209 <package> 12210 <name>FreeBSD</name> 12211 <range><ge>10.3</ge><lt>10.3_2</lt></range> 12212 <range><ge>10.2</ge><lt>10.2_16</lt></range> 12213 <range><ge>10.1</ge><lt>10.1_33</lt></range> 12214 <range><ge>9.3</ge><lt>9.3_41</lt></range> 12215 </package> 12216 </affects> 12217 <description> 12218 <body xmlns="http://www.w3.org/1999/xhtml"> 12219 <p>OpenSSL reports:</p> 12220 <blockquote cite="https://www.openssl.org/news/secadv/20160503.txt"> 12221 <p>Memory corruption in the ASN.1 encoder</p> 12222 <p>Padding oracle in AES-NI CBC MAC check</p> 12223 <p>EVP_EncodeUpdate overflow</p> 12224 <p>EVP_EncryptUpdate overflow</p> 12225 <p>ASN.1 BIO excessive memory allocation</p> 12226 <p>EBCDIC overread (OpenSSL only)</p> 12227 </blockquote> 12228 </body> 12229 </description> 12230 <references> 12231 <url>https://www.openssl.org/news/secadv/20160503.txt</url> 12232 <url>https://marc.info/?l=openbsd-tech&m=146228598730414</url> 12233 
<cvename>CVE-2016-2105</cvename> 12234 <cvename>CVE-2016-2106</cvename> 12235 <cvename>CVE-2016-2107</cvename> 12236 <cvename>CVE-2016-2108</cvename> 12237 <cvename>CVE-2016-2109</cvename> 12238 <cvename>CVE-2016-2176</cvename> 12239 <freebsdsa>SA-16:17.openssl</freebsdsa> 12240 </references> 12241 <dates> 12242 <discovery>2016-05-03</discovery> 12243 <entry>2016-05-03</entry> 12244 <modified>2016-08-09</modified> 12245 </dates> 12246 </vuln> 12247 12248 <vuln vid="95564990-1138-11e6-b55e-b499baebfeaf"> 12249 <cancelled superseded="01d729ca-1143-11e6-b55e-b499baebfeaf"/> 12250 </vuln> 12251 12252 <vuln vid="be72e773-1131-11e6-94fa-002590263bf5"> 12253 <topic>gitlab -- privilege escalation via "impersonate" feature</topic> 12254 <affects> 12255 <package> 12256 <name>gitlab</name> 12257 <range><ge>8.2.0</ge><lt>8.2.5</lt></range> 12258 <range><ge>8.3.0</ge><lt>8.3.9</lt></range> 12259 <range><ge>8.4.0</ge><lt>8.4.10</lt></range> 12260 <range><ge>8.5.0</ge><lt>8.5.12</lt></range> 12261 <range><ge>8.6.0</ge><lt>8.6.8</lt></range> 12262 <range><ge>8.7.0</ge><lt>8.7.1</lt></range> 12263 </package> 12264 </affects> 12265 <description> 12266 <body xmlns="http://www.w3.org/1999/xhtml"> 12267 <p>GitLab reports:</p> 12268 <blockquote cite="https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/"> 12269 <p>During an internal code review, we discovered a critical security 12270 flaw in the "impersonate" feature of GitLab. Added in GitLab 8.2, 12271 this feature was intended to allow an administrator to simulate 12272 being logged in as any other user.</p> 12273 <p>A part of this feature was not properly secured and it was possible 12274 for any authenticated user, administrator or not, to "log in" as any 12275 other user, including administrators. 
          Please see the issue for more details.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-4340</cvename>
      <freebsdpr>ports/209225</freebsdpr>
      <url>https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/</url>
      <url>https://gitlab.com/gitlab-org/gitlab-ce/issues/15548</url>
    </references>
    <dates>
      <discovery>2016-05-02</discovery>
      <entry>2016-05-03</entry>
    </dates>
  </vuln>

  <vuln vid="5764c634-10d2-11e6-94fa-002590263bf5">
    <topic>php -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>php70</name>
        <name>php70-bcmath</name>
        <name>php70-exif</name>
        <name>php70-gd</name>
        <name>php70-xml</name>
        <range><lt>7.0.6</lt></range>
      </package>
      <package>
        <name>php56</name>
        <name>php56-bcmath</name>
        <name>php56-exif</name>
        <name>php56-gd</name>
        <name>php56-xml</name>
        <range><lt>5.6.21</lt></range>
      </package>
      <package>
        <name>php55</name>
        <name>php55-bcmath</name>
        <name>php55-exif</name>
        <name>php55-gd</name>
        <name>php55-xml</name>
        <range><lt>5.5.35</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The PHP Group reports:</p>
        <blockquote cite="http://www.php.net/ChangeLog-5.php#5.5.35">
          <ul><li>BCMath:
            <ul>
              <li>Fixed bug #72093 (bcpowmod accepts negative scale and corrupts
              _one_ definition).</li>
            </ul></li>
            <li>Exif:
            <ul>
              <li>Fixed bug #72094 (Out of bounds heap read access in exif header
              processing).</li>
            </ul></li>
            <li>GD:
            <ul>
              <li>Fixed bug #71912 (libgd: signedness vulnerability).
              (CVE-2016-3074)</li>
            </ul></li>
            <li>Intl:
            <ul>
              <li>Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos
              with negative offset).</li>
            </ul></li>
            <li>XML:
            <ul>
              <li>Fixed bug #72099 (xml_parse_into_struct segmentation fault).</li>
            </ul></li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-3074</cvename>
      <freebsdpr>ports/209145</freebsdpr>
      <url>http://www.php.net/ChangeLog-7.php#7.0.6</url>
      <url>http://www.php.net/ChangeLog-5.php#5.6.21</url>
      <url>http://www.php.net/ChangeLog-5.php#5.5.35</url>
    </references>
    <dates>
      <discovery>2016-04-28</discovery>
      <entry>2016-05-03</entry>
    </dates>
  </vuln>

  <vuln vid="a1134048-10c6-11e6-94fa-002590263bf5">
    <topic>libksba -- local denial of service vulnerabilities</topic>
    <affects>
      <package>
        <name>libksba</name>
        <range><lt>1.3.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Martin Prpic, Red Hat Product Security Team, reports:</p>
        <blockquote cite="http://www.openwall.com/lists/oss-security/2016/04/29/5">
          <p>Denial of Service due to stack overflow in src/ber-decoder.c.</p>
          <p>Integer overflow in the BER decoder src/ber-decoder.c.</p>
          <p>Integer overflow in the DN decoder src/dn.c.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-4353</cvename>
      <cvename>CVE-2016-4354</cvename>
      <cvename>CVE-2016-4355</cvename>
      <cvename>CVE-2016-4356</cvename>
      <url>http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=07116a314f4dcd4d96990bbd74db95a03a9f650a</url>
      <url>http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887</url>
      <url>http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=243d12fdec66a4360fbb3e307a046b39b5b4ffc3</url>
      <url>https://security.gentoo.org/glsa/201604-04</url>
      <mlist>http://www.openwall.com/lists/oss-security/2016/04/29/5</mlist>
    </references>
    <dates>
      <discovery>2015-04-08</discovery>
      <entry>2016-05-03</entry>
    </dates>
  </vuln>

  <vuln vid="7e36c369-10c0-11e6-94fa-002590263bf5">
    <topic>wireshark -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>wireshark</name>
        <name>wireshark-lite</name>
        <name>wireshark-qt5</name>
        <name>tshark</name>
        <name>tshark-lite</name>
        <range><lt>2.0.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The Wireshark development team reports:</p>
        <blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.3.html">
          <p>The following vulnerabilities have been fixed:</p>
          <ul>
            <li><p>wnpa-sec-2016-19</p>
            <p>The NCP dissector could crash. (Bug 11591)</p></li>
            <li><p>wnpa-sec-2016-20</p>
            <p>TShark could crash due to a packet reassembly bug. (Bug 11799)</p></li>
            <li><p>wnpa-sec-2016-21</p>
            <p>The IEEE 802.11 dissector could crash. (Bug 11824, Bug 12187)</p></li>
            <li><p>wnpa-sec-2016-22</p>
            <p>The PKTC dissector could crash. (Bug 12206)</p></li>
            <li><p>wnpa-sec-2016-23</p>
            <p>The PKTC dissector could crash. (Bug 12242)</p></li>
            <li><p>wnpa-sec-2016-24</p>
            <p>The IAX2 dissector could go into an infinite loop. (Bug 12260)</p></li>
            <li><p>wnpa-sec-2016-25</p>
            <p>Wireshark and TShark could exhaust the stack. (Bug 12268)</p></li>
            <li><p>wnpa-sec-2016-26</p>
            <p>The GSM CBCH dissector could crash. (Bug 12278)</p></li>
            <li><p>wnpa-sec-2016-27</p>
            <p>MS-WSP dissector crash.
            (Bug 12341)</p></li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-4076</cvename>
      <cvename>CVE-2016-4077</cvename>
      <cvename>CVE-2016-4078</cvename>
      <cvename>CVE-2016-4079</cvename>
      <cvename>CVE-2016-4080</cvename>
      <cvename>CVE-2016-4081</cvename>
      <cvename>CVE-2016-4006</cvename>
      <cvename>CVE-2016-4082</cvename>
      <cvename>CVE-2016-4083</cvename>
      <cvename>CVE-2016-4084</cvename>
      <url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.3.html</url>
      <url>http://www.openwall.com/lists/oss-security/2016/04/25/2</url>
    </references>
    <dates>
      <discovery>2016-04-22</discovery>
      <entry>2016-05-02</entry>
      <modified>2016-07-04</modified>
    </dates>
  </vuln>

  <vuln vid="78abc022-0fee-11e6-9a1c-0014a5a57822">
    <topic>mercurial -- arbitrary code execution vulnerability</topic>
    <affects>
      <package>
        <name>mercurial</name>
        <range><lt>3.8.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Mercurial reports:</p>
        <blockquote cite="https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.29">
          <p>CVE-2016-3105: Arbitrary code execution when converting
          Git repos</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-3105</cvename>
      <url>https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.29</url>
    </references>
    <dates>
      <discovery>2016-05-01</discovery>
      <entry>2016-05-01</entry>
    </dates>
  </vuln>

  <vuln vid="8c2b2f11-0ebe-11e6-b55e-b499baebfeaf">
    <topic>MySQL -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>mariadb55-server</name>
        <range><lt>5.5.49</lt></range>
      </package>
      <package>
        <name>mariadb100-server</name>
        <range><lt>10.0.25</lt></range>
      </package>
      <package>
        <name>mariadb101-server</name>
        <range><lt>10.1.12</lt></range>
      </package>
      <package>
        <name>mysql55-server</name>
        <range><lt>5.5.49</lt></range>
      </package>
      <package>
        <name>mysql56-server</name>
        <range><lt>5.6.30</lt></range>
      </package>
      <package>
        <name>mysql57-server</name>
        <range><lt>5.7.12</lt></range>
      </package>
      <package>
        <name>percona55-server</name>
        <range><lt>5.5.49</lt></range>
      </package>
      <package>
        <name>percona-server</name>
        <range><lt>5.6.30</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Oracle reports:</p>
        <blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html#AppendixMSQL">
          <p>Critical Patch Update contains 31 new security fixes for Oracle MySQL
          5.5.48, 5.6.29, 5.7.11 and earlier</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html#AppendixMSQL</url>
      <url>https://mariadb.com/kb/en/mariadb/mariadb-5549-release-notes/</url>
      <url>https://mariadb.com/kb/en/mariadb/mariadb-10025-release-notes/</url>
      <url>https://mariadb.com/kb/en/mariadb/mariadb-10112-release-notes/</url>
      <cvename>CVE-2016-0705</cvename>
      <cvename>CVE-2016-0639</cvename>
      <cvename>CVE-2015-3194</cvename>
      <cvename>CVE-2016-0640</cvename>
      <cvename>CVE-2016-0641</cvename>
      <cvename>CVE-2016-3461</cvename>
      <cvename>CVE-2016-2047</cvename>
      <cvename>CVE-2016-0642</cvename>
      <cvename>CVE-2016-0643</cvename>
      <cvename>CVE-2016-0644</cvename>
      <cvename>CVE-2016-0646</cvename>
      <cvename>CVE-2016-0647</cvename>
      <cvename>CVE-2016-0648</cvename>
      <cvename>CVE-2016-0649</cvename>
      <cvename>CVE-2016-0650</cvename>
      <cvename>CVE-2016-0652</cvename>
      <cvename>CVE-2016-0653</cvename>
      <cvename>CVE-2016-0654</cvename>
      <cvename>CVE-2016-0655</cvename>
      <cvename>CVE-2016-0656</cvename>
      <cvename>CVE-2016-0657</cvename>
      <cvename>CVE-2016-0658</cvename>
      <cvename>CVE-2016-0651</cvename>
      <cvename>CVE-2016-0659</cvename>
      <cvename>CVE-2016-0661</cvename>
      <cvename>CVE-2016-0662</cvename>
      <cvename>CVE-2016-0663</cvename>
      <cvename>CVE-2016-0665</cvename>
      <cvename>CVE-2016-0666</cvename>
      <cvename>CVE-2016-0667</cvename>
      <cvename>CVE-2016-0668</cvename>
    </references>
    <dates>
      <discovery>2016-04-19</discovery>
      <entry>2016-04-30</entry>
    </dates>
  </vuln>

  <vuln vid="f2d4f879-0d7c-11e6-925f-6805ca0b3d42">
    <topic>logstash -- password disclosure vulnerability</topic>
    <affects>
      <package>
        <name>logstash</name>
        <range><ge>2.1.0</ge><lt>2.3.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Logstash developers report:</p>
        <blockquote cite="https://www.elastic.co/blog/logstash-2.3.1-and-2.2.4-released#Passwords_Printed_in_Log_Files_under_Some_Conditions_18">
          <h2>Passwords Printed in Log Files under Some Conditions</h2>
          <p>It was discovered that, in Logstash 2.1.0+, log messages
          generated by a stalled pipeline during shutdown will print
          plaintext contents of password fields. While investigating
          this issue we also discovered that debug logging has
          included this data for quite some time. Our latest releases
          fix both leaks. You will want to scrub old log files if this
          is of particular concern to you.
          This was fixed in issue #4965</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://www.elastic.co/blog/logstash-2.3.1-and-2.2.4-released#Passwords_Printed_in_Log_Files_under_Some_Conditions_18</url>
      <url>https://github.com/elastic/logstash/pull/4965</url>
    </references>
    <dates>
      <discovery>2016-04-01</discovery>
      <entry>2016-04-28</entry>
    </dates>
  </vuln>

  <vuln vid="c8174b63-0d3a-11e6-b06e-d43d7eed0ce2">
    <topic>subversion -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>subversion</name>
        <range><ge>1.9.0</ge><lt>1.9.4</lt></range>
        <range><ge>1.0.0</ge><lt>1.8.15</lt></range>
      </package>
      <package>
        <name>subversion18</name>
        <range><ge>1.0.0</ge><lt>1.8.15</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The Subversion project reports:</p>
        <blockquote cite="http://subversion.apache.org/security/CVE-2016-2167-advisory.txt">
          <p>svnserve, the svn:// protocol server, can optionally use the Cyrus
          SASL library for authentication, integrity protection, and encryption.
          Due to a programming oversight, authentication against Cyrus SASL
          would permit the remote user to specify a realm string which is
          a prefix of the expected realm string.</p>
        </blockquote>
        <blockquote cite="http://subversion.apache.org/security/CVE-2016-2168-advisory.txt">
          <p>Subversion's httpd servers are vulnerable to a remotely triggerable crash
          in the mod_authz_svn module.
          The crash can occur during an authorization
          check for a COPY or MOVE request with a specially crafted header value.</p>
          <p>This allows remote attackers to cause a denial of service.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-2167</cvename>
      <url>http://subversion.apache.org/security/CVE-2016-2167-advisory.txt</url>
      <cvename>CVE-2016-2168</cvename>
      <url>http://subversion.apache.org/security/CVE-2016-2168-advisory.txt</url>
    </references>
    <dates>
      <discovery>2016-04-21</discovery>
      <entry>2016-04-28</entry>
    </dates>
  </vuln>

  <vuln vid="b2487d9a-0c30-11e6-acd0-d050996490d0">
    <topic>ntp -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>ntp</name>
        <range><lt>4.2.8p7</lt></range>
      </package>
      <package>
        <name>ntp-devel</name>
        <range><lt>4.3.92</lt></range>
      </package>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.3</ge><lt>10.3_1</lt></range>
        <range><ge>10.2</ge><lt>10.2_15</lt></range>
        <range><ge>10.1</ge><lt>10.1_32</lt></range>
        <range><ge>9.3</ge><lt>9.3_40</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Network Time Foundation reports:</p>
        <blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security">
          <p>NTF's NTP Project has been notified of the following low-
          and medium-severity vulnerabilities that are fixed in
          ntp-4.2.8p7, released on Tuesday, 26 April 2016:</p>
          <ul>
            <li>Bug 3020 / CVE-2016-1551: Refclock impersonation
            vulnerability, AKA: refclock-peering. Reported by
            Matt Street and others of Cisco ASIG</li>
            <li>Bug 3012 / CVE-2016-1549: Sybil vulnerability:
            ephemeral association attack, AKA: ntp-sybil -
            MITIGATION ONLY.
            Reported by Matthew Van Gundy
            of Cisco ASIG</li>
            <li>Bug 3011 / CVE-2016-2516: Duplicate IPs on
            unconfig directives will cause an assertion botch.
            Reported by Yihan Lian of the Cloud Security Team,
            Qihoo 360</li>
            <li>Bug 3010 / CVE-2016-2517: Remote configuration
            trustedkey/requestkey values are not properly
            validated. Reported by Yihan Lian of the Cloud
            Security Team, Qihoo 360</li>
            <li>Bug 3009 / CVE-2016-2518: Crafted addpeer with
            hmode > 7 causes array wraparound with MATCH_ASSOC.
            Reported by Yihan Lian of the Cloud Security Team,
            Qihoo 360</li>
            <li>Bug 3008 / CVE-2016-2519: ctl_getitem() return
            value not always checked. Reported by Yihan Lian
            of the Cloud Security Team, Qihoo 360</li>
            <li>Bug 3007 / CVE-2016-1547: Validate crypto-NAKs,
            AKA: nak-dos. Reported by Stephen Gray and
            Matthew Van Gundy of Cisco ASIG</li>
            <li>Bug 2978 / CVE-2016-1548: Interleave-pivot -
            MITIGATION ONLY. Reported by Miroslav Lichvar of
            RedHat and separately by Jonathan Gardner of
            Cisco ASIG.</li>
            <li>Bug 2952 / CVE-2015-7704: KoD fix: peer
            associations were broken by the fix for
            NtpBug2901, AKA: Symmetric active/passive mode
            is broken. Reported by Michael Tatarinov,
            NTP Project Developer Volunteer</li>
            <li>Bug 2945 / Bug 2901 / CVE-2015-8138: Zero
            Origin Timestamp Bypass, AKA: Additional KoD Checks.
            Reported by Jonathan Gardner of Cisco ASIG</li>
            <li>Bug 2879 / CVE-2016-1550: Improve NTP security
            against buffer comparison timing attacks,
            authdecrypt-timing, AKA: authdecrypt-timing.
            Reported independently by Loganaden Velvindron,
            and Matthew Van Gundy and Stephen Gray of
            Cisco ASIG.</li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <freebsdsa>SA-16:16.ntp</freebsdsa>
      <cvename>CVE-2015-7704</cvename>
      <cvename>CVE-2015-8138</cvename>
      <cvename>CVE-2016-1547</cvename>
      <cvename>CVE-2016-1548</cvename>
      <cvename>CVE-2016-1549</cvename>
      <cvename>CVE-2016-1550</cvename>
      <cvename>CVE-2016-1551</cvename>
      <cvename>CVE-2016-2516</cvename>
      <cvename>CVE-2016-2517</cvename>
      <cvename>CVE-2016-2518</cvename>
      <cvename>CVE-2016-2519</cvename>
      <url>http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security</url>
    </references>
    <dates>
      <discovery>2016-04-26</discovery>
      <entry>2016-04-27</entry>
      <modified>2016-08-09</modified>
    </dates>
  </vuln>

  <vuln vid="92d44f83-a7bf-41cf-91ee-3d1b8ecf579f">
    <topic>mozilla -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>firefox</name>
        <name>linux-firefox</name>
        <range><lt>46.0,1</lt></range>
      </package>
      <package>
        <name>seamonkey</name>
        <name>linux-seamonkey</name>
        <range><lt>2.43</lt></range>
      </package>
      <package>
        <name>firefox-esr</name>
        <range><ge>39.0,1</ge><lt>45.1.0,1</lt></range>
        <range><lt>38.8.0,1</lt></range>
      </package>
      <package>
        <name>libxul</name>
        <name>thunderbird</name>
        <name>linux-thunderbird</name>
        <range><ge>39.0</ge><lt>45.1.0</lt></range>
        <range><lt>38.8.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Mozilla Foundation reports:</p>
        <blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox46">
          <p>MFSA 2016-39 Miscellaneous
          memory safety hazards (rv:46.0 /
          rv:45.1 / rv:38.8)</p>
          <p>MFSA 2016-42 Use-after-free and buffer overflow
          in Service Workers</p>
          <p>MFSA 2016-44 Buffer overflow in libstagefright with
          CENC offsets</p>
          <p>MFSA 2016-45 CSP not applied to pages sent with
          multipart/x-mixed-replace</p>
          <p>MFSA 2016-46 Elevation of privilege with
          chrome.tabs.update API in web extensions</p>
          <p>MFSA 2016-47 Write to invalid HashMap entry through
          JavaScript.watch()</p>
          <p>MFSA 2016-48 Firefox Health Reports could accept events
          from untrusted domains</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-2804</cvename>
      <cvename>CVE-2016-2805</cvename>
      <cvename>CVE-2016-2806</cvename>
      <cvename>CVE-2016-2807</cvename>
      <cvename>CVE-2016-2808</cvename>
      <cvename>CVE-2016-2811</cvename>
      <cvename>CVE-2016-2812</cvename>
      <cvename>CVE-2016-2814</cvename>
      <cvename>CVE-2016-2816</cvename>
      <cvename>CVE-2016-2817</cvename>
      <cvename>CVE-2016-2820</cvename>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-39/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-42/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-44/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-45/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-46/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-47/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-48/</url>
    </references>
    <dates>
      <discovery>2016-04-26</discovery>
      <entry>2016-04-26</entry>
    </dates>
  </vuln>

  <vuln vid="f87a9376-0943-11e6-8fc4-00a0986f28c4">
    <topic>phpmyfaq -- cross-site request forgery vulnerability</topic>
    <affects>
      <package>
        <name>phpmyfaq</name>
        <range><lt>2.8.27</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The phpMyFAQ team reports:</p>
        <blockquote cite="http://www.phpmyfaq.de/security/advisory-2016-04-11">
          <p>The vulnerability exists because the application does not properly
          verify the origin of HTTP requests in the "Interface Translation"
          functionality. A remote unauthenticated attacker can create
          a specially crafted malicious web page with a CSRF exploit, trick
          a logged-in administrator into visiting the page, spoof the HTTP
          request as if it were coming from the legitimate user, and inject
          and execute arbitrary PHP code on the target system with the privileges
          of the webserver.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.phpmyfaq.de/security/advisory-2016-04-11</url>
      <url>https://www.htbridge.com/advisory/HTB23300</url>
    </references>
    <dates>
      <discovery>2016-04-11</discovery>
      <entry>2016-04-23</entry>
    </dates>
  </vuln>

  <vuln vid="1b0d2938-0766-11e6-94fa-002590263bf5">
    <topic>libtasn1 -- denial of service parsing malicious DER certificates</topic>
    <affects>
      <package>
        <name>libtasn1</name>
        <range><lt>4.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>GNU Libtasn1 NEWS reports:</p>
        <blockquote cite="http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=blob_plain;f=NEWS;hb=e9bcdc86b920d72c9cffc2570d14eea2f6365b37">
          <p>Fixes to avoid an infinite recursion when decoding without the
          ASN1_DECODE_FLAG_STRICT_DER flag.
          Reported by Pascal Cuoq.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-4008</cvename>
      <url>http://www.openwall.com/lists/oss-security/2016/04/13/3</url>
      <url>http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=blob_plain;f=NEWS;hb=e9bcdc86b920d72c9cffc2570d14eea2f6365b37</url>
    </references>
    <dates>
      <discovery>2016-04-11</discovery>
      <entry>2016-04-21</entry>
    </dates>
  </vuln>

  <vuln vid="e05bfc92-0763-11e6-94fa-002590263bf5">
    <topic>squid -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>squid</name>
        <range><lt>3.5.17</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Squid security advisory 2016:5 reports:</p>
        <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_5.txt">
          <p>Due to incorrect buffer management the Squid cachemgr.cgi tool is
          vulnerable to a buffer overflow when processing remotely supplied
          inputs relayed to it from Squid.</p>
          <p>This problem allows any client to seed the Squid manager reports
          with data that will cause a buffer overflow when processed by the
          cachemgr.cgi tool. However, this does require manual administrator
          actions to take place, which greatly reduces the impact and
          possible uses.</p>
        </blockquote>
        <p>Squid security advisory 2016:6 reports:</p>
        <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_6.txt">
          <p>Due to buffer overflow issues Squid is vulnerable to a denial of
          service attack when processing ESI responses. Due to incorrect input
          validation Squid is vulnerable to public information disclosure of
          the server stack layout when processing ESI responses.
          Due to
          incorrect input validation and buffer overflow Squid is vulnerable
          to remote code execution when processing ESI responses.</p>
          <p>These problems allow ESI components to be used to perform a denial
          of service attack on the Squid service and all other services on the
          same machine. Under certain build conditions these problems allow
          remote clients to view large sections of the server memory. However,
          the bugs are exploitable only if you have built and configured the
          ESI features to be used by a reverse-proxy and if the ESI components
          being processed by Squid can be controlled by an attacker.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-4051</cvename>
      <cvename>CVE-2016-4052</cvename>
      <cvename>CVE-2016-4053</cvename>
      <cvename>CVE-2016-4054</cvename>
      <freebsdpr>ports/208939</freebsdpr>
      <url>http://www.squid-cache.org/Advisories/SQUID-2016_5.txt</url>
      <url>http://www.squid-cache.org/Advisories/SQUID-2016_6.txt</url>
    </references>
    <dates>
      <discovery>2016-04-20</discovery>
      <entry>2016-04-21</entry>
    </dates>
  </vuln>

  <vuln vid="253c6889-06f0-11e6-925f-6805ca0b3d42">
    <topic>ansible -- use of predictable paths in lxc_container</topic>
    <affects>
      <package>
        <name>ansible</name>
        <range><ge>2.0.0.0</ge><lt>2.0.2.0</lt></range>
      </package>
      <package>
        <name>ansible1</name>
        <range><lt>1.9.6</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Ansible developers report:</p>
        <blockquote cite="https://github.com/ansible/ansible-modules-extras/pull/1941/commits/8c6fe646ee79f5e55361b885b7efed5bec72d4a4">
          <p>CVE-2016-3096: do not use predictable paths in lxc_container</p>

          <ul>
            <li>do not use a predictable filename for the LXC attach
            script</li>
            <li>don't use predictable filenames for LXC attach script
            logging</li>
            <li>don't set a predictable archive_path</li>
          </ul>

          <p>this should prevent symlink attacks which could result
          in</p>

          <ul>
            <li>data corruption</li>
            <li>data leakage</li>
            <li>privilege escalation</li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-3096</cvename>
      <url>https://github.com/ansible/ansible-modules-extras/pull/1941/commits/8c6fe646ee79f5e55361b885b7efed5bec72d4a4</url>
      <url>https://bugzilla.redhat.com/show_bug.cgi?id=1322925</url>
    </references>
    <dates>
      <discovery>2016-04-02</discovery>
      <entry>2016-04-20</entry>
    </dates>
  </vuln>

  <vuln vid="a733b5ca-06eb-11e6-817f-3085a9a4510d">
    <topic>proftpd -- vulnerability in mod_tls</topic>
    <affects>
      <package>
        <name>proftpd</name>
        <range><lt>1.3.5b</lt></range>
        <range><eq>1.3.6.r1</eq></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>MITRE reports:</p>
        <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3125">
          <p>The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before
          1.3.6rc2 does not properly handle the TLSDHParamFile directive, which
          might cause a weaker than intended Diffie-Hellman (DH) key to be used
          and consequently allow attackers to have unspecified impact via
          unknown vectors.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-3125</cvename>
    </references>
    <dates>
      <discovery>2016-03-08</discovery>
      <entry>2016-04-20</entry>
    </dates>
  </vuln>

  <vuln vid="6d8505f0-0614-11e6-b39c-00262d5ed8ee">
    <topic>chromium -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>chromium</name>
        <name>chromium-npapi</name>
        <name>chromium-pulse</name>
        <range><lt>50.0.2661.75</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Google Chrome Releases reports:</p>
        <blockquote cite="http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_13.html">
          <p>20 security fixes in this release, including:</p>
          <ul>
            <li>[590275] High CVE-2016-1652: Universal XSS in extension
            bindings. Credit to anonymous.</li>
            <li>[589792] High CVE-2016-1653: Out-of-bounds write in V8. Credit
            to Choongwoo Han.</li>
            <li>[591785] Medium CVE-2016-1651: Out-of-bounds read in Pdfium
            JPEG2000 decoding. Credit to kdot working with HP's Zero Day
            Initiative.</li>
            <li>[589512] Medium CVE-2016-1654: Uninitialized memory read in
            media. Credit to Atte Kettunen of OUSPG.</li>
            <li>[582008] Medium CVE-2016-1655: Use-after-free related to
            extensions. Credit to Rob Wu.</li>
            <li>[570750] Medium CVE-2016-1656: Android downloaded file path
            restriction bypass. Credit to Dzmitry Lukyanenko.</li>
            <li>[567445] Medium CVE-2016-1657: Address bar spoofing. Credit to
            Luan Herrera.</li>
            <li>[573317] Low CVE-2016-1658: Potential leak of sensitive
            information to malicious extensions.
            Credit to Antonio Sanso
            (@asanso) of Adobe.</li>
            <li>[602697] CVE-2016-1659: Various fixes from internal audits,
            fuzzing and other initiatives.</li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1651</cvename>
      <cvename>CVE-2016-1652</cvename>
      <cvename>CVE-2016-1653</cvename>
      <cvename>CVE-2016-1654</cvename>
      <cvename>CVE-2016-1655</cvename>
      <cvename>CVE-2016-1656</cvename>
      <cvename>CVE-2016-1657</cvename>
      <cvename>CVE-2016-1658</cvename>
      <cvename>CVE-2016-1659</cvename>
      <url>http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_13.html</url>
    </references>
    <dates>
      <discovery>2016-04-13</discovery>
      <entry>2016-04-19</entry>
    </dates>
  </vuln>

  <vuln vid="976567f6-05c5-11e6-94fa-002590263bf5">
    <topic>hostapd and wpa_supplicant -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>wpa_supplicant</name>
        <range><lt>2.5_1</lt></range>
      </package>
      <package>
        <name>hostapd</name>
        <range><lt>2.6</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Jouni Malinen reports:</p>
        <blockquote cite="http://w1.fi/security/2015-6/wpa_supplicant-unauthorized-wnm-sleep-mode-gtk-control.txt">
          <p>wpa_supplicant unauthorized WNM Sleep Mode GTK control. (2015-6 -
          CVE-2015-5310)</p>
        </blockquote>
        <blockquote cite="http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt">
          <p>EAP-pwd missing last fragment length validation. (2015-7 -
          CVE-2015-5315)</p>
        </blockquote>
        <blockquote cite="http://w1.fi/security/2015-8/eap-pwd-unexpected-confirm.txt">
          <p>EAP-pwd peer error path failure on unexpected Confirm message.
          (2015-8 - CVE-2015-5316)</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-5310</cvename>
      <cvename>CVE-2015-5315</cvename>
      <cvename>CVE-2015-5316</cvename>
      <freebsdpr>ports/208482</freebsdpr>
      <url>http://w1.fi/security/2015-6/wpa_supplicant-unauthorized-wnm-sleep-mode-gtk-control.txt</url>
      <url>http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt</url>
      <url>http://w1.fi/security/2015-8/eap-pwd-unexpected-confirm.txt</url>
    </references>
    <dates>
      <discovery>2015-11-10</discovery>
      <entry>2016-04-19</entry>
      <modified>2017-03-22</modified>
    </dates>
  </vuln>

  <vuln vid="092156c9-04d7-11e6-b1ce-002590263bf5">
    <topic>dhcpcd -- remote code execution/denial of service</topic>
    <affects>
      <package>
        <name>dhcpcd</name>
        <range><lt>6.9.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>MITRE reports:</p>
        <blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7912">
          <p>The get_option function in dhcp.c in dhcpcd before 6.2.0, as used
          in dhcpcd 5.x in Android before 5.1 and other products, does not
          validate the relationship between length fields and the amount of
          data, which allows remote DHCP servers to execute arbitrary code or
          cause a denial of service (memory corruption) via a large length
          value of an option in a DHCPACK message.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-7912</cvename>
      <url>http://roy.marples.name/projects/dhcpcd/info/d71cfd8aa203bffe</url>
    </references>
    <dates>
      <discovery>2015-06-19</discovery>
      <entry>2016-04-17</entry>
    </dates>
  </vuln>

  <vuln vid="6ec9f210-0404-11e6-9aee-bc5ff4fb5ea1">
    <topic>dhcpcd -- remote code execution/denial of service</topic>
    <affects>
      <package>
        <name>dhcpcd</name>
        <range><lt>6.10.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>MITRE reports:</p>
        <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7913">
          <p>The print_option function in dhcp-common.c in dhcpcd through 6.9.1,
          as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other
          products, misinterprets the return value of the snprintf function,
          which allows remote DHCP servers to execute arbitrary code or cause
          a denial of service (memory corruption) via a crafted message.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-7913</cvename>
      <freebsdpr>ports/208702</freebsdpr>
      <url>http://roy.marples.name/projects/dhcpcd/info/528541c4c619520e</url>
    </references>
    <dates>
      <discovery>2016-01-22</discovery>
      <entry>2016-04-17</entry>
    </dates>
  </vuln>

  <vuln vid="e21474c6-031a-11e6-aa86-001999f8d30b">
    <topic>PJSIP -- TCP denial of service in PJProject</topic>
    <affects>
      <package>
        <name>pjsip</name>
        <range><le>2.4.5</le></range>
      </package>
      <package>
        <name>pjsip-extsrtp</name>
        <range><le>2.4.5</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The Asterisk project reports:</p>
        <blockquote cite="http://www.asterisk.org/downloads/security-advisories">
          <p>PJProject has a limit on the number of TCP connections
          that it can accept. Furthermore, PJProject does not close
          TCP connections it accepts.
By default, this value is 13204 approximately 60.</p> 13205 <p>An attacker can deplete the number of allowed TCP 13206 connections by opening TCP connections and sending no 13207 data to Asterisk.</p> 13208 <p>If PJProject has been compiled in debug mode, then 13209 once the number of allowed TCP connections has been 13210 depleted, the next attempted TCP connection to Asterisk 13211 will crash due to an assertion in PJProject.</p> 13212 <p>If PJProject has not been compiled in debug mode, then 13213 any further TCP connection attempts will be rejected. 13214 This makes Asterisk unable to process TCP SIP traffic.</p> 13215 <p>Note that this only affects TCP/TLS, since UDP is 13216 connectionless.</p> 13217 </blockquote> 13218 </body> 13219 </description> 13220 <references> 13221 <url>http://downloads.asterisk.org/pub/security/AST-2016-005.html</url> 13222 </references> 13223 <dates> 13224 <discovery>2016-02-15</discovery> 13225 <entry>2016-04-15</entry> 13226 </dates> 13227 </vuln> 13228 13229 <vuln vid="ee50726e-0319-11e6-aa86-001999f8d30b"> 13230 <topic>asterisk -- Long Contact URIs in REGISTER requests can crash Asterisk</topic> 13231 <affects> 13232 <package> 13233 <name>asterisk13</name> 13234 <range><lt>13.8.1</lt></range> 13235 </package> 13236 </affects> 13237 <description> 13238 <body xmlns="http://www.w3.org/1999/xhtml"> 13239 <p>The Asterisk project reports:</p> 13240 <blockquote cite="http://www.asterisk.org/downloads/security-advisories"> 13241 <p>Asterisk may crash when processing an incoming REGISTER 13242 request if that REGISTER contains a Contact header with 13243 a lengthy URI.</p> 13244 <p>This crash will only happen for requests that pass 13245 authentication. Unauthenticated REGISTER requests will 13246 not result in a crash occurring.</p> 13247 <p>This vulnerability only affects Asterisk when using 13248 PJSIP as its SIP stack. 
The chan_sip module does not have 13249 this problem.</p> 13250 </blockquote> 13251 </body> 13252 </description> 13253 <references> 13254 <url>http://downloads.asterisk.org/pub/security/AST-2016-004.html</url> 13255 </references> 13256 <dates> 13257 <discovery>2016-01-19</discovery> 13258 <entry>2016-04-15</entry> 13259 </dates> 13260 </vuln> 13261 13262 <vuln vid="f2217cdf-01e4-11e6-b1ce-002590263bf5"> 13263 <topic>go -- remote denial of service</topic> 13264 <affects> 13265 <package> 13266 <name>go</name> 13267 <range><lt>1.6.1,1</lt></range> 13268 </package> 13269 </affects> 13270 <description> 13271 <body xmlns="http://www.w3.org/1999/xhtml"> 13272 <p>Jason Buberel reports:</p> 13273 <blockquote cite="http://www.openwall.com/lists/oss-security/2016/04/05/2"> 13274 <p>Go has an infinite loop in several big integer routines that makes 13275 Go programs vulnerable to remote denial of service attacks. Programs 13276 using HTTPS client authentication or the Go ssh server libraries are 13277 both exposed to this vulnerability.</p> 13278 </blockquote> 13279 </body> 13280 </description> 13281 <references> 13282 <cvename>CVE-2016-3959</cvename> 13283 <url>http://www.openwall.com/lists/oss-security/2016/04/05/2</url> 13284 <url>https://golang.org/cl/21533</url> 13285 </references> 13286 <dates> 13287 <discovery>2016-04-05</discovery> 13288 <entry>2016-04-14</entry> 13289 </dates> 13290 </vuln> 13291 13292 <vuln vid="a636fc26-00d9-11e6-b704-000c292e4fd8"> 13293 <topic>samba -- multiple vulnerabilities</topic> 13294 <affects> 13295 <package> 13296 <name>samba36</name> 13297 <range><ge>3.6.0</ge><le>3.6.25_3</le></range> 13298 </package> 13299 <package> 13300 <name>samba4</name> 13301 <range><ge>4.0.0</ge><le>4.0.26</le></range> 13302 </package> 13303 <package> 13304 <name>samba41</name> 13305 <range><ge>4.1.0</ge><le>4.1.23</le></range> 13306 </package> 13307 <package> 13308 <name>samba42</name> 13309 <range><ge>4.2.0</ge><lt>4.2.11</lt></range> 13310 </package> 13311 
<package> 13312 <name>samba43</name> 13313 <range><ge>4.3.0</ge><lt>4.3.8</lt></range> 13314 </package> 13315 <package> 13316 <name>samba44</name> 13317 <range><ge>4.4.0</ge><lt>4.4.2</lt></range> 13318 </package> 13319 </affects> 13320 <description> 13321 <body xmlns="http://www.w3.org/1999/xhtml"> 13322 <p>Samba team reports:</p> 13323 <blockquote cite="https://www.samba.org/samba/latest_news.html#4.4.2"> 13324 <p>[CVE-2015-5370] Errors in Samba DCE-RPC code can lead to denial of service 13325 (crashes and high cpu consumption) and man in the middle attacks.</p> 13326 <p>[CVE-2016-2110] The feature negotiation of NTLMSSP is not downgrade protected. 13327 A man in the middle is able to clear even required flags, especially 13328 NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL.</p> 13329 <p>[CVE-2016-2111] When Samba is configured as Domain Controller it allows remote 13330 attackers to spoof the computer name of a secure channel's endpoints, and obtain 13331 sensitive session information, by running a crafted application and leveraging 13332 the ability to sniff network traffic.</p> 13333 <p>[CVE-2016-2112] A man in the middle is able to downgrade LDAP connections 13334 to no integrity protection.</p> 13335 <p>[CVE-2016-2113] Man in the middle attacks are possible for client triggered LDAP 13336 connections (with ldaps://) and ncacn_http connections (with https://).</p> 13337 <p>[CVE-2016-2114] Due to a bug Samba doesn't enforce required smb signing, even if explicitly configured.</p> 13338 <p>[CVE-2016-2115] The protection of DCERPC communication over ncacn_np (which is 13339 the default for most the file server related protocols) is inherited from the underlying SMB connection.</p> 13340 <p>[CVE-2016-2118] a.k.a. BADLOCK. A man in the middle can intercept any DCERPC traffic 13341 between a client and a server in order to impersonate the client and get the same privileges 13342 as the authenticated user account. 
This is most problematic against active directory domain controllers.</p> 13343 </blockquote> 13344 </body> 13345 </description> 13346 <references> 13347 <cvename>CVE-2015-5370</cvename> 13348 <url>https://www.samba.org/samba/security/CVE-2015-5370.html</url> 13349 <cvename>CVE-2016-2110</cvename> 13350 <url>https://www.samba.org/samba/security/CVE-2016-2110.html</url> 13351 <cvename>CVE-2016-2111</cvename> 13352 <url>https://www.samba.org/samba/security/CVE-2016-2111.html</url> 13353 <cvename>CVE-2016-2112</cvename> 13354 <url>https://www.samba.org/samba/security/CVE-2016-2112.html</url> 13355 <cvename>CVE-2016-2113</cvename> 13356 <url>https://www.samba.org/samba/security/CVE-2016-2113.html</url> 13357 <cvename>CVE-2016-2114</cvename> 13358 <url>https://www.samba.org/samba/security/CVE-2016-2114.html</url> 13359 <cvename>CVE-2016-2115</cvename> 13360 <url>https://www.samba.org/samba/security/CVE-2016-2115.html</url> 13361 <cvename>CVE-2016-2118</cvename> 13362 <url>https://www.samba.org/samba/security/CVE-2016-2118.html</url> 13363 </references> 13364 <dates> 13365 <discovery>2016-04-12</discovery> 13366 <entry>2016-04-12</entry> 13367 <modified>2016-04-12</modified> 13368 </dates> 13369 </vuln> 13370 13371 <vuln vid="482d40cb-f9a3-11e5-92ce-002590263bf5"> 13372 <topic>php -- multiple vulnerabilities</topic> 13373 <affects> 13374 <package> 13375 <name>php70</name> 13376 <name>php70-fileinfo</name> 13377 <name>php70-mbstring</name> 13378 <name>php70-phar</name> 13379 <name>php70-snmp</name> 13380 <range><lt>7.0.5</lt></range> 13381 </package> 13382 <package> 13383 <name>php56</name> 13384 <name>php56-fileinfo</name> 13385 <name>php56-mbstring</name> 13386 <name>php56-phar</name> 13387 <name>php56-snmp</name> 13388 <range><lt>5.6.20</lt></range> 13389 </package> 13390 <package> 13391 <name>php55</name> 13392 <name>php55-fileinfo</name> 13393 <name>php55-mbstring</name> 13394 <name>php55-phar</name> 13395 <name>php55-snmp</name> 13396 <range><lt>5.5.34</lt></range> 
13397 </package> 13398 </affects> 13399 <description> 13400 <body xmlns="http://www.w3.org/1999/xhtml"> 13401 <p>The PHP Group reports:</p> 13402 <blockquote cite="http://php.net/ChangeLog-7.php#7.0.5"> 13403 <ul><li>Fileinfo: 13404 <ul> 13405 <li>Fixed bug #71527 (Buffer over-write in finfo_open with 13406 malformed magic file).</li> 13407 </ul></li> 13408 <li>mbstring: 13409 <ul> 13410 <li>Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) 13411 in mbfl_strcut).</li> 13412 </ul></li> 13413 <li>Phar: 13414 <ul> 13415 <li>Fixed bug #71860 (Invalid memory write in phar on filename with 13416 \0 in name).</li> 13417 </ul></li> 13418 <li>SNMP: 13419 <ul> 13420 <li>Fixed bug #71704 (php_snmp_error() Format String Vulnerability). 13421 </li> 13422 </ul></li> 13423 <li>Standard: 13424 <ul> 13425 <li>Fixed bug #71798 (Integer Overflow in php_raw_url_encode).</li> 13426 </ul></li> 13427 </ul> 13428 </blockquote> 13429 </body> 13430 </description> 13431 <references> 13432 <freebsdpr>ports/208465</freebsdpr> 13433 <url>http://php.net/ChangeLog-7.php#7.0.5</url> 13434 <url>http://php.net/ChangeLog-5.php#5.6.20</url> 13435 <url>http://php.net/ChangeLog-5.php#5.5.34</url> 13436 </references> 13437 <dates> 13438 <discovery>2016-03-31</discovery> 13439 <entry>2016-04-03</entry> 13440 </dates> 13441 </vuln> 13442 13443 <vuln vid="497b82e0-f9a0-11e5-92ce-002590263bf5"> 13444 <topic>pcre -- heap overflow vulnerability</topic> 13445 <affects> 13446 <package> 13447 <name>pcre</name> 13448 <range><lt>8.38_1</lt></range> 13449 </package> 13450 </affects> 13451 <description> 13452 <body xmlns="http://www.w3.org/1999/xhtml"> 13453 <p>Mitre reports:</p> 13454 <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1283"> 13455 <p>The pcre_compile2 function in pcre_compile.c in PCRE 8.38 13456 mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/ 13457 pattern and related 
patterns with named subgroups, which allows 13458 remote attackers to cause a denial of service (heap-based buffer 13459 overflow) or possibly have unspecified other impact via a crafted 13460 regular expression, as demonstrated by a JavaScript RegExp object 13461 encountered by Konqueror.</p> 13462 </blockquote> 13463 </body> 13464 </description> 13465 <references> 13466 <cvename>CVE-2016-1283</cvename> 13467 <freebsdpr>ports/208260</freebsdpr> 13468 <url>https://bugs.exim.org/show_bug.cgi?id=1767</url> 13469 </references> 13470 <dates> 13471 <discovery>2016-02-27</discovery> 13472 <entry>2016-04-03</entry> 13473 </dates> 13474 </vuln> 13475 13476 <vuln vid="df328fac-f942-11e5-92ce-002590263bf5"> 13477 <topic>py-djblets -- Self-XSS vulnerability</topic> 13478 <affects> 13479 <package> 13480 <name>py27-djblets</name> 13481 <name>py32-djblets</name> 13482 <name>py33-djblets</name> 13483 <name>py34-djblets</name> 13484 <name>py35-djblets</name> 13485 <range><lt>0.9.2</lt></range> 13486 </package> 13487 </affects> 13488 <description> 13489 <body xmlns="http://www.w3.org/1999/xhtml"> 13490 <p>Djblets Release Notes reports:</p> 13491 <blockquote cite="https://www.reviewboard.org/docs/releasenotes/djblets/0.9.2/"> 13492 <p>A recently-discovered vulnerability in the datagrid templates allows an 13493 attacker to generate a URL to any datagrid page containing malicious code 13494 in a column sorting value. 
If the user visits that URL and then clicks 13495 that column, the code will execute.</p> 13496 <p>The cause of the vulnerability was due to a template not escaping 13497 user-provided values.</p> 13498 </blockquote> 13499 </body> 13500 </description> 13501 <references> 13502 <url>https://www.reviewboard.org/docs/releasenotes/djblets/0.9.2/</url> 13503 </references> 13504 <dates> 13505 <discovery>2016-03-01</discovery> 13506 <entry>2016-04-03</entry> 13507 </dates> 13508 </vuln> 13509 13510 <vuln vid="a430e15d-f93f-11e5-92ce-002590263bf5"> 13511 <topic>moodle -- multiple vulnerabilities</topic> 13512 <affects> 13513 <package> 13514 <name>moodle28</name> 13515 <range><lt>2.8.11</lt></range> 13516 </package> 13517 <package> 13518 <name>moodle29</name> 13519 <range><lt>2.9.5</lt></range> 13520 </package> 13521 <package> 13522 <name>moodle30</name> 13523 <range><lt>3.0.3</lt></range> 13524 </package> 13525 </affects> 13526 <description> 13527 <body xmlns="http://www.w3.org/1999/xhtml"> 13528 <p>Marina Glancy reports:</p> 13529 <blockquote cite="https://moodle.org/security/"> 13530 <ul> 13531 <li><p>MSA-16-0003: Incorrect capability check when displaying 13532 users emails in Participants list</p></li> 13533 <li><p>MSA-16-0004: XSS from profile fields from external db</p> 13534 </li> 13535 <li><p>MSA-16-0005: Reflected XSS in mod_data advanced search</p> 13536 </li> 13537 <li><p>MSA-16-0006: Hidden courses are shown to students in Event 13538 Monitor</p></li> 13539 <li><p>MSA-16-0007: Non-Editing Instructor role can edit exclude 13540 checkbox in Single View</p></li> 13541 <li><p>MSA-16-0008: External function get_calendar_events return 13542 events that pertains to hidden activities</p></li> 13543 <li><p>MSA-16-0009: CSRF in Assignment plugin management page</p> 13544 </li> 13545 <li><p>MSA-16-0010: Enumeration of category details possible without 13546 authentication</p></li> 13547 <li><p>MSA-16-0011: Add no referrer to links with _blank target 13548 
attribute</p></li> 13549 <li><p>MSA-16-0012: External function mod_assign_save_submission 13550 does not check due dates</p></li> 13551 </ul> 13552 </blockquote> 13553 </body> 13554 </description> 13555 <references> 13556 <cvename>CVE-2016-2151</cvename> 13557 <cvename>CVE-2016-2152</cvename> 13558 <cvename>CVE-2016-2153</cvename> 13559 <cvename>CVE-2016-2154</cvename> 13560 <cvename>CVE-2016-2155</cvename> 13561 <cvename>CVE-2016-2156</cvename> 13562 <cvename>CVE-2016-2157</cvename> 13563 <cvename>CVE-2016-2158</cvename> 13564 <cvename>CVE-2016-2190</cvename> 13565 <cvename>CVE-2016-2159</cvename> 13566 <url>https://moodle.org/security/</url> 13567 </references> 13568 <dates> 13569 <discovery>2016-03-21</discovery> 13570 <entry>2016-04-03</entry> 13571 </dates> 13572 </vuln> 13573 13574 <vuln vid="297117ba-f92d-11e5-92ce-002590263bf5"> 13575 <topic>squid -- multiple vulnerabilities</topic> 13576 <affects> 13577 <package> 13578 <name>squid</name> 13579 <range><lt>3.5.16</lt></range> 13580 </package> 13581 </affects> 13582 <description> 13583 <body xmlns="http://www.w3.org/1999/xhtml"> 13584 <p>Squid security advisory 2016:3 reports:</p> 13585 <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_3.txt"> 13586 <p>Due to a buffer overrun Squid pinger binary is vulnerable to 13587 denial of service or information leak attack when processing 13588 ICMPv6 packets.</p> 13589 <p>This bug also permits the server response to manipulate other 13590 ICMP and ICMPv6 queries processing to cause information leak.</p> 13591 <p>This bug allows any remote server to perform a denial of service 13592 attack on the Squid service by crashing the pinger. This may 13593 affect Squid HTTP routing decisions. 
In some configurations, 13594 sub-optimal routing decisions may result in serious service 13595 degradation or even transaction failures.</p> 13596 <p>If the system does not contain buffer-overrun protection leading 13597 to that crash this bug will instead allow attackers to leak 13598 arbitrary amounts of information from the heap into Squid log 13599 files. This is of higher importance than usual because the pinger 13600 process operates with root priviliges.</p> 13601 </blockquote> 13602 <p>Squid security advisory 2016:4 reports:</p> 13603 <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_4.txt"> 13604 <p>Due to incorrect bounds checking Squid is vulnerable to a denial 13605 of service attack when processing HTTP responses.</p> 13606 <p>This problem allows a malicious client script and remote server 13607 delivering certain unusual HTTP response syntax to trigger a 13608 denial of service for all clients accessing the Squid service.</p> 13609 </blockquote> 13610 </body> 13611 </description> 13612 <references> 13613 <cvename>CVE-2016-3947</cvename> 13614 <cvename>CVE-2016-3948</cvename> 13615 <freebsdpr>ports/208463</freebsdpr> 13616 <url>http://www.squid-cache.org/Advisories/SQUID-2016_3.txt</url> 13617 <url>http://www.squid-cache.org/Advisories/SQUID-2016_4.txt</url> 13618 </references> 13619 <dates> 13620 <discovery>2016-03-28</discovery> 13621 <entry>2016-04-02</entry> 13622 </dates> 13623 </vuln> 13624 13625 <vuln vid="97a24d2e-f74c-11e5-8458-6cc21735f730"> 13626 <topic>PostgreSQL -- minor security problems.</topic> 13627 <affects> 13628 <package> 13629 <name>postgresql95-server</name> 13630 <name>postgresql95-contrib</name> 13631 <range><ge>9.5.0</ge><lt>9.5.2</lt></range> 13632 </package> 13633 </affects> 13634 <description> 13635 <body xmlns="http://www.w3.org/1999/xhtml"> 13636 <p>PostgreSQL project reports:</p> 13637 <blockquote cite="http://www.postgresql.org/about/news/1656/"> 13638 <p>Security Fixes for RLS, BRIN</p> 13639 <p> 13640 
This release closes security hole CVE-2016-2193 13641 (https://access.redhat.com/security/cve/CVE-2016-2193), where a query 13642 plan might get reused for more than one ROLE in the same session. 13643 This could cause the wrong set of Row Level Security (RLS) policies to 13644 be used for the query.</p> 13645 <p> 13646 The update also fixes CVE-2016-3065 13647 (https://access.redhat.com/security/cve/CVE-2016-3065), a server crash 13648 bug triggered by using `pageinspect` with BRIN index pages. Since an 13649 attacker might be able to expose a few bytes of server memory, this 13650 crash is being treated as a security issue.</p> 13651 </blockquote> 13652 </body> 13653 </description> 13654 <references> 13655 <cvename>CVE-2016-2193</cvename> 13656 <cvename>CVE-2016-3065</cvename> 13657 </references> 13658 <dates> 13659 <discovery>2016-03-01</discovery> 13660 <entry>2016-03-31</entry> 13661 </dates> 13662 </vuln> 13663 13664 <vuln vid="f7b3d1eb-f738-11e5-a710-0011d823eebd"> 13665 <topic>flash -- multiple vulnerabilities</topic> 13666 <affects> 13667 <package> 13668 <name>linux-c6-flashplugin</name> 13669 <name>linux-f10-flashplugin</name> 13670 <name>linux-c6_64-flashplugin</name> 13671 <range><lt>11.2r202.577</lt></range> 13672 </package> 13673 </affects> 13674 <description> 13675 <body xmlns="http://www.w3.org/1999/xhtml"> 13676 <p>Adobe reports:</p> 13677 <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-08.html"> 13678 <p>These updates resolve integer overflow vulnerabilities that 13679 could lead to code execution (CVE-2016-0963, CVE-2016-0993, 13680 CVE-2016-1010).</p> 13681 <p>These updates resolve use-after-free vulnerabilities that could 13682 lead to code execution (CVE-2016-0987, CVE-2016-0988, 13683 CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, 13684 CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, 13685 CVE-2016-1000).</p> 13686 <p>These updates resolve a heap overflow vulnerability that could 13687 
lead to code execution (CVE-2016-1001).</p> 13688 <p>These updates resolve memory corruption vulnerabilities that 13689 could lead to code execution (CVE-2016-0960, CVE-2016-0961, 13690 CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, 13691 CVE-2016-1002, CVE-2016-1005).</p> 13692 </blockquote> 13693 </body> 13694 </description> 13695 <references> 13696 <cvename>CVE-2016-0960</cvename> 13697 <cvename>CVE-2016-0961</cvename> 13698 <cvename>CVE-2016-0962</cvename> 13699 <cvename>CVE-2016-0963</cvename> 13700 <cvename>CVE-2016-0986</cvename> 13701 <cvename>CVE-2016-0987</cvename> 13702 <cvename>CVE-2016-0988</cvename> 13703 <cvename>CVE-2016-0989</cvename> 13704 <cvename>CVE-2016-0990</cvename> 13705 <cvename>CVE-2016-0991</cvename> 13706 <cvename>CVE-2016-0992</cvename> 13707 <cvename>CVE-2016-0993</cvename> 13708 <cvename>CVE-2016-0994</cvename> 13709 <cvename>CVE-2016-0995</cvename> 13710 <cvename>CVE-2016-0996</cvename> 13711 <cvename>CVE-2016-0997</cvename> 13712 <cvename>CVE-2016-0998</cvename> 13713 <cvename>CVE-2016-0999</cvename> 13714 <cvename>CVE-2016-1000</cvename> 13715 <cvename>CVE-2016-1001</cvename> 13716 <cvename>CVE-2016-1002</cvename> 13717 <cvename>CVE-2016-1005</cvename> 13718 <cvename>CVE-2016-1010</cvename> 13719 <url>https://helpx.adobe.com/security/products/flash-player/apsb16-08.html</url> 13720 </references> 13721 <dates> 13722 <discovery>2016-03-10</discovery> 13723 <entry>2016-03-31</entry> 13724 </dates> 13725 </vuln> 13726 13727 <vuln vid="4cd9b19f-f66d-11e5-b94c-001999f8d30b"> 13728 <topic>Multiple vulnerabilities in Botan</topic> 13729 <affects> 13730 <package> 13731 <name>botan110</name> 13732 <range><lt>1.10.11</lt></range> 13733 </package> 13734 </affects> 13735 <description> 13736 <body xmlns="http://www.w3.org/1999/xhtml"> 13737 <p>The botan developers reports:</p> 13738 <blockquote cite="http://botan.randombit.net/security.html"> 13739 <p>Infinite loop in modular square root algorithm - The ressol function implements 
the Tonelli-Shanks algorithm for finding square roots could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, as this algorithm is only defined for primes. This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression.</p> 13740 <p>Heap overflow on invalid ECC point - The PointGFp constructor did not check that the affine coordinate arguments were less than the prime, but then in curve multiplication assumed that both arguments if multiplied would fit into an integer twice the size of the prime.</p> 13741 <p>The bigint_mul and bigint_sqr functions received the size of the output buffer, but only used it to dispatch to a faster algorithm in cases where there was sufficient output space to call an unrolled multiplication function.</p> 13742 <p>The result is a heap overflow accessible via ECC point decoding, which accepted untrusted inputs. This is likely exploitable for remote code execution.</p> 13743 <p>On systems which use the mlock pool allocator, it would allow an attacker to overwrite memory held in secure_vector objects. 
After this point the write will hit the guard page at the end of the mmapped region so it probably could not be used for code execution directly, but would allow overwriting adjacent key material.</p> 13744 </blockquote> 13745 </body> 13746 </description> 13747 <references> 13748 <url>http://botan.randombit.net/security.html</url> 13749 <cvename>CVE-2016-2194</cvename> 13750 <cvename>CVE-2016-2195</cvename> 13751 </references> 13752 <dates> 13753 <discovery>2016-02-01</discovery> 13754 <entry>2016-03-31</entry> 13755 </dates> 13756 </vuln> 13757 13758 <vuln vid="2004616d-f66c-11e5-b94c-001999f8d30b"> 13759 <topic>Botan BER Decoder vulnerabilities</topic> 13760 <affects> 13761 <package> 13762 <name>botan110</name> 13763 <range><lt>1.10.10</lt></range> 13764 </package> 13765 </affects> 13766 <description> 13767 <body xmlns="http://www.w3.org/1999/xhtml"> 13768 <p>The botan developers reports:</p> 13769 <blockquote cite="http://botan.randombit.net/"> 13770 <p>Excess memory allocation in BER decoder - The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer.</p> 13771 <p>Crash in BER decoder - The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. 
This can be used to easily crash applications reading untrusted ASN.1 data, but does not seem exploitable for code execution.</p> 13772 </blockquote> 13773 </body> 13774 </description> 13775 <references> 13776 <url>http://botan.randombit.net/security.html</url> 13777 <cvename>CVE-2015-5726</cvename> 13778 <cvename>CVE-2015-5727</cvename> 13779 </references> 13780 <dates> 13781 <discovery>2015-08-03</discovery> 13782 <entry>2016-03-31</entry> 13783 </dates> 13784 </vuln> 13785 13786 <vuln vid="e1085b15-f609-11e5-a230-0014a5a57822"> 13787 <topic>mercurial -- multiple vulnerabilities</topic> 13788 <affects> 13789 <package> 13790 <name>mercurial</name> 13791 <range><lt>2.7.3</lt></range> 13792 </package> 13793 </affects> 13794 <description> 13795 <body xmlns="http://www.w3.org/1999/xhtml"> 13796 <p>Mercurial reports:</p> 13797 <blockquote cite="https://www.mercurial-scm.org/pipermail/mercurial/2016-March/049452.html"> 13798 <p>CVE-2016-3630: Remote code execution in binary delta decoding</p> 13799 <p>CVE-2016-3068: Arbitrary code execution with Git subrepos</p> 13800 <p>CVE-2016-3069: Arbitrary code execution when converting 13801 Git repos</p> 13802 </blockquote> 13803 </body> 13804 </description> 13805 <references> 13806 <cvename>CVE-2016-3630</cvename> 13807 <cvename>CVE-2016-3068</cvename> 13808 <cvename>CVE-2016-3069</cvename> 13809 <url>https://www.mercurial-scm.org/pipermail/mercurial/2016-March/049452.html</url> 13810 </references> 13811 <dates> 13812 <discovery>2016-03-29</discovery> 13813 <entry>2016-03-29</entry> 13814 </dates> 13815 </vuln> 13816 13817 <vuln vid="8be8ca39-ae70-4422-bf1a-d8fae6911c5e"> 13818 <topic>chromium -- multiple vulnerabilities</topic> 13819 <affects> 13820 <package> 13821 <name>chromium</name> 13822 <name>chromium-npapi</name> 13823 <name>chromium-pulse</name> 13824 <range><lt>49.0.2623.108</lt></range> 13825 </package> 13826 </affects> 13827 <description> 13828 <body xmlns="http://www.w3.org/1999/xhtml"> 13829 <p>Google Chrome 
Releases reports:</p> 13830 <blockquote cite="http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_24.html"> 13831 <p>[594574] High CVE-2016-1646: Out-of-bounds read in V8.</p> 13832 <p>[590284] High CVE-2016-1647: Use-after-free in Navigation.</p> 13833 <p>[590455] High CVE-2016-1648: Use-after-free in Extensions.</p> 13834 <p>[597518] CVE-2016-1650: Various fixes from internal audits, 13835 fuzzing and other initiatives.</p> 13836 <p>Multiple vulnerabilities in V8 fixed at the tip of the 13837 4.9 branch</p> 13838 </blockquote> 13839 </body> 13840 </description> 13841 <references> 13842 <cvename>CVE-2016-1646</cvename> 13843 <cvename>CVE-2016-1647</cvename> 13844 <cvename>CVE-2016-1648</cvename> 13845 <cvename>CVE-2016-1649</cvename> 13846 <cvename>CVE-2016-1650</cvename> 13847 <url>http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_24.html</url> 13848 </references> 13849 <dates> 13850 <discovery>2016-03-24</discovery> 13851 <entry>2016-03-29</entry> 13852 </dates> 13853 </vuln> 13854 13855 <vuln vid="5c288f68-c7ca-4c0d-b7dc-1ec6295200b3"> 13856 <topic>chromium -- multiple vulnerabilities</topic> 13857 <affects> 13858 <package> 13859 <name>chromium</name> 13860 <name>chromium-npapi</name> 13861 <name>chromium-pulse</name> 13862 <range><lt>49.0.2623.87</lt></range> 13863 </package> 13864 </affects> 13865 <description> 13866 <body xmlns="http://www.w3.org/1999/xhtml"> 13867 <p>Google Chrome Releases reports:</p> 13868 <blockquote cite="http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_8.html"> 13869 <p>[589838] High CVE-2016-1643: Type confusion in Blink.</p> 13870 <p>[590620] High CVE-2016-1644: Use-after-free in Blink.</p> 13871 <p>[587227] High CVE-2016-1645: Out-of-bounds write in PDFium.</p> 13872 </blockquote> 13873 </body> 13874 </description> 13875 <references> 13876 <cvename>CVE-2016-1643</cvename> 13877 <cvename>CVE-2016-1644</cvename> 13878 <cvename>CVE-2016-1645</cvename> 13879 
<url>http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_8.html</url> 13880 </references> 13881 <dates> 13882 <discovery>2016-03-08</discovery> 13883 <entry>2016-03-29</entry> 13884 </dates> 13885 </vuln> 13886 13887 <vuln vid="cd409df7-f483-11e5-92ce-002590263bf5"> 13888 <topic>bind -- denial of service vulnerability</topic> 13889 <affects> 13890 <package> 13891 <name>bind910</name> 13892 <range><ge>9.10.0</ge><lt>9.10.3P4</lt></range> 13893 </package> 13894 <package> 13895 <name>bind9-devel</name> 13896 <range><lt>9.11.0.a20160309</lt></range> 13897 </package> 13898 </affects> 13899 <description> 13900 <body xmlns="http://www.w3.org/1999/xhtml"> 13901 <p>ISC reports:</p> 13902 <blockquote cite="https://kb.isc.org/article/AA-01351"> 13903 <p>A response containing multiple DNS cookies causes servers with 13904 cookie support enabled to exit with an assertion failure.</p> 13905 </blockquote> 13906 </body> 13907 </description> 13908 <references> 13909 <cvename>CVE-2016-2088</cvename> 13910 <url>https://kb.isc.org/article/AA-01351</url> 13911 </references> 13912 <dates> 13913 <discovery>2016-03-09</discovery> 13914 <entry>2016-03-28</entry> 13915 </dates> 13916 </vuln> 13917 13918 <vuln vid="cba246d2-f483-11e5-92ce-002590263bf5"> 13919 <topic>bind -- denial of service vulnerability</topic> 13920 <affects> 13921 <package> 13922 <name>bind98</name> 13923 <range><le>9.8.8</le></range> 13924 </package> 13925 <package> 13926 <name>bind99</name> 13927 <range><ge>9.9.0</ge><lt>9.9.8P4</lt></range> 13928 </package> 13929 <package> 13930 <name>bind910</name> 13931 <range><ge>9.10.0</ge><lt>9.10.3P4</lt></range> 13932 </package> 13933 <package> 13934 <name>bind9-devel</name> 13935 <range><lt>9.11.0.a20160309</lt></range> 13936 </package> 13937 <package> 13938 <name>FreeBSD</name> 13939 <range><ge>9.3</ge><lt>9.3_38</lt></range> 13940 </package> 13941 </affects> 13942 <description> 13943 <body xmlns="http://www.w3.org/1999/xhtml"> 13944 <p>ISC reports:</p> 
13945 <blockquote cite="https://kb.isc.org/article/AA-01353"> 13946 <p>A problem parsing resource record signatures for DNAME resource 13947 records can lead to an assertion failure in resolver.c or db.c</p> 13948 </blockquote> 13949 </body> 13950 </description> 13951 <references> 13952 <cvename>CVE-2016-1286</cvename> 13953 <freebsdsa>SA-16:13.bind</freebsdsa> 13954 <url>https://kb.isc.org/article/AA-01353</url> 13955 </references> 13956 <dates> 13957 <discovery>2016-03-09</discovery> 13958 <entry>2016-03-28</entry> 13959 <modified>2016-08-09</modified> 13960 </dates> 13961 </vuln> 13962 13963 <vuln vid="c9075321-f483-11e5-92ce-002590263bf5"> 13964 <topic>bind -- denial of service vulnerability</topic> 13965 <affects> 13966 <package> 13967 <name>bind98</name> 13968 <range><le>9.8.8</le></range> 13969 </package> 13970 <package> 13971 <name>bind99</name> 13972 <range><ge>9.9.0</ge><lt>9.9.8P4</lt></range> 13973 </package> 13974 <package> 13975 <name>bind910</name> 13976 <range><ge>9.10.0</ge><lt>9.10.3P4</lt></range> 13977 </package> 13978 <package> 13979 <name>bind9-devel</name> 13980 <range><lt>9.11.0.a20160309</lt></range> 13981 </package> 13982 <package> 13983 <name>FreeBSD</name> 13984 <range><ge>9.3</ge><lt>9.3_38</lt></range> 13985 </package> 13986 </affects> 13987 <description> 13988 <body xmlns="http://www.w3.org/1999/xhtml"> 13989 <p>ISC reports:</p> 13990 <blockquote cite="https://kb.isc.org/article/AA-01352"> 13991 <p>An error parsing input received by the rndc control channel can 13992 cause an assertion failure in sexpr.c or alist.c.</p> 13993 </blockquote> 13994 </body> 13995 </description> 13996 <references> 13997 <cvename>CVE-2016-1285</cvename> 13998 <freebsdsa>SA-16:13.bind</freebsdsa> 13999 <url>https://kb.isc.org/article/AA-01352</url> 14000 </references> 14001 <dates> 14002 <discovery>2016-03-09</discovery> 14003 <entry>2016-03-28</entry> 14004 <modified>2016-08-09</modified> 14005 </dates> 14006 </vuln> 14007 14008 <vuln 
  vid="6d25c306-f3bb-11e5-92ce-002590263bf5">
    <topic>salt -- Insecure configuration of PAM external authentication service</topic>
    <affects>
      <package>
        <name>py27-salt</name>
        <name>py32-salt</name>
        <name>py33-salt</name>
        <name>py34-salt</name>
        <name>py35-salt</name>
        <range><lt>2015.5.10</lt></range>
        <range><ge>2015.8.0</ge><lt>2015.8.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>SaltStack reports:</p>
        <blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html">
          <p>This issue affects all Salt versions prior to 2015.8.8/2015.5.10
          when PAM external authentication is enabled. This issue involves
          passing an alternative PAM authentication service with a command
          that is sent to LocalClient, enabling the attacker to bypass the
          configured authentication service.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-3176</cvename>
      <url>https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html</url>
    </references>
    <dates>
      <discovery>2016-03-17</discovery>
      <entry>2016-03-27</entry>
    </dates>
  </vuln>

  <vuln vid="a258604d-f2aa-11e5-b4a9-ac220bdcec59">
    <topic>activemq -- Unsafe deserialization</topic>
    <affects>
      <package>
        <name>activemq</name>
        <range><lt>5.13.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Alvaro Muñoz, Matthias Kaiser and Christian Schneider report:</p>
        <blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt">
          <p>JMS Object messages depend on Java Serialization for
          marshaling/unmarshaling of the message payload.
          There are a couple of places
          inside the broker where deserialization can occur, like web console or stomp
          object message transformation. As deserialization of untrusted data can lead to
          security flaws as demonstrated in various reports, this leaves the broker
          vulnerable to this attack vector. Additionally, applications that consume
          ObjectMessage type of messages can be vulnerable as they deserialize objects on
          ObjectMessage.getObject() calls.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt</url>
      <cvename>CVE-2015-5254</cvename>
    </references>
    <dates>
      <discovery>2016-01-08</discovery>
      <entry>2016-03-25</entry>
    </dates>
  </vuln>

  <vuln vid="950b2d60-f2a9-11e5-b4a9-ac220bdcec59">
    <topic>activemq -- Web Console Clickjacking</topic>
    <affects>
      <package>
        <name>activemq</name>
        <range><lt>5.13.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Michael Furman reports:</p>
        <blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt">
          <p>The web based administration console does not set the
          X-Frame-Options header in HTTP responses.
          This allows the console to be embedded
          in a frame or iframe which could then be used to cause a user to perform an
          unintended action in the console.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt</url>
      <cvename>CVE-2016-0734</cvename>
    </references>
    <dates>
      <discovery>2016-03-10</discovery>
      <entry>2016-03-25</entry>
    </dates>
  </vuln>

  <vuln vid="a6cc5753-f29e-11e5-b4a9-ac220bdcec59">
    <topic>activemq -- Web Console Cross-Site Scripting</topic>
    <affects>
      <package>
        <name>activemq</name>
        <range><lt>5.13.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Vladimir Ivanov (Positive Technologies) reports:</p>
        <blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt">
          <p>Several instances of cross-site scripting vulnerabilities were
          identified to be present in the web based administration console as well as the
          ability to trigger a Java memory dump into an arbitrary folder.
          The root cause
          of these issues is improper user data output validation and incorrect
          permissions configured on Jolokia.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt</url>
      <cvename>CVE-2016-0782</cvename>
    </references>
    <dates>
      <discovery>2016-03-10</discovery>
      <entry>2016-03-25</entry>
    </dates>
  </vuln>

  <vuln vid="7033b42d-ef09-11e5-b766-14dae9d210b8">
    <topic>pcre -- stack buffer overflow</topic>
    <affects>
      <package>
        <name>pcre</name>
        <range><lt>8.38</lt></range>
      </package>
      <package>
        <name>pcre2</name>
        <range><lt>10.20_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Philip Hazel reports:</p>
        <blockquote cite="https://bugs.exim.org/show_bug.cgi?id=1791">
          <p>PCRE does not validate that handling the (*ACCEPT) verb
          will occur within the bounds of the cworkspace stack buffer, leading to
          a stack buffer overflow.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://bugs.exim.org/show_bug.cgi?id=1791</url>
      <cvename>CVE-2016-3191</cvename>
    </references>
    <dates>
      <discovery>2016-02-09</discovery>
      <entry>2016-03-21</entry>
      <modified>2016-03-21</modified>
    </dates>
  </vuln>

  <vuln vid="c428de09-ed69-11e5-92ce-002590263bf5">
    <topic>kamailio -- SEAS Module Heap overflow</topic>
    <affects>
      <package>
        <name>kamailio</name>
        <range><lt>4.3.5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Stelios Tsampas reports:</p>
        <blockquote cite="http://seclists.org/oss-sec/2016/q1/338">
          <p>A (remotely exploitable) heap overflow
          vulnerability was found in
          Kamailio v4.3.4.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-2385</cvename>
      <url>https://github.com/kamailio/kamailio/commit/f50c9c853e7809810099c970780c30b0765b0643</url>
      <url>https://census-labs.com/news/2016/03/30/kamailio-seas-heap-overflow/</url>
      <url>http://seclists.org/oss-sec/2016/q1/338</url>
    </references>
    <dates>
      <discovery>2016-02-15</discovery>
      <entry>2016-03-19</entry>
      <modified>2016-04-03</modified>
    </dates>
  </vuln>

  <vuln vid="5dd39f26-ed68-11e5-92ce-002590263bf5">
    <topic>hadoop2 -- unauthorized disclosure of data vulnerability</topic>
    <affects>
      <package>
        <name>hadoop2</name>
        <range><ge>2.6</ge><lt>2.7</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Arun Suresh reports:</p>
        <blockquote cite="http://mail-archives.apache.org/mod_mbox/hadoop-general/201602.mbox/browser">
          <p>RPC traffic from clients, potentially including authentication
          credentials, may be intercepted by a malicious user with access to
          run tasks or containers on a cluster.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-1776</cvename>
      <url>http://mail-archives.apache.org/mod_mbox/hadoop-general/201602.mbox/browser</url>
    </references>
    <dates>
      <discovery>2016-02-15</discovery>
      <entry>2016-03-19</entry>
    </dates>
  </vuln>

  <vuln vid="d2a84feb-ebe0-11e5-92ce-002590263bf5">
    <topic>git -- integer overflow</topic>
    <affects>
      <package>
        <name>git</name>
        <range><lt>2.4.11</lt></range>
        <range><ge>2.5.0</ge><lt>2.5.5</lt></range>
        <range><ge>2.6.0</ge><lt>2.6.6</lt></range>
        <range><ge>2.7.0</ge><lt>2.7.4</lt></range>
      </package>
      <package>
        <name>git-gui</name>
        <range><lt>2.4.11</lt></range>
        <range><ge>2.5.0</ge><lt>2.5.5</lt></range>
        <range><ge>2.6.0</ge><lt>2.6.6</lt></range>
        <range><ge>2.7.0</ge><lt>2.7.4</lt></range>
      </package>
      <package>
        <name>git-lite</name>
        <range><lt>2.4.11</lt></range>
        <range><ge>2.5.0</ge><lt>2.5.5</lt></range>
        <range><ge>2.6.0</ge><lt>2.6.6</lt></range>
        <range><ge>2.7.0</ge><lt>2.7.4</lt></range>
      </package>
      <package>
        <name>git-subversion</name>
        <range><lt>2.4.11</lt></range>
        <range><ge>2.5.0</ge><lt>2.5.5</lt></range>
        <range><ge>2.6.0</ge><lt>2.6.6</lt></range>
        <range><ge>2.7.0</ge><lt>2.7.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Debian reports:</p>
        <blockquote cite="https://security-tracker.debian.org/tracker/CVE-2016-2324">
          <p>integer overflow due to a loop which adds more to "len".</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-2324</cvename>
      <url>https://security-tracker.debian.org/tracker/CVE-2016-2324</url>
      <url>https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d</url>
    </references>
    <dates>
      <discovery>2016-02-24</discovery>
      <entry>2016-03-18</entry>
    </dates>
  </vuln>

  <vuln vid="93ee802e-ebde-11e5-92ce-002590263bf5">
    <topic>git -- potential code execution</topic>
    <affects>
      <package>
        <name>git</name>
        <range><lt>2.7.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Debian reports:</p>
        <blockquote cite="https://security-tracker.debian.org/tracker/CVE-2016-2315">
          <p>"int" is the wrong data type for ...
          nlen assignment.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-2315</cvename>
      <url>http://www.openwall.com/lists/oss-security/2016/03/15/6</url>
      <url>https://marc.info/?l=oss-security&amp;m=145809217306686&amp;w=2</url>
      <url>https://github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305</url>
      <url>https://security-tracker.debian.org/tracker/CVE-2016-2315</url>
    </references>
    <dates>
      <discovery>2015-09-24</discovery>
      <entry>2016-03-17</entry>
    </dates>
  </vuln>

  <vuln vid="6d33b3e5-ea03-11e5-85be-14dae9d210b8">
    <topic>node -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>node</name>
        <range><lt>5.7.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Jeremiah Senkpiel reports:</p>
        <blockquote cite="https://github.com/nodejs/node/commit/805f054cc7791c447dbb960fbf3b179ea05294ac">
          <ul>
            <li><p>Fix a double-free defect in parsing malformed DSA keys
            that may potentially be used for DoS or memory corruption attacks.</p></li>
            <li><p>Fix a defect that can cause memory corruption in
            certain very rare cases</p></li>
            <li><p>Fix a defect that makes the CacheBleed Attack possible</p></li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://github.com/nodejs/node/commit/805f054cc7791c447dbb960fbf3b179ea05294ac</url>
      <cvename>CVE-2016-0702</cvename>
      <cvename>CVE-2016-0705</cvename>
      <cvename>CVE-2016-0797</cvename>
    </references>
    <dates>
      <discovery>2016-03-02</discovery>
      <entry>2016-03-14</entry>
    </dates>
  </vuln>

  <vuln vid="8eb78cdc-e9ec-11e5-85be-14dae9d210b8">
    <topic>dropbear -- authorized_keys command= bypass</topic>
    <affects>
      <package>
        <name>dropbear</name>
        <range><lt>2016.72</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Matt Johnston reports:</p>
        <blockquote cite="https://matt.ucc.asn.au/dropbear/CHANGES">
          <p>Validate X11 forwarding input. Could allow bypass of
          authorized_keys command= restrictions.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://matt.ucc.asn.au/dropbear/CHANGES</url>
      <cvename>CVE-2016-3116</cvename>
    </references>
    <dates>
      <discovery>2016-03-11</discovery>
      <entry>2016-03-14</entry>
    </dates>
  </vuln>

  <vuln vid="77b7ffb7-e937-11e5-8bed-5404a68ad561">
    <topic>jpgraph2 -- XSS vulnerability</topic>
    <affects>
      <package>
        <name>jpgraph2</name>
        <range><lt>3.0.7_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Martin Barbella reports:</p>
        <blockquote cite="http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded">
          <p>JpGraph is an object oriented library for PHP that can be used to create
          various types of graphs which also contains support for client side
          image maps.

          The GetURLArguments function for JpGraph's Graph class does not
          properly sanitize the names of get and post variables, leading to a
          cross site scripting vulnerability.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded</url>
    </references>
    <dates>
      <discovery>2009-12-22</discovery>
      <entry>2016-03-13</entry>
    </dates>
  </vuln>

  <vuln vid="5af511e5-e928-11e5-92ce-002590263bf5">
    <topic>php7 -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>php70</name>
        <name>php70-soap</name>
        <range><lt>7.0.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The PHP Group reports:</p>
        <blockquote cite="http://php.net/ChangeLog-7.php#7.0.4">
          <ul><li>Core:
            <ul>
              <li>Fixed bug #71637 (Multiple Heap Overflow due to integer
              overflows in xml/filter_url/addcslashes).</li>
            </ul></li>
            <li>SOAP:
            <ul>
              <li>Fixed bug #71610 (Type Confusion Vulnerability - SOAP /
              make_http_soap_request()).</li>
            </ul></li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://php.net/ChangeLog-7.php#7.0.4</url>
    </references>
    <dates>
      <discovery>2016-03-03</discovery>
      <entry>2016-03-13</entry>
    </dates>
  </vuln>

  <vuln vid="e991ef79-e920-11e5-92ce-002590263bf5">
    <topic>php5 -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>php55-phar</name>
        <name>php55-wddx</name>
        <range><lt>5.5.33</lt></range>
      </package>
      <package>
        <name>php56-phar</name>
        <name>php56-wddx</name>
        <range><lt>5.6.19</lt></range>
      </package>
    </affects>
    <description>
      <body
      xmlns="http://www.w3.org/1999/xhtml">
        <p>The PHP Group reports:</p>
        <blockquote cite="http://php.net/ChangeLog-5.php#5.6.19">
          <ul><li>Phar:
            <ul>
              <li>Fixed bug #71498 (Out-of-Bound Read in phar_parse_zipfile()).</li>
            </ul></li>
            <li>WDDX:
            <ul>
              <li>Fixed bug #71587 (Use-After-Free / Double-Free in WDDX
              Deserialize).</li>
            </ul></li>
          </ul>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://php.net/ChangeLog-5.php#5.6.19</url>
      <url>http://php.net/ChangeLog-5.php#5.5.33</url>
    </references>
    <dates>
      <discovery>2016-03-03</discovery>
      <entry>2016-03-13</entry>
    </dates>
  </vuln>

  <vuln vid="e4644df8-e7da-11e5-829d-c80aa9043978">
    <topic>openssh -- command injection when X11Forwarding is enabled</topic>
    <affects>
      <package>
        <name>openssh-portable</name>
        <range><lt>7.2.p2,1</lt></range>
      </package>
      <package>
        <name>FreeBSD</name>
        <range><ge>10.2</ge><lt>10.2_14</lt></range>
        <range><ge>10.1</ge><lt>10.1_31</lt></range>
        <range><ge>9.3</ge><lt>9.3_39</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The OpenSSH project reports:</p>
        <blockquote cite="http://www.openssh.com/txt/x11fwd.adv">
          <p>Missing sanitisation of untrusted input allows an
          authenticated user who is able to request X11 forwarding
          to inject commands to xauth(1).</p>
          <p>Injection of xauth commands grants the ability to read
          arbitrary files under the authenticated user's privilege.
          Other xauth commands allow limited information leakage,
          file overwrite, port probing and generally expose xauth(1),
          which was not written with a hostile user in mind, as an
          attack surface.</p>
          <p>Mitigation:</p>
          <p>Set X11Forwarding=no in sshd_config.
          This is the default.</p>
          <p>For authorized_keys that specify a "command" restriction,
          also set the "restrict" (available in OpenSSH >=7.2) or
          "no-x11-forwarding" restrictions.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.openssh.com/txt/x11fwd.adv</url>
      <cvename>CVE-2016-3115</cvename>
      <freebsdsa>SA-16:14.openssh</freebsdsa>
    </references>
    <dates>
      <discovery>2016-03-11</discovery>
      <entry>2016-03-11</entry>
      <modified>2016-08-09</modified>
    </dates>
  </vuln>

  <vuln vid="70c44cd0-e717-11e5-85be-14dae9d210b8">
    <topic>quagga -- stack based buffer overflow vulnerability</topic>
    <affects>
      <package>
        <name>quagga</name>
        <range><lt>1.0.20160309</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Donald Sharp reports:</p>
        <blockquote cite="https://www.kb.cert.org/vuls/id/270232">
          <p>A malicious BGP peer may execute arbitrary code in
          particularly configured remote bgpd hosts.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://www.kb.cert.org/vuls/id/270232</url>
      <url>http://savannah.nongnu.org/forum/forum.php?forum_id=8476</url>
      <cvename>CVE-2016-2342</cvename>
    </references>
    <dates>
      <discovery>2016-01-27</discovery>
      <entry>2016-03-10</entry>
    </dates>
  </vuln>

  <vuln vid="d71831ef-e6f8-11e5-85be-14dae9d210b8">
    <topic>ricochet -- information disclosure</topic>
    <affects>
      <package>
        <name>ricochet</name>
        <range><lt>1.1.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>special reports:</p>
        <blockquote cite="https://github.com/ricochet-im/ricochet/releases/tag/v1.1.2">
          <p>By sending a nickname with some
          HTML tags in a contact
          request, an attacker could cause Ricochet to make network requests
          without Tor after the request is accepted, which would reveal the user's
          IP address.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://github.com/ricochet-im/ricochet/releases/tag/v1.1.2</url>
    </references>
    <dates>
      <discovery>2016-02-15</discovery>
      <entry>2016-03-10</entry>
    </dates>
  </vuln>

  <vuln vid="77e0b631-e6cf-11e5-85be-14dae9d210b8">
    <topic>pidgin-otr -- use after free</topic>
    <affects>
      <package>
        <name>pidgin-otr</name>
        <range><lt>4.0.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Hanno Böck reports:</p>
        <blockquote cite="http://seclists.org/oss-sec/2016/q1/572">
          <p>The pidgin-otr plugin version 4.0.2 fixes a heap use after
          free error.
          The bug is triggered when a user tries to authenticate a buddy and
          happens in the function create_smp_dialog.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://seclists.org/oss-sec/2016/q1/572</url>
      <url>https://bugs.otr.im/issues/88</url>
      <url>https://bugs.otr.im/issues/128</url>
      <cvename>CVE-2015-8833</cvename>
    </references>
    <dates>
      <discovery>2015-04-04</discovery>
      <entry>2016-03-10</entry>
    </dates>
  </vuln>

  <vuln vid="c2b1652c-e647-11e5-85be-14dae9d210b8">
    <topic>libotr -- integer overflow</topic>
    <affects>
      <package>
        <name>libotr</name>
        <range><lt>4.1.1</lt></range>
      </package>
      <package>
        <name>libotr3</name>
        <range><ge>0</ge></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>X41 D-Sec reports:</p>
        <blockquote
          cite="https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/">
          <p>A remote attacker may crash or execute arbitrary code in
          libotr by sending large OTR messages.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/</url>
      <cvename>CVE-2016-2851</cvename>
    </references>
    <dates>
      <discovery>2016-02-17</discovery>
      <entry>2016-03-09</entry>
      <modified>2016-03-09</modified>
    </dates>
  </vuln>

  <vuln vid="1bcfd963-e483-41b8-ab8e-bad5c3ce49c9">
    <topic>brotli -- buffer overflow</topic>
    <affects>
      <package>
        <name>brotli</name>
        <range><ge>0.3.0</ge><lt>0.3.0_1</lt></range>
        <range><lt>0.2.0_2</lt></range>
      </package>
      <package>
        <name>libbrotli</name>
        <range><lt>0.3.0_3</lt></range>
      </package>
      <package>
        <name>chromium</name>
        <name>chromium-npapi</name>
        <name>chromium-pulse</name>
        <range><lt>48.0.2564.109</lt></range>
      </package>
      <package>
        <name>firefox</name>
        <name>linux-firefox</name>
        <range><lt>45.0,1</lt></range>
      </package>
      <package>
        <name>seamonkey</name>
        <name>linux-seamonkey</name>
        <range><lt>2.42</lt></range>
      </package>
      <package>
        <name>firefox-esr</name>
        <range><lt>38.7.0,1</lt></range>
      </package>
      <package>
        <name>libxul</name>
        <name>thunderbird</name>
        <name>linux-thunderbird</name>
        <range><lt>38.7.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Google Chrome Releases reports:</p>
        <blockquote cite="http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_9.html">
          <p>[583607] High CVE-2016-1624: Buffer overflow in Brotli.
          Credit to lukezli.</p>
        </blockquote>
        <p>Mozilla Foundation reports:</p>
        <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/">
          <p>Security researcher Luke Li reported a pointer underflow
          bug in the Brotli library's decompression that leads to a
          buffer overflow. This results in a potentially exploitable
          crash when triggered.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1624</cvename>
      <cvename>CVE-2016-1968</cvename>
      <url>https://github.com/google/brotli/commit/37a320dd81db8d546cd24a45b4c61d87b45dcade</url>
      <url>https://chromium.googlesource.com/chromium/src/+/7716418a27d561ee295a99f11fd3865580748de2%5E!/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-30/</url>
      <url>https://hg.mozilla.org/releases/mozilla-release/rev/4a5d8ade4e3e</url>
    </references>
    <dates>
      <discovery>2016-02-08</discovery>
      <entry>2016-03-08</entry>
      <modified>2016-03-08</modified>
    </dates>
  </vuln>

  <vuln vid="2225c5b4-1e5a-44fc-9920-b3201c384a15">
    <topic>mozilla -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>firefox</name>
        <name>linux-firefox</name>
        <range><lt>45.0,1</lt></range>
      </package>
      <package>
        <name>seamonkey</name>
        <name>linux-seamonkey</name>
        <range><lt>2.42</lt></range>
      </package>
      <package>
        <name>firefox-esr</name>
        <range><lt>38.7.0,1</lt></range>
      </package>
      <package>
        <name>libxul</name>
        <name>thunderbird</name>
        <name>linux-thunderbird</name>
        <range><lt>38.7.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Mozilla Foundation reports:</p>
        <blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45">
          <p>MFSA 2016-16 Miscellaneous memory safety hazards (rv:45.0
          / rv:38.7)</p>
          <p>MFSA 2016-17 Local file overwriting and potential
          privilege escalation through CSP reports</p>
          <p>MFSA 2016-18 CSP reports fail to strip location
          information for embedded iframe pages</p>
          <p>MFSA 2016-19 Linux video memory DOS with Intel
          drivers</p>
          <p>MFSA 2016-20 Memory leak in libstagefright when deleting
          an array during MP4 processing</p>
          <p>MFSA 2016-21 Displayed page address can be overridden</p>
          <p>MFSA 2016-22 Service Worker Manager out-of-bounds read in
          Service Worker Manager</p>
          <p>MFSA 2016-23 Use-after-free in HTML5 string parser</p>
          <p>MFSA 2016-24 Use-after-free in SetBody</p>
          <p>MFSA 2016-25 Use-after-free when using multiple WebRTC
          data channels</p>
          <p>MFSA 2016-26 Memory corruption when modifying a file
          being read by FileReader</p>
          <p>MFSA 2016-27 Use-after-free during XML
          transformations</p>
          <p>MFSA 2016-28 Addressbar spoofing through history
          navigation and Location protocol property</p>
          <p>MFSA 2016-29 Same-origin policy violation using
          performance.getEntries and history navigation with session
          restore</p>
          <p>MFSA 2016-31 Memory corruption with malicious NPAPI
          plugin</p>
          <p>MFSA 2016-32 WebRTC and LibVPX vulnerabilities found
          through code inspection</p>
          <p>MFSA 2016-33 Use-after-free in GetStaticInstance in
          WebRTC</p>
          <p>MFSA 2016-34 Out-of-bounds read in HTML parser following
          a failed allocation</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2016-1952</cvename>
      <cvename>CVE-2016-1953</cvename>
      <cvename>CVE-2016-1954</cvename>
      <cvename>CVE-2016-1955</cvename>
      <cvename>CVE-2016-1956</cvename>
      <cvename>CVE-2016-1957</cvename>
      <cvename>CVE-2016-1958</cvename>
      <cvename>CVE-2016-1959</cvename>
      <cvename>CVE-2016-1960</cvename>
      <cvename>CVE-2016-1961</cvename>
      <cvename>CVE-2016-1962</cvename>
      <cvename>CVE-2016-1963</cvename>
      <cvename>CVE-2016-1964</cvename>
      <cvename>CVE-2016-1965</cvename>
      <cvename>CVE-2016-1966</cvename>
      <cvename>CVE-2016-1967</cvename>
      <cvename>CVE-2016-1970</cvename>
      <cvename>CVE-2016-1971</cvename>
      <cvename>CVE-2016-1972</cvename>
      <cvename>CVE-2016-1973</cvename>
      <cvename>CVE-2016-1974</cvename>
      <cvename>CVE-2016-1975</cvename>
      <cvename>CVE-2016-1976</cvename>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-16/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-17/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-18/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-19/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-20/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-21/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-22/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-23/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-24/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-25/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-26/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-27/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-28/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-29/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-31/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-32/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-33/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-34/</url>
    </references>
    <dates>
      <discovery>2016-03-08</discovery>
      <entry>2016-03-08</entry>
      <modified>2016-03-08</modified>
    </dates>
  </vuln>

  <vuln vid="adffe823-e692-4921-ae9c-0b825c218372">
    <topic>graphite2 -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>graphite2</name>
        <range><lt>1.3.6</lt></range>
      </package>
      <package>
        <name>linux-firefox</name>
        <range><lt>45.0,1</lt></range>
      </package>
      <package>
        <name>linux-thunderbird</name>
        <range><lt>38.7.0</lt></range>
      </package>
      <package>
        <name>linux-seamonkey</name>
        <range><lt>2.42</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Mozilla Foundation reports:</p>
        <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/">
          <p>Security researcher Holger Fuhrmannek and Mozilla
          security engineer Tyson Smith reported a number of security
          vulnerabilities in the Graphite 2 library affecting version
          1.3.5.</p>
          <p>The issue reported by Holger Fuhrmannek is a mechanism to
          induce stack corruption with a malicious graphite font. This
          leads to a potentially exploitable crash when the font is
          loaded.</p>
          <p>Tyson Smith used the Address Sanitizer tool in concert with
          a custom software fuzzer to find a series of uninitialized
          memory, out-of-bounds read, and out-of-bounds write errors
          when working with fuzzed graphite fonts.</p>
        </blockquote>
        <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-38/">
          <p>Security researcher James Clawson used the Address
          Sanitizer tool to discover an out-of-bounds write in the
          Graphite 2 library when loading a crafted Graphite font
          file.
          This results in a potentially exploitable crash.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-37/</url>
      <url>https://www.mozilla.org/security/advisories/mfsa2016-38/</url>
      <cvename>CVE-2016-1969</cvename>
      <cvename>CVE-2016-1977</cvename>
      <cvename>CVE-2016-2790</cvename>
      <cvename>CVE-2016-2791</cvename>
      <cvename>CVE-2016-2792</cvename>
      <cvename>CVE-2016-2793</cvename>
      <cvename>CVE-2016-2794</cvename>
      <cvename>CVE-2016-2795</cvename>
      <cvename>CVE-2016-2796</cvename>
      <cvename>CVE-2016-2797</cvename>
      <cvename>CVE-2016-2798</cvename>
      <cvename>CVE-2016-2799</cvename>
      <cvename>CVE-2016-2800</cvename>
      <cvename>CVE-2016-2801</cvename>
      <cvename>CVE-2016-2802</cvename>
    </references>
    <dates>
      <discovery>2016-03-08</discovery>
      <entry>2016-03-08</entry>
      <modified>2016-03-14</modified>
    </dates>
  </vuln>

  <vuln vid="c4292768-5273-4f17-a267-c5fe35125ce4">
    <topic>NSS -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>nss</name>
        <range><ge>3.20</ge><lt>3.21.1</lt></range>
        <range><lt>3.19.2.3</lt></range>
      </package>
      <package>
        <name>linux-c6-nss</name>
        <range><ge>3.20</ge><lt>3.21.0_1</lt></range>
        <range><lt>3.19.2.3</lt></range>
      </package>
      <package>
        <name>linux-firefox</name>
        <range><lt>45.0,1</lt></range>
      </package>
      <package>
        <name>linux-thunderbird</name>
        <range><lt>38.7.0</lt></range>
      </package>
      <package>
        <name>linux-seamonkey</name>
        <range><lt>2.42</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Mozilla Foundation reports:</p>
        <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/">
14932 <p>Security researcher Francis Gabriel reported a heap-based 14933 buffer overflow in the way the Network Security Services 14934 (NSS) libraries parsed certain ASN.1 structures. An attacker 14935 could create a specially-crafted certificate which, when 14936 parsed by NSS, would cause it to crash or execute arbitrary 14937 code with the permissions of the user.</p> 14938 </blockquote> 14939 <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-36/"> 14940 <p>Mozilla developer Tim Taubert used the Address Sanitizer 14941 tool and software fuzzing to discover a use-after-free 14942 vulnerability while processing DER encoded keys in the 14943 Network Security Services (NSS) libraries. The vulnerability 14944 overwrites the freed memory with zeroes.</p> 14945 </blockquote> 14946 </body> 14947 </description> 14948 <references> 14949 <cvename>CVE-2016-1950</cvename> 14950 <cvename>CVE-2016-1979</cvename> 14951 <url>https://www.mozilla.org/security/advisories/mfsa2016-35/</url> 14952 <url>https://www.mozilla.org/security/advisories/mfsa2016-36/</url> 14953 <url>https://hg.mozilla.org/projects/nss/rev/b9a31471759d</url> 14954 <url>https://hg.mozilla.org/projects/nss/rev/7033b1193c94</url> 14955 </references> 14956 <dates> 14957 <discovery>2016-03-08</discovery> 14958 <entry>2016-03-08</entry> 14959 <modified>2016-09-05</modified> 14960 </dates> 14961 </vuln> 14962 14963 <vuln vid="75091516-6f4b-4059-9884-6727023dc366"> 14964 <topic>NSS -- multiple vulnerabilities</topic> 14965 <affects> 14966 <package> 14967 <name>nss</name> 14968 <name>linux-c6-nss</name> 14969 <range><lt>3.21</lt></range> 14970 </package> 14971 <package> 14972 <name>linux-firefox</name> 14973 <range><lt>44.0,1</lt></range> 14974 </package> 14975 <package> 14976 <name>linux-seamonkey</name> 14977 <range><lt>2.41</lt></range> 14978 </package> 14979 </affects> 14980 <description> 14981 <body xmlns="http://www.w3.org/1999/xhtml"> 14982 <p>Mozilla Foundation reports:</p> 14983 
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-07/"> 14984 <p>Security researcher Hanno Böck reported that calculations 14985 with mp_div and mp_exptmod in Network Security Services 14986 (NSS) can produce wrong results in some circumstances. These 14987 functions are used within NSS for a variety of cryptographic 14988 division functions, leading to potential cryptographic 14989 weaknesses.</p> 14990 </blockquote> 14991 <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-15/"> 14992 <p>Mozilla developer Eric Rescorla reported that a failed 14993 allocation during DHE and ECDHE handshakes would lead to a 14994 use-after-free vulnerability.</p> 14995 </blockquote> 14996 </body> 14997 </description> 14998 <references> 14999 <cvename>CVE-2016-1938</cvename> 15000 <cvename>CVE-2016-1978</cvename> 15001 <url>https://www.mozilla.org/security/advisories/mfsa2016-07/</url> 15002 <url>https://www.mozilla.org/security/advisories/mfsa2016-15/</url> 15003 <url>https://hg.mozilla.org/projects/nss/rev/a555bf0fc23a</url> 15004 <url>https://hg.mozilla.org/projects/nss/rev/a245a4ccd354</url> 15005 </references> 15006 <dates> 15007 <discovery>2016-01-26</discovery> 15008 <entry>2016-03-08</entry> 15009 </dates> 15010 </vuln> 15011 15012 <vuln vid="f9e6c0d1-e4cc-11e5-b2bd-002590263bf5"> 15013 <topic>django -- multiple vulnerabilities</topic> 15014 <affects> 15015 <package> 15016 <name>py27-django</name> 15017 <name>py32-django</name> 15018 <name>py33-django</name> 15019 <name>py34-django</name> 15020 <name>py35-django</name> 15021 <range><lt>1.8.10</lt></range> 15022 </package> 15023 <package> 15024 <name>py27-django18</name> 15025 <name>py32-django18</name> 15026 <name>py33-django18</name> 15027 <name>py34-django18</name> 15028 <name>py35-django18</name> 15029 <range><lt>1.8.10</lt></range> 15030 </package> 15031 <package> 15032 <name>py27-django19</name> 15033 <name>py32-django19</name> 15034 <name>py33-django19</name> 15035 
<name>py34-django19</name> 15036 <name>py35-django19</name> 15037 <range><lt>1.9.3</lt></range> 15038 </package> 15039 <package> 15040 <name>py27-django-devel</name> 15041 <name>py32-django-devel</name> 15042 <name>py33-django-devel</name> 15043 <name>py34-django-devel</name> 15044 <name>py35-django-devel</name> 15045 <range><le>20150709,1</le></range> 15046 </package> 15047 </affects> 15048 <description> 15049 <body xmlns="http://www.w3.org/1999/xhtml"> 15050 <p>Tim Graham reports:</p> 15051 <blockquote cite="https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/"> 15052 <p>Malicious redirect and possible XSS attack via user-supplied 15053 redirect URLs containing basic auth</p> 15054 <p>User enumeration through timing difference on password hasher work 15055 factor upgrade</p> 15056 </blockquote> 15057 </body> 15058 </description> 15059 <references> 15060 <cvename>CVE-2016-2512</cvename> 15061 <cvename>CVE-2016-2513</cvename> 15062 <url>https://www.djangoproject.com/weblog/2016/mar/01/security-releases/</url> 15063 </references> 15064 <dates> 15065 <discovery>2016-03-01</discovery> 15066 <entry>2016-03-08</entry> 15067 </dates> 15068 </vuln> 15069 15070 <vuln vid="fef03980-e4c6-11e5-b2bd-002590263bf5"> 15071 <topic>wordpress -- multiple vulnerabilities</topic> 15072 <affects> 15073 <package> 15074 <name>wordpress</name> 15075 <range><lt>4.4.2,1</lt></range> 15076 </package> 15077 <package> 15078 <name>de-wordpress</name> 15079 <name>ja-wordpress</name> 15080 <name>ru-wordpress</name> 15081 <name>zh-wordpress-zh_CN</name> 15082 <name>zh-wordpress-zh_TW</name> 15083 <range><lt>4.4.2</lt></range> 15084 </package> 15085 </affects> 15086 <description> 15087 <body xmlns="http://www.w3.org/1999/xhtml"> 15088 <p>Samuel Sidler reports:</p> 15089 <blockquote cite="https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/"> 15090 <p>WordPress 4.4.2 is now available. 
This is a security release for 15091 all previous versions and we strongly encourage you to update your 15092 sites immediately.</p> 15093 <p>WordPress versions 4.4.1 and earlier are affected by two security 15094 issues: a possible SSRF for certain local URIs, reported by Ronni 15095 Skansing; and an open redirection attack, reported by Shailesh 15096 Suthar.</p> 15097 </blockquote> 15098 </body> 15099 </description> 15100 <references> 15101 <cvename>CVE-2016-2221</cvename> 15102 <cvename>CVE-2016-2222</cvename> 15103 <url>http://www.openwall.com/lists/oss-security/2016/02/04/6</url> 15104 <url>https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/</url> 15105 </references> 15106 <dates> 15107 <discovery>2016-02-02</discovery> 15108 <entry>2016-03-08</entry> 15109 </dates> 15110 </vuln> 15111 15112 <vuln vid="7f0fbb30-e462-11e5-a3f3-080027ef73ec"> 15113 <topic>PuTTY - old-style scp downloads may allow remote code execution</topic> 15114 <affects> 15115 <package> 15116 <name>putty</name> 15117 <range><lt>0.67</lt></range> 15118 </package> 15119 </affects> 15120 <description> 15121 <body xmlns="http://www.w3.org/1999/xhtml"> 15122 <p>Simon G. Tatham reports:</p> 15123 <blockquote cite="http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html"> 15124 <p>Many versions of PSCP prior to 0.67 have a stack corruption 15125 vulnerability in their treatment of the 'sink' direction (i.e. 15126 downloading from server to client) of the old-style SCP protocol. 15127 </p> 15128 <p>In order for this vulnerability to be exploited, the user must 15129 connect to a malicious server and attempt to download any file.[...] 
15130 you can work around it in a vulnerable PSCP by using the -sftp 15131 option to force the use of the newer SFTP protocol, provided your 15132 server supports that protocol.</p> 15133 </blockquote> 15134 </body> 15135 </description> 15136 <references> 15137 <url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html</url> 15138 <cvename>CVE-2016-2563</cvename> 15139 <url>https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563</url> 15140 </references> 15141 <dates> 15142 <discovery>2016-02-26</discovery> 15143 <entry>2016-03-07</entry> 15144 </dates> 15145 </vuln> 15146 15147 <vuln vid="12d1b5a6-e39d-11e5-9f77-5453ed2e2b49"> 15148 <topic>websvn -- reflected cross-site scripting</topic> 15149 <affects> 15150 <package> 15151 <name>websvn</name> 15152 <range><lt>2.3.3_1</lt></range> 15153 </package> 15154 </affects> 15155 <description> 15156 <body xmlns="http://www.w3.org/1999/xhtml"> 15157 <p>Sebastien Delafond reports:</p> 15158 <blockquote cite="https://lists.debian.org/debian-security-announce/2016/msg00060.html"> 15159 <p>Jakub Palaczynski discovered that websvn, a web viewer for 15160 Subversion repositories, does not correctly sanitize user-supplied 15161 input, which allows a remote user to run reflected cross-site 15162 scripting attacks.</p> 15163 </blockquote> 15164 </body> 15165 </description> 15166 <references> 15167 <cvename>CVE-2016-2511</cvename> 15168 <url>https://lists.debian.org/debian-security-announce/2016/msg00060.html</url> 15169 <url>http://seclists.org/fulldisclosure/2016/Feb/99</url> 15170 </references> 15171 <dates> 15172 <discovery>2016-02-22</discovery> 15173 <entry>2016-03-06</entry> 15174 </dates> 15175 </vuln> 15176 15177 <vuln vid="f69e1f09-e39b-11e5-9f77-5453ed2e2b49"> 15178 <topic>websvn -- information disclosure</topic> 15179 <affects> 15180 <package> 15181 <name>websvn</name> 15182 <range><lt>2.3.3_1</lt></range> 15183 </package> 15184 </affects> 15185 <description> 15186 <body 
xmlns="http://www.w3.org/1999/xhtml"> 15187 <p>Thijs Kinkhorst reports:</p> 15188 <blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682"> 15189 <p>James Clawson reported:</p> 15190 <p>"Arbitrary files with a known path can be accessed in websvn by 15191 committing a symlink to a repository and then downloading the file 15192 (using the download link).</p> 15193 <p>An attacker must have write access to the repo, and the download 15194 option must have been enabled in the websvn config file."</p> 15195 </blockquote> 15196 </body> 15197 </description> 15198 <references> 15199 <cvename>CVE-2013-6892</cvename> 15200 <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6892</url> 15201 <url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682</url> 15202 </references> 15203 <dates> 15204 <discovery>2015-01-18</discovery> 15205 <entry>2016-03-06</entry> 15206 </dates> 15207 </vuln> 15208 15209 <vuln vid="5a016dd0-8aa8-490e-a596-55f4cc17e4ef"> 15210 <topic>rails -- multiple vulnerabilities</topic> 15211 <affects> 15212 <package> 15213 <name>rubygem-actionpack</name> 15214 <range><lt>3.2.22.2</lt></range> 15215 </package> 15216 <package> 15217 <name>rubygem-actionpack4</name> 15218 <range><lt>4.2.5.2</lt></range> 15219 </package> 15220 <package> 15221 <name>rubygem-actionview</name> 15222 <range><lt>4.2.5.2</lt></range> 15223 </package> 15224 <package> 15225 <name>rubygem-rails</name> 15226 <range><lt>3.2.22.2</lt></range> 15227 </package> 15228 <package> 15229 <name>rubygem-rails4</name> 15230 <range><lt>4.2.5.2</lt></range> 15231 </package> 15232 </affects> 15233 <description> 15234 <body xmlns="http://www.w3.org/1999/xhtml"> 15235 <p>Ruby on Rails blog:</p> 15236 <blockquote cite="http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/"> 15237 <p>Rails 4.2.5.2, 4.1.14.2, and 3.2.22.2 have been released! 
These 15238 contain the following important security fixes, and it is 15239 recommended that users upgrade as soon as possible.</p> 15240 </blockquote> 15241 </body> 15242 </description> 15243 <references> 15244 <cvename>CVE-2016-2097</cvename> 15245 <cvename>CVE-2016-2098</cvename> 15246 <url>https://groups.google.com/d/msg/rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ</url> 15247 <url>https://groups.google.com/d/msg/rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ</url> 15248 <url>http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/</url> 15249 </references> 15250 <dates> 15251 <discovery>2016-02-29</discovery> 15252 <entry>2016-03-06</entry> 15253 </dates> 15254 </vuln> 15255 15256 <vuln vid="f85fa236-e2a6-412e-b5c7-c42120892de5"> 15257 <topic>chromium -- multiple vulnerabilities</topic> 15258 <affects> 15259 <package> 15260 <name>chromium</name> 15261 <name>chromium-npapi</name> 15262 <name>chromium-pulse</name> 15263 <range><lt>49.0.2623.75</lt></range> 15264 </package> 15265 </affects> 15266 <description> 15267 <body xmlns="http://www.w3.org/1999/xhtml"> 15268 <p>Google Chrome Releases reports:</p> 15269 <blockquote cite="http://googlechromereleases.blogspot.de/2016/03/stable-channel-update.html"> 15270 <p>[560011] High CVE-2016-1630: Same-origin bypass in Blink.</p> 15271 <p>[569496] High CVE-2016-1631: Same-origin bypass in Pepper Plugin.</p> 15272 <p>[549986] High CVE-2016-1632: Bad cast in Extensions.</p> 15273 <p>[572537] High CVE-2016-1633: Use-after-free in Blink.</p> 15274 <p>[559292] High CVE-2016-1634: Use-after-free in Blink.</p> 15275 <p>[585268] High CVE-2016-1635: Use-after-free in Blink.</p> 15276 <p>[584155] High CVE-2016-1636: SRI Validation Bypass.</p> 15277 <p>[555544] Medium CVE-2016-1637: Information Leak in Skia.</p> 15278 <p>[585282] Medium CVE-2016-1638: WebAPI Bypass.</p> 15279 <p>[572224] Medium CVE-2016-1639: Use-after-free in WebRTC.</p> 15280 <p>[550047] Medium CVE-2016-1640: Origin confusion in 
Extensions UI.</p> 15281 <p>[583718] Medium CVE-2016-1641: Use-after-free in Favicon.</p> 15282 <p>[591402] CVE-2016-1642: Various fixes from internal audits, fuzzing and other initiatives.</p> 15283 <p>Multiple vulnerabilities in V8 fixed.</p> 15284 </blockquote> 15285 </body> 15286 </description> 15287 <references> 15288 <cvename>CVE-2016-1630</cvename> 15289 <cvename>CVE-2016-1631</cvename> 15290 <cvename>CVE-2016-1632</cvename> 15291 <cvename>CVE-2016-1633</cvename> 15292 <cvename>CVE-2016-1634</cvename> 15293 <cvename>CVE-2016-1635</cvename> 15294 <cvename>CVE-2016-1636</cvename> 15295 <cvename>CVE-2016-1637</cvename> 15296 <cvename>CVE-2016-1638</cvename> 15297 <cvename>CVE-2016-1639</cvename> 15298 <cvename>CVE-2016-1640</cvename> 15299 <cvename>CVE-2016-1641</cvename> 15300 <cvename>CVE-2016-1642</cvename> 15301 <url>http://googlechromereleases.blogspot.de/2016/03/stable-channel-update.html</url> 15302 </references> 15303 <dates> 15304 <discovery>2016-03-02</discovery> 15305 <entry>2016-03-05</entry> 15306 </dates> 15307 </vuln> 15308 15309 <vuln vid="6b3591ea-e2d2-11e5-a6be-5453ed2e2b49"> 15310 <topic>libssh -- weak Diffie-Hellman secret generation</topic> 15311 <affects> 15312 <package> 15313 <name>libssh</name> 15314 <range><lt>0.7.3</lt></range> 15315 </package> 15316 </affects> 15317 <description> 15318 <body xmlns="http://www.w3.org/1999/xhtml"> 15319 <p>Andreas Schneider reports:</p> 15320 <blockquote cite="https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/"> 15321 <p>libssh versions 0.1 and above have a bits/bytes confusion bug and 15322 generate an abnormally short ephemeral secret for the 15323 diffie-hellman-group1 and diffie-hellman-group14 key exchange 15324 methods. The resulting secret is 128 bits long, instead of the 15325 recommended sizes of 1024 and 2048 bits respectively. 
There are 15326 practical algorithms (Baby steps/Giant steps, Pollard’s rho) that can 15327 solve this problem in O(2^63) operations.</p> 15328 <p>Both client and server are are vulnerable, pre-authentication. 15329 This vulnerability could be exploited by an eavesdropper with enough 15330 resources to decrypt or intercept SSH sessions. The bug was found 15331 during an internal code review by Aris Adamantiadis of the libssh 15332 team.</p> 15333 </blockquote> 15334 </body> 15335 </description> 15336 <references> 15337 <cvename>CVE-2016-0739</cvename> 15338 <url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739</url> 15339 <url>https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/</url> 15340 </references> 15341 <dates> 15342 <discovery>2016-02-23</discovery> 15343 <entry>2016-03-05</entry> 15344 </dates> 15345 </vuln> 15346 15347 <vuln vid="7d09b9ee-e0ba-11e5-abc4-6fb07af136d2"> 15348 <topic>exim -- local privillege escalation</topic> 15349 <affects> 15350 <package> 15351 <name>exim</name> 15352 <range><lt>4.86.2</lt></range> 15353 <range><lt>4.85.2</lt></range> 15354 <range><lt>4.84.2</lt></range> 15355 </package> 15356 </affects> 15357 <description> 15358 <body xmlns="http://www.w3.org/1999/xhtml"> 15359 <p>The Exim development team reports:</p> 15360 <blockquote cite="https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html"> 15361 <p>All installations having Exim set-uid root and using 'perl_startup' are 15362 vulnerable to a local privilege escalation. Any user who can start an 15363 instance of Exim (and this is normally <strong>any</strong> user) can gain root 15364 privileges. 
If you do not use 'perl_startup' you <strong>should</strong> be safe.</p> 15365 </blockquote> 15366 </body> 15367 </description> 15368 <references> 15369 <cvename>CVE-2016-1531</cvename> 15370 <url>https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html</url> 15371 </references> 15372 <dates> 15373 <discovery>2016-02-26</discovery> 15374 <entry>2016-03-02</entry> 15375 </dates> 15376 </vuln> 15377 15378 <vuln vid="db3301be-e01c-11e5-b2bd-002590263bf5"> 15379 <topic>cacti -- multiple vulnerabilities</topic> 15380 <affects> 15381 <package> 15382 <name>cacti</name> 15383 <range><lt>0.8.8g</lt></range> 15384 </package> 15385 </affects> 15386 <description> 15387 <body xmlns="http://www.w3.org/1999/xhtml"> 15388 <p>The Cacti Group, Inc. reports:</p> 15389 <blockquote cite="http://www.cacti.net/release_notes_0_8_8g.php"> 15390 <p>Changelog</p> 15391 <ul> 15392 <li>bug:0002652: CVE-2015-8604: SQL injection in graphs_new.php</li> 15393 <li>bug:0002655: CVE-2015-8377: SQL injection vulnerability in the 15394 host_new_graphs_save function in graphs_new.php</li> 15395 <li>bug:0002656: Authentication using web authentication as a user 15396 not in the cacti database allows complete access</li> 15397 </ul> 15398 </blockquote> 15399 </body> 15400 </description> 15401 <references> 15402 <cvename>CVE-2015-8377</cvename> 15403 <cvename>CVE-2015-8604</cvename> 15404 <cvename>CVE-2016-2313</cvename> 15405 <url>http://www.cacti.net/release_notes_0_8_8g.php</url> 15406 <url>http://bugs.cacti.net/view.php?id=2652</url> 15407 <url>http://bugs.cacti.net/view.php?id=2655</url> 15408 <url>http://bugs.cacti.net/view.php?id=2656</url> 15409 <url>http://www.openwall.com/lists/oss-security/2016/02/09/3</url> 15410 </references> 15411 <dates> 15412 <discovery>2016-02-21</discovery> 15413 <entry>2016-03-02</entry> 15414 </dates> 15415 </vuln> 15416 15417 <vuln vid="f682a506-df7c-11e5-81e4-6805ca0b3d42"> 15418 <topic>phpmyadmin -- multiple XSS and a man-in-the-middle 
vulnerability</topic> 15419 <affects> 15420 <package> 15421 <name>phpmyadmin</name> 15422 <range><ge>4.5.0</ge><lt>4.5.5.1</lt></range> 15423 </package> 15424 </affects> 15425 <description> 15426 <body xmlns="http://www.w3.org/1999/xhtml"> 15427 <p>The phpMyAdmin development team reports:</p> 15428 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-10/"> 15429 <p>XSS vulnerability in SQL parser.</p> 15430 <p>Using a crafted SQL query, it is possible to trigger an XSS 15431 attack through the SQL query page.</p> 15432 <p>We consider this vulnerability to be non-critical.</p> 15433 </blockquote> 15434 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-11/"> 15435 <p>Multiple XSS vulnerabilities.</p> 15436 <p>By sending a specially crafted URL as part of the HOST 15437 header, it is possible to trigger an XSS attack.</p> 15438 <p>A weakness was found that allows an XSS attack with Internet 15439 Explorer versions older than 8 and Safari on Windows using a 15440 specially crafted URL.</p> 15441 <p>Using a crafted SQL query, it is possible to trigger an XSS 15442 attack through the SQL query page.</p> 15443 <p>Using a crafted parameter value, it is possible to trigger 15444 an XSS attack in user accounts page.</p> 15445 <p>Using a crafted parameter value, it is possible to trigger 15446 an XSS attack in zoom search page.</p> 15447 <p>We consider this vulnerability to be non-critical.</p> 15448 </blockquote> 15449 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-12/"> 15450 <p>Multiple XSS vulnerabilities.</p> 15451 <p>With a crafted table/column name it is possible to trigger 15452 an XSS attack in the database normalization page.</p> 15453 <p>With a crafted parameter it is possible to trigger an XSS 15454 attack in the database structure page.</p> 15455 <p>With a crafted parameter it is possible to trigger an XSS 15456 attack in central columns page.</p> 15457 <p>We consider this vulnerability to be non-critical.</p> 15458 
</blockquote> 15459 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-13/"> 15460 <p>Vulnerability allowing man-in-the-middle attack on API 15461 call to GitHub.</p> 15462 <p>A vulnerability in the API call to GitHub can be exploited 15463 to perform a man-in-the-middle attack.</p> 15464 <p>We consider this vulnerability to be serious.</p> 15465 </blockquote> 15466 </body> 15467 </description> 15468 <references> 15469 <url>https://www.phpmyadmin.net/security/PMASA-2016-10/</url> 15470 <url>https://www.phpmyadmin.net/security/PMASA-2016-11/</url> 15471 <url>https://www.phpmyadmin.net/security/PMASA-2016-12/</url> 15472 <url>https://www.phpmyadmin.net/security/PMASA-2016-13/</url> 15473 <cvename>CVE-2016-2559</cvename> 15474 <cvename>CVE-2016-2560</cvename> 15475 <cvename>CVE-2016-2561</cvename> 15476 <cvename>CVE-2016-2562</cvename> 15477 </references> 15478 <dates> 15479 <discovery>2016-02-29</discovery> 15480 <entry>2016-03-01</entry> 15481 </dates> 15482 </vuln> 15483 15484 <vuln vid="45117749-df55-11e5-b2bd-002590263bf5"> 15485 <topic>wireshark -- multiple vulnerabilities</topic> 15486 <affects> 15487 <package> 15488 <name>wireshark</name> 15489 <name>wireshark-lite</name> 15490 <name>wireshark-qt5</name> 15491 <name>tshark</name> 15492 <name>tshark-lite</name> 15493 <range><lt>2.0.2</lt></range> 15494 </package> 15495 </affects> 15496 <description> 15497 <body xmlns="http://www.w3.org/1999/xhtml"> 15498 <p>Wireshark development team reports:</p> 15499 <blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.2.html"> 15500 <p>The following vulnerabilities have been fixed:</p> 15501 <ul> 15502 <li><p>wnpa-sec-2016-02</p> 15503 <p>ASN.1 BER dissector crash. (Bug 11828) CVE-2016-2522</p></li> 15504 <li><p>wnpa-sec-2016-03</p> 15505 <p>DNP dissector infinite loop. (Bug 11938) CVE-2016-2523</p></li> 15506 <li><p>wnpa-sec-2016-04</p> 15507 <p>X.509AF dissector crash. 
(Bug 12002) CVE-2016-2524</p></li> 15508 <li><p>wnpa-sec-2016-05</p> 15509 <p>HTTP/2 dissector crash. (Bug 12077) CVE-2016-2525</p></li> 15510 <li><p>wnpa-sec-2016-06</p> 15511 <p>HiQnet dissector crash. (Bug 11983) CVE-2016-2526</p></li> 15512 <li><p>wnpa-sec-2016-07</p> 15513 <p>3GPP TS 32.423 Trace file parser crash. (Bug 11982) 15514 </p>CVE-2016-2527</li> 15515 <li><p>wnpa-sec-2016-08</p> 15516 <p>LBMC dissector crash. (Bug 11984) CVE-2016-2528</p></li> 15517 <li><p>wnpa-sec-2016-09</p> 15518 <p>iSeries file parser crash. (Bug 11985) CVE-2016-2529</p></li> 15519 <li><p>wnpa-sec-2016-10</p> 15520 <p>RSL dissector crash. (Bug 11829) CVE-2016-2530 15521 CVE-2016-2531</p></li> 15522 <li><p>wnpa-sec-2016-11</p> 15523 <p>LLRP dissector crash. (Bug 12048) CVE-2016-2532</p></li> 15524 <li><p>wnpa-sec-2016-12</p> 15525 <p>Ixia IxVeriWave file parser crash. (Bug 11795)</p></li> 15526 <li><p>wnpa-sec-2016-13</p> 15527 <p>IEEE 802.11 dissector crash. (Bug 11818)</p></li> 15528 <li><p>wnpa-sec-2016-14</p> 15529 <p>GSM A-bis OML dissector crash. (Bug 11825)</p></li> 15530 <li><p>wnpa-sec-2016-15</p> 15531 <p>ASN.1 BER dissector crash. (Bug 12106)</p></li> 15532 <li><p>wnpa-sec-2016-16</p> 15533 <p>SPICE dissector large loop. (Bug 12151)</p></li> 15534 <li><p>wnpa-sec-2016-17</p> 15535 <p>NFS dissector crash.</p></li> 15536 <li><p>wnpa-sec-2016-18</p> 15537 <p>ASN.1 BER dissector crash. 
(Bug 11822)</p></li> 15538 </ul> 15539 </blockquote> 15540 </body> 15541 </description> 15542 <references> 15543 <cvename>CVE-2016-2522</cvename> 15544 <cvename>CVE-2016-2523</cvename> 15545 <cvename>CVE-2016-2524</cvename> 15546 <cvename>CVE-2016-2525</cvename> 15547 <cvename>CVE-2016-2526</cvename> 15548 <cvename>CVE-2016-2527</cvename> 15549 <cvename>CVE-2016-2528</cvename> 15550 <cvename>CVE-2016-2529</cvename> 15551 <cvename>CVE-2016-2530</cvename> 15552 <cvename>CVE-2016-2531</cvename> 15553 <cvename>CVE-2016-2532</cvename> 15554 <cvename>CVE-2016-4415</cvename> 15555 <cvename>CVE-2016-4416</cvename> 15556 <cvename>CVE-2016-4417</cvename> 15557 <cvename>CVE-2016-4418</cvename> 15558 <cvename>CVE-2016-4419</cvename> 15559 <cvename>CVE-2016-4420</cvename> 15560 <cvename>CVE-2016-4421</cvename> 15561 <url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.2.html</url> 15562 <url>http://www.openwall.com/lists/oss-security/2016/05/01/1</url> 15563 </references> 15564 <dates> 15565 <discovery>2016-02-26</discovery> 15566 <entry>2016-03-01</entry> 15567 <modified>2016-07-04</modified> 15568 </dates> 15569 </vuln> 15570 15571 <vuln vid="42c2c422-df55-11e5-b2bd-002590263bf5"> 15572 <topic>wireshark -- multiple vulnerabilities</topic> 15573 <affects> 15574 <package> 15575 <name>wireshark</name> 15576 <name>wireshark-lite</name> 15577 <name>wireshark-qt5</name> 15578 <name>tshark</name> 15579 <name>tshark-lite</name> 15580 <range><lt>2.0.1</lt></range> 15581 </package> 15582 </affects> 15583 <description> 15584 <body xmlns="http://www.w3.org/1999/xhtml"> 15585 <p>Wireshark development team reports:</p> 15586 <blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.1.html"> 15587 <p>The following vulnerabilities have been fixed:</p> 15588 <ul> 15589 <li><p>wnpa-sec-2015-31</p> 15590 <p>NBAP dissector crashes. 
(Bug 11602, Bug 11835, Bug 11841)</p> 15591 </li> 15592 <li><p>wnpa-sec-2015-37</p> 15593 <p>NLM dissector crash.</p></li> 15594 <li><p>wnpa-sec-2015-39</p> 15595 <p>BER dissector crash.</p></li> 15596 <li><p>wnpa-sec-2015-40</p> 15597 <p>Zlib decompression crash. (Bug 11548)</p></li> 15598 <li><p>wnpa-sec-2015-41</p> 15599 <p>SCTP dissector crash. (Bug 11767)</p></li> 15600 <li><p>wnpa-sec-2015-42</p> 15601 <p>802.11 decryption crash. (Bug 11790, Bug 11826)</p></li> 15602 <li><p>wnpa-sec-2015-43</p> 15603 <p>DIAMETER dissector crash. (Bug 11792)</p></li> 15604 <li><p>wnpa-sec-2015-44</p> 15605 <p>VeriWave file parser crashes. (Bug 11789, Bug 11791)</p></li> 15606 <li><p>wnpa-sec-2015-45</p> 15607 <p>RSVP dissector crash. (Bug 11793)</p></li> 15608 <li><p>wnpa-sec-2015-46</p> 15609 <p>ANSI A and GSM A dissector crashes. (Bug 11797)</p></li> 15610 <li><p>wnpa-sec-2015-47</p> 15611 <p>Ascend file parser crash. (Bug 11794)</p></li> 15612 <li><p>wnpa-sec-2015-48</p> 15613 <p>NBAP dissector crash. (Bug 11815)</p></li> 15614 <li><p>wnpa-sec-2015-49</p> 15615 <p>RSL dissector crash. (Bug 11829)</p></li> 15616 <li><p>wnpa-sec-2015-50</p> 15617 <p>ZigBee ZCL dissector crash. (Bug 11830)</p></li> 15618 <li><p>wnpa-sec-2015-51</p> 15619 <p>Sniffer file parser crash. (Bug 11827)</p></li> 15620 <li><p>wnpa-sec-2015-52</p> 15621 <p>NWP dissector crash. (Bug 11726)</p></li> 15622 <li><p>wnpa-sec-2015-53</p> 15623 <p>BT ATT dissector crash. (Bug 11817)</p></li> 15624 <li><p>wnpa-sec-2015-54</p> 15625 <p>MP2T file parser crash. (Bug 11820)</p></li> 15626 <li><p>wnpa-sec-2015-55</p> 15627 <p>MP2T file parser crash. (Bug 11821)</p></li> 15628 <li><p>wnpa-sec-2015-56</p> 15629 <p>S7COMM dissector crash. (Bug 11823)</p></li> 15630 <li><p>wnpa-sec-2015-57</p> 15631 <p>IPMI dissector crash. (Bug 11831)</p></li> 15632 <li><p>wnpa-sec-2015-58</p> 15633 <p>TDS dissector crash. (Bug 11846)</p></li> 15634 <li><p>wnpa-sec-2015-59</p> 15635 <p>PPI dissector crash. 
(Bug 11876)</p></li> 15636 <li><p>wnpa-sec-2015-60</p> 15637 <p>MS-WSP dissector crash. (Bug 11931)</p></li> 15638 </ul> 15639 </blockquote> 15640 </body> 15641 </description> 15642 <references> 15643 <url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.1.html</url> 15644 </references> 15645 <dates> 15646 <discovery>2015-12-29</discovery> 15647 <entry>2016-03-01</entry> 15648 </dates> 15649 </vuln> 15650 15651 <vuln vid="7bbc3016-de63-11e5-8fa8-14dae9d210b8"> 15652 <topic>tomcat -- multiple vulnerabilities</topic> 15653 <affects> 15654 <package> 15655 <name>tomcat7</name> 15656 <range><lt>7.0.68</lt></range> 15657 </package> 15658 <package> 15659 <name>tomcat8</name> 15660 <range><lt>8.0.30</lt></range> 15661 </package> 15662 </affects> 15663 <description> 15664 <body xmlns="http://www.w3.org/1999/xhtml"> 15665 <p>Mark Thomas reports:</p> 15666 <blockquote cite="http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e"> 15667 <ul> 15668 <li><p>CVE-2015-5346 Apache Tomcat Session fixation</p></li> 15669 <li><p>CVE-2015-5351 Apache Tomcat CSRF token leak</p></li> 15670 <li><p>CVE-2016-0763 Apache Tomcat Security Manager Bypass</p></li> 15671 </ul> 15672 </blockquote> 15673 </body> 15674 </description> 15675 <references> 15676 <url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e</url> 15677 <url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF7B.1010901@apache.org%3e</url> 15678 <url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEFB2.9030605@apache.org%3e</url> 15679 <cvename>CVE-2015-5346</cvename> 15680 <cvename>CVE-2015-5351</cvename> 15681 <cvename>CVE-2016-0763</cvename> 15682 </references> 15683 <dates> 15684 <discovery>2016-02-22</discovery> 15685 <entry>2016-02-28</entry> 15686 </dates> 15687 </vuln> 15688 15689 <vuln vid="1f1124fe-de5c-11e5-8fa8-14dae9d210b8"> 15690 <topic>tomcat -- multiple 
vulnerabilities</topic> 15691 <affects> 15692 <package> 15693 <name>tomcat</name> 15694 <range><lt>6.0.45</lt></range> 15695 </package> 15696 <package> 15697 <name>tomcat7</name> 15698 <range><lt>7.0.68</lt></range> 15699 </package> 15700 <package> 15701 <name>tomcat8</name> 15702 <range><lt>8.0.30</lt></range> 15703 </package> 15704 </affects> 15705 <description> 15706 <body xmlns="http://www.w3.org/1999/xhtml"> 15707 <p>Mark Thomas reports:</p> 15708 <blockquote cite="http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e"> 15709 <ul> 15710 <li><p>CVE-2015-5345 Apache Tomcat Directory disclosure</p></li> 15711 <li><p>CVE-2016-0706 Apache Tomcat Security Manager bypass</p></li> 15712 <li><p>CVE-2016-0714 Apache Tomcat Security Manager Bypass</p></li> 15713 </ul> 15714 </blockquote> 15715 </body> 15716 </description> 15717 <references> 15718 <url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e</url> 15719 <url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF6A.70703@apache.org%3e</url> 15720 <url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF4F.5090003@apache.org%3e</url> 15721 <cvename>CVE-2015-5345</cvename> 15722 <cvename>CVE-2015-5346</cvename> 15723 <cvename>CVE-2016-0706</cvename> 15724 <cvename>CVE-2016-0714</cvename> 15725 </references> 15726 <dates> 15727 <discovery>2016-02-22</discovery> 15728 <entry>2016-02-28</entry> 15729 <modified>2017-03-18</modified> 15730 </dates> 15731 </vuln> 15732 15733 <vuln vid="a7f2e9c6-de20-11e5-8458-6cc21735f730"> 15734 <topic>xerces-c3 -- Parser Crashes on Malformed Input</topic> 15735 <affects> 15736 <package> 15737 <name>xerces-c3</name> 15738 <range><lt>3.1.3</lt></range> 15739 </package> 15740 </affects> 15741 <description> 15742 <body xmlns="http://www.w3.org/1999/xhtml"> 15743 <p>The Apache Software Foundation reports:</p> 15744 <blockquote 
cite="http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt"> 15745 <p>The Xerces-C XML parser mishandles certain kinds of malformed input 15746 documents, resulting in buffer overflows during processing and error 15747 reporting. The overflows can manifest as a segmentation fault or as 15748 memory corruption during a parse operation. The bugs allow for a 15749 denial of service attack in many applications by an unauthenticated 15750 attacker, and could conceivably result in remote code execution.</p> 15751 </blockquote> 15752 </body> 15753 </description> 15754 <references> 15755 <cvename>CVE-2016-0729</cvename> 15756 <url>http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt</url> 15757 </references> 15758 <dates> 15759 <discovery>2016-02-25</discovery> 15760 <entry>2016-02-28</entry> 15761 </dates> 15762 </vuln> 15763 15764 <vuln vid="6b1d8a39-ddb3-11e5-8fa8-14dae9d210b8"> 15765 <topic>django -- regression in permissions model</topic> 15766 <affects> 15767 <package> 15768 <name>py27-django19</name> 15769 <name>py33-django19</name> 15770 <name>py34-django19</name> 15771 <name>py35-django19</name> 15772 <range><lt>1.9.2</lt></range> 15773 </package> 15774 <package> 15775 <name>py27-django-devel</name> 15776 <name>py33-django-devel</name> 15777 <name>py34-django-devel</name> 15778 <name>py35-django-devel</name> 15779 <range><le>20150709,1</le></range> 15780 </package> 15781 </affects> 15782 <description> 15783 <body xmlns="http://www.w3.org/1999/xhtml"> 15784 <p>Tim Graham reports:</p> 15785 <blockquote cite="https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/"> 15786 <p>User with "change" but not "add" permission can create 15787 objects for ModelAdmin’s with save_as=True</p> 15788 </blockquote> 15789 </body> 15790 </description> 15791 <references> 15792 <url>https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/</url> 15793 <cvename>CVE-2016-2048</cvename> 15794 </references> 15795 <dates> 15796 
<discovery>2016-02-01</discovery> 15797 <entry>2016-02-28</entry> 15798 </dates> 15799 </vuln> 15800 15801 <vuln vid="81f9d6a4-ddaf-11e5-b2bd-002590263bf5"> 15802 <topic>xen-kernel -- VMX: guest user mode may crash guest with non-canonical RIP</topic> 15803 <affects> 15804 <package> 15805 <name>xen-kernel</name> 15806 <range><lt>4.5.2_2</lt></range> 15807 </package> 15808 </affects> 15809 <description> 15810 <body xmlns="http://www.w3.org/1999/xhtml"> 15811 <p>The Xen Project reports:</p> 15812 <blockquote cite="http://xenbits.xen.org/xsa/advisory-170.html"> 15813 <p>VMX refuses attempts to enter a guest with an instruction pointer 15814 which doesn't satisfy certain requirements. In particular, the 15815 instruction pointer needs to be canonical when entering a guest 15816 currently in 64-bit mode. This is the case even if the VM entry 15817 information specifies an exception to be injected immediately (in 15818 which case the bad instruction pointer would possibly never get used 15819 for other than pushing onto the exception handler's stack). 15820 Provided the guest OS allows user mode to map the virtual memory 15821 space immediately below the canonical/non-canonical address 15822 boundary, a non-canonical instruction pointer can result even from 15823 normal user mode execution. 
VM entry failure, however, is fatal to 15824 the guest.</p> 15825 <p>Malicious HVM guest user mode code may be able to crash the 15826 guest.</p> 15827 </blockquote> 15828 </body> 15829 </description> 15830 <references> 15831 <cvename>CVE-2016-2271</cvename> 15832 <url>http://xenbits.xen.org/xsa/advisory-170.html</url> 15833 </references> 15834 <dates> 15835 <discovery>2016-02-17</discovery> 15836 <entry>2016-02-28</entry> 15837 </dates> 15838 </vuln> 15839 15840 <vuln vid="80adc394-ddaf-11e5-b2bd-002590263bf5"> 15841 <topic>xen-kernel -- VMX: intercept issue with INVLPG on non-canonical address</topic> 15842 <affects> 15843 <package> 15844 <name>xen-kernel</name> 15845 <range><ge>3.3</ge><lt>4.5.2_2</lt></range> 15846 </package> 15847 </affects> 15848 <description> 15849 <body xmlns="http://www.w3.org/1999/xhtml"> 15850 <p>The Xen Project reports:</p> 15851 <blockquote cite="http://xenbits.xen.org/xsa/advisory-168.html"> 15852 <p>While INVLPG does not cause a General Protection Fault when used on 15853 a non-canonical address, INVVPID in its "individual address" 15854 variant, which is used to back the intercepted INVLPG in certain 15855 cases, fails in such cases. 
Failure of INVVPID results in a 15856 hypervisor bug check.</p> 15857 <p>A malicious guest can crash the host, leading to a Denial of 15858 Service.</p> 15859 </blockquote> 15860 </body> 15861 </description> 15862 <references> 15863 <cvename>CVE-2016-1571</cvename> 15864 <url>http://xenbits.xen.org/xsa/advisory-168.html</url> 15865 </references> 15866 <dates> 15867 <discovery>2016-01-20</discovery> 15868 <entry>2016-02-28</entry> 15869 </dates> 15870 </vuln> 15871 15872 <vuln vid="7ed7c36f-ddaf-11e5-b2bd-002590263bf5"> 15873 <topic>xen-kernel -- PV superpage functionality missing sanity checks</topic> 15874 <affects> 15875 <package> 15876 <name>xen-kernel</name> 15877 <range><eq>3.4.0</eq></range> 15878 <range><eq>3.4.1</eq></range> 15879 <range><ge>4.1</ge><lt>4.5.2_2</lt></range> 15880 </package> 15881 </affects> 15882 <description> 15883 <body xmlns="http://www.w3.org/1999/xhtml"> 15884 <p>The Xen Project reports:</p> 15885 <blockquote cite="http://xenbits.xen.org/xsa/advisory-167.html"> 15886 <p>The PV superpage functionality lacks certain validity checks on 15887 data being passed to the hypervisor by guests. 
This is the case 15888 for the page identifier (MFN) passed to MMUEXT_MARK_SUPER and 15889 MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as 15890 well as for various forms of page table updates.</p> 15891 <p>Use of the feature, which is disabled by default, may have unknown 15892 effects, ranging from information leaks through Denial of Service to 15893 privilege escalation.</p> 15894 </blockquote> 15895 </body> 15896 </description> 15897 <references> 15898 <cvename>CVE-2016-1570</cvename> 15899 <url>http://xenbits.xen.org/xsa/advisory-167.html</url> 15900 </references> 15901 <dates> 15902 <discovery>2016-01-20</discovery> 15903 <entry>2016-02-28</entry> 15904 </dates> 15905 </vuln> 15906 15907 <vuln vid="2d299950-ddb0-11e5-8fa8-14dae9d210b8"> 15908 <topic>moodle -- multiple vulnerabilities</topic> 15909 <affects> 15910 <package> 15911 <name>moodle28</name> 15912 <range><lt>2.8.10</lt></range> 15913 </package> 15914 <package> 15915 <name>moodle29</name> 15916 <range><lt>2.9.4</lt></range> 15917 </package> 15918 <package> 15919 <name>moodle30</name> 15920 <range><lt>3.0.2</lt></range> 15921 </package> 15922 </affects> 15923 <description> 15924 <body xmlns="http://www.w3.org/1999/xhtml"> 15925 <p>Marina Glancy reports:</p> 15926 <blockquote cite="https://moodle.org/security/"> 15927 <ul> 15928 <li><p>MSA-16-0001: Two enrolment-related web services don't 15929 check course visibility</p></li> 15930 <li><p>MSA-16-0002: XSS Vulnerability in course management 15931 search</p></li> 15932 </ul> 15933 </blockquote> 15934 </body> 15935 </description> 15936 <references> 15937 <url>https://moodle.org/security/</url> 15938 <cvename>CVE-2016-0724</cvename> 15939 <cvename>CVE-2016-0725</cvename> 15940 </references> 15941 <dates> 15942 <discovery>2016-01-18</discovery> 15943 <entry>2016-02-28</entry> 15944 </dates> 15945 </vuln> 15946 15947 <vuln vid="6540c8f0-dca3-11e5-8fa8-14dae9d210b8"> 15948 <topic>pitivi -- code execution</topic> 15949 <affects> 15950 
<package> 15951 <name>pitivi</name> 15952 <range><lt>0.95</lt></range> 15953 </package> 15954 </affects> 15955 <description> 15956 <body xmlns="http://www.w3.org/1999/xhtml"> 15957 <p>Luke Farone reports:</p> 15958 <blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/23/8"> 15959 <p>Double-clicking a file in the user's media library with a 15960 specially-crafted path or filename allows for arbitrary code execution 15961 with the permissions of the user running Pitivi.</p> 15962 </blockquote> 15963 </body> 15964 </description> 15965 <references> 15966 <url>http://www.openwall.com/lists/oss-security/2015/12/23/8</url> 15967 <url>https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2</url> 15968 <cvename>CVE-2015-0855</cvename> 15969 </references> 15970 <dates> 15971 <discovery>2015-09-13</discovery> 15972 <entry>2016-02-26</entry> 15973 </dates> 15974 </vuln> 15975 15976 <vuln vid="90c8385a-dc9f-11e5-8fa8-14dae9d210b8"> 15977 <topic>giflib -- heap overflow</topic> 15978 <affects> 15979 <package> 15980 <name>giflib</name> 15981 <range><lt>5.1.2</lt></range> 15982 </package> 15983 </affects> 15984 <description> 15985 <body xmlns="http://www.w3.org/1999/xhtml"> 15986 <p>Hans Jerry Illikainen reports:</p> 15987 <blockquote cite="http://seclists.org/bugtraq/2015/Dec/114"> 15988 <p>A heap overflow may occur in the giffix utility included in 15989 giflib-5.1.1 when processing records of the type 15990 `IMAGE_DESC_RECORD_TYPE' due to the allocated size of `LineBuffer' 15991 equaling the value of the logical screen width, `GifFileIn->SWidth', 15992 while subsequently having `GifFileIn->Image.Width' bytes of data written 15993 to it.</p> 15994 </blockquote> 15995 </body> 15996 </description> 15997 <references> 15998 <url>http://seclists.org/bugtraq/2015/Dec/114</url> 15999 <cvename>CVE-2015-7555</cvename> 16000 </references> 16001 <dates> 16002 <discovery>2015-12-21</discovery> 16003 <entry>2016-02-26</entry> 16004 </dates> 
16005 </vuln> 16006 16007 <vuln vid="59a0af97-dbd4-11e5-8fa8-14dae9d210b8"> 16008 <topic>drupal -- multiple vulnerabilities</topic> 16009 <affects> 16010 <package> 16011 <name>drupal6</name> 16012 <range><lt>6.38</lt></range> 16013 </package> 16014 <package> 16015 <name>drupal7</name> 16016 <range><lt>7.43</lt></range> 16017 </package> 16018 <package> 16019 <name>drupal8</name> 16020 <range><lt>8.0.4</lt></range> 16021 </package> 16022 </affects> 16023 <description> 16024 <body xmlns="http://www.w3.org/1999/xhtml"> 16025 <p>Drupal Security Team reports:</p> 16026 <blockquote cite="https://www.drupal.org/SA-CORE-2016-001"> 16027 <ul> 16028 <li><p>File upload access bypass and denial of service (File 16029 module - Drupal 7 and 8 - Moderately Critical)</p></li> 16030 <li><p>Brute force amplification attacks via XML-RPC (XML-RPC 16031 server - Drupal 6 and 7 - Moderately Critical)</p></li> 16032 <li><p>Open redirect via path manipulation (Base system - 16033 Drupal 6, 7 and 8 - Moderately Critical) </p></li> 16034 <li><p>Form API ignores access restrictions on submit buttons 16035 (Form API - Drupal 6 - Critical)</p></li> 16036 <li><p>HTTP header injection using line breaks (Base system - 16037 Drupal 6 - Moderately Critical)</p></li> 16038 <li><p>Open redirect via double-encoded 'destination' 16039 parameter (Base system - Drupal 6 - Moderately Critical)</p></li> 16040 <li><p>Reflected file download vulnerability (System module - 16041 Drupal 6 and 7 - Moderately Critical)</p></li> 16042 <li><p>Saving user accounts can sometimes grant the user all 16043 roles (User module - Drupal 6 and 7 - Less Critical)</p></li> 16044 <li><p>Email address can be matched to an account (User module 16045 - Drupal 7 and 8 - Less Critical)</p></li> 16046 <li><p>Session data truncation can lead to unserialization of 16047 user provided data (Base system - Drupal 6 - Less Critical)</p></li> 16048 </ul> 16049 </blockquote> 16050 </body> 16051 </description> 16052 <references> 16053 
<url>https://www.drupal.org/SA-CORE-2016-001</url> 16054 </references> 16055 <dates> 16056 <discovery>2016-02-24</discovery> 16057 <entry>2016-02-25</entry> 16058 </dates> 16059 </vuln> 16060 16061 <vuln vid="7e01df39-db7e-11e5-b937-00e0814cab4e"> 16062 <topic>jenkins -- multiple vulnerabilities</topic> 16063 <affects> 16064 <package> 16065 <name>jenkins</name> 16066 <range><le>1.650</le></range> 16067 </package> 16068 <package> 16069 <name>jenkins-lts</name> 16070 <range><le>1.642.2</le></range> 16071 </package> 16072 </affects> 16073 <description> 16074 <body xmlns="http://www.w3.org/1999/xhtml"> 16075 <p>Jenkins Security Advisory:</p> 16076 <blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Security+Advisory+2016-02-24"> 16077 <h1>Description</h1> 16078 <h5>SECURITY-232 / CVE-2016-0788(Remote code execution vulnerability in remoting module)</h5> 16079 <p>A vulnerability in the Jenkins remoting module allowed 16080 unauthenticated remote attackers to open a JRMP listener on the 16081 server hosting the Jenkins master process, which allowed arbitrary 16082 code execution.</p> 16083 <h5>SECURITY-238 / CVE-2016-0789(HTTP response splitting vulnerability)</h5> 16084 <p>An HTTP response splitting vulnerability in the CLI command 16085 documentation allowed attackers to craft Jenkins URLs that serve 16086 malicious content.</p> 16087 <h5>SECURITY-241 / CVE-2016-0790(Non-constant time comparison of API token)</h5> 16088 <p>The verification of user-provided API tokens with the expected 16089 value did not use a constant-time comparison algorithm, potentially 16090 allowing attackers to use statistical methods to determine valid 16091 API tokens using brute-force methods.</p> 16092 <h5>SECURITY-245 / CVE-2016-0791(Non-constant time comparison of CSRF crumbs)</h5> 16093 <p>The verification of user-provided CSRF crumbs with the expected 16094 value did not use a constant-time comparison algorithm, potentially 16095 allowing attackers to use statistical methods 
to determine valid 16096 CSRF crumbs using brute-force methods.</p> 16097 <h5>SECURITY-247 / CVE-2016-0792(Remote code execution through remote API)</h5> 16098 <p>Jenkins has several API endpoints that allow low-privilege users 16099 to POST XML files that then get deserialized by Jenkins. 16100 Maliciously crafted XML files sent to these API endpoints could 16101 result in arbitrary code execution.</p> 16102 </blockquote> 16103 </body> 16104 </description> 16105 <references> 16106 <url>https://wiki.jenkins-ci.org/display/SECURITY/Security+Advisory+2016-02-24</url> 16107 </references> 16108 <dates> 16109 <discovery>2016-02-24</discovery> 16110 <entry>2016-02-25</entry> 16111 </dates> 16112 </vuln> 16113 16114 <vuln vid="660ebbf5-daeb-11e5-b2bd-002590263bf5"> 16115 <topic>squid -- remote DoS in HTTP response processing</topic> 16116 <affects> 16117 <package> 16118 <name>squid</name> 16119 <range><lt>3.5.15</lt></range> 16120 </package> 16121 </affects> 16122 <description> 16123 <body xmlns="http://www.w3.org/1999/xhtml"> 16124 <p>Squid security advisory 2016:2 reports:</p> 16125 <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_2.txt"> 16126 <p>Due to incorrect bounds checking Squid is vulnerable to a denial 16127 of service attack when processing HTTP responses.</p> 16128 <p>These problems allow remote servers delivering certain unusual 16129 HTTP response syntax to trigger a denial of service for all 16130 clients accessing the Squid service.</p> 16131 <p>HTTP responses containing malformed headers that trigger this 16132 issue are becoming common. 
We are not certain at this time if 16133 that is a sign of malware or just broken server scripting.</p> 16134 </blockquote> 16135 </body> 16136 </description> 16137 <references> 16138 <cvename>CVE-2016-2569</cvename> 16139 <cvename>CVE-2016-2570</cvename> 16140 <cvename>CVE-2016-2571</cvename> 16141 <freebsdpr>ports/207454</freebsdpr> 16142 <url>http://www.squid-cache.org/Advisories/SQUID-2016_2.txt</url> 16143 <url>http://www.openwall.com/lists/oss-security/2016/02/24/12</url> 16144 </references> 16145 <dates> 16146 <discovery>2016-02-24</discovery> 16147 <entry>2016-02-24</entry> 16148 <modified>2016-02-28</modified> 16149 </dates> 16150 </vuln> 16151 16152 <vuln vid="9e5bbffc-d8ac-11e5-b2bd-002590263bf5"> 16153 <topic>bsh -- remote code execution vulnerability</topic> 16154 <affects> 16155 <package> 16156 <name>bsh</name> 16157 <range><lt>2.0.b6</lt></range> 16158 </package> 16159 </affects> 16160 <description> 16161 <body xmlns="http://www.w3.org/1999/xhtml"> 16162 <p>Stian Soiland-Reyes reports:</p> 16163 <blockquote cite="https://github.com/beanshell/beanshell/releases/tag/2.0b6"> 16164 <p>This release fixes a remote code execution vulnerability that was 16165 identified in BeanShell by Alvaro Muñoz and Christian Schneider. 16166 The BeanShell team would like to thank them for their help and 16167 contributions to this fix!</p> 16168 <p>An application that includes BeanShell on the classpath may be 16169 vulnerable if another part of the application uses Java 16170 serialization or XStream to deserialize data from an untrusted 16171 source.</p> 16172 <p>A vulnerable application could be exploited for remote code 16173 execution, including executing arbitrary shell commands.</p> 16174 <p>This update fixes the vulnerability in BeanShell, but it is worth 16175 noting that applications doing such deserialization might still be 16176 insecure through other libraries. 
It is recommended that application 16177 developers take further measures such as using a restricted class 16178 loader when deserializing. See notes on Java serialization security 16179 XStream security and How to secure deserialization from untrusted 16180 input without using encryption or sealing.</p> 16181 </blockquote> 16182 </body> 16183 </description> 16184 <references> 16185 <cvename>CVE-2016-2510</cvename> 16186 <freebsdpr>ports/207334</freebsdpr> 16187 <url>https://github.com/beanshell/beanshell/releases/tag/2.0b6</url> 16188 </references> 16189 <dates> 16190 <discovery>2016-02-18</discovery> 16191 <entry>2016-02-21</entry> 16192 </dates> 16193 </vuln> 16194 16195 <vuln vid="6171eb07-d8a9-11e5-b2bd-002590263bf5"> 16196 <topic>libsrtp -- DoS via crafted RTP header vulnerability</topic> 16197 <affects> 16198 <package> 16199 <name>libsrtp</name> 16200 <range><lt>1.5.3</lt></range> 16201 </package> 16202 </affects> 16203 <description> 16204 <body xmlns="http://www.w3.org/1999/xhtml"> 16205 <p>libsrtp reports:</p> 16206 <blockquote cite="https://github.com/cisco/libsrtp/commit/704a31774db0dd941094fd2b47c21638b8dc3de2"> 16207 <p>Prevent potential DoS attack due to lack of bounds checking on RTP 16208 header CSRC count and extension header length. 
Credit goes to 16209 Randell Jesup and the Firefox team for reporting this issue.</p> 16210 </blockquote> 16211 </body> 16212 </description> 16213 <references> 16214 <cvename>CVE-2015-6360</cvename> 16215 <freebsdpr>ports/207003</freebsdpr> 16216 <url>https://github.com/cisco/libsrtp/releases/tag/v1.5.3</url> 16217 <url>https://github.com/cisco/libsrtp/commit/704a31774db0dd941094fd2b47c21638b8dc3de2</url> 16218 <url>https://github.com/cisco/libsrtp/commit/be95365fbb4788b688cab7af61c65b7989055fb4</url> 16219 <url>https://github.com/cisco/libsrtp/commit/be06686c8e98cc7bd934e10abb6f5e971d03f8ee</url> 16220 <url>https://github.com/cisco/libsrtp/commit/cdc69f2acde796a4152a250f869271298abc233f</url> 16221 </references> 16222 <dates> 16223 <discovery>2015-11-02</discovery> 16224 <entry>2016-02-21</entry> 16225 </dates> 16226 </vuln> 16227 16228 <vuln vid="006e3b7c-d7d7-11e5-b85f-0018fe623f2b"> 16229 <topic>jasper -- multiple vulnerabilities</topic> 16230 <affects> 16231 <package> 16232 <name>jasper</name> 16233 <range><lt>1.900.1_16</lt></range> 16234 </package> 16235 </affects> 16236 <description> 16237 <body xmlns="http://www.w3.org/1999/xhtml"> 16238 <p>oCERT reports:</p> 16239 <blockquote cite="http://www.ocert.org/advisories/ocert-2014-012.html"> 16240 <p>The library is affected by a double-free vulnerability in function 16241 jas_iccattrval_destroy() 16242 as well as a heap-based buffer overflow in function jp2_decode(). 16243 A specially crafted jp2 file can be used to trigger the vulnerabilities.</p> 16244 </blockquote> 16245 <p>oCERT reports:</p> 16246 <blockquote cite="http://www.ocert.org/advisories/ocert-2015-001.html"> 16247 <p>The library is affected by an off-by-one error in a buffer boundary check 16248 in jpc_dec_process_sot(), leading to a heap based buffer overflow, as well 16249 as multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to 16250 stack overflow. 
16251 A specially crafted jp2 file can be used to trigger the vulnerabilities.</p> 16252 </blockquote> 16253 <p>oCERT reports:</p> 16254 <blockquote cite="http://www.ocert.org/advisories/ocert-2014-009.html"> 16255 <p>Multiple off-by-one flaws, leading to heap-based buffer overflows, were 16256 found in the way JasPer decoded JPEG 2000 files. A specially crafted file 16257 could cause an application using JasPer to crash or, 16258 possibly, execute arbitrary code.</p> 16259 </blockquote> 16260 <p>limingxing reports:</p> 16261 <blockquote cite="http://seclists.org/oss-sec/2016/q1/233"> 16262 <p>A vulnerability was found in the way the JasPer's jas_matrix_clip() 16263 function parses certain JPEG 2000 image files. A specially crafted file 16264 could cause an application using JasPer to crash.</p> 16265 </blockquote> 16266 </body> 16267 </description> 16268 <references> 16269 <url>http://www.ocert.org/advisories/ocert-2014-012.html</url> 16270 <url>https://bugzilla.redhat.com/show_bug.cgi?id=1173157</url> 16271 <url>https://bugzilla.redhat.com/show_bug.cgi?id=1173162</url> 16272 <url>http://www.ocert.org/advisories/ocert-2015-001.html</url> 16273 <url>https://bugzilla.redhat.com/show_bug.cgi?id=1179282</url> 16274 <url>http://www.ocert.org/advisories/ocert-2014-009.html</url> 16275 <url>https://bugzilla.redhat.com/show_bug.cgi?id=1167537</url> 16276 <url>http://seclists.org/oss-sec/2016/q1/233</url> 16277 <url>https://bugzilla.redhat.com/show_bug.cgi?id=1302636</url> 16278 <cvename>CVE-2014-8137</cvename> 16279 <cvename>CVE-2014-8138</cvename> 16280 <cvename>CVE-2014-8157</cvename> 16281 <cvename>CVE-2014-8158</cvename> 16282 <cvename>CVE-2014-9029</cvename> 16283 <cvename>CVE-2016-2089</cvename> 16284 </references> 16285 <dates> 16286 <discovery>2014-12-10</discovery> 16287 <entry>2016-02-20</entry> 16288 <modified>2016-02-24</modified> 16289 </dates> 16290 </vuln> 16291 16292 <vuln vid="368993bb-d685-11e5-8858-00262d5ed8ee"> 16293 <topic>chromium -- same origin 
bypass</topic> 16294 <affects> 16295 <package> 16296 <name>chromium</name> 16297 <name>chromium-npapi</name> 16298 <name>chromium-pulse</name> 16299 <range><lt>48.0.2564.116</lt></range> 16300 </package> 16301 </affects> 16302 <description> 16303 <body xmlns="http://www.w3.org/1999/xhtml"> 16304 <p>Google Chrome Releases reports:</p> 16305 <blockquote cite="http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_18.html"> 16306 <p>[583431] Critical CVE-2016-1629: Same-origin bypass in Blink 16307 and Sandbox escape in Chrome. Credit to anonymous.</p> 16308 </blockquote> 16309 </body> 16310 </description> 16311 <references> 16312 <cvename>CVE-2016-1629</cvename> 16313 <url>http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_18.html</url> 16314 </references> 16315 <dates> 16316 <discovery>2016-02-18</discovery> 16317 <entry>2016-02-18</entry> 16318 </dates> 16319 </vuln> 16320 16321 <vuln vid="2dd7e97e-d5e8-11e5-bcbd-bc5ff45d0f28"> 16322 <topic>glibc -- getaddrinfo stack-based buffer overflow</topic> 16323 <affects> 16324 <package> 16325 <name>linux_base-c6</name> 16326 <name>linux_base-c6_64</name> 16327 <range><lt>6.7_1</lt></range> 16328 </package> 16329 <package> 16330 <name>linux_base-f10</name> 16331 <range><ge>0</ge></range> 16332 </package> 16333 </affects> 16334 <description> 16335 <body xmlns="http://www.w3.org/1999/xhtml"> 16336 <p>Fabio Olive Leite reports:</p> 16337 <blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7547"> 16338 <p>A stack-based buffer overflow was found in libresolv when invoked 16339 from nss_dns, allowing specially crafted DNS responses to seize 16340 control of EIP in the DNS client. The buffer overflow occurs in the 16341 functions send_dg (send datagram) and send_vc (send TCP) for the 16342 NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC 16343 family, or in some cases AF_INET6 family. 
The use of AF_UNSPEC (or 16344 AF_INET6 in some cases) triggers the low-level resolver code to 16345 send out two parallel queries for A and AAAA. A mismanagement of 16346 the buffers used for those queries could result in the response of 16347 a query writing beyond the alloca allocated buffer created by 16348 __res_nquery.</p> 16349 </blockquote> 16350 </body> 16351 </description> 16352 <references> 16353 <cvename>CVE-2015-7547</cvename> 16354 <freebsdpr>ports/207272</freebsdpr> 16355 <url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7547</url> 16356 <url>https://blog.des.no/2016/02/freebsd-and-cve-2015-7547/</url> 16357 <url>https://googleonlinesecurity.blogspot.no/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html</url> 16358 <url>https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html</url> 16359 </references> 16360 <dates> 16361 <discovery>2016-02-16</discovery> 16362 <entry>2016-02-18</entry> 16363 </dates> 16364 </vuln> 16365 16366 <vuln vid="56562efb-d5e4-11e5-b2bd-002590263bf5"> 16367 <topic>squid -- SSL/TLS processing remote DoS</topic> 16368 <affects> 16369 <package> 16370 <name>squid</name> 16371 <range><ge>3.5.13</ge><lt>3.5.14</lt></range> 16372 </package> 16373 </affects> 16374 <description> 16375 <body xmlns="http://www.w3.org/1999/xhtml"> 16376 <p>Squid security advisory 2016:1 reports:</p> 16377 <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_1.txt"> 16378 <p>Due to incorrectly handling server errors Squid is vulnerable to a 16379 denial of service attack when connecting to TLS or SSL servers.</p> 16380 <p>This problem allows any trusted client to perform a denial of 16381 service attack on the Squid service regardless of whether TLS or 16382 SSL is configured for use in the proxy.</p> 16383 <p>Misconfigured client or server software may trigger this issue 16384 to perform a denial of service unintentionally.</p> 16385 <p>However, the bug is exploitable only if Squid is built using the 16386 --with-openssl 
option.</p> 16387 </blockquote> 16388 <p>The FreeBSD port does not use SSL by default and is not vulnerable 16389 in the default configuration.</p> 16390 </body> 16391 </description> 16392 <references> 16393 <cvename>CVE-2016-2390</cvename> 16394 <freebsdpr>ports/207294</freebsdpr> 16395 <url>http://www.squid-cache.org/Advisories/SQUID-2016_1.txt</url> 16396 </references> 16397 <dates> 16398 <discovery>2016-02-16</discovery> 16399 <entry>2016-02-18</entry> 16400 </dates> 16401 </vuln> 16402 16403 <vuln vid="dd563930-d59a-11e5-8fa8-14dae9d210b8"> 16404 <topic>adminer -- remote code execution</topic> 16405 <affects> 16406 <package> 16407 <name>adminer</name> 16408 <range><lt>4.2.4</lt></range> 16409 </package> 16410 </affects> 16411 <description> 16412 <body xmlns="http://www.w3.org/1999/xhtml"> 16413 <p>Jakub Vrana reports:</p> 16414 <blockquote cite="https://github.com/vrana/adminer/commit/e5352cc5acad21513bb02677e2021b80bf7e7b8b"> 16415 <p>Fix remote code execution in SQLite query</p> 16416 </blockquote> 16417 </body> 16418 </description> 16419 <references> 16420 <url>https://github.com/vrana/adminer/commit/e5352cc5acad21513bb02677e2021b80bf7e7b8b</url> 16421 </references> 16422 <dates> 16423 <discovery>2016-02-06</discovery> 16424 <entry>2016-02-17</entry> 16425 </dates> 16426 </vuln> 16427 16428 <vuln vid="18201a1c-d59a-11e5-8fa8-14dae9d210b8"> 16429 <topic>adminer -- XSS vulnerability</topic> 16430 <affects> 16431 <package> 16432 <name>adminer</name> 16433 <range><lt>4.2.3</lt></range> 16434 </package> 16435 </affects> 16436 <description> 16437 <body xmlns="http://www.w3.org/1999/xhtml"> 16438 <p>Jakub Vrana reports:</p> 16439 <blockquote cite="https://github.com/vrana/adminer/commit/4be0b6655e0bf415960659db2a6dd4e60eebbd66"> 16440 <p>Fix XSS in indexes (non-MySQL only)</p> 16441 </blockquote> 16442 </body> 16443 </description> 16444 <references> 16445 <url>https://github.com/vrana/adminer/commit/4be0b6655e0bf415960659db2a6dd4e60eebbd66</url> 16446 
</references> 16447 <dates> 16448 <discovery>2015-11-08</discovery> 16449 <entry>2016-02-17</entry> 16450 </dates> 16451 </vuln> 16452 16453 <vuln vid="ad91ee9b-d599-11e5-8fa8-14dae9d210b8"> 16454 <topic>adminer -- XSS vulnerability</topic> 16455 <affects> 16456 <package> 16457 <name>adminer</name> 16458 <range><lt>4.2.2</lt></range> 16459 </package> 16460 </affects> 16461 <description> 16462 <body xmlns="http://www.w3.org/1999/xhtml"> 16463 <p>Jakub Vrana reports:</p> 16464 <blockquote cite="https://github.com/vrana/adminer/commit/596f8df373cd3efe5bcb6013858bd7a6bb5ecb2c"> 16465 <p>Fix XSS in alter table</p> 16466 </blockquote> 16467 </body> 16468 </description> 16469 <references> 16470 <url>https://github.com/vrana/adminer/commit/596f8df373cd3efe5bcb6013858bd7a6bb5ecb2c</url> 16471 </references> 16472 <dates> 16473 <discovery>2015-08-05</discovery> 16474 <entry>2016-02-17</entry> 16475 </dates> 16476 </vuln> 16477 16478 <vuln vid="8cf54d73-d591-11e5-8fa8-14dae9d210b8"> 16479 <topic>adminer -- XSS vulnerability</topic> 16480 <affects> 16481 <package> 16482 <name>adminer</name> 16483 <range><lt>4.2.0</lt></range> 16484 </package> 16485 </affects> 16486 <description> 16487 <body xmlns="http://www.w3.org/1999/xhtml"> 16488 <p>Jakub Vrana reports:</p> 16489 <blockquote cite="https://github.com/vrana/adminer/commit/c990de3b3ee1816afb130bd0e1570577bf54a8e5"> 16490 <p>Fix XSS in login form</p> 16491 </blockquote> 16492 </body> 16493 </description> 16494 <references> 16495 <url>https://github.com/vrana/adminer/commit/c990de3b3ee1816afb130bd0e1570577bf54a8e5</url> 16496 <url>https://sourceforge.net/p/adminer/bugs-and-features/436/</url> 16497 </references> 16498 <dates> 16499 <discovery>2015-01-30</discovery> 16500 <entry>2016-02-17</entry> 16501 </dates> 16502 </vuln> 16503 16504 <vuln vid="95b92e3b-d451-11e5-9794-e8e0b747a45a"> 16505 <topic>libgcrypt -- side-channel attack on ECDH</topic> 16506 <affects> 16507 <package> 16508 <name>libgcrypt</name> 16509 
<range><lt>1.6.5</lt></range> 16510 </package> 16511 </affects> 16512 <description> 16513 <body xmlns="http://www.w3.org/1999/xhtml"> 16514 <p>GnuPG reports:</p> 16515 <blockquote cite="https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html"> 16516 <p>Mitigate side-channel attack on ECDH with Weierstrass curves.</p> 16517 </blockquote> 16518 </body> 16519 </description> 16520 <references> 16521 <cvename>CVE-2015-7511</cvename> 16522 <url>https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html</url> 16523 </references> 16524 <dates> 16525 <discovery>2016-02-09</discovery> 16526 <entry>2016-02-16</entry> 16527 </dates> 16528 </vuln> 16529 16530 <vuln vid="f1bf28c5-d447-11e5-b2bd-002590263bf5"> 16531 <topic>xdelta3 -- buffer overflow vulnerability</topic> 16532 <affects> 16533 <package> 16534 <name>xdelta3</name> 16535 <range><lt>3.0.9,1</lt></range> 16536 </package> 16537 </affects> 16538 <description> 16539 <body xmlns="http://www.w3.org/1999/xhtml"> 16540 <p>Stepan Golosunov reports:</p> 16541 <blockquote cite="http://www.openwall.com/lists/oss-security/2016/02/08/1"> 16542 <p>Buffer overflow was found and fixed in xdelta3 binary diff tool 16543 that allows arbitrary code execution from input files at least on 16544 some systems.</p> 16545 </blockquote> 16546 </body> 16547 </description> 16548 <references> 16549 <cvename>CVE-2014-9765</cvename> 16550 <url>http://www.openwall.com/lists/oss-security/2016/02/08/1</url> 16551 <url>https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2</url> 16552 </references> 16553 <dates> 16554 <discovery>2014-10-08</discovery> 16555 <entry>2016-02-16</entry> 16556 </dates> 16557 </vuln> 16558 16559 <vuln vid="172b22cb-d3f6-11e5-ac9e-485d605f4717"> 16560 <topic>firefox -- Same-origin-policy violation using Service Workers with plugins</topic> 16561 <affects> 16562 <package> 16563 <name>firefox</name> 16564 <range><lt>44.0.2,1</lt></range> 16565 </package> 16566 <package> 16567 
<name>linux-firefox</name> 16568 <range><lt>44.0.2,1</lt></range> 16569 </package> 16570 </affects> 16571 <description> 16572 <body xmlns="http://www.w3.org/1999/xhtml"> 16573 <p>The Mozilla Foundation reports:</p> 16574 <blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44.0.2"> 16575 <p>MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept 16576 responses to plugin network requests made through the browser. Plugins which 16577 make security decisions based on the content of network requests can have these 16578 decisions subverted if a service worker forges responses to those requests. For 16579 example, a forged crossdomain.xml could allow a malicious site to violate the 16580 same-origin policy using the Flash plugin.</p> 16581 </blockquote> 16582 </body> 16583 </description> 16584 <references> 16585 <cvename>CVE-2016-1949</cvename> 16586 <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-13/</url> 16587 </references> 16588 <dates> 16589 <discovery>2016-02-11</discovery> 16590 <entry>2016-02-15</entry> 16591 </dates> 16592 </vuln> 16593 16594 <vuln vid="07718e2b-d29d-11e5-a95f-b499baebfeaf"> 16595 <topic>nghttp2 -- Out of memory in nghttpd, nghttp, and libnghttp2_asio</topic> 16596 <affects> 16597 <package> 16598 <name>nghttp2</name> 16599 <range><lt>1.7.1</lt></range> 16600 </package> 16601 </affects> 16602 <description> 16603 <body xmlns="http://www.w3.org/1999/xhtml"> 16604 <p>Nghttp2 reports:</p> 16605 <blockquote cite="https://nghttp2.org/blog/2016/02/11/nghttp2-v1-7-1/"> 16606 <p>Out of memory in nghttpd, nghttp, and libnghttp2_asio applications 16607 due to unlimited incoming HTTP header fields.</p> 16608 <p>nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage 16609 for the incoming HTTP header field. 
If a peer sends specially crafted HTTP/2 16610 HEADERS frames and CONTINUATION frames, they will crash with an out of memory 16611 error.</p> 16612 <p>Note that libnghttp2 itself is not affected by this vulnerability.</p> 16613 </blockquote> 16614 </body> 16615 </description> 16616 <references> 16617 <url>http://nghttp2.org/blog/2016/02/11/nghttp2-v1-7-1/</url> 16618 <cvename>CVE-2016-1544</cvename> 16619 </references> 16620 <dates> 16621 <discovery>2016-02-03</discovery> 16622 <entry>2016-02-13</entry> 16623 </dates> 16624 </vuln> 16625 16626 <vuln vid="3aa8b781-d2c4-11e5-b2bd-002590263bf5"> 16627 <topic>horde -- XSS vulnerabilities</topic> 16628 <affects> 16629 <package> 16630 <name>horde</name> 16631 <range><lt>5.2.9</lt></range> 16632 </package> 16633 <package> 16634 <name>pear-Horde_Core</name> 16635 <range><lt>2.22.6</lt></range> 16636 </package> 16637 </affects> 16638 <description> 16639 <body xmlns="http://www.w3.org/1999/xhtml"> 16640 <p>The Horde Team reports:</p> 16641 <blockquote cite="http://lists.horde.org/archives/announce/2016/001149.html"> 16642 <p>Fixed XSS vulnerabilities in menu bar and form renderer.</p> 16643 </blockquote> 16644 </body> 16645 </description> 16646 <references> 16647 <cvename>CVE-2015-8807</cvename> 16648 <cvename>CVE-2016-2228</cvename> 16649 <url>https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253</url> 16650 <url>https://bugs.horde.org/ticket/14213</url> 16651 <url>https://github.com/horde/horde/commit/f03301cf6edcca57121a15e80014c4d0f29d99a0</url> 16652 <url>https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8</url> 16653 <url>http://www.openwall.com/lists/oss-security/2016/02/06/4</url> 16654 <url>http://lists.horde.org/archives/announce/2016/001149.html</url> 16655 </references> 16656 <dates> 16657 <discovery>2016-02-02</discovery> 16658 <entry>2016-02-14</entry> 16659 </dates> 16660 </vuln> 16661 16662 <vuln vid="e8b6605b-d29f-11e5-8458-6cc21735f730"> 16663 <topic>PostgreSQL
-- Security Fixes for Regular Expressions, PL/Java.</topic> 16664 <affects> 16665 <package> 16666 <name>postgresql91-server</name> 16667 <range><ge>9.1.0</ge><lt>9.1.20</lt></range> 16668 </package> 16669 <package> 16670 <name>postgresql92-server</name> 16671 <range><ge>9.2.0</ge><lt>9.2.15</lt></range> 16672 </package> 16673 <package> 16674 <name>postgresql93-server</name> 16675 <range><ge>9.3.0</ge><lt>9.3.11</lt></range> 16676 </package> 16677 <package> 16678 <name>postgresql94-server</name> 16679 <range><ge>9.4.0</ge><lt>9.4.6</lt></range> 16680 </package> 16681 <package> 16682 <name>postgresql95-server</name> 16683 <range><ge>9.5.0</ge><lt>9.5.1</lt></range> 16684 </package> 16685 </affects> 16686 <description> 16687 <body xmlns="http://www.w3.org/1999/xhtml"> 16688 <p>PostgreSQL project reports:</p> 16689 <blockquote cite="http://www.postgresql.org/about/news/1644/"> 16690 <p> 16691 Security Fixes for Regular Expressions, PL/Java 16692 </p> 16693 <ul> 16694 <li>CVE-2016-0773: This release closes security hole CVE-2016-0773, 16695 an issue with regular expression (regex) parsing. Prior code allowed 16696 users to pass in expressions which included out-of-range Unicode 16697 characters, triggering a backend crash. This issue is critical for 16698 PostgreSQL systems with untrusted users or which generate regexes 16699 based on user input. 16700 </li> 16701 <li>CVE-2016-0766: The update also fixes CVE-2016-0766, a privilege 16702 escalation issue for users of PL/Java. 
Certain custom configuration 16703 settings (GUCS) for PL/Java will now be modifiable only by the 16704 database superuser. 16705 </li> 16706 </ul> 16707 </blockquote> 16708 </body> 16709 </description> 16710 <references> 16711 <cvename>CVE-2016-0773</cvename> 16712 <cvename>CVE-2016-0766</cvename> 16713 </references> 16714 <dates> 16715 <discovery>2016-02-08</discovery> 16716 <entry>2016-02-12</entry> 16717 </dates> 16718 </vuln> 16719 16720 <vuln vid="5d8e56c3-9e67-4d5b-81c9-3a409dfd705f"> 16721 <topic>flash -- multiple vulnerabilities</topic> 16722 <affects> 16723 <package> 16724 <name>linux-c6-flashplugin</name> 16725 <name>linux-f10-flashplugin</name> 16726 <name>linux-c6_64-flashplugin</name> 16727 <range><lt>11.2r202.569</lt></range> 16728 </package> 16729 </affects> 16730 <description> 16731 <body xmlns="http://www.w3.org/1999/xhtml"> 16732 <p>Adobe reports:</p> 16733 <blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-04.html"> 16734 <p>These updates resolve a type confusion vulnerability that 16735 could lead to code execution (CVE-2016-0985).</p> 16736 <p>These updates resolve use-after-free vulnerabilities that 16737 could lead to code execution (CVE-2016-0973, CVE-2016-0974, 16738 CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984).</p> 16739 <p>These updates resolve a heap buffer overflow vulnerability 16740 that could lead to code execution (CVE-2016-0971).</p> 16741 <p>These updates resolve memory corruption vulnerabilities 16742 that could lead to code execution (CVE-2016-0964, 16743 CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968, 16744 CVE-2016-0969, CVE-2016-0970, CVE-2016-0972, CVE-2016-0976, 16745 CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980, 16746 CVE-2016-0981).</p> 16747 </blockquote> 16748 </body> 16749 </description> 16750 <references> 16751 <cvename>CVE-2016-0964</cvename> 16752 <cvename>CVE-2016-0965</cvename> 16753 <cvename>CVE-2016-0966</cvename> 16754
<cvename>CVE-2016-0967</cvename> 16755 <cvename>CVE-2016-0968</cvename> 16756 <cvename>CVE-2016-0969</cvename> 16757 <cvename>CVE-2016-0970</cvename> 16758 <cvename>CVE-2016-0971</cvename> 16759 <cvename>CVE-2016-0972</cvename> 16760 <cvename>CVE-2016-0973</cvename> 16761 <cvename>CVE-2016-0974</cvename> 16762 <cvename>CVE-2016-0975</cvename> 16763 <cvename>CVE-2016-0976</cvename> 16764 <cvename>CVE-2016-0977</cvename> 16765 <cvename>CVE-2016-0978</cvename> 16766 <cvename>CVE-2016-0979</cvename> 16767 <cvename>CVE-2016-0980</cvename> 16768 <cvename>CVE-2016-0981</cvename> 16769 <cvename>CVE-2016-0982</cvename> 16770 <cvename>CVE-2016-0983</cvename> 16771 <cvename>CVE-2016-0984</cvename> 16772 <cvename>CVE-2016-0985</cvename> 16773 <url>https://helpx.adobe.com/security/products/flash-player/apsb16-04.html</url> 16774 </references> 16775 <dates> 16776 <discovery>2016-02-09</discovery> 16777 <entry>2016-02-10</entry> 16778 </dates> 16779 </vuln> 16780 16781 <vuln vid="515b4327-cf8a-11e5-96d6-14dae9d210b8"> 16782 <topic>dnscrypt-proxy -- code execution</topic> 16783 <affects> 16784 <package> 16785 <name>dnscrypt-proxy</name> 16786 <range><ge>1.1.0</ge><lt>1.6.1</lt></range> 16787 </package> 16788 </affects> 16789 <description> 16790 <body xmlns="http://www.w3.org/1999/xhtml"> 16791 <p>Frank Denis reports:</p> 16792 <blockquote cite="https://github.com/jedisct1/dnscrypt-proxy/blob/1d129f7d5f0d469308967cbe4eacb4a6919f1fa1/NEWS#L2-L8"> 16793 <p>Malformed packets could lead to denial of service or code 16794 execution.</p> 16795 </blockquote> 16796 </body> 16797 </description> 16798 <references> 16799 <url>https://github.com/jedisct1/dnscrypt-proxy/blob/1d129f7d5f0d469308967cbe4eacb4a6919f1fa1/NEWS#L2-L8</url> 16800 </references> 16801 <dates> 16802 <discovery>2016-02-02</discovery> 16803 <entry>2016-02-10</entry> 16804 <modified>2016-02-14</modified> 16805 </dates> 16806 </vuln> 16807 16808 <vuln vid="36034227-cf81-11e5-9c2b-00262d5ed8ee"> 16809 <topic>chromium -- 
multiple vulnerabilities</topic> 16810 <affects> 16811 <package> 16812 <name>chromium</name> 16813 <name>chromium-npapi</name> 16814 <name>chromium-pulse</name> 16815 <range><lt>48.0.2564.109</lt></range> 16816 </package> 16817 </affects> 16818 <description> 16819 <body xmlns="http://www.w3.org/1999/xhtml"> 16820 <p>Google Chrome Releases reports:</p> 16821 <blockquote cite="http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_9.html"> 16822 <p>6 security fixes in this release, including:</p> 16823 <ul> 16824 <li>[546677] High CVE-2016-1622: Same-origin bypass in Extensions. 16825 Credit to anonymous.</li> 16826 <li>[577105] High CVE-2016-1623: Same-origin bypass in DOM. Credit 16827 to Mariusz Mlynski.</li> 16828 <li>[509313] Medium CVE-2016-1625: Navigation bypass in Chrome 16829 Instant. Credit to Jann Horn.</li> 16830 <li>[571480] Medium CVE-2016-1626: Out-of-bounds read in PDFium. 16831 Credit to anonymous, working with HP's Zero Day Initiative.</li> 16832 <li>[585517] CVE-2016-1627: Various fixes from internal audits, 16833 fuzzing and other initiatives.</li> 16834 </ul> 16835 </blockquote> 16836 </body> 16837 </description> 16838 <references> 16839 <cvename>CVE-2016-1622</cvename> 16840 <cvename>CVE-2016-1623</cvename> 16841 <cvename>CVE-2016-1625</cvename> 16842 <cvename>CVE-2016-1626</cvename> 16843 <cvename>CVE-2016-1627</cvename> 16844 <url>http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_9.html</url> 16845 </references> 16846 <dates> 16847 <discovery>2016-02-08</discovery> 16848 <entry>2016-02-09</entry> 16849 <modified>2016-03-08</modified> 16850 </dates> 16851 </vuln> 16852 16853 <vuln vid="8f10fa04-cf6a-11e5-96d6-14dae9d210b8"> 16854 <topic>graphite2 -- code execution vulnerability</topic> 16855 <affects> 16856 <package> 16857 <name>graphite2</name> 16858 <range><lt>1.3.5</lt></range> 16859 </package> 16860 <package> 16861 <name>silgraphite</name> 16862 <range><lt>2.3.1_4</lt></range> 16863 </package> 16864 
<package> 16865 <name>linux-thunderbird</name> 16866 <range><lt>38.6.0</lt></range> 16867 </package> 16868 </affects> 16869 <description> 16870 <body xmlns="http://www.w3.org/1999/xhtml"> 16871 <p>Talos reports:</p> 16872 <blockquote cite="http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html"> 16873 <ul> 16874 <li><p>An exploitable denial of service vulnerability exists 16875 in the font handling of Libgraphite. A specially crafted font can cause 16876 an out-of-bounds read potentially resulting in an information leak or 16877 denial of service.</p></li> 16878 <li><p>A specially crafted font can cause a buffer overflow 16879 resulting in potential code execution.</p></li> 16880 <li><p>An exploitable NULL pointer dereference exists in the 16881 bidirectional font handling functionality of Libgraphite. A specially 16882 crafted font can cause a NULL pointer dereference resulting in a 16883 crash.</p></li> 16884 </ul> 16885 </blockquote> 16886 </body> 16887 </description> 16888 <references> 16889 <url>http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html</url> 16890 <url>http://www.talosintel.com/reports/TALOS-2016-0061/</url> 16891 <url>https://www.mozilla.org/security/advisories/mfsa2016-14/</url> 16892 <cvename>CVE-2016-1521</cvename> 16893 <cvename>CVE-2016-1522</cvename> 16894 <cvename>CVE-2016-1523</cvename> 16895 <cvename>CVE-2016-1526</cvename> 16896 </references> 16897 <dates> 16898 <discovery>2016-02-05</discovery> 16899 <entry>2016-02-09</entry> 16900 <modified>2016-03-08</modified> 16901 </dates> 16902 </vuln> 16903 16904 <vuln vid="1cecd5e0-c372-11e5-96d6-14dae9d210b8"> 16905 <topic>xymon-server -- multiple vulnerabilities</topic> 16906 <affects> 16907 <package> 16908 <name>xymon-server</name> 16909 <range><lt>4.3.25</lt></range> 16910 </package> 16911 </affects> 16912 <description> 16913 <body xmlns="http://www.w3.org/1999/xhtml"> 16914 <p>J.C. 
Cleaver reports:</p> 16915 <blockquote cite="http://lists.xymon.com/pipermail/xymon/2016-February/042986.html"> 16916 <ul> 16917 <li><p>CVE-2016-2054: Buffer overflow in xymond handling of 16918 "config" command</p></li> 16919 <li><p>CVE-2016-2055: Access to possibly confidential files 16920 in the Xymon configuration directory</p></li> 16921 <li><p>CVE-2016-2056: Shell command injection in the 16922 "useradm" and "chpasswd" web applications</p></li> 16923 <li><p>CVE-2016-2057: Incorrect permissions on IPC queues 16924 used by the xymond daemon can bypass IP access filtering</p></li> 16925 <li><p>CVE-2016-2058: Javascript injection in "detailed status 16926 webpage" of monitoring items; XSS vulnerability via malformed 16927 acknowledgment messages</p></li> 16928 </ul> 16929 </blockquote> 16930 </body> 16931 </description> 16932 <references> 16933 <url>http://lists.xymon.com/pipermail/xymon/2016-February/042986.html</url> 16934 <cvename>CVE-2016-2054</cvename> 16935 <cvename>CVE-2016-2055</cvename> 16936 <cvename>CVE-2016-2056</cvename> 16937 <cvename>CVE-2016-2057</cvename> 16938 <cvename>CVE-2016-2058</cvename> 16939 </references> 16940 <dates> 16941 <discovery>2016-01-19</discovery> 16942 <entry>2016-02-09</entry> 16943 </dates> 16944 </vuln> 16945 16946 <vuln vid="85eb4e46-cf16-11e5-840f-485d605f4717"> 16947 <topic>php -- multiple vulnerabilities</topic> 16948 <affects> 16949 <package> 16950 <name>php55</name> 16951 <name>php55-phar</name> 16952 <name>php55-wddx</name> 16953 <range><lt>5.5.32</lt></range> 16954 </package> 16955 <package> 16956 <name>php56</name> 16957 <name>php56-phar</name> 16958 <name>php56-wddx</name> 16959 <range><lt>5.6.18</lt></range> 16960 </package> 16961 </affects> 16962 <description> 16963 <body xmlns="http://www.w3.org/1999/xhtml"> 16964 <p>PHP reports:</p> 16965 <blockquote cite="http://php.net/ChangeLog-5.php#5.6.18"> 16966 <ul><li>Core: 16967 <ul> 16968 <li>Fixed bug #71039 (exec functions ignore length but look for NULL 16969
termination).</li> 16970 <li>Fixed bug #71323 (Output of stream_get_meta_data can be 16971 falsified by its input).</li> 16972 <li>Fixed bug #71459 (Integer overflow in iptcembed()).</li> 16973 </ul></li> 16974 <li>PCRE: 16975 <ul> 16976 <li>Upgraded bundled PCRE library to 8.38. (CVE-2015-8383, 16977 CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, 16978 CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)</li> 16979 </ul></li> 16980 <li>Phar: 16981 <ul> 16982 <li>Fixed bug #71354 (Heap corruption in tar/zip/phar parser).</li> 16983 <li>Fixed bug #71391 (NULL Pointer Dereference in 16984 phar_tar_setupmetadata()).</li> 16985 <li>Fixed bug #71488 (Stack overflow when decompressing tar 16986 archives). (CVE-2016-2554)</li> 16987 </ul></li> 16988 <li>WDDX: 16989 <ul> 16990 <li>Fixed bug #71335 (Type Confusion in WDDX Packet 16991 Deserialization).</li> 16992 </ul></li> 16993 </ul> 16994 </blockquote> 16995 </body> 16996 </description> 16997 <references> 16998 <cvename>CVE-2015-8383</cvename> 16999 <cvename>CVE-2015-8386</cvename> 17000 <cvename>CVE-2015-8387</cvename> 17001 <cvename>CVE-2015-8389</cvename> 17002 <cvename>CVE-2015-8390</cvename> 17003 <cvename>CVE-2015-8391</cvename> 17004 <cvename>CVE-2015-8393</cvename> 17005 <cvename>CVE-2015-8394</cvename> 17006 <cvename>CVE-2016-2554</cvename> 17007 <url>http://php.net/ChangeLog-5.php#5.6.18</url> 17008 <url>http://php.net/ChangeLog-5.php#5.5.32</url> 17009 </references> 17010 <dates> 17011 <discovery>2016-02-04</discovery> 17012 <entry>2016-02-09</entry> 17013 <modified>2016-03-13</modified> 17014 </dates> 17015 </vuln> 17016 17017 <vuln vid="a8de962a-cf15-11e5-805c-5453ed2e2b49"> 17018 <topic>py-imaging, py-pillow -- Buffer overflow in PCD decoder</topic> 17019 <affects> 17020 <package> 17021 <name>py27-pillow</name> 17022 <name>py33-pillow</name> 17023 <name>py34-pillow</name> 17024 <name>py35-pillow</name> 17025 <range><lt>2.9.0_1</lt></range> 17026 </package> 17027 <package> 17028 <name>py27-imaging</name>
17029 <range><lt>1.1.7_6</lt></range> 17030 </package> 17031 </affects> 17032 <description> 17033 <body xmlns="http://www.w3.org/1999/xhtml"> 17034 <p>The Pillow maintainers report:</p> 17035 <blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html"> 17036 <p>In all versions of Pillow, dating back at least to the last PIL 17037 1.1.7 release, PcdDecode.c has a buffer overflow error.</p> 17038 <p>The state.buffer for PcdDecode.c is allocated based on a 3 bytes 17039 per pixel sizing, where PcdDecode.c wrote into the buffer assuming 17040 4 bytes per pixel. This writes 768 bytes beyond the end of the 17041 buffer into other Python object storage. In some cases, this causes 17042 a segfault, in others an internal Python malloc error.</p> 17043 </blockquote> 17044 </body> 17045 </description> 17046 <references> 17047 <mlist>http://openwall.com/lists/oss-security/2016/02/02/5</mlist> 17048 <url>https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4</url> 17049 <url>https://github.com/python-pillow/Pillow/issues/568</url> 17050 </references> 17051 <dates> 17052 <discovery>2016-02-02</discovery> 17053 <entry>2016-02-09</entry> 17054 </dates> 17055 </vuln> 17056 17057 <vuln vid="0519db18-cf15-11e5-805c-5453ed2e2b49"> 17058 <topic>py-pillow -- Integer overflow in Resample.c</topic> 17059 <affects> 17060 <package> 17061 <name>py27-pillow</name> 17062 <name>py33-pillow</name> 17063 <name>py34-pillow</name> 17064 <name>py35-pillow</name> 17065 <range><lt>2.9.0_1</lt></range> 17066 </package> 17067 </affects> 17068 <description> 17069 <body xmlns="http://www.w3.org/1999/xhtml"> 17070 <p>The Pillow maintainers report:</p> 17071 <blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html"> 17072 <p>If a large value was passed into the new size for an image, it is 17073 possible to overflow an int32 value passed into malloc, leading the 17074 malloc’d buffer to be undersized. 
These allocations are followed by 17075 a loop that writes out of bounds. This can lead to corruption on 17076 the heap of the Python process with attacker controlled float 17077 data.</p> 17078 <p>This issue was found by Ned Williamson.</p> 17079 </blockquote> 17080 </body> 17081 </description> 17082 <references> 17083 <url>https://github.com/python-pillow/Pillow/commit/41fae6d9e2da741d2c5464775c7f1a609ea03798</url> 17084 <url>https://github.com/python-pillow/Pillow/issues/1710</url> 17085 </references> 17086 <dates> 17087 <discovery>2016-02-05</discovery> 17088 <entry>2016-02-09</entry> 17089 </dates> 17090 </vuln> 17091 17092 <vuln vid="6ea60e00-cf13-11e5-805c-5453ed2e2b49"> 17093 <topic>py-imaging, py-pillow -- Buffer overflow in FLI decoding code</topic> 17094 <affects> 17095 <package> 17096 <name>py27-pillow</name> 17097 <name>py33-pillow</name> 17098 <name>py34-pillow</name> 17099 <name>py35-pillow</name> 17100 <range><lt>2.9.0_1</lt></range> 17101 </package> 17102 <package> 17103 <name>py27-imaging</name> 17104 <range><lt>1.1.7_6</lt></range> 17105 </package> 17106 </affects> 17107 <description> 17108 <body xmlns="http://www.w3.org/1999/xhtml"> 17109 <p>The Pillow maintainers report:</p> 17110 <blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html"> 17111 <p>In all versions of Pillow, dating back at least to the last PIL 17112 1.1.7 release, FliDecode.c has a buffer overflow error.</p> 17113 <p>There is a memcpy error where x is added to a target buffer 17114 address. X is used in several internal temporary variable roles, 17115 but can take a value up to the width of the image. Im->image[y] 17116 is a set of row pointers to segments of memory that are the size of 17117 the row. 
At the max y, this will write the contents of the line off 17118 the end of the memory buffer, causing a segfault.</p> 17119 <p>This issue was found by Alyssa Besseling at Atlassian.</p> 17120 </blockquote> 17121 </body> 17122 </description> 17123 <references> 17124 <cvename>CVE-2016-0775</cvename> 17125 <url>https://github.com/python-pillow/Pillow/commit/bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec</url> 17126 </references> 17127 <dates> 17128 <discovery>2016-02-05</discovery> 17129 <entry>2016-02-09</entry> 17130 </dates> 17131 </vuln> 17132 17133 <vuln vid="53252879-cf11-11e5-805c-5453ed2e2b49"> 17134 <topic>py-pillow -- Buffer overflow in TIFF decoding code</topic> 17135 <affects> 17136 <package> 17137 <name>py27-pillow</name> 17138 <name>py33-pillow</name> 17139 <name>py34-pillow</name> 17140 <name>py35-pillow</name> 17141 <range><lt>2.9.0_1</lt></range> 17142 </package> 17143 </affects> 17144 <description> 17145 <body xmlns="http://www.w3.org/1999/xhtml"> 17146 <p>The Pillow maintainers report:</p> 17147 <blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html"> 17148 <p>Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on 17149 x64 may overflow a buffer when reading a specially crafted tiff 17150 file.</p> 17151 <p>Specifically, libtiff >= 4.0.0 changed the return type of 17152 TIFFScanlineSize from int32 to machine dependent int32|64. If the 17153 scanline is sized so that it overflows an int32, it may be 17154 interpreted as a negative number, which will then pass the size check 17155 in TiffDecode.c line 236. To do this, the logical scanline size has 17156 to be > 2gb, and for the test file, the allocated buffer size is 64k 17157 against a roughly 4gb scan line size. 
Any image data over 64k is 17158 written over the heap, causing a segfault.</p> 17159 <p>This issue was found by security researcher FourOne.</p> 17160 </blockquote> 17161 </body> 17162 </description> 17163 <references> 17164 <cvename>CVE-2016-0740</cvename> 17165 <url>https://github.com/python-pillow/Pillow/commit/6dcbf5bd96b717c58d7b642949da8d323099928e</url> 17166 </references> 17167 <dates> 17168 <discovery>2016-02-04</discovery> 17169 <entry>2016-02-09</entry> 17170 </dates> 17171 </vuln> 17172 17173 <vuln vid="6ac79ed8-ccc2-11e5-932b-5404a68ad561"> 17174 <topic>ffmpeg -- remote denial of service in JPEG2000 decoder</topic> 17175 <affects> 17176 <package> 17177 <name>ffmpeg</name> 17178 <range><lt>2.8.6,1</lt></range> 17179 </package> 17180 <package> 17181 <name>mplayer</name> 17182 <name>mencoder</name> 17183 <range> 17184 <lt>1.2.r20151219_3</lt> 17185 </range> 17186 </package> 17187 </affects> 17188 <description> 17189 <body xmlns="http://www.w3.org/1999/xhtml"> 17190 <p>FFmpeg security reports:</p> 17191 <blockquote cite="https://www.ffmpeg.org/security.html"> 17192 <p>FFmpeg 2.8.6 fixes the following vulnerabilities: 17193 CVE-2016-2213</p> 17194 </blockquote> 17195 </body> 17196 </description> 17197 <references> 17198 <cvename>CVE-2016-2213</cvename> 17199 <url>https://www.ffmpeg.org/security.html</url> 17200 </references> 17201 <dates> 17202 <discovery>2016-01-27</discovery> 17203 <entry>2016-02-06</entry> 17204 </dates> 17205 </vuln> 17206 17207 <vuln vid="448047e9-030e-4ce4-910b-f21a3ad5d9a0"> 17208 <topic>shotwell -- not verifying certificates</topic> 17209 <affects> 17210 <package> 17211 <name>shotwell</name> 17212 <range><lt>0.22.0.99</lt></range> 17213 </package> 17214 </affects> 17215 <description> 17216 <body xmlns="http://www.w3.org/1999/xhtml"> 17217 <p>Michael Catanzaro reports:</p> 17218 <blockquote cite="https://mail.gnome.org/archives/distributor-list/2016-January/msg00000.html"> 17219 <p>Shotwell has a serious security issue ("Shotwell 
does not 17220 verify TLS certificates"). Upstream is no longer active and 17221 I do not expect any further upstream releases unless someone 17222 from the community steps up to maintain it.</p> 17223 17224 <p>What is the impact of the issue? If you ever used any of 17225 the publish functionality (publish to Facebook, publish to 17226 Flickr, etc.), your passwords may have been stolen; changing 17227 them is not a bad idea.</p> 17228 17229 <p>What is the risk of the update? Regressions. The easiest 17230 way to validate TLS certificates was to upgrade WebKit; it 17231 seems to work but I don't have accounts with the online 17232 services it supports, so I don't know if photo publishing 17233 still works properly on all the services.</p> 17234 </blockquote> 17235 </body> 17236 </description> 17237 <references> 17238 <url>https://mail.gnome.org/archives/distributor-list/2016-January/msg00000.html</url> 17239 </references> 17240 <dates> 17241 <discovery>2016-01-06</discovery> 17242 <entry>2016-02-05</entry> 17243 </dates> 17244 </vuln> 17245 17246 <vuln vid="1091d2d1-cb2e-11e5-b14b-bcaec565249c"> 17247 <topic>webkit -- UI spoof</topic> 17248 <affects> 17249 <package> 17250 <name>webkit-gtk2</name> 17251 <name>webkit-gtk3</name> 17252 <range><lt>2.4.9_1</lt></range> 17253 </package> 17254 </affects> 17255 <description> 17256 <body xmlns="http://www.w3.org/1999/xhtml"> 17257 <p>webkit reports:</p> 17258 <blockquote cite="http://webkitgtk.org/security/WSA-2015-0002.html"> 17259 <p>The ScrollView::paint function in platform/scroll/ScrollView.cpp 17260 in Blink, as used in Google Chrome before 35.0.1916.114, allows 17261 remote attackers to spoof the UI by extending scrollbar painting 17262 into the parent frame.</p> 17263 </blockquote> 17264 </body> 17265 </description> 17266 <references> 17267 <cvename>CVE-2014-1748</cvename> 17268 <url>http://webkitgtk.org/security/WSA-2015-0002.html</url> 17269 </references> 17270 <dates> 17271 <discovery>2015-12-28</discovery> 17272 
<entry>2016-02-04</entry> 17273 </dates> 17274 </vuln> 17275 17276 <vuln vid="e78bfc9d-cb1e-11e5-b251-0050562a4d7b"> 17277 <topic>py-rsa -- Bleichenbacher'06 signature forgery vulnerability</topic> 17278 <affects> 17279 <package> 17280 <name>py27-rsa</name> 17281 <name>py32-rsa</name> 17282 <name>py33-rsa</name> 17283 <name>py34-rsa</name> 17284 <name>py35-rsa</name> 17285 <range><lt>3.3</lt></range> 17286 </package> 17287 </affects> 17288 <description> 17289 <body xmlns="http://www.w3.org/1999/xhtml"> 17290 <p>Filippo Valsorda reports:</p> 17291 <blockquote cite="https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/"> 17292 <p> 17293 python-rsa is vulnerable to a straightforward variant of the 17294 Bleichenbacher'06 attack against RSA signature verification 17295 with low public exponent.</p> 17296 </blockquote> 17297 </body> 17298 </description> 17299 <references> 17300 <cvename>CVE-2016-1494</cvename> 17301 <url>https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/</url> 17302 <url>https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by</url> 17303 <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1494</url> 17304 <url>http://www.openwall.com/lists/oss-security/2016/01/05/3</url> 17305 <url>http://www.openwall.com/lists/oss-security/2016/01/05/1</url> 17306 </references> 17307 <dates> 17308 <discovery>2016-01-05</discovery> 17309 <entry>2016-02-04</entry> 17310 </dates> 17311 </vuln> 17312 17313 <vuln vid="559f3d1b-cb1d-11e5-80a4-001999f8d30b"> 17314 <topic>asterisk -- Multiple vulnerabilities</topic> 17315 <affects> 17316 <package> 17317 <name>asterisk</name> 17318 <range><lt>1.8.32.3_5</lt></range> 17319 </package> 17320 <package> 17321 <name>asterisk11</name> 17322 <range><lt>11.21.1</lt></range> 17323 </package> 17324 <package> 17325 <name>asterisk13</name> 17326 <range><lt>13.7.1</lt></range> 17327 </package> 17328 </affects> 17329 <description> 17330 <body 
xmlns="http://www.w3.org/1999/xhtml"> 17331 <p>The Asterisk project reports:</p> 17332 <blockquote cite="http://www.asterisk.org/downloads/security-advisories"> 17333 <p>AST-2016-001 - BEAST vulnerability in HTTP server</p> 17334 <p>AST-2016-002 - File descriptor exhaustion in chan_sip</p> 17335 <p>AST-2016-003 - Remote crash vulnerability when receiving UDPTL FAX data</p> 17336 </blockquote> 17337 </body> 17338 </description> 17339 <references> 17340 <url>http://downloads.asterisk.org/pub/security/AST-2016-001.html</url> 17341 <cvename>CVE-2011-3389</cvename> 17342 <url>http://downloads.asterisk.org/pub/security/AST-2016-002.html</url> 17343 <cvename>CVE-2016-2316</cvename> 17344 <url>http://downloads.asterisk.org/pub/security/AST-2016-003.html</url> 17345 <cvename>CVE-2016-2232</cvename> 17346 </references> 17347 <dates> 17348 <discovery>2016-02-03</discovery> 17349 <entry>2016-02-04</entry> 17350 <modified>2016-03-07</modified> 17351 </dates> 17352 </vuln> 17353 17354 <vuln vid="0652005e-ca96-11e5-96d6-14dae9d210b8"> 17355 <topic>salt -- code execution</topic> 17356 <affects> 17357 <package> 17358 <name>py27-salt</name> 17359 <name>py32-salt</name> 17360 <name>py33-salt</name> 17361 <name>py34-salt</name> 17362 <name>py35-salt</name> 17363 <range><ge>2015.8.0</ge><lt>2015.8.4</lt></range> 17364 </package> 17365 </affects> 17366 <description> 17367 <body xmlns="http://www.w3.org/1999/xhtml"> 17368 <p>SaltStack reports:</p> 17369 <blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2015.8.4.html"> 17370 <p>Improper handling of clear messages on the minion, which 17371 could result in executing commands not sent by the master.</p> 17372 </blockquote> 17373 </body> 17374 </description> 17375 <references> 17376 <url>https://docs.saltstack.com/en/latest/topics/releases/2015.8.4.html</url> 17377 <url>https://github.com/saltstack/salt/pull/30613/files</url> 17378 <cvename>CVE-2016-1866</cvename> 17379 </references> 17380 <dates> 17381 
<discovery>2016-01-25</discovery> 17382 <entry>2016-02-03</entry> 17383 </dates> 17384 </vuln> 17385 17386 <vuln vid="bb0ef21d-0e1b-461b-bc3d-9cba39948888"> 17387 <topic>rails -- multiple vulnerabilities</topic> 17388 <affects> 17389 <package> 17390 <name>rubygem-actionpack</name> 17391 <range><lt>3.2.22.1</lt></range> 17392 </package> 17393 <package> 17394 <name>rubygem-actionpack4</name> 17395 <range><lt>4.2.5.1</lt></range> 17396 </package> 17397 <package> 17398 <name>rubygem-actionview</name> 17399 <range><lt>4.2.5.1</lt></range> 17400 </package> 17401 <package> 17402 <name>rubygem-activemodel4</name> 17403 <range><lt>4.2.5.1</lt></range> 17404 </package> 17405 <package> 17406 <name>rubygem-activerecord</name> 17407 <range><lt>3.2.22.1</lt></range> 17408 </package> 17409 <package> 17410 <name>rubygem-activerecord4</name> 17411 <range><lt>4.2.5.1</lt></range> 17412 </package> 17413 <package> 17414 <name>rubygem-rails</name> 17415 <range><lt>3.2.22.1</lt></range> 17416 </package> 17417 <package> 17418 <name>rubygem-rails-html-sanitizer</name> 17419 <range><lt>1.0.3</lt></range> 17420 </package> 17421 <package> 17422 <name>rubygem-rails4</name> 17423 <range><lt>4.2.5.1</lt></range> 17424 </package> 17425 </affects> 17426 <description> 17427 <body xmlns="http://www.w3.org/1999/xhtml"> 17428 <p>The Ruby on Rails blog reports:</p> 17429 <blockquote cite="http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/"> 17430 <p>Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been 17431 released!
These contain important security fixes, and it is 17432 recommended that users upgrade as soon as possible.</p> 17433 </blockquote> 17434 </body> 17435 </description> 17436 <references> 17437 <cvename>CVE-2015-7576</cvename> 17438 <cvename>CVE-2015-7577</cvename> 17439 <cvename>CVE-2015-7581</cvename> 17440 <cvename>CVE-2016-0751</cvename> 17441 <cvename>CVE-2016-0752</cvename> 17442 <cvename>CVE-2016-0753</cvename> 17443 <url>https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ</url> 17444 <url>https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ</url> 17445 <url>https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ</url> 17446 <url>https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ</url> 17447 <url>https://groups.google.com/d/msg/rubyonrails-security/335P1DcLG00/OfB9_LhbFQAJ</url> 17448 <url>https://groups.google.com/d/msg/rubyonrails-security/6jQVC1geukQ/8oYETcxbFQAJ</url> 17449 <url>http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/</url> 17450 </references> 17451 <dates> 17452 <discovery>2016-01-25</discovery> 17453 <entry>2016-02-02</entry> 17454 </dates> 17455 </vuln> 17456 17457 <vuln vid="a52a7172-c92e-11e5-96d6-14dae9d210b8"> 17458 <topic>socat -- diffie hellman parameter was not prime</topic> 17459 <affects> 17460 <package> 17461 <name>socat</name> 17462 <range><ge>1.7.2.5</ge><lt>1.7.3.1</lt></range> 17463 </package> 17464 </affects> 17465 <description> 17466 <body xmlns="http://www.w3.org/1999/xhtml"> 17467 <p>socat reports:</p> 17468 <blockquote cite="http://www.dest-unreach.org/socat/contrib/socat-secadv7.html"> 17469 <p>In the OpenSSL address implementation the hard coded 1024 17470 bit DH p parameter was not prime. The effective cryptographic strength 17471 of a key exchange using these parameters was weaker than the one one 17472 could get by using a prime p. 
Moreover, since there is no indication of 17473 how these parameters were chosen, the existence of a trapdoor that makes 17474 possible for an eavesdropper to recover the shared secret from a key 17475 exchange that uses them cannot be ruled out.</p> 17476 </blockquote> 17477 </body> 17478 </description> 17479 <references> 17480 <url>http://www.dest-unreach.org/socat/contrib/socat-secadv7.html</url> 17481 </references> 17482 <dates> 17483 <discovery>2016-02-01</discovery> 17484 <entry>2016-02-01</entry> 17485 </dates> 17486 </vuln> 17487 17488 <vuln vid="4f00dac0-1e18-4481-95af-7aaad63fd303"> 17489 <topic>mozilla -- multiple vulnerabilities</topic> 17490 <affects> 17491 <package> 17492 <name>firefox</name> 17493 <name>linux-firefox</name> 17494 <range><lt>44.0,1</lt></range> 17495 </package> 17496 <package> 17497 <name>seamonkey</name> 17498 <name>linux-seamonkey</name> 17499 <range><lt>2.41</lt></range> 17500 </package> 17501 <package> 17502 <name>firefox-esr</name> 17503 <range><lt>38.6.0,1</lt></range> 17504 </package> 17505 <package> 17506 <name>libxul</name> 17507 <name>thunderbird</name> 17508 <name>linux-thunderbird</name> 17509 <range><lt>38.6.0</lt></range> 17510 </package> 17511 </affects> 17512 <description> 17513 <body xmlns="http://www.w3.org/1999/xhtml"> 17514 <p>Mozilla Foundation reports:</p> 17515 <blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44"> 17516 <p>MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0 17517 / rv:38.6)</p> 17518 <p>MFSA 2016-02 Out of Memory crash when parsing GIF format 17519 images</p> 17520 <p>MFSA 2016-03 Buffer overflow in WebGL after out of memory 17521 allocation</p> 17522 <p>MFSA 2016-04 Firefox allows for control characters to be 17523 set in cookie names</p> 17524 <p>MFSA 2016-06 Missing delay following user click events in 17525 protocol handler dialog</p> 17526 <p>MFSA 2016-09 Addressbar spoofing attacks</p> 17527 <p>MFSA 2016-10 Unsafe memory manipulation 
found through 17528 code inspection</p> 17529 <p>MFSA 2016-11 Application Reputation service disabled in 17530 Firefox 43</p> 17531 </blockquote> 17532 </body> 17533 </description> 17534 <references> 17535 <cvename>CVE-2015-7208</cvename> 17536 <cvename>CVE-2016-1930</cvename> 17537 <cvename>CVE-2016-1931</cvename> 17538 <cvename>CVE-2016-1933</cvename> 17539 <cvename>CVE-2016-1935</cvename> 17540 <cvename>CVE-2016-1937</cvename> 17541 <cvename>CVE-2016-1939</cvename> 17542 <cvename>CVE-2016-1942</cvename> 17543 <cvename>CVE-2016-1943</cvename> 17544 <cvename>CVE-2016-1944</cvename> 17545 <cvename>CVE-2016-1945</cvename> 17546 <cvename>CVE-2016-1946</cvename> 17547 <cvename>CVE-2016-1947</cvename> 17548 <url>https://www.mozilla.org/security/advisories/mfsa2016-01/</url> 17549 <url>https://www.mozilla.org/security/advisories/mfsa2016-02/</url> 17550 <url>https://www.mozilla.org/security/advisories/mfsa2016-03/</url> 17551 <url>https://www.mozilla.org/security/advisories/mfsa2016-04/</url> 17552 <url>https://www.mozilla.org/security/advisories/mfsa2016-06/</url> 17553 <url>https://www.mozilla.org/security/advisories/mfsa2016-09/</url> 17554 <url>https://www.mozilla.org/security/advisories/mfsa2016-10/</url> 17555 <url>https://www.mozilla.org/security/advisories/mfsa2016-11/</url> 17556 </references> 17557 <dates> 17558 <discovery>2016-01-26</discovery> 17559 <entry>2016-02-01</entry> 17560 <modified>2016-03-08</modified> 17561 </dates> 17562 </vuln> 17563 17564 <vuln vid="e00d8b94-c88a-11e5-b5fe-002590263bf5"> 17565 <topic>gdcm -- multiple vulnerabilities</topic> 17566 <affects> 17567 <package> 17568 <name>gdcm</name> 17569 <range><lt>2.6.2</lt></range> 17570 </package> 17571 </affects> 17572 <description> 17573 <body xmlns="http://www.w3.org/1999/xhtml"> 17574 <p>CENSUS S.A. 
reports:</p> 17575 <blockquote cite="http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/"> 17576 <p>GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are 17577 prone to an integer overflow vulnerability which leads to a buffer 17578 overflow and potentially to remote code execution.</p> 17579 </blockquote> 17580 <blockquote cite="http://census-labs.com/news/2016/01/11/gdcm-out-bounds-read-jpeglscodec-decodeextent/"> 17581 <p>GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are 17582 prone to an out-of-bounds read vulnerability due to missing checks. 17583 </p> 17584 </blockquote> 17585 </body> 17586 </description> 17587 <references> 17588 <cvename>CVE-2015-8396</cvename> 17589 <cvename>CVE-2015-8397</cvename> 17590 <url>http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/</url> 17591 <url>http://census-labs.com/news/2016/01/11/gdcm-out-bounds-read-jpeglscodec-decodeextent/</url> 17592 </references> 17593 <dates> 17594 <discovery>2015-12-23</discovery> 17595 <entry>2016-02-01</entry> 17596 </dates> 17597 </vuln> 17598 17599 <vuln vid="c1c18ee1-c711-11e5-96d6-14dae9d210b8"> 17600 <topic>nginx -- multiple vulnerabilities</topic> 17601 <affects> 17602 <package> 17603 <name>nginx</name> 17604 <range><lt>1.8.1,2</lt></range> 17605 </package> 17606 <package> 17607 <name>nginx-devel</name> 17608 <range><lt>1.9.10</lt></range> 17609 </package> 17610 </affects> 17611 <description> 17612 <body xmlns="http://www.w3.org/1999/xhtml"> 17613 <p>Maxim Dounin reports:</p> 17614 <blockquote cite="http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html"> 17615 <p>Several problems in nginx resolver were identified, which 17616 might allow an attacker to cause worker process crash, or might have 17617 potential other impact if the "resolver" directive 17618 is used in a configuration file.</p> 17619 </blockquote> 17620 </body> 17621 </description> 17622 <references> 
17623 <url>http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html</url> 17624 <cvename>CVE-2016-0742</cvename> 17625 <cvename>CVE-2016-0746</cvename> 17626 <cvename>CVE-2016-0747</cvename> 17627 </references> 17628 <dates> 17629 <discovery>2016-01-26</discovery> 17630 <entry>2016-01-30</entry> 17631 </dates> 17632 </vuln> 17633 17634 <vuln vid="a0d77bc8-c6a7-11e5-96d6-14dae9d210b8"> 17635 <topic>typo3 -- multiple vulnerabilities</topic> 17636 <affects> 17637 <package> 17638 <name>typo3</name> 17639 <range><lt>7.6.1</lt></range> 17640 </package> 17641 <package> 17642 <name>typo3-lts</name> 17643 <range><lt>6.2.16</lt></range> 17644 </package> 17645 </affects> 17646 <description> 17647 <body xmlns="http://www.w3.org/1999/xhtml"> 17648 <p>TYPO3 Security Team reports:</p> 17649 <blockquote cite="http://lists.typo3.org/pipermail/typo3-announce/2015/000351.html"> 17650 <p>It has been discovered that TYPO3 CMS is susceptible to 17651 Cross-Site Scripting and Cross-Site Flashing.</p> 17652 </blockquote> 17653 </body> 17654 </description> 17655 <references> 17656 <url>http://lists.typo3.org/pipermail/typo3-announce/2015/000351.html</url> 17657 <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-010/</url> 17658 <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-011/</url> 17659 <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-012/</url> 17660 <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/</url> 17661 <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-014/</url> 17662 <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-015/</url> 17663 </references> 17664 <dates> 17665 <discovery>2015-12-15</discovery> 17666 <entry>2016-01-29</entry> 17667 </dates> 17668 </vuln> 17669 17670 <vuln vid="93eadedb-c6a6-11e5-96d6-14dae9d210b8"> 17671 <topic>nghttp2 
-- use after free</topic> 17672 <affects> 17673 <package> 17674 <name>nghttp2</name> 17675 <range><lt>1.6.0</lt></range> 17676 </package> 17677 </affects> 17678 <description> 17679 <body xmlns="http://www.w3.org/1999/xhtml"> 17680 <p>nghttp2 reports:</p> 17681 <blockquote cite="https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/"> 17682 <p>This release fixes heap-use-after-free bug in idle stream 17683 handling code. We strongly recommend to upgrade the older installation 17684 to this latest version as soon as possible.</p> 17685 </blockquote> 17686 </body> 17687 </description> 17688 <references> 17689 <url>https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/</url> 17690 <cvename>CVE-2015-8659</cvename> 17691 </references> 17692 <dates> 17693 <discovery>2015-12-23</discovery> 17694 <entry>2016-01-29</entry> 17695 </dates> 17696 </vuln> 17697 17698 <vuln vid="3166222b-c6a4-11e5-96d6-14dae9d210b8"> 17699 <topic>owncloud -- multiple vulnerabilities</topic> 17700 <affects> 17701 <package> 17702 <name>owncloud</name> 17703 <range><lt>8.2.2</lt></range> 17704 </package> 17705 </affects> 17706 <description> 17707 <body xmlns="http://www.w3.org/1999/xhtml"> 17708 <p>Owncloud reports:</p> 17709 <blockquote cite="https://owncloud.org/blog/owncloud-8-2-2-8-1-5-8-0-10-and-7-0-12-here-with-sharing-ldap-fixes/"> 17710 <ul> 17711 <li><p>Reflected XSS in OCS provider discovery 17712 (oC-SA-2016-001)</p></li> 17713 <li><p>Information Exposure Through Directory Listing in the 17714 file scanner (oC-SA-2016-002)</p></li> 17715 <li><p>Disclosure of files that begin with ".v" due to 17716 unchecked return value (oC-SA-2016-003)</p></li> 17717 </ul> 17718 </blockquote> 17719 </body> 17720 </description> 17721 <references> 17722 <url>https://owncloud.org/blog/owncloud-8-2-2-8-1-5-8-0-10-and-7-0-12-here-with-sharing-ldap-fixes/</url> 17723 <url>https://owncloud.org/security/advisory/?id=oc-sa-2016-001</url> 17724 <url>https://owncloud.org/security/advisory/?id=oc-sa-2016-002</url> 17725 
<url>https://owncloud.org/security/advisory/?id=oc-sa-2016-003</url> 17726 <cvename>CVE-2016-1498</cvename> 17727 <cvename>CVE-2016-1499</cvename> 17728 <cvename>CVE-2016-1500</cvename> 17729 </references> 17730 <dates> 17731 <discovery>2015-12-23</discovery> 17732 <entry>2016-01-29</entry> 17733 </dates> 17734 </vuln> 17735 17736 <vuln vid="ff824eea-c69c-11e5-96d6-14dae9d210b8"> 17737 <topic>radicale -- multiple vulnerabilities</topic> 17738 <affects> 17739 <package> 17740 <name>py27-radicale</name> 17741 <name>py32-radicale</name> 17742 <name>py33-radicale</name> 17743 <name>py34-radicale</name> 17744 <range><lt>1.1</lt></range> 17745 </package> 17746 </affects> 17747 <description> 17748 <body xmlns="http://www.w3.org/1999/xhtml"> 17749 <p>Radicale reports:</p> 17750 <blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/06/4"> 17751 <p>The multifilesystem backend allows access to arbitrary 17752 files on all platforms.</p> 17753 <p>Prevent regex injection in rights management.</p> 17754 </blockquote> 17755 </body> 17756 </description> 17757 <references> 17758 <url>http://www.openwall.com/lists/oss-security/2016/01/06/4</url> 17759 <cvename>CVE-2015-8747</cvename> 17760 <cvename>CVE-2015-8748</cvename> 17761 </references> 17762 <dates> 17763 <discovery>2015-12-24</discovery> 17764 <entry>2016-01-29</entry> 17765 </dates> 17766 </vuln> 17767 17768 <vuln vid="7a59e283-c60b-11e5-bf36-6805ca0b3d42"> 17769 <topic>phpmyadmin -- XSS vulnerability in SQL editor</topic> 17770 <affects> 17771 <package> 17772 <name>phpmyadmin</name> 17773 <range><ge>4.5.0</ge><lt>4.5.4</lt></range> 17774 </package> 17775 </affects> 17776 <description> 17777 <body xmlns="http://www.w3.org/1999/xhtml"> 17778 <p>The phpMyAdmin development team reports:</p> 17779 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-9/"> 17780 <p>With a crafted SQL query, it is possible to trigger an 17781 XSS attack in the SQL editor.</p> 17782 <p>We consider this vulnerability to be 
non-critical.</p> 17783 <p>This vulnerability can be triggered only by someone who is 17784 logged in to phpMyAdmin, as the usual token protection 17785 prevents non-logged-in users from accessing the required 17786 pages.</p> 17787 </blockquote> 17788 </body> 17789 </description> 17790 <references> 17791 <url>https://www.phpmyadmin.net/security/PMASA-2016-9/</url> 17792 <cvename>CVE-2016-2045</cvename> 17793 </references> 17794 <dates> 17795 <discovery>2016-01-28</discovery> 17796 <entry>2016-01-28</entry> 17797 </dates> 17798 </vuln> 17799 17800 <vuln vid="78b4ebfb-c60b-11e5-bf36-6805ca0b3d42"> 17801 <topic>phpmyadmin -- Full path disclosure vulnerability in SQL parser</topic> 17802 <affects> 17803 <package> 17804 <name>phpmyadmin</name> 17805 <range><ge>4.5.0</ge><lt>4.5.4</lt></range> 17806 </package> 17807 </affects> 17808 <description> 17809 <body xmlns="http://www.w3.org/1999/xhtml"> 17810 <p>The phpMyAdmin development team reports:</p> 17811 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-8/"> 17812 <p>By calling a particular script that is part of phpMyAdmin 17813 in an unexpected way, it is possible to trigger phpMyAdmin 17814 to display a PHP error message which contains the full path 17815 of the directory where phpMyAdmin is installed.</p> 17816 <p>We consider this vulnerability to be non-critical.</p> 17817 <p>This path disclosure is possible on servers where the 17818 recommended setting of the PHP configuration directive 17819 display_errors is set to on, which is against the 17820 recommendations given in the PHP manual for a production 17821 server.</p> 17822 </blockquote> 17823 </body> 17824 </description> 17825 <references> 17826 <url>https://www.phpmyadmin.net/security/PMASA-2016-8/</url> 17827 <cvename>CVE-2016-2044</cvename> 17828 </references> 17829 <dates> 17830 <discovery>2016-01-28</discovery> 17831 <entry>2016-01-28</entry> 17832 </dates> 17833 </vuln> 17834 17835 <vuln vid="7694927f-c60b-11e5-bf36-6805ca0b3d42"> 17836 
<topic>phpmyadmin -- XSS vulnerability in normalization page</topic> 17837 <affects> 17838 <package> 17839 <name>phpmyadmin</name> 17840 <range><ge>4.5.0</ge><lt>4.5.4</lt></range> 17841 </package> 17842 </affects> 17843 <description> 17844 <body xmlns="http://www.w3.org/1999/xhtml"> 17845 <p>The phpMyAdmin development team reports:</p> 17846 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-7/"> 17847 <p>With a crafted table name it is possible to trigger an 17848 XSS attack in the database normalization page.</p> 17849 <p>We consider this vulnerability to be non-critical.</p> 17850 <p>This vulnerability can be triggered only by someone who is 17851 logged in to phpMyAdmin, as the usual token protection 17852 prevents non-logged-in users from accessing the required page.</p> 17853 </blockquote> 17854 </body> 17855 </description> 17856 <references> 17857 <url>https://www.phpmyadmin.net/security/PMASA-2016-7/</url> 17858 <cvename>CVE-2016-2043</cvename> 17859 </references> 17860 <dates> 17861 <discovery>2016-01-28</discovery> 17862 <entry>2016-01-28</entry> 17863 </dates> 17864 </vuln> 17865 17866 <vuln vid="740badcb-c60b-11e5-bf36-6805ca0b3d42"> 17867 <topic>phpmyadmin -- Multiple full path disclosure vulnerabilities</topic> 17868 <affects> 17869 <package> 17870 <name>phpmyadmin</name> 17871 <range><ge>4.5.0</ge><lt>4.5.4</lt></range> 17872 </package> 17873 </affects> 17874 <description> 17875 <body xmlns="http://www.w3.org/1999/xhtml"> 17876 <p>The phpMyAdmin development team reports:</p> 17877 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-6/"> 17878 <p>By calling some scripts that are part of phpMyAdmin in an 17879 unexpected way, it is possible to trigger phpMyAdmin to 17880 display a PHP error message which contains the full path of 17881 the directory where phpMyAdmin is installed.</p> 17882 <p>We consider these vulnerabilities to be non-critical.</p> 17883 <p>This path disclosure is possible on servers where the 17884 
recommended setting of the PHP configuration directive 17885 display_errors is set to on, which is against the 17886 recommendations given in the PHP manual for a production 17887 server.</p> 17888 </blockquote> 17889 </body> 17890 </description> 17891 <references> 17892 <url>https://www.phpmyadmin.net/security/PMASA-2016-6/</url> 17893 <cvename>CVE-2016-2042</cvename> 17894 </references> 17895 <dates> 17896 <discovery>2016-01-28</discovery> 17897 <entry>2016-01-28</entry> 17898 </dates> 17899 </vuln> 17900 17901 <vuln vid="71b24d99-c60b-11e5-bf36-6805ca0b3d42"> 17902 <topic>phpmyadmin -- Unsafe comparison of XSRF/CSRF token</topic> 17903 <affects> 17904 <package> 17905 <name>phpmyadmin</name> 17906 <range><ge>4.5.0</ge><lt>4.5.4</lt></range> 17907 </package> 17908 </affects> 17909 <description> 17910 <body xmlns="http://www.w3.org/1999/xhtml"> 17911 <p>The phpMyAdmin development team reports:</p> 17912 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-5/"> 17913 <p>The comparison of the XSRF/CSRF token parameter with the 17914 value saved in the session is vulnerable to timing 17915 attacks. 
Moreover, the comparison could be bypassed if the 17916 XSRF/CSRF token matches a particular pattern.</p> 17917 <p>We consider this vulnerability to be serious.</p> 17918 </blockquote> 17919 </body> 17920 </description> 17921 <references> 17922 <url>https://www.phpmyadmin.net/security/PMASA-2016-5/</url> 17923 <cvename>CVE-2016-2041</cvename> 17924 </references> 17925 <dates> 17926 <discovery>2016-01-28</discovery> 17927 <entry>2016-01-28</entry> 17928 </dates> 17929 </vuln> 17930 17931 <vuln vid="6f0c2d1b-c60b-11e5-bf36-6805ca0b3d42"> 17932 <topic>phpmyadmin -- Insecure password generation in JavaScript</topic> 17933 <affects> 17934 <package> 17935 <name>phpmyadmin</name> 17936 <range><ge>4.5.0</ge><lt>4.5.4</lt></range> 17937 </package> 17938 </affects> 17939 <description> 17940 <body xmlns="http://www.w3.org/1999/xhtml"> 17941 <p>The phpMyAdmin development team reports:</p> 17942 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-4/"> 17943 <p>Password suggestion functionality uses Math.random() 17944 which does not provide cryptographically secure random 17945 numbers.</p> 17946 <p>We consider this vulnerability to be non-critical.</p> 17947 </blockquote> 17948 </body> 17949 </description> 17950 <references> 17951 <url>https://www.phpmyadmin.net/security/PMASA-2016-4/</url> 17952 <cvename>CVE-2016-1927</cvename> 17953 </references> 17954 <dates> 17955 <discovery>2016-01-28</discovery> 17956 <entry>2016-01-28</entry> 17957 </dates> 17958 </vuln> 17959 17960 <vuln vid="6cc06eec-c60b-11e5-bf36-6805ca0b3d42"> 17961 <topic>phpmyadmin -- Multiple XSS vulnerabilities</topic> 17962 <affects> 17963 <package> 17964 <name>phpmyadmin</name> 17965 <range><ge>4.5.0</ge><lt>4.5.4</lt></range> 17966 </package> 17967 </affects> 17968 <description> 17969 <body xmlns="http://www.w3.org/1999/xhtml"> 17970 <p>The phpMyAdmin development team reports:</p> 17971 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-3/"> 17972 <ul> 17973 <li>With a crafted 
table name it is possible to trigger 17974 an XSS attack in the database search page.</li> 17975 <li>With a crafted SET value or a crafted search query, it 17976 is possible to trigger an XSS attacks in the zoom search 17977 page.</li> 17978 <li>With a crafted hostname header, it is possible to 17979 trigger an XSS attacks in the home page.</li> 17980 </ul> 17981 <p>We consider these vulnerabilities to be non-critical.</p> 17982 <p>These vulnerabilities can be triggered only by someone 17983 who is logged in to phpMyAdmin, as the usual token 17984 protection prevents non-logged-in users from accessing the 17985 required pages.</p> 17986 </blockquote> 17987 </body> 17988 </description> 17989 <references> 17990 <url>https://www.phpmyadmin.net/security/PMASA-2016-3/</url> 17991 <cvename>CVE-2016-2040</cvename> 17992 </references> 17993 <dates> 17994 <discovery>2016-01-28</discovery> 17995 <entry>2016-01-28</entry> 17996 </dates> 17997 </vuln> 17998 17999 <vuln vid="60ab0e93-c60b-11e5-bf36-6805ca0b3d42"> 18000 <topic>phpmyadmin -- Unsafe generation of XSRF/CSRF token</topic> 18001 <affects> 18002 <package> 18003 <name>phpmyadmin</name> 18004 <range><ge>4.5.0</ge><lt>4.5.4</lt></range> 18005 </package> 18006 </affects> 18007 <description> 18008 <body xmlns="http://www.w3.org/1999/xhtml"> 18009 <p>The phpMyAdmin development team reports:</p> 18010 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-2/"> 18011 <p>The XSRF/CSRF token is generated with a weak algorithm 18012 using functions that do not return cryptographically secure 18013 values.</p> 18014 <p>We consider this vulnerability to be non-critical.</p> 18015 </blockquote> 18016 </body> 18017 </description> 18018 <references> 18019 <url>https://www.phpmyadmin.net/security/PMASA-2016-2/</url> 18020 <cvename>CVE-2016-2039</cvename> 18021 </references> 18022 <dates> 18023 <discovery>2016-01-28</discovery> 18024 <entry>2016-01-28</entry> 18025 </dates> 18026 </vuln> 18027 18028 <vuln 
vid="5d6a204f-c60b-11e5-bf36-6805ca0b3d42"> 18029 <topic>phpmyadmin -- Multiple full path disclosure vulnerabilities</topic> 18030 <affects> 18031 <package> 18032 <name>phpmyadmin</name> 18033 <range><ge>4.5.0</ge><lt>4.5.4</lt></range> 18034 </package> 18035 </affects> 18036 <description> 18037 <body xmlns="http://www.w3.org/1999/xhtml"> 18038 <p>The phpMyAdmin development team reports:</p> 18039 <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-1/"> 18040 <p>By calling some scripts that are part of phpMyAdmin in an 18041 unexpected way, it is possible to trigger phpMyAdmin to 18042 display a PHP error message which contains the full path of 18043 the directory where phpMyAdmin is installed.</p> 18044 <p>We consider these vulnerabilities to be non-critical.</p> 18045 <p>This path disclosure is possible on servers where the 18046 recommended setting of the PHP configuration directive 18047 display_errors is set to on, which is against the 18048 recommendations given in the PHP manual for a production 18049 server.</p> 18050 </blockquote> 18051 </body> 18052 </description> 18053 <references> 18054 <url>https://www.phpmyadmin.net/security/PMASA-2016-1/</url> 18055 <cvename>CVE-2016-2038</cvename> 18056 </references> 18057 <dates> 18058 <discovery>2016-01-28</discovery> 18059 <entry>2016-01-28</entry> 18060 </dates> 18061 </vuln> 18062 18063 <vuln vid="50394bc9-c5fa-11e5-96a5-d93b343d1ff7"> 18064 <topic>prosody -- user impersonation vulnerability</topic> 18065 <affects> 18066 <package> 18067 <name>prosody</name> 18068 <range><lt>0.9.10</lt></range> 18069 </package> 18070 </affects> 18071 <description> 18072 <body xmlns="http://www.w3.org/1999/xhtml"> 18073 <p>The Prosody team reports:</p> 18074 <blockquote cite="https://prosody.im/security/advisory_20160127/"> 18075 <p>Adopt key generation algorithm from XEP-0185, to 18076 prevent impersonation attacks (CVE-2016-0756)</p> 18077 </blockquote> 18078 </body> 18079 </description> 18080 <references> 18081 
<freebsdpr>ports/206707</freebsdpr> 18082 <cvename>CVE-2016-0756</cvename> 18083 <url>https://prosody.im/security/advisory_20160127/</url> 18084 </references> 18085 <dates> 18086 <discovery>2016-01-27</discovery> 18087 <entry>2016-01-28</entry> 18088 </dates> 18089 </vuln> 18090 18091 <vuln vid="3679fd10-c5d1-11e5-b85f-0018fe623f2b"> 18092 <topic>openssl -- multiple vulnerabilities</topic> 18093 <affects> 18094 <package> 18095 <name>openssl</name> 18096 <range><lt>1.0.2_7</lt></range> 18097 </package> 18098 <package> 18099 <name>mingw32-openssl</name> 18100 <range><ge>1.0.1</ge><lt>1.0.2f</lt></range> 18101 </package> 18102 <package> 18103 <name>FreeBSD</name> 18104 <range><ge>10.2</ge><lt>10.2_12</lt></range> 18105 <range><ge>10.1</ge><lt>10.1_29</lt></range> 18106 <range><ge>9.3</ge><lt>9.3_36</lt></range> 18107 </package> 18108 </affects> 18109 <description> 18110 <body xmlns="http://www.w3.org/1999/xhtml"> 18111 <p>OpenSSL project reports:</p> 18112 <blockquote cite="https://www.openssl.org/news/secadv/20160128.txt"> 18113 <ol> 18114 <li>Historically OpenSSL only ever generated DH parameters based on "safe" 18115 primes. More recently (in version 1.0.2) support was provided for 18116 generating X9.42 style parameter files such as those required for RFC 5114 18117 support. The primes used in such files may not be "safe". Where an 18118 application is using DH configured with parameters based on primes that are 18119 not "safe" then an attacker could use this fact to find a peer's private 18120 DH exponent. This attack requires that the attacker complete multiple 18121 handshakes in which the peer uses the same private DH exponent. For example 18122 this could be used to discover a TLS server's private DH exponent if it's 18123 reusing the private DH exponent or it's using a static DH ciphersuite. 18124 OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in 18125 TLS. It is not on by default. 
If the option is not set then the server 18126 reuses the same private DH exponent for the life of the server process and 18127 would be vulnerable to this attack. It is believed that many popular 18128 applications do set this option and would therefore not be at risk. 18129 (CVE-2016-0701)</li> 18130 <li>A malicious client can negotiate SSLv2 ciphers that have been disabled on 18131 the server and complete SSLv2 handshakes even if all SSLv2 ciphers have 18132 been disabled, provided that the SSLv2 protocol was not also disabled via 18133 SSL_OP_NO_SSLv2. 18134 (CVE-2015-3197)</li> 18135 </ol> 18136 </blockquote> 18137 </body> 18138 </description> 18139 <references> 18140 <freebsdsa>SA-16:11.openssl</freebsdsa> 18141 <cvename>CVE-2016-0701</cvename> 18142 <cvename>CVE-2015-3197</cvename> 18143 <url>https://www.openssl.org/news/secadv/20160128.txt</url> 18144 </references> 18145 <dates> 18146 <discovery>2016-01-22</discovery> 18147 <entry>2016-01-28</entry> 18148 <modified>2016-08-09</modified> 18149 </dates> 18150 </vuln> 18151 18152 <vuln vid="8b27f1bc-c509-11e5-a95f-b499baebfeaf"> 18153 <topic>curl -- Credentials not checked</topic> 18154 <affects> 18155 <package> 18156 <name>curl</name> 18157 <range><ge>7.10.0</ge><lt>7.47.0</lt></range> 18158 </package> 18159 </affects> 18160 <description> 18161 <body xmlns="http://www.w3.org/1999/xhtml"> 18162 <p>The cURL project reports:</p> 18163 <blockquote cite="http://curl.haxx.se/docs/adv_20160127A.html"> 18164 <p>libcurl will reuse NTLM-authenticated proxy connections 18165 without properly making sure that the connection was 18166 authenticated with the same credentials as set for this 18167 transfer.</p> 18168 </blockquote> 18169 </body> 18170 </description> 18171 <references> 18172 <url>http://curl.haxx.se/docs/adv_20160127A.html</url> 18173 <cvename>CVE-2016-0755</cvename> 18174 </references> 18175 <dates> 18176 <discovery>2016-01-27</discovery> 18177 <entry>2016-01-27</entry> 18178 <modified>2017-02-06</modified> 
18179 </dates> 18180 </vuln> 18181 18182 <vuln vid="fb754341-c3e2-11e5-b5fe-002590263bf5"> 18183 <topic>wordpress -- XSS vulnerability</topic> 18184 <affects> 18185 <package> 18186 <name>wordpress</name> 18187 <range><lt>4.4.1,1</lt></range> 18188 </package> 18189 <package> 18190 <name>de-wordpress</name> 18191 <name>ja-wordpress</name> 18192 <name>ru-wordpress</name> 18193 <name>zh-wordpress-zh_CN</name> 18194 <name>zh-wordpress-zh_TW</name> 18195 <range><lt>4.4.1</lt></range> 18196 </package> 18197 </affects> 18198 <description> 18199 <body xmlns="http://www.w3.org/1999/xhtml"> 18200 <p>Aaron Jorbin reports:</p> 18201 <blockquote cite="https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/"> 18202 <p>WordPress 4.4.1 is now available. This is a security release for 18203 all previous versions and we strongly encourage you to update your 18204 sites immediately.</p> 18205 <p>WordPress versions 4.4 and earlier are affected by a cross-site 18206 scripting vulnerability that could allow a site to be compromised. 
18207 This was reported by Crtc4L.</p> 18208 </blockquote> 18209 </body> 18210 </description> 18211 <references> 18212 <cvename>CVE-2016-1564</cvename> 18213 <url>http://www.openwall.com/lists/oss-security/2016/01/08/3</url> 18214 <url>https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/</url> 18215 </references> 18216 <dates> 18217 <discovery>2016-01-06</discovery> 18218 <entry>2016-01-26</entry> 18219 <modified>2016-03-08</modified> 18220 </dates> 18221 </vuln> 18222 18223 <vuln vid="a763a0e7-c3d9-11e5-b5fe-002590263bf5"> 18224 <topic>privoxy -- multiple vulnerabilities</topic> 18225 <affects> 18226 <package> 18227 <name>privoxy</name> 18228 <range><lt>3.0.24</lt></range> 18229 </package> 18230 </affects> 18231 <description> 18232 <body xmlns="http://www.w3.org/1999/xhtml"> 18233 <p>Privoxy Developers reports:</p> 18234 <blockquote cite="http://www.privoxy.org/3.0.24/user-manual/whatsnew.html"> 18235 <p>Prevent invalid reads in case of corrupt chunk-encoded content. 18236 CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer. 18237 </p> 18238 <p>Remove empty Host headers in client requests. Previously they 18239 would result in invalid reads. CVE-2016-1983. 
Bug discovered with 18240 afl-fuzz and AddressSanitizer.</p> 18241 </blockquote> 18242 </body> 18243 </description> 18244 <references> 18245 <cvename>CVE-2016-1982</cvename> 18246 <cvename>CVE-2016-1983</cvename> 18247 <freebsdpr>ports/206504</freebsdpr> 18248 <url>http://www.privoxy.org/3.0.24/user-manual/whatsnew.html</url> 18249 <url>http://www.openwall.com/lists/oss-security/2016/01/21/4</url> 18250 </references> 18251 <dates> 18252 <discovery>2016-01-22</discovery> 18253 <entry>2016-01-26</entry> 18254 </dates> 18255 </vuln> 18256 18257 <vuln vid="d9e1b569-c3d8-11e5-b5fe-002590263bf5"> 18258 <topic>privoxy -- multiple vulnerabilities</topic> 18259 <affects> 18260 <package> 18261 <name>privoxy</name> 18262 <range><lt>3.0.23</lt></range> 18263 </package> 18264 </affects> 18265 <description> 18266 <body xmlns="http://www.w3.org/1999/xhtml"> 18267 <p>Privoxy Developers reports:</p> 18268 <blockquote cite="http://www.privoxy.org/3.0.23/user-manual/whatsnew.html"> 18269 <p>Fixed a DoS issue in case of client requests with incorrect 18270 chunk-encoded body. When compiled with assertions enabled (the 18271 default) they could previously cause Privoxy to abort(). Reported 18272 by Matthew Daley. CVE-2015-1380.</p> 18273 <p>Fixed multiple segmentation faults and memory leaks in the pcrs 18274 code. This fix also increases the chances that an invalid pcrs 18275 command is rejected as such. Previously some invalid commands would 18276 be loaded without error. Note that Privoxy's pcrs sources (action 18277 and filter files) are considered trustworthy input and should not be 18278 writable by untrusted third-parties. CVE-2015-1381.</p> 18279 <p>Fixed an 'invalid read' bug which could at least theoretically 18280 cause Privoxy to crash. So far, no crashes have been observed. 
          CVE-2015-1382.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-1380</cvename>
    <cvename>CVE-2015-1381</cvename>
    <cvename>CVE-2015-1382</cvename>
    <freebsdpr>ports/197089</freebsdpr>
    <url>http://www.privoxy.org/3.0.23/user-manual/whatsnew.html</url>
    <url>http://www.openwall.com/lists/oss-security/2015/01/26/4</url>
  </references>
  <dates>
    <discovery>2015-01-26</discovery>
    <entry>2016-01-26</entry>
  </dates>
</vuln>

<vuln vid="89d4ed09-c3d7-11e5-b5fe-002590263bf5">
  <topic>privoxy -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>privoxy</name>
      <range><lt>3.0.22</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Privoxy Developers reports:</p>
      <blockquote cite="http://www.privoxy.org/3.0.22/user-manual/whatsnew.html">
        <p>Fixed a memory leak when rejecting client connections due to the
          socket limit being reached (CID 66382). This affected Privoxy 3.0.21
          when compiled with IPv6 support (on most platforms this is the
          default).</p>
        <p>Fixed an immediate-use-after-free bug (CID 66394) and two
          additional unconfirmed use-after-free complaints made by Coverity
          scan (CID 66391, CID 66376).</p>
      </blockquote>
      <p>MITRE reports:</p>
      <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1201">
        <p>Privoxy before 3.0.22 allows remote attackers to cause a denial
          of service (file descriptor consumption) via unspecified vectors.
        </p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-1030</cvename>
    <cvename>CVE-2015-1031</cvename>
    <cvename>CVE-2015-1201</cvename>
    <freebsdpr>ports/195468</freebsdpr>
    <url>http://www.privoxy.org/3.0.22/user-manual/whatsnew.html</url>
    <url>http://www.openwall.com/lists/oss-security/2015/01/11/1</url>
  </references>
  <dates>
    <discovery>2015-01-10</discovery>
    <entry>2016-01-26</entry>
  </dates>
</vuln>

<vuln vid="ad82b0e9-c3d6-11e5-b5fe-002590263bf5">
  <topic>privoxy -- malicious server spoofing as proxy vulnerability</topic>
  <affects>
    <package>
      <name>privoxy</name>
      <range><lt>3.0.21</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Privoxy Developers reports:</p>
      <blockquote cite="http://www.privoxy.org/3.0.21/user-manual/whatsnew.html">
        <p>Proxy authentication headers are removed unless the new directive
          enable-proxy-authentication-forwarding is used. Forwarding the
          headers potentially allows malicious sites to trick the user into
          providing them with login information. Reported by Chris John Riley.
        </p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2013-2503</cvename>
    <freebsdpr>ports/176813</freebsdpr>
    <url>http://www.privoxy.org/3.0.21/user-manual/whatsnew.html</url>
  </references>
  <dates>
    <discovery>2013-03-07</discovery>
    <entry>2016-01-26</entry>
  </dates>
</vuln>

<vuln vid="2e8cdd36-c3cc-11e5-b5fe-002590263bf5">
  <topic>sudo -- potential privilege escalation via symlink misconfiguration</topic>
  <affects>
    <package>
      <name>sudo</name>
      <range><lt>1.8.15</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>MITRE reports:</p>
      <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5602">
        <p>sudoedit in Sudo before 1.8.15 allows local users to gain
          privileges via a symlink attack on a file whose full path is defined
          using multiple wildcards in /etc/sudoers, as demonstrated by
          "/home/*/*/file.txt."</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-5602</cvename>
    <freebsdpr>ports/206590</freebsdpr>
    <url>https://www.exploit-db.com/exploits/37710/</url>
    <url>https://bugzilla.sudo.ws/show_bug.cgi?id=707</url>
    <url>http://www.sudo.ws/stable.html#1.8.15</url>
  </references>
  <dates>
    <discovery>2015-11-17</discovery>
    <entry>2016-01-26</entry>
  </dates>
</vuln>

<vuln vid="99d3a8a5-c13c-11e5-96d6-14dae9d210b8">
  <topic>imlib2 -- denial of service vulnerabilities</topic>
  <affects>
    <package>
      <name>imlib2</name>
      <range><lt>1.4.7</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Enlightenment reports:</p>
      <blockquote cite="https://git.enlightenment.org/legacy/imlib2.git/tree/ChangeLog">
        <p>GIF loader: Fix segv on images without colormap</p>
        <p>Prevent division-by-zero crashes.</p>
        <p>Fix segfault when opening input/queue/id:000007,src:000000,op:flip1,pos:51 with feh</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://git.enlightenment.org/legacy/imlib2.git/tree/ChangeLog</url>
    <url>http://seclists.org/oss-sec/2016/q1/162</url>
    <cvename>CVE-2014-9762</cvename>
    <cvename>CVE-2014-9763</cvename>
    <cvename>CVE-2014-9764</cvename>
  </references>
  <dates>
    <discovery>2013-12-21</discovery>
    <entry>2016-01-22</entry>
  </dates>
</vuln>

<vuln vid="b4578647-c12b-11e5-96d6-14dae9d210b8">
  <topic>bind -- denial of service vulnerability</topic>
  <affects>
    <package>
      <name>bind99</name>
      <range><lt>9.9.8P3</lt></range>
    </package>
    <package>
      <name>bind910</name>
      <range><lt>9.10.3P3</lt></range>
    </package>
    <package>
      <name>FreeBSD</name>
      <range><ge>9.3</ge><lt>9.3_35</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>ISC reports:</p>
      <blockquote cite="https://kb.isc.org/article/AA-01335">
        <p>Specific APL data could trigger an INSIST in apl_42.c</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://kb.isc.org/article/AA-01335</url>
    <cvename>CVE-2015-8704</cvename>
    <freebsdsa>SA-16:08.bind</freebsdsa>
  </references>
  <dates>
    <discovery>2016-01-19</discovery>
    <entry>2016-01-22</entry>
    <modified>2016-08-09</modified>
  </dates>
</vuln>

<vuln vid="371bbea9-3836-4832-9e70-e8e928727f8c">
  <topic>chromium -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>chromium</name>
      <name>chromium-npapi</name>
      <name>chromium-pulse</name>
      <range><lt>48.0.2564.82</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Google Chrome Releases reports:</p>
      <blockquote cite="http://googlechromereleases.blogspot.de/2016/01/stable-channel-update_20.html">
        <p>This update includes 37 security fixes, including:</p>
        <ul>
          <li>[497632] High CVE-2016-1612: Bad cast in V8.</li>
          <li>[572871] High CVE-2016-1613: Use-after-free in PDFium.</li>
          <li>[544691] Medium CVE-2016-1614: Information leak in Blink.</li>
          <li>[468179] Medium CVE-2016-1615: Origin confusion in Omnibox.</li>
          <li>[541415] Medium CVE-2016-1616: URL Spoofing.</li>
          <li>[544765] Medium CVE-2016-1617: History sniffing with HSTS and CSP.</li>
          <li>[552749] Medium CVE-2016-1618: Weak random number generator in Blink.</li>
          <li>[557223] Medium CVE-2016-1619: Out-of-bounds read in PDFium.</li>
          <li>[579625] CVE-2016-1620: Various fixes from internal audits, fuzzing and other initiatives.</li>
          <li>Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch.</li>
        </ul>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2016-1612</cvename>
    <cvename>CVE-2016-1613</cvename>
    <cvename>CVE-2016-1614</cvename>
    <cvename>CVE-2016-1615</cvename>
    <cvename>CVE-2016-1616</cvename>
    <cvename>CVE-2016-1617</cvename>
    <cvename>CVE-2016-1618</cvename>
    <cvename>CVE-2016-1619</cvename>
    <cvename>CVE-2016-1620</cvename>
    <url>http://googlechromereleases.blogspot.de/2016/01/stable-channel-update_20.html</url>
  </references>
  <dates>
    <discovery>2016-01-20</discovery>
    <entry>2016-01-21</entry>
  </dates>
</vuln>

<vuln vid="5237f5d7-c020-11e5-b397-d050996490d0">
  <topic>ntp -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>ntp</name>
      <range><lt>4.2.8p6</lt></range>
    </package>
    <package>
      <name>ntp-devel</name>
      <range><lt>4.3.90</lt></range>
    </package>
    <package>
      <name>FreeBSD</name>
      <range><ge>10.2</ge><lt>10.2_11</lt></range>
      <range><ge>10.1</ge><lt>10.1_28</lt></range>
      <range><ge>9.3</ge><lt>9.3_35</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Network Time Foundation reports:</p>
      <blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit">
        <p>NTF's NTP Project has been notified of the following low-
          and medium-severity vulnerabilities that are fixed in
          ntp-4.2.8p6, released on Tuesday, 19 January 2016:</p>
        <ul>
          <li>Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported by Cisco ASIG.</li>
          <li>Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass. Reported by Cisco ASIG.</li>
          <li>Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. Reported by Cisco ASIG.</li>
          <li>Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list. Reported by Cisco ASIG.</li>
          <li>Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported by Cisco ASIG.</li>
          <li>Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames. Reported by Cisco ASIG.</li>
          <li>Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported by Cisco ASIG.</li>
          <li>Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers. Reported by Cisco ASIG.</li>
          <li>Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode.
            Reported by Cisco ASIG.</li>
        </ul>
        <p>Additionally, mitigations are published for the following
          two issues:</p>
        <ul>
          <li>Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks. Reported by Cisco ASIG.</li>
          <li>Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. Reported by Cisco ASIG.</li>
        </ul>
      </blockquote>
    </body>
  </description>
  <references>
    <freebsdsa>SA-16:09.ntp</freebsdsa>
    <cvename>CVE-2015-7973</cvename>
    <cvename>CVE-2015-7974</cvename>
    <cvename>CVE-2015-7975</cvename>
    <cvename>CVE-2015-7976</cvename>
    <cvename>CVE-2015-7977</cvename>
    <cvename>CVE-2015-7978</cvename>
    <cvename>CVE-2015-7979</cvename>
    <cvename>CVE-2015-8138</cvename>
    <cvename>CVE-2015-8139</cvename>
    <cvename>CVE-2015-8140</cvename>
    <cvename>CVE-2015-8158</cvename>
    <url>http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit</url>
  </references>
  <dates>
    <discovery>2016-01-20</discovery>
    <entry>2016-01-21</entry>
    <modified>2016-08-09</modified>
  </dates>
</vuln>

<vuln vid="62c0dbbd-bfce-11e5-b5fe-002590263bf5">
  <topic>cgit -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>cgit</name>
      <range><lt>0.12</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Jason A.
        Donenfeld reports:</p>
      <blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/14/6">
        <p>Reflected Cross Site Scripting and Header Injection in Mimetype
          Query String.</p>
        <p>Stored Cross Site Scripting and Header Injection in Filename
          Parameter.</p>
        <p>Integer Overflow resulting in Buffer Overflow.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2016-1899</cvename>
    <cvename>CVE-2016-1900</cvename>
    <cvename>CVE-2016-1901</cvename>
    <freebsdpr>ports/206417</freebsdpr>
    <url>http://lists.zx2c4.com/pipermail/cgit/2016-January/002817.html</url>
    <url>http://www.openwall.com/lists/oss-security/2016/01/14/6</url>
  </references>
  <dates>
    <discovery>2016-01-14</discovery>
    <entry>2016-01-20</entry>
  </dates>
</vuln>

<vuln vid="314830d8-bf91-11e5-96d6-14dae9d210b8">
  <topic>bind -- denial of service vulnerability</topic>
  <affects>
    <package>
      <name>bind910</name>
      <range><lt>9.10.3P3</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>ISC reports:</p>
      <blockquote cite="https://kb.isc.org/article/AA-01336">
        <p>Problems converting OPT resource records and ECS options to
          text format can cause BIND to terminate</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://kb.isc.org/article/AA-01336</url>
    <cvename>CVE-2015-8705</cvename>
  </references>
  <dates>
    <discovery>2016-01-19</discovery>
    <entry>2016-01-20</entry>
    <modified>2016-01-22</modified>
  </dates>
</vuln>

<vuln vid="51358314-bec8-11e5-82cd-bcaec524bf84">
  <topic>claws-mail -- no bounds checking on the output buffer in conv_jistoeuc, conv_euctojis, conv_sjistoeuc</topic>
  <affects>
    <package>
      <name>claws-mail</name>
      <range><lt>3.13.2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>DrWhax reports:</p>
      <blockquote cite="http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557">
        <p>So in codeconv.c there is a function for Japanese character set
          conversion called conv_jistoeuc(). There is no bounds checking on
          the output buffer, which is created on the stack with alloca().
          Bug can be triggered by sending an email to TAILS_luser@riseup.net
          or whatever.

          Since my C is completely rusty, you might be able to make a better
          judgment on the severity of this issue. Marking critical for now.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8614</cvename>
    <url>https://security-tracker.debian.org/tracker/CVE-2015-8614</url>
  </references>
  <dates>
    <discovery>2015-11-04</discovery>
    <entry>2016-01-19</entry>
  </dates>
</vuln>

<vuln vid="7c63775e-be31-11e5-b5fe-002590263bf5">
  <topic>libarchive -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>libarchive</name>
      <range><lt>3.1.2_5,1</lt></range>
    </package>
    <package>
      <name>FreeBSD</name>
      <range><ge>10.3</ge><lt>10.3_4</lt></range>
      <range><ge>10.2</ge><lt>10.2_18</lt></range>
      <range><ge>10.1</ge><lt>10.1_35</lt></range>
      <range><ge>9.3</ge><lt>9.3_43</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>MITRE reports:</p>
      <blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0211">
        <p>Integer signedness error in the archive_write_zip_data function in
          archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when
          running on 64-bit machines, allows context-dependent attackers to
          cause a denial of
          service (crash) via unspecified vectors, which
          triggers an improper conversion between unsigned and signed types,
          leading to a buffer overflow.</p>
      </blockquote>
      <blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304">
        <p>Absolute path traversal vulnerability in bsdcpio in libarchive
          3.1.2 and earlier allows remote attackers to write to arbitrary
          files via a full pathname in an archive.</p>
      </blockquote>
      <p>Libarchive issue tracker reports:</p>
      <blockquote cite="https://github.com/libarchive/libarchive/issues/502">
        <p>Using a crafted tar file bsdtar can perform an out-of-bounds memory
          read which will lead to a SEGFAULT. The issue exists when the
          executable skips data in the archive. The amount of data to skip is
          defined in byte offset [16-19]. If ASLR is disabled, the issue can
          lead to an infinite loop.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2013-0211</cvename>
    <cvename>CVE-2015-2304</cvename>
    <freebsdpr>ports/200176</freebsdpr>
    <freebsdsa>SA-16:22.libarchive</freebsdsa>
    <freebsdsa>SA-16:23.libarchive</freebsdsa>
    <url>https://github.com/libarchive/libarchive/pull/110</url>
    <url>https://github.com/libarchive/libarchive/commit/5935715</url>
    <url>https://github.com/libarchive/libarchive/commit/2253154</url>
    <url>https://github.com/libarchive/libarchive/issues/502</url>
    <url>https://github.com/libarchive/libarchive/commit/3865cf2</url>
    <url>https://github.com/libarchive/libarchive/commit/e6c9668</url>
    <url>https://github.com/libarchive/libarchive/commit/24f5de6</url>
  </references>
  <dates>
    <discovery>2012-12-06</discovery>
    <entry>2016-01-18</entry>
    <modified>2016-08-09</modified>
  </dates>
</vuln>

<vuln vid="6809c6db-bdeb-11e5-b5fe-002590263bf5">
  <topic>go -- information
    disclosure vulnerability</topic>
  <affects>
    <package>
      <name>go</name>
      <range><ge>1.5,1</ge><lt>1.5.3,1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Jason Buberel reports:</p>
      <blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/13/7">
        <p>A security-related issue has been reported in Go's math/big
          package. The issue was introduced in Go 1.5. We recommend that all
          users upgrade to Go 1.5.3, which fixes the issue. Go programs must
          be recompiled with Go 1.5.3 in order to receive the fix.</p>
        <p>The Go team would like to thank Nick Craig-Wood for identifying the
          issue.</p>
        <p>This issue can affect RSA computations in crypto/rsa, which is used
          by crypto/tls. TLS servers on 32-bit systems could plausibly leak
          their RSA private key due to this issue. Other protocol
          implementations that create many RSA signatures could also be
          impacted in the same way.</p>
        <p>Specifically, incorrect results in one part of the RSA Chinese
          Remainder computation can cause the result to be incorrect in such a
          way that it leaks one of the primes. While RSA blinding should
          prevent an attacker from crafting specific inputs that trigger the
          bug, on 32-bit systems the bug can be expected to occur at random
          around one in 2^26 times. Thus collecting around 64 million
          signatures (of known data) from an affected server should be enough
          to extract the private key used.</p>
        <p>On 64-bit systems, the frequency of the bug is so low (less than
          one in 2^50) that it would be very difficult to exploit.
          Nonetheless, everyone is strongly encouraged to upgrade.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8618</cvename>
    <url>http://www.openwall.com/lists/oss-security/2016/01/13/7</url>
    <url>https://go-review.googlesource.com/#/c/17672/</url>
    <url>https://go-review.googlesource.com/#/c/18491/</url>
  </references>
  <dates>
    <discovery>2016-01-13</discovery>
    <entry>2016-01-18</entry>
  </dates>
</vuln>

<vuln vid="05eeb7e9-b987-11e5-83ef-14dae9d210b8">
  <topic>isc-dhcpd -- Denial of Service</topic>
  <affects>
    <package>
      <name>isc-dhcp41-server</name>
      <range><lt>4.1.e_10,2</lt></range>
    </package>
    <package>
      <name>isc-dhcp41-client</name>
      <range><lt>4.1.e_3,2</lt></range>
    </package>
    <package>
      <name>isc-dhcp41-relay</name>
      <range><lt>4.1.e_6,2</lt></range>
    </package>
    <package>
      <name>isc-dhcp42-client</name>
      <name>isc-dhcp42-server</name>
      <name>isc-dhcp42-relay</name>
      <range><ge>0</ge></range>
    </package>
    <package>
      <name>isc-dhcp43-client</name>
      <name>isc-dhcp43-server</name>
      <name>isc-dhcp43-relay</name>
      <range><lt>4.3.3.p1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>ISC reports:</p>
      <blockquote cite="https://kb.isc.org/article/AA-01334">
        <p>A badly formed packet with an invalid IPv4 UDP length field
          can cause a DHCP server, client, or relay program to terminate
          abnormally.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://kb.isc.org/article/AA-01334</url>
    <cvename>CVE-2015-8605</cvename>
  </references>
  <dates>
    <discovery>2016-01-05</discovery>
    <entry>2016-01-12</entry>
  </dates>
</vuln>

<vuln
  vid="3b5c2362-bd07-11e5-b7ef-5453ed2e2b49">
  <topic>libproxy -- stack-based buffer overflow</topic>
  <affects>
    <!-- libproxy-python is not affected. It only installs a .py file that
         dlopen()s libproxy.so. -->
    <package>
      <name>libproxy</name>
      <range><ge>0.4.0</ge><lt>0.4.6_1</lt></range>
    </package>
    <package>
      <name>libproxy-gnome</name>
      <range><ge>0.4.0</ge><lt>0.4.6_2</lt></range>
    </package>
    <package>
      <name>libproxy-kde</name>
      <range><ge>0.4.0</ge><lt>0.4.6_6</lt></range>
    </package>
    <package>
      <name>libproxy-perl</name>
      <range><ge>0.4.0</ge><lt>0.4.6_3</lt></range>
    </package>
    <package>
      <name>libproxy-webkit</name>
      <range><ge>0.4.0</ge><lt>0.4.6_4</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Tomas Hoger reports:</p>
      <blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=864417#c0">
        <p>A buffer overflow flaw was discovered in the libproxy's
          url::get_pac() used to download proxy.pac proxy auto-configuration
          file.
          A malicious host hosting proxy.pac, or a man in the middle
          attacker, could use this flaw to trigger a stack-based buffer
          overflow in an application using libproxy, if proxy configuration
          instructed it to download proxy.pac file from a remote HTTP
          server.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2012-4504</cvename>
    <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4504</url>
    <mlist>http://www.openwall.com/lists/oss-security/2012/10/12/1</mlist>
    <url>https://github.com/libproxy/libproxy/commit/c440553c12836664afd24a24fb3a4d10a2facd2c</url>
    <url>https://bugzilla.redhat.com/show_bug.cgi?id=864417</url>
    <mlist>https://groups.google.com/forum/?fromgroups=#!topic/libproxy/VxZ8No7mT0E</mlist>
  </references>
  <dates>
    <discovery>2012-10-10</discovery>
    <entry>2016-01-17</entry>
    <modified>2016-01-18</modified>
  </dates>
</vuln>

<vuln vid="046fedd1-bd01-11e5-bbf4-5404a68ad561">
  <topic>ffmpeg -- remote attacker can access local files</topic>
  <affects>
    <package>
      <name>ffmpeg</name>
      <range>
        <gt>2.0,1</gt>
        <lt>2.8.5,1</lt>
      </range>
    </package>
    <package>
      <name>mplayer</name>
      <name>mencoder</name>
      <range>
        <lt>1.2.r20151219_2</lt>
      </range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Arch Linux reports:</p>
      <blockquote cite="https://bugs.archlinux.org/task/47738">
        <p>ffmpeg has a vulnerability in the current version that allows the
          attacker to create a specially crafted video file, downloading which
          will send files from a user PC to a remote attacker server.
          The attack does not even require the user to open that file — for
          example, KDE Dolphin thumbnail generation is enough.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2016-1897</cvename>
    <cvename>CVE-2016-1898</cvename>
    <freebsdpr>ports/206282</freebsdpr>
    <url>https://www.ffmpeg.org/security.html</url>
  </references>
  <dates>
    <discovery>2016-01-13</discovery>
    <entry>2016-01-17</entry>
  </dates>
</vuln>

<vuln vid="6c808811-bb9a-11e5-a65c-485d605f4717">
  <topic>h2o -- directory traversal vulnerability</topic>
  <affects>
    <package>
      <name>h2o</name>
      <range><lt>1.6.2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Kazuho Oku reports:</p>
      <blockquote cite="http://h2o.examp1e.net/vulnerabilities.html">
        <p>When redirect directive is used, this flaw allows a remote
          attacker to inject response headers into an HTTP redirect response.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2016-1133</cvename>
    <url>https://h2o.examp1e.net/vulnerabilities.html</url>
  </references>
  <dates>
    <discovery>2016-01-13</discovery>
    <entry>2016-01-15</entry>
  </dates>
</vuln>

<vuln vid="dfe0cdc1-baf2-11e5-863a-b499baebfeaf">
  <topic>openssh -- information disclosure</topic>
  <affects>
    <package>
      <name>openssh-portable</name>
      <range>
        <gt>5.4.p0,1</gt>
        <lt>7.1.p2,1</lt>
      </range>
    </package>
    <package>
      <name>FreeBSD</name>
      <range><ge>10.2</ge><lt>10.2_10</lt></range>
      <range><ge>10.1</ge><lt>10.1_27</lt></range>
      <range><ge>9.3</ge><lt>9.3_34</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>OpenSSH
        reports:</p>
      <blockquote cite="http://www.openssh.com/security.html">
        <p>OpenSSH clients between versions 5.4 and 7.1 are vulnerable to
          information disclosure that may allow a malicious server to retrieve
          information including, under some circumstances, user's private keys.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://www.openssh.com/security.html</url>
    <cvename>CVE-2016-0777</cvename>
    <cvename>CVE-2016-0778</cvename>
    <freebsdsa>SA-16:07</freebsdsa>
  </references>
  <dates>
    <discovery>2016-01-14</discovery>
    <entry>2016-01-14</entry>
    <modified>2016-08-09</modified>
  </dates>
</vuln>

<vuln vid="842cd117-ba54-11e5-9728-002590263bf5">
  <topic>prosody -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>prosody</name>
      <range><lt>0.9.9</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Prosody Team reports:</p>
      <blockquote cite="http://blog.prosody.im/prosody-0-9-9-security-release/">
        <p>Fix path traversal vulnerability in mod_http_files
          (CVE-2016-1231)</p>
        <p>Fix use of weak PRNG in generation of dialback secrets
          (CVE-2016-1232)</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2016-1231</cvename>
    <cvename>CVE-2016-1232</cvename>
    <freebsdpr>ports/206150</freebsdpr>
    <url>http://blog.prosody.im/prosody-0-9-9-security-release/</url>
  </references>
  <dates>
    <discovery>2016-01-08</discovery>
    <entry>2016-01-14</entry>
  </dates>
</vuln>

<vuln vid="a7a4e96c-ba50-11e5-9728-002590263bf5">
  <topic>kibana4 -- XSS vulnerability</topic>
  <affects>
    <package>
      <name>kibana4</name>
      <name>kibana41</name>
      <range><lt>4.1.4</lt></range>
    </package>
    <package>
      <name>kibana42</name>
      <range><lt>4.2.2</lt></range>
    </package>
    <package>
      <name>kibana43</name>
      <range><lt>4.3.1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Elastic reports:</p>
      <blockquote cite="https://www.elastic.co/blog/kibana-4-3-1-and-4-2-2-and-4-1-4">
        <p>Fixes XSS vulnerability (CVE pending) - Thanks to Vladimir Ivanov
          for responsibly reporting.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <freebsdpr>ports/205961</freebsdpr>
    <freebsdpr>ports/205962</freebsdpr>
    <freebsdpr>ports/205963</freebsdpr>
    <url>https://www.elastic.co/blog/kibana-4-3-1-and-4-2-2-and-4-1-4</url>
  </references>
  <dates>
    <discovery>2015-12-17</discovery>
    <entry>2016-01-13</entry>
  </dates>
</vuln>

<vuln vid="333f655a-b93a-11e5-9efa-5453ed2e2b49">
  <topic>p5-PathTools -- File::Spec::canonpath loses taint</topic>
  <affects>
    <package>
      <name>p5-PathTools</name>
      <range>
        <gt>3.4000</gt>
        <lt>3.6200</lt>
      </range>
    </package>
    <package>
      <name>perl5</name>
      <name>perl5.20</name>
      <name>perl5.22</name>
      <name>perl5-devel</name>
      <range><ge>5.19.9</ge><lt>5.20.2</lt></range>
      <range><ge>5.21.0</ge><lt>5.22.2</lt></range>
      <range><ge>5.23.0</ge><lt>5.23.7</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Ricardo Signes reports:</p>
      <blockquote>
        <p>Beginning in PathTools 3.47 and/or perl 5.20.0, the
          File::Spec::canonpath() routine returned untainted strings even if
          passed tainted input.
          This defect undermines the guarantee of taint
          propagation, which is sometimes used to ensure that unvalidated
          user input does not reach sensitive code.</p>
        <p>This defect was found and reported by David Golden of MongoDB.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8607</cvename>
    <url>https://rt.perl.org/Public/Bug/Display.html?id=126862</url>
  </references>
  <dates>
    <discovery>2016-01-11</discovery>
    <entry>2016-01-12</entry>
    <modified>2016-08-22</modified>
  </dates>
</vuln>

<vuln vid="6b771fe2-b84e-11e5-92f9-485d605f4717">
  <topic>php -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>php55</name>
      <name>php55-gd</name>
      <name>php55-wddx</name>
      <name>php55-xmlrpc</name>
      <range><lt>5.5.31</lt></range>
    </package>
    <package>
      <name>php56</name>
      <name>php56-gd</name>
      <name>php56-soap</name>
      <name>php56-wddx</name>
      <name>php56-xmlrpc</name>
      <range><lt>5.6.17</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>PHP reports:</p>
      <blockquote cite="http://www.php.net/ChangeLog-5.php#5.5.31">
        <ul>
          <li>Core:
            <ul>
              <li>Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).</li>
            </ul></li>
          <li>GD:
            <ul>
              <li>Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array
                Index Out of Bounds).</li>
            </ul></li>
          <li>SOAP:
            <ul>
              <li>Fixed bug #70900 (SoapClient systematic out of memory error).</li>
            </ul></li>
          <li>Wddx:
            <ul>
              <li>Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet
                Deserialization).</li>
              <li>Fixed bug #70741 (Session WDDX Packet Deserialization Type
                Confusion Vulnerability).</li>
            </ul></li>
          <li>XMLRPC:
            <ul>
              <li>Fixed bug #70728 (Type Confusion Vulnerability in
              PHP_to_XMLRPC_worker()).</li>
            </ul>
          </li>
        </ul>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://www.php.net/ChangeLog-5.php#5.5.31</url>
    <url>http://www.php.net/ChangeLog-5.php#5.6.17</url>
  </references>
  <dates>
    <discovery>2016-01-07</discovery>
    <entry>2016-01-11</entry>
  </dates>
</vuln>

<vuln vid="5f276780-b6ce-11e5-9731-5453ed2e2b49">
  <topic>pygments -- shell injection vulnerability</topic>
  <affects>
    <package>
      <name>py27-pygments</name>
      <name>py32-pygments</name>
      <name>py33-pygments</name>
      <name>py34-pygments</name>
      <name>py35-pygments</name>
      <range><lt>2.0.2_1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>NVD reports:</p>
      <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557">
        <p>The FontManager._get_nix_font_path function in formatters/img.py
        in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute
        arbitrary commands via shell metacharacters in a font name.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8557</cvename>
    <mlist>http://seclists.org/fulldisclosure/2015/Oct/4</mlist>
    <url>https://bitbucket.org/birkenfeld/pygments-main/commits/0036ab1c99e256298094505e5e92fdacdfc5b0a8</url>
  </references>
  <dates>
    <discovery>2015-09-28</discovery>
    <entry>2016-01-09</entry>
  </dates>
</vuln>

<vuln vid="631fc042-b636-11e5-83ef-14dae9d210b8">
  <topic>polkit -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>polkit</name>
      <range><lt>0.113</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Colin Walters reports:</p>
      <blockquote cite="http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html">
        <ul>
          <li><p>Integer overflow in the
          authentication_agent_new_cookie function in PolicyKit (aka polkit)
          before 0.113 allows local users to gain privileges by creating a large
          number of connections, which triggers the issuance of a duplicate cookie
          value.</p></li>
          <li><p>The authentication_agent_new function in
          polkitbackend/polkitbackendinteractiveauthority.c in PolicyKit (aka
          polkit) before 0.113 allows local users to cause a denial of service
          (NULL pointer dereference and polkitd daemon crash) by calling
          RegisterAuthenticationAgent with an invalid object path.</p></li>
          <li><p>The polkit_backend_action_pool_init function in
          polkitbackend/polkitbackendactionpool.c in PolicyKit (aka polkit) before
          0.113 might allow local users to gain privileges via duplicate action
          IDs in action descriptions.</p></li>
          <li><p>PolicyKit (aka polkit) before 0.113 allows local
          users to cause a denial of service (memory corruption and polkitd daemon
          crash) and possibly gain privileges via unspecified vectors, related to
          "javascript rule evaluation."</p></li>
        </ul>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html</url>
    <cvename>CVE-2015-4625</cvename>
    <cvename>CVE-2015-3218</cvename>
    <cvename>CVE-2015-3255</cvename>
    <cvename>CVE-2015-3256</cvename>
  </references>
  <dates>
    <discovery>2015-06-03</discovery>
    <entry>2016-01-08</entry>
  </dates>
</vuln>

<vuln vid="b22b016b-b633-11e5-83ef-14dae9d210b8">
  <topic>librsync -- collision vulnerability</topic>
  <affects>
    <package>
      <name>librsync</name>
      <range><lt>1.0.0</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Michael Samuel reports:</p>
      <blockquote cite="http://www.openwall.com/lists/oss-security/2014/07/28/1">
        <p>librsync before 1.0.0 uses a truncated MD4 checksum to
        match blocks, which makes it easier for remote attackers to modify
        transmitted data via a birthday attack.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://www.openwall.com/lists/oss-security/2014/07/28/1</url>
    <cvename>CVE-2014-8242</cvename>
  </references>
  <dates>
    <discovery>2014-07-28</discovery>
    <entry>2016-01-08</entry>
  </dates>
</vuln>

<vuln vid="4eae4f46-b5ce-11e5-8a2b-d050996490d0">
  <topic>ntp -- denial of service vulnerability</topic>
  <affects>
    <package>
      <name>ntp</name>
      <range><lt>4.2.8p5</lt></range>
    </package>
    <package>
      <name>ntp-devel</name>
      <range><lt>4.3.78</lt></range>
    </package>
    <package>
      <name>FreeBSD</name>
      <range><ge>10.2</ge><lt>10.2_9</lt></range>
      <range><ge>10.1</ge><lt>10.1_26</lt></range>
      <range><ge>9.3</ge><lt>9.3_33</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Network Time Foundation reports:</p>
      <blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p5_Securit">
        <p>NTF's NTP Project has been notified of the following
        1 medium-severity vulnerability that is fixed in
        ntp-4.2.8p5, released on Thursday, 7 January 2016:</p>
        <p>NtpBug2956: Small-step/Big-step CVE-2015-5300</p>
      </blockquote>
    </body>
  </description>
  <references>
    <freebsdsa>SA-16:02.ntp</freebsdsa>
    <cvename>CVE-2015-5300</cvename>
    <url>https://www.cs.bu.edu/~goldbe/NTPattack.html</url>
    <url>http://support.ntp.org/bin/view/Main/NtpBug2956</url>
    <url>http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p5_Securit</url>
  </references>
  <dates>
    <discovery>2015-10-21</discovery>
    <entry>2016-01-08</entry>
    <modified>2016-08-09</modified>
  </dates>
</vuln>

<vuln vid="df587aa2-b5a5-11e5-9728-002590263bf5">
  <topic>dhcpcd -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>dhcpcd</name>
      <range><lt>6.10.0</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Nico Golde reports:</p>
      <blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/07/3">
        <p>Heap overflow via malformed dhcp responses later in print_option
        (via dhcp_envoption1) due to incorrect option length values.
        Exploitation is non-trivial, but I'd love to be proven wrong.</p>
        <p>Invalid read/crash via malformed dhcp responses.
        Not exploitable
        beyond DoS as far as I can judge.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2016-1503</cvename>
    <cvename>CVE-2016-1504</cvename>
    <freebsdpr>ports/206015</freebsdpr>
    <url>http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9def1300d7ba990679571fa30</url>
    <url>http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d8fabf33059aa4689cca17403</url>
    <url>http://www.openwall.com/lists/oss-security/2016/01/07/3</url>
  </references>
  <dates>
    <discovery>2016-01-04</discovery>
    <entry>2016-01-08</entry>
  </dates>
</vuln>

<vuln vid="4084168e-b531-11e5-a98c-0011d823eebd">
  <topic>mbedTLS/PolarSSL -- SLOTH attack on TLS 1.2 server authentication</topic>
  <affects>
    <package>
      <name>polarssl13</name>
      <range><lt>1.3.16</lt></range>
    </package>
    <package>
      <name>mbedtls</name>
      <range><lt>2.2.1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>ARM Limited reports:</p>
      <blockquote cite="https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released">
        <p>MD5 handshake signatures in TLS 1.2 are vulnerable to the SLOTH attack
        on TLS 1.2 server authentication. They have been disabled by default.
        Other attacks from the SLOTH paper do not apply to any version of mbed
        TLS or PolarSSL.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released</url>
  </references>
  <dates>
    <discovery>2016-01-04</discovery>
    <entry>2016-01-07</entry>
  </dates>
</vuln>

<vuln vid="6aa2d135-b40e-11e5-9728-002590263bf5">
  <topic>xen-kernel -- ioreq handling possibly susceptible to multiple read issue</topic>
  <affects>
    <package>
      <name>xen-kernel</name>
      <range><lt>4.5.2_1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Xen Project reports:</p>
      <blockquote cite="http://xenbits.xen.org/xsa/advisory-166.html">
        <p>Single memory accesses in source code can be translated to multiple
        ones in machine code by the compiler, requiring special caution when
        accessing shared memory. Such precaution was missing from the
        hypervisor code inspecting the state of I/O requests sent to the
        device model for assistance.</p>
        <p>Due to the offending field being a bitfield, it is however believed
        that there is no issue in practice, since compilers, at least when
        optimizing (which is always the case for non-debug builds), should find
        it more expensive to extract the bit field value twice than to keep the
        calculated value in a register.</p>
        <p>This vulnerability is exposed to malicious device models. In
        conventional Xen systems this means the qemu which services an HVM
        domain.
        On such systems this vulnerability can only be exploited if
        the attacker has gained control of the device model qemu via another
        vulnerability.</p>
        <p>Privilege escalation, host crash (Denial of Service), and leaked
        information all cannot be excluded.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <freebsdpr>ports/205841</freebsdpr>
    <url>http://xenbits.xen.org/xsa/advisory-166.html</url>
  </references>
  <dates>
    <discovery>2015-12-17</discovery>
    <entry>2016-01-06</entry>
  </dates>
</vuln>

<vuln vid="e839ca04-b40d-11e5-9728-002590263bf5">
  <topic>xen-kernel -- information leak in legacy x86 FPU/XMM initialization</topic>
  <affects>
    <package>
      <name>xen-kernel</name>
      <range><lt>4.5.2_1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Xen Project reports:</p>
      <blockquote cite="http://xenbits.xen.org/xsa/advisory-165.html">
        <p>When XSAVE/XRSTOR are not in use by Xen to manage guest extended
        register state, the initial values in the FPU stack and XMM
        registers seen by the guest upon first use are those left there by
        the previous user of those registers.</p>
        <p>A malicious domain may be able to leverage this to obtain sensitive
        information such as cryptographic keys from another domain.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8555</cvename>
    <freebsdpr>ports/205841</freebsdpr>
    <url>http://xenbits.xen.org/xsa/advisory-165.html</url>
  </references>
  <dates>
    <discovery>2015-12-17</discovery>
    <entry>2016-01-06</entry>
  </dates>
</vuln>

<vuln vid="5d1d4473-b40d-11e5-9728-002590263bf5">
  <topic>xen-tools -- libxl leak of pv kernel and initrd on error</topic>
  <affects>
    <package>
      <name>xen-tools</name>
      <range><ge>4.1</ge><lt>4.5.2_1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Xen Project reports:</p>
      <blockquote cite="http://xenbits.xen.org/xsa/advisory-160.html">
        <p>When constructing a guest which is configured to use a PV
        bootloader which runs as a userspace process in the toolstack domain
        (e.g. pygrub) libxl creates a mapping of the files to be used as
        kernel and initial ramdisk when building the guest domain.</p>
        <p>However if building the domain subsequently fails these mappings
        would not be released leading to a leak of virtual address space in
        the calling process, as well as preventing the recovery of the
        temporary disk files containing the kernel and initial ramdisk.</p>
        <p>For toolstacks which manage multiple domains within the same
        process, an attacker who is able to repeatedly start a suitable
        domain (or many such domains) can cause an out-of-memory condition in the
        toolstack process, leading to a denial of service.</p>
        <p>Under the same circumstances an attacker can also cause files to
        accumulate on the toolstack domain filesystem (usually under /var in
        dom0) used to temporarily store the kernel and initial ramdisk,
        perhaps leading to a denial of service against arbitrary other
        services using that filesystem.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8341</cvename>
    <freebsdpr>ports/205841</freebsdpr>
    <url>http://xenbits.xen.org/xsa/advisory-160.html</url>
  </references>
  <dates>
    <discovery>2015-12-08</discovery>
    <entry>2016-01-06</entry>
  </dates>
</vuln>

<vuln vid="bcad3faa-b40c-11e5-9728-002590263bf5">
  <topic>xen-kernel -- XENMEM_exchange error handling issues</topic>
  <affects>
    <package>
      <name>xen-kernel</name>
      <range><lt>4.5.2_1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Xen Project reports:</p>
      <blockquote cite="http://xenbits.xen.org/xsa/advisory-159.html">
        <p>Error handling in the operation may involve handing back pages to
        the domain. This operation may fail when in parallel the domain gets
        torn down. So far this failure unconditionally resulted in the host
        being brought down due to an internal error being assumed. This is
        CVE-2015-8339.</p>
        <p>Furthermore error handling so far wrongly included the release of a
        lock. That lock, however, was either not acquired or already released
        on all paths leading to the error handling sequence. This is
        CVE-2015-8340.</p>
        <p>A malicious guest administrator may be able to deny service by
        crashing the host or causing a deadlock.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8339</cvename>
    <cvename>CVE-2015-8340</cvename>
    <freebsdpr>ports/205841</freebsdpr>
    <url>http://xenbits.xen.org/xsa/advisory-159.html</url>
  </references>
  <dates>
    <discovery>2015-12-08</discovery>
    <entry>2016-01-06</entry>
  </dates>
</vuln>

<vuln vid="b65e4914-b3bc-11e5-8255-5453ed2e2b49">
  <topic>tiff -- out-of-bounds read in CIE Lab image format</topic>
  <affects>
    <package>
      <name>tiff</name>
      <range><lt>4.0.6_1</lt></range>
    </package>
    <package>
      <name>linux-c6-tiff</name>
      <range><lt>3.9.4_2</lt></range>
    </package>
    <package>
      <name>linux-f10-tiff</name>
      <range><ge>*</ge></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>zzf of Alibaba discovered an out-of-bounds vulnerability in the code
      processing the LogLUV
      and CIE Lab image format files. An attacker
      could create a specially-crafted TIFF file that could cause libtiff
      to crash.</p>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8683</cvename>
    <mlist>http://www.openwall.com/lists/oss-security/2015/12/25/2</mlist>
  </references>
  <dates>
    <discovery>2015-12-25</discovery>
    <entry>2016-01-05</entry>
    <modified>2016-09-06</modified>
  </dates>
</vuln>

<vuln vid="bd349f7a-b3b9-11e5-8255-5453ed2e2b49">
  <topic>tiff -- out-of-bounds read in tif_getimage.c</topic>
  <affects>
    <package>
      <name>tiff</name>
      <range><lt>4.0.6_1</lt></range>
    </package>
    <package>
      <name>linux-c6-tiff</name>
      <range><lt>3.9.4_2</lt></range>
    </package>
    <package>
      <name>linux-f10-tiff</name>
      <range><ge>*</ge></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>LMX of Qihoo 360 Codesafe Team discovered an out-of-bounds read in
      tif_getimage.c.
      An attacker could create a specially-crafted TIFF
      file that could cause libtiff to crash.</p>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8665</cvename>
    <mlist>http://www.openwall.com/lists/oss-security/2015/12/24/2</mlist>
  </references>
  <dates>
    <discovery>2015-12-24</discovery>
    <entry>2016-01-05</entry>
    <modified>2016-09-06</modified>
  </dates>
</vuln>

<vuln vid="86c3c66e-b2f5-11e5-863a-b499baebfeaf">
  <topic>unzip -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>unzip</name>
      <range><lt>6.0_7</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Gustavo Grieco reports:</p>
      <blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/07/4">
        <p>Two issues were found in unzip 6.0:</p>
        <p> * A heap overflow triggered by unzipping a file with password
        (e.g. unzip -p -P x sigsegv.zip).</p>
        <p> * A denial of service with a file that never finishes unzipping
        (e.g.
        unzip sigxcpu.zip).</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://www.openwall.com/lists/oss-security/2015/09/07/4</url>
    <freebsdpr>ports/204413</freebsdpr>
    <cvename>CVE-2015-7696</cvename>
    <cvename>CVE-2015-7697</cvename>
  </references>
  <dates>
    <discovery>2015-09-26</discovery>
    <entry>2016-01-04</entry>
  </dates>
</vuln>

<vuln vid="bb961ff3-b3a4-11e5-8255-5453ed2e2b49">
  <topic>cacti -- SQL injection vulnerabilities</topic>
  <affects>
    <package>
      <name>cacti</name>
      <range><le>0.8.8f_1</le></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>NVD reports:</p>
      <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8369">
        <p>SQL injection vulnerability in include/top_graph_header.php in
        Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary
        SQL commands via the rra_id parameter in a properties action to
        graph.php.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8369</cvename>
    <url>http://bugs.cacti.net/view.php?id=2646</url>
    <url>http://svn.cacti.net/viewvc?view=rev&amp;revision=7767</url>
    <mlist>http://seclists.org/fulldisclosure/2015/Dec/8</mlist>
  </references>
  <dates>
    <discovery>2015-12-05</discovery>
    <entry>2016-01-05</entry>
  </dates>
</vuln>

<vuln vid="59e7eb28-b309-11e5-af83-80ee73b5dcf5">
  <topic>kea -- unexpected termination while handling a malformed packet</topic>
  <affects>
    <package>
      <name>kea</name>
      <range><ge>0.9.2</ge><lt>1.0.0</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>ISC Support reports:</p>
      <blockquote
        cite="https://kb.isc.org/article/AA-01318/0/CVE-2015-8373-ISC-Kea%3A-unexpected-termination-while-handling-a-malformed-packet.html">
        <p>ISC Kea may terminate unexpectedly (crash) while handling
        a malformed client packet. Related defects in the kea-dhcp4
        and kea-dhcp6 servers can cause the server to crash during
        option processing if a client sends a malformed packet.
        An attacker sending a crafted malformed packet can cause
        an ISC Kea server providing DHCP services to IPv4 or IPv6
        clients to exit unexpectedly.</p>
        <ul>
          <li><p>The kea-dhcp4 server is vulnerable only in versions
          0.9.2 and 1.0.0-beta, and furthermore only when logging
          at debug level 40 or higher. Servers running kea-dhcp4
          versions 0.9.1 or lower, and servers which are not
          logging or are logging at debug level 39 or below are
          not vulnerable.</p></li>
          <li><p>The kea-dhcp6 server is vulnerable only in versions
          0.9.2 and 1.0.0-beta, and furthermore only when
          logging at debug level 45 or higher.
          Servers running
          kea-dhcp6 versions 0.9.1 or lower, and servers
          which are not logging or are logging at debug level 44
          or below are not vulnerable.</p></li>
        </ul>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8373</cvename>
    <url>https://kb.isc.org/article/AA-01318/0/CVE-2015-8373-ISC-Kea%3A-unexpected-termination-while-handling-a-malformed-packet.html</url>
  </references>
  <dates>
    <discovery>2015-12-15</discovery>
    <entry>2016-01-04</entry>
    <modified>2016-01-05</modified>
  </dates>
</vuln>

<vuln vid="84dc49b0-b267-11e5-8a5b-00262d5ed8ee">
  <topic>mini_httpd -- buffer overflow via snprintf</topic>
  <affects>
    <package>
      <name>mini_httpd</name>
      <range><lt>1.23</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>ACME Updates reports:</p>
      <blockquote cite="https://cxsecurity.com/acveshow/CVE-2015-1548">
        <p>mini_httpd 1.21 and earlier allows remote attackers to obtain
        sensitive information from process memory via an HTTP request with
        a long protocol string, which triggers an incorrect response size
        calculation and an out-of-bounds read.</p>
        <p>(rene) ACME, the author, claims that the vulnerability is fixed
        *after* version 1.22, released on 2015-12-28.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-1548</cvename>
    <url>https://cxsecurity.com/cveshow/CVE-2015-1548</url>
    <url>http://acme.com/updates/archive/192.html</url>
  </references>
  <dates>
    <discovery>2015-02-10</discovery>
    <entry>2016-01-03</entry>
  </dates>
</vuln>

<vuln vid="1384f2fd-b1be-11e5-9728-002590263bf5">
  <topic>qemu -- denial of service vulnerability in Rocker switch emulation</topic>
  <affects>
    <package>
      <name>qemu</name>
      <name>qemu-devel</name>
      <range><lt>2.5.50</lt></range>
    </package>
    <package>
      <name>qemu-sbruno</name>
      <name>qemu-user-static</name>
      <range><lt>2.5.50.g20160213</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
      <blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/28/6">
        <p>Qemu emulator built with the Rocker switch emulation support is
        vulnerable to an off-by-one error. It happens while processing
        transmit(tx) descriptors in 'tx_consume' routine, if a descriptor
        was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments.</p>
        <p>A privileged user inside guest could use this flaw to cause memory
        leakage on the host or crash the Qemu process instance resulting in
        DoS issue.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8701</cvename>
    <freebsdpr>ports/205813</freebsdpr>
    <freebsdpr>ports/205814</freebsdpr>
    <url>http://www.openwall.com/lists/oss-security/2015/12/28/6</url>
    <url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html</url>
    <url>http://git.qemu.org/?p=qemu.git;a=commit;h=007cd223de527b5f41278f2d886c1a4beb3e67aa</url>
    <url>https://github.com/seanbruno/qemu-bsd-user/commit/007cd223de527b5f41278f2d886c1a4beb3e67aa</url>
  </references>
  <dates>
    <discovery>2015-12-28</discovery>
    <entry>2016-01-03</entry>
    <modified>2016-07-06</modified>
  </dates>
</vuln>

<vuln vid="152acff3-b1bd-11e5-9728-002590263bf5">
  <topic>qemu -- denial of service vulnerability in Q35 chipset emulation</topic>
  <affects>
    <package>
      <name>qemu</name>
      <name>qemu-devel</name>
      <range><lt>2.5.50</lt></range>
    </package>
    <package>
      <name>qemu-sbruno</name>
      <name>qemu-user-static</name>
      <range><lt>2.5.50.g20151224</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
      <blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/24/1">
        <p>Qemu emulator built with the Q35 chipset based pc system emulator
        is vulnerable to a heap based buffer overflow. It occurs during VM
        guest migration, as more(16 bytes) data is moved into allocated
        (8 bytes) memory area.</p>
        <p>A privileged guest user could use this issue to corrupt the VM
        guest image, potentially leading to a DoS. This issue affects q35
        machine types.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8666</cvename>
    <url>http://www.openwall.com/lists/oss-security/2015/12/24/1</url>
    <url>http://git.qemu.org/?p=qemu.git;a=commit;h=d9a3b33d2c9f996537b7f1d0246dee2d0120cefb</url>
    <url>https://github.com/seanbruno/qemu-bsd-user/commit/d9a3b33d2c9f996537b7f1d0246dee2d0120cefb</url>
  </references>
  <dates>
    <discovery>2015-11-19</discovery>
    <entry>2016-01-03</entry>
    <modified>2016-07-06</modified>
  </dates>
</vuln>

<vuln vid="62ab8707-b1bc-11e5-9728-002590263bf5">
  <topic>qemu -- denial of service vulnerability in Human Monitor Interface support</topic>
  <affects>
    <package>
      <name>qemu</name>
      <name>qemu-devel</name>
      <range><lt>2.5.0</lt></range>
    </package>
    <package>
      <name>qemu-sbruno</name>
      <name>qemu-user-static</name>
      <range><lt>2.5.50.g20160213</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
      <blockquote
        cite="http://www.openwall.com/lists/oss-security/2015/12/22/8">
        <p>Qemu emulator built with the Human Monitor Interface(HMP) support
        is vulnerable to an OOB write issue. It occurs while processing
        'sendkey' command in hmp_sendkey routine, if the command argument is
        longer than the 'keyname_buf' buffer size.</p>
        <p>A user/process could use this flaw to crash the Qemu process
        instance resulting in DoS.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8619</cvename>
    <freebsdpr>ports/205813</freebsdpr>
    <freebsdpr>ports/205814</freebsdpr>
    <url>http://www.openwall.com/lists/oss-security/2015/12/22/8</url>
    <url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html</url>
    <url>http://git.qemu.org/?p=qemu.git;a=commit;h=64ffbe04eaafebf4045a3ace52a360c14959d196</url>
    <url>https://github.com/seanbruno/qemu-bsd-user/commit/64ffbe04eaafebf4045a3ace52a360c14959d196</url>
  </references>
  <dates>
    <discovery>2015-12-23</discovery>
    <entry>2016-01-03</entry>
    <modified>2016-07-06</modified>
  </dates>
</vuln>

<vuln vid="b3f9f8ef-b1bb-11e5-9728-002590263bf5">
  <topic>qemu -- denial of service vulnerability in MegaRAID SAS HBA emulation</topic>
  <affects>
    <package>
      <name>qemu</name>
      <name>qemu-devel</name>
      <range><lt>2.5.0</lt></range>
    </package>
    <package>
      <name>qemu-sbruno</name>
      <name>qemu-user-static</name>
      <range><lt>2.5.50.g20160213</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
      <blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/21/7">
        <p>Qemu emulator built with the SCSI MegaRAID SAS HBA emulation
        support is vulnerable to a stack buffer overflow issue.
        It occurs
        while processing the SCSI controller's CTRL_GET_INFO command. A
        privileged guest user could use this flaw to crash the Qemu process
        instance resulting in DoS.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8613</cvename>
    <freebsdpr>ports/205813</freebsdpr>
    <freebsdpr>ports/205814</freebsdpr>
    <url>http://www.openwall.com/lists/oss-security/2015/12/21/7</url>
    <url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html</url>
    <url>http://git.qemu.org/?p=qemu.git;a=commit;h=36fef36b91f7ec0435215860f1458b5342ce2811</url>
    <url>https://github.com/seanbruno/qemu-bsd-user/commit/36fef36b91f7ec0435215860f1458b5342ce2811</url>
  </references>
  <dates>
    <discovery>2015-12-21</discovery>
    <entry>2016-01-03</entry>
    <modified>2016-07-06</modified>
  </dates>
</vuln>

<vuln vid="9ad8993e-b1ba-11e5-9728-002590263bf5">
  <topic>qemu -- denial of service vulnerability in VMWARE VMXNET3 NIC support</topic>
  <affects>
    <package>
      <name>qemu</name>
      <name>qemu-devel</name>
      <range><lt>2.5.0</lt></range>
    </package>
    <package>
      <name>qemu-sbruno</name>
      <name>qemu-user-static</name>
      <range><lt>2.5.50.g20160213</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
      <blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/15/4">
        <p>Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator
        support is vulnerable to a memory leakage flaw.
        It occurs when a
        guest repeatedly tries to activate the vmxnet3 device.</p>
        <p>A privileged guest user could use this flaw to leak host memory,
        resulting in DoS on the host.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-8567</cvename>
    <cvename>CVE-2015-8568</cvename>
    <freebsdpr>ports/205813</freebsdpr>
    <freebsdpr>ports/205814</freebsdpr>
    <url>http://www.openwall.com/lists/oss-security/2015/12/15/4</url>
    <url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html</url>
    <url>http://git.qemu.org/?p=qemu.git;a=commit;h=aa4a3dce1c88ed51b616806b8214b7c8428b7470</url>
    <url>https://github.com/seanbruno/qemu-bsd-user/commit/aa4a3dce1c88ed51b616806b8214b7c8428b7470</url>
  </references>
  <dates>
    <discovery>2015-12-15</discovery>
    <entry>2016-01-03</entry>
    <modified>2016-07-06</modified>
  </dates>
</vuln>

<vuln vid="60cb2055-b1b8-11e5-9728-002590263bf5">
  <topic>qemu -- denial of service vulnerability in USB EHCI emulation support</topic>
  <affects>
    <package>
      <name>qemu</name>
      <name>qemu-devel</name>
      <range><lt>2.5.0</lt></range>
    </package>
    <package>
      <name>qemu-sbruno</name>
      <name>qemu-user-static</name>
      <range><lt>2.5.50.g20151224</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
      <blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/14/9">
        <p>Qemu emulator built with the USB EHCI emulation support is
        vulnerable to an infinite loop issue. It occurs during communication
        between host controller interface(EHCI) and a respective device
        driver.
These two communicate via a isochronous transfer descriptor 20019 list(iTD) and an infinite loop unfolds if there is a closed loop in 20020 this list.</p> 20021 <p>A privileges user inside guest could use this flaw to consume 20022 excessive CPU cycles & resources on the host.</p> 20023 </blockquote> 20024 </body> 20025 </description> 20026 <references> 20027 <cvename>CVE-2015-8558</cvename> 20028 <freebsdpr>ports/205814</freebsdpr> 20029 <url>http://www.openwall.com/lists/oss-security/2015/12/14/9</url> 20030 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254</url> 20031 <url>https://github.com/seanbruno/qemu-bsd-user/commit/156a2e4dbffa85997636a7a39ef12da6f1b40254</url> 20032 </references> 20033 <dates> 20034 <discovery>2015-12-14</discovery> 20035 <entry>2016-01-03</entry> 20036 </dates> 20037 </vuln> 20038 20039 <vuln vid="3fb06284-b1b7-11e5-9728-002590263bf5"> 20040 <topic>qemu -- denial of service vulnerability in MSI-X support</topic> 20041 <affects> 20042 <package> 20043 <name>qemu</name> 20044 <name>qemu-devel</name> 20045 <range><lt>2.5.0</lt></range> 20046 </package> 20047 <package> 20048 <name>qemu-sbruno</name> 20049 <name>qemu-user-static</name> 20050 <range><lt>2.5.50.g20151224</lt></range> 20051 </package> 20052 </affects> 20053 <description> 20054 <body xmlns="http://www.w3.org/1999/xhtml"> 20055 <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> 20056 <blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/14/2"> 20057 <p>Qemu emulator built with the PCI MSI-X support is vulnerable to 20058 null pointer dereference issue. It occurs when the controller 20059 attempts to write to the pending bit array(PBA) memory region. 
20060 Because the MSI-X MMIO support did not define the .write method.</p> 20061 <p>A privileges used inside guest could use this flaw to crash the 20062 Qemu process resulting in DoS issue.</p> 20063 </blockquote> 20064 </body> 20065 </description> 20066 <references> 20067 <cvename>CVE-2015-7549</cvename> 20068 <url>http://www.openwall.com/lists/oss-security/2015/12/14/2</url> 20069 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=43b11a91dd861a946b231b89b7542856ade23d1b</url> 20070 <url>https://github.com/seanbruno/qemu-bsd-user/commit/43b11a91dd861a946b231b89b7542856ade23d1b</url> 20071 </references> 20072 <dates> 20073 <discovery>2015-06-26</discovery> 20074 <entry>2016-01-03</entry> 20075 </dates> 20076 </vuln> 20077 20078 <vuln vid="67feba97-b1b5-11e5-9728-002590263bf5"> 20079 <topic>qemu -- denial of service vulnerability in VNC</topic> 20080 <affects> 20081 <package> 20082 <name>qemu</name> 20083 <name>qemu-devel</name> 20084 <range><lt>2.5.0</lt></range> 20085 </package> 20086 <package> 20087 <name>qemu-sbruno</name> 20088 <name>qemu-user-static</name> 20089 <range><lt>2.5.50.g20151224</lt></range> 20090 </package> 20091 </affects> 20092 <description> 20093 <body xmlns="http://www.w3.org/1999/xhtml"> 20094 <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> 20095 <blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/08/4"> 20096 <p>Qemu emulator built with the VNC display driver support is 20097 vulnerable to an arithmetic exception flaw. 
It occurs on the VNC 20098 server side while processing the 'SetPixelFormat' messages from a 20099 client.</p> 20100 <p>A privileged remote client could use this flaw to crash the guest 20101 resulting in DoS.</p> 20102 </blockquote> 20103 </body> 20104 </description> 20105 <references> 20106 <cvename>CVE-2015-8504</cvename> 20107 <url>http://www.openwall.com/lists/oss-security/2015/12/08/4</url> 20108 <url>http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3</url> 20109 <url>https://github.com/seanbruno/qemu-bsd-user/commit/4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3</url> 20110 </references> 20111 <dates> 20112 <discovery>2015-12-08</discovery> 20113 <entry>2016-01-03</entry> 20114 </dates> 20115 </vuln> 20116 20117 <vuln vid="405446f4-b1b3-11e5-9728-002590263bf5"> 20118 <topic>qemu and xen-tools -- denial of service vulnerabilities in AMD PC-Net II NIC support</topic> 20119 <affects> 20120 <package> 20121 <name>qemu</name> 20122 <name>qemu-devel</name> 20123 <range><lt>2.5.0</lt></range> 20124 </package> 20125 <package> 20126 <name>qemu-sbruno</name> 20127 <name>qemu-user-static</name> 20128 <range><lt>2.5.50.g20151224</lt></range> 20129 </package> 20130 <package> 20131 <name>xen-tools</name> 20132 <range><lt>4.5.2_1</lt></range> 20133 </package> 20134 </affects> 20135 <description> 20136 <body xmlns="http://www.w3.org/1999/xhtml"> 20137 <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> 20138 <blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/30/2"> 20139 <p>Qemu emulator built with the AMD PC-Net II Ethernet Controller 20140 support is vulnerable to a heap buffer overflow flaw. While 20141 receiving packets in the loopback mode, it appends CRC code to the 20142 receive buffer. 
If the data size given is same as the receive buffer 20143 size, the appended CRC code overwrites 4 bytes beyond this 20144 's->buffer' array.</p> 20145 <p>A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw 20146 to crash the Qemu instance resulting in DoS or potentially execute 20147 arbitrary code with privileges of the Qemu process on the host.</p> 20148 </blockquote> 20149 <blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/30/3"> 20150 <p>The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets 20151 from a remote host(non-loopback mode), fails to validate the 20152 received data size, thus resulting in a buffer overflow issue. It 20153 could potentially lead to arbitrary code execution on the host, with 20154 privileges of the Qemu process. It requires the guest NIC to have 20155 larger MTU limit.</p> 20156 <p>A remote user could use this flaw to crash the guest instance 20157 resulting in DoS or potentially execute arbitrary code on a remote 20158 host with privileges of the Qemu process.</p> 20159 </blockquote> 20160 </body> 20161 </description> 20162 <references> 20163 <cvename>CVE-2015-7504</cvename> 20164 <cvename>CVE-2015-7512</cvename> 20165 <url>http://www.openwall.com/lists/oss-security/2015/11/30/2</url> 20166 <url>http://www.openwall.com/lists/oss-security/2015/11/30/3</url> 20167 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7</url> 20168 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343</url> 20169 <url>https://github.com/seanbruno/qemu-bsd-user/commit/837f21aacf5a714c23ddaadbbc5212f9b661e3f7</url> 20170 <url>https://github.com/seanbruno/qemu-bsd-user/commit/8b98a2f07175d46c3f7217639bd5e03f2ec56343</url> 20171 <url>http://xenbits.xen.org/xsa/advisory-162.html</url> 20172 </references> 20173 <dates> 20174 <discovery>2015-11-30</discovery> 20175 <entry>2016-01-03</entry> 20176 <modified>2016-01-06</modified> 20177 </dates> 
20178 </vuln> 20179 20180 <vuln vid="b56fe6bb-b1b1-11e5-9728-002590263bf5"> 20181 <topic>qemu -- denial of service vulnerabilities in eepro100 NIC support</topic> 20182 <affects> 20183 <package> 20184 <name>qemu</name> 20185 <name>qemu-devel</name> 20186 <range><lt>2.5.50</lt></range> 20187 </package> 20188 <package> 20189 <name>qemu-sbruno</name> 20190 <name>qemu-user-static</name> 20191 <range><lt>2.5.50.g20160213</lt></range> 20192 </package> 20193 </affects> 20194 <description> 20195 <body xmlns="http://www.w3.org/1999/xhtml"> 20196 <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> 20197 <blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/25/3"> 20198 <p>Qemu emulator built with the i8255x (PRO100) emulation support is 20199 vulnerable to an infinite loop issue. It could occur while 20200 processing a chain of commands located in the Command Block List 20201 (CBL). Each Command Block(CB) points to the next command in the 20202 list. An infinite loop unfolds if the link to the next CB points 20203 to the same block or there is a closed loop in the chain.</p> 20204 <p>A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw 20205 to crash the Qemu instance resulting in DoS.</p> 20206 </blockquote> 20207 </body> 20208 </description> 20209 <references> 20210 <cvename>CVE-2015-8345</cvename> 20211 <freebsdpr>ports/205813</freebsdpr> 20212 <freebsdpr>ports/205814</freebsdpr> 20213 <url>http://www.openwall.com/lists/oss-security/2015/11/25/3</url> 20214 <url>https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html</url> 20215 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=00837731d254908a841d69298a4f9f077babaf24</url> 20216 <url>https://github.com/seanbruno/qemu-bsd-user/commit/00837731d254908a841d69298a4f9f077babaf24</url> 20217 </references> 20218 <dates> 20219 <discovery>2015-10-16</discovery> 20220 <entry>2016-01-03</entry> 20221 <modified>2016-07-06</modified> 20222 </dates> 20223 </vuln> 20224 20225 <vuln 
vid="42cbd1e8-b152-11e5-9728-002590263bf5"> 20226 <topic>qemu -- denial of service vulnerability in virtio-net support</topic> 20227 <affects> 20228 <package> 20229 <name>qemu</name> 20230 <name>qemu-devel</name> 20231 <range><lt>2.4.1</lt></range> 20232 </package> 20233 <package> 20234 <name>qemu-sbruno</name> 20235 <name>qemu-user-static</name> 20236 <range><lt>2.5.50.g20151224</lt></range> 20237 </package> 20238 </affects> 20239 <description> 20240 <body xmlns="http://www.w3.org/1999/xhtml"> 20241 <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> 20242 <blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/18/5"> 20243 <p>Qemu emulator built with the Virtual Network Device(virtio-net) 20244 support is vulnerable to a DoS issue. It could occur while receiving 20245 large packets over the tuntap/macvtap interfaces and when guest's 20246 virtio-net driver did not support big/mergeable receive buffers.</p> 20247 <p>An attacker on the local network could use this flaw to disable 20248 guest's networking by sending a large number of jumbo frames to the 20249 guest, exhausting all receive buffers and thus leading to a DoS 20250 situation.</p> 20251 </blockquote> 20252 </body> 20253 </description> 20254 <references> 20255 <cvename>CVE-2015-7295</cvename> 20256 <url>http://www.openwall.com/lists/oss-security/2015/09/18/5</url> 20257 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=696317f1895e836d53b670c7b77b7be93302ba08</url> 20258 <url>https://github.com/seanbruno/qemu-bsd-user/commit/0cf33fb6b49a19de32859e2cdc6021334f448fb3</url> 20259 </references> 20260 <dates> 20261 <discovery>2015-09-18</discovery> 20262 <entry>2016-01-02</entry> 20263 </dates> 20264 </vuln> 20265 20266 <vuln vid="6aa3322f-b150-11e5-9728-002590263bf5"> 20267 <topic>qemu -- denial of service vulnerabilities in NE2000 NIC support</topic> 20268 <affects> 20269 <package> 20270 <name>qemu</name> 20271 <name>qemu-devel</name> 20272 <range><lt>2.4.0.1</lt></range> 20273 
</package> 20274 <package> 20275 <name>qemu-sbruno</name> 20276 <name>qemu-user-static</name> 20277 <range><lt>2.5.50.g20151224</lt></range> 20278 </package> 20279 </affects> 20280 <description> 20281 <body xmlns="http://www.w3.org/1999/xhtml"> 20282 <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> 20283 <blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/15/2"> 20284 <p>Qemu emulator built with the NE2000 NIC emulation support is 20285 vulnerable to an infinite loop issue. It could occur when receiving 20286 packets over the network.</p> 20287 <p>A privileged user inside guest could use this flaw to crash the 20288 Qemu instance resulting in DoS.</p> 20289 </blockquote> 20290 <blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/15/3"> 20291 <p>Qemu emulator built with the NE2000 NIC emulation support is 20292 vulnerable to a heap buffer overflow issue. It could occur when 20293 receiving packets over the network.</p> 20294 <p>A privileged user inside guest could use this flaw to crash the 20295 Qemu instance or potentially execute arbitrary code on the host.</p> 20296 </blockquote> 20297 </body> 20298 </description> 20299 <references> 20300 <cvename>CVE-2015-5278</cvename> 20301 <cvename>CVE-2015-5279</cvename> 20302 <url>http://www.openwall.com/lists/oss-security/2015/09/15/2</url> 20303 <url>http://www.openwall.com/lists/oss-security/2015/09/15/3</url> 20304 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=5a1ccdfe44946e726b4c6fda8a4493b3931a68c1</url> 20305 <url>https://github.com/seanbruno/qemu-bsd-user/commit/737d2b3c41d59eb8f94ab7eb419b957938f24943</url> 20306 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755</url> 20307 <url>https://github.com/seanbruno/qemu-bsd-user/commit/9bbdbc66e5765068dce76e9269dce4547afd8ad4</url> 20308 </references> 20309 <dates> 20310 <discovery>2015-09-15</discovery> 20311 <entry>2016-01-02</entry> 20312 </dates> 20313 </vuln> 20314 20315 <vuln 
vid="bbc97005-b14e-11e5-9728-002590263bf5"> 20316 <topic>qemu -- denial of service vulnerability in IDE disk/CD/DVD-ROM emulation</topic> 20317 <affects> 20318 <package> 20319 <name>qemu</name> 20320 <name>qemu-devel</name> 20321 <range><lt>2.4.1</lt></range> 20322 </package> 20323 <package> 20324 <name>qemu-sbruno</name> 20325 <name>qemu-user-static</name> 20326 <range><lt>2.5.50.g20151224</lt></range> 20327 </package> 20328 </affects> 20329 <description> 20330 <body xmlns="http://www.w3.org/1999/xhtml"> 20331 <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> 20332 <blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/10/1"> 20333 <p>Qemu emulator built with the IDE disk and CD/DVD-ROM emulation 20334 support is vulnerable to a divide by zero issue. It could occur 20335 while executing an IDE command WIN_READ_NATIVE_MAX to determine 20336 the maximum size of a drive.</p> 20337 <p>A privileged user inside guest could use this flaw to crash the 20338 Qemu instance resulting in DoS.</p> 20339 </blockquote> 20340 </body> 20341 </description> 20342 <references> 20343 <cvename>CVE-2015-6855</cvename> 20344 <url>http://www.openwall.com/lists/oss-security/2015/09/10/1</url> 20345 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=63d761388d6fea994ca498c6e7a210851a99ad93</url> 20346 <url>https://github.com/seanbruno/qemu-bsd-user/commit/d9033e1d3aa666c5071580617a57bd853c5d794a</url> 20347 </references> 20348 <dates> 20349 <discovery>2015-09-09</discovery> 20350 <entry>2016-01-02</entry> 20351 </dates> 20352 </vuln> 20353 20354 <vuln vid="10bf8eed-b14d-11e5-9728-002590263bf5"> 20355 <topic>qemu -- denial of service vulnerability in e1000 NIC support</topic> 20356 <affects> 20357 <package> 20358 <name>qemu</name> 20359 <name>qemu-devel</name> 20360 <range><lt>2.4.0.1</lt></range> 20361 </package> 20362 <package> 20363 <name>qemu-sbruno</name> 20364 <name>qemu-user-static</name> 20365 <range><lt>2.5.50.g20151224</lt></range> 20366 </package> 20367 
</affects> 20368 <description> 20369 <body xmlns="http://www.w3.org/1999/xhtml"> 20370 <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> 20371 <blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/04/4"> 20372 <p>Qemu emulator built with the e1000 NIC emulation support is 20373 vulnerable to an infinite loop issue. It could occur while 20374 processing transmit descriptor data when sending a network packet. 20375 </p> 20376 <p>A privileged user inside guest could use this flaw to crash the 20377 Qemu instance resulting in DoS.</p> 20378 </blockquote> 20379 </body> 20380 </description> 20381 <references> 20382 <cvename>CVE-2015-6815</cvename> 20383 <url>http://www.openwall.com/lists/oss-security/2015/09/04/4</url> 20384 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=3a56af1fbc17ff453f6e90fb08ce0c0e6fd0b61b</url> 20385 <url>https://github.com/seanbruno/qemu-bsd-user/commit/b947ac2bf26479e710489739c465c8af336599e7</url> 20386 </references> 20387 <dates> 20388 <discovery>2015-09-04</discovery> 20389 <entry>2016-01-02</entry> 20390 </dates> 20391 </vuln> 20392 20393 <vuln vid="8a560bcf-b14b-11e5-9728-002590263bf5"> 20394 <topic>qemu -- denial of service vulnerability in VNC</topic> 20395 <affects> 20396 <package> 20397 <name>qemu</name> 20398 <name>qemu-devel</name> 20399 <range><lt>2.1.0</lt></range> 20400 </package> 20401 <package> 20402 <name>qemu-sbruno</name> 20403 <name>qemu-user-static</name> 20404 <range><lt>2.2.50.g20141230</lt></range> 20405 </package> 20406 </affects> 20407 <description> 20408 <body xmlns="http://www.w3.org/1999/xhtml"> 20409 <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> 20410 <blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/02/7"> 20411 <p>Qemu emulator built with the VNC display driver is vulnerable to an 20412 infinite loop issue. 
It could occur while processing a 20413 CLIENT_CUT_TEXT message with specially crafted payload message.</p> 20414 <p>A privileged guest user could use this flaw to crash the Qemu 20415 process on the host, resulting in DoS.</p> 20416 </blockquote> 20417 </body> 20418 </description> 20419 <references> 20420 <cvename>CVE-2015-5239</cvename> 20421 <url>http://www.openwall.com/lists/oss-security/2015/09/02/7</url> 20422 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=f9a70e79391f6d7c2a912d785239ee8effc1922d</url> 20423 <url>https://github.com/seanbruno/qemu-bsd-user/commit/f9a70e79391f6d7c2a912d785239ee8effc1922d</url> 20424 </references> 20425 <dates> 20426 <discovery>2014-06-30</discovery> 20427 <entry>2016-01-02</entry> 20428 </dates> 20429 </vuln> 20430 20431 <vuln vid="2b3b4c27-b0c7-11e5-8d13-bc5ff45d0f28"> 20432 <topic>qemu -- buffer overflow vulnerability in VNC</topic> 20433 <affects> 20434 <package> 20435 <name>qemu</name> 20436 <name>qemu-devel</name> 20437 <range><lt>2.4.0.1</lt></range> 20438 </package> 20439 <package> 20440 <name>qemu-sbruno</name> 20441 <name>qemu-user-static</name> 20442 <range><lt>2.4.50.g20151011</lt></range> 20443 </package> 20444 </affects> 20445 <description> 20446 <body xmlns="http://www.w3.org/1999/xhtml"> 20447 <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> 20448 <blockquote cite="http://www.openwall.com/lists/oss-security/2015/08/21/6"> 20449 <p>Qemu emulator built with the VNC display driver support is 20450 vulnerable to a buffer overflow flaw leading to a heap memory 20451 corruption issue. 
It could occur while refreshing the server 20452 display surface via routine vnc_refresh_server_surface().</p> 20453 <p>A privileged guest user could use this flaw to corrupt the heap 20454 memory and crash the Qemu process instance OR potentially use it 20455 to execute arbitrary code on the host.</p> 20456 </blockquote> 20457 </body> 20458 </description> 20459 <references> 20460 <cvename>CVE-2015-5225</cvename> 20461 <url>http://www.openwall.com/lists/oss-security/2015/08/21/6</url> 20462 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=efec4dcd2552e85ed57f276b58f09fc385727450</url> 20463 <url>https://github.com/seanbruno/qemu-bsd-user/commit/eb8934b0418b3b1d125edddc4fc334a54334a49b</url> 20464 </references> 20465 <dates> 20466 <discovery>2015-08-17</discovery> 20467 <entry>2016-01-01</entry> 20468 </dates> 20469 </vuln> 20470 20471 <vuln vid="21e5abe3-b0c6-11e5-8d13-bc5ff45d0f28"> 20472 <topic>qemu -- buffer overflow vulnerability in virtio-serial message exchanges</topic> 20473 <affects> 20474 <package> 20475 <name>qemu</name> 20476 <name>qemu-devel</name> 20477 <range><lt>2.4.0</lt></range> 20478 </package> 20479 <package> 20480 <name>qemu-sbruno</name> 20481 <name>qemu-user-static</name> 20482 <range><lt>2.4.50.g20150814</lt></range> 20483 </package> 20484 </affects> 20485 <description> 20486 <body xmlns="http://www.w3.org/1999/xhtml"> 20487 <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> 20488 <blockquote cite="http://www.openwall.com/lists/oss-security/2015/08/06/3"> 20489 <p>Qemu emulator built with the virtio-serial vmchannel support is 20490 vulnerable to a buffer overflow issue. 
It could occur while 20491 exchanging virtio control messages between guest and the host.</p> 20492 <p>A malicious guest could use this flaw to corrupt few bytes of Qemu 20493 memory area, potentially crashing the Qemu process.</p> 20494 </blockquote> 20495 </body> 20496 </description> 20497 <references> 20498 <cvename>CVE-2015-5745</cvename> 20499 <url>http://www.openwall.com/lists/oss-security/2015/08/06/5</url> 20500 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=7882080388be5088e72c425b02223c02e6cb4295</url> 20501 <url>https://github.com/seanbruno/qemu-bsd-user/commit/7882080388be5088e72c425b02223c02e6cb4295</url> 20502 </references> 20503 <dates> 20504 <discovery>2015-08-06</discovery> 20505 <entry>2016-01-01</entry> 20506 </dates> 20507 </vuln> 20508 20509 <vuln vid="a267cd6c-b0c4-11e5-8d13-bc5ff45d0f28"> 20510 <topic>qemu -- stack buffer overflow while parsing SCSI commands</topic> 20511 <affects> 20512 <package> 20513 <name>qemu</name> 20514 <name>qemu-devel</name> 20515 <range><lt>2.4.0</lt></range> 20516 </package> 20517 <package> 20518 <name>qemu-sbruno</name> 20519 <name>qemu-user-static</name> 20520 <range><lt>2.4.50.g20150814</lt></range> 20521 </package> 20522 </affects> 20523 <description> 20524 <body xmlns="http://www.w3.org/1999/xhtml"> 20525 <p>Prasad J Pandit, Red Hat Product Security Team, reports:</p> 20526 <blockquote cite="http://openwall.com/lists/oss-security/2015/07/23/6"> 20527 <p>Qemu emulator built with the SCSI device emulation support is 20528 vulnerable to a stack buffer overflow issue. 
It could occur while 20529 parsing SCSI command descriptor block with an invalid operation 20530 code.</p> 20531 <p>A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw 20532 to crash the Qemu instance resulting in DoS.</p> 20533 </blockquote> 20534 </body> 20535 </description> 20536 <references> 20537 <cvename>CVE-2015-5158</cvename> 20538 <url>http://openwall.com/lists/oss-security/2015/07/23/6</url> 20539 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=c170aad8b057223b1139d72e5ce7acceafab4fa9</url> 20540 <url>https://github.com/seanbruno/qemu-bsd-user/commit/c170aad8b057223b1139d72e5ce7acceafab4fa9</url> 20541 </references> 20542 <dates> 20543 <discovery>2015-07-23</discovery> 20544 <entry>2016-01-01</entry> 20545 </dates> 20546 </vuln> 20547 20548 <vuln vid="aea8d90e-b0c1-11e5-8d13-bc5ff45d0f28"> 20549 <topic>qemu -- code execution on host machine</topic> 20550 <affects> 20551 <package> 20552 <name>qemu</name> 20553 <name>qemu-devel</name> 20554 <range><lt>2.4.0</lt></range> 20555 </package> 20556 <package> 20557 <name>qemu-sbruno</name> 20558 <name>qemu-user-static</name> 20559 <range><lt>2.4.50.g20150814</lt></range> 20560 </package> 20561 </affects> 20562 <description> 20563 <body xmlns="http://www.w3.org/1999/xhtml"> 20564 <p>Petr Matousek of Red Hat Inc. reports:</p> 20565 <blockquote cite="http://openwall.com/lists/oss-security/2015/06/17/5"> 20566 <p>Due converting PIO to the new memory read/write api we no longer 20567 provide separate I/O region lenghts for read and write operations. 
20568 As a result, reading from PIT Mode/Command register will end with 20569 accessing pit->channels with invalid index and potentially cause 20570 memory corruption and/or minor information leak.</p> 20571 <p>A privileged guest user in a guest with QEMU PIT emulation enabled 20572 could potentially (tough unlikely) use this flaw to execute 20573 arbitrary code on the host with the privileges of the hosting QEMU 20574 process.</p> 20575 <p>Please note that by default QEMU/KVM guests use in-kernel (KVM) PIT 20576 emulation and are thus not vulnerable to this issue.</p> 20577 </blockquote> 20578 </body> 20579 </description> 20580 <references> 20581 <cvename>CVE-2015-3214</cvename> 20582 <url>http://openwall.com/lists/oss-security/2015/06/17/5</url> 20583 <url>http://git.qemu.org/?p=qemu.git;a=commit;h=d4862a87e31a51de9eb260f25c9e99a75efe3235</url> 20584 <url>https://github.com/seanbruno/qemu-bsd-user/commit/d4862a87e31a51de9eb260f25c9e99a75efe3235</url> 20585 </references> 20586 <dates> 20587 <discovery>2015-06-17</discovery> 20588 <entry>2016-01-01</entry> 20589 </dates> 20590 </vuln> 20591