1  <vuln vid="d0b12952-cb86-11e6-906f-0cc47a065786">
2    <topic>h2o -- Use-after-free vulnerability</topic>
3    <affects>
4      <package>
5	<name>h2o</name>
6	<range><lt>2.0.4_2</lt></range>
7      </package>
8    </affects>
9    <description>
10      <body xmlns="http://www.w3.org/1999/xhtml">
11	<p>Kazuho Oku reports:</p>
12	<blockquote cite="https://github.com/h2o/h2o/issues?q=label%3Avulnerability">
13	  <p>A use-after-free vulnerability exists in H2O up to and including
14	    version 2.0.4 / 2.1.0-beta3 that can be used by a remote attacker to
15	    mount DoS attacks and / or information theft.</p>
16	</blockquote>
17      </body>
18    </description>
19    <references>
20      <url>https://github.com/h2o/h2o/releases/tag/v2.0.5</url>
21      <url>https://github.com/h2o/h2o/issues/1144</url>
22    </references>
23    <dates>
24      <discovery>2016-09-09</discovery>
25      <entry>2016-12-29</entry>
26    </dates>
27  </vuln>
28
29  <vuln vid="1b61ecef-cdb9-11e6-a9a5-b499baebfeaf">
30    <topic>PHP -- multiple vulnerabilities</topic>
31    <affects>
32      <package>
33	<name>php70</name>
34	<range><lt>7.0.14</lt></range>
35      </package>
36    </affects>
37    <description>
38      <body xmlns="http://www.w3.org/1999/xhtml">
39	<p>Check Point reports:</p>
40	<blockquote cite="http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7/">
41	  <p>... discovered 3 fresh and previously unknown vulnerabilities
42	    (CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7
43	    unserialize mechanism.</p>
44	  <p>The first two vulnerabilities allow attackers to take full control
45	    over servers, allowing them to do anything they want with the
46	    website, from spreading malware to defacing it or stealing customer
47	    data.</p>
48	  <p>The last vulnerability generates a Denial of Service attack which
49	    basically hangs the website, exhausts its memory consumption, and
50	    shuts it down.</p>
51	  <p>The PHP security team issued fixes for two of the vulnerabilities
52	    on the 13th of October and 1st of December.</p>
53	</blockquote>
54      </body>
55    </description>
56    <references>
57      <url>http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7/</url>
58      <cvename>CVE-2016-7478</cvename>
59      <cvename>CVE-2016-7479</cvename>
60      <cvename>CVE-2016-7480</cvename>
61    </references>
62    <dates>
63      <discovery>2016-12-27</discovery>
64      <entry>2016-12-29</entry>
65      <modified>2017-01-04</modified>
66    </dates>
67  </vuln>
68
69  <vuln vid="6972668d-cdb7-11e6-a9a5-b499baebfeaf">
70    <topic>PHP -- multiple vulnerabilities</topic>
71    <affects>
72      <package>
73	<name>php70</name>
74	<range><lt>7.0.14</lt></range>
75      </package>
76    </affects>
77    <description>
78      <body xmlns="http://www.w3.org/1999/xhtml">
79	<p>The PHP project reports:</p>
80	<blockquote cite="http://php.net/ChangeLog-7.php#7.0.14">
81	  <ul>
82	    <li>Use After Free Vulnerability in unserialize() (CVE-2016-9936)</li>
83	    <li>Invalid read when wddx decodes empty boolean element
84	      (CVE-2016-9935)</li>
85	  </ul>
86	</blockquote>
87      </body>
88    </description>
89    <references>
90      <url>http://php.net/ChangeLog-7.php#7.0.14</url>
91      <cvename>CVE-2016-9935</cvename>
92      <cvename>CVE-2016-9936</cvename>
93    </references>
94    <dates>
95      <discovery>2016-12-08</discovery>
96      <entry>2016-12-29</entry>
97    </dates>
98  </vuln>
99
100  <vuln vid="3c4693de-ccf7-11e6-a9a5-b499baebfeaf">
101    <topic>phpmailer -- Remote Code Execution</topic>
102    <affects>
103      <package>
104	<name>phpmailer</name>
105	<range><lt>5.2.20</lt></range>
106      </package>
107      <package>
108	<name>tt-rss</name>
109	<range><lt>29.12.2016.04.37</lt></range>
110      </package>
111    </affects>
112    <description>
113      <body xmlns="http://www.w3.org/1999/xhtml">
114	<p>Legal Hackers reports:</p>
115	<blockquote cite="https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html">
116	  <p>Independent research uncovered a critical vulnerability in
117	    PHPMailer that could potentially be used by (unauthenticated)
118	    remote attackers to achieve remote arbitrary code execution in
119	    the context of the web server user and remotely compromise the
120	    target web application.</p>
121	  <p>To exploit the vulnerability an attacker could target common
122	    website components such as contact/feedback forms, registration
123	    forms, password email resets and others that send out emails with
124	    the help of a vulnerable version of the PHPMailer class.</p>
125	  <p>The first patch of the vulnerability CVE-2016-10033 was incomplete.
126	    This advisory demonstrates the bypass of the patch. The bypass makes
127	    it possible to carry out Remote Code Execution on all current versions
128	    (including 5.2.19).</p>
129	</blockquote>
130      </body>
131    </description>
132    <references>
133      <url>https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html</url>
134      <cvename>CVE-2016-10045</cvename>
135    </references>
136    <dates>
137      <discovery>2016-12-28</discovery>
138      <entry>2016-12-28</entry>
139    </dates>
140  </vuln>
141
142  <vuln vid="e4bc323f-cc73-11e6-b704-000c292e4fd8">
143    <topic>samba -- multiple vulnerabilities</topic>
144    <affects>
145      <package>
146	<name>samba36</name>
147	<range><ge>3.6.0</ge><le>3.6.25_4</le></range>
148      </package>
149      <package>
150	<name>samba4</name>
151	<range><ge>4.0.0</ge><le>4.0.26</le></range>
152      </package>
153      <package>
154	<name>samba41</name>
155	<range><ge>4.1.0</ge><le>4.1.23</le></range>
156      </package>
157      <package>
158	<name>samba42</name>
159	<range><ge>4.2.0</ge><le>4.2.14</le></range>
160      </package>
161      <package>
162	<name>samba43</name>
163	<range><ge>4.3.0</ge><lt>4.3.13</lt></range>
164      </package>
165      <package>
166	<name>samba44</name>
167	<range><ge>4.4.0</ge><lt>4.4.8</lt></range>
168      </package>
169      <package>
170	<name>samba45</name>
171	<range><ge>4.5.0</ge><lt>4.5.3</lt></range>
172      </package>
173    </affects>
174    <description>
175      <body xmlns="http://www.w3.org/1999/xhtml">
176	<p>Samba team reports:</p>
177	<blockquote cite="https://www.samba.org/samba/latest_news.html#4.5.3">
178	  <p>[CVE-2016-2123] Authenticated users can supply malicious dnsRecord attributes
179	  on DNS objects and trigger a controlled memory corruption.</p>
180	  <p>[CVE-2016-2125] Samba client code always requests a forwardable ticket
181	  when using Kerberos authentication. This means the target server, which must be in the current or trusted
182	  domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to
183	  fully impersonate the authenticated user or service.</p>
184	  <p>[CVE-2016-2126] A remote, authenticated, attacker can cause the winbindd process
185	  to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum.
186	  A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.</p>
187	</blockquote>
188      </body>
189    </description>
190    <references>
191      <cvename>CVE-2016-2123</cvename>
192      <url>https://www.samba.org/samba/security/CVE-2016-2123.html</url>
193      <cvename>CVE-2016-2125</cvename>
194      <url>https://www.samba.org/samba/security/CVE-2016-2125.html</url>
195      <cvename>CVE-2016-2126</cvename>
196      <url>https://www.samba.org/samba/security/CVE-2016-2126.html</url>
197    </references>
198    <dates>
199      <discovery>2016-12-19</discovery>
200      <entry>2016-12-26</entry>
201      <modified>2016-12-26</modified>
202    </dates>
203  </vuln>
204
205  <vuln vid="244c8288-cc4a-11e6-a475-bcaec524bf84">
206    <topic>upnp -- multiple vulnerabilities</topic>
207    <affects>
208      <package>
209	<name>upnp</name>
210	<range><lt>1.6.21</lt></range>
211      </package>
212    </affects>
213    <description>
214      <body xmlns="http://www.w3.org/1999/xhtml">
215	<p>Matthew Garrett reports:</p>
216	<blockquote cite="https://twitter.com/mjg59/status/755062278513319936">
217	  <p>Reported this to upstream 8 months ago without response,
218	    so: libupnp's default behaviour allows anyone to write to your
219	    filesystem. Seriously. Find a device running a libupnp based server
220	    (Shodan says there's rather a lot), and POST a file to /testfile.
221	    Then GET /testfile ... and yeah if the server is running as root
222	    (it is) and is using / as the web root (probably not, but maybe)
223	    this gives full host fs access.</p>
224	</blockquote>
225	<p>Scott Tenaglia reports:</p>
226	<blockquote cite="https://sourceforge.net/p/pupnp/bugs/133/">
227	  <p>There is a heap buffer overflow vulnerability in the
228	    create_url_list function in upnp/src/gena/gena_device.c.</p>
229	</blockquote>
230      </body>
231    </description>
232    <references>
233      <url>https://twitter.com/mjg59/status/755062278513319936</url>
234      <url>https://sourceforge.net/p/pupnp/bugs/133/</url>
235      <cvename>CVE-2016-6255</cvename>
236      <cvename>CVE-2016-8863</cvename>
237    </references>
238    <dates>
239      <discovery>2016-02-23</discovery>
240      <entry>2016-12-27</entry>
241    </dates>
242  </vuln>
243
244  <vuln vid="c7656d4c-cb60-11e6-a9a5-b499baebfeaf">
245    <topic>phpmailer -- Remote Code Execution</topic>
246    <affects>
247      <package>
248	<name>phpmailer</name>
249	<range><lt>5.2.18</lt></range>
250      </package>
251      <package>
252	<name>tt-rss</name>
253	<range><lt>26.12.2016.07.29</lt></range>
254      </package>
255    </affects>
256    <description>
257      <body xmlns="http://www.w3.org/1999/xhtml">
258	<p>Legal Hackers reports:</p>
259	<blockquote cite="http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html">
260	  <p>Independent research uncovered a critical vulnerability in
261	    PHPMailer that could potentially be used by (unauthenticated)
262	    remote attackers to achieve remote arbitrary code execution in
263	    the context of the web server user and remotely compromise the
264	    target web application.</p>
265	  <p>To exploit the vulnerability an attacker could target common
266	    website components such as contact/feedback forms, registration
267	    forms, password email resets and others that send out emails with
268	    the help of a vulnerable version of the PHPMailer class.</p>
269	</blockquote>
270      </body>
271    </description>
272    <references>
273      <url>http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html</url>
274      <url>https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md</url>
275      <cvename>CVE-2016-10033</cvename>
276    </references>
277    <dates>
278      <discovery>2016-12-26</discovery>
279      <entry>2016-12-26</entry>
280    </dates>
281  </vuln>
282
283  <vuln vid="e7002b26-caaa-11e6-a76a-9f7324e5534e">
284    <topic>exim -- DKIM private key leak</topic>
285    <affects>
286      <package>
287	<name>exim</name>
288	<range><gt>4.69</gt><lt>4.87.1</lt></range>
289      </package>
290    </affects>
291    <description>
292      <body xmlns="http://www.w3.org/1999/xhtml">
293	<p>The Exim project reports:</p>
294	<blockquote cite="https://exim.org/static/doc/CVE-2016-9963.txt">
295	  <p>Exim leaks the private DKIM signing key to the log files.
296	  Additionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used,
297	  the key material is included in the bounce message.</p>
298	</blockquote>
299      </body>
300    </description>
301    <references>
302      <url>https://exim.org/static/doc/CVE-2016-9963.txt</url>
303      <cvename>CVE-2016-9963</cvename>
304    </references>
305    <dates>
306      <discovery>2016-12-15</discovery>
307      <entry>2016-12-25</entry>
308    </dates>
309  </vuln>
310
311  <vuln vid="2aedd15f-ca8b-11e6-a9a5-b499baebfeaf">
312    <cancelled superseded="2c948527-d823-11e6-9171-14dae9d210b8"/>
313  </vuln>
314
315  <vuln vid="c40ca16c-4d9f-4d70-8b6c-4d53aeb8ead4">
316    <topic>cURL -- uninitialized random vulnerability</topic>
317    <affects>
318      <package>
319	<name>curl</name>
320	<range><ge>7.52.0</ge><lt>7.52.1</lt></range>
321      </package>
322    </affects>
323    <description>
324      <body xmlns="http://www.w3.org/1999/xhtml">
325	<p>Project curl Security Advisory:</p>
326	<blockquote cite="https://curl.haxx.se/docs/adv_20161223.html">
327	  <p>libcurl's (new) internal function that returns a good 32bit
328	    random value was implemented poorly and overwrote the pointer
329	    instead of writing the value into the buffer the pointer
330	    pointed to.</p>
331	  <p>This random value is used to generate nonces for Digest and
332	    NTLM authentication, for generating boundary strings in HTTP
333	    formposts and more. Having a weak or virtually non-existent
334	    random there makes these operations vulnerable.</p>
335	  <p>This function is brand new in 7.52.0 and is the result of an
336	    overhaul to make sure libcurl uses strong random as much as
337	    possible - provided by the backend TLS crypto libraries when
338	    present. The faulty function was introduced in this commit.</p>
339	  <p>We are not aware of any exploit of this flaw.</p>
340	</blockquote>
341      </body>
342    </description>
343    <references>
344      <url>https://curl.haxx.se/docs/adv_20161223.html</url>
345      <cvename>CVE-2016-9594</cvename>
346    </references>
347    <dates>
348      <discovery>2016-12-23</discovery>
349      <entry>2016-12-24</entry>
350    </dates>
351  </vuln>
352
353  <vuln vid="41f8af15-c8b9-11e6-ae1b-002590263bf5">
354    <topic>squid -- multiple vulnerabilities</topic>
355    <affects>
356      <package>
357	<name>squid</name>
358	<range><ge>3.1</ge><lt>3.5.23</lt></range>
359      </package>
360      <package>
361	<name>squid-devel</name>
362	<range><ge>4.0</ge><lt>4.0.17</lt></range>
363      </package>
364    </affects>
365    <description>
366      <body xmlns="http://www.w3.org/1999/xhtml">
367	<p>Squid security advisory 2016:10 reports:</p>
368	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_10.txt">
369	  <p>Due to incorrect comparison of request headers Squid can deliver
370	    responses containing private data to clients it should not have
371	    reached.</p>
372	  <p>This problem allows a remote attacker to discover private and
373	    sensitive information about another client's browsing session,
374	    potentially including credentials which allow access to further
375	    sensitive resources. This problem only affects Squid configured
376	    to use the Collapsed Forwarding feature. It is of particular
377	    importance for HTTPS reverse-proxy sites with Collapsed
378	    Forwarding.</p>
379	</blockquote>
380	<p>Squid security advisory 2016:11 reports:</p>
381	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_11.txt">
382	  <p>Due to incorrect HTTP conditional request handling Squid can
383	    deliver responses containing private data to clients it should not
384	    have reached.</p>
385	  <p>This problem allows a remote attacker to discover private and
386	    sensitive information about another client's browsing session,
387	    potentially including credentials which allow access to further
388	    sensitive resources.</p>
389	</blockquote>
390      </body>
391    </description>
392    <references>
393      <cvename>CVE-2016-10002</cvename>
394      <cvename>CVE-2016-10003</cvename>
395      <freebsdpr>ports/215416</freebsdpr>
396      <freebsdpr>ports/215418</freebsdpr>
397      <url>http://www.squid-cache.org/Advisories/SQUID-2016_10.txt</url>
398      <url>http://www.squid-cache.org/Advisories/SQUID-2016_11.txt</url>
399    </references>
400    <dates>
401      <discovery>2016-12-16</discovery>
402      <entry>2016-12-23</entry>
403    </dates>
404  </vuln>
405
406  <vuln vid="c11629d3-c8ad-11e6-ae1b-002590263bf5">
407    <topic>vim -- arbitrary command execution</topic>
408    <affects>
409      <package>
410	<name>vim</name>
411	<name>vim-console</name>
412	<name>vim-lite</name>
413	<range><lt>8.0.0056</lt></range>
414      </package>
415      <package>
416	<name>neovim</name>
417	<range><lt>0.1.7</lt></range>
418      </package>
419    </affects>
420    <description>
421      <body xmlns="http://www.w3.org/1999/xhtml">
422	<p>Mitre reports:</p>
423	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1248">
424	  <p>vim before patch 8.0.0056 does not properly validate values for the
425	    'filetype', 'syntax' and 'keymap' options, which may result in the
426	    execution of arbitrary code if a file with a specially crafted
427	    modeline is opened.</p>
428	</blockquote>
429      </body>
430    </description>
431    <references>
432      <cvename>CVE-2016-1248</cvename>
433      <bid>94478</bid>
434      <url>https://github.com/vim/vim/commit/d0b5138ba4bccff8a744c99836041ef6322ed39a</url>
435      <url>https://github.com/neovim/neovim/commit/4fad66fbe637818b6b3d6bc5d21923ba72795040</url>
436    </references>
437    <dates>
438      <discovery>2016-11-22</discovery>
439      <entry>2016-12-23</entry>
440    </dates>
441  </vuln>
442
443  <vuln vid="c290f093-c89e-11e6-821e-68f7288bdf41">
444    <topic>Pligg CMS -- XSS Vulnerability</topic>
445    <affects>
446      <package>
447	<name>pligg</name>
448	<range><le>2.0.2,1</le></range>
449      </package>
450    </affects>
451    <description>
452      <body xmlns="http://www.w3.org/1999/xhtml">
453	<p>Netsparker reports:</p>
454	<blockquote cite="https://www.netsparker.com/web-applications-advisories/ns-15-011-xss-vulnerability-identified-in-pligg-cms/">
455	  <p>Proof of Concept URL for XSS in Pligg CMS:</p>
456	  <p>Page: groups.php</p>
457	  <p>Parameter Name: keyword</p>
458	  <p>Parameter Type: GET</p>
459	  <p>Attack Pattern: http://example.com/pligg-cms-2.0.2/groups.php?view=search&amp;keyword='+alert(0x000D82)+'</p>
460	  <p>For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).</p>
461	</blockquote>
462      </body>
463    </description>
464    <references>
465      <url>https://www.netsparker.com/web-applications-advisories/ns-15-011-xss-vulnerability-identified-in-pligg-cms/</url>
466    </references>
467    <dates>
468      <discovery>2015-05-13</discovery>
469      <entry>2016-12-22</entry>
470    </dates>
471  </vuln>
472
473  <vuln vid="fcedcdbb-c86e-11e6-b1cf-14dae9d210b8">
474    <topic>FreeBSD -- Multiple vulnerabilities of ntp</topic>
475    <affects>
476      <package>
477	<name>FreeBSD</name>
478	<range><ge>11.0</ge><lt>11.0_6</lt></range>
479	<range><ge>10.3</ge><lt>10.3_15</lt></range>
480	<range><ge>10.2</ge><lt>10.2_28</lt></range>
481	<range><ge>10.1</ge><lt>10.1_45</lt></range>
482	<range><ge>9.3</ge><lt>9.3_53</lt></range>
483      </package>
484    </affects>
485    <description>
486      <body xmlns="http://www.w3.org/1999/xhtml">
487	<h1>Problem Description:</h1>
488	<p>Multiple vulnerabilities have been discovered in the NTP
489	suite:</p>
490	<p>CVE-2016-9311: Trap crash, Reported by Matthew Van Gundy
491	of Cisco ASIG.</p>
492	<p>CVE-2016-9310: Mode 6 unauthenticated trap information
493	disclosure and DDoS vector. Reported by Matthew Van Gundy
494	of Cisco ASIG.</p>
495	<p>CVE-2016-7427: Broadcast Mode Replay Prevention DoS.
496	Reported by Matthew Van Gundy of Cisco ASIG.</p>
497	<p>CVE-2016-7428: Broadcast Mode Poll Interval Enforcement
498	DoS. Reported by Matthew Van Gundy of Cisco ASIG.</p>
499	<p>CVE-2016-7431: Regression: 010-origin: Zero Origin
500	Timestamp Bypass. Reported by Sharon Goldberg and Aanchal
501	Malhotra of Boston University.</p>
502	<p>CVE-2016-7434: Null pointer dereference in
503	_IO_str_init_static_internal(). Reported by Magnus Stubman.</p>
504	<p>CVE-2016-7426: Client rate limiting and server responses.
505	Reported by Miroslav Lichvar of Red Hat.</p>
506	<p>CVE-2016-7433: Reboot sync calculation problem. Reported
507	independently by Brian Utterback of Oracle, and by Sharon
508	Goldberg and Aanchal Malhotra of Boston University.</p>
509	<h1>Impact:</h1>
510	<p>A remote attacker can send a specially crafted packet
511	to cause a NULL pointer dereference that will crash ntpd,
512	resulting in a Denial of Service. [CVE-2016-9311]</p>
513	<p>An exploitable configuration modification vulnerability
514	exists in the control mode (mode 6) functionality of ntpd.
515	If, against long-standing BCP recommendations, "restrict
516	default noquery ..." is not specified, a specially crafted
517	control mode packet from a remote attacker can set ntpd traps,
518	providing information disclosure and DDoS amplification, or
519	unset ntpd traps, disabling legitimate monitoring.
520	[CVE-2016-9310]</p>
521	<p>An attacker with access to the NTP broadcast domain can
522	periodically inject specially crafted broadcast mode NTP
523	packets into the broadcast domain which, while being logged
524	by ntpd, can cause ntpd to reject broadcast mode packets
525	from legitimate NTP broadcast servers. [CVE-2016-7427]</p>
526	<p>An attacker with access to the NTP broadcast domain can
527	send specially crafted broadcast mode NTP packets to the
528	broadcast domain which, while being logged by ntpd, will
529	cause ntpd to reject broadcast mode packets from legitimate
530	NTP broadcast servers. [CVE-2016-7428]</p>
531	<p>Origin timestamp problems were fixed in ntp 4.2.8p6.
532	However, subsequent timestamp validation checks introduced
533	a regression in the handling of some Zero origin timestamp
534	checks. [CVE-2016-7431]</p>
535	<p>If ntpd is configured to allow mrulist query requests
536	from a server that sends a crafted malicious packet, ntpd
537	will crash on receipt of that crafted malicious mrulist
538	query packet. [CVE-2016-7434]</p>
539	<p>An attacker who knows the sources (e.g., from an IPv4
540	refid in a server response) and knows that the system is
541	(mis)configured so that rate limiting applies to those sources
542	can periodically send packets with spoofed source addresses to
543	keep the rate limiting activated and prevent ntpd from
544	accepting valid responses from its sources. [CVE-2016-7426]</p>
545	<p>Ntp Bug 2085 described a condition where the root delay
546	was included twice, causing the jitter value to be higher
547	than expected. Due to a misinterpretation of a small-print
548	variable in The Book, the fix for this problem was incorrect,
549	resulting in a root distance that did not include the peer
550	dispersion. The calculations and formulas have been reviewed
551	and reconciled, and the code has been updated accordingly.
552	[CVE-2016-7433]</p>
553      </body>
554    </description>
555    <references>
556      <cvename>CVE-2016-7426</cvename>
557      <cvename>CVE-2016-7427</cvename>
558      <cvename>CVE-2016-7428</cvename>
559      <cvename>CVE-2016-7431</cvename>
560      <cvename>CVE-2016-7433</cvename>
561      <cvename>CVE-2016-7434</cvename>
562      <cvename>CVE-2016-9310</cvename>
563      <cvename>CVE-2016-9311</cvename>
564      <freebsdsa>SA-16:39.ntp</freebsdsa>
565    </references>
566    <dates>
567      <discovery>2016-12-22</discovery>
568      <entry>2016-12-22</entry>
569    </dates>
570  </vuln>
571
572  <vuln vid="42880202-c81c-11e6-a9a5-b499baebfeaf">
573    <topic>cURL -- buffer overflow</topic>
574    <affects>
575      <package>
576	<name>curl</name>
577	<range><ge>7.1</ge><lt>7.52</lt></range>
578      </package>
579    </affects>
580    <description>
581      <body xmlns="http://www.w3.org/1999/xhtml">
582	<p>The cURL project reports:</p>
583	<blockquote cite="https://curl.haxx.se/docs/vuln-7.51.0.html">
584	  <h2>printf floating point buffer overflow</h2>
585	  <p>libcurl's implementation of the printf() functions triggers a
586	    buffer overflow when doing a large floating point output. The bug
587	    occurs when the conversion outputs more than 255 bytes.</p>
588	</blockquote>
589      </body>
590    </description>
591    <references>
592      <url>https://curl.haxx.se/docs/vuln-7.51.0.html</url>
593      <cvename>CVE-2016-9586</cvename>
594    </references>
595    <dates>
596      <discovery>2016-12-21</discovery>
597      <entry>2016-12-22</entry>
598    </dates>
599  </vuln>
600
601  <vuln vid="624b45c0-c7f3-11e6-ae1b-002590263bf5">
602    <topic>Joomla! -- multiple vulnerabilities</topic>
603    <affects>
604      <package>
605	<name>joomla3</name>
606	<range><ge>1.6.0</ge><lt>3.6.5</lt></range>
607      </package>
608    </affects>
609    <description>
610      <body xmlns="http://www.w3.org/1999/xhtml">
611	<p>The JSST and the Joomla! Security Center report:</p>
612	<blockquote cite="https://developer.joomla.org/security-centre/664-20161201-core-elevated-privileges.html">
613	  <h2>[20161201] - Core - Elevated Privileges</h2>
614	  <p>Incorrect use of unfiltered data stored to the session on a form
615	    validation failure allows for existing user accounts to be modified,
616	    including resetting their username, password, and user group
617	    assignments.</p>
618	</blockquote>
619	<blockquote cite="https://developer.joomla.org/security-centre/665-20161202-core-shell-upload.html">
620	  <h2>[20161202] - Core - Shell Upload</h2>
621	  <p>Inadequate filesystem checks allowed files with alternative PHP
622	    file extensions to be uploaded.</p>
623	</blockquote>
624	<blockquote cite="https://developer.joomla.org/security-centre/666-20161203-core-information-disclosure.html">
625	  <h2>[20161203] - Core - Information Disclosure</h2>
626	  <p>Inadequate ACL checks in the Beez3 com_content article layout
627	    override enables a user to view restricted content.</p>
628	</blockquote>
629      </body>
630    </description>
631    <references>
632      <cvename>CVE-2016-9836</cvename>
633      <cvename>CVE-2016-9837</cvename>
634      <cvename>CVE-2016-9838</cvename>
635      <url>https://developer.joomla.org/security-centre/664-20161201-core-elevated-privileges.html</url>
636      <url>https://developer.joomla.org/security-centre/665-20161202-core-shell-upload.html</url>
637      <url>https://developer.joomla.org/security-centre/666-20161203-core-information-disclosure.html</url>
638      <url>https://www.joomla.org/announcements/release-news/5693-joomla-3-6-5-released.html</url>
639    </references>
640    <dates>
641      <discovery>2016-12-06</discovery>
642      <entry>2016-12-22</entry>
643    </dates>
644  </vuln>
645
646  <vuln vid="a27d234a-c7f2-11e6-ae1b-002590263bf5">
647    <topic>Joomla! -- multiple vulnerabilities</topic>
648    <affects>
649      <package>
650	<name>joomla3</name>
651	<range><ge>3.4.4</ge><lt>3.6.4</lt></range>
652      </package>
653    </affects>
654    <description>
655      <body xmlns="http://www.w3.org/1999/xhtml">
656	<p>The JSST and the Joomla! Security Center report:</p>
657	<blockquote cite="https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html">
658	  <h2>[20161001] - Core - Account Creation</h2>
659	  <p>Inadequate checks allow users to register on a site when
660	    registration has been disabled.</p>
661	</blockquote>
662	<blockquote cite="https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html">
663	  <h2>[20161002] - Core - Elevated Privilege</h2>
664	  <p>Incorrect use of unfiltered data allows for users to register on a
665	    site with elevated privileges.</p>
666	</blockquote>
667	<blockquote cite="https://developer.joomla.org/security-centre/661-20161003-core-account-modifications.html">
668	  <h2>[20161003] - Core - Account Modifications</h2>
669	  <p>Incorrect use of unfiltered data allows for existing user accounts
670	    to be modified, including resetting their username, password, and
671	    user group assignments.</p>
672	</blockquote>
673      </body>
674    </description>
675    <references>
676      <cvename>CVE-2016-8869</cvename>
677      <cvename>CVE-2016-8870</cvename>
678      <cvename>CVE-2016-9081</cvename>
679      <url>https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html</url>
680      <url>https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html</url>
681      <url>https://developer.joomla.org/security-centre/661-20161003-core-account-modifications.html</url>
682      <url>https://www.joomla.org/announcements/release-news/5678-joomla-3-6-4-released.html</url>
683    </references>
684    <dates>
685      <discovery>2016-10-25</discovery>
686      <entry>2016-12-22</entry>
687    </dates>
688  </vuln>
689
690  <vuln vid="f0806cad-c7f1-11e6-ae1b-002590263bf5">
691    <topic>Joomla! -- multiple vulnerabilities</topic>
692    <affects>
693      <package>
694	<name>joomla3</name>
695	<range><ge>1.6.0</ge><lt>3.6.1</lt></range>
696      </package>
697    </affects>
698    <description>
699      <body xmlns="http://www.w3.org/1999/xhtml">
700	<p>The JSST and the Joomla! Security Center report:</p>
701	<blockquote cite="https://developer.joomla.org/security-centre/652-20160801-core-core-acl-violations.html">
702	  <h2>[20160801] - Core - ACL Violation</h2>
703	  <p>Inadequate ACL checks in com_content provide potential read access
704	    to data which should be access restricted to users with edit_own
705	    level.</p>
706	</blockquote>
707	<blockquote cite="https://developer.joomla.org/security-centre/653-20160802-core-xss-vulnerability.html">
708	  <h2>[20160802] - Core - XSS Vulnerability</h2>
709	  <p>Inadequate escaping leads to an XSS vulnerability in the mail
710	    component.</p>
711	</blockquote>
712	<blockquote cite="https://developer.joomla.org/security-centre/654-20160803-core-csrf.html">
713	  <h2>[20160803] - Core - CSRF</h2>
714	  <p>Add additional CSRF hardening in com_joomlaupdate.</p>
715	</blockquote>
716      </body>
717    </description>
718    <references>
719      <url>https://developer.joomla.org/security-centre/652-20160801-core-core-acl-violations.html</url>
720      <url>https://developer.joomla.org/security-centre/653-20160802-core-xss-vulnerability.html</url>
721      <url>https://developer.joomla.org/security-centre/654-20160803-core-csrf.html</url>
722      <url>https://www.joomla.org/announcements/release-news/5665-joomla-3-6-1-released.html</url>
723    </references>
724    <dates>
725      <discovery>2016-08-03</discovery>
726      <entry>2016-12-22</entry>
727    </dates>
728  </vuln>
729
730  <vuln vid="c0ef061a-c7f0-11e6-ae1b-002590263bf5">
731    <topic>Joomla! -- multiple vulnerabilities</topic>
732    <affects>
733      <package>
734	<name>joomla3</name>
735	<range><ge>1.5.0</ge><lt>3.4.7</lt></range>
736      </package>
737    </affects>
738    <description>
739      <body xmlns="http://www.w3.org/1999/xhtml">
740	<p>The JSST and the Joomla! Security Center report:</p>
741	<blockquote cite="https://developer.joomla.org/security-centre/639-20151206-core-session-hardening.html">
742	  <h2>[20151206] - Core - Session Hardening</h2>
743	  <p>The Joomla Security Strike team has been following up on the
744	    critical security vulnerability patched last week. Since the recent
745	    update it has become clear that the root cause is a bug in PHP
746	    itself. This was fixed by PHP in September of 2015 with the releases
747	    of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all
748	    versions of PHP 7 and has been back-ported in some specific Linux
749	    LTS versions of PHP 5.3). This fixes the bug across all supported
750	    PHP versions.</p>
751	</blockquote>
752	<blockquote cite="https://developer.joomla.org/security-centre/640-20151207-core-sql-injection.html">
753	  <h2>[20151207] - Core - SQL Injection</h2>
754	  <p>Inadequate filtering of request data leads to a SQL Injection
755	    vulnerability.</p>
756	</blockquote>
757      </body>
758    </description>
759    <references>
760      <url>https://developer.joomla.org/security-centre/639-20151206-core-session-hardening.html</url>
761      <url>https://developer.joomla.org/security-centre/640-20151207-core-sql-injection.html</url>
762      <url>https://www.joomla.org/announcements/release-news/5643-joomla-3-4-7.html</url>
763    </references>
764    <dates>
765      <discovery>2015-12-21</discovery>
766      <entry>2016-12-22</entry>
767    </dates>
768  </vuln>
769
770  <vuln vid="3ae078ca-c7eb-11e6-ae1b-002590263bf5">
771    <topic>xen-kernel -- x86 PV guests may be able to mask interrupts</topic>
772    <affects>
773      <package>
774	<name>xen-kernel</name>
775	<range><lt>4.7.1_3</lt></range>
776      </package>
777    </affects>
778    <description>
779      <body xmlns="http://www.w3.org/1999/xhtml">
780	<p>The Xen Project reports:</p>
781	<blockquote cite="https://xenbits.xen.org/xsa/advisory-202.html">
782	  <p>Certain PV guest kernel operations (page table writes in
783	    particular) need emulation, and use Xen's general x86 instruction
784	    emulator. This allows a malicious guest kernel which asynchronously
785	    modifies its instruction stream to effect the clearing of EFLAGS.IF
786	    from the state used to return to guest context.</p>
787	  <p>A malicious guest kernel administrator can cause a host hang or
788	    crash, resulting in a Denial of Service.</p>
789	</blockquote>
790      </body>
791    </description>
792    <references>
793      <cvename>CVE-2016-10024</cvename>
794      <url>https://xenbits.xen.org/xsa/advisory-202.html</url>
795    </references>
796    <dates>
797      <discovery>2016-12-21</discovery>
798      <entry>2016-12-22</entry>
799    </dates>
800  </vuln>
801
802  <vuln vid="862d6ab3-c75e-11e6-9f98-20cf30e32f6d">
803    <topic>Apache httpd -- several vulnerabilities</topic>
804    <affects>
805      <package>
806	<name>apache24</name>
807	<range><lt>2.4.25</lt></range>
808      </package>
809    </affects>
810    <description>
811      <body xmlns="http://www.w3.org/1999/xhtml">
812	<p>Apache Software Foundation reports:</p>
813	<blockquote cite="http://httpd.apache.org/security/vulnerabilities_24.html">
814	  <p>Please reference CVE/URL list for details</p>
815	</blockquote>
816      </body>
817    </description>
818    <references>
819      <url>http://httpd.apache.org/security/vulnerabilities_24.html</url>
820      <cvename>CVE-2016-8743</cvename>
821      <cvename>CVE-2016-2161</cvename>
822      <cvename>CVE-2016-0736</cvename>
823      <cvename>CVE-2016-8740</cvename>
824      <cvename>CVE-2016-5387</cvename>
825    </references>
826    <dates>
827      <discovery>2016-12-20</discovery>
828      <entry>2016-12-21</entry>
829      <modified>2016-12-22</modified>
830    </dates>
831  </vuln>
832
833  <vuln vid="942433db-c661-11e6-ae1b-002590263bf5">
834    <topic>xen-kernel -- x86: Mishandling of SYSCALL singlestep during emulation</topic>
835    <affects>
836      <package>
837	<name>xen-kernel</name>
838	<range><lt>4.7.1_2</lt></range>
839      </package>
840    </affects>
841    <description>
842      <body xmlns="http://www.w3.org/1999/xhtml">
843	<p>The Xen Project reports:</p>
844	<blockquote cite="http://xenbits.xen.org/xsa/advisory-204.html">
845	  <p>The typical behaviour of singlestepping exceptions is determined at
846	    the start of the instruction, with a #DB trap being raised at the
847	    end of the instruction. SYSCALL (and SYSRET, although we don't
848	    implement it) behave differently because the typical behaviour
849	    allows userspace to escalate its privilege. (This difference in
850	    behaviour seems to be undocumented.) Xen wrongly raised the
851	    exception based on the flags at the start of the instruction.</p>
852	  <p>Guest userspace which can invoke the instruction emulator can use
853	    this flaw to escalate its privilege to that of the guest kernel.</p>
854	</blockquote>
855      </body>
856    </description>
857    <references>
858      <cvename>CVE-2016-10013</cvename>
859      <url>http://xenbits.xen.org/xsa/advisory-204.html</url>
860    </references>
861    <dates>
862      <discovery>2016-12-19</discovery>
863      <entry>2016-12-20</entry>
864    </dates>
865  </vuln>
866
867  <vuln vid="e47ab5db-c333-11e6-ae1b-002590263bf5">
868    <topic>atheme-services -- multiple vulnerabilities</topic>
869    <affects>
870      <package>
871	<name>atheme-services</name>
872	<range><lt>7.2.7</lt></range>
873      </package>
874    </affects>
875    <description>
876      <body xmlns="http://www.w3.org/1999/xhtml">
877	<p>Mitre reports:</p>
878	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9773">
879	  <p>modules/chanserv/flags.c in Atheme before 7.2.7 allows remote
880	    attackers to modify the Anope FLAGS behavior by registering and
881	    dropping the (1) LIST, (2) CLEAR, or (3) MODIFY keyword nicks.</p>
882	</blockquote>
883	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4478">
884	  <p>Buffer overflow in the xmlrpc_char_encode function in
885	    modules/transport/xmlrpc/xmlrpclib.c in Atheme before 7.2.7 allows
886	    remote attackers to cause a denial of service via vectors related
887	    to XMLRPC response encoding.</p>
888	</blockquote>
889      </body>
890    </description>
891    <references>
892      <freebsdpr>ports/209217</freebsdpr>
893      <cvename>CVE-2014-9773</cvename>
894      <cvename>CVE-2016-4478</cvename>
895      <url>https://github.com/atheme/atheme/commit/87580d767868360d2fed503980129504da84b63e</url>
896      <url>https://github.com/atheme/atheme/commit/c597156adc60a45b5f827793cd420945f47bc03b</url>
897    </references>
898    <dates>
899      <discovery>2016-01-09</discovery>
900      <entry>2016-12-16</entry>
901    </dates>
902  </vuln>
903
904  <vuln vid="512c0ffd-cd39-4da4-b2dc-81ff4ba8e238">
905    <topic>mozilla -- multiple vulnerabilities</topic>
906    <affects>
907      <package>
908	<name>firefox</name>
909	<range><lt>50.1.0_1,1</lt></range>
910      </package>
911      <package>
912	<name>seamonkey</name>
913	<name>linux-seamonkey</name>
914	<range><lt>2.47</lt></range>
915      </package>
916      <package>
917	<name>firefox-esr</name>
918	<range><lt>45.6.0,1</lt></range>
919      </package>
920      <package>
921	<name>linux-firefox</name>
922	<range><lt>45.6.0,2</lt></range>
923      </package>
924      <package>
925	<name>libxul</name>
926	<name>thunderbird</name>
927	<name>linux-thunderbird</name>
928	<range><lt>45.6.0</lt></range>
929      </package>
930    </affects>
931    <description>
932      <body xmlns="http://www.w3.org/1999/xhtml">
933	<p>Mozilla Foundation reports:</p>
934	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/">
935	<p>CVE-2016-9894: Buffer overflow in SkiaGL</p>
936	<p>CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements</p>
937	<p>CVE-2016-9895: CSP bypass using marquee tag</p>
938	<p>CVE-2016-9896: Use-after-free with WebVR</p>
939	<p>CVE-2016-9897: Memory corruption in libGLES</p>
940	<p>CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees</p>
941	<p>CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs</p>
942	<p>CVE-2016-9904: Cross-origin information leak in shared atoms</p>
943	<p>CVE-2016-9901: Data from Pocket server improperly sanitized before execution</p>
944	<p>CVE-2016-9902: Pocket extension does not validate the origin of events</p>
945	<p>CVE-2016-9903: XSS injection vulnerability in add-ons SDK</p>
946	<p>CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1</p>
947	<p>CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6</p>
948	</blockquote>
949      </body>
950    </description>
951    <references>
952      <cvename>CVE-2016-9894</cvename>
953      <cvename>CVE-2016-9899</cvename>
954      <cvename>CVE-2016-9895</cvename>
955      <cvename>CVE-2016-9896</cvename>
956      <cvename>CVE-2016-9897</cvename>
957      <cvename>CVE-2016-9898</cvename>
958      <cvename>CVE-2016-9900</cvename>
959      <cvename>CVE-2016-9904</cvename>
960      <cvename>CVE-2016-9901</cvename>
961      <cvename>CVE-2016-9902</cvename>
962      <cvename>CVE-2016-9903</cvename>
963      <cvename>CVE-2016-9080</cvename>
964      <cvename>CVE-2016-9893</cvename>
965      <url>https://www.mozilla.org/security/advisories/mfsa2016-94/</url>
966      <url>https://www.mozilla.org/security/advisories/mfsa2016-95/</url>
967    </references>
968    <dates>
969      <discovery>2016-12-13</discovery>
970      <entry>2016-12-14</entry>
971    </dates>
972  </vuln>
973
974  <vuln vid="54e50cd9-c1a8-11e6-ae1b-002590263bf5">
975    <topic>wordpress -- multiple vulnerabilities</topic>
976    <affects>
977      <package>
978	<name>wordpress</name>
979	<range><lt>4.6.1,1</lt></range>
980      </package>
981      <package>
982	<name>de-wordpress</name>
983	<name>ja-wordpress</name>
984	<name>ru-wordpress</name>
985	<name>zh-wordpress-zh_CN</name>
986	<name>zh-wordpress-zh_TW</name>
987	<range><lt>4.6.1</lt></range>
988      </package>
989    </affects>
990    <description>
991      <body xmlns="http://www.w3.org/1999/xhtml">
992	<p>Jeremy Felt reports:</p>
993	<blockquote cite="https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/">
994	  <p>WordPress versions 4.6 and earlier are affected by two security
995	    issues: a cross-site scripting vulnerability via image filename,
996	    reported by SumOfPwn researcher Cengiz Han Sahin; and a path
997	    traversal vulnerability in the upgrade package uploader, reported
998	    by Dominik Schilling from the WordPress security team.</p>
999	</blockquote>
1000      </body>
1001    </description>
1002    <references>
1003      <url>https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/</url>
1004    </references>
1005    <dates>
1006      <discovery>2016-09-07</discovery>
1007      <entry>2016-12-14</entry>
1008    </dates>
1009  </vuln>
1010
1011  <vuln vid="80a897a2-c1a6-11e6-ae1b-002590263bf5">
1012    <topic>xen-kernel -- x86 CMPXCHG8B emulation fails to ignore operand size override</topic>
1013    <affects>
1014      <package>
1015	<name>xen-kernel</name>
1016	<range><lt>4.7.1_1</lt></range>
1017      </package>
1018    </affects>
1019    <description>
1020      <body xmlns="http://www.w3.org/1999/xhtml">
1021	<p>The Xen Project reports:</p>
1022	<blockquote cite="http://xenbits.xen.org/xsa/advisory-200.html">
1023	  <p>The x86 instruction CMPXCHG8B is supposed to ignore legacy operand
1024	    size overrides; it only honors the REX.W override (making it
1025	    CMPXCHG16B). So, the operand size is always 8 or 16. When support
1026	    for CMPXCHG16B emulation was added to the instruction emulator,
1027	    this restriction on the set of possible operand sizes was relied on
1028	    in some parts of the emulation; but a wrong, fully general, operand
1029	    size value was used for other parts of the emulation. As a result,
1030	    if a guest uses a supposedly-ignored operand size prefix, a small
1031	    amount of hypervisor stack data is leaked to the guests: a 96 bit
1032	    leak to guests running in 64-bit mode; or, a 32 bit leak to other
1033	    guests.</p>
1034	  <p>A malicious unprivileged guest may be able to obtain sensitive
1035	    information from the host.</p>
1036	</blockquote>
1037      </body>
1038    </description>
1039    <references>
1040      <cvename>CVE-2016-9932</cvename>
1041      <url>http://xenbits.xen.org/xsa/advisory-200.html</url>
1042    </references>
1043    <dates>
1044      <discovery>2016-12-13</discovery>
1045      <entry>2016-12-14</entry>
1046    </dates>
1047  </vuln>
1048
1049  <vuln vid="2d56308b-c0a8-11e6-a9a5-b499baebfeaf">
1050    <topic>PHP -- Multiple vulnerabilities</topic>
1051    <affects>
1052      <package>
1053	<name>php56</name>
1054	<range><lt>5.6.29</lt></range>
1055      </package>
1056      <package>
1057	<name>php70</name>
1058	<range><lt>7.0.14</lt></range>
1059      </package>
1060    </affects>
1061    <description>
1062      <body xmlns="http://www.w3.org/1999/xhtml">
1063	<p>The PHP project reports:</p>
1064	<blockquote cite="http://php.net/archive/2016.php#id2016-12-08-1">
1065	  <p>This is a security release. Several security bugs were fixed in
1066	    this release.</p>
1067	</blockquote>
1068      </body>
1069    </description>
1070    <references>
1071      <url>http://php.net/archive/2016.php#id2016-12-08-1</url>
1072      <url>http://php.net/archive/2016.php#id2016-12-08-2</url>
1073    </references>
1074    <dates>
1075      <discovery>2016-12-12</discovery>
1076      <entry>2016-12-12</entry>
1077    </dates>
1078  </vuln>
1079
1080  <vuln vid="c0b13887-be44-11e6-b04f-001999f8d30b">
1081    <topic>asterisk -- Authentication Bypass</topic>
1082    <affects>
1083      <package>
1084	<name>asterisk11</name>
1085	<range><lt>11.25.1</lt></range>
1086      </package>
1087      <package>
1088	<name>asterisk13</name>
1089	<range><lt>13.13.1</lt></range>
1090      </package>
1091    </affects>
1092    <description>
1093      <body xmlns="http://www.w3.org/1999/xhtml">
1094	<p>The Asterisk project reports:</p>
1095	<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
1096	  <p>The chan_sip channel driver has a liberal definition
1097	  for whitespace when attempting to strip the content between
1098	  a SIP header name and a colon character. Rather than
1099	  following RFC 3261 and stripping only spaces and horizontal
1100	  tabs, Asterisk treats any non-printable ASCII character
1101	  as if it were whitespace.</p>
1102	  <p>This mostly does not pose a problem until Asterisk is
1103	  placed in tandem with an authenticating SIP proxy. In
1104	  such a case, a crafty combination of valid and invalid
1105	  To headers can cause a proxy to allow an INVITE request
1106	  into Asterisk without authentication since it believes
1107	  the request is an in-dialog request. However, because of
1108	  the bug described above, the request will look like an
1109	  out-of-dialog request to Asterisk. Asterisk will then
1110	  process the request as a new call. The result is that
1111	  Asterisk can process calls from unvetted sources without
1112	  any authentication.</p>
1113	  <p>If you do not use a proxy for authentication, then
1114	  this issue does not affect you.</p>
1115	  <p>If your proxy is dialog-aware (meaning that the proxy
1116	  keeps track of what dialogs are currently valid), then
1117	  this issue does not affect you.</p>
1118	  <p>If you use chan_pjsip instead of chan_sip, then this
1119	  issue does not affect you.</p>
1120	</blockquote>
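<p>Added illustration, not part of the Asterisk advisory or of Asterisk's own code: the two header-name readers below model, in Python, the RFC 3261 rule (only SP and HTAB may sit between a header name and its colon) next to the liberal rule the advisory describes (any non-printable ASCII byte treated as whitespace), and show how one constructed INVITE carrying a malformed To line ahead of a tagged To line is classified as in-dialog by the strict reader and as out-of-dialog by the liberal one. The message, the token pattern, the helper names and the particular header arrangement are assumptions made for the demonstration, not a reproduction of the reported exploit.</p>

```python
import re

# RFC 3261 header syntax, simplified: the header name is a token, optionally
# followed by linear whitespace (SP / HTAB only), then a colon.  Only the
# reading of the name before the colon matters for this demonstration.
_TOKEN_COLON = re.compile(r"^([A-Za-z0-9\-.!%*_+'~]+)[ \t]*:(.*)$")


def header_name_strict(line):
    """Header name per RFC 3261, or None when the line is malformed."""
    m = _TOKEN_COLON.match(line)
    return m.group(1) if m else None


def header_name_liberal(line):
    """Header name as the advisory describes pre-fix chan_sip reading it:
    every non-printable ASCII byte before the colon counts as whitespace."""
    name, sep, _ = line.partition(":")
    if not sep:
        return None
    cleaned = "".join(c for c in name if ord(c) > 0x20 and ord(c) != 0x7f)
    return cleaned if _TOKEN_COLON.match(cleaned + ":") else None


def first_header(message, wanted, name_of):
    """Value of the first header in `message` whose name, as read by
    `name_of`, equals `wanted` (case-insensitive); None if absent."""
    for line in message.split("\r\n")[1:]:
        if line == "":
            break
        name = name_of(line)
        if name is not None and name.lower() == wanted.lower():
            return line.partition(":")[2].strip()
    return None


def looks_in_dialog(message, name_of):
    """RFC 3261 section 12.2: a request whose To header carries a tag is
    treated as belonging to an existing dialog."""
    to = first_header(message, "To", name_of)
    return to is not None and ";tag=" in to.lower()


# Constructed request (assumption for the demonstration): a malformed To
# line, whose name is followed by a control byte, ahead of a well-formed,
# tagged To line.
CRAFTED_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP proxy.example.com;branch=z9hG4bK776\r\n"
    "To\x01: sip:bob@example.com\r\n"
    "To: sip:bob@example.com;tag=1928301774\r\n"
    "From: sip:alice@example.com;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710@alice.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "\r\n"
)


def parsers_disagree(message=CRAFTED_INVITE):
    """True when a strict proxy and a liberal endpoint classify the same
    request differently, which is the gap the advisory describes."""
    strict = looks_in_dialog(message, header_name_strict)
    liberal = looks_in_dialog(message, header_name_liberal)
    return strict != liberal
```

<p>The strict reader drops the control-byte line as malformed and uses the tagged To, so a proxy applying it passes the INVITE as in-dialog; the liberal reader accepts the control-byte line as a To header without a tag and sees a new call. Removing the malformed line makes both readers agree.</p>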
1121      </body>
1122    </description>
1123    <references>
1124      <url>http://downloads.digium.com/pub/security/ASTERISK-2016-009.html</url>
1125    </references>
1126    <dates>
1127      <discovery>2016-11-28</discovery>
1128      <entry>2016-12-09</entry>
1129    </dates>
1130  </vuln>
1131
1132  <vuln vid="9e6640fe-be3a-11e6-b04f-001999f8d30b">
1133    <topic>asterisk -- Crash on SDP offer or answer from endpoint using Opus</topic>
1134    <affects>
1135      <package>
1136	<name>asterisk13</name>
1137	<range><ge>13.12.0</ge><lt>13.13.1</lt></range>
1138      </package>
1139    </affects>
1140    <description>
1141      <body xmlns="http://www.w3.org/1999/xhtml">
1142	<p>The Asterisk project reports:</p>
1143	<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
1144	  <p>If an SDP offer or answer is received with the Opus
1145	  codec and with the format parameters separated using a
1146	  space the code responsible for parsing will recursively
1147	  call itself until it crashes. This occurs as the code
1148	  does not properly handle spaces separating the parameters.
1149	  This does NOT require the endpoint to have Opus configured
1150	  in Asterisk. This also does not require the endpoint to
1151	  be authenticated. If guest is enabled for chan_sip or
1152	  anonymous in chan_pjsip an SDP offer or answer is still
1153	  processed and the crash occurs.</p>
1154	</blockquote>
1155      </body>
1156    </description>
1157    <references>
1158      <url>http://downloads.asterisk.org/pub/security/AST-2016-008.html</url>
1159    </references>
1160    <dates>
1161      <discovery>2016-11-11</discovery>
1162      <entry>2016-12-09</entry>
1163    </dates>
1164  </vuln>
1165
1166  <vuln vid="eab68cff-bc0c-11e6-b2ca-001b3856973b">
1167    <topic>cryptopp -- multiple vulnerabilities</topic>
1168    <affects>
1169      <package>
1170	<name>cryptopp</name>
1171	<range><lt>5.6.5</lt></range>
1172      </package>
1173    </affects>
1174    <description>
1175      <body xmlns="http://www.w3.org/1999/xhtml">
1176	<p>Multiple sources report:</p>
1177	<blockquote cite="https://eprint.iacr.org/2015/368">
1178	  <p>CVE-2015-2141: The InvertibleRWFunction::CalculateInverse function
1179	    in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key
1180	    operations for the Rabin-Williams digital signature algorithm, which
1181	    allows remote attackers to obtain private keys via a timing attack.
1182	    Fixed in 5.6.3.</p>
1183	</blockquote>
1184	<blockquote cite="https://github.com/weidai11/cryptopp/issues/146">
1185	  <p>CVE-2016-3995: Incorrect implementation of Rijndael timing attack
1186	    countermeasure. Fixed in 5.6.4.</p>
1187	</blockquote>
1188	<blockquote cite="https://github.com/weidai11/cryptopp/issues/277">
1189	  <p>CVE-2016-7420: Library built without -DNDEBUG could egress sensitive
1190	    information to the filesystem via a core dump if an assert was triggered.
1191	    Fixed in 5.6.5.</p>
1192	</blockquote>
1193      </body>
1194    </description>
1195    <references>
1196      <url>https://eprint.iacr.org/2015/368</url>
1197      <url>https://github.com/weidai11/cryptopp/issues/146</url>
1198      <url>https://github.com/weidai11/cryptopp/issues/277</url>
1199      <cvename>CVE-2015-2141</cvename>
1200      <cvename>CVE-2016-3995</cvename>
1201      <cvename>CVE-2016-7420</cvename>
1202    </references>
1203    <dates>
1204      <discovery>2015-02-27</discovery>
1205      <entry>2016-12-06</entry>
1206    </dates>
1207  </vuln>
1208
1209  <vuln vid="e722e3c6-bbee-11e6-b1cf-14dae9d210b8">
1210    <topic>FreeBSD -- bhyve(8) virtual machine escape</topic>
1211    <affects>
1212      <package>
1213	<name>FreeBSD</name>
1214	<range><ge>11.0</ge><lt>11.0_4</lt></range>
1215	<range><ge>10.3</ge><lt>10.3_13</lt></range>
1216	<range><ge>10.2</ge><lt>10.2_26</lt></range>
1217	<range><ge>10.1</ge><lt>10.1_43</lt></range>
1218      </package>
1219    </affects>
1220    <description>
1221      <body xmlns="http://www.w3.org/1999/xhtml">
1222	<h1>Problem Description:</h1>
1223	<p>The bounds checking of accesses to guest memory greater
1224	than 4GB by device emulations is subject to integer
1225	overflow.</p>
1226	<h1>Impact:</h1>
1227	<p>For a bhyve virtual machine with more than 3GB of guest
1228	memory configured, a malicious guest could craft device
1229	descriptors that could give it access to the heap of the
1230	bhyve process. Since the bhyve process is running as root,
1231	this may allow guests to obtain full control of the hosts
1232	they're running on.</p>
1233      </body>
1234    </description>
1235    <references>
1236      <cvename>CVE-2016-1889</cvename>
1237      <freebsdsa>SA-16:38.bhyve</freebsdsa>
1238    </references>
1239    <dates>
1240      <discovery>2016-12-06</discovery>
1241      <entry>2016-12-06</entry>
1242    </dates>
1243  </vuln>
1244
1245  <vuln vid="0282269d-bbee-11e6-b1cf-14dae9d210b8">
1246    <topic>FreeBSD -- link_ntoa(3) buffer overflow</topic>
1247    <affects>
1248      <package>
1249	<name>FreeBSD</name>
1250	<range><ge>11.0</ge><lt>11.0_5</lt></range>
1251	<range><ge>10.3</ge><lt>10.3_14</lt></range>
1252	<range><ge>10.2</ge><lt>10.2_27</lt></range>
1253	<range><ge>10.1</ge><lt>10.1_44</lt></range>
1254	<range><ge>9.3</ge><lt>9.3_52</lt></range>
1255      </package>
1256    </affects>
1257    <description>
1258      <body xmlns="http://www.w3.org/1999/xhtml">
1259	<h1>Problem Description:</h1>
1260	<p>A specially crafted argument can trigger a static buffer
1261	overflow in the library, with possibility to rewrite following
1262	static buffers that belong to other library functions.</p>
1263	<h1>Impact:</h1>
1264	<p>Due to very limited use of the function in the existing
1265	applications, and limited length of the overflow, exploitation
1266	of the vulnerability does not seem feasible. None of the
1267	utilities and daemons in the base system are known to be
1268	vulnerable. However, careful review of third party software
1269	that may use the function was not performed.</p>
1270      </body>
1271    </description>
1272    <references>
1273      <cvename>CVE-2016-6559</cvename>
1274      <freebsdsa>SA-16:37.libc</freebsdsa>
1275    </references>
1276    <dates>
1277      <discovery>2016-12-06</discovery>
1278      <entry>2016-12-06</entry>
1279      <modified>2016-12-08</modified>
1280    </dates>
1281  </vuln>
1282
1283  <vuln vid="e00304d2-bbed-11e6-b1cf-14dae9d210b8">
1284    <topic>FreeBSD -- Possible login(1) argument injection in telnetd(8)</topic>
1285    <affects>
1286      <package>
1287	<name>FreeBSD</name>
1288	<range><ge>11.0</ge><lt>11.0_4</lt></range>
1289	<range><ge>10.3</ge><lt>10.3_13</lt></range>
1290	<range><ge>10.2</ge><lt>10.2_26</lt></range>
1291	<range><ge>10.1</ge><lt>10.1_43</lt></range>
1292	<range><ge>9.3</ge><lt>9.3_51</lt></range>
1293      </package>
1294    </affects>
1295    <description>
1296      <body xmlns="http://www.w3.org/1999/xhtml">
1297	<h1>Problem Description:</h1>
1298	<p>An unexpected sequence of memory allocation failures
1299	combined with insufficient error checking could result in
1300	the construction and execution of an argument sequence that
1301	was not intended.</p>
1302	<h1>Impact:</h1>
1303	<p>An attacker who controls the sequence of memory allocation
1304	failures and success may cause login(1) to run without
1305	authentication and may be able to cause misbehavior of
1306	login(1) replacements.</p>
1307	<p>No practical way of controlling these memory allocation
1308	failures is known at this time.</p>
1309      </body>
1310    </description>
1311    <references>
1312      <cvename>CVE-2016-1888</cvename>
1313      <freebsdsa>SA-16:36.telnetd</freebsdsa>
1314    </references>
1315    <dates>
1316      <discovery>2016-12-06</discovery>
1317      <entry>2016-12-06</entry>
1318    </dates>
1319  </vuln>
1320
1321  <vuln vid="cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf">
1322    <topic>Apache httpd -- denial of service in HTTP/2</topic>
1323    <affects>
1324      <package>
1325	<name>apache24</name>
1326	<range><ge>2.4.17</ge><le>2.4.23_1</le></range>
1327      </package>
1328      <package>
1329	<name>mod_http2-devel</name>
1330	<range><lt>1.8.3</lt></range>
1331      </package>
1332    </affects>
1333    <description>
1334      <body xmlns="http://www.w3.org/1999/xhtml">
1335	<p>mod_http2 reports:</p>
1336	<blockquote cite="http://mail-archives.apache.org/mod_mbox/httpd-announce/201612.mbox/%3C1A097A43-7CCB-4BA1-861F-E0C7EEE83A4B%40apache.org%3E">
1337	  <p>The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply
1338	    limitations on request headers correctly when the experimental module
1339	    for the HTTP/2 protocol is used to access a resource.</p>
1340	  <p>The net result is that the server allocates too much memory
1341	    instead of denying the request. This can lead to memory exhaustion
1342	    of the server by a properly crafted request.</p>
1343	</blockquote>
1344      </body>
1345    </description>
1346    <references>
1347      <url>http://mail-archives.apache.org/mod_mbox/httpd-announce/201612.mbox/%3C1A097A43-7CCB-4BA1-861F-E0C7EEE83A4B%40apache.org%3E</url>
1348      <url>https://github.com/icing/mod_h2/releases/tag/v1.8.3</url>
1349      <cvename>CVE-2016-8740</cvename>
1350    </references>
1351    <dates>
1352      <discovery>2016-12-06</discovery>
1353      <entry>2016-12-06</entry>
1354    </dates>
1355  </vuln>
1356
1357  <vuln vid="603fe0a1-bb26-11e6-8e5a-3065ec8fd3ec">
1358    <topic>chromium -- multiple vulnerabilities</topic>
1359    <affects>
1360      <package>
1361	<name>chromium</name>
1362	<name>chromium-npapi</name>
1363	<name>chromium-pulse</name>
1364	<range><lt>55.0.2883.75</lt></range>
1365      </package>
1366    </affects>
1367    <description>
1368      <body xmlns="http://www.w3.org/1999/xhtml">
1369	<p>Google Chrome Releases reports:</p>
1370	<blockquote cite="https://googlechromereleases.blogspot.nl/2016/12/stable-channel-update-for-desktop.html">
1371	  <p>36 security fixes in this release</p>
1372	  <p>Please reference CVE/URL list for details</p>
1373	</blockquote>
1374      </body>
1375    </description>
1376    <references>
1377      <cvename>CVE-2016-9651</cvename>
1378      <cvename>CVE-2016-5208</cvename>
1379      <cvename>CVE-2016-5207</cvename>
1380      <cvename>CVE-2016-5206</cvename>
1381      <cvename>CVE-2016-5205</cvename>
1382      <cvename>CVE-2016-5204</cvename>
1383      <cvename>CVE-2016-5209</cvename>
1384      <cvename>CVE-2016-5203</cvename>
1385      <cvename>CVE-2016-5210</cvename>
1386      <cvename>CVE-2016-5212</cvename>
1387      <cvename>CVE-2016-5211</cvename>
1388      <cvename>CVE-2016-5213</cvename>
1389      <cvename>CVE-2016-5214</cvename>
1390      <cvename>CVE-2016-5216</cvename>
1391      <cvename>CVE-2016-5215</cvename>
1392      <cvename>CVE-2016-5217</cvename>
1393      <cvename>CVE-2016-5218</cvename>
1394      <cvename>CVE-2016-5219</cvename>
1395      <cvename>CVE-2016-5221</cvename>
1396      <cvename>CVE-2016-5220</cvename>
1397      <cvename>CVE-2016-5222</cvename>
1398      <cvename>CVE-2016-9650</cvename>
1399      <cvename>CVE-2016-5223</cvename>
1400      <cvename>CVE-2016-5226</cvename>
1401      <cvename>CVE-2016-5225</cvename>
1402      <cvename>CVE-2016-5224</cvename>
1403      <cvename>CVE-2016-9652</cvename>
1404      <url>https://googlechromereleases.blogspot.nl/2016/12/stable-channel-update-for-desktop.html</url>
1405    </references>
1406    <dates>
1407      <discovery>2016-12-01</discovery>
1408      <entry>2016-12-05</entry>
1409    </dates>
1410  </vuln>
1411
1412  <vuln vid="e1f67063-aab4-11e6-b2d3-60a44ce6887b">
1413    <topic>ImageMagick7 -- multiple vulnerabilities</topic>
1414    <affects>
1415      <package>
1416	<name>ImageMagick7</name>
1417	<name>ImageMagick7-nox11</name>
1418	<range><lt>7.0.3.6</lt></range>
1419      </package>
1420    </affects>
1421    <description>
1422      <body xmlns="http://www.w3.org/1999/xhtml">
1423	<p>Multiple sources report:</p>
1424	<blockquote cite="https://github.com/ImageMagick/ImageMagick/issues/296">
1425	  <p>CVE-2016-9298: heap overflow in WaveletDenoiseImage(), fixed in ImageMagick7-7.0.3.6, discovered 2016-10-31</p>
1426	</blockquote>
1427	<blockquote cite="https://blogs.gentoo.org/ago/2016/10/20/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862/">
1428	  <p>CVE-2016-8866: memory allocation failure in AcquireMagickMemory (incomplete previous fix for CVE-2016-8862), not fixed yet with the release of this announcement, re-discovered 2016-10-13.</p>
1429	</blockquote>
1430	<blockquote cite="https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/">
1431	  <p>CVE-2016-8862: memory allocation failure in AcquireMagickMemory, initially partially fixed in ImageMagick7-7.0.3.3, discovered 2016-09-14.</p>
1432	</blockquote>
1433      </body>
1434    </description>
1435    <references>
1436      <url>https://github.com/ImageMagick/ImageMagick/issues/296</url>
1437      <url>https://blogs.gentoo.org/ago/2016/10/20/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862/</url>
1438      <url>https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/</url>
1439      <cvename>CVE-2016-9298</cvename>
1440      <cvename>CVE-2016-8866</cvename>
1441      <cvename>CVE-2016-8862</cvename>
1442      <freebsdpr>ports/214514</freebsdpr>
1443    </references>
1444    <dates>
1445      <discovery>2016-09-14</discovery>
1446      <entry>2016-12-04</entry>
1447    </dates>
1448  </vuln>
1449
1450  <vuln vid="bc4898d5-a794-11e6-b2d3-60a44ce6887b">
1451    <topic>Pillow -- multiple vulnerabilities</topic>
1452    <affects>
1453      <package>
1454	<name>py27-pillow</name>
1455	<name>py33-pillow</name>
1456	<name>py34-pillow</name>
1457	<name>py35-pillow</name>
1458	<range><lt>3.3.2</lt></range>
1459      </package>
1460    </affects>
1461    <description>
1462      <body xmlns="http://www.w3.org/1999/xhtml">
1463	<p>Pillow reports:</p>
1464	<blockquote cite="http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html">
1465	  <p>Pillow prior to 3.3.2 may experience integer overflow
1466	    errors in map.c when reading specially crafted image files. This may
1467	    lead to memory disclosure or corruption.</p>
1468	  <p>Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check
1469	    for negative image sizes in ImagingNew in Storage.c. A negative image
1470	    size can lead to a smaller allocation than expected, leading to
1471	    arbitrary writes.</p>
1472	</blockquote>
1473      </body>
1474    </description>
1475    <references>
1476      <url>http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html</url>
1477      <url>https://github.com/python-pillow/Pillow/issues/2105</url>
1478      <cvename>CVE-2016-9189</cvename>
1479      <cvename>CVE-2016-9190</cvename>
1480      <freebsdpr>ports/214410</freebsdpr>
1481    </references>
1482    <dates>
1483      <discovery>2016-09-06</discovery>
1484      <entry>2016-12-04</entry>
1485    </dates>
1486  </vuln>
1487
1488  <vuln vid="19d35b0f-ba73-11e6-b1cf-14dae9d210b8">
1489    <topic>ImageMagick -- heap overflow vulnerability</topic>
1490    <affects>
1491      <package>
1492	<name>ImageMagick</name>
1493	<name>ImageMagick-nox11</name>
1494	<range><lt>6.9.6.4,1</lt></range>
1495      </package>
1496      <package>
1497	<name>ImageMagick7</name>
1498	<name>ImageMagick7-nox11</name>
1499	<range><lt>7.0.3.7</lt></range>
1500      </package>
1501    </affects>
1502    <description>
1503      <body xmlns="http://www.w3.org/1999/xhtml">
1504	<p>Bastien Roucaries reports:</p>
1505	<blockquote cite="http://seclists.org/oss-sec/2016/q4/413">
1506	  <p>Imagemagick before 3cbfb163cff9e5b8cdeace8312e9bfee810ed02b
1507	    suffers from a heap overflow in WaveletDenoiseImage(). This problem is
1508	    easily triggerable from a Perl script.</p>
1509	</blockquote>
1510      </body>
1511    </description>
1512    <references>
1513      <url>http://seclists.org/oss-sec/2016/q4/413</url>
1514      <url>https://github.com/ImageMagick/ImageMagick/issues/296</url>
1515      <cvename>CVE-2016-9298</cvename>
1516      <freebsdpr>ports/214517</freebsdpr>
1517      <freebsdpr>ports/214511</freebsdpr>
1518      <freebsdpr>ports/214520</freebsdpr>
1519    </references>
1520    <dates>
1521      <discovery>2016-11-13</discovery>
1522      <entry>2016-12-04</entry>
1523    </dates>
1524  </vuln>
1525
1526  <vuln vid="e5dcb942-ba6f-11e6-b1cf-14dae9d210b8">
1527    <topic>py-cryptography -- vulnerable HKDF key generation</topic>
1528    <affects>
1529      <package>
1530	<name>py27-cryptography</name>
1531	<name>py33-cryptography</name>
1532	<name>py34-cryptography</name>
1533	<name>py35-cryptography</name>
1534	<range><lt>1.5.3</lt></range>
1535      </package>
1536    </affects>
1537    <description>
1538      <body xmlns="http://www.w3.org/1999/xhtml">
1539	<p>Alex Gaynor reports:</p>
1540	<blockquote cite="https://github.com/pyca/cryptography/commit/b94cacf2ae6e75e4007a79709bbf5360435b512d">
	  <p>Fixed a bug where <code>HKDF</code> would return an empty
	    byte-string if used with a <code>length</code> less than
	    <code>algorithm.digest_size</code>.</p>
1544	</blockquote>
1545      </body>
1546    </description>
1547    <references>
1548      <url>https://github.com/pyca/cryptography/commit/b94cacf2ae6e75e4007a79709bbf5360435b512d</url>
1549      <cvename>CVE-2016-9243</cvename>
1550      <freebsdpr>ports/214915</freebsdpr>
1551    </references>
1552    <dates>
1553      <discovery>2016-11-05</discovery>
1554      <entry>2016-12-04</entry>
1555      <modified>2016-12-06</modified>
1556    </dates>
1557  </vuln>
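The failure described above is easy to miss because a truncated or empty key still "works" as input to a cipher. The following added example (editor's code, not pyca/cryptography's) implements HKDF-Extract and HKDF-Expand per RFC 5869 with the standard library, checks them against the published RFC 5869 test vector 1, reproduces the described symptom in a deliberately broken variant (the exact shape of the pyca bug is an assumption; only the "empty output for length below digest_size" behaviour is taken from the advisory), and shows the length check a caller should apply to any KDF output.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM). An empty salt means HashLen zero bytes."""
    hash_len = hashlib.new(hash_name).digest_size
    return hmac.new(salt or b"\x00" * hash_len, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 2: OKM = first L bytes of T(1) | T(2) | ..., T(i) = HMAC(PRK, T(i-1) | info | i)."""
    hash_len = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError("length must be between 1 and 255*HashLen bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # count bytes actually produced, never a precomputed block count
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_described_bug(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Reconstruction of the advisory's symptom, NOT pyca's code. Assumed shape of the
    defect: the block count is floor(L / HashLen) instead of ceil(L / HashLen), so a
    request for fewer than HashLen bytes produces no block at all and returns b''."""
    hash_len = hashlib.new(hash_name).digest_size
    n_blocks = length // hash_len  # should be -(-length // hash_len)
    block, out = b"", b""
    for counter in range(1, n_blocks + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        out += block
    return out[:length]


def derive_checked(prk: bytes, info: bytes, length: int, expand=hkdf_expand) -> bytes:
    """The check every caller should have: a KDF that returns fewer bytes than requested
    is a bug, not a key. Raises instead of silently handing back short material."""
    okm = expand(prk, info, length)
    if len(okm) != length:
        raise ValueError(f"KDF returned {len(okm)} bytes, expected {length}")
    return okm


# RFC 5869 Appendix A, test case 1 (SHA-256). Published vector, not constructed here.
IKM = bytes.fromhex("0b" * 22)
SALT = bytes.fromhex("000102030405060708090a0b0c")
INFO = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
PRK = bytes.fromhex("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5")
OKM = bytes.fromhex(
    "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
    "34007208d5b887185865"
)

if __name__ == "__main__":
    assert hkdf_extract(SALT, IKM) == PRK
    assert hkdf_expand(PRK, INFO, 42) == OKM
    print("16-byte key (correct):      ", hkdf_expand(PRK, INFO, 16).hex())
    print("16-byte key (described bug):", hkdf_expand_described_bug(PRK, INFO, 16))
    try:
        derive_checked(PRK, INFO, 16, expand=hkdf_expand_described_bug)
    except ValueError as exc:
        print("length check caught it:", exc)
```

Note that HKDF-Expand output is prefix-consistent: a 16-byte request must equal the first 16 bytes of a 42-byte request from the same PRK and info, which is a cheap sanity test to run against any HKDF implementation you depend on.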
1558
1559  <vuln vid="a228c7a0-ba66-11e6-b1cf-14dae9d210b8">
1560    <topic>qemu -- denial of service vulnerability</topic>
1561    <affects>
1562      <package>
1563	<name>qemu</name>
1564	<name>qemu-devel</name>
1565	<name>qemu-sbruno</name>
1566	<range><lt>2.3.0</lt></range>
1567      </package>
1568    </affects>
1569    <description>
1570      <body xmlns="http://www.w3.org/1999/xhtml">
1571	<p>Daniel P. Berrange reports:</p>
1572	<blockquote cite="https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04895.html">
	  <p>The VNC server websockets decoder will read and buffer data
	    from websockets clients until it sees the end of the HTTP headers,
	    as indicated by \r\n\r\n. In theory this allows a malicious client to
	    trick QEMU into consuming an arbitrary amount of RAM.</p>
1577	</blockquote>
1578      </body>
1579    </description>
1580    <references>
1581      <url>https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04895.html</url>
1582      <cvename>CVE-2015-1779</cvename>
1583      <freebsdpr>ports/206725</freebsdpr>
1584    </references>
1585    <dates>
1586      <discovery>2015-03-23</discovery>
1587      <entry>2016-12-04</entry>
1588      <modified>2016-12-06</modified>
1589    </dates>
1590  </vuln>
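The defect above is the general "buffer until delimiter" mistake: the server's memory use is decided by the peer. The added example below (editor's code, not QEMU's; the 8 KiB cap is a value chosen for the example, the page does not state QEMU's limit) reads HTTP headers up to the \r\n\r\n terminator from a byte stream but never lets the buffer grow past a fixed cap, and shows how much a client that streams header bytes forever is able to make the server hold before it is cut off.

```python
import io

# Cap chosen for this example; the page does not state QEMU's own limit.
MAX_HEADER_BYTES = 8192
HEADER_END = b"\r\n\r\n"


class HeaderTooLarge(Exception):
    """The client sent MAX_HEADER_BYTES without ever ending its headers."""


def read_http_headers(stream, max_bytes: int = MAX_HEADER_BYTES, chunk: int = 1024):
    """Buffer from `stream` until the blank line that ends the HTTP headers.

    Returns (header_bytes, leftover_bytes). Memory use is bounded by `max_bytes`
    whatever the client does: a peer that never sends the terminator is rejected
    instead of growing the buffer without limit.
    """
    buf = bytearray()
    while True:
        end = buf.find(HEADER_END)
        if end != -1:
            end += len(HEADER_END)
            return bytes(buf[:end]), bytes(buf[end:])
        if len(buf) >= max_bytes:
            raise HeaderTooLarge(f"no end of headers within {max_bytes} bytes")
        data = stream.read(min(chunk, max_bytes - len(buf)))  # never read past the cap
        if not data:
            raise ConnectionError("peer closed the connection before the headers ended")
        buf += data


def parse_bytes(payload: bytes):
    """Convenience wrapper: run the reader over an in-memory byte string."""
    return read_http_headers(io.BytesIO(payload))


def bytes_consumed_before_rejection(payload: bytes) -> int:
    """How many bytes a hostile payload made the server buffer before rejection (-1 if accepted)."""
    stream = io.BytesIO(payload)
    try:
        read_http_headers(stream)
    except HeaderTooLarge:
        return stream.tell()
    return -1


# Constructed inputs, not captured traffic: a well-formed websocket upgrade followed
# by two bytes of frame data, and a client that streams header bytes without end.
GOOD_HANDSHAKE = (
    b"GET /websockify HTTP/1.1\r\n"
    b"Host: vnc.example.invalid\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"\r\n"
    b"\x81\x00"
)
ENDLESS_HEADERS = b"X-Padding: " + b"A" * (1024 * 1024)

if __name__ == "__main__":
    headers, rest = parse_bytes(GOOD_HANDSHAKE)
    print(headers.decode(), "leftover frame bytes:", rest)
    print("hostile client buffered:", bytes_consumed_before_rejection(ENDLESS_HEADERS), "bytes")
```

The order of the checks matters: the terminator is looked for before the size test, so a legitimate header block that is exactly at the cap still parses, while the read size is clamped so the buffer can never exceed the cap even by one chunk.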
1591
1592  <vuln vid="59f79c99-ba4d-11e6-ae1b-002590263bf5">
1593    <topic>xen-tools -- delimiter injection vulnerabilities in pygrub</topic>
1594    <affects>
1595      <package>
1596	<name>xen-tools</name>
1597	<range><lt>4.7.1</lt></range>
1598      </package>
1599    </affects>
1600    <description>
1601      <body xmlns="http://www.w3.org/1999/xhtml">
1602	<p>The Xen Project reports:</p>
1603	<blockquote cite="https://xenbits.xen.org/xsa/advisory-198.html">
1604	  <p>pygrub, the boot loader emulator, fails to quote (or sanity check)
1605	    its results when reporting them to its caller.</p>
1606	  <p>A malicious guest administrator can obtain the contents of
1607	    sensitive host files (an information leak). Additionally, a
1608	    malicious guest administrator can cause files on the host to be
1609	    removed, causing a denial of service. In some unusual host
1610	    configurations, ability to remove certain files may be usable for
1611	    privilege escalation.</p>
1612	</blockquote>
1613      </body>
1614    </description>
1615    <references>
1616      <cvename>CVE-2016-9379</cvename>
1617      <cvename>CVE-2016-9380</cvename>
1618      <freebsdpr>ports/214936</freebsdpr>
1619      <url>https://xenbits.xen.org/xsa/advisory-198.html</url>
1620    </references>
1621    <dates>
1622      <discovery>2016-11-22</discovery>
1623      <entry>2016-12-04</entry>
1624    </dates>
1625  </vuln>
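The pygrub issue above is a delimiter injection: a helper reports guest-derived values to a more privileged caller over a line-oriented format without quoting them, so a value that contains the record delimiter becomes a record of its own. The added example below (editor's code, not pygrub's or libxl's; the "key value" line format and the field names are a simplified model, not pygrub's actual output format) shows the injection against a naive reporter, the same reporter with escaping plus a matching un-escaping parser, and the alternative of rejecting control characters outright.

```python
import re

# Keys the caller is willing to accept; anything else in the report is an injection or a bug.
ALLOWED_KEYS = {"kernel", "ramdisk", "args"}


def naive_report(fields: dict) -> str:
    """One 'key value' line per field, values unquoted. A value holding a newline followed
    by 'key value' text becomes an extra record the caller will believe came from us."""
    return "".join(f"{key} {value}\n" for key, value in fields.items())


def quote(value: str) -> str:
    """Escape the two characters that carry meaning in the line format."""
    return value.replace("\\", "\\\\").replace("\n", "\\n")


def unquote(value: str) -> str:
    """Inverse of quote(); an unknown escape is a protocol error, not something to guess at."""
    def repl(m):
        ch = m.group(1)
        if ch == "n":
            return "\n"
        if ch == "\\":
            return "\\"
        raise ValueError(f"bad escape \\{ch}")
    return re.sub(r"\\(.)", repl, value)


def quoted_report(fields: dict) -> str:
    return "".join(f"{key} {quote(value)}\n" for key, value in fields.items())


def parse_report(text: str, unquoter=lambda v: v) -> dict:
    """Caller side: one record per line, key split from value at the first space.
    Unknown and duplicate keys are refused so a smuggled line cannot pass unnoticed."""
    records = {}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if key not in ALLOWED_KEYS:
            raise ValueError(f"unexpected key {key!r} in boot loader report")
        if key in records:
            raise ValueError(f"duplicate key {key!r}")
        records[key] = unquoter(value)
    return records


def is_clean(value: str) -> bool:
    """Alternative to quoting: refuse any value containing a control character."""
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


# Constructed guest-controlled input: a kernel path carrying an embedded newline and a
# second record. The path is a placeholder, not a claim about any real exploit.
MALICIOUS = {
    "kernel": "/vmlinuz\nramdisk /host/constructed-path",
    "args": "root=/dev/xvda1",
}

if __name__ == "__main__":
    print("naive parse :", parse_report(naive_report(MALICIOUS)))
    print("quoted parse:", parse_report(quoted_report(MALICIOUS), unquote))
    print("kernel value passes control-char check:", is_clean(MALICIOUS["kernel"]))
```

With the naive reporter the caller sees three records although the reporter emitted two fields; with quoting the two fields round-trip exactly, newline included, and the caller can then decide what a newline in a kernel path should mean.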
1626
1627  <vuln vid="58685e23-ba4d-11e6-ae1b-002590263bf5">
1628    <topic>xen-tools -- qemu incautious about shared ring processing</topic>
1629    <affects>
1630      <package>
1631	<name>xen-tools</name>
1632	<range><lt>4.7.1</lt></range>
1633      </package>
1634    </affects>
1635    <description>
1636      <body xmlns="http://www.w3.org/1999/xhtml">
1637	<p>The Xen Project reports:</p>
1638	<blockquote cite="https://xenbits.xen.org/xsa/advisory-197.html">
1639	  <p>The compiler can emit optimizations in qemu which can lead to
1640	    double fetch vulnerabilities. Specifically data on the rings shared
1641	    between qemu and the hypervisor (which the guest under control can
1642	    obtain mappings of) can be fetched twice (during which time the
1643	    guest can alter the contents) possibly leading to arbitrary code
1644	    execution in qemu.</p>
1645	  <p>Malicious administrators can exploit this vulnerability to take
1646	    over the qemu process, elevating its privilege to that of the qemu
1647	    process.</p>
1648	  <p>In a system not using a device model stub domain (or other
1649	    techniques for deprivileging qemu), malicious guest administrators
1650	    can thus elevate their privilege to that of the host.</p>
1651	</blockquote>
1652      </body>
1653    </description>
1654    <references>
1655      <cvename>CVE-2016-9381</cvename>
1656      <freebsdpr>ports/214936</freebsdpr>
1657      <url>https://xenbits.xen.org/xsa/advisory-197.html</url>
1658    </references>
1659    <dates>
1660      <discovery>2016-11-22</discovery>
1661      <entry>2016-12-04</entry>
1662    </dates>
1663  </vuln>
1664
1665  <vuln vid="56f0f11e-ba4d-11e6-ae1b-002590263bf5">
1666    <topic>xen-kernel -- x86 64-bit bit test instruction emulation broken</topic>
1667    <affects>
1668      <package>
1669	<name>xen-kernel</name>
1670	<range><lt>4.7.1</lt></range>
1671      </package>
1672    </affects>
1673    <description>
1674      <body xmlns="http://www.w3.org/1999/xhtml">
1675	<p>The Xen Project reports:</p>
1676	<blockquote cite="https://xenbits.xen.org/xsa/advisory-195.html">
1677	  <p>The x86 instructions BT, BTC, BTR, and BTS, when used with a
1678	    destination memory operand and a source register rather than an
1679	    immediate operand, access a memory location offset from that
1680	    specified by the memory operand as specified by the high bits of
1681	    the register source.</p>
1682	  <p>A malicious guest can modify arbitrary memory, allowing for
1683	    arbitrary code execution (and therefore privilege escalation
1684	    affecting the whole host), a crash of the host (leading to a DoS),
1685	    or information leaks. The vulnerability is sometimes exploitable
1686	    by unprivileged guest user processes.</p>
1687	</blockquote>
1688      </body>
1689    </description>
1690    <references>
1691      <cvename>CVE-2016-9383</cvename>
1692      <freebsdpr>ports/214936</freebsdpr>
1693      <url>https://xenbits.xen.org/xsa/advisory-195.html</url>
1694    </references>
1695    <dates>
1696      <discovery>2016-11-22</discovery>
1697      <entry>2016-12-04</entry>
1698    </dates>
1699  </vuln>
1700
1701  <vuln vid="5555120d-ba4d-11e6-ae1b-002590263bf5">
1702    <topic>xen-kernel -- guest 32-bit ELF symbol table load leaking host data</topic>
1703    <affects>
1704      <package>
1705	<name>xen-kernel</name>
1706	<range><ge>4.7</ge><lt>4.7.1</lt></range>
1707      </package>
1708    </affects>
1709    <description>
1710      <body xmlns="http://www.w3.org/1999/xhtml">
1711	<p>The Xen Project reports:</p>
1712	<blockquote cite="https://xenbits.xen.org/xsa/advisory-194.html">
1713	  <p>Along with their main kernel binary, unprivileged guests may
1714	    arrange to have their Xen environment load (kernel) symbol tables
1715	    for their use. The ELF image metadata created for this purpose has a
1716	    few unused bytes when the symbol table binary is in 32-bit ELF
1717	    format. These unused bytes were not properly cleared during symbol
1718	    table loading.</p>
1719	  <p>A malicious unprivileged guest may be able to obtain sensitive
1720	    information from the host.</p>
1721	  <p>The information leak is small and not under the control of the
1722	    guest, so effectively exploiting this vulnerability is probably
1723	    difficult.</p>
1724	</blockquote>
1725      </body>
1726    </description>
1727    <references>
1728      <cvename>CVE-2016-9384</cvename>
1729      <freebsdpr>ports/214936</freebsdpr>
1730      <url>https://xenbits.xen.org/xsa/advisory-194.html</url>
1731    </references>
1732    <dates>
1733      <discovery>2016-11-22</discovery>
1734      <entry>2016-12-04</entry>
1735    </dates>
1736  </vuln>
1737
1738  <vuln vid="53dbd096-ba4d-11e6-ae1b-002590263bf5">
1739    <topic>xen-kernel -- x86 segment base write emulation lacking canonical address checks</topic>
1740    <affects>
1741      <package>
1742	<name>xen-kernel</name>
1743	<range><ge>4.4</ge><lt>4.7.1</lt></range>
1744      </package>
1745    </affects>
1746    <description>
1747      <body xmlns="http://www.w3.org/1999/xhtml">
1748	<p>The Xen Project reports:</p>
1749	<blockquote cite="https://xenbits.xen.org/xsa/advisory-193.html">
1750	  <p>Both writes to the FS and GS register base MSRs as well as the
1751	    WRFSBASE and WRGSBASE instructions require their input values to be
1752	    canonical, or a #GP fault will be raised. When the use of those
1753	    instructions by the hypervisor was enabled, the previous guard
1754	    against #GP faults (having recovery code attached) was accidentally
1755	    removed.</p>
1756	  <p>A malicious guest administrator can crash the host, leading to a
1757	    DoS.</p>
1758	</blockquote>
1759      </body>
1760    </description>
1761    <references>
1762      <cvename>CVE-2016-9385</cvename>
1763      <freebsdpr>ports/214936</freebsdpr>
1764      <url>https://xenbits.xen.org/xsa/advisory-193.html</url>
1765    </references>
1766    <dates>
1767      <discovery>2016-11-22</discovery>
1768      <entry>2016-12-04</entry>
1769    </dates>
1770  </vuln>
1771
1772  <vuln vid="523bb0b7-ba4d-11e6-ae1b-002590263bf5">
1773    <topic>xen-kernel -- x86 task switch to VM86 mode mis-handled</topic>
1774    <affects>
1775      <package>
1776	<name>xen-kernel</name>
1777	<range><lt>4.7.1</lt></range>
1778      </package>
1779    </affects>
1780    <description>
1781      <body xmlns="http://www.w3.org/1999/xhtml">
1782	<p>The Xen Project reports:</p>
1783	<blockquote cite="https://xenbits.xen.org/xsa/advisory-192.html">
1784	  <p>LDTR, just like TR, is purely a protected mode facility. Hence even
1785	    when switching to a VM86 mode task, LDTR loading needs to follow
1786	    protected mode semantics. This was violated by the code.</p>
1787	  <p>On SVM (AMD hardware): a malicious unprivileged guest process can
1788	    escalate its privilege to that of the guest operating system.</p>
1789	  <p>On both SVM and VMX (Intel hardware): a malicious unprivileged
1790	    guest process can crash the guest.</p>
1791	</blockquote>
1792      </body>
1793    </description>
1794    <references>
1795      <cvename>CVE-2016-9382</cvename>
1796      <freebsdpr>ports/214936</freebsdpr>
1797      <url>https://xenbits.xen.org/xsa/advisory-192.html</url>
1798    </references>
1799    <dates>
1800      <discovery>2016-11-22</discovery>
1801      <entry>2016-12-04</entry>
1802    </dates>
1803  </vuln>
1804
1805  <vuln vid="50ac2e96-ba4d-11e6-ae1b-002590263bf5">
1806    <topic>xen-kernel -- x86 null segments not always treated as unusable</topic>
1807    <affects>
1808      <package>
1809	<name>xen-kernel</name>
1810	<range><lt>4.7.1</lt></range>
1811      </package>
1812    </affects>
1813    <description>
1814      <body xmlns="http://www.w3.org/1999/xhtml">
1815	<p>The Xen Project reports:</p>
1816	<blockquote cite="https://xenbits.xen.org/xsa/advisory-191.html">
1817	  <p>The Xen x86 emulator erroneously failed to consider the unusability
1818	    of segments when performing memory accesses.</p>
	  <p>The intended behaviour is as follows: The user data segment (%ds,
	    %es, %fs and %gs) selectors may be NULL in 32-bit to prevent access.
	    In 64-bit, NULL has a special meaning for user segments, and there
	    is no way of preventing access. However, in both 32-bit and 64-bit,
	    a NULL LDT system segment is intended to prevent access.</p>
	  <p>On Intel hardware, loading a NULL selector zeros the base as well
	    as most attributes, but sets the limit field to its largest possible
	    value. On AMD hardware, loading a NULL selector zeros the attributes,
	    leaving the stale base and limit intact.</p>
	  <p>Xen may erroneously permit the access using unexpected base/limit
	    values.</p>
	  <p>Ability to exploit this vulnerability on Intel is easy, but on AMD
	    depends in a complicated way on how the guest kernel manages LDTs.</p>
	  <p>An unprivileged guest user program may be able to elevate its
	    privilege to that of the guest operating system.</p>
1835	</blockquote>
1836      </body>
1837    </description>
1838    <references>
1839      <cvename>CVE-2016-9386</cvename>
1840      <freebsdpr>ports/214936</freebsdpr>
1841      <url>https://xenbits.xen.org/xsa/advisory-191.html</url>
1842    </references>
1843    <dates>
1844      <discovery>2016-11-22</discovery>
1845      <entry>2016-12-04</entry>
1846    </dates>
1847  </vuln>
1848
1849  <vuln vid="4d7cf654-ba4d-11e6-ae1b-002590263bf5">
1850    <topic>xen-kernel -- CR0.TS and CR0.EM not always honored for x86 HVM guests</topic>
1851    <affects>
1852      <package>
1853	<name>xen-kernel</name>
1854	<range><lt>4.7.1</lt></range>
1855      </package>
1856    </affects>
1857    <description>
1858      <body xmlns="http://www.w3.org/1999/xhtml">
1859	<p>The Xen Project reports:</p>
1860	<blockquote cite="https://xenbits.xen.org/xsa/advisory-190.html">
1861	  <p>Instructions touching FPU, MMX, or XMM registers are required to
1862	    raise a Device Not Available Exception (#NM) when either CR0.EM or
1863	    CR0.TS are set. (Their AVX or AVX-512 extensions would consider only
1864	    CR0.TS.) While during normal operation this is ensured by the
1865	    hardware, if a guest modifies instructions while the hypervisor is
1866	    preparing to emulate them, the #NM delivery could be missed.</p>
1867	  <p>Guest code in one task may thus (unintentionally or maliciously)
1868	    read or modify register state belonging to another task in the same
1869	    VM.</p>
1870	  <p>A malicious unprivileged guest user may be able to obtain or
1871	    corrupt sensitive information (including cryptographic material) in
1872	    other programs in the same guest.</p>
1873	</blockquote>
1874      </body>
1875    </description>
1876    <references>
1877      <cvename>CVE-2016-7777</cvename>
1878      <freebsdpr>ports/214936</freebsdpr>
1879      <url>https://xenbits.xen.org/xsa/advisory-190.html</url>
1880    </references>
1881    <dates>
1882      <discovery>2016-10-04</discovery>
1883      <entry>2016-12-04</entry>
1884    </dates>
1885  </vuln>
1886
1887  <vuln vid="4bf57137-ba4d-11e6-ae1b-002590263bf5">
1888    <topic>xen-kernel -- use after free in FIFO event channel code</topic>
1889    <affects>
1890      <package>
1891	<name>xen-kernel</name>
1892	<range><ge>4.4</ge><lt>4.5</lt></range>
1893      </package>
1894    </affects>
1895    <description>
1896      <body xmlns="http://www.w3.org/1999/xhtml">
1897	<p>The Xen Project reports:</p>
1898	<blockquote cite="https://xenbits.xen.org/xsa/advisory-188.html">
1899	  <p>When the EVTCHNOP_init_control operation is called with a bad guest
1900	    frame number, it takes an error path which frees a control structure
1901	    without also clearing the corresponding pointer. Certain subsequent
1902	    operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control),
1903	    upon finding the non-NULL pointer, continue operation assuming it
1904	    points to allocated memory.</p>
1905	  <p>A malicious guest administrator can crash the host, leading to a
1906	    DoS. Arbitrary code execution (and therefore privilege escalation),
1907	    and information leaks, cannot be excluded.</p>
1908	</blockquote>
1909      </body>
1910    </description>
1911    <references>
1912      <cvename>CVE-2016-7154</cvename>
1913      <freebsdpr>ports/214936</freebsdpr>
1914      <url>https://xenbits.xen.org/xsa/advisory-188.html</url>
1915    </references>
1916    <dates>
1917      <discovery>2016-09-08</discovery>
1918      <entry>2016-12-04</entry>
1919    </dates>
1920  </vuln>
1921
1922  <vuln vid="4aae54be-ba4d-11e6-ae1b-002590263bf5">
1923    <topic>xen-kernel -- x86 HVM: Overflow of sh_ctxt-&gt;seg_reg[]</topic>
1924    <affects>
1925      <package>
1926	<name>xen-kernel</name>
1927	<range><lt>4.7.1</lt></range>
1928      </package>
1929    </affects>
1930    <description>
1931      <body xmlns="http://www.w3.org/1999/xhtml">
1932	<p>The Xen Project reports:</p>
1933	<blockquote cite="https://xenbits.xen.org/xsa/advisory-187.html">
1934	  <p>x86 HVM guests running with shadow paging use a subset of the x86
1935	    emulator to handle the guest writing to its own pagetables. There
1936	    are situations a guest can provoke which result in exceeding the
1937	    space allocated for internal state.</p>
1938	  <p>A malicious HVM guest administrator can cause Xen to fail a bug
1939	    check, causing a denial of service to the host.</p>
1940	</blockquote>
1941      </body>
1942    </description>
1943    <references>
1944      <cvename>CVE-2016-7094</cvename>
1945      <freebsdpr>ports/214936</freebsdpr>
1946      <url>https://xenbits.xen.org/xsa/advisory-187.html</url>
1947    </references>
1948    <dates>
1949      <discovery>2016-09-08</discovery>
1950      <entry>2016-12-04</entry>
1951    </dates>
1952  </vuln>
1953
1954  <vuln vid="49211361-ba4d-11e6-ae1b-002590263bf5">
1955    <topic>xen-kernel -- x86: Mishandling of instruction pointer truncation during emulation</topic>
1956    <affects>
1957      <package>
1958	<name>xen-kernel</name>
1959	<range><eq>4.5.3</eq></range>
1960	<range><eq>4.6.3</eq></range>
1961	<range><ge>4.7.0</ge><lt>4.7.1</lt></range>
1962      </package>
1963    </affects>
1964    <description>
1965      <body xmlns="http://www.w3.org/1999/xhtml">
1966	<p>The Xen Project reports:</p>
1967	<blockquote cite="https://xenbits.xen.org/xsa/advisory-186.html">
1968	  <p>When emulating HVM instructions, Xen uses a small i-cache for
1969	    fetches from guest memory. The code that handles cache misses does
1970	    not check if the address from which it fetched lies within the cache
1971	    before blindly writing to it. As such it is possible for the guest
1972	    to overwrite hypervisor memory.</p>
1973	  <p>It is currently believed that the only way to trigger this bug is
1974	    to use the way that Xen currently incorrectly wraps CS:IP in 16 bit
1975	    modes. The included patch prevents such wrapping.</p>
1976	  <p>A malicious HVM guest administrator can escalate their privilege to
1977	    that of the host.</p>
1978	</blockquote>
1979      </body>
1980    </description>
1981    <references>
1982      <cvename>CVE-2016-7093</cvename>
1983      <freebsdpr>ports/214936</freebsdpr>
1984      <url>https://xenbits.xen.org/xsa/advisory-186.html</url>
1985    </references>
1986    <dates>
1987      <discovery>2016-09-08</discovery>
1988      <entry>2016-12-04</entry>
1989    </dates>
1990  </vuln>
1991
1992  <vuln vid="45ca25b5-ba4d-11e6-ae1b-002590263bf5">
1993    <topic>xen-kernel -- x86: Disallow L3 recursive pagetable for 32-bit PV guests</topic>
1994    <affects>
1995      <package>
1996	<name>xen-kernel</name>
1997	<range><lt>4.7.1</lt></range>
1998      </package>
1999    </affects>
2000    <description>
2001      <body xmlns="http://www.w3.org/1999/xhtml">
2002	<p>The Xen Project reports:</p>
2003	<blockquote cite="https://xenbits.xen.org/xsa/advisory-185.html">
2004	  <p>On real hardware, a 32-bit PAE guest must leave the USER and RW bit
2005	    clear in L3 pagetable entries, but the pagetable walk behaves as if
2006	    they were set. (The L3 entries are cached in processor registers,
2007	    and don't actually form part of the pagewalk.)</p>
2008	  <p>When running a 32-bit PV guest on a 64-bit Xen, Xen must always OR
2009	    in the USER and RW bits for L3 updates for the guest to observe
2010	    architectural behaviour. This is unsafe in combination with
2011	    recursive pagetables.</p>
2012	  <p>As there is no way to construct an L3 recursive pagetable in native
2013	    32-bit PAE mode, disallow this option in 32-bit PV guests.</p>
2014	  <p>A malicious 32-bit PV guest administrator can escalate their
2015	    privilege to that of the host.</p>
2016	</blockquote>
2017      </body>
2018    </description>
2019    <references>
2020      <cvename>CVE-2016-7092</cvename>
2021      <freebsdpr>ports/214936</freebsdpr>
2022      <url>https://xenbits.xen.org/xsa/advisory-185.html</url>
2023    </references>
2024    <dates>
2025      <discovery>2016-09-08</discovery>
2026      <entry>2016-12-04</entry>
2027    </dates>
2028  </vuln>
2029
2030  <vuln vid="7fff2b16-b0ee-11e6-86b8-589cfc054129">
2031    <topic>wireshark -- multiple vulnerabilities</topic>
2032    <affects>
2033      <package>
	<name>tshark</name>
	<range><lt>2.2.2</lt></range>
      </package>
      <package>
	<name>tshark-lite</name>
	<range><lt>2.2.2</lt></range>
      </package>
      <package>
	<name>wireshark</name>
	<range><lt>2.2.2</lt></range>
      </package>
      <package>
	<name>wireshark-lite</name>
	<range><lt>2.2.2</lt></range>
      </package>
      <package>
	<name>wireshark-qt5</name>
	<range><lt>2.2.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The Wireshark project reports:</p>
	<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.2.2.html">
	  <p>The Wireshark project is releasing Wireshark 2.2.2, which addresses:</p>
	  <ul>
	    <li>wnpa-sec-2016-58: Profinet I/O long loop - CVE-2016-9372</li>
	    <li>wnpa-sec-2016-59: AllJoyn crash - CVE-2016-9374</li>
	    <li>wnpa-sec-2016-60: OpenFlow crash - CVE-2016-9376</li>
	    <li>wnpa-sec-2016-61: DCERPC crash - CVE-2016-9373</li>
	    <li>wnpa-sec-2016-62: DTN infinite loop - CVE-2016-9375</li>
	  </ul>
	</blockquote>
2067      </body>
2068    </description>
2069    <references>
2070      <url>https://www.wireshark.org/docs/relnotes/wireshark-2.2.2.html</url>
2071      <cvename>CVE-2016-9372</cvename>
2072      <cvename>CVE-2016-9373</cvename>
2073      <cvename>CVE-2016-9374</cvename>
2074      <cvename>CVE-2016-9375</cvename>
2075      <cvename>CVE-2016-9376</cvename>
2076    </references>
2077    <dates>
2078      <discovery>2016-11-16</discovery>
2079      <entry>2016-12-01</entry>
2080    </dates>
2081  </vuln>
2082
2083  <vuln vid="18f39fb6-7400-4063-acaf-0806e92c094f">
2084    <topic>Mozilla -- SVG Animation Remote Code Execution</topic>
2085    <affects>
2086      <package>
2087	<name>firefox</name>
2088	<range><lt>50.0.2,1</lt></range>
2089      </package>
2090      <package>
2091	<name>firefox-esr</name>
2092	<range><lt>45.5.1,1</lt></range>
2093      </package>
2094      <package>
2095	<name>linux-firefox</name>
2096	<range><lt>45.5.1,2</lt></range>
2097      </package>
2098      <package>
2099	<name>seamonkey</name>
2100	<range><lt>2.46</lt></range>
2101      </package>
2102      <package>
2103	<name>linux-seamonkey</name>
2104	<range><lt>2.46</lt></range>
2105      </package>
2106      <package>
2107	<name>libxul</name>
2108	<range><lt>45.5.1</lt></range>
2109      </package>
2110      <package>
2111	<name>thunderbird</name>
2112	<range><lt>45.5.1</lt></range>
2113      </package>
2114      <package>
2115	<name>linux-thunderbird</name>
2116	<range><lt>45.5.1</lt></range>
2117      </package>
2118    </affects>
2119    <description>
2120      <body xmlns="http://www.w3.org/1999/xhtml">
2121	<p>The Mozilla Foundation reports:</p>
2122	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/">
2123	  <p>A use-after-free vulnerability in SVG Animation has been
2124	     discovered. An exploit built on this vulnerability has been
2125	     discovered in the wild targeting Firefox and Tor Browser
2126	     users on Windows.</p>
2127	</blockquote>
2128      </body>
2129    </description>
2130    <references>
2131      <cvename>CVE-2016-9079</cvename>
2132      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/</url>
2133    </references>
2134    <dates>
2135      <discovery>2016-11-30</discovery>
2136      <entry>2016-12-01</entry>
2137      <modified>2016-12-16</modified>
2138    </dates>
2139  </vuln>
2140
2141  <vuln vid="479c5b91-b6cc-11e6-a04e-3417eb99b9a0">
2142    <topic>wget -- Access List Bypass / Race Condition</topic>
2143    <affects>
2144      <package>
2145	<name>wget</name>
2146	<range><le>1.17</le></range>
2147      </package>
2148    </affects>
2149    <description>
2150      <body xmlns="http://www.w3.org/1999/xhtml">
2151	<p>Dawid Golunski reports:</p>
2152	<blockquote cite="https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html">
2153	  <p>GNU wget in version 1.17 and earlier, when used in
2154	    mirroring/recursive mode, is affected by a Race Condition
2155	    vulnerability that might allow remote attackers to bypass intended
2156	    wget access list restrictions specified with -A parameter.
2157	  </p>
2158	</blockquote>
2159      </body>
2160    </description>
2161    <references>
2162      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098</url>
2163      <cvename>CVE-2016-7098</cvename>
2164    </references>
2165    <dates>
2166      <discovery>2016-11-24</discovery>
2167      <entry>2016-11-30</entry>
2168    </dates>
2169  </vuln>
2170
2171  <vuln vid="48e83187-b6e9-11e6-b6cf-5453ed2e2b49">
2172    <topic>p7zip -- Null pointer dereference</topic>
2173    <affects>
2174      <package>
2175	<name>p7zip</name>
2176	<range><lt>15.14_2</lt></range>
2177      </package>
2178    </affects>
2179    <description>
2180      <body xmlns="http://www.w3.org/1999/xhtml">
2181	<p>MITRE reports:</p>
2182	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9296">
2183	  <p>A null pointer dereference bug affects the 16.02 and many old
2184	    versions of p7zip. A lack of null pointer check for the variable
2185	    <code>folders.PackPositions</code> in function
2186	    <code>CInArchive::ReadAndDecodePackedStreams</code>, as used in
2187	    the 7z.so library and in 7z applications, will cause a crash and a
2188	    denial of service when decoding malformed 7z files.</p>
2189	</blockquote>
2190      </body>
2191    </description>
2192    <references>
2193      <cvename>CVE-2016-9296</cvename>
2194      <url>https://sourceforge.net/p/p7zip/discussion/383043/thread/648d34db/</url>
2195      <url>https://sourceforge.net/p/p7zip/bugs/185/</url>
2196      <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9296</url>
2197    </references>
2198    <dates>
2199      <discovery>2016-07-17</discovery>
2200      <entry>2016-11-30</entry>
2201    </dates>
2202  </vuln>
2203
2204  <vuln vid="ac256985-b6a9-11e6-a3bf-206a8a720317">
    <topic>subversion -- Unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s)</topic>
2206    <affects>
2207      <package>
2208	<name>subversion18</name>
2209	<range><lt>1.8.17</lt></range>
2210      </package>
2211      <package>
2212	<name>subversion</name>
2213	<range><lt>1.9.5</lt></range>
2214      </package>
2215    </affects>
2216    <description>
2217      <body xmlns="http://www.w3.org/1999/xhtml">
2218	<p>The Apache Software Foundation reports:</p>
2219	<blockquote cite="http://subversion.apache.org/security/CVE-2016-8734-advisory.txt">
	  <p>The mod_dontdothat module of subversion and subversion clients using
	  http(s):// are vulnerable to a denial-of-service attack, caused by
	  exponential XML entity expansion. The attack targets XML parsers
	  causing the targeted process to consume excessive amounts of resources.
	  The attack is also known as the "billions of laughs attack."</p>
2225	</blockquote>
2226      </body>
2227    </description>
2228    <references>
2229      <url>http://subversion.apache.org/security/CVE-2016-8734-advisory.txt</url>
2230      <cvename>CVE-2016-8734</cvename>
2231    </references>
2232    <dates>
2233      <discovery>2016-11-29</discovery>
2234      <entry>2016-11-29</entry>
2235    </dates>
2236  </vuln>
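The attack named above works because the parser expands nested general entities before anything downstream can object, and ten levels of ten references each already amount to a billion copies of the innermost string. The added example below (editor's code, not Subversion's) estimates the expanded body size of a document from its entity declarations without performing the expansion, memoising each entity so an exponential payload is costed in linear time, and uses that estimate as a gate in front of whatever XML parser is in use. The payload builder and the benign document are constructed for the example; the simple regex handling of the internal subset is an intentional simplification.

```python
import re

ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
REF_RE = re.compile(r"&(\w+);")


def expanded_size(doc: str) -> int:
    """Characters the document body would occupy once every general entity reference
    is expanded, computed without expanding anything.

    Each entity's expanded size is memoised, so costing an exponential payload takes
    time proportional to the number of references in the declarations, not to the
    expanded size. Recursive definitions (illegal XML) are reported as an error.
    """
    declared = dict(ENTITY_RE.findall(doc))
    memo = {}

    def size_of(text: str, in_progress: frozenset) -> int:
        total, pos = 0, 0
        for m in REF_RE.finditer(text):
            total += m.start() - pos
            pos = m.end()
            name = m.group(1)
            if name in declared:
                if name in in_progress:
                    raise ValueError(f"recursive entity {name!r}")
                if name not in memo:
                    memo[name] = size_of(declared[name], in_progress | {name})
                total += memo[name]
            else:
                total += m.end() - m.start()  # predefined (&amp;) or undeclared: left as-is
        return total + len(text) - pos

    # The body is everything after the internal subset. Simplification for this example:
    # a quoted entity value that itself contains ']>' would confuse this split.
    body = doc[doc.index("]>") + 2:] if "]>" in doc else doc
    return size_of(body, frozenset())


def exceeds_limit(doc: str, limit: int = 10 * 1024 * 1024) -> bool:
    """Pre-parse gate: refuse documents whose expanded body would exceed `limit` characters."""
    return expanded_size(doc) > limit


def billion_laughs(depth: int = 9, fanout: int = 10) -> str:
    """Construct the classic exponential payload: lolN is `fanout` references to lol(N-1)."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        decls.append(f'<!ENTITY lol{i} "{"&lol%d;" % (i - 1) * fanout}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls) +
            f"\n]>\n<lolz>&lol{depth};</lolz>")


# Constructed benign document with one small, legitimately used entity.
BENIGN = '<!DOCTYPE d [<!ENTITY co "Example Co">]><d>&co; &amp; &co;</d>'

if __name__ == "__main__":
    payload = billion_laughs()
    print(f"payload is {len(payload)} chars on the wire, "
          f"{expanded_size(payload):,} chars expanded -> reject: {exceeds_limit(payload)}")
    print(f"benign expands to {expanded_size(BENIGN)} chars -> reject: {exceeds_limit(BENIGN)}")
```

The estimator is a front gate, not a replacement for a parser that enforces expansion limits itself; it buys the ability to refuse the document before any memory is committed, which is the property the affected Subversion components lacked.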
2237
2238  <vuln vid="18449f92-ab39-11e6-8011-005056925db4">
2239    <topic>libwww -- multiple vulnerabilities</topic>
2240    <affects>
2241      <package>
2242	<name>libwww</name>
2243	<range><lt>5.4.0_6</lt></range>
2244      </package>
2245    </affects>
2246    <description>
2247      <body xmlns="http://www.w3.org/1999/xhtml">
2248	<p>Mitre reports:</p>
2249	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3183">
2250	 <p>The HTBoundary_put_block function in HTBound.c for W3C libwww
2251	   (w3c-libwww) allows remote servers to cause a denial of service
2252	   (segmentation fault) via a crafted multipart/byteranges MIME message
2253	   that triggers an out-of-bounds read.</p>
2254	</blockquote>
2255	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560">
2256	 <p>The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
2257	   as used in the XML-Twig module for Perl, allows context-dependent
2258	   attackers to cause a denial of service (application crash) via an XML
2259	   document with malformed UTF-8 sequences that trigger a buffer
2260	   over-read, related to the doProlog function in lib/xmlparse.c, a
2261	   different vulnerability than CVE-2009-2625 and CVE-2009-3720.</p>
2262	</blockquote>
2263	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720">
2264	 <p>The updatePosition function in lib/xmltok_impl.c in libexpat in
2265	   Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other
2266	   software, allows context-dependent attackers to cause a denial of
2267	   service (application crash) via an XML document with crafted UTF-8
2268	   sequences that trigger a buffer over-read, a different vulnerability
2269	   than CVE-2009-2625.</p>
2270	</blockquote>
2271      </body>
2272    </description>
2273    <references>
2274      <bid>15035</bid>
2275      <cvename>CVE-2005-3183</cvename>
2276      <cvename>CVE-2009-3560</cvename>
2277      <cvename>CVE-2009-3720</cvename>
2278      <freebsdpr>ports/214546</freebsdpr>
2279      <url>https://bugzilla.redhat.com/show_bug.cgi?id=170518</url>
2280    </references>
2281    <dates>
2282      <discovery>2005-10-12</discovery>
2283      <entry>2016-11-29</entry>
2284    </dates>
2285  </vuln>
2286
2287  <vuln vid="f90fce70-ecfa-4f4d-9ee8-c476dbf4bf0e">
2288    <topic>mozilla -- data: URL can inherit wrong origin after an HTTP redirect</topic>
2289    <affects>
2290      <package>
2291	<name>firefox</name>
2292	<range><lt>50.0.1,1</lt></range>
2293      </package>
2294    </affects>
2295    <description>
2296      <body xmlns="http://www.w3.org/1999/xhtml">
2297	<p>The Mozilla Foundation reports:</p>
2298	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-91/">
2299	  <p>Redirection from an HTTP connection to a data: URL
2300	    assigns the referring site's origin to the data: URL in some
2301	    circumstances. This can result in same-origin violations
2302	    against a domain if it loads resources from malicious
2303	    sites. Cross-origin setting of cookies has been demonstrated
2304	    without the ability to read them.</p>
2305	</blockquote>
2306      </body>
2307    </description>
2308    <references>
2309      <cvename>CVE-2016-9078</cvename>
2310      <url>https://www.mozilla.org/security/advisories/mfsa2016-91/</url>
2311    </references>
2312    <dates>
2313      <discovery>2016-11-28</discovery>
2314      <entry>2016-11-29</entry>
2315    </dates>
2316  </vuln>
2317
2318  <vuln vid="125f5958-b611-11e6-a9a5-b499baebfeaf">
2319    <topic>Roundcube -- arbitrary command execution</topic>
2320    <affects>
2321      <package>
2322	<name>roundcube</name>
2323	<range><lt>1.2.3,1</lt></range>
2324      </package>
2325    </affects>
2326    <description>
2327      <body xmlns="http://www.w3.org/1999/xhtml">
2328	<p>The Roundcube project reports:</p>
2329	<blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-9920">
2330	  <p>steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before
2331	    1.2.3, when no SMTP server is configured and the sendmail program is
2332	    enabled, does not properly restrict the use of custom envelope-from
2333	    addresses on the sendmail command line, which allows remote
2334	    authenticated users to execute arbitrary code via a modified HTTP
2335	    request that sends a crafted e-mail message.</p>
2336	</blockquote>
2337      </body>
2338    </description>
2339    <references>
2340      <cvename>CVE-2016-9920</cvename>
2341      <bid>94858</bid>
2342      <url>http://www.openwall.com/lists/oss-security/2016/12/08/17</url>
2343      <url>https://github.com/roundcube/roundcubemail/wiki/Changelog#release-123</url>
2344    </references>
2345    <dates>
2346      <discovery>2016-11-29</discovery>
2347      <entry>2016-11-29</entry>
2348      <modified>2016-12-14</modified>
2349    </dates>
2350  </vuln>
2351
2352  <vuln vid="8db24888-b2f5-11e6-8153-00248c0c745d">
2353    <topic>Drupal Core -- Multiple Vulnerabilities</topic>
2354    <affects>
2355      <package>
2356	<name>drupal7</name>
2357	<range><ge>7.0</ge><lt>7.52</lt></range>
2358      </package>
2359      <package>
2360	<name>drupal8</name>
2361	<range><ge>8.0.0</ge><lt>8.2.3</lt></range>
2362      </package>
2363    </affects>
2364    <description>
2365      <body xmlns="http://www.w3.org/1999/xhtml">
2366	<p>The Drupal development team reports:</p>
2367	<blockquote cite="https://www.drupal.org/SA-CORE-2016-005">
2368	  <h3>Inconsistent name for term access query (Less critical - Drupal
2369	    7 and Drupal 8)</h3>
2370	  <p>Drupal provides a mechanism to alter database SELECT queries before
2371	    they are executed. Contributed and custom modules may use this
2372	    mechanism to restrict access to certain entities by implementing
2373	    hook_query_alter() or hook_query_TAG_alter() in order to add
2374	    additional conditions. Queries can be distinguished by means of
2375	    query tags. As the documentation on EntityFieldQuery::addTag()
2376	    suggests, access-tags on entity queries normally follow the form
2377	    ENTITY_TYPE_access (e.g. node_access). However, the taxonomy
2378	    module's access query tag predated this system and used term_access
2379	    as the query tag instead of taxonomy_term_access.</p>
2380	  <p>As a result, before this security release modules wishing to
2381	    restrict access to taxonomy terms may have implemented an
2382	    unsupported tag, or needed to look for both tags (term_access and
2383	    taxonomy_term_access) in order to be compatible with queries
2384	    generated both by Drupal core as well as those generated by
2385	    contributed modules like Entity Reference. Otherwise information
2386	    on taxonomy terms might have been disclosed to unprivileged users.
2387	    </p>
2388	  <h3>Incorrect cache context on password reset page (Less critical -
2389	    Drupal 8)</h3>
2390	  <p>The user password reset form does not specify a proper cache
2391	    context, which can lead to cache poisoning and unwanted content on
2392	    the page.</p>
2393	  <h3>Confirmation forms allow external URLs to be injected (Moderately
2394	    critical - Drupal 7)</h3>
2395	  <p>Under certain circumstances, malicious users could construct a URL
2396	    to a confirmation form that would trick users into being redirected
2397	    to a 3rd party website after interacting with the form, thereby
2398	    exposing the users to potential social engineering attacks.</p>
2399	  <h3>Denial of service via transliterate mechanism (Moderately critical
2400	    - Drupal 8)</h3>
2401	  <p>A specially crafted URL can cause a denial of service via the
2402	    transliterate mechanism.</p>
2403	</blockquote>
2404      </body>
2405    </description>
2406    <references>
2407      <cvename>CVE-2016-9449</cvename>
2408      <cvename>CVE-2016-9450</cvename>
2409      <cvename>CVE-2016-9451</cvename>
2410      <cvename>CVE-2016-9452</cvename>
2411    </references>
2412    <dates>
2413      <discovery>2016-11-16</discovery>
2414      <entry>2016-11-25</entry>
2415      <modified>2016-11-27</modified>
2416    </dates>
2417  </vuln>
2418
2419  <vuln vid="6fe72178-b2e3-11e6-8b2a-6805ca0b3d42">
2420    <topic>phpMyAdmin -- multiple vulnerabilities</topic>
2421    <affects>
2422      <package>
2423	<name>phpMyAdmin</name>
2424	<range><ge>4.6.0</ge><lt>4.6.5</lt></range>
2425      </package>
2426    </affects>
2427    <description>
2428      <body xmlns="http://www.w3.org/1999/xhtml">
2429	<p>Please reference CVE/URL list for details</p>
2430      </body>
2431    </description>
2432    <references>
2433      <url>https://www.phpmyadmin.net/security/PMASA-2016-57/</url>
2434      <url>https://www.phpmyadmin.net/security/PMASA-2016-58/</url>
2435      <url>https://www.phpmyadmin.net/security/PMASA-2016-59/</url>
2436      <url>https://www.phpmyadmin.net/security/PMASA-2016-60/</url>
2437      <url>https://www.phpmyadmin.net/security/PMASA-2016-61/</url>
2438      <url>https://www.phpmyadmin.net/security/PMASA-2016-62/</url>
2439      <url>https://www.phpmyadmin.net/security/PMASA-2016-63/</url>
2440      <url>https://www.phpmyadmin.net/security/PMASA-2016-64/</url>
2441      <url>https://www.phpmyadmin.net/security/PMASA-2016-65/</url>
2442      <url>https://www.phpmyadmin.net/security/PMASA-2016-66/</url>
2443      <url>https://www.phpmyadmin.net/security/PMASA-2016-67/</url>
2444      <url>https://www.phpmyadmin.net/security/PMASA-2016-68/</url>
2445      <url>https://www.phpmyadmin.net/security/PMASA-2016-69/</url>
2446      <url>https://www.phpmyadmin.net/security/PMASA-2016-70/</url>
2447      <url>https://www.phpmyadmin.net/security/PMASA-2016-71/</url>
2448      <cvename>CVE-2016-6632</cvename>
2449      <cvename>CVE-2016-6633</cvename>
2450      <cvename>CVE-2016-4412</cvename>
2451    </references>
2452    <dates>
2453      <discovery>2016-11-25</discovery>
2454      <entry>2016-11-25</entry>
2455    </dates>
2456  </vuln>
2457
2458  <vuln vid="dc596a17-7a9e-11e6-b034-f0def167eeea">
2459    <topic>Remote code execution vulnerability in MySQL and its variants (CVE-2016-6662)</topic>
2460    <affects>
2461      <package>
2462	<name>mysql57-client</name>
2463	<name>mysql57-server</name>
2464	<range><lt>5.7.15</lt></range>
2465      </package>
2466      <package>
2467	<name>mysql56-client</name>
2468	<name>mysql56-server</name>
2469	<range><lt>5.6.33</lt></range>
2470      </package>
2471      <package>
2472	<name>mysql55-client</name>
2473	<name>mysql55-server</name>
2474	<range><lt>5.5.52</lt></range>
2475      </package>
2476    </affects>
2477    <description>
2478      <body xmlns="http://www.w3.org/1999/xhtml">
2479	<p>LegalHackers reports:</p>
2480	<blockquote cite="http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html">
2481	  <p>RCE Bugs discovered in MySQL and its variants like MariaDB.
2482	     It works by manipulating my.cnf files and using --malloc-lib.
2483	     The bug seems fixed in MySQL 5.7.15 by Oracle.</p>
2484	</blockquote>
2485      </body>
2486    </description>
2487    <references>
2488      <cvename>CVE-2016-6662</cvename>
2489      <url>http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html</url>
2490      <url>https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html</url>
    </references>
2491    <dates>
2492      <discovery>2016-09-12</discovery>
2493      <entry>2016-11-24</entry>
2494      <modified>2016-11-24</modified>
2495    </dates>
2496  </vuln>
2497
2498  <vuln vid="8db8d62a-b08b-11e6-8eba-d050996490d0">
2499    <topic>ntp -- multiple vulnerabilities</topic>
2500    <affects>
2501      <package>
2502	<name>ntp</name>
2503	<range><lt>4.2.8p9</lt></range>
2504      </package>
2505      <package>
2506	<name>ntp-devel</name>
2507	<range><gt>0</gt></range>
2508      </package>
2509    </affects>
2510    <description>
2511      <body xmlns="http://www.w3.org/1999/xhtml">
2512	<p>Network Time Foundation reports:</p>
2513	<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se">
2514	  <p>NTF's NTP Project is releasing ntp-4.2.8p9, which addresses:</p>
2515	  <ul>
2516	    <li>1 HIGH severity vulnerability that only affects Windows</li>
2517	    <li>2 MEDIUM severity vulnerabilities</li>
2518	    <li>2 MEDIUM/LOW severity vulnerabilities</li>
2519	    <li>5 LOW severity vulnerabilities</li>
2520	    <li>28 other non-security fixes and improvements</li>
2521	  </ul>
2522	  <p>All of the security issues in this release are listed in
2523	    <a href="http://www.kb.cert.org/vuls/id/633847">VU#633847</a>.</p>
2524	</blockquote>
2525      </body>
2526    </description>
2527    <references>
2528      <cvename>CVE-2016-7426</cvename>
2529      <cvename>CVE-2016-7427</cvename>
2530      <cvename>CVE-2016-7428</cvename>
2531      <cvename>CVE-2016-7429</cvename>
2532      <cvename>CVE-2016-7431</cvename>
2533      <cvename>CVE-2016-7433</cvename>
2534      <cvename>CVE-2016-7434</cvename>
2535      <cvename>CVE-2016-9310</cvename>
2536      <cvename>CVE-2016-9311</cvename>
2537      <cvename>CVE-2016-9312</cvename>
2538      <url>http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se</url>
2539      <url>http://www.kb.cert.org/vuls/id/633847</url>
2540    </references>
2541    <dates>
2542      <discovery>2016-11-21</discovery>
2543      <entry>2016-11-22</entry>
2544    </dates>
2545  </vuln>
2546
2547  <vuln vid="81fc7705-b002-11e6-b20a-14dae9d5a9d2">
2548    <topic>teeworlds -- Remote code execution</topic>
2549    <affects>
2550      <package>
2551	<name>teeworlds</name>
2552	<range><lt>0.6.4</lt></range>
2553      </package>
2554    </affects>
2555    <description>
2556      <body xmlns="http://www.w3.org/1999/xhtml">
2557	<p>Teeworlds project reports:</p>
2558	<blockquote cite="https://www.teeworlds.com/?page=news&amp;id=12086">
2559	  <p>Attacker controlled memory-writes and possibly arbitrary code
2560	    execution on the client, abusable by any server the client joins.</p>
2561	</blockquote>
2562      </body>
2563    </description>
2564    <references>
2565      <url>https://www.teeworlds.com/?page=news&amp;id=12086</url>
2566    </references>
2567    <dates>
2568      <discovery>2016-11-13</discovery>
2569      <entry>2016-11-21</entry>
2570    </dates>
2571  </vuln>
2572
2573  <vuln vid="27eee66d-9474-44a5-b830-21ec12a1c307">
2574    <topic>jenkins -- Remote code execution vulnerability in remoting module</topic>
2575    <affects>
2576      <package>
2577	<name>jenkins</name>
2578	<range><le>2.31</le></range>
2579      </package>
2580      <package>
2581	<name>jenkins-lts</name>
2582	<range><le>2.19.2</le></range>
2583      </package>
2584    </affects>
2585    <description>
2586      <body xmlns="http://www.w3.org/1999/xhtml">
2587	<p>Jenkins Security Advisory:</p>
2588	<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16">
2589	  <p>An unauthenticated remote code execution vulnerability allowed
2590	    attackers to transfer a serialized Java object to the Jenkins CLI,
2591	    making Jenkins connect to an attacker-controlled LDAP server, which
2592	    in turn can send a serialized payload leading to code execution,
2593	    bypassing existing protection mechanisms.</p>
2594	</blockquote>
2595      </body>
2596    </description>
2597    <references>
2598      <cvename>CVE-2016-9299</cvename>
2599      <url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16</url>
2600    </references>
2601    <dates>
2602      <discovery>2016-11-11</discovery>
2603      <entry>2016-11-16</entry>
2604    </dates>
2605  </vuln>
2606
2607  <vuln vid="f6565fbf-ab9e-11e6-ae1b-002590263bf5">
2608    <topic>moodle -- multiple vulnerabilities</topic>
2609    <affects>
2610      <package>
2611	<name>moodle29</name>
2612	<range><lt>2.9.9</lt></range>
2613      </package>
2614      <package>
2615	<name>moodle30</name>
2616	<range><lt>3.0.7</lt></range>
2617      </package>
2618      <package>
2619	<name>moodle31</name>
2620	<range><lt>3.1.3</lt></range>
2621      </package>
2622    </affects>
2623    <description>
2624      <body xmlns="http://www.w3.org/1999/xhtml">
2625	<p>Marina Glancy reports:</p>
2626	<blockquote cite="https://moodle.org/security/">
2627	  <ul>
2628	    <li><p>MSA-16-0023: Question engine allows access to files that
2629	    should not be available</p></li>
2630	    <li><p>MSA-16-0024: Non-admin site managers may accidentally edit
2631	    admins via web services</p></li>
2632	    <li><p>MSA-16-0025: Capability to view course notes is checked in
2633	    the wrong context</p></li>
2634	    <li><p>MSA-16-0026: When debugging is enabled, error exceptions
2635	    returned from webservices could contain private data</p></li>
2636	  </ul>
2637	</blockquote>
2638      </body>
2639    </description>
2640    <references>
2641      <cvename>CVE-2016-8642</cvename>
2642      <cvename>CVE-2016-8643</cvename>
2643      <cvename>CVE-2016-8644</cvename>
2644      <url>https://moodle.org/security/</url>
2645    </references>
2646    <dates>
2647      <discovery>2016-11-14</discovery>
2648      <entry>2016-11-16</entry>
2649      <modified>2016-11-27</modified>
2650    </dates>
2651  </vuln>
2652
2653  <vuln vid="ab02f981-ab9e-11e6-ae1b-002590263bf5">
2654    <topic>moodle -- multiple vulnerabilities</topic>
2655    <affects>
2656      <package>
2657	<name>moodle29</name>
2658	<range><lt>2.9.8</lt></range>
2659      </package>
2660      <package>
2661	<name>moodle30</name>
2662	<range><lt>3.0.6</lt></range>
2663      </package>
2664      <package>
2665	<name>moodle31</name>
2666	<range><lt>3.1.2</lt></range>
2667      </package>
2668    </affects>
2669    <description>
2670      <body xmlns="http://www.w3.org/1999/xhtml">
2671	<p>Marina Glancy reports:</p>
2672	<blockquote cite="https://moodle.org/security/">
2673	  <ul>
2674	    <li><p>MSA-16-0022: Web service tokens should be invalidated when
2675	    the user password is changed or forced to be changed.</p></li>
2676	  </ul>
2677	</blockquote>
2678      </body>
2679    </description>
2680    <references>
2681      <cvename>CVE-2016-7038</cvename>
2682      <url>https://moodle.org/security/</url>
2683    </references>
2684    <dates>
2685      <discovery>2016-09-12</discovery>
2686      <entry>2016-11-16</entry>
2687    </dates>
2688  </vuln>
2689
2690  <vuln vid="d1853110-07f4-4645-895b-6fd462ad0589">
2691    <topic>mozilla -- multiple vulnerabilities</topic>
2692    <affects>
2693      <package>
2694	<name>firefox</name>
2695	<range><lt>50.0_1,1</lt></range>
2696      </package>
2697      <package>
2698	<name>seamonkey</name>
2699	<name>linux-seamonkey</name>
2700	<range><lt>2.47</lt></range>
2701      </package>
2702      <package>
2703	<name>firefox-esr</name>
2704	<range><lt>45.5.0,1</lt></range>
2705      </package>
2706      <package>
2707	<name>linux-firefox</name>
2708	<range><lt>45.5.0,2</lt></range>
2709      </package>
2710      <package>
2711	<name>libxul</name>
2712	<name>thunderbird</name>
2713	<name>linux-thunderbird</name>
2714	<range><lt>45.5.0</lt></range>
2715      </package>
2716    </affects>
2717    <description>
2718      <body xmlns="http://www.w3.org/1999/xhtml">
2719	<p>Mozilla Foundation reports:</p>
2720	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/">
2721	  <p>Please reference CVE/URL list for details</p>
2722	</blockquote>
2723      </body>
2724    </description>
2725    <references>
2726      <cvename>CVE-2016-5289</cvename>
2727      <cvename>CVE-2016-5290</cvename>
2728      <cvename>CVE-2016-5291</cvename>
2729      <cvename>CVE-2016-5292</cvename>
2730      <cvename>CVE-2016-5293</cvename>
2731      <cvename>CVE-2016-5294</cvename>
2732      <cvename>CVE-2016-5295</cvename>
2733      <cvename>CVE-2016-5296</cvename>
2734      <cvename>CVE-2016-5297</cvename>
2735      <cvename>CVE-2016-5298</cvename>
2736      <cvename>CVE-2016-5299</cvename>
2737      <cvename>CVE-2016-9061</cvename>
2738      <cvename>CVE-2016-9062</cvename>
2739      <cvename>CVE-2016-9063</cvename>
2740      <cvename>CVE-2016-9064</cvename>
2741      <cvename>CVE-2016-9065</cvename>
2742      <cvename>CVE-2016-9066</cvename>
2743      <cvename>CVE-2016-9067</cvename>
2744      <cvename>CVE-2016-9068</cvename>
2745      <cvename>CVE-2016-9070</cvename>
2746      <cvename>CVE-2016-9071</cvename>
2747      <cvename>CVE-2016-9072</cvename>
2748      <cvename>CVE-2016-9073</cvename>
2749      <cvename>CVE-2016-9074</cvename>
2750      <cvename>CVE-2016-9075</cvename>
2751      <cvename>CVE-2016-9076</cvename>
2752      <cvename>CVE-2016-9077</cvename>
2753      <url>https://www.mozilla.org/security/advisories/mfsa2016-89/</url>
2754      <url>https://www.mozilla.org/security/advisories/mfsa2016-90/</url>
2755    </references>
2756    <dates>
2757      <discovery>2016-11-15</discovery>
2758      <entry>2016-11-16</entry>
2759    </dates>
2760  </vuln>
2761
2762  <vuln vid="a8e9d834-a916-11e6-b9b4-bcaec524bf84">
2763    <topic>lives -- insecure files permissions</topic>
2764    <affects>
2765      <package>
2766	<name>lives</name>
2767	<range><lt>2.8.1</lt></range>
2768      </package>
2769    </affects>
2770    <description>
2771      <body xmlns="http://www.w3.org/1999/xhtml">
2772	<p>Debian reports:</p>
2773	<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756565">
2774	  <p>smogrify script creates insecure temporary files.</p>
2775	</blockquote>
2776	<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798043">
2777	  <p>lives creates and uses world-writable directory.</p>
2778	</blockquote>
2779      </body>
2780    </description>
2781    <references>
2782      <url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756565</url>
2783      <url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798043</url>
2784    </references>
2785    <dates>
2786      <discovery>2016-07-30</discovery>
2787      <entry>2016-11-12</entry>
2788    </dates>
2789  </vuln>
2790
2791  <vuln vid="50751310-a763-11e6-a881-b499baebfeaf">
2792    <topic>openssl -- multiple vulnerabilities</topic>
2793    <affects>
2794      <package>
2795	<name>openssl-devel</name>
2796	<range><lt>1.1.0c</lt></range>
2797      </package>
2798    </affects>
2799    <description>
2800      <body xmlns="http://www.w3.org/1999/xhtml">
2801	<p>OpenSSL reports:</p>
2802	<blockquote cite="https://www.openssl.org/news/secadv/20161110.txt">
2803	  <ul>
2804	    <li>ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)<br/>
2805	      Severity: High<br/>
2806	      TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS
2807	      attack by corrupting larger payloads. This can result in an OpenSSL crash. This
2808	      issue is not considered to be exploitable beyond a DoS.</li>
2809	    <li>CMS Null dereference (CVE-2016-7053)<br/>
2810	      Severity: Medium<br/>
2811	      Applications parsing invalid CMS structures can crash with a NULL pointer
2812	      dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type
2813	      in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure
2814	      callback if an attempt is made to free certain invalid encodings. Only CHOICE
2815	      structures using a callback which do not handle NULL value are affected.</li>
2816	    <li>Montgomery multiplication may produce incorrect results (CVE-2016-7055)<br/>
2817	      Severity: Low<br/>
2818	      There is a carry propagating bug in the Broadwell-specific Montgomery
2819	      multiplication procedure that handles input lengths divisible by, but
2820	      longer than 256 bits.</li>
2821	  </ul>
2822	</blockquote>
2823      </body>
2824    </description>
2825    <references>
2826      <url>https://www.openssl.org/news/secadv/20161110.txt</url>
2827      <cvename>CVE-2016-7054</cvename>
2828      <cvename>CVE-2016-7053</cvename>
2829      <cvename>CVE-2016-7055</cvename>
2830    </references>
2831    <dates>
2832      <discovery>2016-11-10</discovery>
2833      <entry>2016-11-10</entry>
2834      <modified>2016-11-11</modified>
2835    </dates>
2836  </vuln>
2837
2838  <vuln vid="a3473f5a-a739-11e6-afaa-e8e0b747a45a">
2839    <topic>chromium -- multiple vulnerabilities</topic>
2840    <affects>
2841      <package>
2842	<name>chromium</name>
2843	<name>chromium-npapi</name>
2844	<name>chromium-pulse</name>
2845	<range><lt>54.0.2840.100</lt></range>
2846      </package>
2847    </affects>
2848    <description>
2849      <body xmlns="http://www.w3.org/1999/xhtml">
2850	<p>Google Chrome Releases reports:</p>
2851	<blockquote cite="https://googlechromereleases.blogspot.nl/2016/11/stable-channel-update-for-desktop_9.html">
2852	  <p>4 security fixes in this release, including:</p>
2853	  <ul>
2854	    <li>[643948] High CVE-2016-5199: Heap corruption in FFmpeg. Credit to
2855	      Paul Mehta</li>
2856	    <li>[658114] High CVE-2016-5200: Out of bounds memory access in V8. Credit to
2857	      Choongwoo Han</li>
2858	    <li>[660678] Medium CVE-2016-5201: Info leak in extensions. Credit to
2859	      Rob Wu</li>
2860	    <li>[662843] CVE-2016-5202: Various fixes from internal audits,
2861	      fuzzing and other initiatives</li>
2862	  </ul>
2863	</blockquote>
2864      </body>
2865    </description>
2866    <references>
2867      <cvename>CVE-2016-5199</cvename>
2868      <cvename>CVE-2016-5200</cvename>
2869      <cvename>CVE-2016-5201</cvename>
2870      <cvename>CVE-2016-5202</cvename>
2871      <url>https://googlechromereleases.blogspot.nl/2016/11/stable-channel-update-for-desktop_9.html</url>
2872    </references>
2873    <dates>
2874      <discovery>2016-11-09</discovery>
2875      <entry>2016-11-10</entry>
2876    </dates>
2877  </vuln>
2878
2879  <vuln vid="96f6bf10-a731-11e6-95ca-0011d823eebd">
2880    <topic>flash -- multiple vulnerabilities</topic>
2881    <affects>
2882      <package>
2883	<name>linux-c6-flashplugin</name>
2884	<name>linux-c7-flashplugin</name>
2885	<name>linux-f10-flashplugin</name>
2886	<range><lt>11.2r202.644</lt></range>
2887      </package>
2888    </affects>
2889    <description>
2890      <body xmlns="http://www.w3.org/1999/xhtml">
2891	<p>Adobe reports:</p>
2892	<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-37.html">
2893	  <ul>
2894	    <li>These updates resolve type confusion vulnerabilities that
2895	       could lead to code execution (CVE-2016-7860, CVE-2016-7861,
2896	       CVE-2016-7865).</li>
2897	    <li>These updates resolve use-after-free vulnerabilities that
2898	       could lead to code execution (CVE-2016-7857, CVE-2016-7858,
2899	       CVE-2016-7859, CVE-2016-7862, CVE-2016-7863, CVE-2016-7864).</li>
2900	  </ul>
2901	</blockquote>
2902      </body>
2903    </description>
2904    <references>
2905      <url>https://helpx.adobe.com/security/products/flash-player/apsb16-37.html</url>
2906      <cvename>CVE-2016-7857</cvename>
2907      <cvename>CVE-2016-7858</cvename>
2908      <cvename>CVE-2016-7859</cvename>
2909      <cvename>CVE-2016-7860</cvename>
2910      <cvename>CVE-2016-7861</cvename>
2911      <cvename>CVE-2016-7862</cvename>
2912      <cvename>CVE-2016-7863</cvename>
2913      <cvename>CVE-2016-7864</cvename>
2914      <cvename>CVE-2016-7865</cvename>
2915    </references>
2916    <dates>
2917      <discovery>2016-11-08</discovery>
2918      <entry>2016-11-10</entry>
2919    </dates>
2920  </vuln>
2921
2922  <vuln vid="10968dfd-a687-11e6-b2d3-60a44ce6887b">
2923    <topic>gitlab -- Directory traversal via "import/export" feature</topic>
2924    <affects>
2925      <package>
2926	<name>gitlab</name>
2927	<range><ge>8.10.0</ge><le>8.10.12</le></range>
2928	<range><ge>8.11.0</ge><le>8.11.9</le></range>
2929	<range><ge>8.12.0</ge><le>8.12.7</le></range>
2930	<range><ge>8.13.0</ge><le>8.13.2</le></range>
2931      </package>
2932    </affects>
2933    <description>
2934      <body xmlns="http://www.w3.org/1999/xhtml">
2935	<p>GitLab reports:</p>
2936	<blockquote cite="https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/">
2937	  <p>The import/export feature did not properly check for symbolic links
2938	    in user-provided archives and therefore it was possible for an
2939	    authenticated user to retrieve the contents of any file
2940	    accessible to the GitLab service account. This included
2941	    sensitive files such as those that contain secret tokens used
2942	    by the GitLab service to authenticate users.</p>
2943	</blockquote>
2944      </body>
2945    </description>
2946    <references>
2947      <url>https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/</url>
2948      <cvename>CVE-2016-9086</cvename>
2949      <freebsdpr>ports/214360</freebsdpr>
2950    </references>
2951    <dates>
2952      <discovery>2016-11-02</discovery>
2953      <entry>2016-11-09</entry>
2954      <modified>2017-05-18</modified>
2955    </dates>
2956  </vuln>
2957
2958  <vuln vid="ae9cb9b8-a203-11e6-a265-3065ec8fd3ec">
2959    <topic>chromium -- out-of-bounds memory access</topic>
2960    <affects>
2961      <package>
2962	<name>chromium</name>
2963	<name>chromium-npapi</name>
2964	<name>chromium-pulse</name>
2965	<range><lt>54.0.2840.90</lt></range>
2966      </package>
2967    </affects>
2968    <description>
2969      <body xmlns="http://www.w3.org/1999/xhtml">
2970	<p>Google Chrome Releases reports:</p>
2971	<blockquote cite="https://googlechromereleases.blogspot.nl/2016/11/stable-channel-update-for-desktop.html">
2972	  <p>[659475] High CVE-2016-5198: Out of bounds memory access in V8.
2973	    Credit to Tencent Keen Security Lab, working with Trend Micro's
2974	    Zero Day Initiative.</p>
2975	</blockquote>
2976      </body>
2977    </description>
2978    <references>
2979      <cvename>CVE-2016-5198</cvename>
2980      <url>https://googlechromereleases.blogspot.nl/2016/11/stable-channel-update-for-desktop.html</url>
2981    </references>
2982    <dates>
2983      <discovery>2016-11-01</discovery>
2984      <entry>2016-11-03</entry>
2985    </dates>
2986  </vuln>
2987
2988  <vuln vid="0fcd3af0-a0fe-11e6-b1cf-14dae9d210b8">
2989    <topic>FreeBSD -- OpenSSL Remote DoS vulnerability</topic>
2990    <affects>
2991      <package>
2992	<name>FreeBSD</name>
2993	<range><ge>10.3</ge><lt>10.3_12</lt></range>
2994	<range><ge>10.2</ge><lt>10.2_25</lt></range>
2995	<range><ge>10.1</ge><lt>10.1_42</lt></range>
2996	<range><ge>9.3</ge><lt>9.3_50</lt></range>
2997      </package>
2998      <package>
2999	<name>openssl</name>
3000	<range><lt>1.0.2i,1</lt></range>
3001      </package>
3002      <package>
3003	<name>openssl-devel</name>
3004	<range><lt>1.1.0a</lt></range>
3005      </package>
3006      <package>
3007	<name>linux-c6-openssl</name>
3008	<range><lt>1.0.1e_13</lt></range>
3009      </package>
3010      <package>
3011	<name>linux-c7-openssl-libs</name>
3012	<range><lt>1.0.1e_3</lt></range>
3013      </package>
3014    </affects>
3015    <description>
3016      <body xmlns="http://www.w3.org/1999/xhtml">
3017	<h1>Problem Description:</h1>
3018	<p>Due to improper handling of alert packets, OpenSSL would
3019	consume an excessive amount of CPU time processing undefined
3020	alert messages.</p>
3021	<h1>Impact:</h1>
3022	<p>A remote attacker who can initiate handshakes with an
3023	OpenSSL based server can cause the server to consume a lot
3024	of computation power with very little bandwidth usage, and
3025	may be able to use this technique in a leveraged Denial of
3026	Service attack.</p>
3027      </body>
3028    </description>
3029    <references>
3030      <cvename>CVE-2016-8610</cvename>
3031      <freebsdsa>SA-16:35.openssl</freebsdsa>
3032      <url>http://seclists.org/oss-sec/2016/q4/224</url>
3033    </references>
3034    <dates>
3035      <discovery>2016-11-02</discovery>
3036      <entry>2016-11-02</entry>
3037      <modified>2017-02-22</modified>
3038    </dates>
3039  </vuln>
3040
3041  <vuln vid="cb116651-79db-4c09-93a2-c38f9df46724">
3042    <topic>django -- multiple vulnerabilities</topic>
3043    <affects>
3044      <package>
3045	<name>py27-django</name>
3046	<name>py33-django</name>
3047	<name>py34-django</name>
3048	<name>py35-django</name>
3049	<range><lt>1.8.16</lt></range>
3050      </package>
3051      <package>
3052	<name>py27-django18</name>
3053	<name>py33-django18</name>
3054	<name>py34-django18</name>
3055	<name>py35-django18</name>
3056	<range><lt>1.8.16</lt></range>
3057      </package>
3058      <package>
3059	<name>py27-django19</name>
3060	<name>py33-django19</name>
3061	<name>py34-django19</name>
3062	<name>py35-django19</name>
3063	<range><lt>1.9.11</lt></range>
3064      </package>
3065      <package>
3066	<name>py27-django110</name>
3067	<name>py33-django110</name>
3068	<name>py34-django110</name>
3069	<name>py35-django110</name>
3070	<range><lt>1.10.3</lt></range>
3071      </package>
3072    </affects>
3073    <description>
3074      <body xmlns="http://www.w3.org/1999/xhtml">
3075	<p>The Django project reports:</p>
3076	<blockquote cite="https://www.djangoproject.com/weblog/2016/nov/01/security-releases/">
3077	  <p>Today the Django team released Django 1.10.3, Django 1.9.11,
3078	    and 1.8.16. These releases address two security issues
3079	    detailed below. We encourage all users of Django to upgrade
3080	    as soon as possible.</p>
3081	  <ul>
3082	    <li>User with hardcoded password created when running tests on Oracle</li>
3083	    <li>DNS rebinding vulnerability when DEBUG=True</li>
3084	  </ul>
3085	</blockquote>
3086      </body>
3087    </description>
3088    <references>
3089      <url>https://www.djangoproject.com/weblog/2016/nov/01/security-releases/</url>
3090      <cvename>CVE-2016-9013</cvename>
3091      <cvename>CVE-2016-9014</cvename>
3092    </references>
3093    <dates>
3094      <discovery>2016-11-01</discovery>
3095      <entry>2016-11-02</entry>
3096    </dates>
3097  </vuln>
3098
3099  <vuln vid="765feb7d-a0d1-11e6-a881-b499baebfeaf">
3100    <topic>cURL -- multiple vulnerabilities</topic>
3101    <affects>
3102      <package>
3103	<name>curl</name>
3104	<range><ge>7.1</ge><lt>7.51.0</lt></range>
3105      </package>
3106    </affects>
3107    <description>
3108      <body xmlns="http://www.w3.org/1999/xhtml">
3109	<p>The cURL project reports:</p>
3110	<blockquote cite="https://curl.haxx.se/docs/security.html">
3111	  <ul>
3112	    <li>cookie injection for other servers</li>
3113	    <li>case insensitive password comparison</li>
3114	    <li>OOB write via unchecked multiplication</li>
3115	    <li>double-free in curl_maprintf</li>
3116	    <li>double-free in krb5 code</li>
3117	    <li>glob parser write/read out of bounds</li>
3118	    <li>curl_getdate read out of bounds</li>
3119	    <li>URL unescape heap overflow via integer truncation</li>
3120	    <li>Use-after-free via shared cookies</li>
3121	    <li>invalid URL parsing with '#'</li>
3122	    <li>IDNA 2003 makes curl use wrong host</li>
3123	  </ul>
3124	</blockquote>
3125      </body>
3126    </description>
3127    <references>
3128      <url>https://curl.haxx.se/docs/security.html</url>
3129      <cvename>CVE-2016-8615</cvename>
3130      <cvename>CVE-2016-8616</cvename>
3131      <cvename>CVE-2016-8617</cvename>
3132      <cvename>CVE-2016-8618</cvename>
3133      <cvename>CVE-2016-8619</cvename>
3134      <cvename>CVE-2016-8620</cvename>
3135      <cvename>CVE-2016-8621</cvename>
3136      <cvename>CVE-2016-8622</cvename>
3137      <cvename>CVE-2016-8623</cvename>
3138      <cvename>CVE-2016-8624</cvename>
3139      <cvename>CVE-2016-8625</cvename>
3140    </references>
3141    <dates>
3142      <discovery>2016-11-02</discovery>
3143      <entry>2016-11-02</entry>
3144    </dates>
3145  </vuln>
3146
3147  <vuln vid="0b8d01a4-a0d2-11e6-9ca2-d050996490d0">
3148    <topic>BIND -- Remote Denial of Service vulnerability</topic>
3149    <affects>
3150      <package>
3151	<name>bind99</name>
3152	<range><lt>9.9.9P4</lt></range>
3153      </package>
3154      <package>
3155	<name>bind910</name>
3156	<range><lt>9.10.4P4</lt></range>
3157      </package>
3158      <package>
3159	<name>bind911</name>
3160	<range><lt>9.11.0P1</lt></range>
3161      </package>
3162      <package>
3163	<name>bind9-devel</name>
3164	<range><le>9.12.0.a.2016.10.21</le></range>
3165      </package>
3166      <package>
3167	<name>FreeBSD</name>
3168	<range><ge>9.3</ge><lt>9.3_50</lt></range>
3169      </package>
3170    </affects>
3171    <description>
3172      <body xmlns="http://www.w3.org/1999/xhtml">
3173	<p>ISC reports:</p>
3174	<blockquote cite="https://kb.isc.org/article/AA-01434/">
	  <p>A defect in BIND's handling of responses containing
	    a DNAME answer can cause a resolver to exit after
	    encountering an assertion failure in db.c or
	    resolver.c.</p>
3179	</blockquote>
3180      </body>
3181    </description>
3182    <references>
3183      <cvename>CVE-2016-8864</cvename>
3184      <freebsdsa>SA-16:34.bind</freebsdsa>
3185      <url>https://kb.isc.org/article/AA-01434/</url>
3186    </references>
3187    <dates>
3188      <discovery>2016-11-01</discovery>
3189      <entry>2016-11-02</entry>
3190    </dates>
3191  </vuln>
3192
3193  <vuln vid="f4bf713f-6ac7-4b76-8980-47bf90c5419f">
3194    <topic>memcached -- multiple vulnerabilities</topic>
3195    <affects>
3196      <package>
3197	<name>memcached</name>
3198	<range><lt>1.4.33</lt></range>
3199      </package>
3200    </affects>
3201    <description>
3202      <body xmlns="http://www.w3.org/1999/xhtml">
3203	<p>Cisco Talos reports:</p>
3204	<blockquote cite="http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html">
3205	  <p>Multiple integer overflow vulnerabilities exist within Memcached
3206	    that could be exploited to achieve remote code execution on the
3207	    targeted system. These vulnerabilities manifest in various Memcached
3208	    functions that are used in inserting, appending, prepending, or
3209	    modifying key-value data pairs. Systems which also have Memcached
3210	    compiled with support for SASL authentication are also vulnerable to
3211	    a third flaw due to how Memcached handles SASL authentication
3212	    commands.</p>
3213	  <p>An attacker could exploit these vulnerabilities by sending a
3214	    specifically crafted Memcached command to the targeted server.
3215	    Additionally, these vulnerabilities could also be exploited to leak
3216	    sensitive process information which an attacker could use to bypass
3217	    common exploitation mitigations, such as ASLR, and can be triggered
3218	    multiple times. This enables reliable exploitation which makes these
3219	    vulnerabilities severe.</p>
3220	</blockquote>
3221      </body>
3222    </description>
3223    <references>
3224      <url>http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html</url>
3225      <cvename>CVE-2016-8704</cvename>
3226      <cvename>CVE-2016-8705</cvename>
3227      <cvename>CVE-2016-8706</cvename>
3228    </references>
3229    <dates>
3230      <discovery>2016-10-31</discovery>
3231      <entry>2016-11-02</entry>
3232    </dates>
3233  </vuln>
3234
3235  <vuln vid="9bc14850-a070-11e6-a881-b499baebfeaf">
3236    <topic>MySQL -- multiple vulnerabilities</topic>
3237    <affects>
3238      <package>
3239	<name>mariadb55-server</name>
3240	<name>mysql55-server</name>
3241	<range><lt>5.5.53</lt></range>
3242      </package>
3243      <package>
3244	<name>mysql56-server</name>
3245	<range><lt>5.6.34</lt></range>
3246      </package>
3247      <package>
3248	<name>mysql57-server</name>
3249	<range><lt>5.7.15</lt></range>
3250      </package>
3251    </affects>
3252    <description>
3253      <body xmlns="http://www.w3.org/1999/xhtml">
3254	<p>The MariaDB project reports:</p>
3255	<blockquote cite="https://mariadb.com/kb/en/mariadb/mariadb-5553-release-notes/">
3256	  <p>Fixes for the following security vulnerabilities:</p>
3257	  <ul>
3258	    <li>CVE-2016-7440</li>
3259	    <li>CVE-2016-5584</li>
3260	  </ul>
3261	</blockquote>
3262      </body>
3263    </description>
3264    <references>
3265      <url>https://mariadb.com/kb/en/mariadb/mariadb-5553-release-notes/</url>
3266      <cvename>CVE-2016-7440</cvename>
3267      <cvename>CVE-2016-5584</cvename>
3268    </references>
3269    <dates>
3270      <discovery>2016-10-17</discovery>
3271      <entry>2016-11-01</entry>
3272    </dates>
3273  </vuln>
3274
3275  <vuln vid="9118961b-9fa5-11e6-a265-3065ec8fd3ec">
3276    <topic>chromium -- multiple vulnerabilities</topic>
3277    <affects>
3278      <package>
3279	<name>chromium</name>
3280	<name>chromium-npapi</name>
3281	<name>chromium-pulse</name>
3282	<range><lt>54.0.2840.59</lt></range>
3283      </package>
3284    </affects>
3285    <description>
3286      <body xmlns="http://www.w3.org/1999/xhtml">
3287	<p>Google Chrome Releases reports:</p>
3288	<blockquote cite="https://googlechromereleases.blogspot.nl/2016/10/stable-channel-update-for-desktop.html">
3289	  <p>21 security fixes in this release, including:</p>
3290	  <ul>
3291	    <li>[645211] High CVE-2016-5181: Universal XSS in Blink. Credit to
3292	      Anonymous</li>
3293	    <li>[638615] High CVE-2016-5182: Heap overflow in Blink. Credit to
3294	      Giwan Go of STEALIEN</li>
3295	    <li>[645122] High CVE-2016-5183: Use after free in PDFium. Credit
3296	      to Anonymous</li>
3297	    <li>[630654] High CVE-2016-5184: Use after free in PDFium. Credit
3298	      to Anonymous</li>
3299	    <li>[621360] High CVE-2016-5185: Use after free in Blink. Credit to
3300	      cloudfuzzer</li>
3301	    <li>[639702] High CVE-2016-5187: URL spoofing. Credit to Luan
3302	      Herrera</li>
3303	    <li>[565760] Medium CVE-2016-5188: UI spoofing. Credit to Luan
3304	      Herrera</li>
3305	    <li>[633885] Medium CVE-2016-5192: Cross-origin bypass in Blink.
3306	      Credit to haojunhou@gmail.com</li>
3307	    <li>[646278] Medium CVE-2016-5189: URL spoofing. Credit to xisigr
3308	      of Tencent's Xuanwu Lab</li>
3309	    <li>[644963] Medium CVE-2016-5186: Out of bounds read in DevTools.
3310	      Credit to Abdulrahman Alqabandi (@qab)</li>
3311	    <li>[639126] Medium CVE-2016-5191: Universal XSS in Bookmarks.
3312	      Credit to Gareth Hughes</li>
3313	    <li>[642067] Medium CVE-2016-5190: Use after free in Internals.
3314	      Credit to Atte Kettunen of OUSPG</li>
3315	    <li>[639658] Low CVE-2016-5193: Scheme bypass. Credit to Yuyang
3316	      ZHOU (martinzhou96)</li>
3317	    <li>[654782] CVE-2016-5194: Various fixes from internal audits,
3318	      fuzzing and other initiatives</li>
3319	  </ul>
3320	</blockquote>
3321      </body>
3322    </description>
3323    <references>
3324      <cvename>CVE-2016-5181</cvename>
3325      <cvename>CVE-2016-5182</cvename>
3326      <cvename>CVE-2016-5183</cvename>
3327      <cvename>CVE-2016-5184</cvename>
3328      <cvename>CVE-2016-5185</cvename>
3329      <cvename>CVE-2016-5186</cvename>
3330      <cvename>CVE-2016-5187</cvename>
3331      <cvename>CVE-2016-5188</cvename>
3332      <cvename>CVE-2016-5189</cvename>
3333      <cvename>CVE-2016-5190</cvename>
3334      <cvename>CVE-2016-5191</cvename>
3335      <cvename>CVE-2016-5192</cvename>
3336      <cvename>CVE-2016-5193</cvename>
3337      <cvename>CVE-2016-5194</cvename>
3338      <url>https://googlechromereleases.blogspot.nl/2016/10/stable-channel-update-for-desktop.html</url>
3339    </references>
3340    <dates>
3341      <discovery>2016-10-12</discovery>
3342      <entry>2016-10-31</entry>
3343    </dates>
3344  </vuln>
3345
3346  <vuln vid="9c135c7e-9fa4-11e6-a265-3065ec8fd3ec">
3347    <topic>chromium -- multiple vulnerabilities</topic>
3348    <affects>
3349      <package>
3350	<name>chromium</name>
3351	<name>chromium-npapi</name>
3352	<name>chromium-pulse</name>
3353	<range><lt>53.0.2785.143</lt></range>
3354      </package>
3355    </affects>
3356    <description>
3357      <body xmlns="http://www.w3.org/1999/xhtml">
3358	<p>Google Chrome Releases reports:</p>
3359	<blockquote cite="https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_29.html">
3360	  <p>3 security fixes in this release, including:</p>
3361	  <ul>
3362	    <li>[642496] High CVE-2016-5177: Use after free in V8. Credit to
3363	      Anonymous</li>
	    <li>[651092] CVE-2016-5178: Various fixes from internal audits,
	      fuzzing and other initiatives.</li>
3366	  </ul>
3367	</blockquote>
3368      </body>
3369    </description>
3370    <references>
3371      <cvename>CVE-2016-5177</cvename>
3372      <cvename>CVE-2016-5178</cvename>
3373      <url>https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_29.html</url>
3374    </references>
3375    <dates>
3376      <discovery>2016-09-29</discovery>
3377      <entry>2016-10-31</entry>
3378    </dates>
3379  </vuln>
3380
3381  <vuln vid="6a2cfcdc-9dea-11e6-a298-14dae9d210b8">
3382    <topic>FreeBSD -- OpenSSH Remote Denial of Service vulnerability</topic>
3383    <affects>
3384      <package>
3385	<name>openssh-portable</name>
3386	<range><lt>7.3p1_1</lt></range>
3387      </package>
3388      <package>
3389	<name>FreeBSD</name>
3390	<range><ge>11.0</ge><lt>11.0_3</lt></range>
3391	<range><ge>10.3</ge><lt>10.3_12</lt></range>
3392      </package>
3393    </affects>
3394    <description>
3395      <body xmlns="http://www.w3.org/1999/xhtml">
3396	<h1>Problem Description:</h1>
	<p>When processing the SSH_MSG_KEXINIT message, the server
	could allocate up to a few hundred megabytes of memory
	per connection, before any authentication takes place.</p>
3400	<h1>Impact:</h1>
	<p>A remote attacker may be able to cause an SSH server to
	allocate an excessive amount of memory. Note that the default
	MaxStartups setting on FreeBSD will limit the effectiveness
	of this attack.</p>
3405      </body>
3406    </description>
3407    <references>
3408      <url>http://seclists.org/oss-sec/2016/q4/191</url>
3409      <cvename>CVE-2016-8858</cvename>
3410      <freebsdsa>SA-16:33.openssh</freebsdsa>
3411    </references>
3412    <dates>
3413      <discovery>2016-10-19</discovery>
3414      <entry>2016-10-29</entry>
3415      <modified>2016-11-02</modified>
3416    </dates>
3417  </vuln>
3418
3419  <vuln vid="2e4fbc9a-9d23-11e6-a298-14dae9d210b8">
3420    <topic>sudo -- Potential bypass of sudo_noexec.so via wordexp()</topic>
3421    <affects>
3422      <package>
3423	<name>sudo</name>
3424	<range><ge>1.6.8</ge><lt>1.8.18p1</lt></range>
3425      </package>
3426    </affects>
3427    <description>
3428      <body xmlns="http://www.w3.org/1999/xhtml">
3429	<p>Todd C. Miller reports:</p>
3430	<blockquote cite="https://www.sudo.ws/alerts/noexec_wordexp.html">
3431	  <p>A flaw exists in sudo's noexec functionality that may allow
3432	    a user with sudo privileges to run additional commands even when the
3433	    NOEXEC tag has been applied to a command that uses the wordexp()
3434	    function.</p>
3435	</blockquote>
3436      </body>
3437    </description>
3438    <references>
3439      <url>https://www.sudo.ws/alerts/noexec_wordexp.html</url>
3440      <cvename>CVE-2016-7076</cvename>
3441    </references>
3442    <dates>
3443      <discovery>2016-10-28</discovery>
3444      <entry>2016-10-28</entry>
3445    </dates>
3446  </vuln>
3447
3448  <vuln vid="ac18046c-9b08-11e6-8011-005056925db4">
3449    <topic>Axis2 -- Security vulnerabilities on dependency Apache HttpClient</topic>
3450    <affects>
3451      <package>
3452	<name>axis2</name>
3453	<range><lt>1.7.4</lt></range>
3454      </package>
3455    </affects>
3456    <description>
3457      <body xmlns="http://www.w3.org/1999/xhtml">
3458	<p>Apache Axis2 reports:</p>
3459	<blockquote cite="http://axis.apache.org/axis2/java/core/release-notes/1.7.4.html">
	  <p>Apache Axis2 1.7.4 is a maintenance release that includes fixes for
	    several issues, including the following security issues:</p>
	  <ul>
	    <li>Session fixation (AXIS2-4739) and XSS (AXIS2-5683) vulnerabilities
	      affecting the admin console.</li>
	    <li>A dependency on an Apache HttpClient version affected by known security
	      vulnerabilities (CVE-2012-6153 and CVE-2014-3577); see AXIS2-5757.</li>
	  </ul>
3466	</blockquote>
3467      </body>
3468    </description>
3469    <references>
3470      <url>http://axis.apache.org/axis2/java/core/release-notes/1.7.4.html</url>
3471      <url>https://issues.apache.org/jira/browse/AXIS2-4739</url>
3472      <url>https://issues.apache.org/jira/browse/AXIS2-5683</url>
3473      <url>https://issues.apache.org/jira/browse/AXIS2-5757</url>
3474      <cvename>CVE-2012-6153</cvename>
3475      <cvename>CVE-2014-3577</cvename>
3476    </references>
3477    <dates>
3478      <discovery>2012-12-06</discovery>
3479      <entry>2016-10-28</entry>
3480    </dates>
3481  </vuln>
3482
3483  <vuln vid="28bb6ee5-9b5c-11e6-b799-19bef72f4b7c">
3484    <topic>node.js -- ares_create_query single byte out of buffer write</topic>
3485    <affects>
3486      <package>
3487	<name>node010</name>
3488	<range><lt>0.10.48</lt></range>
3489      </package>
3490      <package>
3491	<name>node012</name>
3492	<range><lt>0.12.17</lt></range>
3493      </package>
3494      <package>
3495	<name>node4</name>
3496	<range><lt>4.6.1</lt></range>
3497      </package>
3498    </affects>
3499    <description>
3500      <body xmlns="http://www.w3.org/1999/xhtml">
3501	<p>Node.js has released new versions containing the following security fix:</p>
3502	<blockquote cite="https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/">
	  <p>The following releases all contain fixes for CVE-2016-5180 "ares_create_query single
	    byte out of buffer write": Node.js v0.10.48 (Maintenance), Node.js v0.12.17 (Maintenance),
	    Node.js v4.6.1 (LTS "Argon").</p>
	  <p>While this is not a critical update, all users of these release lines should upgrade at
	    their earliest convenience.</p>
3510	</blockquote>
3511      </body>
3512    </description>
3513    <references>
3514      <url>https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/</url>
3515      <cvename>CVE-2016-5180</cvename>
3516      <freebsdpr>ports/213800</freebsdpr>
3517    </references>
3518    <dates>
3519      <discovery>2016-10-18</discovery>
3520      <entry>2016-10-26</entry>
3521    </dates>
3522  </vuln>
3523
3524  <vuln vid="27180c99-9b5c-11e6-b799-19bef72f4b7c">
    <topic>node.js -- multiple vulnerabilities</topic>
3526    <affects>
3527      <package>
3528	<name>node</name>
3529	<range><ge>6.0.0</ge><lt>6.9.0</lt></range>
3530      </package>
3531    </affects>
3532    <description>
3533      <body xmlns="http://www.w3.org/1999/xhtml">
3534	<p>Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x:</p>
3535	<blockquote cite="https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/">
3536	  <p>Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL
3537	    configuration file, from the OPENSSL_CONF environment variable or from the default
3538	    location for the current platform. Always triggering a configuration file load attempt
3539	    may allow an attacker to load compromised OpenSSL configuration into a Node.js process
3540	    if they are able to place a file in a default location.
3541	  </p>
3542	  <p>Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser mishandled scopes,
3543	    potentially allowing an attacker to obtain sensitive information from arbitrary memory
3544	    locations via crafted JavaScript code. This vulnerability would require an attacker to
3545	    be able to execute arbitrary JavaScript code in a Node.js process.
3546	  </p>
3547	  <p>Create a unique v8_inspector WebSocket address: Generate a UUID for each execution of
3548	    the inspector. This provides additional security to prevent unauthorized clients from
3549	    connecting to the Node.js process via the v8_inspector port when running with --inspect.
3550	    Since the debugging protocol allows extensive access to the internals of a running process,
3551	    and the execution of arbitrary code, it is important to limit connections to authorized
3552	    tools only. Note that the v8_inspector protocol in Node.js is still considered an
3553	    experimental feature. Vulnerability originally reported by Jann Horn.
3554	  </p>
3555	  <p>All of these vulnerabilities are considered low-severity for Node.js users, however,
3556	    users of Node.js v6.x should upgrade at their earliest convenience.</p>
3557	</blockquote>
3558      </body>
3559    </description>
3560    <references>
3561      <url>https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/</url>
3562      <cvename>CVE-2016-5172</cvename>
3563    </references>
3564    <dates>
3565      <discovery>2016-10-18</discovery>
3566      <entry>2016-10-28</entry>
    </dates>
3568  </vuln>
3569
3570  <vuln vid="c5c6e293-9cc7-11e6-823f-b8aeed92ecc4">
3571    <topic>urllib3 -- certificate verification failure</topic>
3572    <affects>
3573      <package>
3574	<name>py-urllib3</name>
3575	<range><lt>1.18</lt></range>
3576      </package>
3577    </affects>
3578    <description>
3579      <body xmlns="http://www.w3.org/1999/xhtml">
3580	<p>urllib3 reports:</p>
3581	<blockquote cite="https://github.com/shazow/urllib3/blob/1.18.1/CHANGES.rst">
3582	  <p>CVE-2016-9015: Certification verification failure</p>
3583	</blockquote>
3584      </body>
3585    </description>
3586    <references>
3587      <cvename>CVE-2016-9015</cvename>
3588      <url>https://github.com/shazow/urllib3/blob/1.18.1/CHANGES.rst</url>
3589    </references>
3590    <dates>
3591      <discovery>2016-10-27</discovery>
3592      <entry>2016-10-28</entry>
3593    </dates>
3594  </vuln>
3595
3596  <vuln vid="de6d01d5-9c44-11e6-ba67-0011d823eebd">
3597    <topic>flash -- remote code execution</topic>
3598    <affects>
3599      <package>
3600	<name>linux-f10-flashplugin</name>
3601	<name>linux-c6-flashplugin</name>
3602	<name>linux-c7-flashplugin</name>
3603	<range><lt>11.2r202.643</lt></range>
3604      </package>
3605    </affects>
3606    <description>
3607      <body xmlns="http://www.w3.org/1999/xhtml">
3608	<p>Adobe reports:</p>
3609	<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-36.html">
3610	  <p>Adobe has released security updates for Adobe Flash Player for
3611	    Windows, Macintosh, Linux and Chrome OS.  These updates address a
3612	    critical vulnerability that could potentially allow an attacker to
3613	    take control of the affected system.</p>
3614	  <p>Adobe is aware of a report that an exploit for CVE-2016-7855
3615	    exists in the wild, and is being used in limited, targeted attacks
3616	    against users running Windows versions 7, 8.1 and 10.</p>
3617	</blockquote>
3618      </body>
3619    </description>
3620    <references>
3621      <cvename>CVE-2016-7855</cvename>
3622      <url>https://helpx.adobe.com/security/products/flash-player/apsb16-36.html</url>
3623    </references>
3624    <dates>
3625      <discovery>2016-10-26</discovery>
3626      <entry>2016-10-27</entry>
3627    </dates>
3628  </vuln>
3629
3630  <vuln vid="a479a725-9adb-11e6-a298-14dae9d210b8">
3631    <topic>FreeBSD -- bhyve - privilege escalation vulnerability</topic>
3632    <affects>
3633      <package>
3634	<name>FreeBSD-kernel</name>
3635	<range><ge>11.0</ge><lt>11.0_2</lt></range>
3636      </package>
3637    </affects>
3638    <description>
3639      <body xmlns="http://www.w3.org/1999/xhtml">
3640	<h1>Problem Description:</h1>
3641	<p>An unchecked array reference in the VGA device emulation
3642	code could potentially allow guests access to the heap of
3643	the bhyve process. Since the bhyve process is running as
3644	root, this may allow guests to obtain full control of the
3645	hosts they are running on.</p>
3646	<h1>Impact:</h1>
3647	<p>For bhyve virtual machines with the "fbuf" framebuffer
3648	device configured, if exploited, a malicious guest could
3649	obtain full access to not just the host system, but to other
3650	virtual machines running on the system.</p>
3651      </body>
3652    </description>
3653    <references>
3654      <freebsdsa>SA-16:32.bhyve</freebsdsa>
3655    </references>
3656    <dates>
3657      <discovery>2016-10-25</discovery>
3658      <entry>2016-10-25</entry>
3659      <modified>2016-10-25</modified>
3660    </dates>
3661  </vuln>
3662
3663  <vuln vid="2482c798-93c6-11e6-846f-bc5ff4fb5ea1">
3664    <topic>flash -- multiple vulnerabilities</topic>
3665    <affects>
3666      <package>
3667	<name>linux-c6-flashplugin</name>
3668	<name>linux-c6_64-flashplugin</name>
3669	<name>linux-c7-flashplugin</name>
3670	<name>linux-f10-flashplugin</name>
3671	<range><lt>11.2r202.637</lt></range>
3672      </package>
3673    </affects>
3674    <description>
3675      <body xmlns="http://www.w3.org/1999/xhtml">
3676	<p>Adobe reports:</p>
3677	<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-32.html">
3678	  <p>Adobe has released security updates for Adobe Flash Player for
3679	    Windows, Macintosh, Linux and ChromeOS.  These updates address
3680	    critical vulnerabilities that could potentially allow an attacker
3681	    to take control of the affected system.</p>
3682	  <p>These updates resolve a type confusion vulnerability that could
3683	    lead to code execution (CVE-2016-6992).</p>
3684	  <p>These updates resolve use-after-free vulnerabilities that could
3685	    lead to code execution (CVE-2016-6981, CVE-2016-6987).</p>
3686	  <p>These updates resolve a security bypass vulnerability
3687	    (CVE-2016-4286).</p>
3688	  <p>These updates resolve memory corruption vulnerabilities that could
3689	    lead to code execution (CVE-2016-4273, CVE-2016-6982,
3690	    CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986,
3691	    CVE-2016-6989, CVE-2016-6990).</p>
3692	</blockquote>
3693      </body>
3694    </description>
3695    <references>
3696      <cvename>CVE-2016-4273</cvename>
3697      <cvename>CVE-2016-4286</cvename>
3698      <cvename>CVE-2016-6981</cvename>
3699      <cvename>CVE-2016-6982</cvename>
3700      <cvename>CVE-2016-6983</cvename>
3701      <cvename>CVE-2016-6984</cvename>
3702      <cvename>CVE-2016-6985</cvename>
3703      <cvename>CVE-2016-6986</cvename>
3704      <cvename>CVE-2016-6987</cvename>
3705      <cvename>CVE-2016-6989</cvename>
3706      <cvename>CVE-2016-6990</cvename>
3707      <cvename>CVE-2016-6992</cvename>
3708      <url>https://helpx.adobe.com/security/products/flash-player/apsb16-32.html</url>
3709    </references>
3710    <dates>
3711      <discovery>2016-10-11</discovery>
3712      <entry>2016-10-24</entry>
3713    </dates>
3714  </vuln>
3715
3716  <vuln vid="aaa9f3db-13b5-4a0e-9ed7-e5ab287098fa">
3717    <topic>mozilla -- multiple vulnerabilities</topic>
3718    <affects>
3719      <package>
3720	<name>firefox</name>
3721	<range><lt>49.0.2,1</lt></range>
3722      </package>
3723    </affects>
3724    <description>
3725      <body xmlns="http://www.w3.org/1999/xhtml">
3726	<p>Mozilla Foundation reports:</p>
3727	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/">
3728	  <p>CVE-2016-5287: Crash in nsTArray_base&lt;T&gt;::SwapArrayElements</p>
3729	  <p>CVE-2016-5288: Web content can read cache entries</p>
3730	</blockquote>
3731      </body>
3732    </description>
3733    <references>
3734      <cvename>CVE-2016-5287</cvename>
3735      <cvename>CVE-2016-5288</cvename>
3736      <url>https://www.mozilla.org/security/advisories/mfsa2016-87/</url>
3737    </references>
3738    <dates>
3739      <discovery>2016-10-20</discovery>
3740      <entry>2016-10-21</entry>
3741    </dates>
3742  </vuln>
3743
3744  <vuln vid="0baadc45-92d0-11e6-8011-005056925db4">
3745    <topic>Axis2 -- Cross-site scripting (XSS) vulnerability</topic>
3746    <affects>
3747      <package>
3748	<name>axis2</name>
3749	<range><lt>1.7.3</lt></range>
3750      </package>
3751    </affects>
3752    <description>
3753      <body xmlns="http://www.w3.org/1999/xhtml">
3754	<p>Apache Axis2 reports:</p>
3755	<blockquote cite="http://axis.apache.org/axis2/java/core/release-notes/1.7.3.html">
3756	<p>Apache Axis2 1.7.3 is a security release that contains a fix
3757	    for CVE-2010-3981. That security vulnerability affects the admin console
3758	    that is part of the Axis2 Web application and was originally reported
3759	    for SAP BusinessObjects (which includes a version of Axis2). That report
3760	    didn’t mention Axis2 at all and the Axis2 project only recently became
3761	    aware (thanks to Devesh Bhatt and Nishant Agarwala) that the issue
3762	    affects Apache Axis2 as well.</p>
3763	</blockquote>
3764      </body>
3765    </description>
3766    <references>
3767      <url>http://axis.apache.org/axis2/java/core/release-notes/1.7.3.html</url>
3768      <cvename>CVE-2010-3981</cvename>
3769      <freebsdpr>ports/213546</freebsdpr>
3770    </references>
3771    <dates>
3772      <discovery>2010-10-18</discovery>
3773      <entry>2016-10-18</entry>
3774    </dates>
3775  </vuln>
3776
3777  <vuln vid="c1dc55dc-9556-11e6-b154-3065ec8fd3ec">
3778    <topic>Tor -- remote denial of service</topic>
3779    <affects>
3780      <package>
3781	<name>tor</name>
3782	<range><lt>0.2.8.9</lt></range>
3783      </package>
3784      <package>
3785	<name>tor-devel</name>
3786	<range><lt>0.2.9.4-alpha</lt></range>
3787      </package>
3788    </affects>
3789    <description>
3790      <body xmlns="http://www.w3.org/1999/xhtml">
3791	<p>The Tor Blog reports:</p>
3792	<blockquote cite="https://blog.torproject.org/blog/tor-0289-released-important-fixes">
3793	  <p>Prevent a class of security bugs caused by treating the contents
3794	    of a buffer chunk as if they were a NUL-terminated string. At least
3795	    one such bug seems to be present in all currently used versions of
3796	    Tor, and would allow an attacker to remotely crash most Tor
3797	    instances, especially those compiled with extra compiler hardening.
3798	    With this defense in place, such bugs can't crash Tor, though we
3799	    should still fix them as they occur. Closes ticket 20384
3800	    (TROVE-2016-10-001).</p>
3801	</blockquote>
3802      </body>
3803    </description>
3804    <references>
3805      <url>https://blog.torproject.org/blog/tor-0289-released-important-fixes</url>
3806    </references>
3807    <dates>
3808      <discovery>2016-10-17</discovery>
3809      <entry>2016-10-18</entry>
3810    </dates>
3811  </vuln>
3812
3813  <vuln vid="43f1c867-654a-11e6-8286-00248c0c745d">
3814    <topic>Rails 4 -- Possible XSS Vulnerability in Action View</topic>
3815    <affects>
3816      <package>
3817	<name>rubygem-actionview</name>
3818	<range><gt>3.0.0</gt><lt>4.2.7.1</lt></range>
3819      </package>
3820    </affects>
3821    <description>
3822      <body xmlns="http://www.w3.org/1999/xhtml">
3823	<p>Ruby Security team reports:</p>
3824	<blockquote cite="https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE">
	  <p>There is a possible XSS vulnerability in Action View.  Text declared as "HTML
	    safe" will not have quotes escaped when used as attribute values in tag
	    helpers.  This vulnerability has been assigned the CVE identifier
	    CVE-2016-6316.</p>
3829	</blockquote>
3830      </body>
3831    </description>
3832    <references>
3833      <url>https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE</url>
3834      <cvename>CVE-2016-6316</cvename>
3835    </references>
3836    <dates>
3837      <discovery>2016-08-11</discovery>
3838      <entry>2016-08-18</entry>
3839    </dates>
3840  </vuln>
3841
3842  <vuln vid="7e61cf44-6549-11e6-8286-00248c0c745d">
3843    <topic>Rails 4 -- Unsafe Query Generation Risk in Active Record</topic>
3844    <affects>
3845      <package>
3846	<name>rubygem-activerecord4</name>
3847	<range><gt>4.2.0</gt><lt>4.2.7.1</lt></range>
3848      </package>
3849    </affects>
3850    <description>
3851      <body xmlns="http://www.w3.org/1999/xhtml">
3852	<p>Ruby Security team reports:</p>
3853	<blockquote cite="https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA">
	  <p>There is a vulnerability when Active Record is used in conjunction with JSON
	    parameter parsing. This vulnerability has been assigned the CVE identifier
	    CVE-2016-6317.  This vulnerability is similar to CVE-2012-2660, CVE-2012-2694
	    and CVE-2013-0155.</p>
3858	</blockquote>
3859      </body>
3860    </description>
3861    <references>
3862      <url>https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA</url>
3863      <cvename>CVE-2016-6317</cvename>
3864    </references>
3865    <dates>
3866      <discovery>2016-08-11</discovery>
3867      <entry>2016-08-18</entry>
3868    </dates>
3869  </vuln>
3870
3871  <vuln vid="f471032a-8700-11e6-8d93-00248c0c745d">
3872    <topic>PHP -- multiple vulnerabilities</topic>
3873    <affects>
3874      <package>
3875	<name>php70</name>
3876	<range><lt>7.0.11</lt></range>
3877      </package>
3878    </affects>
3879    <description>
3880      <body xmlns="http://www.w3.org/1999/xhtml">
3881	<p>PHP reports:</p>
3882	<blockquote cite="http://php.net/ChangeLog-7.php#7.0.11">
3883	<ul>
3884	  <li><p>Fixed bug #73007 (add locale length check)</p></li>
3885	  <li><p>Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields)</p></li>
3886	  <li><p>Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile)</p></li>
3887	  <li><p>Fixed bug #73029 (Missing type check when unserializing SplArray)</p></li>
3888	  <li><p>Fixed bug #73052 (Memory Corruption in During Deserialized-object Destruction)</p></li>
3889	  <li><p>Fixed bug #72860 (wddx_deserialize use-after-free)</p></li>
3890	  <li><p>Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element)</p></li>
3891	</ul>
3892	</blockquote>
3893      </body>
3894    </description>
3895    <references>
3896      <url>http://php.net/ChangeLog-7.php#7.0.11</url>
3897      <cvename>CVE-2016-7416</cvename>
3898      <cvename>CVE-2016-7412</cvename>
3899      <cvename>CVE-2016-7414</cvename>
3900      <cvename>CVE-2016-7417</cvename>
3901      <cvename>CVE-2016-7413</cvename>
3902      <cvename>CVE-2016-7418</cvename>
3903    </references>
3904    <dates>
3905      <discovery>2016-09-15</discovery>
3906      <entry>2016-09-30</entry>
3907    </dates>
3908  </vuln>
3909
3910  <vuln vid="8d5180a6-86fe-11e6-8d93-00248c0c745d">
3911    <topic>PHP -- multiple vulnerabilities</topic>
3912    <affects>
3913      <package>
3914	<name>php56</name>
3915	<range><lt>5.6.26</lt></range>
3916      </package>
3917    </affects>
3918    <description>
3919      <body xmlns="http://www.w3.org/1999/xhtml">
3920	<p>PHP reports:</p>
3921	<blockquote cite="http://php.net/ChangeLog-5.php#5.6.26">
3922	<ul>
3923	  <li><p>Fixed bug #73007 (add locale length check)</p></li>
3924	  <li><p>Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields)</p></li>
3925	  <li><p>Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile)</p></li>
3926	  <li><p>Fixed bug #73029 (Missing type check when unserializing SplArray)</p></li>
3927	  <li><p>Fixed bug #73052 (Memory Corruption in During Deserialized-object Destruction)</p></li>
3928	  <li><p>Fixed bug #72860 (wddx_deserialize use-after-free)</p></li>
3929	  <li><p>Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element)</p></li>
3930	</ul>
3931	</blockquote>
3932      </body>
3933    </description>
3934    <references>
3935      <url>http://php.net/ChangeLog-5.php#5.6.26</url>
3936      <cvename>CVE-2016-7416</cvename>
3937      <cvename>CVE-2016-7412</cvename>
3938      <cvename>CVE-2016-7414</cvename>
3939      <cvename>CVE-2016-7417</cvename>
3940      <cvename>CVE-2016-7411</cvename>
3941      <cvename>CVE-2016-7413</cvename>
3942      <cvename>CVE-2016-7418</cvename>
3943    </references>
3944    <dates>
3945      <discovery>2016-09-16</discovery>
3946      <entry>2016-09-30</entry>
3947    </dates>
3948  </vuln>
3949
3950  <vuln vid="ad479f89-9020-11e6-a590-14dae9d210b8">
3951    <topic>file-roller -- path traversal vulnerability</topic>
3952    <affects>
3953      <package>
3954	<name>file-roller</name>
3955	<range><ge>3.5.4,1</ge><lt>3.20.2,1</lt></range>
3956      </package>
3957    </affects>
3958    <description>
3959      <body xmlns="http://www.w3.org/1999/xhtml">
3960	<p> reports:</p>
3961	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/09/08/4">
3962	  <p>File Roller 3.5.4 through 3.20.2 was affected by a path
3963	    traversal bug that could result in deleted files if a user
3964	    were tricked into opening a malicious archive.</p>
3965	</blockquote>
3966      </body>
3967    </description>
3968    <references>
3969      <url>http://www.openwall.com/lists/oss-security/2016/09/08/4</url>
3970      <cvename>CVE-2016-7162</cvename>
3971      <freebsdpr>ports/213199</freebsdpr>
3972    </references>
3973    <dates>
3974      <discovery>2016-09-08</discovery>
3975      <entry>2016-10-12</entry>
3976      <modified>2016-10-18</modified>
3977    </dates>
3978  </vuln>
3979
3980  <vuln vid="7d40edd1-901e-11e6-a590-14dae9d210b8">
3981    <topic>VirtualBox -- undisclosed vulnerabilities</topic>
3982    <affects>
3983      <package>
3984	<name>virtualbox-ose</name>
3985	<range><ge>5.0</ge><lt>5.0.8</lt></range>
3986	<range><ge>4.3</ge><lt>4.3.32</lt></range>
3987	<range><ge>4.2</ge><lt>4.2.34</lt></range>
3988	<range><ge>4.1</ge><lt>4.1.42</lt></range>
3989	<range><ge>4.0</ge><lt>4.0.34</lt></range>
3990      </package>
3991    </affects>
3992    <description>
3993      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Oracle reports:</p>
3995	<blockquote cite="http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html">
3996	  <p>Unspecified vulnerability in the Oracle VM VirtualBox
3997	    component in Oracle Virtualization VirtualBox prior to 4.0.34, 4.1.42,
3998	    4.2.34, 4.3.32, and 5.0.8, when using a Windows guest, allows local
3999	    users to affect availability via unknown vectors related to Core.</p>
4000	  <p>Unspecified vulnerability in the Oracle VM VirtualBox
4001	    component in Oracle Virtualization VirtualBox before 4.0.34, 4.1.42,
4002	    4.2.34, 4.3.32, and 5.0.8, when a VM has the Remote Display feature
4003	    (RDP) enabled, allows remote attackers to affect availability via
4004	    unknown vectors related to Core.</p>
4005	</blockquote>
4006      </body>
4007    </description>
4008    <references>
4009      <url>http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html</url>
4010      <cvename>CVE-2015-4813</cvename>
4011      <cvename>CVE-2015-4896</cvename>
4012      <freebsdpr>ports/204406</freebsdpr>
4013    </references>
4014    <dates>
4015      <discovery>2015-10-01</discovery>
4016      <entry>2016-10-12</entry>
4017      <modified>2016-10-18</modified>
4018    </dates>
4019  </vuln>
4020
4021  <vuln vid="10f7f782-901c-11e6-a590-14dae9d210b8">
4022    <topic>ImageMagick -- multiple vulnerabilities</topic>
4023    <affects>
4024      <package>
4025	<name>ImageMagick</name>
4026	<name>ImageMagick-nox11</name>
4027	<range><lt>6.9.5.10,1</lt></range>
4028      </package>
4029    </affects>
4030    <description>
4031      <body xmlns="http://www.w3.org/1999/xhtml">
4032	<p>Debian reports:</p>
4033	<blockquote cite="https://www.debian.org/security/2016/dsa-3675">
4034	  <p>Various memory handling problems and cases of missing or
4035	    incomplete input sanitizing may result in denial of service or the
4036	    execution of arbitrary code if malformed SIXEL, PDB, MAP, SGI, TIFF and
4037	    CALS files are processed.</p>
4038	</blockquote>
4039      </body>
4040    </description>
4041    <references>
4042      <url>https://www.debian.org/security/2016/dsa-3675</url>
4043      <freebsdpr>ports/213032</freebsdpr>
4044    </references>
4045    <dates>
4046      <discovery>2016-09-23</discovery>
4047      <entry>2016-10-12</entry>
4048      <modified>2016-10-18</modified>
4049    </dates>
4050  </vuln>
4051
4052  <vuln vid="2a526c78-84ab-11e6-a4a1-60a44ce6887b">
4053    <topic>libgd -- integer overflow which could lead to heap buffer overflow</topic>
4054    <affects>
4055      <package>
4056       <name>gd</name>
4057       <range><le>2.2.3</le></range>
4058      </package>
4059      <package>
4060       <name>php70-gd</name>
4061       <range><le>7.0.11</le></range>
4062      </package>
4063      <package>
4064       <name>php56-gd</name>
4065       <range><le>5.6.26</le></range>
4066      </package>
4067    </affects>
4068    <description>
4069      <body xmlns="http://www.w3.org/1999/xhtml">
4070       <p>LibGD reports:</p>
4071       <blockquote cite="https://github.com/libgd/libgd/issues/308">
4072	 <p>An integer overflow issue was found in function gdImageWebpCtx of file gd_webp.c which could lead to heap buffer overflow.</p>
4073       </blockquote>
4074      </body>
4075    </description>
4076    <references>
4077      <url>https://github.com/libgd/libgd/issues/308</url>
4078      <url>https://bugs.php.net/bug.php?id=73003</url>
4079      <freebsdpr>ports/213023</freebsdpr>
4080    </references>
4081    <dates>
4082      <discovery>2016-09-02</discovery>
4083      <entry>2016-10-11</entry>
4084      <modified>2016-10-18</modified>
4085    </dates>
4086  </vuln>
4087
4088  <vuln vid="cb3f036d-8c7f-11e6-924a-60a44ce6887b">
4089    <topic>libvncserver -- multiple security vulnerabilities</topic>
4090    <affects>
4091      <package>
4092       <name>libvncserver</name>
4093       <range><lt>0.9.10</lt></range>
4094      </package>
4095    </affects>
4096    <description>
4097      <body xmlns="http://www.w3.org/1999/xhtml">
4098       <p>Nicolas Ruff reports:</p>
4099       <blockquote cite="http://seclists.org/oss-sec/2014/q3/639">
4100	 <p>Integer overflow in MallocFrameBuffer() on client side.</p>
4101	 <p>Lack of malloc() return value checking on client side.</p>
4102	 <p>Server crash on a very large ClientCutText message.</p>
4103	 <p>Server crash when scaling factor is set to zero.</p>
4104	 <p>Multiple stack overflows in File Transfer feature.</p>
4105       </blockquote>
4106      </body>
4107    </description>
4108    <references>
4109      <url>http://seclists.org/oss-sec/2014/q3/639</url>
4110      <cvename>CVE-2014-6051</cvename>
4111      <cvename>CVE-2014-6052</cvename>
4112      <cvename>CVE-2014-6053</cvename>
4113      <cvename>CVE-2014-6054</cvename>
4114      <cvename>CVE-2014-6055</cvename>
4115      <freebsdpr>ports/212380</freebsdpr>
4116    </references>
4117    <dates>
4118      <discovery>2014-09-23</discovery>
4119      <entry>2016-10-11</entry>
4120      <modified>2016-10-18</modified>
4121    </dates>
4122  </vuln>
4123
4124  <vuln vid="ab947396-9018-11e6-a590-14dae9d210b8">
4125    <topic>openoffice -- information disclosure vulnerability</topic>
4126    <affects>
4127      <package>
4128	<name>apache-openoffice</name>
4129	<name>apache-openoffice-devel</name>
4130	<range><lt>4.1.1</lt></range>
4131      </package>
4132    </affects>
4133    <description>
4134      <body xmlns="http://www.w3.org/1999/xhtml">
4135	<p>Apache reports:</p>
4136	<blockquote cite="http://www.openoffice.org/security/cves/CVE-2014-3575.html">
4137	  <p>The exposure exploits the way OLE previews are generated to
4138	    embed arbitrary file data into a specially crafted document when it is
4139	    opened. Data exposure is possible if the updated document is distributed
4140	    to other parties.</p>
4141	</blockquote>
4142      </body>
4143    </description>
4144    <references>
4145      <url>http://www.openoffice.org/security/cves/CVE-2014-3575.html</url>
4146      <cvename>CVE-2014-3575</cvename>
4147      <freebsdpr>ports/212379</freebsdpr>
4148    </references>
4149    <dates>
4150      <discovery>2014-08-21</discovery>
4151      <entry>2016-10-12</entry>
4152      <modified>2016-10-18</modified>
4153    </dates>
4154  </vuln>
4155
4156  <vuln vid="47157c14-9013-11e6-a590-14dae9d210b8">
4157    <topic>mupdf -- multiple vulnerabilities</topic>
4158    <affects>
4159      <package>
4160	<name>mupdf</name>
4161	<range><lt>1.9a_1,1</lt></range>
4162      </package>
4163      <package>
4164	<name>llpp</name>
4165	<range><lt>22_2</lt></range>
4166      </package>
4167      <package>
4168	<name>zathura-pdf-mupdf</name>
4169	<range><lt>0.3.0_2</lt></range>
4170      </package>
4171    </affects>
4172    <description>
4173      <body xmlns="http://www.w3.org/1999/xhtml">
4174	<p>Tobias Kortkamp reports:</p>
4175	<blockquote cite="http://openbsd-archive.7691.n7.nabble.com/mupdf-CVE-2016-6525-amp-CVE-2016-6265-td302904.html">
4176	  <p>Heap-based buffer overflow in the pdf_load_mesh_params
4177	    function in pdf/pdf-shade.c in MuPDF allows remote attackers to cause a
4178	    denial of service (crash) or execute arbitrary code via a large decode
4179	    array.</p>
4180	<p>Use-after-free vulnerability in the pdf_load_xref function in
4181	    pdf/pdf-xref.c in MuPDF allows remote attackers to cause a denial of
4182	    service (crash) via a crafted PDF file.</p>
4183	</blockquote>
4184      </body>
4185    </description>
4186    <references>
4187      <url>http://openbsd-archive.7691.n7.nabble.com/mupdf-CVE-2016-6525-amp-CVE-2016-6265-td302904.html</url>
4188      <url>http://bugs.ghostscript.com/show_bug.cgi?id=696941</url>
4189      <url>http://bugs.ghostscript.com/show_bug.cgi?id=696954</url>
4190      <cvename>CVE-2016-6525</cvename>
4191      <cvename>CVE-2016-6265</cvename>
4192      <freebsdpr>ports/212207</freebsdpr>
4193    </references>
4194    <dates>
4195      <discovery>2016-08-27</discovery>
4196      <entry>2016-10-12</entry>
4197      <modified>2016-10-18</modified>
4198    </dates>
4199  </vuln>
4200
4201  <vuln vid="b7d56d0b-7a11-11e6-af78-589cfc0654e1">
4202    <topic>openjpeg -- multiple vulnerabilities</topic>
4203    <affects>
4204      <package>
4205	<name>openjpeg</name>
4206	<range><lt>2.1.1_1</lt></range>
4207      </package>
4208    </affects>
4209    <description>
4210      <body xmlns="http://www.w3.org/1999/xhtml">
4211	<p>Tencent's Xuanwu LAB reports:</p>
4212	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/09/08/2">
4213	  <p>A Heap Buffer Overflow (Out-of-Bounds Write) issue was found in
4214	    function opj_dwt_interleave_v of dwt.c. This vulnerability allows
4215	    remote attackers to execute arbitrary code on vulnerable installations
4216	    of OpenJPEG.</p>
4217	  <p>An integer overflow issue exists in function opj_pi_create_decode of
4218	    pi.c. It can lead to Out-Of-Bounds Read and Out-Of-Bounds Write in
4219	    function opj_pi_next_cprl of pi.c (function opj_pi_next_lrcp,
4220	    opj_pi_next_rlcp, opj_pi_next_rpcl, opj_pi_next_pcrl may also be
4221	    vulnerable). This vulnerability allows remote attackers to execute
4222	    arbitrary code on vulnerable installations of OpenJPEG.</p>
4223      </blockquote>
4224      </body>
4225    </description>
4226    <references>
      <url>http://www.openwall.com/lists/oss-security/2016/09/08/2</url>
      <url>http://www.openwall.com/lists/oss-security/2016/09/08/3</url>
4229      <cvename>CVE-2016-5157</cvename>
4230      <cvename>CVE-2016-7163</cvename>
4231    </references>
4232    <dates>
4233      <discovery>2016-09-08</discovery>
4234      <entry>2016-10-11</entry>
4235    </dates>
4236  </vuln>
4237
4238  <vuln vid="fa175f30-8c75-11e6-924a-60a44ce6887b">
4239    <topic>redis -- sensitive information leak through command history file</topic>
4240    <affects>
4241      <package>
4242       <name>redis</name>
4243       <name>redis-devel</name>
4244       <range><lt>3.2.3</lt></range>
4245      </package>
4246    </affects>
4247    <description>
4248      <body xmlns="http://www.w3.org/1999/xhtml">
4249       <p>Redis team reports:</p>
4250       <blockquote cite="https://github.com/antirez/redis/pull/1418">
4251	 <p>The redis-cli history file (in linenoise) is created with the
4252	    default OS umask value which makes it world readable in most systems
4253	    and could potentially expose authentication credentials to other
4254	    users.</p>
4255       </blockquote>
4256      </body>
4257    </description>
4258    <references>
4259      <url>https://github.com/antirez/redis/pull/1418</url>
4260      <url>https://github.com/antirez/redis/issues/3284</url>
4261      <cvename>CVE-2013-7458</cvename>
4262    </references>
4263    <dates>
4264      <discovery>2013-11-30</discovery>
4265      <entry>2016-10-11</entry>
4266    </dates>
4267  </vuln>
4268
4269  <vuln vid="1a71a972-8ee7-11e6-a590-14dae9d210b8">
4270    <topic>FreeBSD -- Multiple libarchive vulnerabilities</topic>
4271    <affects>
4272      <package>
4273	<name>FreeBSD</name>
4274	<range><ge>11.0</ge><lt>11.0_1</lt></range>
4275	<range><ge>10.3</ge><lt>10.3_10</lt></range>
4276	<range><ge>10.2</ge><lt>10.2_23</lt></range>
4277	<range><ge>10.1</ge><lt>10.1_40</lt></range>
4278      </package>
4279    </affects>
4280    <description>
4281      <body xmlns="http://www.w3.org/1999/xhtml">
4282	<h1>Problem Description:</h1>
4283	<p>Flaws in libarchive's handling of symlinks and hard links
4284	allow overwriting files outside the extraction directory,
4285	or permission changes to a directory outside the extraction
4286	directory.</p>
4287	<h1>Impact:</h1>
4288	<p>An attacker who can control freebsd-update's or portsnap's
4289	input to tar(1) can change file content or permissions on
4290	files outside of the update tool's working sandbox.</p>
4291      </body>
4292    </description>
4293    <references>
4294      <freebsdsa>SA-16:31.libarchive</freebsdsa>
4295    </references>
4296    <dates>
4297      <discovery>2016-10-05</discovery>
4298      <entry>2016-10-10</entry>
4299    </dates>
4300  </vuln>
4301
4302  <vuln vid="e7dcd69d-8ee6-11e6-a590-14dae9d210b8">
4303    <topic>FreeBSD -- Multiple portsnap vulnerabilities</topic>
4304    <affects>
4305      <package>
4306	<name>FreeBSD</name>
4307	<range><ge>11.0</ge><lt>11.0_1</lt></range>
4308	<range><ge>10.3</ge><lt>10.3_10</lt></range>
4309	<range><ge>10.2</ge><lt>10.2_23</lt></range>
4310	<range><ge>10.1</ge><lt>10.1_40</lt></range>
4311	<range><ge>9.3</ge><lt>9.3_48</lt></range>
4312      </package>
4313    </affects>
4314    <description>
4315      <body xmlns="http://www.w3.org/1999/xhtml">
4316	<h1>Problem Description:</h1>
	<p>Flaws in portsnap's verification of downloaded tar files
	allow additional files to be included without causing the
	verification to fail. Portsnap may then use or execute these
	files.</p>
4321	<h1>Impact:</h1>
	<p>An attacker who can conduct a man-in-the-middle attack on
	the network at the time when portsnap is run can cause
	portsnap to execute arbitrary commands under the credentials
	of the user who runs portsnap, typically root.</p>
4326      </body>
4327    </description>
4328    <references>
4329      <freebsdsa>SA-16:30.portsnap</freebsdsa>
4330    </references>
4331    <dates>
4332      <discovery>2016-10-10</discovery>
4333      <entry>2016-10-10</entry>
4334    </dates>
4335  </vuln>
4336
4337  <vuln vid="ce808022-8ee6-11e6-a590-14dae9d210b8">
4338    <topic>FreeBSD -- Heap overflow vulnerability in bspatch</topic>
4339    <affects>
4340      <package>
4341	<name>FreeBSD</name>
4342	<range><ge>11.0</ge><lt>11.0_1</lt></range>
4343	<range><ge>10.3</ge><lt>10.3_10</lt></range>
4344	<range><ge>10.2</ge><lt>10.2_23</lt></range>
4345	<range><ge>10.1</ge><lt>10.1_40</lt></range>
4346	<range><ge>9.3</ge><lt>9.3_48</lt></range>
4347      </package>
4348    </affects>
4349    <description>
4350      <body xmlns="http://www.w3.org/1999/xhtml">
4351	<h1>Problem Description:</h1>
4352	<p>The implementation of bspatch is susceptible to integer
4353	overflows with carefully crafted input, potentially allowing
4354	an attacker who can control the patch file to write at
4355	arbitrary locations in the heap. This issue was partially
4356	addressed in FreeBSD-SA-16:25.bspatch, but some possible
4357	integer overflows remained.</p>
4358	<h1>Impact:</h1>
4359	<p>An attacker who can control the patch file can cause a
4360	crash or run arbitrary code under the credentials of the
4361	user who runs bspatch, in many cases, root.</p>
4362      </body>
4363    </description>
4364    <references>
4365      <freebsdsa>SA-16:29.bspatch</freebsdsa>
4366    </references>
4367    <dates>
4368      <discovery>2016-10-10</discovery>
4369      <entry>2016-10-10</entry>
4370    </dates>
4371  </vuln>
4372
4373  <vuln vid="aeb7874e-8df1-11e6-a082-5404a68ad561">
4374    <topic>mkvtoolnix -- code execution via specially crafted files</topic>
4375    <affects>
4376      <package>
4377	<name>mkvtoolnix</name>
4378	<range><lt>9.4.1</lt></range>
4379      </package>
4380    </affects>
4381    <description>
4382      <body xmlns="http://www.w3.org/1999/xhtml">
4383	<p>Moritz Bunkus reports:</p>
4384	<blockquote cite="https://mkvtoolnix.download/doc/ChangeLog">
4385	  <p>most of the bugs fixed on 2016-09-06 and 2016-09-07 for
4386	     issue #1780 are potentially exploitable. The scenario is arbitrary
4387	     code execution with specially-crafted files.</p>
4388	</blockquote>
4389      </body>
4390    </description>
4391    <references>
4392      <url>https://mkvtoolnix.download/doc/ChangeLog</url>
4393    </references>
4394    <dates>
4395      <discovery>2016-09-07</discovery>
4396      <entry>2016-10-09</entry>
4397    </dates>
4398  </vuln>
4399
4400  <vuln vid="1cf65085-a760-41d2-9251-943e1af62eb8">
4401    <topic>X.org libraries -- multiple vulnerabilities</topic>
4402    <affects>
4403      <package>
4404	<name>libX11</name>
4405	<range><lt>1.6.4,1</lt></range>
4406      </package>
4407      <package>
4408	<name>libXfixes</name>
4409	<range><lt>5.0.3</lt></range>
4410      </package>
4411      <package>
4412	<name>libXi</name>
4413	<range><lt>1.7.7,1</lt></range>
4414      </package>
4415      <package>
4416	<name>libXrandr</name>
4417	<range><lt>1.5.1</lt></range>
4418      </package>
4419      <package>
4420	<name>libXrender</name>
4421	<range><lt>0.9.10</lt></range>
4422      </package>
4423      <package>
4424	<name>libXtst</name>
4425	<range><lt>1.2.3</lt></range>
4426      </package>
4427      <package>
4428	<name>libXv</name>
4429	<range><lt>1.0.11,1</lt></range>
4430      </package>
4431      <package>
4432	<name>libXvMC</name>
4433	<range><lt>1.0.10</lt></range>
4434      </package>
4435    </affects>
4436    <description>
4437      <body xmlns="http://www.w3.org/1999/xhtml">
4438	<p>Matthieu Herrb reports:</p>
4439	<blockquote cite="https://lists.x.org/archives/xorg-announce/2016-October/002720.html">
4440	  <p>Tobias Stoeckmann from the OpenBSD project has discovered a
4441	    number of issues in the way various X client libraries handle
4442	    the responses they receive from servers, and has worked with
4443	    X.Org's security team to analyze, confirm, and fix these issues.
	    These issues come in addition to the ones discovered by Ilja van
	    Sprundel in 2013.</p>
4446
4447	  <p>Most of these issues stem from the client libraries trusting
4448	    the server to send correct protocol data, and not verifying
4449	    that the values will not overflow or cause other damage. Most
4450	    of the time X clients and servers are run by the same user, with
4451	    the server more privileged than the clients, so this is not a
4452	    problem, but there are scenarios in which a privileged client
4453	    can be connected to an unprivileged server, for instance,
4454	    connecting a setuid X client (such as a screen lock program)
4455	    to a virtual X server (such as Xvfb or Xephyr) which the user
4456	    has modified to return invalid data, potentially allowing the
4457	    user to escalate their privileges.</p>
4458	</blockquote>
4459      </body>
4460    </description>
4461    <references>
4462      <url>https://lists.x.org/archives/xorg-announce/2016-October/002720.html</url>
4463      <cvename>CVE-2016-5407</cvename>
4464    </references>
4465    <dates>
4466      <discovery>2016-10-04</discovery>
4467      <entry>2016-10-07</entry>
4468      <modified>2016-10-10</modified>
4469    </dates>
4470  </vuln>
4471
4472  <vuln vid="c8d902b1-8550-11e6-81e7-d050996490d0">
4473    <topic>BIND -- Remote Denial of Service vulnerability</topic>
4474    <affects>
4475      <package>
4476	<name>bind99</name>
4477	<range><lt>9.9.9P3</lt></range>
4478      </package>
4479      <package>
4480	<name>bind910</name>
4481	<range><lt>9.10.4P3</lt></range>
4482      </package>
4483      <package>
4484	<name>bind911</name>
4485	<range><lt>9.11.0.rc3</lt></range>
4486      </package>
4487      <package>
4488	<name>bind9-devel</name>
4489	<range><lt>9.12.0.a.2016.09.10</lt></range>
4490      </package>
4491      <package>
4492	<name>FreeBSD</name>
4493	<range><ge>9.3</ge><lt>9.3_48</lt></range>
4494      </package>
4495    </affects>
4496    <description>
4497      <body xmlns="http://www.w3.org/1999/xhtml">
4498	<p>ISC reports:</p>
4499	<blockquote cite="https://kb.isc.org/article/AA-01419">
4500	  <p>Testing by ISC has uncovered a critical error condition
4501	    which can occur when a nameserver is constructing a
4502	    response.  A defect in the rendering of messages into
4503	    packets can cause named to exit with an assertion
4504	    failure in buffer.c while constructing a response
4505	    to a query that meets certain criteria.</p>
4506	</blockquote>
4507      </body>
4508    </description>
4509    <references>
4510      <cvename>CVE-2016-2776</cvename>
4511      <freebsdsa>SA-16:28.bind</freebsdsa>
4512      <url>https://kb.isc.org/article/AA-01419</url>
4513    </references>
4514    <dates>
4515      <discovery>2016-09-27</discovery>
4516      <entry>2016-09-28</entry>
4517      <modified>2016-10-10</modified>
4518    </dates>
4519  </vuln>
4520
4521  <vuln vid="bb022643-84fb-11e6-a4a1-60a44ce6887b">
4522    <topic>django -- CSRF protection bypass on a site with Google Analytics</topic>
4523    <affects>
4524      <package>
4525       <name>py-django19</name>
4526       <range><lt>1.9.10</lt></range>
4527      </package>
4528      <package>
4529       <name>py-django18</name>
4530       <range><lt>1.8.15</lt></range>
4531      </package>
4532      <package>
4533       <name>py-django</name>
4534       <range><lt>1.8.15</lt></range>
4535      </package>
4536    </affects>
4537    <description>
4538      <body xmlns="http://www.w3.org/1999/xhtml">
4539       <p>Django Software Foundation reports:</p>
4540       <blockquote cite="https://www.djangoproject.com/weblog/2016/sep/26/security-releases/">
4541	 <p>An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.</p>
4542       </blockquote>
4543      </body>
4544    </description>
4545    <references>
4546      <url>https://www.djangoproject.com/weblog/2016/sep/26/security-releases/</url>
4547      <cvename>CVE-2016-7401</cvename>
4548    </references>
4549    <dates>
4550      <discovery>2016-09-26</discovery>
4551      <entry>2016-09-27</entry>
4552    </dates>
4553  </vuln>
4554
4555  <vuln vid="91a337d8-83ed-11e6-bf52-b499baebfeaf">
4556    <topic>OpenSSL -- multiple vulnerabilities</topic>
4557    <affects>
4558      <package>
4559	<name>openssl</name>
4560	<range><lt>1.0.2j,1</lt></range>
4561      </package>
4562      <package>
4563	<name>openssl-devel</name>
4564	<range><lt>1.1.0b</lt></range>
4565      </package>
4566      <package>
4567	<name>libressl</name>
4568	<range><lt>2.4.3</lt></range>
4569      </package>
4570      <package>
4571	<name>libressl-devel</name>
4572	<range><lt>2.4.3</lt></range>
4573      </package>
4574      <package>
4575	<name>FreeBSD</name>
4576	<range><ge>11.0</ge><lt>11.0_1</lt></range>
4577      </package>
4578    </affects>
4579    <description>
4580      <body xmlns="http://www.w3.org/1999/xhtml">
4581	<p>OpenSSL reports:</p>
4582	<blockquote cite="https://www.openssl.org/news/secadv/20160926.txt">
4583	  <p>Critical vulnerability in OpenSSL 1.1.0a<br/>
4584	    Fix Use After Free for large message sizes (CVE-2016-6309)</p>
4585	  <p>Moderate vulnerability in OpenSSL 1.0.2i<br/>
4586	    Missing CRL sanity check (CVE-2016-7052)</p>
4587	</blockquote>
4588      </body>
4589    </description>
4590    <references>
4591      <url>https://www.openssl.org/news/secadv/20160926.txt</url>
4592      <cvename>CVE-2016-6309</cvename>
4593      <cvename>CVE-2016-7052</cvename>
4594      <freebsdsa>SA-16:27.openssl</freebsdsa>
4595    </references>
4596    <dates>
4597      <discovery>2016-09-26</discovery>
4598      <entry>2016-09-26</entry>
4599      <modified>2016-10-10</modified>
4600    </dates>
4601  </vuln>
4602
4603  <vuln vid="43eaa656-80bc-11e6-bf52-b499baebfeaf">
4604    <topic>OpenSSL -- multiple vulnerabilities</topic>
4605    <affects>
4606      <package>
4607	<name>openssl-devel</name>
4608	<range><ge>1.1.0</ge><lt>1.1.0_1</lt></range>
4609      </package>
4610      <package>
4611	<name>openssl</name>
4612	<range><lt>1.0.2i,1</lt></range>
4613      </package>
4614      <package>
4615	<name>linux-c6-openssl</name>
4616	<range><lt>1.0.1e_11</lt></range>
4617      </package>
4618      <package>
4619	<name>FreeBSD</name>
4620	<range><ge>10.3</ge><lt>10.3_8</lt></range>
4621	<range><ge>10.2</ge><lt>10.2_21</lt></range>
4622	<range><ge>10.1</ge><lt>10.1_38</lt></range>
4623	<range><ge>9.3</ge><lt>9.3_46</lt></range>
4624      </package>
4625    </affects>
4626    <description>
4627      <body xmlns="http://www.w3.org/1999/xhtml">
4628	<p>OpenSSL reports:</p>
4629	<blockquote cite="https://www.openssl.org/news/secadv/20160922.txt">
4630	  <p>High: OCSP Status Request extension unbounded memory growth</p>
4631	  <p>SSL_peek() hang on empty record</p>
4632	  <p>SWEET32 Mitigation</p>
4633	  <p>OOB write in MDC2_Update()</p>
4634	  <p>Malformed SHA512 ticket DoS</p>
4635	  <p>OOB write in BN_bn2dec()</p>
4636	  <p>OOB read in TS_OBJ_print_bio()</p>
4637	  <p>Pointer arithmetic undefined behaviour</p>
4638	  <p>Constant time flag not preserved in DSA signing</p>
4639	  <p>DTLS buffered message DoS</p>
4640	  <p>DTLS replay protection DoS</p>
4641	  <p>Certificate message OOB reads</p>
4642	  <p>Excessive allocation of memory in tls_get_message_header()</p>
4643	  <p>Excessive allocation of memory in dtls1_preprocess_fragment()</p>
4644	  <p>NB: LibreSSL is only affected by CVE-2016-6304</p>
4645	</blockquote>
4646      </body>
4647    </description>
4648    <references>
4649      <url>https://www.openssl.org/news/secadv/20160922.txt</url>
4650      <cvename>CVE-2016-6304</cvename>
4651      <cvename>CVE-2016-6305</cvename>
4652      <cvename>CVE-2016-2183</cvename>
4653      <cvename>CVE-2016-6303</cvename>
4654      <cvename>CVE-2016-6302</cvename>
4655      <cvename>CVE-2016-2182</cvename>
4656      <cvename>CVE-2016-2180</cvename>
4657      <cvename>CVE-2016-2177</cvename>
4658      <cvename>CVE-2016-2178</cvename>
4659      <cvename>CVE-2016-2179</cvename>
4660      <cvename>CVE-2016-2181</cvename>
4661      <cvename>CVE-2016-6306</cvename>
4662      <cvename>CVE-2016-6307</cvename>
4663      <cvename>CVE-2016-6308</cvename>
4664      <freebsdsa>SA-16:26.openssl</freebsdsa>
4665    </references>
4666    <dates>
4667      <discovery>2016-09-22</discovery>
4668      <entry>2016-09-22</entry>
4669      <modified>2016-10-11</modified>
4670    </dates>
4671  </vuln>
4672
4673  <vuln vid="e78261e4-803d-11e6-a590-14dae9d210b8">
4674    <topic>irssi -- heap corruption and missing boundary checks</topic>
4675    <affects>
4676      <package>
4677	<name>irssi</name>
4678	<name>zh-irssi</name>
4679	<range><ge>0.8.17</ge><lt>0.8.20</lt></range>
4680      </package>
4681    </affects>
4682    <description>
4683      <body xmlns="http://www.w3.org/1999/xhtml">
4684	<p>Irssi reports:</p>
4685	<blockquote cite="https://irssi.org/security/irssi_sa_2016.txt">
4686	  <p>Remote crash and heap corruption. Remote code execution seems
4687	    difficult since only Nuls are written.</p>
4688	</blockquote>
4689      </body>
4690    </description>
4691    <references>
4692      <url>https://irssi.org/security/irssi_sa_2016.txt</url>
4693      <cvename>CVE-2016-7044</cvename>
4694      <cvename>CVE-2016-7045</cvename>
4695    </references>
4696    <dates>
4697      <discovery>2016-09-21</discovery>
4698      <entry>2016-09-21</entry>
4699      <modified>2016-09-22</modified>
4700    </dates>
4701  </vuln>
4702
4703  <vuln vid="2c57c47e-8bb3-4694-83c8-9fc3abad3964">
4704    <topic>mozilla -- multiple vulnerabilities</topic>
4705    <affects>
4706      <package>
4707	<name>firefox</name>
4708	<range><lt>49.0,1</lt></range>
4709      </package>
4710      <package>
4711	<name>seamonkey</name>
4712	<name>linux-seamonkey</name>
4713	<range><lt>2.46</lt></range>
4714      </package>
4715      <package>
4716	<name>firefox-esr</name>
4717	<range><lt>45.4.0,1</lt></range>
4718      </package>
4719      <package>
4720	<name>linux-firefox</name>
4721	<range><lt>45.4.0,2</lt></range>
4722      </package>
4723      <package>
4724	<name>libxul</name>
4725	<name>thunderbird</name>
4726	<name>linux-thunderbird</name>
4727	<range><lt>45.4.0</lt></range>
4728      </package>
4729    </affects>
4730    <description>
4731      <body xmlns="http://www.w3.org/1999/xhtml">
4732	<p>Mozilla Foundation reports:</p>
4733	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-85/">
4734	  <p>CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]</p>
4735	  <p>CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]</p>
4736	  <p>CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]</p>
4737	  <p>CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]</p>
4738	  <p>CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]</p>
4739	  <p>CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]</p>
4740	  <p>CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]</p>
4741	  <p>CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]</p>
4742	  <p>CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]</p>
4743	  <p>CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]</p>
4744	  <p>CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]</p>
4745	  <p>CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]</p>
4746	  <p>CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]</p>
4747	  <p>CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]</p>
4748	  <p>CVE-2016-5281 - use-after-free in DOMSVGLength [high]</p>
4749	  <p>CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]</p>
4750	  <p>CVE-2016-5283 - &lt;iframe src&gt; fragment timing attack can reveal cross-origin data [high]</p>
4751	  <p>CVE-2016-5284 - Add-on update site certificate pin expiration [high]</p>
4752	</blockquote>
4753      </body>
4754    </description>
4755    <references>
4756      <cvename>CVE-2016-2827</cvename>
4757      <cvename>CVE-2016-5256</cvename>
4758      <cvename>CVE-2016-5257</cvename>
4759      <cvename>CVE-2016-5270</cvename>
4760      <cvename>CVE-2016-5271</cvename>
4761      <cvename>CVE-2016-5272</cvename>
4762      <cvename>CVE-2016-5273</cvename>
4763      <cvename>CVE-2016-5274</cvename>
4764      <cvename>CVE-2016-5275</cvename>
4765      <cvename>CVE-2016-5276</cvename>
4766      <cvename>CVE-2016-5277</cvename>
4767      <cvename>CVE-2016-5278</cvename>
4768      <cvename>CVE-2016-5279</cvename>
4769      <cvename>CVE-2016-5280</cvename>
4770      <cvename>CVE-2016-5281</cvename>
4771      <cvename>CVE-2016-5282</cvename>
4772      <cvename>CVE-2016-5283</cvename>
4773      <cvename>CVE-2016-5284</cvename>
4774      <url>https://www.mozilla.org/security/advisories/mfsa2016-85/</url>
4775      <url>https://www.mozilla.org/security/advisories/mfsa2016-86/</url>
4776      <url>https://www.mozilla.org/security/advisories/mfsa2016-88/</url>
4777    </references>
4778    <dates>
4779      <discovery>2016-09-13</discovery>
4780      <entry>2016-09-20</entry>
4781      <modified>2016-10-21</modified>
4782    </dates>
4783  </vuln>
4784
4785  <vuln vid="653a8059-7c49-11e6-9242-3065ec8fd3ec">
4786    <topic>chromium -- multiple vulnerabilities</topic>
4787    <affects>
4788      <package>
4789	<name>chromium</name>
4790	<name>chromium-npapi</name>
4791	<name>chromium-pulse</name>
4792	<range><lt>53.0.2785.113</lt></range>
4793      </package>
4794    </affects>
4795    <description>
4796      <body xmlns="http://www.w3.org/1999/xhtml">
4797	<p>Google Chrome Releases reports:</p>
4798	<blockquote cite="https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_13.html">
4799	  <p>Several security fixes in this release, including:</p>
4800	  <ul>
4801	    <li>[641101] High CVE-2016-5170: Use after free in Blink. Credit to
4802	      Anonymous</li>
4803	    <li>[643357] High CVE-2016-5171: Use after free in Blink. Credit to
4804	      Anonymous</li>
4805	    <li>[616386] Medium CVE-2016-5172: Arbitrary Memory Read in v8.
4806	      Credit to Choongwoo Han</li>
4807	    <li>[468931] Medium CVE-2016-5173: Extension resource access.
4808	      Credit to Anonymous</li>
4809	    <li>[579934] Medium CVE-2016-5174: Popup not correctly suppressed.
4810	      Credit to Andrey Kovalev (@L1kvID) Yandex Security Team</li>
4811	    <li>[646394] CVE-2016-5175: Various fixes from internal audits,
4812	      fuzzing and other initiatives.</li>
4813	  </ul>
4814	</blockquote>
4815      </body>
4816    </description>
4817    <references>
4818      <cvename>CVE-2016-5170</cvename>
4819      <cvename>CVE-2016-5171</cvename>
4820      <cvename>CVE-2016-5172</cvename>
4821      <cvename>CVE-2016-5173</cvename>
4822      <cvename>CVE-2016-5174</cvename>
4823      <cvename>CVE-2016-5175</cvename>
4824      <url>https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_13.html</url>
4825    </references>
4826    <dates>
4827      <discovery>2016-09-13</discovery>
4828      <entry>2016-09-16</entry>
4829    </dates>
4830  </vuln>
4831
4832  <vuln vid="b64a7389-7c27-11e6-8aaa-5404a68ad561">
4833    <topic>Remote-Code-Execution vulnerability in mysql and its variants CVE-2016-6662</topic>
4834    <affects>
4835      <package>
4836	<name>mysql57-client</name>
4837	<name>mysql57-server</name>
4838	<range><lt>5.7.15</lt></range>
4839      </package>
4840    </affects>
4841    <description>
4842      <body xmlns="http://www.w3.org/1999/xhtml">
4843	<p>LegalHackers reports:</p>
4844	<blockquote cite="http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html">
4845	  <p>RCE bugs discovered in MySQL and its variants like MariaDB.
4846	     It works by manipulating my.cnf files and using --malloc-lib.
4847	     The bug seems fixed in MySQL 5.7.15 by Oracle.</p>
4848	</blockquote>
4849      </body>
4850    </description>
4851    <references>
4852      <cvename>CVE-2016-6662</cvename>
4853      <url>http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html</url>
4854      <url>https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html</url>
4855    </references>
4856    <dates>
4857      <discovery>2016-09-12</discovery>
4858      <entry>2016-09-14</entry>
4859    </dates>
4860  </vuln>
4861
4862  <vuln vid="bc19dcca-7b13-11e6-b99e-589cfc0654e1">
4863    <topic>dropbear -- multiple vulnerabilities</topic>
4864    <affects>
4865      <package>
4866	<name>dropbear</name>
4867	<range><lt>2016.74</lt></range>
4868      </package>
4869    </affects>
4870    <description>
4871      <body xmlns="http://www.w3.org/1999/xhtml">
4872	<p>Matt Johnston reports:</p>
4873	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/09/15/2">
4874	  <p>If specific usernames including "%" symbols can be created on a system
4875	     (validated by getpwnam()) then an attacker could run arbitrary code as root
4876	     when connecting to Dropbear server.</p>
4877	  <p>A dbclient user who can control username or host arguments could potentially
4878	     run arbitrary code as the dbclient user. This could be a problem if scripts
4879	     or webpages pass untrusted input to the dbclient program.</p>
4881	  <p>dropbearconvert import of OpenSSH keys could run arbitrary code as
4882	     the local dropbearconvert user when parsing malicious key files.</p>
4883	  <p>dbclient could run arbitrary code as the local dbclient user if
4884	     particular -m or -c arguments are provided. This could be an issue where
4885	     dbclient is used in scripts.</p>
4886	  <p>dbclient or dropbear server could expose process memory to the
4887	     running user if compiled with DEBUG_TRACE and running with -v.</p>
4888	</blockquote>
4889      </body>
4890    </description>
4891    <references>
4892      <url>http://www.openwall.com/lists/oss-security/2016/09/15/2</url>
4893      <cvename>CVE-2016-7406</cvename>
4894      <cvename>CVE-2016-7407</cvename>
4895      <cvename>CVE-2016-7408</cvename>
4896      <cvename>CVE-2016-7409</cvename>
4897    </references>
4898    <dates>
4899      <discovery>2016-07-12</discovery>
4900      <entry>2016-09-15</entry>
4901    </dates>
4902  </vuln>
4903
4904  <vuln vid="08664d42-7989-11e6-b7a8-74d02b9a84d5">
4905    <topic>h2o -- fix DoS attack vector</topic>
4906    <affects>
4907      <package>
4908	<name>h2o</name>
4909	<range>
4910	  <lt>2.0.4</lt>
4911	</range>
4912      </package>
4913    </affects>
4914    <description>
4915      <body xmlns="http://www.w3.org/1999/xhtml">
4916	<p>Frederik Deweerdt reported a denial-of-service attack vector
4917	due to an unhandled error condition during socket connection.</p>
4918      </body>
4919    </description>
4920    <references>
4921      <url>https://github.com/h2o/h2o/issues/1077</url>
4922      <cvename>CVE-2016-4864</cvename>
4923    </references>
4924    <dates>
4925      <discovery>2016-06-09</discovery>
4926      <entry>2016-09-14</entry>
4927    </dates>
4928  </vuln>
4929
4930  <vuln vid="b018121b-7a4b-11e6-bf52-b499baebfeaf">
4931    <topic>cURL -- Escape and unescape integer overflows</topic>
4932    <affects>
4933      <package>
4934	<name>curl</name>
4935	<range><ge>7.11.1</ge><lt>7.50.3</lt></range>
4936      </package>
4937    </affects>
4938    <description>
4939      <body xmlns="http://www.w3.org/1999/xhtml">
4940	<p>The cURL project reports:</p>
4941	<blockquote cite="https://curl.haxx.se/docs/adv_20160914.html">
4942	  <p>The four libcurl functions curl_escape(), curl_easy_escape(),
4943	    curl_unescape and curl_easy_unescape perform string URL percent
4944	    escaping and unescaping. They accept custom string length inputs
4945	    in signed integer arguments.</p>
4946	  <p>The provided string length arguments were not properly checked
4947	    and due to arithmetic in the functions, passing in the length
4948	    0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up
4949	    causing an allocation of zero bytes of heap memory that curl
4950	    would attempt to write gigabytes of data into.</p>
4951	</blockquote>
4952      </body>
4953    </description>
4954    <references>
4955      <url>https://curl.haxx.se/docs/adv_20160914.html</url>
4956      <cvename>CVE-2016-7167</cvename>
4957    </references>
4958    <dates>
4959      <discovery>2016-09-14</discovery>
4960      <entry>2016-09-14</entry>
4961    </dates>
4962  </vuln>
4963
4964  <vuln vid="769ba449-79e1-11e6-bf75-3065ec8fd3ec">
4965    <topic>chromium -- multiple vulnerabilities</topic>
4966    <affects>
4967      <package>
4968	<name>chromium</name>
4969	<name>chromium-npapi</name>
4970	<name>chromium-pulse</name>
4971	<range><lt>53.0.2785.92</lt></range>
4972      </package>
4973    </affects>
4974    <description>
4975      <body xmlns="http://www.w3.org/1999/xhtml">
4976	<p>Google Chrome Releases reports:</p>
4977	<blockquote cite="https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop_31.html">
4978	  <p>33 security fixes in this release</p>
4979	  <p>Please reference CVE/URL list for details</p>
4980	</blockquote>
4981      </body>
4982    </description>
4983    <references>
4984      <cvename>CVE-2016-5147</cvename>
4985      <cvename>CVE-2016-5148</cvename>
4986      <cvename>CVE-2016-5149</cvename>
4987      <cvename>CVE-2016-5150</cvename>
4988      <cvename>CVE-2016-5151</cvename>
4989      <cvename>CVE-2016-5152</cvename>
4990      <cvename>CVE-2016-5153</cvename>
4991      <cvename>CVE-2016-5154</cvename>
4992      <cvename>CVE-2016-5155</cvename>
4993      <cvename>CVE-2016-5156</cvename>
4994      <cvename>CVE-2016-5157</cvename>
4995      <cvename>CVE-2016-5158</cvename>
4996      <cvename>CVE-2016-5159</cvename>
4997      <cvename>CVE-2016-5160</cvename>
4998      <cvename>CVE-2016-5161</cvename>
4999      <cvename>CVE-2016-5162</cvename>
5000      <cvename>CVE-2016-5163</cvename>
5001      <cvename>CVE-2016-5164</cvename>
5002      <cvename>CVE-2016-5165</cvename>
5003      <cvename>CVE-2016-5166</cvename>
5004      <cvename>CVE-2016-5167</cvename>
5005      <url>https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop_31.html</url>
5006    </references>
5007    <dates>
5008      <discovery>2016-08-31</discovery>
5009      <entry>2016-09-13</entry>
5010    </dates>
5011  </vuln>
5012
5013  <vuln vid="958b9cee-79da-11e6-bf75-3065ec8fd3ec">
5014    <topic>chromium -- multiple vulnerabilities</topic>
5015    <affects>
5016      <package>
5017	<name>chromium</name>
5018	<name>chromium-npapi</name>
5019	<name>chromium-pulse</name>
5020	<range><lt>52.0.2743.116</lt></range>
5021      </package>
5022    </affects>
5023    <description>
5024      <body xmlns="http://www.w3.org/1999/xhtml">
5025	<p>Google Chrome Releases reports:</p>
5026	<blockquote cite="https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop.html">
5027	  <p>10 security fixes in this release, including:</p>
5028	  <ul>
5029	    <li>[629542] High CVE-2016-5141 Address bar spoofing. Credit to
5030	      anonymous</li>
5031	    <li>[626948] High CVE-2016-5142 Use-after-free in Blink. Credit to
5032	      anonymous</li>
5033	    <li>[625541] High CVE-2016-5139 Heap overflow in pdfium. Credit to
5034	      GiWan Go of Stealien</li>
5035	    <li>[619405] High CVE-2016-5140 Heap overflow in pdfium. Credit to
5036	      Ke Liu of Tencent's Xuanwu LAB</li>
5037	    <li>[623406] Medium CVE-2016-5145 Same origin bypass for images in
5038	      Blink. Credit to anonymous</li>
5039	    <li>[619414] Medium CVE-2016-5143 Parameter sanitization failure in
5040	      DevTools. Credit to Gregory Panakkal</li>
5041	    <li>[618333] Medium CVE-2016-5144 Parameter sanitization failure in
5042	      DevTools. Credit to Gregory Panakkal</li>
5043	    <li>[633486] CVE-2016-5146: Various fixes from internal audits,
5044	     fuzzing and other initiatives.</li>
5045	  </ul>
5046	</blockquote>
5047      </body>
5048    </description>
5049    <references>
5050      <cvename>CVE-2016-5139</cvename>
5051      <cvename>CVE-2016-5140</cvename>
5052      <cvename>CVE-2016-5141</cvename>
5053      <cvename>CVE-2016-5142</cvename>
5054      <cvename>CVE-2016-5143</cvename>
5055      <cvename>CVE-2016-5144</cvename>
5056      <cvename>CVE-2016-5145</cvename>
5057      <cvename>CVE-2016-5146</cvename>
5058      <url>https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop.html</url>
5059    </references>
5060    <dates>
5061      <discovery>2016-08-03</discovery>
5062      <entry>2016-09-13</entry>
5063    </dates>
5064  </vuln>
5065
5066  <vuln vid="856b88bf-7984-11e6-81e7-d050996490d0">
5067    <topic>mysql -- Remote Root Code Execution</topic>
5068    <affects>
5069      <package>
5070	<name>mariadb55-server</name>
5071	<range><lt>5.5.51</lt></range>
5072      </package>
5073      <package>
5074	<name>mariadb100-server</name>
5075	<range><lt>10.0.27</lt></range>
5076      </package>
5077      <package>
5078	<name>mariadb101-server</name>
5079	<range><lt>10.1.17</lt></range>
5080      </package>
5081      <package>
5082	<name>mysql55-server</name>
5083	<range><lt>5.5.52</lt></range>
5084      </package>
5085      <package>
5086	<name>mysql56-server</name>
5087	<range><lt>5.6.33</lt></range>
5088      </package>
5089      <package>
5090	<name>mysql57-server</name>
5091	<range><lt>5.7.15</lt></range>
5092      </package>
5093      <package>
5094	<name>percona55-server</name>
5095	<range><lt>5.5.51.38.1</lt></range>
5096      </package>
5097      <package>
5098	<name>percona56-server</name>
5099	<range><lt>5.6.32.78.0</lt></range>
5100      </package>
5101      <package>
5102	<name>percona57-server</name>
5103	<range><lt>5.7.14.7</lt></range>
5104      </package>
5105    </affects>
5106    <description>
5107      <body xmlns="http://www.w3.org/1999/xhtml">
5108	<p>Dawid Golunski reports:</p>
5109	<blockquote cite="http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt">
5110	  <p>Independent research has revealed multiple severe MySQL
5111	    vulnerabilities.  This advisory focuses on a critical
5112	    vulnerability with a CVEID of CVE-2016-6662 which can allow
5113	    attackers to (remotely) inject malicious settings into MySQL
5114	    configuration files (my.cnf) leading to critical
5115	    consequences.</p>
5116	</blockquote>
5117      </body>
5118    </description>
5119    <references>
5120      <cvename>CVE-2016-6662</cvename>
5121      <url>http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt</url>
5122      <url>https://jira.mariadb.org/browse/MDEV-10465</url>
5123      <url>https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662/</url>
5124      <url>https://www.percona.com/blog/2016/09/12/database-affected-cve-2016-6662/</url>
5125      <url>https://www.psce.com/blog/2016/09/12/how-to-quickly-patch-mysql-server-against-cve-2016-6662/</url>
5126    </references>
5127    <dates>
5128      <discovery>2016-09-12</discovery>
5129      <entry>2016-09-13</entry>
5130    </dates>
5131  </vuln>
5132
5133  <vuln vid="331eabb3-85b1-466a-a2af-66ac864d395a">
5134    <topic>wolfssl -- leakage of private key information</topic>
5135    <affects>
5136      <package>
5137	<name>wolfssl</name>
5138	<range><lt>3.6.8</lt></range>
5139      </package>
5140    </affects>
5141    <description>
5142      <body xmlns="http://www.w3.org/1999/xhtml">
5143	<p>Florian Weimer of Red Hat discovered that an optimization in
5144	RSA signature validation can result in disclosure of the
5145	server's private key under certain fault conditions.</p>
5146      </body>
5147    </description>
5148    <references>
5149      <url>https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html</url>
5150      <url>https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/</url>
5151      <cvename>CVE-2015-7744</cvename>
5152    </references>
5153    <dates>
5154      <discovery>2015-09-17</discovery>
5155      <entry>2016-01-05</entry>
5156    </dates>
5157  </vuln>
5158
5159  <vuln vid="3d1372e1-7822-4fd8-b56e-5ee832afbd96">
5160    <topic>wolfssl -- DDoS amplification in DTLS</topic>
5161    <affects>
5162      <package>
5163	<name>wolfssl</name>
5164	<range><lt>3.6.8</lt></range>
5165      </package>
5166    </affects>
5167    <description>
5168      <body xmlns="http://www.w3.org/1999/xhtml">
5169	<p>Sebastian Ramacher identified an error in wolfSSL's implementation
5170	  of the server side of the DTLS handshake, which could be abused
5171	  for DDoS amplification or a DoS on the DTLS server itself.</p>
5172      </body>
5173    </description>
5174    <references>
5175      <url>https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html</url>
5176      <url>https://github.com/IAIK/wolfSSL-DoS</url>
5177      <cvename>CVE-2015-6925</cvename>
5178    </references>
5179    <dates>
5180      <discovery>2015-09-18</discovery>
5181      <entry>2016-01-05</entry>
5182    </dates>
5183  </vuln>
5184
5185  <vuln vid="a0128291-7690-11e6-95a8-0011d823eebd">
5186    <topic>gnutls -- OCSP validation issue</topic>
5187    <affects>
5188      <package>
5189	<name>gnutls</name>
5190	<range><lt>3.4.15</lt></range>
5191      </package>
5192    </affects>
5193    <description>
5194      <body xmlns="http://www.w3.org/1999/xhtml">
5195	<p>gnutls.org reports:</p>
5196	<blockquote cite="https://gnutls.org/security.html#GNUTLS-SA-2016-3">
5197	  <p>Stefan Bühler discovered an issue that affects validation
5198	    of certificates using OCSP responses, which can falsely report a
5199	    certificate as valid under certain circumstances.</p>
5200	</blockquote>
5201      </body>
5202    </description>
5203    <references>
5204      <url>https://gnutls.org/security.html#GNUTLS-SA-2016-3</url>
5205    </references>
5206    <dates>
5207      <discovery>2016-09-08</discovery>
5208      <entry>2016-09-09</entry>
5209    </dates>
5210  </vuln>
5211
5212  <vuln vid="aa1aefe3-6e37-47db-bfda-343ef4acb1b5">
5213    <topic>Mozilla -- multiple vulnerabilities</topic>
5214    <affects>
5215      <package>
5216	<name>firefox</name>
5217	<range><lt>48.0,1</lt></range>
5218      </package>
5219      <package>
5220	<name>seamonkey</name>
5221	<name>linux-seamonkey</name>
5222	<range><lt>2.45</lt></range>
5223      </package>
5224      <package>
5225	<name>firefox-esr</name>
5226	<range><lt>45.3.0,1</lt></range>
5227      </package>
5228      <package>
5229	<name>linux-firefox</name>
5230	<range><lt>45.3.0,2</lt></range>
5231      </package>
5232      <package>
5233	<name>libxul</name>
5234	<name>thunderbird</name>
5235	<name>linux-thunderbird</name>
5236	<range><lt>45.3.0</lt></range>
5237      </package>
5238    </affects>
5239    <description>
5240      <body xmlns="http://www.w3.org/1999/xhtml">
5241	<p>Mozilla Foundation reports:</p>
5242	<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox48">
5243	  <p>Please reference CVE/URL list for details</p>
5244	</blockquote>
5245      </body>
5246    </description>
5247    <references>
5248      <cvename>CVE-2016-0718</cvename>
5249      <cvename>CVE-2016-2830</cvename>
5250      <cvename>CVE-2016-2835</cvename>
5251      <cvename>CVE-2016-2836</cvename>
5252      <cvename>CVE-2016-2837</cvename>
5253      <cvename>CVE-2016-2838</cvename>
5254      <cvename>CVE-2016-2839</cvename>
5255      <cvename>CVE-2016-5250</cvename>
5256      <cvename>CVE-2016-5251</cvename>
5257      <cvename>CVE-2016-5252</cvename>
5258      <cvename>CVE-2016-5253</cvename>
5259      <cvename>CVE-2016-5254</cvename>
5260      <cvename>CVE-2016-5255</cvename>
5261      <cvename>CVE-2016-5258</cvename>
5262      <cvename>CVE-2016-5259</cvename>
5263      <cvename>CVE-2016-5260</cvename>
5264      <cvename>CVE-2016-5261</cvename>
5265      <cvename>CVE-2016-5262</cvename>
5266      <cvename>CVE-2016-5263</cvename>
5267      <cvename>CVE-2016-5264</cvename>
5268      <cvename>CVE-2016-5265</cvename>
5269      <cvename>CVE-2016-5266</cvename>
5270      <cvename>CVE-2016-5267</cvename>
5271      <cvename>CVE-2016-5268</cvename>
5272      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/</url>
5273      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-63/</url>
5274      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-64/</url>
5275      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-65/</url>
5276      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-66/</url>
5277      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-67/</url>
5278      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-68/</url>
5279      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-69/</url>
5280      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-70/</url>
5281      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-71/</url>
5282      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-72/</url>
5283      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-73/</url>
5284      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-74/</url>
5285      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-75/</url>
5286      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-76/</url>
5287      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-77/</url>
5288      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-78/</url>
5289      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-79/</url>
5290      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-80/</url>
5291      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-81/</url>
5292      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-82/</url>
5293      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-83/</url>
5294      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-84/</url>
5295    </references>
5296    <dates>
5297      <discovery>2016-08-02</discovery>
5298      <entry>2016-09-07</entry>
5299      <modified>2016-09-20</modified>
5300    </dates>
5301  </vuln>
5302
5303  <vuln vid="5cb18881-7604-11e6-b362-001999f8d30b">
5304    <topic>asterisk -- RTP Resource Exhaustion</topic>
5305    <affects>
5306      <package>
5307	<name>asterisk11</name>
5308	<range><lt>11.23.1</lt></range>
5309      </package>
5310      <package>
5311	<name>asterisk13</name>
5312	<range><lt>13.11.1</lt></range>
5313      </package>
5314    </affects>
5315    <description>
5316      <body xmlns="http://www.w3.org/1999/xhtml">
5317	<p>The Asterisk project reports:</p>
5318	<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
5319	  <p>The overlap dialing feature in chan_sip allows chan_sip
5320	  to report to a device that the number that has been dialed
5321	  is incomplete and more digits are required. If this
5322	  functionality is used with a device that has performed
5323	  username/password authentication RTP resources are leaked.
5324	  This occurs because the code fails to release the old RTP
5325	  resources before allocating new ones in this scenario.
5326	  If all resources are used then RTP port exhaustion will
5327	  occur and no RTP sessions are able to be set up.</p>
5328	  <p>If overlap dialing support is not needed the "allowoverlap"
5329	  option can be set to no. This will stop any usage of the
5330	  scenario which causes the resource exhaustion.</p>
5331	</blockquote>
5332      </body>
5333    </description>
5334    <references>
5335      <url>http://downloads.asterisk.org/pub/security/AST-2016-007.html</url>
5336    </references>
5337    <dates>
5338      <discovery>2016-08-05</discovery>
5339      <entry>2016-09-08</entry>
5340    </dates>
5341  </vuln>
5342
5343  <vuln vid="7fda7920-7603-11e6-b362-001999f8d30b">
5344    <topic>asterisk -- Crash on ACK from unknown endpoint</topic>
5345    <affects>
5346      <package>
5347	<name>asterisk13</name>
5348	<range><ge>13.10.0</ge><lt>13.11.1</lt></range>
5349      </package>
5350    </affects>
5351    <description>
5352      <body xmlns="http://www.w3.org/1999/xhtml">
5353	<p>The Asterisk project reports:</p>
5354	<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
5355	  <p>Asterisk can be crashed remotely by sending an ACK to
5356	  it from an endpoint username that Asterisk does not
5357	  recognize. Most SIP request types result in an "artificial"
5358	  endpoint being looked up, but ACKs bypass this lookup.
5359	  The resulting NULL pointer results in a crash when
5360	  attempting to determine if ACLs should be applied.</p>
5361	  <p>This issue was introduced in the Asterisk 13.10 release
5362	  and only affects that release.</p>
5363	  <p>This issue only affects users using the PJSIP stack
5364	  with Asterisk. Those users that use chan_sip are
5365	  unaffected.</p>
5366	</blockquote>
5367      </body>
5368    </description>
5369    <references>
5370      <url>http://downloads.asterisk.org/pub/security/AST-2016-006.html</url>
5371    </references>
5372    <dates>
5373      <discovery>2016-08-03</discovery>
5374      <entry>2016-09-08</entry>
5375    </dates>
5376  </vuln>
5377
5378  <vuln vid="70c85c93-743c-11e6-a590-14dae9d210b8">
5379    <topic>inspircd -- authentication bypass vulnerability</topic>
5380    <affects>
5381      <package>
5382	<name>inspircd</name>
5383	<range><lt>2.0.23</lt></range>
5384      </package>
5385    </affects>
5386    <description>
5387      <body xmlns="http://www.w3.org/1999/xhtml">
5388	<p>Adam reports:</p>
5389	<blockquote cite="http://www.inspircd.org/2016/09/03/v2023-released.html">
5390	  <p>A serious vulnerability exists when using m_sasl in
5391	    combination with any services that support SASL EXTERNAL.
5392	    To be vulnerable you must have m_sasl loaded, and have services which
5393	    support SASL EXTERNAL authentication.</p>
5394	</blockquote>
5395      </body>
5396    </description>
5397    <references>
5398      <url>http://www.inspircd.org/2016/09/03/v2023-released.html</url>
5399    </references>
5400    <dates>
5401      <discovery>2016-09-03</discovery>
5402      <entry>2016-09-06</entry>
5403    </dates>
5404  </vuln>
5405
5406  <vuln vid="9e50dcc3-740b-11e6-94a2-080027ef73ec">
5407    <topic>mailman -- CSRF hardening in parts of the web interface</topic>
5408    <affects>
5409      <package>
5410	<name>mailman</name>
5411	<range><lt>2.1.15</lt></range>
5412      </package>
5413    </affects>
5414    <description>
5415      <body xmlns="http://www.w3.org/1999/xhtml">
5416	<p>The late Tokio Kikuchi reported:</p>
5417	<blockquote cite="https://bugs.launchpad.net/mailman/+bug/775294">
5418	  <p>We may have to set lifetime for input forms because of recent
5419	    activities on cross-site request forgery (CSRF). The form lifetime
5420	    is successfully deployed in frameworks like web.py or plone etc.
5421	    Proposed branch lp:~tkikuchi/mailman/form-lifetime implements
5422	    lifetime in admin, admindb, options and edithtml interfaces.
5423	    [...]</p>
5424	</blockquote>
5425	<blockquote cite="https://launchpad.net/mailman/2.1/2.1.15">
5426	  <p>The web admin interface has been hardened against CSRF attacks by
5427	  adding a hidden, encrypted token with a time stamp to form submissions
5428	  and not accepting authentication by cookie if the token is missing,
5429	  invalid or older than the new mm_cfg.py setting FORM_LIFETIME which
5430	  defaults to one hour.  Posthumous thanks go to Tokio Kikuchi for this implementation [...].</p>
5431	</blockquote>
5432      </body>
5433    </description>
5434    <references>
5435      <url>https://bugs.launchpad.net/mailman/+bug/775294</url>
5436      <url>https://launchpad.net/mailman/2.1/2.1.15</url>
5437      <cvename>CVE-2016-7123</cvename>
5438    </references>
5439    <dates>
5440      <discovery>2011-05-02</discovery>
5441      <entry>2016-09-06</entry>
5442    </dates>
5443  </vuln>
5444
5445  <vuln vid="adccefd1-7080-11e6-a2cb-c80aa9043978">
5446    <topic>openssh -- sshd -- remote valid user discovery and PAM /bin/login attack</topic>
5447    <affects>
5448      <package>
5449	<name>openssh-portable</name>
5450	<range><lt>7.3.p1,1</lt></range>
5451      </package>
5452    </affects>
5453    <description>
5454      <body xmlns="http://www.w3.org/1999/xhtml">
5455	<p>The OpenSSH project reports:</p>
5456	<blockquote cite="http://www.openssh.com/txt/release-7.3">
5457	  <p>sshd(8): Mitigate timing differences in password authentication
5458	    that could be used to discern valid from invalid account names
5459	    when long passwords were sent and particular password hashing
5460	    algorithms are in use on the server. CVE-2016-6210, reported by
5461	    EddieEzra.Harari at verint.com
5462	  </p>
5463	  <p>sshd(8): (portable only) Ignore PAM environment vars when
5464	    UseLogin=yes. If PAM is configured to read user-specified
5465	    environment variables and UseLogin=yes in sshd_config, then a
5466	    hostile local user may attack /bin/login via LD_PRELOAD or
5467	    similar environment variables set via PAM. CVE-2015-8325,
5468	    found by Shayan Sadigh.
5469	  </p>
5470	</blockquote>
5471      </body>
5472    </description>
5473    <references>
5474      <url>http://www.openssh.com/txt/release-7.3</url>
5475      <cvename>CVE-2016-6210</cvename>
5476      <cvename>CVE-2015-8325</cvename>
5477    </references>
5478    <dates>
5479      <discovery>2016-08-01</discovery>
5480      <entry>2016-09-01</entry>
5481    </dates>
5482  </vuln>
5483
5484  <vuln vid="b11ab01b-6e19-11e6-ab24-080027ef73ec">
5485    <topic>mailman -- CSRF protection enhancements</topic>
5486    <affects>
5487      <package>
5488	<name>mailman</name>
5489	<range><lt>2.1.23</lt></range>
5490      </package>
5491    </affects>
5492    <description>
5493      <body xmlns="http://www.w3.org/1999/xhtml">
5494	<p>Mark Sapiro reports:</p>
5495	<blockquote cite="http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1668">
5496	  <p>CSRF protection has been extended to the user options page.  This
5497	    was actually fixed by Tokio Kikuchi as part of the fix for LP:
5498	    #775294 and intended for Mailman 2.1.15, but that fix wasn't
5499	    completely merged at the time.  The full fix also addresses the
5500	    admindb, and edithtml pages as well as the user options page and the
5501	    previously fixed admin pages.  Thanks to Nishant Agarwala for reporting the issue.</p>
5502	</blockquote>
5503      </body>
5504    </description>
5505    <references>
5506      <url>http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1668</url>
5507      <url>https://mail.python.org/pipermail/mailman-announce/2016-August/000226.html</url>
5508      <cvename>CVE-2016-6893</cvename>
5509    </references>
5510    <dates>
5511      <discovery>2016-08-19</discovery>
5512      <entry>2016-08-29</entry>
5513    </dates>
5514  </vuln>
5515
5516  <vuln vid="e195679d-045b-4953-bb33-be0073ba2ac6">
5517    <topic>libxml2 -- multiple vulnerabilities</topic>
5518    <affects>
5519      <package>
5520	<name>libxml2</name>
5521	<range><lt>2.9.4</lt></range>
5522      </package>
5523    </affects>
5524    <description>
5525      <body xmlns="http://www.w3.org/1999/xhtml">
5526	<p>Daniel Veillard reports:</p>
5527	<blockquote cite="https://mail.gnome.org/archives/xml/2016-May/msg00023.html">
5528	  <p>More format string warnings with possible format string
5529	    vulnerability (David Kilzer)</p>
5530	  <p>Avoid building recursive entities (Daniel Veillard)</p>
5531	  <p>Heap-based buffer overread in htmlCurrentChar (Pranjal Jumde)</p>
5532	  <p>Heap-based buffer-underreads due to xmlParseName (David Kilzer)</p>
5533	  <p>Heap use-after-free in xmlSAX2AttributeNs (Pranjal Jumde)</p>
5534	  <p>Heap use-after-free in htmlParsePubidLiteral and
5535	    htmlParseSystemLiteral (Pranjal Jumde)</p>
5536	  <p>Fix some format string warnings with possible format string
5537	    vulnerability (David Kilzer)</p>
5538	  <p>Detect change of encoding when parsing HTML names (Hugh Davenport)</p>
5539	  <p>Fix inappropriate fetch of entities content (Daniel Veillard)</p>
5540	  <p>Bug 759398: Heap use-after-free in xmlDictComputeFastKey
5541	    (Pranjal Jumde)</p>
5542	  <p>Bug 758605: Heap-based buffer overread in xmlDictAddString
5543	    (Pranjal Jumde)</p>
5544	  <p>Bug 758588: Heap-based buffer overread in
5545	    xmlParserPrintFileContextInternal (David Kilzer)</p>
5546	  <p>Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
5547	    (Pranjal Jumde)</p>
5548	  <p>Add missing increments of recursion depth counter to XML parser.
5549	    (Peter Simons)</p>
5550	  <p>Fix NULL pointer deref in XPointer range-to</p>
5551	</blockquote>
5552      </body>
5553    </description>
5554    <references>
5555      <url>https://mail.gnome.org/archives/xml/2016-May/msg00023.html</url>
5556      <url>https://bugzilla.gnome.org/show_bug.cgi?id=759398</url>
5557      <url>https://bugzilla.gnome.org/show_bug.cgi?id=758605</url>
5558      <url>https://bugzilla.gnome.org/show_bug.cgi?id=758588</url>
5559      <url>https://bugzilla.gnome.org/show_bug.cgi?id=757711</url>
5560      <url>https://git.gnome.org/browse/libxml2/patch/?id=d8083bf77955b7879c1290f0c0a24ab8cc70f7fb</url>
5561      <cvename>CVE-2016-1762</cvename>
5562      <cvename>CVE-2016-1833</cvename>
5563      <cvename>CVE-2016-1834</cvename>
5564      <cvename>CVE-2016-1835</cvename>
5565      <cvename>CVE-2016-1836</cvename>
5566      <cvename>CVE-2016-1837</cvename>
5567      <cvename>CVE-2016-1838</cvename>
5568      <cvename>CVE-2016-1839</cvename>
5569      <cvename>CVE-2016-1840</cvename>
5570      <cvename>CVE-2016-3627</cvename>
5571      <cvename>CVE-2016-3705</cvename>
5572      <cvename>CVE-2016-4449</cvename>
5573      <cvename>CVE-2016-4483</cvename>
5574    </references>
5575    <dates>
5576      <discovery>2016-05-23</discovery>
5577      <entry>2016-08-28</entry>
5578    </dates>
5579  </vuln>
5580
5581  <vuln vid="4472ab39-6c66-11e6-9ca5-50e549ebab6c">
5582    <topic>kdelibs -- directory traversal vulnerability</topic>
5583    <affects>
5584      <package>
5585	<name>kdelibs</name>
5586	<range><lt>4.14.10_7</lt></range>
5587      </package>
5588    </affects>
5589    <description>
5590      <body xmlns="http://www.w3.org/1999/xhtml">
5591	<p>David Faure reports:</p>
5592	<blockquote cite="https://www.kde.org/info/security/advisory-20160724-1.txt">
5593	  <p>A maliciously crafted archive (.zip or .tar.bz2) with "../" in the
5594	    file paths could be offered for download via the KNewStuff
5595	    framework (e.g. on www.kde-look.org), and upon extraction would
5596	    install files anywhere in the user's home directory.</p>
5597	</blockquote>
5598      </body>
5599    </description>
5600    <references>
5601	<cvename>CVE-2016-6232</cvename>
5602      <url>https://www.kde.org/info/security/advisory-20160724-1.txt</url>
5603    </references>
5604    <dates>
5605      <discovery>2016-07-24</discovery>
5606      <entry>2016-08-27</entry>
5607    </dates>
5608  </vuln>
5609
5610  <vuln vid="f5035ead-688b-11e6-8b1d-c86000169601">
5611    <topic>eog -- out-of-bounds write</topic>
5612    <affects>
5613      <package>
5614	<name>eog</name>
5615	<range><lt>3.18.3</lt></range>
5616      </package>
5617    </affects>
5618    <description>
5619      <body xmlns="http://www.w3.org/1999/xhtml">
5620	<p>Felix Riemann reports:</p>
5621	<blockquote cite="https://mail.gnome.org/archives/ftp-release-list/2016-August/msg00123.html">
5622	  <p>CVE-2016-6855 out-of-bounds write in eog 3.10.2.</p>
5623	</blockquote>
5624      </body>
5625    </description>
5626    <references>
5627      <url>https://mail.gnome.org/archives/ftp-release-list/2016-August/msg00123.html</url>
5628      <cvename>CVE-2016-6855</cvename>
5629    </references>
5630    <dates>
5631      <discovery>2016-08-21</discovery>
5632      <entry>2016-08-22</entry>
5633    </dates>
5634  </vuln>
5635
5636  <vuln vid="44989c29-67d1-11e6-8b1d-c86000169601">
5637    <topic>fontconfig -- insufficient cache file validation</topic>
5638    <affects>
5639      <package>
5640	<name>fontconfig</name>
5641	<range><lt>1.12.1</lt></range>
5642      </package>
5643    </affects>
5644    <description>
5645      <body xmlns="http://www.w3.org/1999/xhtml">
5646	<p>Debian security team reports:</p>
5647	<blockquote cite="https://packetstormsecurity.com/files/138236/Debian-Security-Advisory-3644-1.html">
5648	  <p>Tobias Stoeckmann discovered that cache files are insufficiently
5649	    validated in fontconfig, a generic font configuration library. An
5650	    attacker can trigger arbitrary free() calls, which in turn allows
5651	    double free attacks and therefore arbitrary code execution. In
5652	    combination with setuid binaries using crafted cache files, this
5653	    could allow privilege escalation.</p>
5654	</blockquote>
5655      </body>
5656    </description>
5657    <references>
5658      <url>https://packetstormsecurity.com/files/138236/Debian-Security-Advisory-3644-1.html</url>
5659      <cvename>CVE-2016-5384</cvename>
5660    </references>
5661    <dates>
5662      <discovery>2016-08-05</discovery>
5663      <entry>2016-08-21</entry>
5664    </dates>
5665  </vuln>
5666
5667  <vuln vid="7fe7df75-6568-11e6-a590-14dae9d210b8">
5668    <topic>End of Life Ports</topic>
5669    <affects>
5670      <package>
5671	<name>python32</name>
5672	<name>python31</name>
5673	<name>python30</name>
5674	<name>python26</name>
5675	<name>python25</name>
5676	<name>python24</name>
5677	<name>python23</name>
5678	<name>python22</name>
5679	<name>python21</name>
5680	<name>python20</name>
5681	<name>python15</name>
5682	<range><ge>0</ge></range>
5683      </package>
5684      <package>
5685	<name>php54</name>
5686	<name>php53</name>
5687	<name>php52</name>
5688	<name>php5</name>
5689	<name>php4</name>
5690	<range><ge>0</ge></range>
5691      </package>
5692      <package>
5693	<name>perl5</name>
5694	<range><lt>5.18</lt></range>
5695      </package>
5696      <package>
5697	<name>perl5.16</name>
5698	<name>perl5.14</name>
5699	<name>perl5.12</name>
5700	<name>perl</name> <!-- Perl 5.10 and earlier were called "perl" -->
5701	<range><ge>0</ge></range>
5702      </package>
5703      <package>
5704	<name>ruby</name>
5705	<name>ruby_static</name>
5706	<range><lt>2.1,1</lt></range>
5707      </package>
5708      <package>
5709	<name>unifi2</name>
5710	<name>unifi3</name>
5711	<range><ge>0</ge></range>
5712      </package>
5713      <package>
5714	<name>apache21</name>
5715	<name>apache20</name>
5716	<name>apache13</name>
5717	<range><ge>0</ge></range>
5718      </package>
5719      <package>
5720	<name>tomcat55</name>
5721	<name>tomcat41</name>
5722	<range><ge>0</ge></range>
5723      </package>
5724      <package>
5725	<name>mysql51-client</name>
5726	<name>mysql51-server</name>
5727	<name>mysql50-client</name>
5728	<name>mysql50-server</name>
5729	<name>mysql41-client</name>
5730	<name>mysql41-server</name>
5731	<name>mysql40-client</name>
5732	<name>mysql40-server</name>
5733	<range><ge>0</ge></range>
5734      </package>
5735      <package>
5736	<name>postgresql90-client</name>
5737	<name>postgresql90-server</name>
5738	<name>postgresql84-client</name>
5739	<name>postgresql84-server</name>
5740	<name>postgresql83-client</name>
5741	<name>postgresql83-server</name>
5742	<name>postgresql82-client</name>
5743	<name>postgresql82-server</name>
5744	<name>postgresql81-client</name>
5745	<name>postgresql81-server</name>
5746	<name>postgresql80-client</name>
5747	<name>postgresql80-server</name>
5748	<name>postgresql74-client</name>
5749	<name>postgresql74-server</name>
5750	<name>postgresql73-client</name>
5751	<name>postgresql73-server</name>
5752	<name>postgresql72-client</name>
5753	<name>postgresql72-server</name>
5754	<name>postgresql71-client</name>
5755	<name>postgresql71-server</name>
5756	<name>postgresql7-client</name>
5757	<name>postgresql7-server</name>
5758	<range><ge>0</ge></range>
5759      </package>
5760    </affects>
5761    <description>
5762      <body xmlns="http://www.w3.org/1999/xhtml">
5763	<p>These packages have reached End of Life status and/or have
5764	  been removed from the Ports Tree. They may contain undocumented
5765	  security issues. Please exercise caution and find alternative
5766	  software as soon as possible.</p>
5767      </body>
5768    </description>
5769    <references>
5770      <freebsdpr>ports/211975</freebsdpr>
5771    </references>
5772    <dates>
5773      <discovery>2016-08-18</discovery>
5774      <entry>2016-08-18</entry>
5775      <modified>2016-10-18</modified>
5776    </dates>
5777  </vuln>
5778
5779  <vuln vid="e1c71d8d-64d9-11e6-b38a-25a46b33f2ed">
5780    <topic>gnupg -- attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output</topic>
5781    <affects>
5782      <package>
5783	<name>gnupg1</name>
5784	<range><lt>1.4.21</lt></range>
5785      </package>
5786      <package>
5787	<name>libgcrypt</name>
5788	<range><lt>1.7.3</lt></range>
5789      </package>
5790      <package>
5791	<name>linux-c6-libgcrypt</name>
5792	<range><lt>1.4.5_4</lt></range>
5793      </package>
5794      <package>
5795	<name>linux-c7-libgcrypt</name>
5796	<range><lt>1.5.3_1</lt></range>
5797      </package>
5798    </affects>
5799    <description>
5800      <body xmlns="http://www.w3.org/1999/xhtml">
5801	<p>Werner Koch reports:</p>
5802	<blockquote cite="https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html">
5803	  <p>There was a bug in the mixing functions of Libgcrypt's random
5804	    number generator: An attacker who obtains 4640 bits from the RNG can
5805	    trivially predict the next 160 bits of output.  This bug exists since
5806	    1998 in all GnuPG and Libgcrypt versions.</p>
5807	</blockquote>
5808      </body>
5809    </description>
5810    <references>
5811      <url>https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html</url>
5812      <cvename>CVE-2016-6313</cvename>
5813    </references>
5814    <dates>
5815      <discovery>2016-08-17</discovery>
5816      <entry>2016-08-18</entry>
5817      <modified>2016-11-30</modified>
5818    </dates>
5819  </vuln>
5820
5821  <vuln vid="ef70b201-645d-11e6-9cdc-6805ca0b3d42">
5822    <topic>phpmyadmin -- multiple vulnerabilities</topic>
5823    <affects>
5824      <package>
5825	<name>phpmyadmin</name>
5826	<range><ge>4.6.0</ge><lt>4.6.4</lt></range>
5827      </package>
5828    </affects>
5829    <description>
5830      <body xmlns="http://www.w3.org/1999/xhtml">
5831	<p>The phpmyadmin development team reports:</p>
5832	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-29/">
5833	  <p>Weakness with cookie encryption</p>
5834	</blockquote>
5835	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-30/">
5836	  <p>Multiple XSS vulnerabilities</p>
5837	</blockquote>
5838	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-31/">
5839	  <p>Multiple XSS vulnerabilities</p>
5840	</blockquote>
5841	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-32/">
5842	  <p>PHP code injection</p>
5843	</blockquote>
5844	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-33/">
5845	  <p>Full path disclosure</p>
5846	</blockquote>
5847	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-34/">
5848	  <p>SQL injection attack</p>
5849	</blockquote>
5850	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-35/">
5851	  <p>Local file exposure</p>
5852	</blockquote>
5853	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-36/">
5854	  <p>Local file exposure through symlinks with
5855	    UploadDir</p>
5856	</blockquote>
5857	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-37/">
5858	  <p>Path traversal with SaveDir and UploadDir</p>
5859	</blockquote>
5860	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-38/">
5861	  <p>Multiple XSS vulnerabilities</p>
5862	</blockquote>
5863	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-39/">
5864	  <p>SQL injection attack</p>
5865	</blockquote>
5866	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-40/">
5867	  <p>SQL injection attack</p>
5868	</blockquote>
5869	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-41/">
5870	  <p>Denial of service (DOS) attack in transformation
5871	    feature</p>
5872	</blockquote>
5873	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-42/">
5874	  <p>SQL injection attack as control user</p>
5875	</blockquote>
5876	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-43/">
5877	  <p>Unvalidated data passed to unserialize()</p>
5878	</blockquote>
5879	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-45/">
5880	  <p>DOS attack with forced persistent connections</p>
5881	</blockquote>
5882	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-46/">
5883	  <p>Denial of service (DOS) attack by for loops</p>
5884	</blockquote>
5885	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-47/">
5886	  <p>IPv6 and proxy server IP-based authentication rule
5887	    circumvention</p>
5888	</blockquote>
5889	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-48/">
5890	  <p>Detect if user is logged in</p>
5891	</blockquote>
5892	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-49/">
5893	  <p>Bypass URL redirect protection</p>
5894	</blockquote>
5895	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-50/">
5896	  <p>Referrer leak in url.php</p>
5897	</blockquote>
5898	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-51/">
5899	  <p>Reflected File Download attack</p>
5900	</blockquote>
5901	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-52/">
5902	  <p>ArbitraryServerRegexp bypass</p>
5903	</blockquote>
5904	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-53/">
5905	  <p>Denial of service (DOS) attack by changing password to a
5906	    very long string</p>
5907	</blockquote>
5908	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-54/">
5909	  <p>Remote code execution vulnerability when run as CGI</p>
5910	</blockquote>
5911	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-55/">
5913	  <p>Denial of service (DOS) attack with dbase extension</p>
5914	</blockquote>
5915	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-56/">
5916	  <p>Remote code execution vulnerability when PHP is running
5917	    with dbase extension</p>
5918	</blockquote>
5919      </body>
5920    </description>
5921    <references>
5922      <url>https://www.phpmyadmin.net/security/PMASA-2016-29/</url>
5923      <url>https://www.phpmyadmin.net/security/PMASA-2016-30/</url>
5924      <url>https://www.phpmyadmin.net/security/PMASA-2016-31/</url>
5925      <url>https://www.phpmyadmin.net/security/PMASA-2016-32/</url>
5926      <url>https://www.phpmyadmin.net/security/PMASA-2016-33/</url>
5927      <url>https://www.phpmyadmin.net/security/PMASA-2016-34/</url>
5928      <url>https://www.phpmyadmin.net/security/PMASA-2016-35/</url>
5929      <url>https://www.phpmyadmin.net/security/PMASA-2016-36/</url>
5930      <url>https://www.phpmyadmin.net/security/PMASA-2016-37/</url>
5931      <url>https://www.phpmyadmin.net/security/PMASA-2016-38/</url>
5932      <url>https://www.phpmyadmin.net/security/PMASA-2016-39/</url>
5933      <url>https://www.phpmyadmin.net/security/PMASA-2016-40/</url>
5934      <url>https://www.phpmyadmin.net/security/PMASA-2016-41/</url>
5935      <url>https://www.phpmyadmin.net/security/PMASA-2016-42/</url>
5936      <url>https://www.phpmyadmin.net/security/PMASA-2016-43/</url>
5937      <url>https://www.phpmyadmin.net/security/PMASA-2016-45/</url>
5938      <url>https://www.phpmyadmin.net/security/PMASA-2016-46/</url>
5939      <url>https://www.phpmyadmin.net/security/PMASA-2016-47/</url>
5940      <url>https://www.phpmyadmin.net/security/PMASA-2016-48/</url>
5941      <url>https://www.phpmyadmin.net/security/PMASA-2016-49/</url>
5942      <url>https://www.phpmyadmin.net/security/PMASA-2016-50/</url>
5943      <url>https://www.phpmyadmin.net/security/PMASA-2016-51/</url>
5944      <url>https://www.phpmyadmin.net/security/PMASA-2016-52/</url>
5945      <url>https://www.phpmyadmin.net/security/PMASA-2016-53/</url>
5946      <url>https://www.phpmyadmin.net/security/PMASA-2016-54/</url>
5947      <url>https://www.phpmyadmin.net/security/PMASA-2016-55/</url>
5948      <url>https://www.phpmyadmin.net/security/PMASA-2016-56/</url>
5949      <cvename>CVE-2016-6606</cvename>
5950      <cvename>CVE-2016-6607</cvename>
5951      <cvename>CVE-2016-6608</cvename>
5952      <cvename>CVE-2016-6609</cvename>
5953      <cvename>CVE-2016-6610</cvename>
5954      <cvename>CVE-2016-6611</cvename>
5955      <cvename>CVE-2016-6612</cvename>
5956      <cvename>CVE-2016-6613</cvename>
5957      <cvename>CVE-2016-6614</cvename>
5958      <cvename>CVE-2016-6615</cvename>
5959      <cvename>CVE-2016-6616</cvename>
5960      <cvename>CVE-2016-6617</cvename>
5961      <cvename>CVE-2016-6618</cvename>
5962      <cvename>CVE-2016-6619</cvename>
5963      <cvename>CVE-2016-6620</cvename>
5964      <cvename>CVE-2016-6622</cvename>
5965      <cvename>CVE-2016-6623</cvename>
5966      <cvename>CVE-2016-6624</cvename>
5967      <cvename>CVE-2016-6625</cvename>
5968      <cvename>CVE-2016-6626</cvename>
5969      <cvename>CVE-2016-6627</cvename>
5970      <cvename>CVE-2016-6628</cvename>
5971      <cvename>CVE-2016-6629</cvename>
5972      <cvename>CVE-2016-6630</cvename>
5973      <cvename>CVE-2016-6631</cvename>
5974      <cvename>CVE-2016-6632</cvename>
5975      <cvename>CVE-2016-6633</cvename>
5976    </references>
5977    <dates>
5978      <discovery>2016-08-17</discovery>
5979      <entry>2016-08-17</entry>
5980    </dates>
5981  </vuln>
5982
5983  <vuln vid="f7dd2d09-625e-11e6-828b-fcaa14edc6a6">
5984    <topic>TeamSpeak Server 3 -- Multiple vulnerabilities including Remote Code Execution</topic>
5985    <affects>
5986      <package>
5987	<name>teamspeak3-server</name>
5988	<range><le>3.0.13_1,1</le></range>
5989      </package>
5990    </affects>
5991    <description>
5992      <body xmlns="http://www.w3.org/1999/xhtml">
5993	<p>Hanz Jenson's audit report:</p>
5994	<blockquote cite="http://seclists.org/fulldisclosure/2016/Aug/61">
5995	  <p>I found 10 vulnerabilities. Some of these are critical and allow remote code
5996	    execution. For the average user, that means that these vulnerabilities can be
5997	    exploited by a malicious attacker in order to take over any Teamspeak server,
5998	    not only becoming serveradmin, but getting a shell on the affected machine.</p>
5999	</blockquote>
6000      </body>
6001    </description>
6002    <references>
6003      <url>http://seclists.org/fulldisclosure/2016/Aug/61</url>
6004    </references>
6005    <dates>
6006      <discovery>2016-08-12</discovery>
6007      <entry>2016-08-14</entry>
6008    </dates>
6009  </vuln>
6010
6011  <vuln vid="df502a2f-61f6-11e6-a461-643150d3111d">
6012    <topic>puppet-agent MCollective plugin -- Remote Code Execution vulnerability</topic>
6013    <affects>
6014      <package>
6015	<name>mcollective-puppet-agent</name>
6016	<range><lt>1.11.1</lt></range>
6017      </package>
6018    </affects>
6019    <description>
6020      <body xmlns="http://www.w3.org/1999/xhtml">
6021	<p>Puppet reports:</p>
6022	<blockquote cite="https://puppet.com/security/cve/cve-2015-7331">
6023	  <p>Puppet Enterprise previously included a puppet-agent MCollective plugin that allowed you to pass the `--server` argument to MCollective. This insecure argument enabled remote code execution via connection to an untrusted host. In the puppet-agent MCollective version included in PE 2016.2.1, this option is disabled by default.</p>
6024	</blockquote>
6025      </body>
6026    </description>
6027    <references>
6028      <url>https://puppet.com/security/cve/cve-2015-7331</url>
6029      <cvename>CVE-2015-7331</cvename>
6030    </references>
6031    <dates>
6032      <discovery>2016-08-09</discovery>
6033      <entry>2016-08-15</entry>
6034    </dates>
6035  </vuln>
6036
6037  <vuln vid="7d4f4955-600a-11e6-a6c3-14dae9d210b8">
6038    <topic>FreeBSD -- Heap vulnerability in bspatch</topic>
6039    <affects>
6040      <package>
6041	<name>FreeBSD</name>
6042	<range><ge>10.3</ge><lt>10.3_6</lt></range>
6043	<range><ge>10.2</ge><lt>10.2_20</lt></range>
6044	<range><ge>10.1</ge><lt>10.1_37</lt></range>
6045	<range><ge>9.3</ge><lt>9.3_45</lt></range>
6046      </package>
6047    </affects>
6048    <description>
6049      <body xmlns="http://www.w3.org/1999/xhtml">
6050	<h1>Problem Description:</h1>
6051	<p>The implementation of bspatch does not check for a
6052	negative value on numbers of bytes read from the diff and
6053	extra streams, allowing an attacker who can control the
6054	patch file to write at arbitrary locations in the heap.</p>
6055	<p>This issue was first discovered by The Chromium Project
6056	and reported independently by Lu Tung-Pin to the FreeBSD
6057	project.</p>
6058	<h1>Impact:</h1>
6059	<p>An attacker who can control the patch file can cause a
6060	crash or run arbitrary code under the credentials of the
6061	user who runs bspatch, in many cases, root.</p>
6062      </body>
6063    </description>
6064    <references>
6065      <cvename>CVE-2014-9862</cvename>
6066      <freebsdsa>SA-16:25.bspatch</freebsdsa>
6067    </references>
6068    <dates>
6069      <discovery>2016-07-25</discovery>
6070      <entry>2016-08-11</entry>
6071    </dates>
6072  </vuln>
6073
6074  <vuln vid="7cfcea05-600a-11e6-a6c3-14dae9d210b8">
6075    <topic>FreeBSD -- Multiple ntp vulnerabilities</topic>
6076    <affects>
6077      <package>
6078	<name>FreeBSD</name>
6079	<range><ge>10.3</ge><lt>10.3_5</lt></range>
6080	<range><ge>10.2</ge><lt>10.2_19</lt></range>
6081	<range><ge>10.1</ge><lt>10.1_36</lt></range>
6082	<range><ge>9.3</ge><lt>9.3_44</lt></range>
6083      </package>
6084    </affects>
6085    <description>
6086      <body xmlns="http://www.w3.org/1999/xhtml">
6087	<h1>Problem Description:</h1>
6088	<p>Multiple vulnerabilities have been discovered in the NTP
6089	suite:</p>
6090	<p>The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
6091	could cause ntpd to crash. [CVE-2016-4957, Reported by
6092	Nicolas Edet of Cisco]</p>
6093	<p>An attacker who knows the origin timestamp and can send
6094	a spoofed packet containing a CRYPTO-NAK to an ephemeral
6095	peer target before any other response is sent can demobilize
6096	that association. [CVE-2016-4953, Reported by Miroslav
6097	Lichvar of Red Hat]</p>
6098	<p>An attacker who is able to spoof packets with correct
6099	origin timestamps from enough servers before the expected
6100	response packets arrive at the target machine can affect
6101	some peer variables and, for example, cause a false leap
6102	indication to be set. [CVE-2016-4954, Reported by Jakub
6103	Prokes of Red Hat]</p>
6104	<p>An attacker who is able to spoof a packet with a correct
6105	origin timestamp before the expected response packet arrives
6106	at the target machine can send a CRYPTO_NAK or a bad MAC
6107	and cause the association's peer variables to be cleared.
6108	If this can be done often enough, it will prevent that
6109	association from working. [CVE-2016-4955, Reported by
6110	Miroslav Lichvar of Red Hat]</p>
6111	<p>The fix for NtpBug2978 does not cover broadcast associations,
6112	so broadcast clients can be triggered to flip into interleave
6113	mode. [CVE-2016-4956, Reported by Miroslav Lichvar of Red
6114	Hat.]</p>
6115	<h1>Impact:</h1>
6116	<p>Malicious remote attackers may be able to break time
6117	synchronization, or cause the ntpd(8) daemon to crash.</p>
6118      </body>
6119    </description>
6120    <references>
6121      <cvename>CVE-2016-4953</cvename>
6122      <cvename>CVE-2016-4954</cvename>
6123      <cvename>CVE-2016-4955</cvename>
6124      <cvename>CVE-2016-4956</cvename>
6125      <cvename>CVE-2016-4957</cvename>
6126      <freebsdsa>SA-16:24.ntp</freebsdsa>
6127    </references>
6128    <dates>
6129      <discovery>2016-06-04</discovery>
6130      <entry>2016-08-11</entry>
6131    </dates>
6132  </vuln>
6133
6134  <vuln vid="7cad4795-600a-11e6-a6c3-14dae9d210b8">
6135    <topic>FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer</topic>
6136    <affects>
6137      <package>
6138	<name>FreeBSD-kernel</name>
6139	<range><ge>10.3</ge><lt>10.3_4</lt></range>
6140	<range><ge>10.2</ge><lt>10.2_18</lt></range>
6141	<range><ge>10.1</ge><lt>10.1_35</lt></range>
6142	<range><ge>9.3</ge><lt>9.3_43</lt></range>
6143      </package>
6144    </affects>
6145    <description>
6146      <body xmlns="http://www.w3.org/1999/xhtml">
6147	<h1>Problem Description:</h1>
6148	<p>The implementation of the historic stat(2) system call does
6149	not clear the output struct before copying it out to
6150	userland.</p>
6151	<h1>Impact:</h1>
6152	<p>An unprivileged user can read a portion of uninitialised
6153	kernel stack data, which may contain sensitive information,
6154	such as the stack guard, portions of the file cache or
6155	terminal buffers, which an attacker might leverage to obtain
6156	elevated privileges.</p>
6157      </body>
6158    </description>
6159    <references>
6160      <freebsdsa>SA-16:21.43bsd</freebsdsa>
6161    </references>
6162    <dates>
6163      <discovery>2016-05-31</discovery>
6164      <entry>2016-08-11</entry>
6165    </dates>
6166  </vuln>
6167
6168  <vuln vid="7c5d64dd-600a-11e6-a6c3-14dae9d210b8">
6169    <topic>FreeBSD -- Kernel stack disclosure in Linux compatibility layer</topic>
6170    <affects>
6171      <package>
6172	<name>FreeBSD-kernel</name>
6173	<range><ge>10.3</ge><lt>10.3_4</lt></range>
6174	<range><ge>10.2</ge><lt>10.2_18</lt></range>
6175	<range><ge>10.1</ge><lt>10.1_35</lt></range>
6176	<range><ge>9.3</ge><lt>9.3_43</lt></range>
6177      </package>
6178    </affects>
6179    <description>
6180      <body xmlns="http://www.w3.org/1999/xhtml">
6181	<h1>Problem Description:</h1>
6182	<p>The implementation of the TIOCGSERIAL ioctl(2) does not
6183	clear the output struct before copying it out to userland.</p>
6184	<p>The implementation of the Linux sysinfo() system call
6185	does not clear the output struct before copying it out to
6186	userland.</p>
6187	<h1>Impact:</h1>
6188	<p>An unprivileged user can read a portion of uninitialised
6189	kernel stack data, which may contain sensitive information,
6190	such as the stack guard, portions of the file cache or
6191	terminal buffers, which an attacker might leverage to obtain
6192	elevated privileges.</p>
6193      </body>
6194    </description>
6195    <references>
6196      <freebsdsa>SA-16:20.linux</freebsdsa>
6197    </references>
6198    <dates>
6199      <discovery>2016-05-31</discovery>
6200      <entry>2016-08-11</entry>
6201    </dates>
6202  </vuln>
6203
6204  <vuln vid="7c0bac69-600a-11e6-a6c3-14dae9d210b8">
6205    <topic>FreeBSD -- Incorrect argument handling in sendmsg(2)</topic>
6206    <affects>
6207      <package>
6208	<name>FreeBSD-kernel</name>
6209	<range><ge>10.3</ge><lt>10.3_3</lt></range>
6210	<range><ge>10.2</ge><lt>10.2_17</lt></range>
6211	<range><ge>10.1</ge><lt>10.1_34</lt></range>
6212      </package>
6213    </affects>
6214    <description>
6215      <body xmlns="http://www.w3.org/1999/xhtml">
6216	<h1>Problem Description:</h1>
6217	<p>Incorrect argument handling in the socket code allows a
6218	malicious local user to overwrite a large portion of
6219	kernel memory.</p>
6220	<h1>Impact:</h1>
6221	<p>A malicious local user may crash the kernel or execute arbitrary
6222	code in the kernel, potentially gaining superuser privileges.</p>
6223      </body>
6224    </description>
6225    <references>
6226      <cvename>CVE-2016-1887</cvename>
6227      <freebsdsa>SA-16:19.sendmsg</freebsdsa>
6228    </references>
6229    <dates>
6230      <discovery>2016-05-17</discovery>
6231      <entry>2016-08-11</entry>
6232    </dates>
6233  </vuln>
6234
6235  <vuln vid="7bbc0e8c-600a-11e6-a6c3-14dae9d210b8">
6236    <topic>FreeBSD -- Buffer overflow in keyboard driver</topic>
6237    <affects>
6238      <package>
6239	<name>FreeBSD-kernel</name>
6240	<range><ge>10.3</ge><lt>10.3_3</lt></range>
6241	<range><ge>10.2</ge><lt>10.2_17</lt></range>
6242	<range><ge>10.1</ge><lt>10.1_34</lt></range>
6243	<range><ge>9.3</ge><lt>9.3_42</lt></range>
6244      </package>
6245    </affects>
6246    <description>
6247      <body xmlns="http://www.w3.org/1999/xhtml">
6248	<h1>Problem Description:</h1>
6249	<p>Incorrect signedness comparison in the ioctl(2) handler
6250	allows a malicious local user to overwrite a portion of the
6251	kernel memory.</p>
6252	<h1>Impact:</h1>
6253	<p>A local user may crash the kernel, read a portion of
6254	kernel memory and execute arbitrary code in kernel context.
6255	The result of executing arbitrary kernel code is privilege
6256	escalation.</p>
6257      </body>
6258    </description>
6259    <references>
6260      <cvename>CVE-2016-1886</cvename>
6261      <freebsdsa>SA-16:18.atkbd</freebsdsa>
6262    </references>
6263    <dates>
6264      <discovery>2016-05-17</discovery>
6265      <entry>2016-08-11</entry>
6266    </dates>
6267  </vuln>
6268
6269  <vuln vid="7b6a11b5-600a-11e6-a6c3-14dae9d210b8">
6270    <topic>FreeBSD -- Incorrect argument validation in sysarch(2)</topic>
6271    <affects>
6272      <package>
6273	<name>FreeBSD-kernel</name>
6274	<range><ge>11.0</ge><lt>11.0_2</lt></range>
6275	<range><ge>10.3</ge><lt>10.3_11</lt></range>
6276	<range><ge>10.2</ge><lt>10.2_24</lt></range>
6277	<range><ge>10.1</ge><lt>10.1_41</lt></range>
6278	<range><ge>9.3</ge><lt>9.3_49</lt></range>
6279      </package>
6280    </affects>
6281    <description>
6282      <body xmlns="http://www.w3.org/1999/xhtml">
6283	<h1>Problem Description:</h1>
6284	<p>A special combination of sysarch(2) arguments specifies
6285	a request to uninstall a set of descriptors from the LDT.
6286	The start descriptor is cleared and the number of descriptors
6287	is provided. Due to a lack of sufficient bounds checking
6288	during argument validity verification, unbounded zeroing of
6289	the process LDT and adjacent memory can be initiated from
6290	usermode.</p>
6291	<h1>Impact:</h1>
6292	<p>This vulnerability could cause the kernel to panic. In
6293	addition, unprivileged processes can perform a local Denial
6294	of Service against the system.</p>
6295      </body>
6296    </description>
6297    <references>
6298      <cvename>CVE-2016-1885</cvename>
6299      <freebsdsa>SA-16:15.sysarch</freebsdsa>
6300    </references>
6301    <dates>
6302      <discovery>2016-03-16</discovery>
6303      <entry>2016-08-11</entry>
6304      <modified>2016-10-25</modified>
6305    </dates>
6306  </vuln>
6307
6308  <vuln vid="7b1a4a27-600a-11e6-a6c3-14dae9d210b8">
6309    <topic>FreeBSD -- Multiple OpenSSL vulnerabilities</topic>
6310    <affects>
6311      <package>
6312	<name>FreeBSD</name>
6313	<range><ge>10.2</ge><lt>10.2_13</lt></range>
6314	<range><ge>10.1</ge><lt>10.1_30</lt></range>
6315	<range><ge>9.3</ge><lt>9.3_38</lt></range>
6316      </package>
6317    </affects>
6318    <description>
6319      <body xmlns="http://www.w3.org/1999/xhtml">
6320	<h1>Problem Description:</h1>
6321	<p>A cross-protocol attack was discovered that could lead
6322	to decryption of TLS sessions by using a server supporting
6323	SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA
6324	padding oracle. Note that traffic between clients and
6325	non-vulnerable servers can be decrypted provided another
6326	server supporting SSLv2 and EXPORT ciphers (even with a
6327	different protocol such as SMTP, IMAP or POP3) shares the
6328	RSA keys of the non-vulnerable server. This vulnerability
6329	is known as DROWN. [CVE-2016-0800]</p>
6330	<p>A double free bug was discovered when OpenSSL parses
6331	malformed DSA private keys and could lead to a DoS attack
6332	or memory corruption for applications that receive DSA
6333	private keys from untrusted sources. This scenario is
6334	considered rare. [CVE-2016-0705]</p>
6335	<p>The SRP user database lookup method SRP_VBASE_get_by_user
6336	had confusing memory management semantics; the returned
6337	pointer was sometimes newly allocated, and sometimes owned
6338	by the callee. The calling code has no way of distinguishing
6339	these two cases. [CVE-2016-0798]</p>
6340	<p>In the BN_hex2bn function, the number of hex digits is
6341	calculated using an int value |i|. Later |bn_expand| is
6342	called with a value of |i * 4|. For large values of |i|
6343	this can result in |bn_expand| not allocating any memory
6344	because |i * 4| is negative. This can leave the internal
6345	BIGNUM data field as NULL leading to a subsequent NULL
6346	pointer dereference. For very large values of |i|, the
6347	calculation |i * 4| could be a positive value smaller than
6348	|i|. In this case memory is allocated to the internal BIGNUM
6349	data field, but it is insufficiently sized leading to heap
6350	corruption. A similar issue exists in BN_dec2bn. This could
6351	have security consequences if BN_hex2bn/BN_dec2bn is ever
6352	called by user applications with very large untrusted hex/dec
6353	data. This is anticipated to be a rare occurrence.
6354	[CVE-2016-0797]</p>
6355	<p>The internal |fmtstr| function used in processing a "%s"
6356	formatted string in the BIO_*printf functions could overflow
6357	while calculating the length of a string and cause an
6358	out-of-bounds read when printing very long strings.
6359	[CVE-2016-0799]</p>
6360	<p>A side-channel attack was found which makes use of
6361	cache-bank conflicts on the Intel Sandy-Bridge microarchitecture
6362	which could lead to the recovery of RSA keys. [CVE-2016-0702]</p>
6363	<p>s2_srvr.c did not enforce that clear-key-length is 0 for
6364	non-export ciphers. If clear-key bytes are present for these
6365	ciphers, they displace encrypted-key bytes. [CVE-2016-0703]</p>
6366	<p>s2_srvr.c overwrites the wrong bytes in the master key
6367	when applying Bleichenbacher protection for export cipher
6368	suites. [CVE-2016-0704]</p>
6369	<h1>Impact:</h1>
6370	<p>Servers that have the SSLv2 protocol enabled are vulnerable
6371	to the "DROWN" attack, which allows a remote attacker to
6372	quickly attack many recorded TLS connections made to the server,
6373	even when the clients did not make any SSLv2 connections
6374	themselves.</p>
6375	<p>An attacker who can supply malformed DSA private keys
6376	to OpenSSL applications may be able to cause memory corruption
6377	which would lead to a Denial of Service condition.
6378	[CVE-2016-0705]</p>
6379	<p>An attacker connecting with an invalid username can cause
6380	a memory leak, which could eventually lead to a Denial of
6381	Service condition. [CVE-2016-0798]</p>
6382	<p>An attacker who can inject malformed data into an
6383	application may be able to cause memory corruption which
6384	would lead to a Denial of Service condition. [CVE-2016-0797,
6385	CVE-2016-0799]</p>
6386	<p>A local attacker who has control of code in a thread
6387	running on the same hyper-threaded core as the victim thread
6388	which is performing decryptions could recover RSA keys.
6389	[CVE-2016-0702]</p>
6390	<p>An eavesdropper who can intercept SSLv2 handshake can
6391	conduct an efficient divide-and-conquer key recovery attack
6392	and use the server as an oracle to determine the SSLv2
6393	master-key, using only 16 connections to the server and
6394	negligible computation. [CVE-2016-0703]</p>
6395	<p>An attacker can use the Bleichenbacher oracle, which
6396	enables a more efficient variant of the DROWN attack.
6397	[CVE-2016-0704]</p>
6398      </body>
6399    </description>
6400    <references>
6401      <cvename>CVE-2016-0702</cvename>
6402      <cvename>CVE-2016-0703</cvename>
6403      <cvename>CVE-2016-0704</cvename>
6404      <cvename>CVE-2016-0705</cvename>
6405      <cvename>CVE-2016-0797</cvename>
6406      <cvename>CVE-2016-0798</cvename>
6407      <cvename>CVE-2016-0799</cvename>
6408      <cvename>CVE-2016-0800</cvename>
6409      <freebsdsa>SA-16:12.openssl</freebsdsa>
6410    </references>
6411    <dates>
6412      <discovery>2016-03-10</discovery>
6413      <entry>2016-08-11</entry>
6414    </dates>
6415  </vuln>
6416
6417  <vuln vid="7ac28df1-600a-11e6-a6c3-14dae9d210b8">
6418    <topic>FreeBSD -- Linux compatibility layer issetugid(2) system call</topic>
6419    <affects>
6420      <package>
6421	<name>FreeBSD-kernel</name>
6422	<range><ge>10.2</ge><lt>10.2_11</lt></range>
6423	<range><ge>10.1</ge><lt>10.1_28</lt></range>
6424	<range><ge>9.3</ge><lt>9.3_35</lt></range>
6425      </package>
6426    </affects>
6427    <description>
6428      <body xmlns="http://www.w3.org/1999/xhtml">
6429	<h1>Problem Description:</h1>
6430	<p>A programming error in the Linux compatibility layer
6431	could cause the issetugid(2) system call to return incorrect
6432	information.</p>
6433	<h1>Impact:</h1>
6434	<p>If an application relies on output of the issetugid(2)
6435	system call and that information is incorrect, this could
6436	lead to a privilege escalation.</p>
6437      </body>
6438    </description>
6439    <references>
6440      <cvename>CVE-2016-1883</cvename>
6441      <freebsdsa>SA-16:10.linux</freebsdsa>
6442    </references>
6443    <dates>
6444      <discovery>2016-01-27</discovery>
6445      <entry>2016-08-11</entry>
6446    </dates>
6447  </vuln>
6448
6449  <vuln vid="7a31dfba-600a-11e6-a6c3-14dae9d210b8">
6450    <topic>FreeBSD -- Insecure default snmpd.config permissions</topic>
6451    <affects>
6452      <package>
6453	<name>FreeBSD</name>
6454	<range><ge>10.2</ge><lt>10.2_9</lt></range>
6455	<range><ge>10.1</ge><lt>10.1_26</lt></range>
6456	<range><ge>9.3</ge><lt>9.3_33</lt></range>
6457      </package>
6458    </affects>
6459    <description>
6460      <body xmlns="http://www.w3.org/1999/xhtml">
6461	<h1>Problem Description:</h1>
6462	<p>The SNMP protocol supports an authentication model called
6463	USM, which relies on a shared secret. The default permission
6464	of the snmpd configuration file, /etc/snmpd.config, is
6465	weak and does not provide adequate protection against local
6466	unprivileged users.</p>
6467	<h1>Impact:</h1>
6468	<p>A local user may be able to read the shared secret, if
6469	configured and used by the system administrator.</p>
6470      </body>
6471    </description>
6472    <references>
6473      <cvename>CVE-2015-5677</cvename>
6474      <freebsdsa>SA-16:06.bsnmpd</freebsdsa>
6475    </references>
6476    <dates>
6477      <discovery>2016-01-14</discovery>
6478      <entry>2016-08-11</entry>
6479    </dates>
6480  </vuln>
6481
6482  <vuln vid="79dfc135-600a-11e6-a6c3-14dae9d210b8">
6483    <topic>FreeBSD -- TCP MD5 signature denial of service</topic>
6484    <affects>
6485      <package>
6486	<name>FreeBSD-kernel</name>
6487	<range><ge>10.2</ge><lt>10.2_9</lt></range>
6488	<range><ge>10.1</ge><lt>10.1_26</lt></range>
6489	<range><ge>9.3</ge><lt>9.3_33</lt></range>
6490      </package>
6491    </affects>
6492    <description>
6493      <body xmlns="http://www.w3.org/1999/xhtml">
6494	<h1>Problem Description:</h1>
6495	<p>A programming error in processing a TCP connection with
6496	both the TCP_MD5SIG and TCP_NOOPT socket options set may lead
6497	to a kernel crash.</p>
6498	<h1>Impact:</h1>
6499	<p>A local attacker can crash the kernel, resulting in a
6500	denial-of-service.</p>
6501	<p>A remote attack is theoretically possible if the server has
6502	a listening socket with TCP_NOOPT set, and the server is either
6503	out of SYN cache entries or has the SYN cache disabled by
6504	configuration.</p>
6505      </body>
6506    </description>
6507    <references>
6508      <cvename>CVE-2016-1882</cvename>
6509      <freebsdsa>SA-16:05.tcp</freebsdsa>
6510    </references>
6511    <dates>
6512      <discovery>2016-01-14</discovery>
6513      <entry>2016-08-11</entry>
6514    </dates>
6515  </vuln>
6516
6517  <vuln vid="798f63e0-600a-11e6-a6c3-14dae9d210b8">
6518    <topic>FreeBSD -- Linux compatibility layer setgroups(2) system call</topic>
6519    <affects>
6520      <package>
6521	<name>FreeBSD-kernel</name>
6522	<range><ge>10.2</ge><lt>10.2_9</lt></range>
6523	<range><ge>10.1</ge><lt>10.1_26</lt></range>
6524	<range><ge>9.3</ge><lt>9.3_33</lt></range>
6525      </package>
6526    </affects>
6527    <description>
6528      <body xmlns="http://www.w3.org/1999/xhtml">
6529	<h1>Problem Description:</h1>
6530	<p>A programming error in the Linux compatibility layer
6531	setgroups(2) system call can lead to unexpected results,
6532	such as overwriting random kernel memory contents.</p>
6533	<h1>Impact:</h1>
6534	<p>It is possible for a local attacker to overwrite portions
6535	of kernel memory, which may result in a privilege escalation
6536	or cause a system panic.</p>
6537      </body>
6538    </description>
6539    <references>
6540      <cvename>CVE-2016-1881</cvename>
6541      <freebsdsa>SA-16:04.linux</freebsdsa>
6542    </references>
6543    <dates>
6544      <discovery>2016-01-14</discovery>
6545      <entry>2016-08-11</entry>
6546    </dates>
6547  </vuln>
6548
6549  <vuln vid="793fb19c-600a-11e6-a6c3-14dae9d210b8">
6550    <topic>FreeBSD -- Linux compatibility layer incorrect futex handling</topic>
6551    <affects>
6552      <package>
6553	<name>FreeBSD-kernel</name>
6554	<range><ge>10.2</ge><lt>10.2_9</lt></range>
6555	<range><ge>10.1</ge><lt>10.1_26</lt></range>
6556	<range><ge>9.3</ge><lt>9.3_33</lt></range>
6557      </package>
6558    </affects>
6559    <description>
6560      <body xmlns="http://www.w3.org/1999/xhtml">
6561	<h1>Problem Description:</h1>
6562	<p>A programming error in the handling of Linux futex robust
6563	lists may result in incorrect memory locations being
6564	accessed.</p>
6565	<h1>Impact:</h1>
6566	<p>It is possible for a local attacker to read portions of
6567	kernel memory, which may result in a privilege escalation.</p>
6568      </body>
6569    </description>
6570    <references>
6571      <cvename>CVE-2016-1880</cvename>
6572      <freebsdsa>SA-16:03.linux</freebsdsa>
6573    </references>
6574    <dates>
6575      <discovery>2016-01-14</discovery>
6576      <entry>2016-08-11</entry>
6577    </dates>
6578  </vuln>
6579
6580  <vuln vid="78f06a6c-600a-11e6-a6c3-14dae9d210b8">
6581    <topic>FreeBSD -- SCTP ICMPv6 error message vulnerability</topic>
6582    <affects>
6583      <package>
6584	<name>FreeBSD-kernel</name>
6585	<range><ge>10.2</ge><lt>10.2_9</lt></range>
6586	<range><ge>10.1</ge><lt>10.1_26</lt></range>
6587	<range><ge>9.3</ge><lt>9.3_33</lt></range>
6588      </package>
6589    </affects>
6590    <description>
6591      <body xmlns="http://www.w3.org/1999/xhtml">
6592	<h1>Problem Description:</h1>
6593	<p>A lack of proper input checks in the ICMPv6 processing
6594	in the SCTP stack can lead to either a failed kernel assertion
6595	or to a NULL pointer dereference. In either case, a kernel
6596	panic will follow.</p>
6597	<h1>Impact:</h1>
6598	<p>A remote, unauthenticated attacker can reliably trigger
6599	a kernel panic in a vulnerable system running IPv6. Any
6600	kernel compiled with both IPv6 and SCTP support is vulnerable.
6601	There is no requirement to have an SCTP socket open.</p>
6602	<p>IPv4 ICMP processing is not impacted by this vulnerability.</p>
6603      </body>
6604    </description>
6605    <references>
6606      <cvename>CVE-2016-1879</cvename>
6607      <freebsdsa>SA-16:01.sctp</freebsdsa>
6608    </references>
6609    <dates>
6610      <discovery>2016-01-14</discovery>
6611      <entry>2016-08-11</entry>
6612    </dates>
6613  </vuln>
6614
6615  <vuln vid="0e5d6969-600a-11e6-a6c3-14dae9d210b8">
6616    <topic>FreeBSD -- rpcbind(8) remote denial of service [REVISED]</topic>
6617    <affects>
6618      <package>
6619	<name>FreeBSD</name>
6620	<range><ge>10.2</ge><lt>10.2_5</lt></range>
6621	<range><ge>10.1</ge><lt>10.1_22</lt></range>
6622	<range><ge>9.3</ge><lt>9.3_28</lt></range>
6623      </package>
6624    </affects>
6625    <description>
6626      <body xmlns="http://www.w3.org/1999/xhtml">
6627	<h1>Problem Description:</h1>
6628	<p>In rpcbind(8), netbuf structures are copied directly,
6629	which would result in two netbuf structures that reference
6630	one shared address buffer. When one of the two netbuf
6631	structures is freed, access to the other netbuf structure
6632	has undefined results and may crash the
6633	rpcbind(8) daemon.</p>
6634	<h1>Impact:</h1>
6635	<p>A remote attacker who can send specifically crafted
6636	packets to the rpcbind(8) daemon can cause it to crash,
6637	resulting in a denial of service condition.</p>
6638      </body>
6639    </description>
6640    <references>
6641      <cvename>CVE-2015-7236</cvename>
6642      <freebsdsa>SA-15:24.rpcbind</freebsdsa>
6643    </references>
6644    <dates>
6645      <discovery>2015-09-29</discovery>
6646      <entry>2016-08-11</entry>
6647    </dates>
6648  </vuln>
6649
6650  <vuln vid="0dfa5dde-600a-11e6-a6c3-14dae9d210b8">
6651    <topic>FreeBSD -- Local privilege escalation in IRET handler</topic>
6652    <affects>
6653      <package>
6654	<name>FreeBSD-kernel</name>
6655	<range><ge>10.1</ge><lt>10.1_19</lt></range>
6656	<range><ge>9.3</ge><lt>9.3_24</lt></range>
6657      </package>
6658    </affects>
6659    <description>
6660      <body xmlns="http://www.w3.org/1999/xhtml">
6661	<h1>Problem Description:</h1>
6662	<p>If the kernel-mode IRET instruction generates an #SS or
6663	#NP exception, but the exception handler does not properly
6664	ensure that the right GS register base for kernel is reloaded,
6665	the userland GS segment may be used in the context of the
6666	kernel exception handler.</p>
6667	<h1>Impact:</h1>
6668	<p>By causing an IRET with #SS or #NP exceptions, a local
6669	attacker can cause the kernel to use an arbitrary GS base,
6670	which may allow escalated privileges or panic the system.</p>
6671      </body>
6672    </description>
6673    <references>
6674      <cvename>CVE-2015-5675</cvename>
6675      <freebsdsa>SA-15:21.amd64</freebsdsa>
6676    </references>
6677    <dates>
6678      <discovery>2015-08-25</discovery>
6679      <entry>2016-08-11</entry>
6680    </dates>
6681  </vuln>
6682
6683  <vuln vid="0da8a68e-600a-11e6-a6c3-14dae9d210b8">
6684    <topic>FreeBSD -- Multiple integer overflows in expat (libbsdxml) XML parser</topic>
6685    <affects>
6686      <package>
6687	<name>FreeBSD</name>
6688	<range><ge>10.1</ge><lt>10.1_18</lt></range>
6689	<range><ge>10.2</ge><lt>10.2_1</lt></range>
6690	<range><ge>9.3</ge><lt>9.3_23</lt></range>
6691      </package>
6692    </affects>
6693    <description>
6694      <body xmlns="http://www.w3.org/1999/xhtml">
6695	<h1>Problem Description:</h1>
6696	<p>Multiple integer overflows have been discovered in the
6697	XML_GetBuffer() function in the expat library.</p>
6698	<h1>Impact:</h1>
6699	<p>The integer overflows may be exploited by using specifically
6700	crafted XML data and lead to an infinite loop or a heap buffer
6701	overflow, which results in a Denial of Service condition
6702	or enables remote attackers to execute arbitrary code.</p>
6703      </body>
6704    </description>
6705    <references>
6706      <cvename>CVE-2015-1283</cvename>
6707      <freebsdsa>SA-15:20.expat</freebsdsa>
6708    </references>
6709    <dates>
6710      <discovery>2015-08-18</discovery>
6711      <entry>2016-08-11</entry>
6712    </dates>
6713  </vuln>
6714
6715  <vuln vid="0d584493-600a-11e6-a6c3-14dae9d210b8">
6716    <topic>FreeBSD -- routed(8) remote denial of service vulnerability</topic>
6717    <affects>
6718      <package>
6719	<name>FreeBSD</name>
6720	<range><ge>10.1</ge><lt>10.1_17</lt></range>
6721	<range><ge>9.3</ge><lt>9.3_22</lt></range>
6722      </package>
6723    </affects>
6724    <description>
6725      <body xmlns="http://www.w3.org/1999/xhtml">
6726	<h1>Problem Description:</h1>
6727	<p>The input path in routed(8) will accept queries from any
6728	source and attempt to answer them. However, the output path
6729	assumes that the destination address for the response is
6730	on a directly connected network.</p>
6731	<h1>Impact:</h1>
6732	<p>Upon receipt of a query from a source which is not on a
6733	directly connected network, routed(8) will trigger an
6734	assertion and terminate. The affected system's routing table
6735	will no longer be updated. If the affected system is a
6736	router, its routes will eventually expire from other routers'
6737	routing tables, and its networks will no longer be reachable
6738	unless they are also connected to another router.</p>
6739      </body>
6740    </description>
6741    <references>
6742      <cvename>CVE-2015-5674</cvename>
6743      <freebsdsa>SA-15:19.routed</freebsdsa>
6744    </references>
6745    <dates>
6746      <discovery>2015-08-05</discovery>
6747      <entry>2016-08-11</entry>
6748    </dates>
6749  </vuln>
6750
6751  <vuln vid="0d090952-600a-11e6-a6c3-14dae9d210b8">
6752    <topic>FreeBSD -- shell injection vulnerability in patch(1)</topic>
6753    <affects>
6754      <package>
6755	<name>FreeBSD</name>
6756	<range><ge>10.1</ge><lt>10.1_17</lt></range>
6757      </package>
6758    </affects>
6759    <description>
6760      <body xmlns="http://www.w3.org/1999/xhtml">
6761	<h1>Problem Description:</h1>
6762	<p>Due to insufficient sanitization of the input patch
6763	stream, it is possible for a patch file to cause patch(1)
6764	to pass certain ed(1) scripts to the ed(1) editor, which
6765	would run commands.</p>
6766	<h1>Impact:</h1>
6767	<p>This issue could be exploited to execute arbitrary
6768	commands as the user invoking patch(1) against a specially
6769	crafted patch file, which could be leveraged to obtain
6770	elevated privileges.</p>
6771      </body>
6772    </description>
6773    <references>
6774      <cvename>CVE-2015-1418</cvename>
6775      <freebsdsa>SA-15:18.bsdpatch</freebsdsa>
6776    </references>
6777    <dates>
6778      <discovery>2015-08-05</discovery>
6779      <entry>2016-08-11</entry>
6780    </dates>
6781  </vuln>
6782
6783  <vuln vid="0cb9d5bb-600a-11e6-a6c3-14dae9d210b8">
6784    <topic>FreeBSD -- Resource exhaustion in TCP reassembly</topic>
6785    <affects>
6786      <package>
6787	<name>FreeBSD-kernel</name>
6788	<range><ge>10.1</ge><lt>10.1_16</lt></range>
6789	<range><ge>9.3</ge><lt>9.3_21</lt></range>
6790	<range><ge>8.4</ge><lt>8.4_35</lt></range>
6791      </package>
6792    </affects>
6793    <description>
6794      <body xmlns="http://www.w3.org/1999/xhtml">
6795	<h1>Problem Description:</h1>
6796	<p>A mistake was made with the introduction of VNET, which
6797	converted the global limit on the number of segments that
6798	could belong to reassembly queues into a per-VNET limit.
6799	Because mbufs are allocated from a global pool, in the
6800	presence of a sufficient number of VNETs, the total number
6801	of mbufs attached to reassembly queues can grow to the total
6802	number of mbufs in the system, at which point all network
6803	traffic would cease.</p>
6804	<h1>Impact:</h1>
6805	<p>An attacker who can establish concurrent TCP connections
6806	across a sufficient number of VNETs and manipulate the
6807	inbound packet streams such that the maximum number of mbufs
6808	are enqueued on each reassembly queue can cause mbuf cluster
6809	exhaustion on the target system, resulting in a Denial of
6810	Service condition.</p>
6811	<p>As the default per-VNET limit on the number of segments
6812	that can belong to reassembly queues is 1/16 of the total
6813	number of mbuf clusters in the system, only systems that
6814	have 16 or more VNET instances are vulnerable.</p>
6815      </body>
6816    </description>
6817    <references>
6818      <cvename>CVE-2015-1417</cvename>
6819      <freebsdsa>SA-15:15.tcp</freebsdsa>
6820    </references>
6821    <dates>
6822      <discovery>2015-07-28</discovery>
6823      <entry>2016-08-11</entry>
6824    </dates>
6825  </vuln>
6826
6827  <vuln vid="0c6759dd-600a-11e6-a6c3-14dae9d210b8">
6828    <topic>FreeBSD -- shell injection vulnerability in patch(1)</topic>
6829    <affects>
6830      <package>
6831	<name>FreeBSD</name>
6832	<range><ge>10.1</ge><lt>10.1_16</lt></range>
6833      </package>
6834    </affects>
6835    <description>
6836      <body xmlns="http://www.w3.org/1999/xhtml">
6837	<h1>Problem Description:</h1>
6838	<p>Due to insufficient sanitization of the input patch
6839	stream, it is possible for a patch file to cause patch(1)
6840	to run commands in addition to the desired SCCS or RCS
6841	commands.</p>
6842	<h1>Impact:</h1>
6843	<p>This issue could be exploited to execute arbitrary
6844	commands as the user invoking patch(1) against a specially
6845	crafted patch file, which could be leveraged to obtain
6846	elevated privileges.</p>
6847      </body>
6848    </description>
6849    <references>
6850      <cvename>CVE-2015-1416</cvename>
6851      <freebsdsa>SA-15:14.bsdpatch</freebsdsa>
6852    </references>
6853    <dates>
6854      <discovery>2015-07-28</discovery>
6855      <entry>2016-08-11</entry>
6856    </dates>
6857  </vuln>
6858
6859  <vuln vid="0c064c43-600a-11e6-a6c3-14dae9d210b8">
6860    <topic>FreeBSD -- Resource exhaustion due to sessions stuck in LAST_ACK state</topic>
6861    <affects>
6862      <package>
6863	<name>FreeBSD-kernel</name>
6864	<range><ge>10.1</ge><lt>10.1_15</lt></range>
6865	<range><ge>9.3</ge><lt>9.3_20</lt></range>
6866	<range><ge>8.4</ge><lt>8.4_34</lt></range>
6867      </package>
6868    </affects>
6869    <description>
6870      <body xmlns="http://www.w3.org/1999/xhtml">
6871	<h1>Problem Description:</h1>
6872	<p>TCP connections transitioning to the LAST_ACK state can
6873	become permanently stuck due to mishandling of protocol
6874	state in certain situations, which in turn can lead to
6875	accumulated consumption and eventual exhaustion of system
6876	resources, such as mbufs and sockets.</p>
6877	<h1>Impact:</h1>
6878	<p>An attacker who can repeatedly establish TCP connections
6879	to a victim system (for instance, a Web server) could create
6880	many TCP connections that are stuck in LAST_ACK state and
6881	cause resource exhaustion, resulting in a denial of service
6882	condition. This may also happen in normal operation where
6883	no intentional attack is conducted, but an attacker who can
6884	send specifically crafted packets can trigger this more
6885	reliably.</p>
6886      </body>
6887    </description>
6888    <references>
6889      <cvename>CVE-2015-5358</cvename>
6890      <freebsdsa>SA-15:13.tcp</freebsdsa>
6891    </references>
6892    <dates>
6893      <discovery>2015-07-21</discovery>
6894      <entry>2016-08-11</entry>
6895    </dates>
6896  </vuln>
6897
6898  <vuln vid="0bb55a18-600a-11e6-a6c3-14dae9d210b8">
6899    <topic>FreeBSD -- Denial of Service with IPv6 Router Advertisements</topic>
6900    <affects>
6901      <package>
6902	<name>FreeBSD-kernel</name>
6903	<range><ge>10.1</ge><lt>10.1_9</lt></range>
6904	<range><ge>9.3</ge><lt>9.3_13</lt></range>
6905	<range><ge>8.4</ge><lt>8.4_27</lt></range>
6906      </package>
6907    </affects>
6908    <description>
6909      <body xmlns="http://www.w3.org/1999/xhtml">
6910	<h1>Problem Description:</h1>
6911	<p>The Neighbor Discovery Protocol allows a local router to
6912	advertise a suggested Current Hop Limit value for a link,
6913	which will replace the Current Hop Limit on an interface connected
6914	to the link on the FreeBSD system.</p>
6915	<h1>Impact:</h1>
6916	<p>When the Current Hop Limit (similar to IPv4's TTL) is
6917	small, IPv6 packets may get dropped before they reach
6918	their destinations.</p>
6919	<p>By sending specifically crafted Router Advertisement
6920	packets, an attacker on the local network can cause the
6921	FreeBSD system to lose the ability to communicate with
6922	another IPv6 node on a different network.</p>
6923      </body>
6924    </description>
6925    <references>
6926      <cvename>CVE-2015-2923</cvename>
6927      <freebsdsa>SA-15:09.ipv6</freebsdsa>
6928    </references>
6929    <dates>
6930      <discovery>2015-04-07</discovery>
6931      <entry>2016-08-11</entry>
6932    </dates>
6933  </vuln>
6934
6935  <vuln vid="0b65f297-600a-11e6-a6c3-14dae9d210b8">
6936    <topic>FreeBSD -- Insecure default GELI keyfile permissions</topic>
6937    <affects>
6938      <package>
6939	<name>FreeBSD</name>
6940	<range><ge>10.1</ge><lt>10.1_9</lt></range>
6941      </package>
6942    </affects>
6943    <description>
6944      <body xmlns="http://www.w3.org/1999/xhtml">
6945	<h1>Problem Description:</h1>
6946	<p>The default permissions set by the bsdinstall(8) installer
6947	when configuring full disk encrypted ZFS are too open.</p>
6948	<h1>Impact:</h1>
6949	<p>A local attacker may be able to get a copy of the geli(8)
6950	provider's keyfile which is located at a fixed location.</p>
6951      </body>
6952    </description>
6953    <references>
6954      <cvename>CVE-2015-1415</cvename>
6955      <freebsdsa>SA-15:08.bsdinstall</freebsdsa>
6956    </references>
6957    <dates>
6958      <discovery>2015-04-07</discovery>
6959      <entry>2016-08-11</entry>
6960    </dates>
6961  </vuln>
6962
6963  <vuln vid="0afe8b29-600a-11e6-a6c3-14dae9d210b8">
6964    <topic>FreeBSD -- Integer overflow in IGMP protocol</topic>
6965    <affects>
6966      <package>
6967	<name>FreeBSD-kernel</name>
6968	<range><ge>10.1</ge><lt>10.1_9</lt></range>
6969	<range><ge>9.3</ge><lt>9.3_13</lt></range>
6970	<range><ge>8.4</ge><lt>8.4_27</lt></range>
6971      </package>
6972    </affects>
6973    <description>
6974      <body xmlns="http://www.w3.org/1999/xhtml">
6975	<h1>Problem Description:</h1>
6976	<p>An integer overflow in computing the size of the IGMPv3 data
6977	buffer can result in a buffer which is too small for the
6978	requested operation.</p>
6979	<h1>Impact:</h1>
6980	<p>An attacker who can send specifically crafted IGMP packets
6981	could cause a denial of service situation by causing the
6982	kernel to crash.</p>
6983      </body>
6984    </description>
6985    <references>
6986      <cvename>CVE-2015-1414</cvename>
6987      <freebsdsa>SA-15:04.igmp</freebsdsa>
6988    </references>
6989    <dates>
6990      <discovery>2015-02-25</discovery>
6991      <entry>2016-08-11</entry>
6992    </dates>
6993  </vuln>
6994
6995  <vuln vid="0aad3ce5-600a-11e6-a6c3-14dae9d210b8">
6996    <topic>FreeBSD -- SCTP stream reset vulnerability</topic>
6997    <affects>
6998      <package>
6999	<name>FreeBSD-kernel</name>
7000	<range><ge>10.1</ge><lt>10.1_5</lt></range>
7001	<range><ge>10.0</ge><lt>10.0_17</lt></range>
7002	<range><ge>9.3</ge><lt>9.3_9</lt></range>
7003	<range><ge>8.4</ge><lt>8.4_23</lt></range>
7004      </package>
7005    </affects>
7006    <description>
7007      <body xmlns="http://www.w3.org/1999/xhtml">
7008	<h1>Problem Description:</h1>
7009	<p>The input validation of received SCTP RE_CONFIG chunks
7010	is insufficient, and can result in a NULL pointer dereference
7011	later.</p>
7012	<h1>Impact:</h1>
7013	<p>A remote attacker who can send a malformed SCTP packet
7014	to a FreeBSD system that serves SCTP can cause a kernel
7015	panic, resulting in a Denial of Service.</p>
7016      </body>
7017    </description>
7018    <references>
7019      <cvename>CVE-2014-8613</cvename>
7020      <freebsdsa>SA-15:03.sctp</freebsdsa>
7021    </references>
7022    <dates>
7023      <discovery>2015-01-27</discovery>
7024      <entry>2016-08-11</entry>
7025    </dates>
7026  </vuln>
7027
7028  <vuln vid="0a5cf6d8-600a-11e6-a6c3-14dae9d210b8">
7029    <topic>FreeBSD -- SCTP SCTP_SS_VALUE kernel memory corruption and disclosure</topic>
7030    <affects>
7031      <package>
7032	<name>FreeBSD-kernel</name>
7033	<range><ge>10.1</ge><lt>10.1_5</lt></range>
7034	<range><ge>10.0</ge><lt>10.0_17</lt></range>
7035	<range><ge>9.3</ge><lt>9.3_9</lt></range>
7036	<range><ge>8.4</ge><lt>8.4_23</lt></range>
7037      </package>
7038    </affects>
7039    <description>
7040      <body xmlns="http://www.w3.org/1999/xhtml">
7041	<h1>Problem Description:</h1>
7042	<p>Due to insufficient validation of the SCTP stream ID,
7043	which serves as an array index, a local unprivileged attacker
7044	can read or write 16 bits of kernel memory.</p>
7045	<h1>Impact:</h1>
7046	<p>An unprivileged process can read or modify 16 bits of
7047	memory which belongs to the kernel. This may lead to
7048	exposure of sensitive information or allow privilege
7049	escalation.</p>
7050      </body>
7051    </description>
7052    <references>
7053      <cvename>CVE-2014-8612</cvename>
7054      <freebsdsa>SA-15:02.kmem</freebsdsa>
7055    </references>
7056    <dates>
7057      <discovery>2015-01-27</discovery>
7058      <entry>2016-08-11</entry>
7059    </dates>
7060  </vuln>
7061
7062  <vuln vid="74ded00e-6007-11e6-a6c3-14dae9d210b8">
7063    <topic>FreeBSD -- Buffer overflow in stdio</topic>
7064    <affects>
7065      <package>
7066	<name>FreeBSD</name>
7067	<range><ge>10.1</ge><lt>10.1_1</lt></range>
7068      </package>
7069    </affects>
7070    <description>
7071      <body xmlns="http://www.w3.org/1999/xhtml">
7072	<h1>Problem Description:</h1>
7073	<p>A programming error in the standard I/O library's
7074	__sflush() function could erroneously adjust the buffered
7075	stream's internal state even when no write actually occurred,
7076	in the case where the write(2) system call returns an error.</p>
7077	<h1>Impact:</h1>
7078	<p>The accounting mismatch accumulates if the caller
7079	does not check the stream status, and will eventually lead
7080	to a heap buffer overflow.</p>
7081	<p>Such overflows may lead to data corruption or the execution
7082	of arbitrary code at the privilege level of the calling
7083	program.</p>
7084      </body>
7085    </description>
7086    <references>
7087      <cvename>CVE-2014-8611</cvename>
7088      <freebsdsa>SA-14:27.stdio</freebsdsa>
7089    </references>
7090    <dates>
7091      <discovery>2014-12-10</discovery>
7092      <entry>2016-08-11</entry>
7093    </dates>
7094  </vuln>
7095
7096  <vuln vid="7488378d-6007-11e6-a6c3-14dae9d210b8">
7097    <topic>FreeBSD -- Remote command execution in ftp(1)</topic>
7098    <affects>
7099      <package>
7100	<name>FreeBSD</name>
7101	<range><ge>10.0</ge><lt>10.0_12</lt></range>
7102	<range><ge>9.3</ge><lt>9.3_5</lt></range>
7103	<range><ge>9.2</ge><lt>9.2_15</lt></range>
7104	<range><ge>9.1</ge><lt>9.1_22</lt></range>
7105	<range><ge>8.4</ge><lt>8.4_19</lt></range>
7106      </package>
7107    </affects>
7108    <description>
7109      <body xmlns="http://www.w3.org/1999/xhtml">
7110	<h1>Problem Description:</h1>
7111	<p>A malicious HTTP server could cause ftp(1) to execute
7112	arbitrary commands.</p>
7113	<h1>Impact:</h1>
7114	<p>When operating on HTTP URIs, the ftp(1) client follows
7115	HTTP redirects, and uses the part of the path after the
7116	last '/' from the last resource it accesses as the output
7117	filename if '-o' is not specified.</p>
7118	<p>If the output file name provided by the server begins
7119	with a pipe ('|'), the output is passed to popen(3), which
7120	might be used to execute arbitrary commands on the ftp(1)
7121	client machine.</p>
7122      </body>
7123    </description>
7124    <references>
7125      <cvename>CVE-2014-8517</cvename>
7126      <freebsdsa>SA-14:26.ftp</freebsdsa>
7127    </references>
7128    <dates>
7129      <discovery>2014-11-04</discovery>
7130      <entry>2016-08-11</entry>
7131    </dates>
7132  </vuln>
7133
7134  <vuln vid="74389f22-6007-11e6-a6c3-14dae9d210b8">
7135    <topic>FreeBSD -- Kernel stack disclosure in setlogin(2) / getlogin(2)</topic>
7136    <affects>
7137      <package>
7138	<name>FreeBSD-kernel</name>
7139	<range><ge>10.0</ge><lt>10.0_12</lt></range>
7140	<range><ge>9.3</ge><lt>9.3_5</lt></range>
7141	<range><ge>9.2</ge><lt>9.2_15</lt></range>
7142	<range><ge>9.1</ge><lt>9.1_22</lt></range>
7143	<range><ge>8.4</ge><lt>8.4_19</lt></range>
7144      </package>
7145    </affects>
7146    <description>
7147      <body xmlns="http://www.w3.org/1999/xhtml">
7148	<h1>Problem Description:</h1>
7149	<p>When setlogin(2) is called while setting up a new login
7150	session, the login name is copied into an uninitialized
7151	stack buffer, which is then copied into a buffer of the
7152	same size in the session structure. The getlogin(2) system
7153	call returns the entire buffer rather than just the portion
7154	occupied by the login name associated with the session.</p>
7155	<h1>Impact:</h1>
7156	<p>An unprivileged user can access this memory by calling
7157	getlogin(2) and reading beyond the terminating NUL character
7158	of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD
7159	9 and 10) bytes of kernel memory may be leaked in this
7160	manner for each invocation of setlogin(2).</p>
7161	<p>This memory may contain sensitive information, such as
7162	portions of the file cache or terminal buffers, which an
7163	attacker might leverage to obtain elevated privileges.</p>
7164      </body>
7165    </description>
7166    <references>
7167      <cvename>CVE-2014-8476</cvename>
7168      <freebsdsa>SA-14:25.setlogin</freebsdsa>
7169    </references>
7170    <dates>
7171      <discovery>2014-11-04</discovery>
7172      <entry>2016-08-11</entry>
7173    </dates>
7174  </vuln>
7175
7176  <vuln vid="73e9a137-6007-11e6-a6c3-14dae9d210b8">
7177    <topic>FreeBSD -- Denial of service attack against sshd(8)</topic>
7178    <affects>
7179      <package>
7180	<name>FreeBSD</name>
7181	<range><ge>10.0</ge><lt>10.0_12</lt></range>
7182	<range><ge>9.2</ge><lt>9.2_15</lt></range>
7183	<range><ge>9.1</ge><lt>9.1_22</lt></range>
7184      </package>
7185    </affects>
7186    <description>
7187      <body xmlns="http://www.w3.org/1999/xhtml">
7188	<h1>Problem Description:</h1>
7189	<p>Although OpenSSH is not multithreaded, when OpenSSH is
7190	compiled with Kerberos support, the Heimdal libraries bring
7191	in the POSIX thread library as a dependency. Due to incorrect
7192	library ordering while linking sshd(8), symbols in the C
7193	library which are shadowed by the POSIX thread library may
7194	not be resolved correctly at run time.</p>
7195	<p>Note that this problem is specific to the FreeBSD build
7196	system and does not affect other operating systems or the
7197	version of OpenSSH available from the FreeBSD ports tree.</p>
7198	<h1>Impact:</h1>
7199	<p>An incorrectly linked sshd(8) child process may deadlock
7200	while handling an incoming connection. The connection may
7201	then time out or be interrupted by the client, leaving the
7202	deadlocked sshd(8) child process behind. Eventually, the
7203	sshd(8) parent process stops accepting new connections.</p>
7204	<p>An attacker may take advantage of this by repeatedly
7205	connecting and then dropping the connection after having
7206	begun, but not completed, the authentication process.</p>
7207      </body>
7208    </description>
7209    <references>
7210      <cvename>CVE-2014-8475</cvename>
7211      <freebsdsa>SA-14:24.sshd</freebsdsa>
7212    </references>
7213    <dates>
7214      <discovery>2014-11-04</discovery>
7215      <entry>2016-08-11</entry>
7216    </dates>
7217  </vuln>
7218
7219  <vuln vid="73964eac-6007-11e6-a6c3-14dae9d210b8">
7220    <topic>FreeBSD -- memory leak in sandboxed namei lookup</topic>
7221    <affects>
7222      <package>
7223	<name>FreeBSD-kernel</name>
7224	<range><ge>10.0</ge><lt>10.0_10</lt></range>
7225	<range><ge>9.3</ge><lt>9.3_3</lt></range>
7226	<range><ge>9.2</ge><lt>9.2_13</lt></range>
7227	<range><ge>9.1</ge><lt>9.1_20</lt></range>
7228      </package>
7229    </affects>
7230    <description>
7231      <body xmlns="http://www.w3.org/1999/xhtml">
7232	<h1>Problem Description:</h1>
7233	<p>The namei facility will leak a small amount of kernel
7234	memory every time a sandboxed process looks up a nonexistent
7235	path name.</p>
7236	<h1>Impact:</h1>
7237	<p>A remote attacker that can cause a sandboxed process
7238	(for instance, a web server) to look up a large number of
7239	nonexistent path names can cause memory exhaustion.</p>
7240      </body>
7241    </description>
7242    <references>
7243      <cvename>CVE-2014-3711</cvename>
7244      <freebsdsa>SA-14:22.namei</freebsdsa>
7245    </references>
7246    <dates>
7247      <discovery>2014-10-21</discovery>
7248      <entry>2016-08-11</entry>
7249    </dates>
7250  </vuln>
7251
7252  <vuln vid="734233f4-6007-11e6-a6c3-14dae9d210b8">
7253    <topic>FreeBSD -- routed(8) remote denial of service vulnerability</topic>
7254    <affects>
7255      <package>
7256	<name>FreeBSD</name>
7257	<range><ge>10.0</ge><lt>10.0_10</lt></range>
7258	<range><ge>9.3</ge><lt>9.3_3</lt></range>
7259	<range><ge>9.2</ge><lt>9.2_13</lt></range>
7260	<range><ge>9.1</ge><lt>9.1_20</lt></range>
7261	<range><ge>8.4</ge><lt>8.4_17</lt></range>
7262      </package>
7263    </affects>
7264    <description>
7265      <body xmlns="http://www.w3.org/1999/xhtml">
7266	<h1>Problem Description:</h1>
7267	<p>The input path in routed(8) will accept queries from any
7268	source and attempt to answer them. However, the output path
7269	assumes that the destination address for the response is
7270	on a directly connected network.</p>
7271	<h1>Impact:</h1>
7272	<p>Upon receipt of a query from a source which is not on a
7273	directly connected network, routed(8) will trigger an
7274	assertion and terminate. The affected system's routing table
7275	will no longer be updated. If the affected system is a
7276	router, its routes will eventually expire from other routers'
7277	routing tables, and its networks will no longer be reachable
7278	unless they are also connected to another router.</p>
7279      </body>
7280    </description>
7281    <references>
7282      <cvename>CVE-2014-3955</cvename>
7283      <freebsdsa>SA-14:21.routed</freebsdsa>
7284    </references>
7285    <dates>
7286      <discovery>2014-10-21</discovery>
7287      <entry>2016-08-11</entry>
7288    </dates>
7289  </vuln>
7290
7291  <vuln vid="72ee7111-6007-11e6-a6c3-14dae9d210b8">
7292    <topic>FreeBSD -- rtsold(8) remote buffer overflow vulnerability</topic>
7293    <affects>
7294      <package>
7295	<name>FreeBSD</name>
7296	<range><ge>10.0</ge><lt>10.0_10</lt></range>
7297	<range><ge>9.3</ge><lt>9.3_3</lt></range>
7298	<range><ge>9.2</ge><lt>9.2_13</lt></range>
7299	<range><ge>9.1</ge><lt>9.1_20</lt></range>
7300      </package>
7301    </affects>
7302    <description>
7303      <body xmlns="http://www.w3.org/1999/xhtml">
7304	<h1>Problem Description:</h1>
7305	<p>Due to a missing length check in the code that handles
7306	DNS parameters, a malformed router advertisement message
7307	can result in a stack buffer overflow in rtsold(8).</p>
7308	<h1>Impact:</h1>
7309	<p>Receipt of a router advertisement message with a malformed
7310	DNSSL option, for instance from a compromised host on the
7311	same network, can cause rtsold(8) to crash.</p>
7312	<p>While it is theoretically possible to inject code into
7313	rtsold(8) through malformed router advertisement messages,
7314	it is normally compiled with stack protection enabled,
7315	rendering such an attack extremely difficult.</p>
7316	<p>When rtsold(8) crashes, the existing DNS configuration
7317	will remain in force, and the kernel will continue to receive
7318	and process periodic router advertisements.</p>
7319      </body>
7320    </description>
7321    <references>
7322      <cvename>CVE-2014-3954</cvename>
7323      <freebsdsa>SA-14:20.rtsold</freebsdsa>
7324    </references>
7325    <dates>
7326      <discovery>2014-10-21</discovery>
7327      <entry>2016-08-11</entry>
7328    </dates>
7329  </vuln>
7330
7331  <vuln vid="729c4a9f-6007-11e6-a6c3-14dae9d210b8">
7332    <topic>FreeBSD -- Denial of Service in TCP packet processing</topic>
7333    <affects>
7334      <package>
7335	<name>FreeBSD-kernel</name>
7336	<range><ge>10.0</ge><lt>10.0_9</lt></range>
7337	<range><ge>9.3</ge><lt>9.3_2</lt></range>
7338	<range><ge>9.2</ge><lt>9.2_12</lt></range>
7339	<range><ge>9.1</ge><lt>9.1_19</lt></range>
7340	<range><ge>8.4</ge><lt>8.4_16</lt></range>
7341      </package>
7342    </affects>
7343    <description>
7344      <body xmlns="http://www.w3.org/1999/xhtml">
7345	<h1>Problem Description:</h1>
7346	<p>When a segment with the SYN flag for an already existing
7347	connection arrives, the TCP stack tears down the connection,
7348	bypassing a check that the sequence number in the segment
7349	is in the expected window.</p>
7350	<h1>Impact:</h1>
7351	<p>An attacker who has the ability to spoof IP traffic can
7352	tear down a TCP connection by sending only 2 packets, if
7353	they know both TCP port numbers. In case one of the two
7354	port numbers is unknown, a successful attack requires less
7355	than 2**17 packets spoofed, which can be generated within
7356	less than a second on a decent connection to the Internet.</p>
7357      </body>
7358    </description>
7359    <references>
7360      <cvename>CVE-2004-0230</cvename>
7361      <freebsdsa>SA-14:19.tcp</freebsdsa>
7362    </references>
7363    <dates>
7364      <discovery>2014-09-16</discovery>
7365      <entry>2016-08-11</entry>
7366    </dates>
7367  </vuln>
7368
7369  <vuln vid="7240de58-6007-11e6-a6c3-14dae9d210b8">
7370    <topic>FreeBSD -- Kernel memory disclosure in control messages and SCTP</topic>
7371    <affects>
7372      <package>
7373	<name>FreeBSD-kernel</name>
7374	<range><ge>10.0</ge><lt>10.0_7</lt></range>
7375	<range><ge>9.2</ge><lt>9.2_10</lt></range>
7376	<range><ge>9.1</ge><lt>9.1_17</lt></range>
7377	<range><ge>8.4</ge><lt>8.4_14</lt></range>
7378      </package>
7379    </affects>
7380    <description>
7381      <body xmlns="http://www.w3.org/1999/xhtml">
7382	<h1>Problem Description:</h1>
7383	<p>The buffer between the control message header and the data may not
7384	be completely initialized before being copied to userland.
7385	[CVE-2014-3952]</p>
7386	<p>Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO,
7387	have implicit padding that may not be completely initialized
7388	before being copied to userland. In addition, three SCTP
7389	notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and
7390	SCTP_AUTHENTICATION_EVENT, have padding in the returning
7391	data structure that may not be completely initialized before
7392	being copied to userland. [CVE-2014-3953]</p>
7393	<h1>Impact:</h1>
7394	<p>An unprivileged local process may be able to retrieve a
7395	portion of kernel memory.</p>
7396	<p>For the generic control message, the process may be able
7397	to retrieve a maximum of 4 bytes of kernel memory.</p>
7398	<p>For SCTP, the process may be able to retrieve 2 bytes
7399	of kernel memory for all three control messages, plus 92
7400	bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the
7401	local process is permitted to receive SCTP notifications, a
7402	maximum of 112 bytes of kernel memory may be returned to
7403	userland.</p>
7404	<p>This information might be directly useful, or it might
7405	be leveraged to obtain elevated privileges in some way. For
7406	example, a terminal buffer might include a user-entered
7407	password.</p>
7408      </body>
7409    </description>
7410    <references>
7411      <cvename>CVE-2014-3952</cvename>
7412      <cvename>CVE-2014-3953</cvename>
7413      <freebsdsa>SA-14:17.kmem</freebsdsa>
7414    </references>
7415    <dates>
7416      <discovery>2014-07-08</discovery>
7417      <entry>2016-08-11</entry>
7418    </dates>
7419  </vuln>
7420
7421  <vuln vid="70140f20-6007-11e6-a6c3-14dae9d210b8">
7422    <topic>FreeBSD -- Multiple vulnerabilities in file(1) and libmagic(3)</topic>
7423    <affects>
7424      <package>
7425	<name>FreeBSD</name>
7426	<range><ge>10.0</ge><lt>10.0_6</lt></range>
7427	<range><ge>9.2</ge><lt>9.2_9</lt></range>
7428	<range><ge>9.1</ge><lt>9.1_16</lt></range>
7429	<range><ge>8.4</ge><lt>8.4_13</lt></range>
7430      </package>
7431    </affects>
7432    <description>
7433      <body xmlns="http://www.w3.org/1999/xhtml">
7434	<h1>Problem Description:</h1>
7435	<p>A specifically crafted Composite Document File (CDF)
7436	file can trigger an out-of-bounds read or an invalid pointer
7437	dereference. [CVE-2012-1571]</p>
7438	<p>A flawed regular expression in the awk script detector
7439	makes use of multiple wildcards with unlimited repetitions.
7440	[CVE-2013-7345]</p>
7441	<p>A malicious input file could trigger infinite recursion
7442	in libmagic(3). [CVE-2014-1943]</p>
7443	<p>A specifically crafted Portable Executable (PE) can
7444	trigger an out-of-bounds read. [CVE-2014-2270]</p>
7445	<h1>Impact:</h1>
7446	<p>An attacker who can cause file(1) or any other application
7447	using the libmagic(3) library to be run on a maliciously
7448	constructed input can cause the application to crash or consume
7449	excessive CPU resources, resulting in a denial-of-service.</p>
7450      </body>
7451    </description>
7452    <references>
7453      <cvename>CVE-2012-1571</cvename>
7454      <cvename>CVE-2013-7345</cvename>
7455      <cvename>CVE-2014-1943</cvename>
7456      <cvename>CVE-2014-2270</cvename>
7457      <freebsdsa>SA-14:16.file</freebsdsa>
7458    </references>
7459    <dates>
7460      <discovery>2014-06-24</discovery>
7461      <entry>2016-08-11</entry>
7462    </dates>
7463  </vuln>
7464
7465  <vuln vid="6f91a709-6007-11e6-a6c3-14dae9d210b8">
7466    <topic>FreeBSD -- iconv(3) NULL pointer dereference and out-of-bounds array access</topic>
7467    <affects>
7468      <package>
7469	<name>FreeBSD</name>
7470	<range><ge>10.0</ge><lt>10.0_6</lt></range>
7471      </package>
7472    </affects>
7473    <description>
7474      <body xmlns="http://www.w3.org/1999/xhtml">
7475	<h1>Problem Description:</h1>
7476	<p>A NULL pointer dereference in the initialization code
7477	of the HZ module and an out of bounds array access in the
7478	initialization code of the VIQR module make iconv_open(3)
7479	calls involving HZ or VIQR result in an application crash.</p>
7480	<h1>Impact:</h1>
7481	<p>Services where an attacker can control the arguments of
7482	an iconv_open(3) call can be caused to crash resulting in
7483	a denial-of-service. For example, an email encoded in HZ
7484	may cause an email delivery service to crash if it converts
7485	emails to a more generic encoding like UTF-8 before applying
7486	filtering rules.</p>
7487      </body>
7488    </description>
7489    <references>
7490      <cvename>CVE-2014-3951</cvename>
7491      <freebsdsa>SA-14:15.iconv</freebsdsa>
7492    </references>
7493    <dates>
7494      <discovery>2014-06-24</discovery>
7495      <entry>2016-08-11</entry>
7496    </dates>
7497  </vuln>
7498
7499  <vuln vid="6e8f9003-6007-11e6-a6c3-14dae9d210b8">
7500    <topic>FreeBSD -- Incorrect error handling in PAM policy parser</topic>
7501    <affects>
7502      <package>
7503	<name>FreeBSD</name>
7504	<range><ge>9.2</ge><lt>9.2_7</lt></range>
7505	<range><ge>10.0</ge><lt>10.0_4</lt></range>
7506      </package>
7507    </affects>
7508    <description>
7509      <body xmlns="http://www.w3.org/1999/xhtml">
7510	<h1>Problem Description:</h1>
7511	<p>The OpenPAM library searches for policy definitions in
7512	several locations. While doing so, the absence of a policy
7513	file is a soft failure (handled by searching in the next
7514	location) while the presence of an invalid file is a hard
7515	failure (handled by returning an error to the caller).</p>
7516	<p>The policy parser returns the same error code (ENOENT)
7517	when a syntactically valid policy references a non-existent
7518	module as when the requested policy file does not exist.
7519	The search loop regards this as a soft failure and looks
7520	for the next similarly-named policy, without discarding the
7521	partially-loaded configuration.</p>
7522	<p>A similar issue can arise if a policy contains an include
7523	directive that refers to a non-existent policy.</p>
7524	<h1>Impact:</h1>
7525	<p>If a module is removed, or the name of a module is
7526	misspelled in the policy file, the PAM library will proceed
7527	with a partially loaded configuration. Depending on the
7528	exact circumstances, this may result in a fail-open scenario
7529	where users are allowed to log in without a password, or
7530	with an incorrect password.</p>
7531	<p>In particular, if a policy references a module installed
7532	by a package or port, and that package or port is being
7533	reinstalled or upgraded, there is a brief window of time
7534	during which the module is absent and policies that use it
7535	may fail open. This can be especially damaging to Internet-facing
7536	SSH servers, which are regularly subjected to brute-force
7537	scans.</p>
7538      </body>
7539    </description>
7540    <references>
7541      <cvename>CVE-2014-3879</cvename>
7542      <freebsdsa>SA-14:13.pam</freebsdsa>
7543    </references>
7544    <dates>
7545      <discovery>2014-06-03</discovery>
7546      <entry>2016-08-11</entry>
7547    </dates>
7548  </vuln>
7549
7550  <vuln vid="6e04048b-6007-11e6-a6c3-14dae9d210b8">
7551    <topic>FreeBSD -- ktrace kernel memory disclosure</topic>
7552    <affects>
7553      <package>
7554	<name>FreeBSD-kernel</name>
7555	<range><ge>9.2</ge><lt>9.2_7</lt></range>
7556	<range><ge>9.1</ge><lt>9.1_14</lt></range>
7557	<range><ge>8.4</ge><lt>8.4_11</lt></range>
7558      </package>
7559    </affects>
7560    <description>
7561      <body xmlns="http://www.w3.org/1999/xhtml">
7562	<h1>Problem Description:</h1>
7563	<p>Due to an overlooked merge to -STABLE branches, the size
7564	for page fault kernel trace entries was set incorrectly.</p>
7565	<h1>Impact:</h1>
7566	<p>A user who can enable kernel process tracing could end
7567	up reading the contents of kernel memory.</p>
7568	<p>Such memory might contain sensitive information, such
7569	as portions of the file cache or terminal buffers. This
7570	information might be directly useful, or it might be leveraged
7571	to obtain elevated privileges in some way; for example, a
7572	terminal buffer might include a user-entered password.</p>
7573      </body>
7574    </description>
7575    <references>
7576      <cvename>CVE-2014-3873</cvename>
7577      <freebsdsa>SA-14:12.ktrace</freebsdsa>
7578    </references>
7579    <dates>
7580      <discovery>2014-06-03</discovery>
7581      <entry>2016-08-11</entry>
7582    </dates>
7583  </vuln>
7584
7585  <vuln vid="6d9eadaf-6007-11e6-a6c3-14dae9d210b8">
7586    <topic>FreeBSD -- sendmail improper close-on-exec flag handling</topic>
7587    <affects>
7588      <package>
7589	<name>FreeBSD</name>
7590	<range><ge>10.0</ge><lt>10.0_4</lt></range>
7591	<range><ge>9.2</ge><lt>9.2_7</lt></range>
7592	<range><ge>9.1</ge><lt>9.1_14</lt></range>
7593	<range><ge>8.4</ge><lt>8.4_11</lt></range>
7594      </package>
7595    </affects>
7596    <description>
7597      <body xmlns="http://www.w3.org/1999/xhtml">
7598	<h1>Problem Description:</h1>
7599	<p>There is a programming error in sendmail(8) that prevented
7600	open file descriptors from having close-on-exec properly set.
7601	Consequently a subprocess will be able to access all open
7602	files that the parent process has open.</p>
7603	<h1>Impact:</h1>
7604	<p>A local user who can execute their own program for mail
7605	delivery will be able to interfere with an open SMTP
7606	connection.</p>
7607      </body>
7608    </description>
7609    <references>
7610      <freebsdsa>SA-14:11.sendmail</freebsdsa>
7611    </references>
7612    <dates>
7613      <discovery>2014-06-03</discovery>
7614      <entry>2016-08-11</entry>
7615    </dates>
7616  </vuln>
7617
7618  <vuln vid="6d472244-6007-11e6-a6c3-14dae9d210b8">
7619    <topic>FreeBSD -- TCP reassembly vulnerability</topic>
7620    <affects>
7621      <package>
7622	<name>FreeBSD-kernel</name>
7623	<range><ge>8.4</ge><lt>8.4_9</lt></range>
7624	<range><ge>8.3</ge><lt>8.3_16</lt></range>
7625	<range><ge>9.2</ge><lt>9.2_5</lt></range>
7626	<range><ge>9.1</ge><lt>9.1_12</lt></range>
7627	<range><ge>10.0</ge><lt>10.0_2</lt></range>
7628      </package>
7629    </affects>
7630    <description>
7631      <body xmlns="http://www.w3.org/1999/xhtml">
7632	<h1>Problem Description:</h1>
7633	<p>FreeBSD may add a reassembly queue entry on the stack
7634	into the segment list when the reassembly queue reaches its
7635	limit. The memory from the stack is undefined after the
7636	function returns. Subsequent iterations of the reassembly
7637	function will attempt to access this entry.</p>
7638	<h1>Impact:</h1>
7639	<p>An attacker who can send a series of specifically crafted
7640	packets with a connection could cause a denial of service
7641	situation by causing the kernel to crash.</p>
7642	<p>Additionally, because the undefined on-stack memory may
7643	be overwritten by other kernel threads, while extremely
7644	difficult, it may be possible for an attacker to construct
7645	a carefully crafted attack to obtain a portion of kernel
7646	memory via a connected socket. This may result in the
7647	disclosure of sensitive information such as login credentials,
7648	etc. before or even without crashing the system.</p>
7649      </body>
7650    </description>
7651    <references>
7652      <cvename>CVE-2014-3000</cvename>
7653      <freebsdsa>SA-14:08.tcp</freebsdsa>
7654    </references>
7655    <dates>
7656      <discovery>2014-04-30</discovery>
7657      <entry>2016-08-11</entry>
7658    </dates>
7659  </vuln>
7660
7661  <vuln vid="6b6ca5b6-6007-11e6-a6c3-14dae9d210b8">
7662    <topic>FreeBSD -- devfs rules not applied by default for jails</topic>
7663    <affects>
7664      <package>
7665	<name>FreeBSD</name>
7666	<range><ge>10.0</ge><lt>10.0_2</lt></range>
7667      </package>
7668    </affects>
7669    <description>
7670      <body xmlns="http://www.w3.org/1999/xhtml">
7671	<h1>Problem Description:</h1>
7672	<p>The default devfs rulesets are not loaded on boot, even
7673	when jails are used. Device nodes will be created in the
7674	jail with their normal default access permissions, while
7675	most of them should be hidden and inaccessible.</p>
7676	<h1>Impact:</h1>
7677	<p>Jailed processes can get access to restricted resources
7678	on the host system. For jailed processes running with
7679	superuser privileges this implies access to all devices on
7680	the system. This level of access could lead to information
7681	leakage and privilege escalation.</p>
7682      </body>
7683    </description>
7684    <references>
7685      <cvename>CVE-2014-3001</cvename>
7686      <freebsdsa>SA-14:07.devfs</freebsdsa>
7687    </references>
7688    <dates>
7689      <discovery>2014-04-30</discovery>
7690      <entry>2016-08-11</entry>
7691    </dates>
7692  </vuln>
7693
7694  <vuln vid="6a384960-6007-11e6-a6c3-14dae9d210b8">
7695    <topic>FreeBSD -- Deadlock in the NFS server</topic>
7696    <affects>
7697      <package>
7698	<name>FreeBSD-kernel</name>
7699	<range><ge>10.0</ge><lt>10.0_1</lt></range>
7700	<range><ge>9.2</ge><lt>9.2_4</lt></range>
7701	<range><ge>9.1</ge><lt>9.1_11</lt></range>
7702	<range><ge>8.4</ge><lt>8.4_8</lt></range>
7703	<range><ge>8.3</ge><lt>8.3_15</lt></range>
7704      </package>
7705    </affects>
7706    <description>
7707      <body xmlns="http://www.w3.org/1999/xhtml">
7708	<h1>Problem Description:</h1>
7709	<p>The kernel holds a lock over the source directory vnode
7710	while trying to convert the target directory file handle
7711	to a vnode, which needs to be returned with the lock held,
7712	too. This order may be in violation of normal lock order,
7713	which in conjunction with other threads that grab locks in
7714	the right order, constitutes a deadlock condition because
7715	no thread can proceed.</p>
7716	<h1>Impact:</h1>
7717	<p>An attacker on a trusted client could cause the NFS
7718	server to become deadlocked, resulting in a denial of service.</p>
7719      </body>
7720    </description>
7721    <references>
7722      <cvename>CVE-2014-1453</cvename>
7723      <freebsdsa>SA-14:05.nfsserver</freebsdsa>
7724    </references>
7725    <dates>
7726      <discovery>2014-04-08</discovery>
7727      <entry>2016-08-11</entry>
7728    </dates>
7729  </vuln>
7730
7731  <vuln vid="4c96ecf2-5fd9-11e6-a6c3-14dae9d210b8">
7732    <topic>FreeBSD -- bsnmpd remote denial of service vulnerability</topic>
7733    <affects>
7734      <package>
7735	<name>FreeBSD</name>
7736	<range><ge>9.2</ge><lt>9.2_3</lt></range>
7737	<range><ge>9.1</ge><lt>9.1_10</lt></range>
7738	<range><ge>8.4</ge><lt>8.4_7</lt></range>
7739	<range><ge>8.3</ge><lt>8.3_14</lt></range>
7740      </package>
7741    </affects>
7742    <description>
7743      <body xmlns="http://www.w3.org/1999/xhtml">
7744	<h1>Problem Description:</h1>
7745	<p>The bsnmpd(8) daemon is prone to a stack-based
7746	  buffer-overflow when it has received a specifically crafted
7747	  GETBULK PDU request.</p>
7748	<h1>Impact:</h1>
7749	<p>This issue could be exploited to execute arbitrary code in
7750	  the context of the service daemon, or crash the service daemon, causing
7751	  a denial-of-service.</p>
7752      </body>
7753    </description>
7754    <references>
7755      <cvename>CVE-2014-1452</cvename>
7756      <freebsdsa>SA-14:01.bsnmpd</freebsdsa>
7757    </references>
7758    <dates>
7759      <discovery>2014-01-14</discovery>
7760      <entry>2016-08-11</entry>
7761    </dates>
7762  </vuln>
7763
7764  <vuln vid="ca16fd0b-5fd1-11e6-a6f2-6cc21735f730">
7765    <topic>PostgreSQL -- Denial-of-Service and Code Injection Vulnerabilities</topic>
7766    <affects>
7767      <package>
7768	<name>postgresql91-server</name>
7769	<range><ge>9.1.0</ge><lt>9.1.23</lt></range>
7770      </package>
7771      <package>
7772	<name>postgresql92-server</name>
7773	<range><ge>9.2.0</ge><lt>9.2.18</lt></range>
7774      </package>
7775      <package>
7776	<name>postgresql93-server</name>
7777	<range><ge>9.3.0</ge><lt>9.3.11</lt></range>
7778      </package>
7779      <package>
7780	<name>postgresql94-server</name>
7781	<range><ge>9.4.0</ge><lt>9.4.9</lt></range>
7782      </package>
7783      <package>
7784	<name>postgresql95-server</name>
7785	<range><ge>9.5.0</ge><lt>9.5.4</lt></range>
7786      </package>
7787    </affects>
7788    <description>
7789      <body xmlns="http://www.w3.org/1999/xhtml">
7790	<p>PostgreSQL project reports:</p>
7791	<blockquote cite="http://www.postgresql.org/about/news/1688/">
7792	  <p>
7793	  Security Fixes nested CASE expressions +
7794	  database and role names with embedded special characters
7795	  </p>
7796	  <ul>
7797	    <li>CVE-2016-5423: certain nested CASE expressions can cause the
7798	     server to crash.
7799	    </li>
7800	    <li>CVE-2016-5424: database and role names with embedded special
7801	     characters can allow code injection during administrative operations
7802	     like pg_dumpall.
7803	    </li>
7804	  </ul>
7805	</blockquote>
7806      </body>
7807    </description>
7808    <references>
7809      <cvename>CVE-2016-5423</cvename>
7810      <cvename>CVE-2016-5424</cvename>
7811    </references>
7812    <dates>
7813      <discovery>2016-08-11</discovery>
7814      <entry>2016-08-11</entry>
7815    </dates>
7816  </vuln>
7817
7818  <vuln vid="28bf62ef-5e2c-11e6-a15f-00248c0c745d">
7819    <topic>piwik -- XSS vulnerability</topic>
7820    <affects>
7821      <package>
7822	<name>piwik</name>
7823	<range><lt>2.16.2</lt></range>
7824      </package>
7825    </affects>
7826    <description>
7827      <body xmlns="http://www.w3.org/1999/xhtml">
7828	<p>Piwik reports:</p>
7829	<blockquote cite="https://piwik.org/changelog/piwik-2-16-2/">
7830	  <p>We have identified and fixed several XSS security issues in this release.</p>
7831	</blockquote>
7832      </body>
7833    </description>
7834    <references>
7835      <url>https://piwik.org/changelog/piwik-2-16-2/</url>
7836    </references>
7837    <dates>
7838      <discovery>2016-08-03</discovery>
7839      <entry>2016-08-09</entry>
7840    </dates>
7841  </vuln>
7842
7843  <vuln vid="7d08e608-5e95-11e6-b334-002590263bf5">
7844    <topic>BIND,Knot,NSD,PowerDNS -- denial of service via oversized zone transfers</topic>
7845    <affects>
7846      <package>
7847	<name>bind99</name>
7848	<range><le>9.9.9P2</le></range>
7849      </package>
7850      <package>
7851	<name>bind910</name>
7852	<range><le>9.10.4P2</le></range>
7853      </package>
7854      <package>
7855	<name>bind911</name>
7856	<range><le>9.11.0.b2</le></range>
7857      </package>
7858      <package>
7859	<name>bind9-devel</name>
7860	<range><le>9.12.0.a.2016.11.02</le></range>
7861      </package>
7862      <package>
7863	<name>knot</name>
7864	<name>knot1</name>
7865	<range><lt>1.6.8</lt></range>
7866      </package>
7867      <package>
7868	<name>knot2</name>
7869	<range><lt>2.3.0</lt></range>
7870      </package>
7871      <package>
7872	<name>nsd</name>
7873	<range><lt>4.1.11</lt></range>
7874      </package>
7875      <package>
7876	<name>powerdns</name>
7877	<range><lt>4.0.1</lt></range>
7878      </package>
7879    </affects>
7880    <description>
7881      <body xmlns="http://www.w3.org/1999/xhtml">
7882	<p>ISC reports:</p>
7883	<blockquote cite="https://kb.isc.org/article/AA-01390">
7884	  <p>DNS protocols were designed with the assumption that a certain
7885	    amount of trust could be presumed between the operators of primary
7886	    and secondary servers for a given zone. However, in current
7887	    practice some organizations have scenarios which require them to
7888	    accept zone data from sources that are not fully trusted (for
7889	    example: providers of secondary name service). A party who is
7890	    allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS
7891	    updates) can overwhelm the server which is accepting data by
7892	    intentionally or accidentally exhausting that server's memory.</p>
7893	</blockquote>
7894      </body>
7895    </description>
7896    <references>
7897      <cvename>CVE-2016-6170</cvename>
7898      <cvename>CVE-2016-6171</cvename>
7899      <cvename>CVE-2016-6172</cvename>
7900      <cvename>CVE-2016-6173</cvename>
7901      <url>https://kb.isc.org/article/AA-01390</url>
7902      <mlist>http://www.openwall.com/lists/oss-security/2016/07/06/4</mlist>
7903    </references>
7904    <dates>
7905      <discovery>2016-07-06</discovery>
7906      <entry>2016-08-10</entry>
7907      <modified>2017-04-24</modified>
7908    </dates>
7909  </vuln>
7910
7911  <vuln vid="dd48d9b9-5e7e-11e6-a6c3-14dae9d210b8">
7912    <topic>FreeBSD -- Kernel memory disclosure in sctp(4)</topic>
7913    <affects>
7914      <package>
7915	<name>FreeBSD-kernel</name>
7916	<range><ge>9.1</ge><lt>9.1_6</lt></range>
7917	<range><ge>8.4</ge><lt>8.4_3</lt></range>
7918	<range><ge>8.3</ge><lt>8.3_10</lt></range>
7919      </package>
7920    </affects>
7921    <description>
7922      <body xmlns="http://www.w3.org/1999/xhtml">
7923	<h1>Problem Description:</h1>
7924	<p>When initializing the SCTP state cookie being sent in INIT-ACK chunks,
7925	  a buffer allocated from the kernel stack is not completely initialized.</p>
7926	<h1>Impact:</h1>
7927	<p>Fragments of kernel memory may be included in SCTP packets and
7928	  transmitted over the network.  For each SCTP session, there are two
7929	  separate instances in which a 4-byte fragment may be transmitted.</p>
7930	<p>This memory might contain sensitive information, such as portions of the
7931	  file cache or terminal buffers.  This information might be directly
7932	  useful, or it might be leveraged to obtain elevated privileges in
7933	  some way.  For example, a terminal buffer might include a user-entered
7934	  password.</p>
7935      </body>
7936    </description>
7937    <references>
7938      <freebsdsa>SA-13:10.sctp</freebsdsa>
7939      <cvename>CVE-2013-5209</cvename>
7940    </references>
7941    <dates>
7942      <discovery>2013-08-22</discovery>
7943      <entry>2016-08-09</entry>
7944    </dates>
7945  </vuln>
7946
7947  <vuln vid="0844632f-5e78-11e6-a6c3-14dae9d210b8">
7948    <topic>FreeBSD -- integer overflow in IP_MSFILTER</topic>
7949    <affects>
7950      <package>
7951	<name>FreeBSD-kernel</name>
7952	<range><ge>9.1</ge><lt>9.1_6</lt></range>
7953	<range><ge>8.4</ge><lt>8.4_3</lt></range>
7954	<range><ge>8.3</ge><lt>8.3_10</lt></range>
7955      </package>
7956    </affects>
7957    <description>
7958      <body xmlns="http://www.w3.org/1999/xhtml">
7959	<p>Problem Description:</p>
7960	<p>An integer overflow in computing the size of a temporary
7961	  buffer can result in a buffer which is too small for the requested
7962	  operation.</p>
7963	<p>Impact:</p>
7964	<p>An unprivileged process can read or write pages of memory
7965	  which belong to the kernel.  These may lead to exposure of sensitive
7966	  information or allow privilege escalation.</p>
7967      </body>
7968    </description>
7969    <references>
7970      <cvename>CVE-2013-3077</cvename>
7971      <freebsdsa>SA-13:09.ip_multicast</freebsdsa>
7972    </references>
7973    <dates>
7974      <discovery>2013-08-22</discovery>
7975      <entry>2016-08-09</entry>
7976    </dates>
7977  </vuln>
7978
7979  <vuln vid="e5d2442d-5e76-11e6-a6c3-14dae9d210b8">
7980    <topic>FreeBSD -- Incorrect privilege validation in the NFS server</topic>
7981    <affects>
7982      <package>
7983	<name>FreeBSD-kernel</name>
7984	<range><ge>9.1</ge><lt>9.1_5</lt></range>
7985	<range><ge>8.3</ge><lt>8.3_9</lt></range>
7986      </package>
7987    </affects>
7988    <description>
7989      <body xmlns="http://www.w3.org/1999/xhtml">
7990	<p>Problem Description:</p>
7991	<p>The kernel incorrectly uses client supplied credentials
7992	  instead of the one configured in exports(5) when filling out the
7993	  anonymous credential for a NFS export, when -network or -host
7994	  restrictions are used at the same time.</p>
7995	<p>Impact:</p>
7996	<p>The remote client may supply privileged credentials (e.g. the
7997	  root user) when accessing a file under the NFS share, which will bypass
7998	  the normal access checks.</p>
7999      </body>
8000    </description>
8001    <references>
8002      <cvename>CVE-2013-4851</cvename>
8003      <freebsdsa>SA-13:08.nfsserver</freebsdsa>
8004    </references>
8005    <dates>
8006      <discovery>2013-07-06</discovery>
8007      <entry>2016-08-09</entry>
8008    </dates>
8009  </vuln>
8010
8011  <vuln vid="6da45e38-5b55-11e6-8859-000c292ee6b8">
8012    <topic>collectd -- Network plugin heap overflow</topic>
8013    <affects>
8014      <package>
8015	<name>collectd5</name>
8016	<range><lt>5.5.2</lt></range>
8017      </package>
8018    </affects>
8019    <description>
8020      <body xmlns="http://www.w3.org/1999/xhtml">
8021	<p>The collectd Project reports:</p>
8022	<blockquote cite="http://collectd.org/news.shtml#news98">
8023	  <p>Emilien Gaspar has identified a heap overflow in collectd's
8024	    network plugin which can be triggered remotely and is potentially
8025	    exploitable.</p>
8026	</blockquote>
8027      </body>
8028    </description>
8029    <references>
8030      <cvename>CVE-2016-6254</cvename>
8031      <url>http://collectd.org/news.shtml#news98</url>
8032    </references>
8033    <dates>
8034      <discovery>2016-07-26</discovery>
8035      <entry>2016-08-05</entry>
8036    </dates>
8037  </vuln>
8038
8039  <vuln vid="3ddcb42b-5b78-11e6-b334-002590263bf5">
8040    <topic>moodle -- multiple vulnerabilities</topic>
8041    <affects>
8042      <package>
8043	<name>moodle28</name>
8044	<range><le>2.8.12</le></range>
8045      </package>
8046      <package>
8047	<name>moodle29</name>
8048	<range><lt>2.9.7</lt></range>
8049      </package>
8050      <package>
8051	<name>moodle30</name>
8052	<range><lt>3.0.5</lt></range>
8053      </package>
8054      <package>
8055	<name>moodle31</name>
8056	<range><lt>3.1.1</lt></range>
8057      </package>
8058    </affects>
8059    <description>
8060      <body xmlns="http://www.w3.org/1999/xhtml">
8061	<p>Marina Glancy reports:</p>
8062	<blockquote cite="https://moodle.org/security/">
8063	  <ul>
8064	    <li><p>MSA-16-0019: Glossary search displays entries without
8065	    checking user permissions to view them</p></li>
8066	    <li><p>MSA-16-0020: Text injection in email headers</p></li>
8067	    <li><p>MSA-16-0021: Unenrolled user still receives event monitor
8068	    notifications even though they can no longer access course</p></li>
8069	  </ul>
8070	</blockquote>
8071      </body>
8072    </description>
8073    <references>
8074      <cvename>CVE-2016-5012</cvename>
8075      <cvename>CVE-2016-5013</cvename>
8076      <cvename>CVE-2016-5014</cvename>
8077      <url>https://moodle.org/security/</url>
8078    </references>
8079    <dates>
8080      <discovery>2016-07-19</discovery>
8081      <entry>2016-08-06</entry>
8082    </dates>
8083  </vuln>
8084
8085  <vuln vid="7a31e0de-5b6d-11e6-b334-002590263bf5">
8086    <topic>bind -- denial of service vulnerability</topic>
8087    <affects>
8088      <package>
8089	<name>bind99</name>
8090	<range><lt>9.9.9P2</lt></range>
8091      </package>
8092      <package>
8093	<name>bind910</name>
8094	<range><lt>9.10.4P2</lt></range>
8095      </package>
8096      <package>
8097	<name>bind911</name>
8098	<range><lt>9.11.0.b2</lt></range>
8099      </package>
8100      <package>
8101	<name>bind9-devel</name>
8102	<range><lt>9.12.0.a.2016.07.14</lt></range>
8103      </package>
8104    </affects>
8105    <description>
8106      <body xmlns="http://www.w3.org/1999/xhtml">
8107	<p>ISC reports:</p>
8108	<blockquote cite="https://kb.isc.org/article/AA-01393">
8109	  <p>A query name which is too long can cause a segmentation fault in
8110	    lwresd.</p>
8111	</blockquote>
8112      </body>
8113    </description>
8114    <references>
8115      <cvename>CVE-2016-2775</cvename>
8116      <url>https://kb.isc.org/article/AA-01393</url>
8117    </references>
8118    <dates>
8119      <discovery>2016-07-18</discovery>
8120      <entry>2016-08-06</entry>
8121    </dates>
8122  </vuln>
8123
8124  <vuln vid="610101ea-5b6a-11e6-b334-002590263bf5">
8125    <topic>wireshark -- multiple vulnerabilities</topic>
8126    <affects>
8127      <package>
8128	<name>wireshark</name>
8129	<name>wireshark-lite</name>
8130	<name>wireshark-qt5</name>
8131	<name>tshark</name>
8132	<name>tshark-lite</name>
8133	<range><lt>2.0.5</lt></range>
8134      </package>
8135    </affects>
8136    <description>
8137      <body xmlns="http://www.w3.org/1999/xhtml">
8138	<p>Wireshark development team reports:</p>
8139	<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.5.html">
8140	  <p>The following vulnerabilities have been fixed:</p>
8141	  <ul>
8142	    <li><p>wnpa-sec-2016-41</p>
8143	      <p>PacketBB crash. (Bug 12577)</p></li>
8144	    <li><p>wnpa-sec-2016-42</p>
8145	      <p>WSP infinite loop. (Bug 12594)</p></li>
8146	    <li><p>wnpa-sec-2016-44</p>
8147	      <p>RLC long loop. (Bug 12660)</p></li>
8148	    <li><p>wnpa-sec-2016-45</p>
8149	      <p>LDSS dissector crash. (Bug 12662)</p></li>
8150	    <li><p>wnpa-sec-2016-46</p>
8151	      <p>RLC dissector crash. (Bug 12664)</p></li>
8152	    <li><p>wnpa-sec-2016-47</p>
8153	      <p>OpenFlow long loop. (Bug 12659)</p></li>
8154	    <li><p>wnpa-sec-2016-48</p>
8155	      <p>MMSE, WAP, WBXML, and WSP infinite loop. (Bug 12661)</p></li>
8156	    <li><p>wnpa-sec-2016-49</p>
8157	      <p>WBXML crash. (Bug 12663)</p></li>
8158	  </ul>
8159	</blockquote>
8160      </body>
8161    </description>
8162    <references>
8163      <cvename>CVE-2016-6505</cvename>
8164      <cvename>CVE-2016-6506</cvename>
8165      <cvename>CVE-2016-6508</cvename>
8166      <cvename>CVE-2016-6509</cvename>
8167      <cvename>CVE-2016-6510</cvename>
8168      <cvename>CVE-2016-6511</cvename>
8169      <cvename>CVE-2016-6512</cvename>
8170      <cvename>CVE-2016-6513</cvename>
8171      <url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.5.html</url>
8172      <url>http://www.openwall.com/lists/oss-security/2016/08/01/4</url>
8173    </references>
8174    <dates>
8175      <discovery>2016-07-27</discovery>
8176      <entry>2016-08-06</entry>
8177    </dates>
8178  </vuln>
8179
8180  <vuln vid="3e08047f-5a6c-11e6-a6c3-14dae9d210b8">
8181    <topic>p5-XSLoader -- local arbitrary code execution</topic>
8182    <affects>
8183      <package>
8184	<name>p5-XSLoader</name>
8185	<range><lt>0.22</lt></range>
8186      </package>
8187      <package>
8188	<name>perl5</name>
8189	<name>perl5.18</name>
8190	<name>perl5.20</name>
8191	<name>perl5.22</name>
8192	<name>perl5.24</name>
8193	<name>perl5-devel</name>
8194	<range><lt>5.18.4_24</lt></range>
8195	<range><ge>5.20</ge><lt>5.20.3_15</lt></range>
8196	<range><ge>5.21</ge><lt>5.22.3.r2</lt></range>
8197	<range><ge>5.23</ge><lt>5.24.1.r2</lt></range>
8198	<range><ge>5.25</ge><lt>5.25.2.87</lt></range>
8199      </package>
8200      <package>
8201	<name>perl</name>
8202	<range><ge>0</ge></range>
8203      </package>
8204    </affects>
8205    <description>
8206      <body xmlns="http://www.w3.org/1999/xhtml">
8207	<p>Jakub Wilk reports:</p>
8208	<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829578">
8209	  <p>XSLoader tries to load code from a subdirectory in the cwd when
8210	    called inside a string eval</p>
8211	</blockquote>
8212      </body>
8213    </description>
8214    <references>
8215      <url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829578</url>
8216      <cvename>CVE-2016-6185</cvename>
8217    </references>
8218    <dates>
8219      <discovery>2016-06-30</discovery>
8220      <entry>2016-08-04</entry>
8221      <modified>2016-08-22</modified>
8222    </dates>
8223  </vuln>
8224
8225  <vuln vid="72bfbb09-5a6a-11e6-a6c3-14dae9d210b8">
8226    <topic>perl -- local arbitrary code execution</topic>
8227    <affects>
8228      <package>
8229	<name>perl5</name>
8230	<name>perl5.18</name>
8231	<name>perl5.20</name>
8232	<name>perl5.22</name>
8233	<name>perl5.24</name>
8234	<name>perl5-devel</name>
8235	<range><lt>5.18.4_23</lt></range>
8236	<range><ge>5.20</ge><lt>5.20.3_14</lt></range>
8237	<range><ge>5.21</ge><lt>5.22.3.r2</lt></range>
8238	<range><ge>5.23</ge><lt>5.24.1.r2</lt></range>
8239	<range><ge>5.25</ge><lt>5.25.3.18</lt></range>
8240      </package>
8241      <package>
8242	<name>perl</name>
8243	<range><ge>0</ge></range>
8244      </package>
8245    </affects>
8246    <description>
8247      <body xmlns="http://www.w3.org/1999/xhtml">
8248	<p>Sawyer X reports:</p>
8249	<blockquote cite="http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html">
8250	  <p>Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do
8251	    not properly remove . (period) characters from the end of the includes
8252	    directory array, which might allow local users to gain privileges via a
8253	    Trojan horse module under the current working directory.</p>
8254	</blockquote>
8255      </body>
8256    </description>
8257    <references>
8258      <url>http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html</url>
8259      <cvename>CVE-2016-1238</cvename>
8260    </references>
8261    <dates>
8262      <discovery>2016-07-21</discovery>
8263      <entry>2016-08-04</entry>
8264      <modified>2016-08-22</modified>
8265    </dates>
8266  </vuln>
8267
8268  <vuln vid="556d2286-5a51-11e6-a6c3-14dae9d210b8">
8269    <topic>gd -- multiple vulnerabilities</topic>
8270    <affects>
8271      <package>
8272	<name>gd</name>
8273	<range><lt>2.2.3,1</lt></range>
8274      </package>
8275    </affects>
8276    <description>
8277      <body xmlns="http://www.w3.org/1999/xhtml">
8278	<p>Pierre Joye reports:</p>
8279	<blockquote cite="https://github.com/libgd/libgd/releases/tag/gd-2.2.3">
8280	  <ul>
8281	  <li><p>fix php bug 72339, Integer Overflow in _gd2GetHeader
8282	    (CVE-2016-5766)</p></li>
8283	  <li><p>gd: Buffer over-read issue when parsing crafted TGA
8284	    file (CVE-2016-6132)</p></li>
8285	  <li><p>Integer overflow error within _gdContributionsAlloc()
8286	    (CVE-2016-6207)</p></li>
8287	  <li><p>fix php bug 72494, invalid color index not handled, can
8288	    lead to crash (CVE-2016-6128)</p></li>
8289	  </ul>
8290	</blockquote>
8291      </body>
8292    </description>
8293    <references>
8294      <url>https://github.com/libgd/libgd/releases/tag/gd-2.2.3</url>
8295      <cvename>CVE-2016-5766</cvename>
8296      <cvename>CVE-2016-6132</cvename>
8297      <cvename>CVE-2016-6207</cvename>
8298      <cvename>CVE-2016-6128</cvename>
8299    </references>
8300    <dates>
8301      <discovery>2016-07-21</discovery>
8302      <entry>2016-08-04</entry>
8303    </dates>
8304  </vuln>
8305
8306  <vuln vid="e4bc70fc-5a2f-11e6-a1bc-589cfc0654e1">
8307    <topic>Vulnerabilities in Curl</topic>
8308    <affects>
8309      <package>
8310	<name>curl</name>
8311	<range><ge>7.32.0</ge><lt>7.50.1</lt></range>
8312      </package>
8313    </affects>
8314    <description>
8315      <body xmlns="http://www.w3.org/1999/xhtml">
8316	<p>Curl security team reports:</p>
8317	<blockquote cite="https://curl.haxx.se/docs/security.html">
8318	  <p>CVE-2016-5419 - TLS session resumption client cert bypass</p>
8319	  <p>CVE-2016-5420 - Re-using connections with wrong client cert</p>
8320	  <p>CVE-2016-5421 - use of connection struct after free</p>
8321	</blockquote>
8322      </body>
8323    </description>
8324    <references>
8325      <cvename>CVE-2016-5419</cvename>
8326      <cvename>CVE-2016-5420</cvename>
8327      <cvename>CVE-2016-5421</cvename>
8328      <url>https://curl.haxx.se/docs/adv_20160803A.html</url>
8329      <url>https://curl.haxx.se/docs/adv_20160803B.html</url>
8330      <url>https://curl.haxx.se/docs/adv_20160803C.html</url>
8331    </references>
8332    <dates>
8333      <discovery>2016-08-03</discovery>
8334      <entry>2016-08-04</entry>
8335    </dates>
8336  </vuln>
8337
8338  <vuln vid="ef0033ad-5823-11e6-80cc-001517f335e2">
8339    <topic>lighttpd -- multiple vulnerabilities</topic>
8340    <affects>
8341      <package>
8342	<name>lighttpd</name>
8343	<range><lt>1.4.41</lt></range>
8344      </package>
8345    </affects>
8346    <description>
8347      <body xmlns="http://www.w3.org/1999/xhtml">
8348	<p>Lighttpd Project reports:</p>
8349	<blockquote cite="http://www.lighttpd.net/2016/7/31/1.4.41/">
8350	  <p>Security fixes for Lighttpd:</p>
8351	  <ul>
8352	    <li><p>security: encode quoting chars in HTML and XML</p></li>
8353	    <li><p>security: ensure gid != 0 if server.username is set, but not server.groupname</p></li>
8354	    <li><p>security: disable stat_cache if server.follow-symlink = “disable”</p></li>
8355	    <li><p>security: httpoxy defense: do not emit HTTP_PROXY to CGI env</p></li>
8356	  </ul>
8357	</blockquote>
8358      </body>
8359    </description>
8360    <references>
8361      <url>http://www.lighttpd.net/2016/7/31/1.4.41/</url>
8362      <freebsdpr>ports/211495</freebsdpr>
8363    </references>
8364    <dates>
8365      <discovery>2016-07-31</discovery>
8366      <entry>2016-08-03</entry>
8367    </dates>
8368  </vuln>
8369
8370  <vuln vid="06574c62-5854-11e6-b334-002590263bf5">
8371    <topic>xen-tools -- virtio: unbounded memory allocation issue</topic>
8372    <affects>
8373      <package>
8374	<name>xen-tools</name>
8375	<range><lt>4.7.0_4</lt></range>
8376      </package>
8377    </affects>
8378    <description>
8379      <body xmlns="http://www.w3.org/1999/xhtml">
8380	<p>The Xen Project reports:</p>
8381	<blockquote cite="http://xenbits.xen.org/xsa/advisory-184.html">
8382	  <p>A guest can submit virtio requests without bothering to wait for
8383	    completion and is therefore not bound by virtqueue size...</p>
8384	  <p>A malicious guest administrator can cause unbounded memory
8385	    allocation in QEMU, which can cause an Out-of-Memory condition
8386	    in the domain running qemu. Thus, a malicious guest administrator
8387	    can cause a denial of service affecting the whole host.</p>
8388	</blockquote>
8389      </body>
8390    </description>
8391    <references>
8392      <cvename>CVE-2016-5403</cvename>
8393      <freebsdpr>ports/211482</freebsdpr>
8394      <url>http://xenbits.xen.org/xsa/advisory-184.html</url>
8395    </references>
8396    <dates>
8397      <discovery>2016-07-27</discovery>
8398      <entry>2016-08-02</entry>
8399    </dates>
8400  </vuln>
8401
8402  <vuln vid="04cf89e3-5854-11e6-b334-002590263bf5">
8403    <topic>xen-kernel -- x86: Missing SMAP whitelisting in 32-bit exception / event delivery</topic>
8404    <affects>
8405      <package>
8406	<name>xen-kernel</name>
8407	<range><gt>4.5</gt><lt>4.7.0_3</lt></range>
8408      </package>
8409    </affects>
8410    <description>
8411      <body xmlns="http://www.w3.org/1999/xhtml">
8412	<p>The Xen Project reports:</p>
8413	<blockquote cite="http://xenbits.xen.org/xsa/advisory-183.html">
8414	  <p>Supervisor Mode Access Prevention is a hardware feature designed
8415	    to make an Operating System more robust, by raising a pagefault
8416	    rather than accidentally following a pointer into userspace.
8417	    However, legitimate accesses into userspace require whitelisting,
8418	    and the exception delivery mechanism for 32bit PV guests wasn't
8419	    whitelisted.</p>
8420	  <p>A malicious 32-bit PV guest kernel can trigger a safety check,
8421	    crashing the hypervisor and causing a denial of service to other
8422	    VMs on the host.</p>
8423	</blockquote>
8424      </body>
8425    </description>
8426    <references>
8427      <cvename>CVE-2016-6259</cvename>
8428      <freebsdpr>ports/211482</freebsdpr>
8429      <url>http://xenbits.xen.org/xsa/advisory-183.html</url>
8430    </references>
8431    <dates>
8432      <discovery>2016-07-26</discovery>
8433      <entry>2016-08-02</entry>
8434    </dates>
8435  </vuln>
8436
8437  <vuln vid="032aa524-5854-11e6-b334-002590263bf5">
8438    <topic>xen-kernel -- x86: Privilege escalation in PV guests</topic>
8439    <affects>
8440      <package>
8441	<name>xen-kernel</name>
8442	<range><lt>4.7.0_3</lt></range>
8443      </package>
8444    </affects>
8445    <description>
8446      <body xmlns="http://www.w3.org/1999/xhtml">
8447	<p>The Xen Project reports:</p>
8448	<blockquote cite="http://xenbits.xen.org/xsa/advisory-182.html">
8449	  <p>The PV pagetable code has fast-paths for making updates to
8450	    pre-existing pagetable entries, to skip expensive re-validation
8451	    in safe cases (e.g. clearing only Access/Dirty bits). The bits
8452	    considered safe were too broad, and not actually safe.</p>
8453	  <p>A malicious PV guest administrator can escalate their privilege to
8454	    that of the host.</p>
8455	</blockquote>
8456      </body>
8457    </description>
8458    <references>
8459      <cvename>CVE-2016-6258</cvename>
8460      <freebsdpr>ports/211482</freebsdpr>
8461      <url>http://xenbits.xen.org/xsa/advisory-182.html</url>
8462    </references>
8463    <dates>
8464      <discovery>2016-07-26</discovery>
8465      <entry>2016-08-02</entry>
8466    </dates>
8467  </vuln>
8468
8469  <vuln vid="cb5189eb-572f-11e6-b334-002590263bf5">
8470    <topic>libidn -- multiple vulnerabilities</topic>
8471    <affects>
8472      <package>
8473	<name>libidn</name>
8474	<range><lt>1.33</lt></range>
8475      </package>
8476    </affects>
8477    <description>
8478      <body xmlns="http://www.w3.org/1999/xhtml">
8479	<p>Simon Josefsson reports:</p>
8480	<blockquote cite="https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html">
8481	  <p>libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.</p>
8482	  <p>idn: Solve out-of-bounds-read when reading one zero byte as input.
8483	    Also replaced fgets with getline.</p>
8484	  <p>libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8. It was
8485	    always documented to only accept UTF-8 data, but now it doesn't
8486	    crash when presented with such data.</p>
8487	</blockquote>
8488      </body>
8489    </description>
8490    <references>
8491      <cvename>CVE-2016-6261</cvename>
8492      <cvename>CVE-2015-8948</cvename>
8493      <cvename>CVE-2016-6262</cvename>
8494      <cvename>CVE-2016-6263</cvename>
8495      <url>https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html</url>
8496      <url>http://www.openwall.com/lists/oss-security/2016/07/21/4</url>
8497    </references>
8498    <dates>
8499      <discovery>2016-07-20</discovery>
8500      <entry>2016-07-31</entry>
8501    </dates>
8502  </vuln>
8503
8504  <vuln vid="6fb8a90f-c9d5-4d14-b940-aed3d63c2edc">
8505    <topic>The GIMP -- Use after Free vulnerability</topic>
8506    <affects>
8507      <package>
8508	<name>gimp-app</name>
8509	<range><lt>2.8.18,1</lt></range>
8510      </package>
8511    </affects>
8512    <description>
8513      <body xmlns="http://www.w3.org/1999/xhtml">
8514	<p>The GIMP team reports:</p>
8515	<blockquote cite="https://mail.gnome.org/archives/gimp-developer-list/2016-July/msg00020.html">
8516	  <p>A Use-after-free vulnerability was found in the xcf_load_image function.</p>
8517	</blockquote>
8518      </body>
8519    </description>
8520    <references>
8521      <url>https://mail.gnome.org/archives/gimp-developer-list/2016-July/msg00020.html</url>
8522      <url>https://bugzilla.gnome.org/show_bug.cgi?id=767873</url>
8523      <cvename>CVE-2016-4994</cvename>
8524    </references>
8525    <dates>
8526      <discovery>2016-06-20</discovery>
8527      <entry>2016-07-19</entry>
8528    </dates>
8529  </vuln>
8530
8531  <vuln vid="cb09a7aa-5344-11e6-a7bd-14dae9d210b8">
8532    <topic>xerces-c3 -- multiple vulnerabilities</topic>
8533    <affects>
8534      <package>
8535	<name>xerces-c3</name>
8536	<range><lt>3.1.4</lt></range>
8537      </package>
8538    </affects>
8539    <description>
8540      <body xmlns="http://www.w3.org/1999/xhtml">
8541	<p>Apache reports:</p>
8542	<blockquote cite="https://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt">
8543	  <p>The Xerces-C XML parser fails to successfully parse a
8544	    DTD that is deeply nested, and this causes a stack overflow, which
8545	    makes a denial of service attack against many applications possible
8546	    by an unauthenticated attacker.</p>
8547	  <p>Also, CVE-2016-2099: Use-after-free vulnerability in
8548	    validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier
8549	    allows context-dependent attackers to have unspecified impact via an
8550	    invalid character in an XML document.</p>
8551	</blockquote>
8552      </body>
8553    </description>
8554    <references>
8555      <url>https://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt</url>
8556      <url>http://www.openwall.com/lists/oss-security/2016/05/09/7</url>
8557      <cvename>CVE-2016-2099</cvename>
8558      <cvename>CVE-2016-4463</cvename>
8559    </references>
8560    <dates>
8561      <discovery>2016-05-09</discovery>
8562      <entry>2016-07-26</entry>
8563    </dates>
8564  </vuln>
8565
8566  <vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
8567    <topic>php -- multiple vulnerabilities</topic>
8568    <affects>
8569      <package>
8570	<name>php55</name>
8571	<range><lt>5.5.38</lt></range>
8572      </package>
8573      <package>
8574	<name>php56</name>
8575	<range><lt>5.6.24</lt></range>
8576      </package>
8577      <package>
8578	<name>php70</name>
8579	<range><lt>7.0.9</lt></range>
8580      </package>
8581      <package>
8582	<name>php70-curl</name>
8583	<range><lt>7.0.9</lt></range>
8584      </package>
8585      <package>
8586	<name>php55-bz2</name>
8587	<range><lt>5.5.38</lt></range>
8588      </package>
8589      <package>
8590	<name>php56-bz2</name>
8591	<range><lt>5.6.24</lt></range>
8592      </package>
8593      <package>
8594	<name>php70-bz2</name>
8595	<range><lt>7.0.9</lt></range>
8596      </package>
8597      <package>
8598	<name>php55-exif</name>
8599	<range><lt>5.5.38</lt></range>
8600      </package>
8601      <package>
8602	<name>php56-exif</name>
8603	<range><lt>5.6.24</lt></range>
8604      </package>
8605      <package>
8606	<name>php70-exif</name>
8607	<range><lt>7.0.9</lt></range>
8608      </package>
8609      <package>
8610	<name>php55-gd</name>
8611	<range><lt>5.5.38</lt></range>
8612      </package>
8613      <package>
8614	<name>php56-gd</name>
8615	<range><lt>5.6.24</lt></range>
8616      </package>
8617      <package>
8618	<name>php70-gd</name>
8619	<range><lt>7.0.9</lt></range>
8620      </package>
8621      <package>
8622	<name>php70-mcrypt</name>
8623	<range><lt>7.0.9</lt></range>
8624      </package>
8625      <package>
8626	<name>php55-odbc</name>
8627	<range><lt>5.5.38</lt></range>
8628      </package>
8629      <package>
8630	<name>php56-odbc</name>
8631	<range><lt>5.6.24</lt></range>
8632      </package>
8633      <package>
8634	<name>php70-odbc</name>
8635	<range><lt>7.0.9</lt></range>
8636      </package>
8637      <package>
8638	<name>php55-snmp</name>
8639	<range><lt>5.5.38</lt></range>
8640      </package>
8641      <package>
8642	<name>php56-snmp</name>
8643	<range><lt>5.6.24</lt></range>
8644      </package>
8645      <package>
8646	<name>php70-snmp</name>
8647	<range><lt>7.0.9</lt></range>
8648      </package>
8649      <package>
8650	<name>php55-xmlrpc</name>
8651	<range><lt>5.5.38</lt></range>
8652      </package>
8653      <package>
8654	<name>php56-xmlrpc</name>
8655	<range><lt>5.6.24</lt></range>
8656      </package>
8657      <package>
8658	<name>php70-xmlrpc</name>
8659	<range><lt>7.0.9</lt></range>
8660      </package>
8661      <package>
8662	<name>php55-zip</name>
8663	<range><lt>5.5.38</lt></range>
8664      </package>
8665      <package>
8666	<name>php56-zip</name>
8667	<range><lt>5.6.24</lt></range>
8668      </package>
8669      <package>
8670	<name>php70-zip</name>
8671	<range><lt>7.0.9</lt></range>
8672      </package>
8673    </affects>
8674    <description>
8675      <body xmlns="http://www.w3.org/1999/xhtml">
8676	<p>PHP reports:</p>
8677	<blockquote cite="http://www.php.net/ChangeLog-5.php#5.5.38">
8678	  <ul>
8679	    <li><p>Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns)</p></li>
8680	    <li><p>Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()).</p></li>
8681	    <li><p>Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).</p></li>
8682	    <li><p>Fixed bug #72519 (imagegif/output out-of-bounds access).</p></li>
8683	    <li><p>Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener).</p></li>
8684	    <li><p>Fixed bug #72533 (locale_accept_from_http out-of-bounds access).</p></li>
8685	    <li><p>Fixed bug #72541 (size_t overflow lead to heap corruption).</p></li>
8686	    <li><p>Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to heap overflow in mdecrypt_generic).</p></li>
8687	    <li><p>Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).</p></li>
8688	    <li><p>Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications).</p></li>
8689	    <li><p>Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).</p></li>
8690	    <li><p>Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).</p></li>
8691	    <li><p>Fixed bug #72613 (Inadequate error handling in bzread()).</p></li>
8692	    <li><p>Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).</p></li>
8693	  </ul>
8694	</blockquote>
8695      </body>
8696    </description>
8697    <references>
8698      <url>http://www.php.net/ChangeLog-5.php#5.5.38</url>
8699      <url>http://www.php.net/ChangeLog-5.php#5.6.24</url>
8700      <url>http://www.php.net/ChangeLog-7.php#7.0.8</url>
8701      <url>http://seclists.org/oss-sec/2016/q3/121</url>
8702      <cvename>CVE-2015-8879</cvename>
8703      <cvename>CVE-2016-5385</cvename>
8704      <cvename>CVE-2016-5399</cvename>
8705      <cvename>CVE-2016-6288</cvename>
8706      <cvename>CVE-2016-6289</cvename>
8707      <cvename>CVE-2016-6290</cvename>
8708      <cvename>CVE-2016-6291</cvename>
8709      <cvename>CVE-2016-6292</cvename>
8710      <cvename>CVE-2016-6294</cvename>
8711      <cvename>CVE-2016-6295</cvename>
8712      <cvename>CVE-2016-6296</cvename>
8713      <cvename>CVE-2016-6297</cvename>
8714    </references>
8715    <dates>
8716      <discovery>2016-07-21</discovery>
8717      <entry>2016-07-26</entry>
8718    </dates>
8719  </vuln>
8720
8721  <vuln vid="6fae9fe1-5048-11e6-8aa7-3065ec8fd3ec">
8722    <topic>chromium -- multiple vulnerabilities</topic>
8723    <affects>
8724      <package>
8725	<name>chromium</name>
8726	<name>chromium-npapi</name>
8727	<name>chromium-pulse</name>
8728	<range><lt>52.0.2743.82</lt></range>
8729      </package>
8730    </affects>
8731    <description>
8732      <body xmlns="http://www.w3.org/1999/xhtml">
8733	<p>Google Chrome Releases reports:</p>
8734	<blockquote cite="https://googlechromereleases.blogspot.nl/2016/07/stable-channel-update.html">
8735	  <p>48 security fixes in this release, including:</p>
8736	  <ul>
8737	    <li>[610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to
8738	      Pinkie Pie xisigr of Tencent's Xuanwu Lab</li>
8739	    <li>[613949] High CVE-2016-1708: Use-after-free in Extensions.
8740	      Credit to Adam Varsan</li>
8741	    <li>[614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly.
8742	      Credit to ChenQin of Topsec Security Team</li>
8743	    <li>[616907] High CVE-2016-1710: Same-origin bypass in Blink.
8744	      Credit to Mariusz Mlynski</li>
8745	    <li>[617495] High CVE-2016-1711: Same-origin bypass in Blink.
8746	      Credit to Mariusz Mlynski</li>
8747	    <li>[618237] High CVE-2016-5127: Use-after-free in Blink.  Credit
8748	      to cloudfuzzer</li>
8749	    <li>[619166] High CVE-2016-5128: Same-origin bypass in V8. Credit
8750	      to Anonymous</li>
8751	    <li>[620553] High CVE-2016-5129: Memory corruption in V8. Credit to
8752	      Jeonghoon Shin</li>
8753	    <li>[623319] High CVE-2016-5130: URL spoofing. Credit to Wadih
8754	      Matar</li>
8755	    <li>[623378] High CVE-2016-5131: Use-after-free in libxml. Credit
8756	      to Nick Wellnhofer</li>
8757	    <li>[607543] Medium CVE-2016-5132: Limited same-origin bypass in
8758	      Service Workers. Credit to Ben Kelly</li>
8759	    <li>[613626] Medium CVE-2016-5133: Origin confusion in proxy
8760	      authentication.  Credit to Patch Eudor</li>
8761	    <li>[593759] Medium CVE-2016-5134: URL leakage via PAC script.
8762	      Credit to Paul Stone</li>
8763	    <li>[605451] Medium CVE-2016-5135: Content-Security-Policy bypass.
8764	      Credit to kingxwy</li>
8765	    <li>[625393] Medium CVE-2016-5136: Use after free in extensions.
8766	      Credit to Rob Wu</li>
8767	    <li>[625945] Medium CVE-2016-5137: History sniffing with HSTS and
8768	      CSP. Credit to Xiaoyin Liu</li>
8769	    <li>[629852] CVE-2016-1705: Various fixes from internal audits,
8770	      fuzzing and other initiatives.</li>
8771	  </ul>
8772	</blockquote>
8773      </body>
8774    </description>
8775    <references>
8776      <cvename>CVE-2016-1705</cvename>
8777      <cvename>CVE-2016-1706</cvename>
8778      <cvename>CVE-2016-1708</cvename>
8779      <cvename>CVE-2016-1709</cvename>
8780      <cvename>CVE-2016-1710</cvename>
8781      <cvename>CVE-2016-1711</cvename>
8782      <cvename>CVE-2016-5127</cvename>
8783      <cvename>CVE-2016-5128</cvename>
8784      <cvename>CVE-2016-5129</cvename>
8785      <cvename>CVE-2016-5130</cvename>
8786      <cvename>CVE-2016-5131</cvename>
8787      <cvename>CVE-2016-5132</cvename>
8788      <cvename>CVE-2016-5133</cvename>
8789      <cvename>CVE-2016-5134</cvename>
8790      <cvename>CVE-2016-5135</cvename>
8791      <cvename>CVE-2016-5136</cvename>
8792      <cvename>CVE-2016-5137</cvename>
8793      <url>https://googlechromereleases.blogspot.nl/2016/07/stable-channel-update.html</url>
8794    </references>
8795    <dates>
8796      <discovery>2016-07-20</discovery>
8797      <entry>2016-07-22</entry>
8798    </dates>
8799  </vuln>
8800
8801  <vuln vid="62d45229-4fa0-11e6-9d13-206a8a720317">
8802    <topic>krb5 -- KDC denial of service vulnerability</topic>
8803    <affects>
8804      <package>
8805	<name>krb5-113</name>
8806	<range><lt>1.13.6</lt></range>
8807      </package>
8808      <package>
8809	<name>krb5-114</name>
8810	<range><lt>1.14.3</lt></range>
8811      </package>
8812    </affects>
8813    <description>
8814      <body xmlns="http://www.w3.org/1999/xhtml">
8815	<p>Major changes in krb5 1.14.3 and krb5 1.13.6:</p>
8816	<blockquote cite="http://web.mit.edu/kerberos/krb5-1.14/">
	  <p>Fix a rare KDC denial of service vulnerability when anonymous
	     client principals are restricted to obtaining TGTs only
	     [CVE-2016-3120].</p>
8820	</blockquote>
8821      </body>
8822    </description>
8823    <references>
8824      <cvename>CVE-2016-3120</cvename>
8825      <url>http://web.mit.edu/kerberos/krb5-1.14/</url>
8826    </references>
8827    <dates>
8828      <discovery>2016-07-20</discovery>
8829      <entry>2016-07-21</entry>
8830      <modified>2016-07-26</modified>
8831    </dates>
8832  </vuln>
8833
8834  <vuln vid="72f71e26-4f69-11e6-ac37-ac9e174be3af">
8835    <topic>Apache OpenOffice 4.1.2 -- Memory Corruption Vulnerability (Impress Presentations)</topic>
8836    <affects>
8837      <package>
8838	<name>apache-openoffice</name>
8839	<range><lt>4.1.2_8</lt></range>
8840      </package>
8841      <package>
8842	<name>apache-openoffice-devel</name>
8843	<range><lt>4.2.1753426,4</lt></range>
8844      </package>
8845    </affects>
8846    <description>
8847      <body xmlns="http://www.w3.org/1999/xhtml">
8848	<p>The Apache OpenOffice Project reports:</p>
8849	<blockquote cite="http://www.openoffice.org/security/cves/CVE-2016-1513.html">
8850	  <p>An OpenDocument Presentation .ODP or Presentation Template
8851	    .OTP file can contain invalid presentation elements that lead
8852	    to memory corruption when the document is loaded in Apache
8853	    OpenOffice Impress. The defect may cause the document to appear
8854	    as corrupted and OpenOffice may crash in a recovery-stuck mode
8855	    requiring manual intervention. A crafted exploitation of the
8856	    defect can allow an attacker to cause denial of service
8857	    (memory corruption and application crash) and possible
8858	    execution of arbitrary code.</p>
8859	</blockquote>
8860      </body>
8861    </description>
8862    <references>
8863      <cvename>CVE-2016-1513</cvename>
8864      <url>http://www.openoffice.org/security/cves/CVE-2015-4551.html</url>
8865    </references>
8866    <dates>
8867      <discovery>2016-07-17</discovery>
8868      <entry>2016-07-21</entry>
8869    </dates>
8870  </vuln>
8871
8872  <vuln vid="ca5cb202-4f51-11e6-b2ec-b499baebfeaf">
8873    <topic>MySQL -- Multiple vulnerabilities</topic>
8874    <affects>
8875      <package>
8876	<name>mariadb55-server</name>
8877	<range><le>5.5.49</le></range>
8878      </package>
8879      <package>
8880	<name>mariadb100-server</name>
8881	<range><le>10.0.25</le></range>
8882      </package>
8883      <package>
8884	<name>mariadb101-server</name>
8885	<range><le>10.1.14</le></range>
8886      </package>
8887      <package>
8888	<name>mysql55-server</name>
8889	<range><le>5.5.49</le></range>
8890      </package>
8891      <package>
8892	<name>mysql56-server</name>
8893	<range><lt>5.6.30</lt></range>
8894      </package>
8895      <package>
8896	<name>mysql57-server</name>
8897	<range><lt>5.7.12_1</lt></range>
8898      </package>
8899      <package>
8900	<name>percona55-server</name>
8901	<range><le>5.5.49</le></range>
8902      </package>
8903      <package>
8904	<name>percona56-server</name>
8905	<range><le>5.6.30</le></range>
8906      </package>
8907    </affects>
8908    <description>
8909      <body xmlns="http://www.w3.org/1999/xhtml">
8910	<p>Oracle reports:</p>
8911	<blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL">
	  <p>The quarterly Critical Patch Update contains 22 new security fixes for
	     Oracle MySQL 5.5.49, 5.6.30, 5.7.13 and earlier.</p>
8914	</blockquote>
8915      </body>
8916    </description>
8917    <references>
8918      <url>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL</url>
8919      <cvename>CVE-2016-3477</cvename>
8920      <cvename>CVE-2016-3440</cvename>
8921      <cvename>CVE-2016-2105</cvename>
8922      <cvename>CVE-2016-3471</cvename>
8923      <cvename>CVE-2016-3486</cvename>
8924      <cvename>CVE-2016-3501</cvename>
8925      <cvename>CVE-2016-3518</cvename>
8926      <cvename>CVE-2016-3521</cvename>
8927      <cvename>CVE-2016-3588</cvename>
8928      <cvename>CVE-2016-3615</cvename>
8929      <cvename>CVE-2016-3614</cvename>
8930      <cvename>CVE-2016-5436</cvename>
8931      <cvename>CVE-2016-3459</cvename>
8932      <cvename>CVE-2016-5437</cvename>
8933      <cvename>CVE-2016-3424</cvename>
8934      <cvename>CVE-2016-5439</cvename>
8935      <cvename>CVE-2016-5440</cvename>
8936      <cvename>CVE-2016-5441</cvename>
8937      <cvename>CVE-2016-5442</cvename>
8938      <cvename>CVE-2016-5443</cvename>
8939      <cvename>CVE-2016-5444</cvename>
8940      <cvename>CVE-2016-3452</cvename>
8941    </references>
8942    <dates>
8943      <discovery>2016-07-20</discovery>
8944      <entry>2016-07-21</entry>
8945      <modified>2016-08-08</modified>
8946    </dates>
8947  </vuln>
8948
8949  <vuln vid="3caf4e6c-4cef-11e6-a15f-00248c0c745d">
8950    <topic>typo3 -- Missing access check in Extbase</topic>
8951    <affects>
8952      <package>
8953       <name>typo3</name>
8954       <range><lt>7.6.8</lt></range>
8955      </package>
8956      <package>
8957       <name>typo3-lts</name>
8958       <range><lt>6.2.24</lt></range>
8959      </package>
8960    </affects>
8961    <description>
8962      <body xmlns="http://www.w3.org/1999/xhtml">
8963	<p>TYPO3 reports:</p>
8964	<blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/">
	  <p>Extbase request handling fails to implement a proper access check for
	    requested controller/action combinations, which makes it possible for an
	    attacker to execute arbitrary Extbase actions by crafting a special request. To
	    successfully exploit this vulnerability, an attacker must have access to at
	    least one Extbase plugin or module action in a TYPO3 installation. The missing
	    access check inevitably leads to information disclosure or remote code
	    execution, depending on the action that an attacker is able to execute.</p>
8972	</blockquote>
8973      </body>
8974    </description>
8975    <references>
8976      <cvename>CVE-2016-5091</cvename>
8977      <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/</url>
8978      <url>https://wiki.typo3.org/TYPO3_CMS_7.6.8</url>
8979      <url>https://wiki.typo3.org/TYPO3_CMS_6.2.24</url>
8980    </references>
8981    <dates>
8982      <discovery>2016-05-24</discovery>
8983      <entry>2016-07-18</entry>
8984    </dates>
8985  </vuln>
8986
8987  <vuln vid="cf0b5668-4d1b-11e6-b2ec-b499baebfeaf">
8988    <cancelled/>
8989  </vuln>
8990
8991  <vuln vid="00cb1469-4afc-11e6-97ea-002590263bf5">
8992    <topic>atutor -- multiple vulnerabilities</topic>
8993    <affects>
8994      <package>
8995	<name>atutor</name>
8996	<range><lt>2.2.2</lt></range>
8997      </package>
8998    </affects>
8999    <description>
9000      <body xmlns="http://www.w3.org/1999/xhtml">
9001	<p>ATutor reports:</p>
9002	<blockquote cite="https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2">
9003	  <p>Security Fixes: Added a new layer of security over all php
9004	    superglobals, fixed several XSS, CSRF, and SQL injection
9005	    vulnerabilities.</p>
9006	</blockquote>
9007      </body>
9008    </description>
9009    <references>
9010      <url>https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2</url>
9011    </references>
9012    <dates>
9013      <discovery>2016-07-01</discovery>
9014      <entry>2016-07-16</entry>
9015    </dates>
9016  </vuln>
9017
9018  <vuln vid="ffa8ca79-4afb-11e6-97ea-002590263bf5">
9019    <topic>atutor -- multiple vulnerabilities</topic>
9020    <affects>
9021      <package>
9022	<name>atutor</name>
9023	<range><lt>2.2.1</lt></range>
9024      </package>
9025    </affects>
9026    <description>
9027      <body xmlns="http://www.w3.org/1999/xhtml">
9028	<p>ATutor reports:</p>
9029	<blockquote cite="https://github.com/atutor/ATutor/releases/tag/atutor_2_2_1">
9030	  <p>Security Fixes: A number of minor XSS vulnerabilities discovered in
9031	    the previous version of ATutor have been corrected.</p>
9032	</blockquote>
9033      </body>
9034    </description>
9035    <references>
9036      <url>https://github.com/atutor/ATutor/releases/tag/atutor_2_2_1</url>
9037    </references>
9038    <dates>
9039      <discovery>2016-01-30</discovery>
9040      <entry>2016-07-16</entry>
9041    </dates>
9042  </vuln>
9043
9044  <vuln vid="a522d6ac-4aed-11e6-97ea-002590263bf5">
9045    <topic>flash -- multiple vulnerabilities</topic>
9046    <affects>
9047      <package>
9048	<name>linux-c6-flashplugin</name>
9049	<name>linux-c6_64-flashplugin</name>
9050	<name>linux-f10-flashplugin</name>
9051	<range><lt>11.2r202.632</lt></range>
9052      </package>
9053    </affects>
9054    <description>
9055      <body xmlns="http://www.w3.org/1999/xhtml">
9056	<p>Adobe reports:</p>
	<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-25.html">
9058	  <p>These updates resolve a race condition vulnerability that could
9059	    lead to information disclosure (CVE-2016-4247).</p>
9060	  <p>These updates resolve type confusion vulnerabilities that could
9061	    lead to code execution (CVE-2016-4223, CVE-2016-4224,
9062	    CVE-2016-4225).</p>
9063	  <p>These updates resolve use-after-free vulnerabilities that could
9064	    lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222,
9065	    CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229,
9066	    CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).</p>
9067	  <p>These updates resolve a heap buffer overflow vulnerability that
9068	    could lead to code execution (CVE-2016-4249).</p>
9069	  <p>These updates resolve memory corruption vulnerabilities that could
9070	    lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179,
9071	    CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183,
9072	    CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187,
9073	    CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217,
9074	    CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221,
9075	    CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236,
9076	    CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240,
9077	    CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244,
9078	    CVE-2016-4245, CVE-2016-4246).</p>
	  <p>These updates resolve a memory leak vulnerability (CVE-2016-4232).</p>
9081	  <p>These updates resolve stack corruption vulnerabilities that could
9082	    lead to code execution (CVE-2016-4176, CVE-2016-4177).</p>
9083	  <p>These updates resolve a security bypass vulnerability that could
9084	    lead to information disclosure (CVE-2016-4178).</p>
9085	</blockquote>
9086      </body>
9087    </description>
9088    <references>
9089      <cvename>CVE-2016-4172</cvename>
9090      <cvename>CVE-2016-4173</cvename>
9091      <cvename>CVE-2016-4174</cvename>
9092      <cvename>CVE-2016-4175</cvename>
9093      <cvename>CVE-2016-4176</cvename>
9094      <cvename>CVE-2016-4177</cvename>
9095      <cvename>CVE-2016-4178</cvename>
9096      <cvename>CVE-2016-4179</cvename>
9097      <cvename>CVE-2016-4180</cvename>
9098      <cvename>CVE-2016-4181</cvename>
9099      <cvename>CVE-2016-4182</cvename>
9100      <cvename>CVE-2016-4183</cvename>
9101      <cvename>CVE-2016-4184</cvename>
9102      <cvename>CVE-2016-4185</cvename>
9103      <cvename>CVE-2016-4186</cvename>
9104      <cvename>CVE-2016-4187</cvename>
9105      <cvename>CVE-2016-4188</cvename>
9106      <cvename>CVE-2016-4189</cvename>
9107      <cvename>CVE-2016-4190</cvename>
9108      <cvename>CVE-2016-4217</cvename>
9109      <cvename>CVE-2016-4218</cvename>
9110      <cvename>CVE-2016-4219</cvename>
9111      <cvename>CVE-2016-4220</cvename>
9112      <cvename>CVE-2016-4221</cvename>
9113      <cvename>CVE-2016-4222</cvename>
9114      <cvename>CVE-2016-4223</cvename>
9115      <cvename>CVE-2016-4224</cvename>
9116      <cvename>CVE-2016-4225</cvename>
9117      <cvename>CVE-2016-4226</cvename>
9118      <cvename>CVE-2016-4227</cvename>
9119      <cvename>CVE-2016-4228</cvename>
9120      <cvename>CVE-2016-4229</cvename>
9121      <cvename>CVE-2016-4230</cvename>
9122      <cvename>CVE-2016-4231</cvename>
9123      <cvename>CVE-2016-4232</cvename>
9124      <cvename>CVE-2016-4233</cvename>
9125      <cvename>CVE-2016-4234</cvename>
9126      <cvename>CVE-2016-4235</cvename>
9127      <cvename>CVE-2016-4236</cvename>
9128      <cvename>CVE-2016-4237</cvename>
9129      <cvename>CVE-2016-4238</cvename>
9130      <cvename>CVE-2016-4239</cvename>
9131      <cvename>CVE-2016-4240</cvename>
9132      <cvename>CVE-2016-4241</cvename>
9133      <cvename>CVE-2016-4242</cvename>
9134      <cvename>CVE-2016-4243</cvename>
9135      <cvename>CVE-2016-4244</cvename>
9136      <cvename>CVE-2016-4245</cvename>
9137      <cvename>CVE-2016-4246</cvename>
9138      <cvename>CVE-2016-4247</cvename>
9139      <cvename>CVE-2016-4248</cvename>
9140      <cvename>CVE-2016-4249</cvename>
9141      <url>https://helpx.adobe.com/security/products/flash-player/apsb16-25.html</url>
9142    </references>
9143    <dates>
9144      <discovery>2016-07-12</discovery>
9145      <entry>2016-07-16</entry>
9146    </dates>
9147  </vuln>
9148
9149  <vuln vid="61b8c359-4aab-11e6-a7bd-14dae9d210b8">
9150    <cancelled superseded="cbceeb49-3bc7-11e6-8e82-002590263bf5"/>
9151  </vuln>
9152
9153  <vuln vid="3159cd70-4aaa-11e6-a7bd-14dae9d210b8">
9154    <topic>libreoffice -- use-after-free vulnerability</topic>
9155    <affects>
9156      <package>
9157	<name>libreoffice</name>
9158	<range><lt>5.1.4</lt></range>
9159      </package>
9160    </affects>
9161    <description>
9162      <body xmlns="http://www.w3.org/1999/xhtml">
9163	<p>Talos reports:</p>
9164	<blockquote cite="http://www.talosintelligence.com/reports/TALOS-2016-0126/">
	  <p>An exploitable Use After Free vulnerability exists in the
	    RTF parser of LibreOffice. A specially crafted file can cause a use after
	    free resulting in a possible arbitrary code execution. To exploit the
	    vulnerability a malicious file needs to be opened by the user via a
	    vulnerable application.</p>
9170	</blockquote>
9171      </body>
9172    </description>
9173    <references>
9174      <url>http://www.talosintelligence.com/reports/TALOS-2016-0126/</url>
9175      <url>http://www.libreoffice.org/about-us/security/advisories/cve-2016-4324/</url>
9176      <cvename>CVE-2016-4324</cvename>
9177    </references>
9178    <dates>
9179      <discovery>2016-06-27</discovery>
9180      <entry>2016-07-15</entry>
9181    </dates>
9182  </vuln>
9183
9184  <vuln vid="c17fe91d-4aa6-11e6-a7bd-14dae9d210b8">
9185    <cancelled/>
9186  </vuln>
9187
9188  <vuln vid="0ab66088-4aa5-11e6-a7bd-14dae9d210b8">
9189    <topic>tiff -- buffer overflow</topic>
9190    <affects>
9191      <package>
9192	<name>tiff</name>
9193	<range><lt>4.0.6_2</lt></range>
9194      </package>
9195      <package>
9196	<name>linux-c6-tiff</name>
9197	<range><lt>3.9.4_2</lt></range>
9198      </package>
9199      <package>
9200	<name>linux-f10-tiff</name>
9201	<range><ge>*</ge></range>
9202      </package>
9203    </affects>
9204    <description>
9205      <body xmlns="http://www.w3.org/1999/xhtml">
9206	<p>Mathias Svensson reports:</p>
9207	<blockquote cite="https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2">
9208	  <p>potential buffer write overrun in PixarLogDecode() on
9209	    corrupted/unexpected images</p>
9210	</blockquote>
9211      </body>
9212    </description>
9213    <references>
9214      <url>https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2</url>
9215      <cvename>CVE-2016-5314</cvename>
9216      <cvename>CVE-2016-5320</cvename>
9217      <cvename>CVE-2016-5875</cvename>
9218    </references>
9219    <dates>
9220      <discovery>2016-06-28</discovery>
9221      <entry>2016-07-15</entry>
9222      <modified>2016-09-06</modified>
9223    </dates>
9224  </vuln>
9225
9226  <vuln vid="42ecf370-4aa4-11e6-a7bd-14dae9d210b8">
9227    <cancelled/>
9228  </vuln>
9229
9230  <vuln vid="d706a3a3-4a7c-11e6-97f7-5453ed2e2b49">
9231    <topic>p7zip -- out-of-bounds read vulnerability</topic>
9232    <affects>
9233      <package>
9234	<name>p7zip</name>
9235	<range><lt>15.14_1</lt></range>
9236      </package>
9237    </affects>
9238    <description>
9239      <body xmlns="http://www.w3.org/1999/xhtml">
9240	<p>Cisco Talos reports:</p>
9241	<blockquote cite="http://www.talosintelligence.com/reports/TALOS-2016-0094/">
9242	  <p>An out-of-bounds read vulnerability exists in the way 7-Zip
9243	  handles Universal Disk Format (UDF) files.</p>
9244	  <p>Central to 7-Zip’s processing of UDF files is the
9245	  CInArchive::ReadFileItem method. Because volumes can have more than
9246	  one partition map, their objects are kept in an object vector. To
9247	  start looking for an item, this method tries to reference the proper
9248	  object using the partition map’s object vector and the "PartitionRef"
9249	  field from the Long Allocation Descriptor. Lack of checking whether
9250	  the "PartitionRef" field is bigger than the available amount of
9251	  partition map objects causes a read out-of-bounds and can lead, in
9252	  some circumstances, to arbitrary code execution.</p>
9253	</blockquote>
9254      </body>
9255    </description>
9256    <references>
9257      <cvename>CVE-2016-2335</cvename>
9258      <url>http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html</url>
9259    </references>
9260    <dates>
9261      <discovery>2016-05-11</discovery>
9262      <entry>2016-07-15</entry>
9263    </dates>
9264  </vuln>
9265
9266  <vuln vid="a9bcaf57-4a7b-11e6-97f7-5453ed2e2b49">
9267    <topic>p7zip -- heap overflow vulnerability</topic>
9268    <affects>
9269      <package>
9270	<name>p7zip</name>
9271	<range><lt>15.14_1</lt></range>
9272      </package>
9273    </affects>
9274    <description>
9275      <body xmlns="http://www.w3.org/1999/xhtml">
9276	<p>Cisco Talos reports:</p>
9277	<blockquote cite="http://www.talosintelligence.com/reports/TALOS-2016-0093/">
9278	  <p>An exploitable heap overflow vulnerability exists in the
9279	  NArchive::NHfs::CHandler::ExtractZlibFile method functionality of
9280	  7zip that can lead to arbitrary code execution.</p>
9281	</blockquote>
9282      </body>
9283    </description>
9284    <references>
9285      <cvename>CVE-2016-2334</cvename>
9286      <url>http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html</url>
9287    </references>
9288    <dates>
9289      <discovery>2016-05-11</discovery>
9290      <entry>2016-07-15</entry>
9291    </dates>
9292  </vuln>
9293
9294  <vuln vid="4729c849-4897-11e6-b704-000c292e4fd8">
9295    <topic>samba -- client side SMB2/3 required signing can be downgraded</topic>
9296    <affects>
9297      <package>
9298	<name>samba4</name>
9299	<range><ge>4.0.0</ge><le>4.0.26</le></range>
9300      </package>
9301      <package>
9302	<name>samba41</name>
9303	<range><ge>4.1.0</ge><le>4.1.23</le></range>
9304      </package>
9305      <package>
9306	<name>samba42</name>
9307	<range><ge>4.2.0</ge><lt>4.2.14</lt></range>
9308      </package>
9309      <package>
9310	<name>samba43</name>
9311	<range><ge>4.3.0</ge><lt>4.3.11</lt></range>
9312      </package>
9313      <package>
9314	<name>samba44</name>
9315	<range><ge>4.4.0</ge><lt>4.4.5</lt></range>
9316      </package>
9317    </affects>
9318    <description>
9319      <body xmlns="http://www.w3.org/1999/xhtml">
9320	<p>Samba team reports:</p>
9321	<blockquote cite="https://www.samba.org/samba/security/CVE-2016-2119.html">
9322	  <p>A man in the middle attack can disable client signing over
9323	  SMB2/3, even if enforced by configuration parameters.</p>
9324	</blockquote>
9325      </body>
9326    </description>
9327    <references>
9328      <cvename>CVE-2016-2119</cvename>
9329      <url>https://www.samba.org/samba/security/CVE-2016-2119.html</url>
9330    </references>
9331    <dates>
9332      <discovery>2016-07-07</discovery>
9333      <entry>2016-07-13</entry>
9334    </dates>
9335  </vuln>
9336
9337  <vuln vid="3fcd52b2-4510-11e6-a15f-00248c0c745d">
9338    <topic>ruby-saml -- XML signature wrapping attack</topic>
9339    <affects>
9340      <package>
9341	<name>rubygem-ruby-saml</name>
9342	<range><lt>1.3.0</lt></range>
9343      </package>
9344    </affects>
9345    <description>
9346      <body xmlns="http://www.w3.org/1999/xhtml">
9347	<p>RubySec reports:</p>
9348	<blockquote cite="http://rubysec.com/advisories/CVE-2016-5697/">
	  <p>ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack
	    in the specific scenario where there was a signature that referenced at the same
	    time 2 elements (but passed the scheme validator process since 1 of the elements was
	    inside the encrypted assertion).</p>
	  <p>ruby-saml users must update to 1.3.0, which implements 3 extra validations to
	    mitigate this kind of attack.</p>
9355	</blockquote>
9356      </body>
9357    </description>
9358    <references>
9359      <cvename>CVE-2016-5697</cvename>
9360      <url>http://rubysec.com/advisories/CVE-2016-5697/</url>
9361      <url>https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995</url>
9362    </references>
9363    <dates>
9364      <discovery>2016-06-24</discovery>
9365      <entry>2016-07-08</entry>
9366    </dates>
9367  </vuln>
9368
9369  <vuln vid="7d64d00c-43e3-11e6-ab34-002590263bf5">
9370    <topic>quassel -- remote denial of service</topic>
9371    <affects>
9372      <package>
9373	<name>quassel</name>
9374	<range><lt>0.12.4</lt></range>
9375      </package>
9376    </affects>
9377    <description>
9378      <body xmlns="http://www.w3.org/1999/xhtml">
9379	<p>Mitre reports:</p>
9380	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4414">
9381	  <p>The onReadyRead function in core/coreauthhandler.cpp in Quassel
9382	    before 0.12.4 allows remote attackers to cause a denial of service
9383	    (NULL pointer dereference and crash) via invalid handshake data.</p>
9384	</blockquote>
9385      </body>
9386    </description>
9387    <references>
9388      <cvename>CVE-2016-4414</cvename>
9389      <url>http://quassel-irc.org/node/129</url>
9390      <url>https://github.com/quassel/quassel/commit/e678873</url>
9391      <url>http://www.openwall.com/lists/oss-security/2016/04/30/2</url>
9392      <url>http://www.openwall.com/lists/oss-security/2016/04/30/4</url>
9393    </references>
9394    <dates>
9395      <discovery>2016-04-24</discovery>
9396      <entry>2016-07-07</entry>
9397    </dates>
9398  </vuln>
9399
9400  <vuln vid="e9d1e040-42c9-11e6-9608-20cf30e32f6d">
9401    <topic>apache24 -- X509 Client certificate based authentication can be bypassed when HTTP/2 is used</topic>
9402    <affects>
9403      <package>
9404	<name>apache24</name>
9405	<range><ge>2.4.18</ge><lt>2.4.23</lt></range>
9406      </package>
9407    </affects>
9408    <description>
9409      <body xmlns="http://www.w3.org/1999/xhtml">
9410	<p>Apache Software Foundation reports:</p>
	<blockquote cite="http://mail-archives.apache.org/mod_mbox/httpd-announce/201607.mbox/CVE-2016-4979-68283">
	  <p>The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate an X509
	    client certificate correctly when the experimental module for the HTTP/2
	    protocol is used to access a resource.</p>
9415	  <p>The net result is that a resource that should require a valid client
9416	    certificate in order to get access can be accessed without that credential.</p>
9417	</blockquote>
9418      </body>
9419    </description>
9420    <references>
9421      <cvename>CVE-2016-4979</cvename>
9422      <url>http://mail-archives.apache.org/mod_mbox/httpd-announce/201607.mbox/CVE-2016-4979-68283</url>
9423    </references>
9424    <dates>
9425      <discovery>2016-07-01</discovery>
9426      <entry>2016-07-05</entry>
9427    </dates>
9428  </vuln>
9429
9430  <vuln vid="e800cd4b-4212-11e6-942d-bc5ff45d0f28">
9431    <topic>xen-tools -- Unrestricted qemu logging</topic>
9432    <affects>
9433      <package>
9434	<name>xen-tools</name>
9435	<range><lt>4.7.0_2</lt></range>
9436      </package>
9437    </affects>
9438    <description>
9439      <body xmlns="http://www.w3.org/1999/xhtml">
9440	<p>The Xen Project reports:</p>
9441	<blockquote cite="http://xenbits.xen.org/xsa/advisory-180.html">
	  <p>When the libxl toolstack launches qemu for HVM guests, it pipes the
	    output of stderr to a file in /var/log/xen.  This output is not
	    rate-limited in any way.  The guest can easily cause qemu to print
	    messages to stderr, causing this file to become arbitrarily large.</p>
9447	  <p>The disk containing the logfile can be exhausted, possibly causing a
9448	    denial-of-service (DoS).</p>
9449	</blockquote>
9450      </body>
9451    </description>
9452    <references>
9453      <cvename>CVE-2014-3672</cvename>
9454      <url>http://xenbits.xen.org/xsa/advisory-180.html</url>
9455    </references>
9456    <dates>
9457      <discovery>2016-05-23</discovery>
9458      <entry>2016-07-04</entry>
9459    </dates>
9460  </vuln>
9461
9462  <vuln vid="e6ce6f50-4212-11e6-942d-bc5ff45d0f28">
9463    <topic>xen-tools -- QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks</topic>
9464    <affects>
9465      <package>
9466	<name>xen-tools</name>
9467	<range><lt>4.7.0_2</lt></range>
9468      </package>
9469    </affects>
9470    <description>
9471      <body xmlns="http://www.w3.org/1999/xhtml">
9472	<p>The Xen Project reports:</p>
9473	<blockquote cite="http://xenbits.xen.org/xsa/advisory-179.html">
9474	  <p>Qemu VGA module allows banked access to video memory using the
9475	    window at 0xa00000 and it supports different access modes with
9476	    different address calculations.</p>
9477	  <p>Qemu VGA module allows guest to edit certain registers in 'vbe'
9478	    and 'vga' modes.</p>
9479	  <p>A privileged guest user could use CVE-2016-3710 to exceed the bank
9480	    address window and write beyond the said memory area, potentially
9481	    leading to arbitrary code execution with privileges of the Qemu
9482	    process.  If the system is not using stubdomains, this will be in
9483	    domain 0.</p>
	  <p>A privileged guest user could use CVE-2016-3712 to cause potential
	    integer overflow or OOB read access issues in Qemu, resulting in a DoS
	    of the guest itself.  More dangerous effects, such as data leakage or
	    code execution, are not known but cannot be ruled out.</p>
9488	</blockquote>
9489      </body>
9490    </description>
9491    <references>
9492      <cvename>CVE-2016-3710</cvename>
9493      <cvename>CVE-2016-3712</cvename>
9494      <url>http://xenbits.xen.org/xsa/advisory-179.html</url>
9495    </references>
9496    <dates>
9497      <discovery>2016-05-09</discovery>
9498      <entry>2016-07-04</entry>
9499    </dates>
9500  </vuln>
9501
9502  <vuln vid="e589ae90-4212-11e6-942d-bc5ff45d0f28">
9503    <topic>xen-tools -- Unsanitised driver domain input in libxl device handling</topic>
9504    <affects>
9505      <package>
9506	<name>xen-tools</name>
9507	<range><lt>4.7.0_1</lt></range>
9508      </package>
9509    </affects>
9510    <description>
9511      <body xmlns="http://www.w3.org/1999/xhtml">
9512	<p>The Xen Project reports:</p>
9513	<blockquote cite="http://xenbits.xen.org/xsa/advisory-178.html">
9514	  <p>libxl's device-handling code freely uses and trusts information
9515	    from the backend directories in xenstore.</p>
9516	  <p>A malicious driver domain can deny service to management tools.</p>
9517	</blockquote>
9518      </body>
9519    </description>
9520    <references>
9521      <cvename>CVE-2016-4963</cvename>
9522      <url>http://xenbits.xen.org/xsa/advisory-178.html</url>
9523    </references>
9524    <dates>
9525      <discovery>2016-06-02</discovery>
9526      <entry>2016-07-04</entry>
9527    </dates>
9528  </vuln>
9529
9530  <vuln vid="e43b210a-4212-11e6-942d-bc5ff45d0f28">
9531    <topic>xen-kernel -- x86 software guest page walk PS bit handling flaw</topic>
9532    <affects>
9533      <package>
9534	<name>xen-kernel</name>
9535	<range><lt>4.7.0</lt></range>
9536      </package>
9537    </affects>
9538    <description>
9539      <body xmlns="http://www.w3.org/1999/xhtml">
9540	<p>The Xen Project reports:</p>
9541	<blockquote cite="http://xenbits.xen.org/xsa/advisory-176.html">
9542	  <p>The Page Size (PS) page table entry bit exists at all page table
9543	    levels other than L1.  Its meaning is reserved in L4, and
9544	    conditionally reserved in L3 and L2 (depending on hardware
9545	    capabilities).  The software page table walker in the hypervisor,
	    however, so far ignored that bit in L4 and (on respective hardware)
	    L3 entries, resulting in pages being treated as page tables which
	    the guest OS may not have designated as such.  If the page in
9549	    question is writable by an unprivileged user, then that user will
9550	    be able to map arbitrary guest memory.</p>
9551	  <p>On vulnerable OSes, guest user mode code may be able to establish
9552	    mappings of arbitrary memory inside the guest, allowing it to
9553	    elevate its privileges inside the guest.</p>
9554	</blockquote>
9555      </body>
9556    </description>
9557    <references>
9558      <cvename>CVE-2016-4480</cvename>
9559      <url>http://xenbits.xen.org/xsa/advisory-176.html</url>
9560    </references>
9561    <dates>
9562      <discovery>2016-05-17</discovery>
9563      <entry>2016-07-04</entry>
9564    </dates>
9565  </vuln>
9566
9567  <vuln vid="e2fca11b-4212-11e6-942d-bc5ff45d0f28">
9568    <topic>xen-tools -- Unsanitised guest input in libxl device handling code</topic>
9569    <affects>
9570      <package>
9571	<name>xen-tools</name>
9572	<range><lt>4.7.0_1</lt></range>
9573      </package>
9574    </affects>
9575    <description>
9576      <body xmlns="http://www.w3.org/1999/xhtml">
9577	<p>The Xen Project reports:</p>
9578	<blockquote cite="http://xenbits.xen.org/xsa/advisory-175.html">
9579	  <p>Various parts of libxl device-handling code inappropriately use
9580	    information from (partially) guest controlled areas of xenstore.</p>
9581	  <p>A malicious guest administrator can cause denial of service by
9582	    resource exhaustion.</p>
9583	  <p>A malicious guest administrator can confuse and/or deny service to
9584	    management facilities.</p>
9585	  <p>A malicious guest administrator of a guest configured with channel
9586	    devices may be able to escalate their privilege to that of the
9587	    backend domain (i.e., normally, to that of the host).</p>
9588	</blockquote>
9589      </body>
9590    </description>
9591    <references>
9592      <cvename>CVE-2016-4962</cvename>
9593      <url>http://xenbits.xen.org/xsa/advisory-175.html</url>
9594    </references>
9595    <dates>
9596      <discovery>2016-06-02</discovery>
9597      <entry>2016-07-04</entry>
9598    </dates>
9599  </vuln>
9600
9601  <vuln vid="d51ced72-4212-11e6-942d-bc5ff45d0f28">
9602    <topic>xen-kernel -- x86 shadow pagetables: address width overflow</topic>
9603    <affects>
9604      <package>
9605	<name>xen-kernel</name>
9606	<range><ge>3.4</ge><lt>4.7.0</lt></range>
9607      </package>
9608    </affects>
9609    <description>
9610      <body xmlns="http://www.w3.org/1999/xhtml">
9611	<p>The Xen Project reports:</p>
9612	<blockquote cite="http://xenbits.xen.org/xsa/advisory-173.html">
9613	  <p>In the x86 shadow pagetable code, the guest frame number of a
9614	    superpage mapping is stored in a 32-bit field.  If a shadowed guest
9615	    can cause a superpage mapping of a guest-physical address at or
9616	    above 2^44 to be shadowed, the top bits of the address will be lost,
9617	    causing an assertion failure or NULL dereference later on, in code
9618	    that removes the shadow.</p>
	  <p>A HVM guest using shadow pagetables can cause the host to crash.</p>
9621	  <p>A PV guest using shadow pagetables (i.e. being migrated) with PV
9622	    superpages enabled (which is not the default) can crash the host, or
9623	    corrupt hypervisor memory, and so a privilege escalation cannot be
9624	    ruled out.</p>
9625	</blockquote>
9626      </body>
9627    </description>
9628    <references>
9629      <cvename>CVE-2016-3960</cvename>
9630      <url>http://xenbits.xen.org/xsa/advisory-173.html</url>
9631    </references>
9632    <dates>
9633      <discovery>2016-04-18</discovery>
9634      <entry>2016-07-04</entry>
9635    </dates>
9636  </vuln>
9637
9638  <vuln vid="313e9557-41e8-11e6-ab34-002590263bf5">
9639    <topic>wireshark -- multiple vulnerabilities</topic>
9640    <affects>
9641      <package>
9642	<name>wireshark</name>
9643	<name>wireshark-lite</name>
9644	<name>wireshark-qt5</name>
9645	<name>tshark</name>
9646	<name>tshark-lite</name>
9647	<range><lt>2.0.4</lt></range>
9648      </package>
9649    </affects>
9650    <description>
9651      <body xmlns="http://www.w3.org/1999/xhtml">
9652	<p>Wireshark development team reports:</p>
9653	<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.4.html">
9654	  <p>The following vulnerabilities have been fixed:</p>
9655	  <ul>
9656	    <li><p>wnpa-sec-2016-29</p>
9657	      <p>The SPOOLS dissector could go into an infinite loop. Discovered
9658	      by the CESG.</p></li>
9659	    <li><p>wnpa-sec-2016-30</p>
9660	      <p>The IEEE 802.11 dissector could crash. (Bug 11585)</p></li>
9661	    <li><p>wnpa-sec-2016-31</p>
9662	      <p>The IEEE 802.11 dissector could crash. Discovered by Mateusz
9663	      Jurczyk. (Bug 12175)</p></li>
9664	    <li><p>wnpa-sec-2016-32</p>
9665	      <p>The UMTS FP dissector could crash. (Bug 12191)</p></li>
9666	    <li><p>wnpa-sec-2016-33</p>
9667	      <p>Some USB dissectors could crash. Discovered by Mateusz
9668	      Jurczyk. (Bug 12356)</p></li>
9669	    <li><p>wnpa-sec-2016-34</p>
9670	      <p>The Toshiba file parser could crash. Discovered by iDefense
9671	      Labs. (Bug 12394)</p></li>
9672	    <li><p>wnpa-sec-2016-35</p>
9673	      <p>The CoSine file parser could crash. Discovered by iDefense
9674	      Labs. (Bug 12395)</p></li>
9675	    <li><p>wnpa-sec-2016-36</p>
9676	      <p>The NetScreen file parser could crash. Discovered by iDefense
9677	      Labs. (Bug 12396)</p></li>
9678	    <li><p>wnpa-sec-2016-37</p>
9679	      <p>The Ethernet dissector could crash. (Bug 12440)</p></li>
9680	  </ul>
9681	</blockquote>
9682      </body>
9683    </description>
9684    <references>
9685      <cvename>CVE-2016-5350</cvename>
9686      <cvename>CVE-2016-5351</cvename>
9687      <cvename>CVE-2016-5352</cvename>
9688      <cvename>CVE-2016-5353</cvename>
9689      <cvename>CVE-2016-5354</cvename>
9690      <cvename>CVE-2016-5355</cvename>
9691      <cvename>CVE-2016-5356</cvename>
9692      <cvename>CVE-2016-5357</cvename>
9693      <cvename>CVE-2016-5358</cvename>
9694      <url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.4.html</url>
9695      <url>http://www.openwall.com/lists/oss-security/2016/06/09/4</url>
9696    </references>
9697    <dates>
9698      <discovery>2016-06-07</discovery>
9699      <entry>2016-07-04</entry>
9700    </dates>
9701  </vuln>
9702
9703  <vuln vid="8656cf5f-4170-11e6-8dfe-002590263bf5">
9704    <topic>moodle -- multiple vulnerabilities</topic>
9705    <affects>
9706      <package>
9707	<name>moodle28</name>
9708	<range><lt>2.8.12</lt></range>
9709      </package>
9710      <package>
9711	<name>moodle29</name>
9712	<range><lt>2.9.6</lt></range>
9713      </package>
9714      <package>
9715	<name>moodle30</name>
9716	<range><lt>3.0.4</lt></range>
9717      </package>
9718    </affects>
9719    <description>
9720      <body xmlns="http://www.w3.org/1999/xhtml">
9721	<p>Marina Glancy reports:</p>
9722	<blockquote cite="https://moodle.org/security/">
9723	  <ul>
9724	    <li><p>MSA-16-0013: Users are able to change profile fields that
9725	    were locked by the administrator.</p></li>
9726	    <li><p>MSA-16-0015: Information disclosure of hidden forum names
9727	    and sub-names.</p></li>
9728	    <li><p>MSA-16-0016: User can view badges of other users without
9729	    proper permissions.</p></li>
9730	    <li><p>MSA-16-0017: Course idnumber not protected from teacher
9731	    restore.</p></li>
9732	    <li><p>MSA-16-0018: CSRF in script marking forum posts as read.</p>
9733	    </li>
9734	  </ul>
9735	</blockquote>
9736      </body>
9737    </description>
9738    <references>
9739      <cvename>CVE-2016-3729</cvename>
9740      <cvename>CVE-2016-3731</cvename>
9741      <cvename>CVE-2016-3732</cvename>
9742      <cvename>CVE-2016-3733</cvename>
9743      <cvename>CVE-2016-3734</cvename>
9744      <url>https://moodle.org/security/</url>
9745    </references>
9746    <dates>
9747      <discovery>2016-05-18</discovery>
9748      <entry>2016-07-03</entry>
9749    </dates>
9750  </vuln>
9751
9752  <vuln vid="ad9b77f6-4163-11e6-b05b-14dae9d210b8">
9753    <topic>icingaweb2 -- remote code execution</topic>
9754    <affects>
9755      <package>
9756	<name>icingaweb2</name>
9757	<range><lt>2.3.4</lt></range>
9758      </package>
9759    </affects>
9760    <description>
9761      <body xmlns="http://www.w3.org/1999/xhtml">
9762	<p>Eric Lippmann reports:</p>
9763	<blockquote cite="https://www.icinga.org/2016/06/23/icinga-web-2-v2-3-4-v2-2-2-and-v2-1-4-releases/">
9764	  <p>Possibility of remote code execution via the remote command
9765	    transport.</p>
9766	</blockquote>
9767      </body>
9768    </description>
9769    <references>
9770      <url>https://www.icinga.org/2016/06/23/icinga-web-2-v2-3-4-v2-2-2-and-v2-1-4-releases/</url>
9771    </references>
9772    <dates>
9773      <discovery>2016-06-23</discovery>
9774      <entry>2016-07-03</entry>
9775    </dates>
9776  </vuln>
9777
9778  <vuln vid="a5c204b5-4153-11e6-8dfe-002590263bf5">
9779    <topic>hive -- authorization logic vulnerability</topic>
9780    <affects>
9781      <package>
9782	<name>hive</name>
9783	<range><lt>2.0.0</lt></range>
9784      </package>
9785    </affects>
9786    <description>
9787      <body xmlns="http://www.w3.org/1999/xhtml">
9788	<p>Sushanth Sowmyan reports:</p>
9789	<blockquote cite="http://mail-archives.apache.org/mod_mbox/hive-user/201601.mbox/%3C20160128205008.2154F185EB%40minotaur.apache.org%3E">
9790	  <p>Some partition-level operations exist that do not explicitly also
9791	    authorize privileges of the parent table. This can lead to issues when
9792	    the parent table would have denied the operation, but no denial occurs
9793	    because the partition-level privilege is not checked by the
9794	    authorization framework, which defines authorization entities only
9795	    from the table level upwards.</p>
9796	</blockquote>
9797      </body>
9798    </description>
9799    <references>
9800      <cvename>CVE-2015-7521</cvename>
9801      <url>http://mail-archives.apache.org/mod_mbox/hive-user/201601.mbox/%3C20160128205008.2154F185EB%40minotaur.apache.org%3E</url>
9802    </references>
9803    <dates>
9804      <discovery>2016-01-28</discovery>
9805      <entry>2016-07-03</entry>
9806    </dates>
9807  </vuln>
9808
9809  <vuln vid="546deeea-3fc6-11e6-a671-60a44ce6887b">
9810    <topic>SQLite3 -- Tempdir Selection Vulnerability</topic>
9811    <affects>
9812      <package>
9813	<name>sqlite3</name>
9814	<range><lt>3.13.0</lt></range>
9815      </package>
9816    </affects>
9817    <description>
9818      <body xmlns="http://www.w3.org/1999/xhtml">
9819	<p>KoreLogic security reports:</p>
9820	<blockquote cite="https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt">
9821	  <p>Affected versions of SQLite reject potential tempdir locations if
9822	    they are not readable, falling back to '.'. Thus, SQLite will favor
9823	    e.g. using cwd for tempfiles on such a system, even if cwd is an
9824	    unsafe location.  Notably, SQLite also checks the permissions of
9825	    '.', but ignores the results of that check.</p>
9826	</blockquote>
9827      </body>
9828    </description>
9829    <references>
9830      <cvename>CVE-2016-6153</cvename>
9831      <freebsdpr>ports/209827</freebsdpr>
9832      <url>https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt</url>
9833      <url>http://openwall.com/lists/oss-security/2016/07/01/2</url>
9834      <url>http://www.sqlite.org/cgi/src/info/67985761aa93fb61</url>
9835      <url>http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3</url>
9836      <url>http://www.sqlite.org/cgi/src/info/614bb709d34e1148</url>
9837    </references>
9838    <dates>
9839      <discovery>2016-07-01</discovery>
9840      <entry>2016-07-03</entry>
9841    </dates>
9842  </vuln>
9843
9844  <vuln vid="8d5368ef-40fe-11e6-b2ec-b499baebfeaf">
9845    <topic>Python -- smtplib StartTLS stripping vulnerability</topic>
9846    <affects>
9847      <package>
9848	<name>python27</name>
9849	<range><lt>2.7.12</lt></range>
9850      </package>
9851      <package>
9852	<name>python33</name>
9853	<range><gt>0</gt></range>
9854      </package>
9855      <package>
9856	<name>python34</name>
9857	<range><lt>3.4.5</lt></range>
9858      </package>
9859      <package>
9860	<name>python35</name>
9861	<range><lt>3.5.2</lt></range>
9862      </package>
9863    </affects>
9864    <description>
9865      <body xmlns="http://www.w3.org/1999/xhtml">
9866	<p>Red Hat reports:</p>
9867	<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772">
9868	  <p>A vulnerability in smtplib allowing MITM attacker to perform a
9869	    startTLS stripping attack. smtplib does not seem to raise an exception
9870	    when the remote end (smtp server) is capable of negotiating starttls but
9871	    fails to respond with 220 (ok) to an explicit call of SMTP.starttls().
9872	    This may allow a malicious MITM to perform a startTLS stripping attack
9873	    if the client code does not explicitly check the response code for startTLS.</p>
9874	</blockquote>
9875      </body>
9876    </description>
9877    <references>
9878      <url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772</url>
9879      <cvename>CVE-2016-0772</cvename>
9880    </references>
9881    <dates>
9882      <discovery>2016-06-14</discovery>
9883      <entry>2016-07-03</entry>
9884    </dates>
9885  </vuln>
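The Red Hat note above says the flaw only bites client code that does not check the reply to STARTTLS itself. The following is an added example, not code from the VuXML entry or from CPython, of a client that fails closed: it refuses to continue unless the server advertised STARTTLS and answered the upgrade with 220. `FakeSMTPSession` is a constructed stand-in for `smtplib.SMTP` that reproduces the unpatched behaviour (a non-220 reply is returned, not raised); `secure_session` shows the same helper on a real connection and is not exercised here.

```python
import smtplib
import ssl


class StartTLSStripped(Exception):
    """The session is still cleartext although the client asked for TLS."""


def require_starttls(conn, context=None):
    """Upgrade an smtplib.SMTP-like session to TLS, or fail closed.

    Unpatched smtplib returns the server's reply to STARTTLS as a
    (code, message) tuple without raising, so a MITM that answers with
    e.g. "454 TLS not available" silently leaves the session in cleartext.
    Anything other than a 220 reply is therefore treated as an attack.
    Patched versions raise SMTPResponseException themselves; the explicit
    check is harmless there and protects older interpreters.
    """
    code, _ = conn.ehlo()
    if code != 250:
        raise StartTLSStripped("EHLO rejected with %d" % code)
    if not conn.has_extn("starttls"):
        # A MITM can also strip the STARTTLS keyword from the EHLO reply.
        raise StartTLSStripped("server did not advertise STARTTLS")
    code, reply = conn.starttls(context=context)
    if code != 220:
        raise StartTLSStripped("STARTTLS refused: %d %r" % (code, reply))
    # RFC 3207: discard pre-TLS EHLO data and re-issue EHLO over the TLS channel.
    code, _ = conn.ehlo()
    if code != 250:
        raise StartTLSStripped("EHLO after STARTTLS rejected with %d" % code)
    return True


def secure_session(host, port=587, timeout=30):
    """Open a real SMTP session to host and upgrade it, failing closed."""
    context = ssl.create_default_context()  # verifies the server certificate
    conn = smtplib.SMTP(host, port, timeout=timeout)
    try:
        require_starttls(conn, context)
    except Exception:
        conn.close()
        raise
    return conn


class FakeSMTPSession(object):
    """Constructed stand-in for smtplib.SMTP; no network connection is made.

    starttls_code is the reply the server (or a MITM) gives to STARTTLS.
    """

    def __init__(self, starttls_code, advertise=True):
        self.starttls_code = starttls_code
        self.advertise = advertise
        self.tls_active = False

    def ehlo(self):
        banner = b"mail.example.invalid\nSTARTTLS" if self.advertise else b"mail.example.invalid"
        return (250, banner)

    def has_extn(self, name):
        return self.advertise and name.lower() == "starttls"

    def starttls(self, context=None):
        if self.starttls_code == 220:
            self.tls_active = True
            return (220, b"2.0.0 Ready to start TLS")
        # What an unpatched smtplib hands back: the failure code, no exception.
        return (self.starttls_code, b"TLS not available due to temporary reason")


if __name__ == "__main__":
    print(require_starttls(FakeSMTPSession(220)))
    try:
        require_starttls(FakeSMTPSession(454))
    except StartTLSStripped as exc:
        print("blocked:", exc)
```

Passing an `ssl.create_default_context()` matters as much as the 220 check: without certificate verification a MITM can simply let the upgrade succeed and terminate TLS itself.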
9886
9887  <vuln vid="e7028e1d-3f9b-11e6-81f9-6805ca0b3d42">
9888    <topic>phpMyAdmin -- multiple vulnerabilities</topic>
9889    <affects>
9890      <package>
9891	<name>phpmyadmin</name>
9892	<range><ge>4.6.0</ge><lt>4.6.3</lt></range>
9893      </package>
9894    </affects>
9895    <description>
9896      <body xmlns="http://www.w3.org/1999/xhtml">
9897	<p>Please reference CVE/URL list for details</p>
9898      </body>
9899    </description>
9900    <references>
9901      <url>https://www.phpmyadmin.net/security/PMASA-2016-17/</url>
9902      <url>https://www.phpmyadmin.net/security/PMASA-2016-18/</url>
9903      <url>https://www.phpmyadmin.net/security/PMASA-2016-19/</url>
9904      <url>https://www.phpmyadmin.net/security/PMASA-2016-20/</url>
9905      <url>https://www.phpmyadmin.net/security/PMASA-2016-21/</url>
9906      <url>https://www.phpmyadmin.net/security/PMASA-2016-22/</url>
9907      <url>https://www.phpmyadmin.net/security/PMASA-2016-23/</url>
9908      <url>https://www.phpmyadmin.net/security/PMASA-2016-24/</url>
9909      <url>https://www.phpmyadmin.net/security/PMASA-2016-25/</url>
9910      <url>https://www.phpmyadmin.net/security/PMASA-2016-26/</url>
9911      <url>https://www.phpmyadmin.net/security/PMASA-2016-27/</url>
9912      <url>https://www.phpmyadmin.net/security/PMASA-2016-28/</url>
9913      <cvename>CVE-2016-5701</cvename>
9914      <cvename>CVE-2016-5702</cvename>
9915      <cvename>CVE-2016-5703</cvename>
9916      <cvename>CVE-2016-5704</cvename>
9917      <cvename>CVE-2016-5705</cvename>
9918      <cvename>CVE-2016-5706</cvename>
9919      <cvename>CVE-2016-5730</cvename>
9920      <cvename>CVE-2016-5731</cvename>
9921      <cvename>CVE-2016-5732</cvename>
9922      <cvename>CVE-2016-5733</cvename>
9923      <cvename>CVE-2016-5734</cvename>
9924      <cvename>CVE-2016-5739</cvename>
9925    </references>
9926    <dates>
9927      <discovery>2016-06-23</discovery>
9928      <entry>2016-07-01</entry>
9929    </dates>
9930  </vuln>
9931
9932  <vuln vid="f1c219ba-3f14-11e6-b3c8-14dae9d210b8">
9933    <topic>haproxy -- denial of service</topic>
9934    <affects>
9935      <package>
9936	<name>haproxy</name>
9937	<range><ge>1.6.0</ge><lt>1.6.5_1</lt></range>
9938      </package>
9939    </affects>
9940    <description>
9941      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>HAProxy reports:</p>
9943	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/06/09/5">
9944	  <p>HAproxy 1.6.x before 1.6.6, when a deny comes from a
9945	    reqdeny rule, allows remote attackers to cause a denial of service
9946	    (uninitialized memory access and crash) or possibly have unspecified
9947	    other impact via unknown vectors.</p>
9948	</blockquote>
9949      </body>
9950    </description>
9951    <references>
9952      <url>http://www.openwall.com/lists/oss-security/2016/06/09/5</url>
9953      <cvename>CVE-2016-5360</cvename>
9954    </references>
9955    <dates>
9956      <discovery>2016-06-09</discovery>
9957      <entry>2016-06-30</entry>
9958    </dates>
9959  </vuln>
9960
9961  <vuln vid="093584f2-3f14-11e6-b3c8-14dae9d210b8">
9962    <topic>libtorrent-rasterbar -- denial of service</topic>
9963    <affects>
9964      <package>
9965	<name>libtorrent-rasterbar</name>
9966	<range><lt>1.1.1</lt></range>
9967      </package>
9968    </affects>
9969    <description>
9970      <body xmlns="http://www.w3.org/1999/xhtml">
9971	<p>Brandon Perry reports:</p>
9972	<blockquote cite="https://github.com/arvidn/libtorrent/issues/780">
9973	  <p>The parse_chunk_header function in libtorrent before 1.1.1
9974	    allows remote attackers to cause a denial of service (crash) via a
9975	    crafted (1) HTTP response or possibly a (2) UPnP broadcast.</p>
9976	</blockquote>
9977      </body>
9978    </description>
9979    <references>
9980      <url>https://github.com/arvidn/libtorrent/issues/780</url>
9981      <cvename>CVE-2016-5301</cvename>
9982    </references>
9983    <dates>
9984      <discovery>2016-06-03</discovery>
9985      <entry>2016-06-30</entry>
9986    </dates>
9987  </vuln>
9988
9989  <vuln vid="ff76f0e0-3f11-11e6-b3c8-14dae9d210b8">
9990    <topic>expat2 -- denial of service</topic>
9991    <affects>
9992      <package>
9993	<name>expat</name>
9994	<range><lt>2.1.1_2</lt></range>
9995      </package>
9996    </affects>
9997    <description>
9998      <body xmlns="http://www.w3.org/1999/xhtml">
9999	<p>Adam Maris reports:</p>
10000	<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=1344251">
10001	  <p>It was found that original patch for issues CVE-2015-1283
10002	    and CVE-2015-2716 used overflow checks that could be optimized out by
10003	    some compilers applying certain optimization settings, which can cause
10004	    the vulnerability to remain even after applying the patch.</p>
10005	</blockquote>
10006      </body>
10007    </description>
10008    <references>
10009      <url>https://bugzilla.redhat.com/show_bug.cgi?id=1344251</url>
10010      <cvename>CVE-2016-4472</cvename>
10011    </references>
10012    <dates>
10013      <discovery>2016-06-09</discovery>
10014      <entry>2016-06-30</entry>
10015      <modified>2016-11-30</modified>
10016    </dates>
10017  </vuln>
10018
10019  <vuln vid="875e4cf8-3f0e-11e6-b3c8-14dae9d210b8">
10020    <topic>dnsmasq -- denial of service</topic>
10021    <affects>
10022      <package>
10023	<name>dnsmasq</name>
10024	<range><lt>2.76,1</lt></range>
10025      </package>
10026      <package>
10027	<name>dnsmasq-devel</name>
10028	<range><lt>2.76.0test1</lt></range>
10029      </package>
10030    </affects>
10031    <description>
10032      <body xmlns="http://www.w3.org/1999/xhtml">
10033	<p> reports:</p>
10034	<blockquote cite="http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html">
10035	  <p>Dnsmasq before 2.76 allows remote servers to cause a denial
10036	    of service (crash) via a reply with an empty DNS address that has an (1)
10037	    A or (2) AAAA record defined locally.</p>
10038	</blockquote>
10039      </body>
10040    </description>
10041    <references>
10042      <url>http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html</url>
10043      <url>http://www.openwall.com/lists/oss-security/2016/06/03/7</url>
10044      <cvename>CVE-2015-8899</cvename>
10045    </references>
10046    <dates>
10047      <discovery>2016-04-18</discovery>
10048      <entry>2016-06-30</entry>
10049      <modified>2016-06-30</modified>
10050    </dates>
10051  </vuln>
10052
10053  <vuln vid="a61374fc-3a4d-11e6-a671-60a44ce6887b">
10054    <topic>Python -- HTTP Header Injection in Python urllib</topic>
10055    <affects>
10056      <package>
10057	<name>python27</name>
10058	<range><lt>2.7.10</lt></range>
10059      </package>
10060      <package>
10061	<name>python33</name>
10062	<range><ge>0</ge></range>
10063      </package>
10064      <package>
10065	<name>python34</name>
10066	<range><lt>3.4.4</lt></range>
10067      </package>
10068      <package>
10069	<name>python35</name>
10070	<range><lt>3.5.0</lt></range>
10071      </package>
10072    </affects>
10073    <description>
10074      <body xmlns="http://www.w3.org/1999/xhtml">
10075	<p>Guido Vranken reports:</p>
10076	<blockquote cite="https://bugs.python.org/issue22928">
	  <p>HTTP header injection in urllib2/urllib/httplib/http.client with
10078	     newlines in header values, where newlines have a semantic consequence of
10079	     denoting the start of an additional header line.</p>
10080	</blockquote>
10081      </body>
10082    </description>
10083    <references>
10084      <url>https://bugs.python.org/issue22928</url>
10085      <url>http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html</url>
10086      <url>http://www.openwall.com/lists/oss-security/2016/06/14/7</url>
10087      <cvename>CVE-2016-5699</cvename>
10088    </references>
10089    <dates>
10090      <discovery>2014-11-24</discovery>
10091      <entry>2016-06-30</entry>
10092      <modified>2016-07-04</modified>
10093    </dates>
10094  </vuln>
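The bug report above describes the mechanism in one sentence; the following added example (not code from the VuXML entry or from CPython) makes it concrete. `naive_serialize` builds a header block the way an unpatched client effectively did, so a CR/LF inside a value becomes a second header as seen by the server; `safe_header_value` is the check to apply when building requests by hand or on an unpatched interpreter; `http_client_rejects` confirms, without any network I/O, that the interpreter's own `http.client.putheader` refuses such a value. The `X-Token` value is constructed attacker input.

```python
import http.client

CRLF = "\r\n"


def naive_serialize(headers):
    """Build a header block the way an unpatched client effectively did:
    values are interpolated verbatim, so CR/LF inside a value ends the header
    line early and whatever follows is parsed by the server as more headers
    (or, after a blank line, as the start of a second request)."""
    return "".join("%s: %s%s" % (name, value, CRLF) for name, value in headers) + CRLF


def parse_header_block(block):
    """Minimal lenient server-side view: split on LF, tolerate a stray CR,
    stop at the blank line, return (name, value) pairs in wire order."""
    pairs = []
    for line in block.split("\n"):
        line = line.rstrip("\r")
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def safe_header_value(value):
    """Reject any value that could terminate the header line.

    This mirrors the validation patched http.client performs in putheader();
    use it in code that assembles requests itself or runs on an older interpreter.
    """
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value: %r" % (value,))
    return value


def http_client_rejects(value):
    """True if this interpreter's http.client refuses the value.

    No connection is made: putrequest()/putheader() only fill an internal
    buffer until endheaders() is called, so this is safe to run offline.
    """
    conn = http.client.HTTPConnection("example.invalid")
    conn.putrequest("GET", "/")
    try:
        conn.putheader("X-Token", value)
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    # Constructed attacker-controlled value: ends the X-Token line and adds a header.
    token = "abc" + CRLF + "X-Forwarded-For: 127.0.0.1"
    wire = naive_serialize([("Host", "example.invalid"), ("X-Token", token)])
    print(repr(wire))
    print(parse_header_block(wire))
    print("http.client rejects it:", http_client_rejects(token))
```

The server-side view is what turns a single "bad character" into cache poisoning, trust-header spoofing (`X-Forwarded-For` above) or request smuggling: any header the application injects from user input without the CR/LF check is an injection point.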
10095
10096  <vuln vid="0ca24682-3f03-11e6-b3c8-14dae9d210b8">
10097    <topic>openssl -- denial of service</topic>
10098    <affects>
10099      <package>
10100	<name>openssl</name>
10101	<range><lt>1.0.2_14</lt></range>
10102      </package>
10103    </affects>
10104    <description>
10105      <body xmlns="http://www.w3.org/1999/xhtml">
10106	<p>Mitre reports:</p>
10107	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177">
10108	  <p>OpenSSL through 1.0.2h incorrectly uses pointer arithmetic
10109	    for heap-buffer boundary checks, which might allow remote attackers to
10110	    cause a denial of service (integer overflow and application crash) or
10111	    possibly have unspecified other impact by leveraging unexpected malloc
10112	    behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.</p>
10113	</blockquote>
10114      </body>
10115    </description>
10116    <references>
10117      <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177</url>
      <url>https://bugzilla.redhat.com/show_bug.cgi?id=1341705</url>
10119      <url>https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/</url>
10120      <cvename>CVE-2016-2177</cvename>
10121    </references>
10122    <dates>
10123      <discovery>2016-06-01</discovery>
10124      <entry>2016-06-30</entry>
10125    </dates>
10126  </vuln>
10127
10128  <vuln vid="cbceeb49-3bc7-11e6-8e82-002590263bf5">
10129    <topic>Apache Commons FileUpload -- denial of service (DoS) vulnerability</topic>
10130    <affects>
10131      <package>
10132	<name>tomcat7</name>
10133	<range><lt>7.0.70</lt></range>
10134      </package>
10135      <package>
10136	<name>tomcat8</name>
10137	<range><lt>8.0.36</lt></range>
10138      </package>
10139      <package>
10140	<name>apache-struts</name>
10141	<range><lt>2.5.2</lt></range>
10142      </package>
10143    </affects>
10144    <description>
10145      <body xmlns="http://www.w3.org/1999/xhtml">
10146	<p>Mark Thomas reports:</p>
10147	<blockquote cite="http://mail-archives.apache.org/mod_mbox/tomcat-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832%40apache.org%3E">
10148	  <p>CVE-2016-3092 is a denial of service vulnerability that has been
10149	    corrected in the Apache Commons FileUpload component. It occurred
10150	    when the length of the multipart boundary was just below the size of
10151	    the buffer (4096 bytes) used to read the uploaded file. This caused
10152	    the file upload process to take several orders of magnitude longer
10153	    than if the boundary length was the typical tens of bytes.</p>
10154	</blockquote>
10155      </body>
10156    </description>
10157    <references>
10158      <cvename>CVE-2016-3092</cvename>
10159      <freebsdpr>ports/209669</freebsdpr>
10160      <url>http://tomcat.apache.org/security-7.html</url>
10161      <url>http://tomcat.apache.org/security-8.html</url>
10162      <url>http://mail-archives.apache.org/mod_mbox/tomcat-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832%40apache.org%3E</url>
10163      <url>http://jvn.jp/en/jp/JVN89379547/index.html</url>
10164    </references>
10165    <dates>
10166      <discovery>2016-06-20</discovery>
10167      <entry>2016-06-26</entry>
10168      <modified>2017-08-10</modified>
10169    </dates>
10170  </vuln>
10171
10172  <vuln vid="bfcc23b6-3b27-11e6-8e82-002590263bf5">
10173    <topic>wordpress -- multiple vulnerabilities</topic>
10174    <affects>
10175      <package>
10176	<name>wordpress</name>
10177	<range><lt>4.5.3,1</lt></range>
10178      </package>
10179      <package>
10180	<name>de-wordpress</name>
10181	<name>ja-wordpress</name>
10182	<name>ru-wordpress</name>
10183	<name>zh-wordpress-zh_CN</name>
10184	<name>zh-wordpress-zh_TW</name>
10185	<range><lt>4.5.3</lt></range>
10186      </package>
10187    </affects>
10188    <description>
10189      <body xmlns="http://www.w3.org/1999/xhtml">
10190	<p>Adam Silverstein reports:</p>
10191	<blockquote cite="https://wordpress.org/news/2016/06/wordpress-4-5-3/">
10192	  <p>WordPress 4.5.3 is now available. This is a security release for
10193	    all previous versions and we strongly encourage you to update your
10194	    sites immediately.</p>
10195	  <p>WordPress versions 4.5.2 and earlier are affected by several
10196	    security issues: redirect bypass in the customizer, reported by
10197	    Yassine Aboukir; two different XSS problems via attachment names,
	    reported by Jouko Pynnönen and Divyesh Prajapati; revision history
10199	    information disclosure, reported independently by John Blackbourn
10200	    from the WordPress security team and by Dan Moen from the Wordfence
10201	    Research Team; oEmbed denial of service reported by Jennifer Dodd
10202	    from Automattic; unauthorized category removal from a post, reported
10203	    by David Herrera from Alley Interactive; password change via stolen
10204	    cookie, reported by Michael Adams from the WordPress security team;
10205	    and some less secure sanitize_file_name edge cases reported by Peter
10206	    Westwood of the WordPress security team.</p>
10207	</blockquote>
10208      </body>
10209    </description>
10210    <references>
10211      <cvename>CVE-2016-5832</cvename>
10212      <cvename>CVE-2016-5833</cvename>
10213      <cvename>CVE-2016-5834</cvename>
10214      <cvename>CVE-2016-5835</cvename>
10215      <cvename>CVE-2016-5836</cvename>
10216      <cvename>CVE-2016-5837</cvename>
10217      <cvename>CVE-2016-5838</cvename>
10218      <cvename>CVE-2016-5839</cvename>
10219      <freebsdpr>ports/210480</freebsdpr>
10220      <freebsdpr>ports/210581</freebsdpr>
10221      <url>https://wordpress.org/news/2016/06/wordpress-4-5-3/</url>
10222      <url>http://www.openwall.com/lists/oss-security/2016/06/23/9</url>
10223    </references>
10224    <dates>
10225      <discovery>2016-06-18</discovery>
10226      <entry>2016-06-25</entry>
10227    </dates>
10228  </vuln>
10229
10230  <vuln vid="66d77c58-3b1d-11e6-8e82-002590263bf5">
10231    <topic>php -- multiple vulnerabilities</topic>
10232    <affects>
10233      <package>
10234	<name>php55</name>
10235	<name>php55-gd</name>
10236	<name>php55-mbstring</name>
10237	<name>php55-wddx</name>
10238	<name>php55-zip</name>
10239	<range><lt>5.5.37</lt></range>
10240      </package>
10241      <package>
10242	<name>php56</name>
10243	<name>php56-gd</name>
10244	<name>php56-mbstring</name>
10245	<name>php56-phar</name>
10246	<name>php56-wddx</name>
10247	<name>php56-zip</name>
10248	<range><lt>5.6.23</lt></range>
10249      </package>
10250      <package>
10251	<name>php70</name>
10252	<name>php70-gd</name>
10253	<name>php70-mbstring</name>
10254	<name>php70-phar</name>
10255	<name>php70-wddx</name>
10256	<name>php70-zip</name>
10257	<range><lt>7.0.8</lt></range>
10258      </package>
10259    </affects>
10260    <description>
10261      <body xmlns="http://www.w3.org/1999/xhtml">
10262	<p>The PHP Group reports:</p>
10263	<blockquote cite="http://php.net/ChangeLog-5.php#5.5.37">
10264	  <p>Please reference CVE/URL list for details</p>
10265	</blockquote>
10266      </body>
10267    </description>
10268    <references>
10269      <cvename>CVE-2015-8874</cvename>
10270      <cvename>CVE-2016-5766</cvename>
10271      <cvename>CVE-2016-5767</cvename>
10272      <cvename>CVE-2016-5768</cvename>
10273      <cvename>CVE-2016-5769</cvename>
10274      <cvename>CVE-2016-5770</cvename>
10275      <cvename>CVE-2016-5771</cvename>
10276      <cvename>CVE-2016-5772</cvename>
10277      <cvename>CVE-2016-5773</cvename>
10278      <freebsdpr>ports/210491</freebsdpr>
10279      <freebsdpr>ports/210502</freebsdpr>
10280      <url>http://php.net/ChangeLog-5.php#5.5.37</url>
10281      <url>http://php.net/ChangeLog-5.php#5.6.23</url>
10282      <url>http://php.net/ChangeLog-7.php#7.0.8</url>
10283    </references>
10284    <dates>
10285      <discovery>2016-06-23</discovery>
10286      <entry>2016-06-25</entry>
10287    </dates>
10288  </vuln>
10289
10290  <vuln vid="4a0d9b53-395d-11e6-b3c8-14dae9d210b8">
10291    <topic>libarchive -- multiple vulnerabilities</topic>
10292    <affects>
10293      <package>
10294	<name>libarchive</name>
10295	<range><lt>3.2.1,1</lt></range>
10296      </package>
10297    </affects>
10298    <description>
10299      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Hanno Böck and Cisco Talos report:</p>
10301	<blockquote cite="http://openwall.com/lists/oss-security/2016/06/23/6">
10302	  <ul>
10303	  <li><p>Out of bounds heap read in RAR parser</p></li>
10304	  <li><p>Signed integer overflow in ISO parser</p></li>
10305	  <li><p>TALOS-2016-0152 [CVE-2016-4300]: 7-Zip
10306	    read_SubStreamsInfo Integer Overflow</p></li>
10307	  <li><p>TALOS-2016-0153 [CVE-2016-4301]: mtree parse_device Stack
10308	    Based Buffer Overflow</p></li>
10309	  <li><p>TALOS-2016-0154 [CVE-2016-4302]: Libarchive Rar RestartModel
10310	    Heap Overflow</p></li>
10311	  </ul>
10312	</blockquote>
10313      </body>
10314    </description>
10315    <references>
10316      <url>http://openwall.com/lists/oss-security/2016/06/23/6</url>
10317      <url>https://github.com/libarchive/libarchive/issues/521</url>
10318      <url>https://github.com/libarchive/libarchive/issues/717#event-697151157</url>
10319      <url>http://blog.talosintel.com/2016/06/the-poisoned-archives.html</url>
10320      <cvename>CVE-2015-8934</cvename>
10321      <cvename>CVE-2016-4300</cvename>
10322      <cvename>CVE-2016-4301</cvename>
10323      <cvename>CVE-2016-4302</cvename>
10324    </references>
10325    <dates>
10326      <discovery>2016-06-23</discovery>
10327      <entry>2016-06-23</entry>
10328    </dates>
10329  </vuln>
10330
10331  <vuln vid="22775cdd-395a-11e6-b3c8-14dae9d210b8">
10332    <topic>piwik -- XSS vulnerability</topic>
10333    <affects>
10334      <package>
10335	<name>piwik</name>
10336	<range><lt>2.16.1</lt></range>
10337      </package>
10338    </affects>
10339    <description>
10340      <body xmlns="http://www.w3.org/1999/xhtml">
10341	<p>Piwik reports:</p>
10342	<blockquote cite="http://piwik.org/changelog/piwik-2-16-1/">
10343	  <p>The Piwik Security team is grateful for the responsible
10344	    disclosures by our security researchers: Egidio Romano (granted a
10345	    critical security bounty), James Kettle and Paweł Bartunek (XSS) and
10346	    Emanuel Bronshtein (limited XSS).</p>
10347	</blockquote>
10348      </body>
10349    </description>
10350    <references>
10351      <url>http://piwik.org/changelog/piwik-2-16-1/</url>
10352    </references>
10353    <dates>
10354      <discovery>2016-04-11</discovery>
10355      <entry>2016-06-23</entry>
10356    </dates>
10357  </vuln>
10358
10359  <vuln vid="6df56c60-3738-11e6-a671-60a44ce6887b">
10360    <topic>wget -- HTTP to FTP redirection file name confusion vulnerability</topic>
10361    <affects>
10362      <package>
10363	<name>wget</name>
10364	<range><lt>1.18</lt></range>
10365      </package>
10366    </affects>
10367    <description>
10368      <body xmlns="http://www.w3.org/1999/xhtml">
10369	<p>Giuseppe Scrivano reports:</p>
10370	<blockquote cite="http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html">
10371	  <p>On a server redirect from HTTP to a FTP resource, wget would trust the
10372	    HTTP server and uses the name in the redirected URL as the destination
10373	    filename.</p>
10374	</blockquote>
10375      </body>
10376    </description>
10377    <references>
10378      <url>http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html</url>
10379      <cvename>CVE-2016-4971</cvename>
10380    </references>
10381    <dates>
10382      <discovery>2016-06-09</discovery>
10383      <entry>2016-06-21</entry>
10384    </dates>
10385  </vuln>
10386
10387  <vuln vid="1a2aa04f-3718-11e6-b3c8-14dae9d210b8">
10388    <topic>libxslt -- Denial of Service</topic>
10389    <affects>
10390      <package>
10391	<name>libxslt</name>
10392	<range><lt>1.1.29</lt></range>
10393      </package>
10394    </affects>
10395    <description>
10396      <body xmlns="http://www.w3.org/1999/xhtml">
10397	<p>Google reports:</p>
10398	<blockquote cite="http://seclists.org/bugtraq/2016/Jun/81">
10399	  <ul>
10400	    <li>[583156] Medium CVE-2016-1683: Out-of-bounds access in libxslt.
10401	      Credit to Nicolas Gregoire.</li>
10402	    <li>[583171] Medium CVE-2016-1684: Integer overflow in libxslt.
10403	      Credit to Nicolas Gregoire.</li>
10404	  </ul>
10405	</blockquote>
10406      </body>
10407    </description>
10408    <references>
10409      <url>http://googlechromereleases.blogspot.com/2016/05/stable-channel-update_25.html</url>
10410      <cvename>CVE-2016-1683</cvename>
10411      <cvename>CVE-2016-1684</cvename>
10412    </references>
10413    <dates>
10414      <discovery>2016-05-25</discovery>
10415      <entry>2016-06-20</entry>
10416    </dates>
10417  </vuln>
10418
10419  <vuln vid="0e3dfdde-35c4-11e6-8e82-002590263bf5">
10420    <topic>flash -- multiple vulnerabilities</topic>
10421    <affects>
10422      <package>
10423	<name>linux-c6-flashplugin</name>
10424	<name>linux-c6_64-flashplugin</name>
10425	<name>linux-f10-flashplugin</name>
10426	<range><lt>11.2r202.626</lt></range>
10427      </package>
10428    </affects>
10429    <description>
10430      <body xmlns="http://www.w3.org/1999/xhtml">
10431	<p>Adobe reports:</p>
10432	<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-18.html">
10433	  <p>These updates resolve type confusion vulnerabilities that could
10434	    lead to code execution (CVE-2016-4144, CVE-2016-4149).</p>
10435	  <p>These updates resolve use-after-free vulnerabilities that could
10436	    lead to code execution (CVE-2016-4142, CVE-2016-4143, CVE-2016-4145,
10437	    CVE-2016-4146, CVE-2016-4147, CVE-2016-4148).</p>
10438	  <p>These updates resolve heap buffer overflow vulnerabilities that
10439	    could lead to code execution (CVE-2016-4135, CVE-2016-4136,
10440	    CVE-2016-4138).</p>
10441	  <p>These updates resolve memory corruption vulnerabilities that could
10442	    lead to code execution (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124,
10443	    CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129,
10444	    CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133,
10445	    CVE-2016-4134, CVE-2016-4137, CVE-2016-4141, CVE-2016-4150,
10446	    CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154,
10447	    CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171).</p>
10448	  <p>These updates resolve a vulnerability in the directory search path
10449	    used to find resources that could lead to code execution
10450	    (CVE-2016-4140).</p>
10451	  <p>These updates resolve a vulnerability that could be exploited to
10452	    bypass the same-origin-policy and lead to information disclosure
10453	    (CVE-2016-4139).</p>
10454	</blockquote>
10455      </body>
10456    </description>
10457    <references>
10458      <cvename>CVE-2016-4122</cvename>
10459      <cvename>CVE-2016-4123</cvename>
10460      <cvename>CVE-2016-4124</cvename>
10461      <cvename>CVE-2016-4125</cvename>
10462      <cvename>CVE-2016-4127</cvename>
10463      <cvename>CVE-2016-4128</cvename>
10464      <cvename>CVE-2016-4129</cvename>
10465      <cvename>CVE-2016-4130</cvename>
10466      <cvename>CVE-2016-4131</cvename>
10467      <cvename>CVE-2016-4132</cvename>
10468      <cvename>CVE-2016-4133</cvename>
10469      <cvename>CVE-2016-4134</cvename>
10470      <cvename>CVE-2016-4135</cvename>
10471      <cvename>CVE-2016-4136</cvename>
10472      <cvename>CVE-2016-4137</cvename>
10473      <cvename>CVE-2016-4138</cvename>
10474      <cvename>CVE-2016-4139</cvename>
10475      <cvename>CVE-2016-4140</cvename>
10476      <cvename>CVE-2016-4141</cvename>
10477      <cvename>CVE-2016-4142</cvename>
10478      <cvename>CVE-2016-4143</cvename>
10479      <cvename>CVE-2016-4144</cvename>
10480      <cvename>CVE-2016-4145</cvename>
10481      <cvename>CVE-2016-4146</cvename>
10482      <cvename>CVE-2016-4147</cvename>
10483      <cvename>CVE-2016-4148</cvename>
10484      <cvename>CVE-2016-4149</cvename>
10485      <cvename>CVE-2016-4150</cvename>
10486      <cvename>CVE-2016-4151</cvename>
10487      <cvename>CVE-2016-4152</cvename>
10488      <cvename>CVE-2016-4153</cvename>
10489      <cvename>CVE-2016-4154</cvename>
10490      <cvename>CVE-2016-4155</cvename>
10491      <cvename>CVE-2016-4156</cvename>
10492      <cvename>CVE-2016-4166</cvename>
10493      <cvename>CVE-2016-4171</cvename>
10494      <url>https://helpx.adobe.com/security/products/flash-player/apsb16-18.html</url>
10495    </references>
10496    <dates>
10497      <discovery>2016-06-16</discovery>
10498      <entry>2016-06-19</entry>
10499    </dates>
10500  </vuln>
10501
10502  <vuln vid="0c6b008d-35c4-11e6-8e82-002590263bf5">
10503    <topic>flash -- multiple vulnerabilities</topic>
10504    <affects>
10505      <package>
10506	<name>linux-c6-flashplugin</name>
10507	<name>linux-c6_64-flashplugin</name>
10508	<name>linux-f10-flashplugin</name>
10509	<range><lt>11.2r202.621</lt></range>
10510      </package>
10511    </affects>
10512    <description>
10513      <body xmlns="http://www.w3.org/1999/xhtml">
10514	<p>Adobe reports:</p>
10515	<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-15.html">
10516	  <p>These updates resolve type confusion vulnerabilities that could
10517	    lead to code execution (CVE-2016-1105, CVE-2016-4117).</p>
10518	  <p>These updates resolve use-after-free vulnerabilities that could
10519	    lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107,
10520	    CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108,
10521	    CVE-2016-4110, CVE-2016-4121).</p>
10522	  <p>These updates resolve a heap buffer overflow vulnerability that
10523	    could lead to code execution (CVE-2016-1101).</p>
10524	  <p>These updates resolve a buffer overflow vulnerability that could
10525	    lead to code execution (CVE-2016-1103).</p>
10526	  <p>These updates resolve memory corruption vulnerabilities that could
10527	    lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099,
10528	    CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109,
10529	    CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114,
10530	    CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161,
10531	    CVE-2016-4162, CVE-2016-4163).</p>
10532	  <p>These updates resolve a vulnerability in the directory search path
10533	    used to find resources that could lead to code execution
10534	    (CVE-2016-4116).</p>
10535	</blockquote>
10536      </body>
10537    </description>
10538    <references>
10539      <cvename>CVE-2016-1096</cvename>
10540      <cvename>CVE-2016-1097</cvename>
10541      <cvename>CVE-2016-1098</cvename>
10542      <cvename>CVE-2016-1099</cvename>
10543      <cvename>CVE-2016-1100</cvename>
10544      <cvename>CVE-2016-1101</cvename>
10545      <cvename>CVE-2016-1102</cvename>
10546      <cvename>CVE-2016-1103</cvename>
10547      <cvename>CVE-2016-1104</cvename>
10548      <cvename>CVE-2016-1105</cvename>
10549      <cvename>CVE-2016-1106</cvename>
10550      <cvename>CVE-2016-1107</cvename>
10551      <cvename>CVE-2016-1108</cvename>
10552      <cvename>CVE-2016-1109</cvename>
10553      <cvename>CVE-2016-1110</cvename>
10554      <cvename>CVE-2016-4108</cvename>
10555      <cvename>CVE-2016-4109</cvename>
10556      <cvename>CVE-2016-4110</cvename>
10557      <cvename>CVE-2016-4111</cvename>
10558      <cvename>CVE-2016-4112</cvename>
10559      <cvename>CVE-2016-4113</cvename>
10560      <cvename>CVE-2016-4114</cvename>
10561      <cvename>CVE-2016-4115</cvename>
10562      <cvename>CVE-2016-4116</cvename>
10563      <cvename>CVE-2016-4117</cvename>
10564      <cvename>CVE-2016-4120</cvename>
10565      <cvename>CVE-2016-4121</cvename>
10566      <cvename>CVE-2016-4160</cvename>
10567      <cvename>CVE-2016-4161</cvename>
10568      <cvename>CVE-2016-4162</cvename>
10569      <cvename>CVE-2016-4163</cvename>
10570      <url>https://helpx.adobe.com/security/products/flash-player/apsb16-15.html</url>
10571    </references>
10572    <dates>
10573      <discovery>2016-05-12</discovery>
10574      <entry>2016-06-19</entry>
10575    </dates>
10576  </vuln>
10577
10578  <vuln vid="07888b49-35c4-11e6-8e82-002590263bf5">
10579    <topic>flash -- multiple vulnerabilities</topic>
10580    <affects>
10581      <package>
10582	<name>linux-c6-flashplugin</name>
10583	<name>linux-c6_64-flashplugin</name>
10584	<name>linux-f10-flashplugin</name>
10585	<range><lt>11.2r202.616</lt></range>
10586      </package>
10587    </affects>
10588    <description>
10589      <body xmlns="http://www.w3.org/1999/xhtml">
10590	<p>Adobe reports:</p>
10591	<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-10.html">
10592	  <p>These updates harden a mitigation against JIT spraying attacks that
10593	    could be used to bypass memory layout randomization mitigations
10594	    (CVE-2016-1006).</p>
10595	  <p>These updates resolve type confusion vulnerabilities that could
10596	    lead to code execution (CVE-2016-1015, CVE-2016-1019).</p>
10597	  <p>These updates resolve use-after-free vulnerabilities that could
10598	    lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016,
10599	    CVE-2016-1017, CVE-2016-1031).</p>
10600	  <p>These updates resolve memory corruption vulnerabilities that could
10601	    lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021,
10602	    CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025,
10603	    CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029,
10604	    CVE-2016-1032, CVE-2016-1033).</p>
10605	  <p>These updates resolve a stack overflow vulnerability that could
10606	    lead to code execution (CVE-2016-1018).</p>
10607	  <p>These updates resolve a security bypass vulnerability
10608	    (CVE-2016-1030).</p>
10609	  <p>These updates resolve a vulnerability in the directory search path
10610	    used to find resources that could lead to code execution
10611	    (CVE-2016-1014).</p>
10612	</blockquote>
10613      </body>
10614    </description>
10615    <references>
10616      <cvename>CVE-2016-1006</cvename>
10617      <cvename>CVE-2016-1011</cvename>
10618      <cvename>CVE-2016-1012</cvename>
10619      <cvename>CVE-2016-1013</cvename>
10620      <cvename>CVE-2016-1014</cvename>
10621      <cvename>CVE-2016-1015</cvename>
10622      <cvename>CVE-2016-1016</cvename>
10623      <cvename>CVE-2016-1017</cvename>
10624      <cvename>CVE-2016-1018</cvename>
10625      <cvename>CVE-2016-1019</cvename>
10626      <cvename>CVE-2016-1020</cvename>
10627      <cvename>CVE-2016-1021</cvename>
10628      <cvename>CVE-2016-1022</cvename>
10629      <cvename>CVE-2016-1023</cvename>
10630      <cvename>CVE-2016-1024</cvename>
10631      <cvename>CVE-2016-1025</cvename>
10632      <cvename>CVE-2016-1026</cvename>
10633      <cvename>CVE-2016-1027</cvename>
10634      <cvename>CVE-2016-1028</cvename>
10635      <cvename>CVE-2016-1029</cvename>
10636      <cvename>CVE-2016-1030</cvename>
10637      <cvename>CVE-2016-1031</cvename>
10638      <cvename>CVE-2016-1032</cvename>
10639      <cvename>CVE-2016-1033</cvename>
10640      <url>https://helpx.adobe.com/security/products/flash-player/apsb16-10.html</url>
10641    </references>
10642    <dates>
10643      <discovery>2016-04-07</discovery>
10644      <entry>2016-06-19</entry>
10645    </dates>
10646  </vuln>
10647
10648  <vuln vid="d59ebed4-34be-11e6-be25-3065ec8fd3ec">
10649    <topic>chromium -- multiple vulnerabilities</topic>
10650    <affects>
10651      <package>
10652	<name>chromium</name>
10653	<name>chromium-npapi</name>
10654	<name>chromium-pulse</name>
10655	<range><lt>51.0.2704.103</lt></range>
10656      </package>
10657    </affects>
10658    <description>
10659      <body xmlns="http://www.w3.org/1999/xhtml">
10660	<p>Google Chrome Releases reports:</p>
10661	<blockquote cite="https://googlechromereleases.blogspot.nl/2016/06/stable-channel-update_16.html">
10662	  <p>3 security fixes in this release, including:</p>
10663	  <ul>
10664	    <li>[620742] CVE-2016-1704: Various fixes from internal audits,
10665	      fuzzing and other initiatives.</li>
10666	  </ul>
10667	</blockquote>
10668      </body>
10669    </description>
10670    <references>
10671      <cvename>CVE-2016-1704</cvename>
10672      <url>https://googlechromereleases.blogspot.nl/2016/06/stable-channel-update_16.html</url>
10673    </references>
10674    <dates>
10675      <discovery>2016-06-16</discovery>
10676      <entry>2016-06-17</entry>
10677    </dates>
10678  </vuln>
10679
10680  <vuln vid="1d0f6852-33d8-11e6-a671-60a44ce6887b">
10681    <topic>Python -- Integer overflow in zipimport module</topic>
10682    <affects>
10683      <package>
	<name>python35</name>
	<range><lt>3.5.1_3</lt></range>
      </package>
      <package>
	<name>python34</name>
	<range><lt>3.4.4_3</lt></range>
      </package>
      <package>
	<name>python33</name>
	<range><lt>3.3.6_5</lt></range>
      </package>
      <package>
	<name>python27</name>
	<range><lt>2.7.11_3</lt></range>
10699    </affects>
10700    <description>
10701      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Python reports:</p>
	<blockquote cite="http://bugs.python.org/issue26171">
	  <p>Possible integer overflow and heap corruption in
	    zipimporter.get_data()</p>
	</blockquote>
10707      </body>
10708    </description>
10709    <references>
10710      <url>http://bugs.python.org/issue26171</url>
10711      <cvename>CVE-2016-5636</cvename>
10712    </references>
10713    <dates>
10714      <discovery>2016-01-21</discovery>
10715      <entry>2016-06-17</entry>
10716    </dates>
10717  </vuln>
10718
10719  <vuln vid="7932548e-3427-11e6-8e82-002590263bf5">
10720    <topic>drupal -- multiple vulnerabilities</topic>
10721    <affects>
10722      <package>
10723	<name>drupal7</name>
10724	<range><lt>7.44</lt></range>
10725      </package>
10726      <package>
10727	<name>drupal8</name>
10728	<range><lt>8.1.3</lt></range>
10729      </package>
10730    </affects>
10731    <description>
10732      <body xmlns="http://www.w3.org/1999/xhtml">
10733	<p>Drupal Security Team reports:</p>
10734	<blockquote cite="https://www.drupal.org/SA-CORE-2016-002">
10735	  <ul>
10736	  <li><p>Saving user accounts can sometimes grant the user all roles
10737	    (User module - Drupal 7 - Moderately Critical)</p></li>
10738	  <li><p>Views can allow unauthorized users to see Statistics
10739	    information (Views module - Drupal 8 - Less Critical)</p></li>
10740	  </ul>
10741	</blockquote>
10742      </body>
10743    </description>
10744    <references>
10745      <cvename>CVE-2016-6211</cvename>
10746      <cvename>CVE-2016-6212</cvename>
10747      <url>https://www.drupal.org/SA-CORE-2016-002</url>
10748      <url>http://www.openwall.com/lists/oss-security/2016/07/13/7</url>
10749    </references>
10750    <dates>
10751      <discovery>2016-06-15</discovery>
10752      <entry>2016-06-17</entry>
10753      <modified>2016-07-16</modified>
10754    </dates>
10755  </vuln>
10756
10757  <vuln vid="ac0900df-31d0-11e6-8e82-002590263bf5">
10758    <topic>botan -- multiple vulnerabilities</topic>
10759    <affects>
10760      <package>
10761	<name>botan110</name>
10762	<range><lt>1.10.13</lt></range>
10763      </package>
10764    </affects>
10765    <description>
10766      <body xmlns="http://www.w3.org/1999/xhtml">
10767	<p>Jack Lloyd reports:</p>
10768	<blockquote cite="https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html">
10769	  <p>Botan 1.10.13 has been released backporting some side channel
10770	    protections for ECDSA signatures (CVE-2016-2849) and PKCS #1 RSA
10771	    decryption (CVE-2015-7827).</p>
10772	</blockquote>
10773      </body>
10774    </description>
10775    <references>
10776      <cvename>CVE-2016-2849</cvename>
10777      <cvename>CVE-2015-7827</cvename>
10778      <url>https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html</url>
10779    </references>
10780    <dates>
10781      <discovery>2016-04-28</discovery>
10782      <entry>2016-06-14</entry>
10783    </dates>
10784  </vuln>
10785
10786  <vuln vid="f771880c-31cf-11e6-8e82-002590263bf5">
10787    <topic>botan -- cryptographic vulnerability</topic>
10788    <affects>
10789      <package>
10790	<name>botan110</name>
10791	<range><lt>1.10.8</lt></range>
10792      </package>
10793    </affects>
10794    <description>
10795      <body xmlns="http://www.w3.org/1999/xhtml">
10796	<p>MITRE reports:</p>
10797	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9742">
10798	  <p>The Miller-Rabin primality check in Botan before 1.10.8 and 1.11.x
10799	    before 1.11.9 improperly uses a single random base, which makes it
10800	    easier for remote attackers to defeat cryptographic protection
10801	    mechanisms via a DH group.</p>
10802	</blockquote>
10803      </body>
10804    </description>
10805    <references>
10806      <cvename>CVE-2014-9742</cvename>
10807    </references>
10808    <dates>
10809      <discovery>2014-04-11</discovery>
10810      <entry>2016-06-14</entry>
10811    </dates>
10812  </vuln>
10813
10814  <vuln vid="6d402857-2fba-11e6-9f31-5404a68ad561">
10815    <topic>VLC -- Possibly remote code execution via crafted file</topic>
10816    <affects>
10817      <package>
10818	<name>vlc</name>
10819	<range><lt>2.2.4,4</lt></range>
10820      </package>
10821      <package>
10822	<name>vlc-qt4</name>
10823	<range><lt>2.2.4,4</lt></range>
10824      </package>
10825    </affects>
10826    <description>
10827      <body xmlns="http://www.w3.org/1999/xhtml">
10828	<p>The VLC project reports:</p>
10829	<blockquote cite="https://www.videolan.org/developers/vlc-branch/NEWS">
10830	  <p>Fix out-of-bound write in adpcm QT IMA codec (CVE-2016-5108)</p>
10831	</blockquote>
10832      </body>
10833    </description>
10834    <references>
10835      <cvename>CVE-2016-5108</cvename>
10836    </references>
10837    <dates>
10838      <discovery>2016-05-25</discovery>
10839      <entry>2016-06-11</entry>
10840    </dates>
10841  </vuln>
10842
10843  <vuln vid="97e86d10-2ea7-11e6-ae88-002590263bf5">
10844    <topic>roundcube -- XSS vulnerability</topic>
10845    <affects>
10846      <package>
10847	<name>roundcube</name>
10848	<range><lt>1.1.5_1,1</lt></range>
10849      </package>
10850    </affects>
10851    <description>
10852      <body xmlns="http://www.w3.org/1999/xhtml">
10853	<p>Roundcube reports:</p>
10854	<blockquote cite="https://github.com/roundcube/roundcubemail/wiki/Changelog">
10855	  <p>Fix XSS issue in href attribute on area tag (#5240).</p>
10856	</blockquote>
10857      </body>
10858    </description>
10859    <references>
10860      <cvename>CVE-2016-5103</cvename>
10861      <freebsdpr>ports/209841</freebsdpr>
10862      <url>https://github.com/roundcube/roundcubemail/issues/5240</url>
10863      <url>http://seclists.org/oss-sec/2016/q2/414</url>
10864    </references>
10865    <dates>
10866      <discovery>2016-05-06</discovery>
10867      <entry>2016-06-10</entry>
10868    </dates>
10869  </vuln>
10870
10871  <vuln vid="6f0529e2-2e82-11e6-b2ec-b499baebfeaf">
10872    <topic>OpenSSL -- vulnerability in DSA signing</topic>
10873    <affects>
10874      <package>
10875	<name>openssl</name>
10876	<range><lt>1.0.2_13</lt></range>
10877      </package>
10878      <package>
10879	<name>libressl</name>
10880	<range><lt>2.2.9</lt></range>
10881	<range><ge>2.3.0</ge><lt>2.3.6</lt></range>
10882      </package>
10883      <package>
10884	<name>libressl-devel</name>
10885	<range><lt>2.4.1</lt></range>
10886      </package>
10887    </affects>
10888    <description>
10889      <body xmlns="http://www.w3.org/1999/xhtml">
10890	<p>The OpenSSL team reports:</p>
10891	<blockquote cite="https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2">
10892	  <p>Operations in the DSA signing algorithm should run in constant time
10893	    in order to avoid side channel attacks. A flaw in the OpenSSL DSA
10894	    implementation means that a non-constant time codepath is followed for
10895	    certain operations. This has been demonstrated through a cache-timing
10896	    attack to be sufficient for an attacker to recover the private DSA key.
10897	  </p>
10898	</blockquote>
10899      </body>
10900    </description>
10901    <references>
10902      <url>https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2</url>
10903      <cvename>CVE-2016-2178</cvename>
10904    </references>
10905    <dates>
10906      <discovery>2016-06-09</discovery>
10907      <entry>2016-06-09</entry>
10908      <modified>2016-12-20</modified>
10909    </dates>
10910  </vuln>
10911
10912  <vuln vid="c9c252f5-2def-11e6-ae88-002590263bf5">
10913    <topic>expat -- multiple vulnerabilities</topic>
10914    <affects>
10915      <package>
10916	<name>expat</name>
10917	<range><lt>2.1.1_1</lt></range>
10918      </package>
10919    </affects>
10920    <description>
10921      <body xmlns="http://www.w3.org/1999/xhtml">
10922	<p>Sebastian Pipping reports:</p>
10923	<blockquote cite="https://sourceforge.net/p/expat/code_git/ci/07cc2fcacf81b32b2e06aa918df51756525240c0/">
10924	  <p>CVE-2012-6702 -- Resolve troublesome internal call to srand that
10925	    was introduced with Expat 2.1.0 when addressing CVE-2012-0876
10926	    (issue #496)</p>
10927	  <p>CVE-2016-5300 -- Use more entropy for hash initialization than the
10928	    original fix to CVE-2012-0876.</p>
10929	</blockquote>
10930      </body>
10931    </description>
10932    <references>
10933      <cvename>CVE-2012-6702</cvename>
10934      <cvename>CVE-2016-5300</cvename>
10935      <freebsdpr>ports/210155</freebsdpr>
10936      <url>https://sourceforge.net/p/expat/code_git/ci/07cc2fcacf81b32b2e06aa918df51756525240c0/</url>
10937      <url>http://www.openwall.com/lists/oss-security/2016/03/18/3</url>
10938    </references>
10939    <dates>
10940      <discovery>2016-03-18</discovery>
10941      <entry>2016-06-09</entry>
10942      <modified>2016-11-06</modified>
10943    </dates>
10944  </vuln>
10945
10946  <vuln vid="d6bbf2d8-2cfc-11e6-800b-080027468580">
10947    <topic>iperf3 -- buffer overflow</topic>
10948    <affects>
10949      <package>
10950	<name>iperf3</name>
10951	<range><ge>3.1</ge><lt>3.1.3</lt></range>
10952	<range><ge>3.0</ge><lt>3.0.12</lt></range>
10953      </package>
10954    </affects>
10955    <description>
10956      <body xmlns="http://www.w3.org/1999/xhtml">
10957	<p>ESnet reports:</p>
10958	<blockquote cite="https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc">
10959	  <p>A malicious process can connect to an iperf3 server and,
10960	    by sending a malformed message on the control channel,
10961	    corrupt the server process's heap area.  This can lead to a
10962	    crash (and a denial of service), or theoretically a remote
10963	    code execution as the user running the iperf3 server.  A
10964	    malicious iperf3 server could potentially mount a similar
10965	    attack on an iperf3 client.
10966	  </p>
10967	</blockquote>
10968      </body>
10969    </description>
10970    <references>
10971      <cvename>CVE-2016-4303</cvename>
10972      <url>https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc</url>
10973    </references>
10974    <dates>
10975      <discovery>2016-06-08</discovery>
10976      <entry>2016-06-08</entry>
10977    </dates>
10978  </vuln>
10979
10980  <vuln vid="9c196cfd-2ccc-11e6-94b0-0011d823eebd">
10981    <topic>gnutls -- file overwrite by setuid programs</topic>
10982    <affects>
10983      <package>
10984	<name>gnutls</name>
10985	<range><ge>3.4.12</ge><lt>3.4.13</lt></range>
10986      </package>
10987    </affects>
10988    <description>
10989      <body xmlns="http://www.w3.org/1999/xhtml">
10990	<p>gnutls.org reports:</p>
10991	<blockquote cite="https://gnutls.org/security.html#GNUTLS-SA-2016-1">
10992	  <p>Setuid programs using GnuTLS 3.4.12 could potentially allow an
10993	    attacker to overwrite and corrupt arbitrary files in the
10994	    filesystem.</p>
10995	</blockquote>
10996      </body>
10997    </description>
10998    <references>
10999      <url>https://gnutls.org/security.html#GNUTLS-SA-2016-1</url>
11000    </references>
11001    <dates>
11002      <discovery>2016-06-06</discovery>
11003      <entry>2016-06-07</entry>
11004    </dates>
11005  </vuln>
11006
11007  <vuln vid="32166082-53fa-41fa-b081-207e7a989a0a">
11008    <topic>NSS -- multiple vulnerabilities</topic>
11009    <affects>
11010      <package>
11011	<name>nss</name>
11012	<range><lt>3.23</lt></range>
11013      </package>
11014      <package>
11015	<name>linux-c6-nss</name>
11016	<name>linux-c7-nss</name>
11017	<range><lt>3.21.3</lt></range>
11018      </package>
11019      <package>
11020	<name>linux-seamonkey</name>
11021	<range><lt>2.44</lt></range>
11022      </package>
11023    </affects>
11024    <description>
11025      <body xmlns="http://www.w3.org/1999/xhtml">
11026	<p>Mozilla Foundation reports:</p>
11027	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-61/">
11028	  <p>Mozilla has updated the version of Network Security
11029	    Services (NSS) library used in Firefox to NSS 3.23. This
11030	    addresses four moderate rated networking security issues
11031	    reported by Mozilla engineers Tyson Smith and Jed Davis.</p>
11032	</blockquote>
11033      </body>
11034    </description>
11035    <references>
11036      <cvename>CVE-2016-2834</cvename>
11037      <url>https://www.mozilla.org/security/advisories/mfsa2016-61/</url>
11038      <url>https://hg.mozilla.org/projects/nss/rev/1ba7cd83c672</url>
11039      <url>https://hg.mozilla.org/projects/nss/rev/8d78a5ae260a</url>
11040      <url>https://hg.mozilla.org/projects/nss/rev/5fde729fdbff</url>
11041      <url>https://hg.mozilla.org/projects/nss/rev/329932eb1700</url>
11042    </references>
11043    <dates>
11044      <discovery>2016-06-07</discovery>
11045      <entry>2016-06-07</entry>
11046      <modified>2016-11-23</modified>
11047    </dates>
11048  </vuln>
11049
11050  <vuln vid="8065d37b-8e7c-4707-a608-1b0a2b8509c3">
11051    <topic>mozilla -- multiple vulnerabilities</topic>
11052    <affects>
11053      <package>
11054	<name>firefox</name>
11055	<range><lt>47.0,1</lt></range>
11056      </package>
11057      <package>
11058	<name>seamonkey</name>
11059	<name>linux-seamonkey</name>
11060	<range><lt>2.44</lt></range>
11061      </package>
11062      <package>
11063	<name>firefox-esr</name>
11064	<range><lt>45.2.0,1</lt></range>
11065      </package>
11066      <package>
11067	<name>linux-firefox</name>
11068	<range><lt>45.2.0,2</lt></range>
11069      </package>
11070      <package>
11071	<name>libxul</name>
11072	<name>thunderbird</name>
11073	<name>linux-thunderbird</name>
11074	<range><lt>45.2.0</lt></range>
11075      </package>
11076    </affects>
11077    <description>
11078      <body xmlns="http://www.w3.org/1999/xhtml">
11079	<p>Mozilla Foundation reports:</p>
11080	<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox47">
11081	<p>MFSA 2016-49 Miscellaneous memory safety hazards (rv:47.0 /
11082	  rv:45.2)</p>
11083	<p>MFSA 2016-50 Buffer overflow parsing HTML5 fragments</p>
11084	<p>MFSA 2016-51 Use-after-free deleting tables from a
11085	  contenteditable document</p>
	<p>MFSA 2016-52 Addressbar spoofing through the SELECT element</p>
11087	<p>MFSA 2016-54 Partial same-origin-policy through setting
11088	  location.host through data URI</p>
11089	<p>MFSA 2016-56 Use-after-free when textures are used in WebGL
11090	  operations after recycle pool destruction</p>
11091	<p>MFSA 2016-57 Incorrect icon displayed on permissions
11092	  notifications</p>
11093	<p>MFSA 2016-58 Entering fullscreen and persistent pointerlock
11094	  without user permission</p>
11095	<p>MFSA 2016-59 Information disclosure of disabled plugins
11096	  through CSS pseudo-classes</p>
11097	<p>MFSA 2016-60 Java applets bypass CSP protections</p>
11098	</blockquote>
11099      </body>
11100    </description>
11101    <references>
11102      <cvename>CVE-2016-2815</cvename>
11103      <cvename>CVE-2016-2818</cvename>
11104      <cvename>CVE-2016-2819</cvename>
11105      <cvename>CVE-2016-2821</cvename>
11106      <cvename>CVE-2016-2822</cvename>
11107      <cvename>CVE-2016-2825</cvename>
11108      <cvename>CVE-2016-2828</cvename>
11109      <cvename>CVE-2016-2829</cvename>
11110      <cvename>CVE-2016-2831</cvename>
11111      <cvename>CVE-2016-2832</cvename>
11112      <cvename>CVE-2016-2833</cvename>
11113      <url>https://www.mozilla.org/security/advisories/mfsa2016-49/</url>
11114      <url>https://www.mozilla.org/security/advisories/mfsa2016-50/</url>
11115      <url>https://www.mozilla.org/security/advisories/mfsa2016-51/</url>
11116      <url>https://www.mozilla.org/security/advisories/mfsa2016-52/</url>
11117      <url>https://www.mozilla.org/security/advisories/mfsa2016-54/</url>
11118      <url>https://www.mozilla.org/security/advisories/mfsa2016-56/</url>
11119      <url>https://www.mozilla.org/security/advisories/mfsa2016-57/</url>
11120      <url>https://www.mozilla.org/security/advisories/mfsa2016-58/</url>
11121      <url>https://www.mozilla.org/security/advisories/mfsa2016-59/</url>
11122      <url>https://www.mozilla.org/security/advisories/mfsa2016-60/</url>
11123    </references>
11124    <dates>
11125      <discovery>2016-06-07</discovery>
11126      <entry>2016-06-07</entry>
11127    </dates>
11128  </vuln>
11129
11130  <vuln vid="c039a761-2c29-11e6-8912-3065ec8fd3ec">
11131    <topic>chromium -- multiple vulnerabilities</topic>
11132    <affects>
11133      <package>
11134	<name>chromium</name>
11135	<name>chromium-npapi</name>
11136	<name>chromium-pulse</name>
11137	<range><lt>51.0.2704.79</lt></range>
11138      </package>
11139    </affects>
11140    <description>
11141      <body xmlns="http://www.w3.org/1999/xhtml">
11142	<p>Google Chrome Releases reports:</p>
11143	<blockquote cite="http://googlechromereleases.blogspot.nl/2016/06/stable-channel-update.html">
11144	  <p>15 security fixes in this release, including:</p>
11145	  <ul>
	    <li>[601073] High CVE-2016-1696: Cross-origin bypass in Extension
	      bindings. Credit to anonymous.</li>
11148	    <li>[613266] High CVE-2016-1697: Cross-origin bypass in Blink.
11149	      Credit to Mariusz Mlynski.</li>
11150	    <li>[603725] Medium CVE-2016-1698: Information leak in Extension
11151	      bindings. Credit to Rob Wu.</li>
11152	    <li>[607939] Medium CVE-2016-1699: Parameter sanitization failure
11153	      in DevTools. Credit to Gregory Panakkal.</li>
11154	    <li>[608104] Medium CVE-2016-1700: Use-after-free in Extensions.
11155	      Credit to Rob Wu.</li>
11156	    <li>[608101] Medium CVE-2016-1701: Use-after-free in Autofill.
11157	      Credit to Rob Wu.</li>
11158	    <li>[609260] Medium CVE-2016-1702: Out-of-bounds read in Skia.
11159	      Credit to cloudfuzzer.</li>
11160	    <li>[616539] CVE-2016-1703: Various fixes from internal audits,
11161	      fuzzing and other initiatives.</li>
11162	  </ul>
11163	</blockquote>
11164      </body>
11165    </description>
11166    <references>
11167      <cvename>CVE-2016-1695</cvename>
11168      <cvename>CVE-2016-1696</cvename>
11169      <cvename>CVE-2016-1697</cvename>
11170      <cvename>CVE-2016-1698</cvename>
11171      <cvename>CVE-2016-1699</cvename>
11172      <cvename>CVE-2016-1700</cvename>
11173      <cvename>CVE-2016-1701</cvename>
11174      <cvename>CVE-2016-1702</cvename>
11175      <cvename>CVE-2016-1703</cvename>
11176      <url>http://googlechromereleases.blogspot.nl/2016/06/stable-channel-update.html</url>
11177    </references>
11178    <dates>
11179      <discovery>2016-06-01</discovery>
11180      <entry>2016-06-06</entry>
11181    </dates>
11182  </vuln>
11183
11184  <vuln vid="bcbd3fe0-2b46-11e6-ae88-002590263bf5">
11185    <topic>openafs -- multiple vulnerabilities</topic>
11186    <affects>
11187      <package>
11188	<name>openafs</name>
11189	<range><lt>1.6.17</lt></range>
11190      </package>
11191    </affects>
11192    <description>
11193      <body xmlns="http://www.w3.org/1999/xhtml">
11194	<p>The OpenAFS development team reports:</p>
11195	<blockquote cite="http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt">
11196	  <p>Foreign users can bypass access controls to create groups as
11197	    system:administrators, including in the user namespace and the
11198	    system: namespace.</p>
11199	</blockquote>
11200	<blockquote cite="http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt">
11201	  <p>The contents of uninitialized memory are sent on the wire when
11202	    clients perform certain RPCs.  Depending on the RPC, the information
11203	    leaked may come from kernel memory or userspace.</p>
11204	</blockquote>
11205      </body>
11206    </description>
11207    <references>
11208      <cvename>CVE-2016-2860</cvename>
11209      <cvename>CVE-2016-4536</cvename>
11210      <freebsdpr>ports/209534</freebsdpr>
11211      <url>http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt</url>
11212      <url>http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt</url>
11213    </references>
11214    <dates>
11215      <discovery>2016-03-16</discovery>
11216      <entry>2016-06-05</entry>
11217    </dates>
11218  </vuln>
11219
11220  <vuln vid="2e8fe57e-2b46-11e6-ae88-002590263bf5">
11221    <topic>openafs -- local DoS vulnerability</topic>
11222    <affects>
11223      <package>
11224	<name>openafs</name>
11225	<range><lt>1.6.16</lt></range>
11226      </package>
11227    </affects>
11228    <description>
11229      <body xmlns="http://www.w3.org/1999/xhtml">
11230	<p>The OpenAFS development team reports:</p>
11231	<blockquote cite="https://www.openafs.org/dl/1.6.16/RELNOTES-1.6.16">
11232	  <p>Avoid a potential denial of service issue, by fixing a bug in
11233	    pioctl logic that allowed a local user to overrun a kernel buffer
11234	    with a single NUL byte.</p>
11235	</blockquote>
11236      </body>
11237    </description>
11238    <references>
11239      <cvename>CVE-2015-8312</cvename>
11240      <url>https://www.openafs.org/dl/1.6.16/RELNOTES-1.6.16</url>
11241    </references>
11242    <dates>
11243      <discovery>2016-03-16</discovery>
11244      <entry>2016-06-05</entry>
11245    </dates>
11246  </vuln>
11247
11248  <vuln vid="0297b260-2b3b-11e6-ae88-002590263bf5">
11249    <topic>ikiwiki -- XSS vulnerability</topic>
11250    <affects>
11251      <package>
11252	<name>ikiwiki</name>
11253	<range><lt>3.20160509</lt></range>
11254      </package>
11255    </affects>
11256    <description>
11257      <body xmlns="http://www.w3.org/1999/xhtml">
11258	<p>Mitre reports:</p>
11259	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4561">
11260	  <p>Cross-site scripting (XSS) vulnerability in the cgierror function
11261	    in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers
11262	    to inject arbitrary web script or HTML via unspecified vectors
11263	    involving an error message.</p>
11264	</blockquote>
11265      </body>
11266    </description>
11267    <references>
11268      <cvename>CVE-2016-4561</cvename>
11269      <freebsdpr>ports/209593</freebsdpr>
11270    </references>
11271    <dates>
11272      <discovery>2016-05-04</discovery>
11273      <entry>2016-06-05</entry>
11274    </dates>
11275  </vuln>
11276
11277  <vuln vid="65bb1858-27de-11e6-b714-74d02b9a84d5">
11278    <topic>h2o -- use after free on premature connection close</topic>
11279    <affects>
11280      <package>
11281	<name>h2o</name>
11282	<range><lt>1.7.3</lt></range>
11283      </package>
11284    </affects>
11285    <description>
11286      <body xmlns="http://www.w3.org/1999/xhtml">
11287	<p>Tim Newsha reports:</p>
11288	<blockquote cite="http://h2o.examp1e.net/vulnerabilities.html">
11289	  <p>When H2O tries to disconnect a premature HTTP/2 connection, it
11290	    calls free(3) to release memory allocated for the connection and
11291	    immediately after then touches the memory. No malloc-related
11292	    operation is performed by the same thread between the time it calls
11293	    free and the time the memory is touched. Fixed by Frederik
11294	    Deweerdt.</p>
11295	</blockquote>
11296      </body>
11297    </description>
11298    <references>
11299      <url>https://h2o.examp1e.net/vulnerabilities.html</url>
11300    </references>
11301    <dates>
11302      <discovery>2016-05-17</discovery>
11303      <entry>2016-06-01</entry>
11304    </dates>
11305  </vuln>
11306
11307  <vuln vid="36cf7670-2774-11e6-af29-f0def16c5c1b">
11308    <topic>nginx -- a specially crafted request might result in worker process crash</topic>
11309    <affects>
11310      <package>
11311	<name>nginx</name>
11312	<range><ge>1.4.0</ge><lt>1.8.1_3,2</lt></range>
11313	<range><ge>1.10.0,2</ge><lt>1.10.1,2</lt></range>
11314      </package>
11315      <package>
11316	<name>nginx-devel</name>
11317	<range><ge>1.3.9</ge><lt>1.9.15_1</lt></range>
11318	<range><ge>1.10.0</ge><lt>1.11.1</lt></range>
11319      </package>
11320    </affects>
11321    <description>
11322      <body xmlns="http://www.w3.org/1999/xhtml">
11323	<p>Maxim Dounin reports:</p>
11324	<blockquote cite="http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html">
11325	  <p>A problem was identified in nginx code responsible for saving
11326	    client request body to a temporary file.  A specially crafted
11327	    request might result in worker process crash due to a NULL
11328	    pointer dereference while writing client request body to a
11329	    temporary file.</p>
11330	</blockquote>
11331      </body>
11332    </description>
11333    <references>
11334      <url>http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html</url>
11335      <cvename>CVE-2016-4450</cvename>
11336    </references>
11337    <dates>
11338      <discovery>2016-05-31</discovery>
11339      <entry>2016-05-31</entry>
11340      <modified>2016-06-05</modified>
11341    </dates>
11342  </vuln>
11343
11344  <vuln vid="6167b341-250c-11e6-a6fb-003048f2e514">
11345    <topic>cacti -- multiple vulnerabilities</topic>
11346    <affects>
11347      <package>
11348	<name>cacti</name>
11349	<range><lt>0.8.8h</lt></range>
11350      </package>
11351    </affects>
11352    <description>
11353      <body xmlns="http://www.w3.org/1999/xhtml">
11354	<p>The Cacti Group, Inc. reports:</p>
11355	<blockquote cite="http://www.cacti.net/release_notes_0_8_8h.php">
11356	  <p>Changelog</p>
11357	  <ul>
11358	    <li>bug:0002667: Cacti SQL Injection Vulnerability</li>
11359	    <li>bug:0002673: CVE-2016-3659 - Cacti graph_view.php SQL Injection
11360	     Vulnerability</li>
11361	    <li>bug:0002656: Authentication using web authentication as a user
11362	     not in the cacti database allows complete access (regression)</li>
11363	  </ul>
11364	</blockquote>
11365      </body>
11366    </description>
11367    <references>
11368      <cvename>CVE-2016-3659</cvename>
11369      <url>http://www.cacti.net/release_notes_0_8_8h.php</url>
11370      <url>http://bugs.cacti.net/view.php?id=2673</url>
11371      <url>http://seclists.org/fulldisclosure/2016/Apr/4</url>
11372      <url>http://packetstormsecurity.com/files/136547/Cacti-0.8.8g-SQL-Injection.html</url>
11373    </references>
11374    <dates>
11375      <discovery>2016-04-04</discovery>
11376      <entry>2016-05-28</entry>
11377    </dates>
11378  </vuln>
11379
11380  <vuln vid="b53bbf58-257f-11e6-9f4d-20cf30e32f6d">
11381    <topic>openvswitch -- MPLS buffer overflow</topic>
11382    <affects>
11383      <package>
11384	<name>openvswitch</name>
11385	<range><ge>2.2.0</ge><lt>2.3.3</lt></range>
11386	<range><ge>2.4.0</ge><lt>2.4.1</lt></range>
11387      </package>
11388    </affects>
11389    <description>
11390      <body xmlns="http://www.w3.org/1999/xhtml">
11391	<p>Open vSwitch reports:</p>
11392	<blockquote cite="http://openvswitch.org/pipermail/announce/2016-March/000082.html">
11393	  <p>Multiple versions of Open vSwitch are vulnerable to remote buffer
11394	    overflow attacks, in which crafted MPLS packets could overflow the
11395	    buffer reserved for MPLS labels in an OVS internal data structure.
11396	    The MPLS packets that trigger the vulnerability and the potential for
11397	    exploitation vary depending on version:</p>
	  <p>Open vSwitch 2.1.x and earlier are not vulnerable.</p>
	  <p>In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be
	    exploited for arbitrary remote code execution.</p>
	  <p>In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead
	    to a remote code execution exploit, but testing shows that it can allow a
	    remote denial of service.  See the mitigation section for details.</p>
	  <p>Open vSwitch 2.5.x is not vulnerable.</p>
11405	</blockquote>
11406      </body>
11407    </description>
11408    <references>
11409      <cvename>CVE-2016-2074</cvename>
11410      <url>http://openvswitch.org/pipermail/announce/2016-March/000082.html</url>
11411      <url>http://openvswitch.org/pipermail/announce/2016-March/000083.html</url>
11412    </references>
11413    <dates>
11414      <discovery>2016-03-28</discovery>
11415      <entry>2016-05-29</entry>
11416      <modified>2016-07-03</modified>
11417    </dates>
11418  </vuln>
11419
11420  <vuln vid="1a6bbb95-24b8-11e6-bd31-3065ec8fd3ec">
11421    <topic>chromium -- multiple vulnerabilities</topic>
11422    <affects>
11423      <package>
11424	<name>chromium</name>
11425	<name>chromium-npapi</name>
11426	<name>chromium-pulse</name>
11427	<range><lt>51.0.2704.63</lt></range>
11428      </package>
11429    </affects>
11430    <description>
11431      <body xmlns="http://www.w3.org/1999/xhtml">
11432	<p>Google Chrome Releases reports:</p>
11433	<blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html">
11434	  <p>42 security fixes in this release</p>
11435	  <p>Please reference CVE/URL list for details</p>
11436	</blockquote>
11437      </body>
11438    </description>
11439    <references>
11440      <cvename>CVE-2016-1672</cvename>
11441      <cvename>CVE-2016-1673</cvename>
11442      <cvename>CVE-2016-1674</cvename>
11443      <cvename>CVE-2016-1675</cvename>
      <cvename>CVE-2016-1676</cvename>
11445      <cvename>CVE-2016-1677</cvename>
11446      <cvename>CVE-2016-1678</cvename>
11447      <cvename>CVE-2016-1679</cvename>
11448      <cvename>CVE-2016-1680</cvename>
11449      <cvename>CVE-2016-1681</cvename>
11450      <cvename>CVE-2016-1682</cvename>
11451      <cvename>CVE-2016-1685</cvename>
11452      <cvename>CVE-2016-1686</cvename>
11453      <cvename>CVE-2016-1687</cvename>
11454      <cvename>CVE-2016-1688</cvename>
11455      <cvename>CVE-2016-1689</cvename>
11456      <cvename>CVE-2016-1690</cvename>
11457      <cvename>CVE-2016-1691</cvename>
11458      <cvename>CVE-2016-1692</cvename>
11459      <cvename>CVE-2016-1693</cvename>
11460      <cvename>CVE-2016-1694</cvename>
11461      <cvename>CVE-2016-1695</cvename>
11462      <url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html</url>
11463    </references>
11464    <dates>
11465      <discovery>2016-05-25</discovery>
11466      <entry>2016-05-28</entry>
11467      <modified>2016-06-20</modified>
11468    </dates>
11469  </vuln>
11470
11471  <vuln vid="4dfafa16-24ba-11e6-bd31-3065ec8fd3ec">
11472    <topic>chromium -- multiple vulnerabilities</topic>
11473    <affects>
11474      <package>
11475	<name>chromium</name>
11476	<name>chromium-npapi</name>
11477	<name>chromium-pulse</name>
11478	<range><lt>50.0.2661.102</lt></range>
11479      </package>
11480    </affects>
11481    <description>
11482      <body xmlns="http://www.w3.org/1999/xhtml">
11483	<p>Google Chrome Releases reports:</p>
11484	<blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html">
11485	  <p>5 security fixes in this release, including:</p>
11486	  <ul>
11487	    <li>[605766] High CVE-2016-1667: Same origin bypass in DOM. Credit
11488	      to Mariusz Mlynski.</li>
11489	    <li>[605910] High CVE-2016-1668: Same origin bypass in Blink V8
11490	      bindings. Credit to Mariusz Mlynski.</li>
11491	    <li>[606115] High CVE-2016-1669: Buffer overflow in V8. Credit to
11492	      Choongwoo Han.</li>
11493	    <li>[578882] Medium CVE-2016-1670: Race condition in loader. Credit
11494	      to anonymous.</li>
11495	    <li>[586657] Medium CVE-2016-1671: Directory traversal using the
11496	      file scheme on Android. Credit to Jann Horn.</li>
11497	  </ul>
11498	</blockquote>
11499      </body>
11500    </description>
11501    <references>
11502      <cvename>CVE-2016-1667</cvename>
11503      <cvename>CVE-2016-1668</cvename>
11504      <cvename>CVE-2016-1669</cvename>
11505      <cvename>CVE-2016-1670</cvename>
11506      <cvename>CVE-2016-1671</cvename>
11507      <url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html</url>
11508    </references>
11509    <dates>
11510      <discovery>2016-05-11</discovery>
11511      <entry>2016-05-28</entry>
11512    </dates>
11513  </vuln>
11514
11515  <vuln vid="7da1da96-24bb-11e6-bd31-3065ec8fd3ec">
11516    <topic>chromium -- multiple vulnerabilities</topic>
11517    <affects>
11518      <package>
11519	<name>chromium</name>
11520	<name>chromium-npapi</name>
11521	<name>chromium-pulse</name>
11522	<range><lt>50.0.2661.94</lt></range>
11523      </package>
11524    </affects>
11525    <description>
11526      <body xmlns="http://www.w3.org/1999/xhtml">
11527	<p>Google Chrome Releases reports:</p>
11528	<blockquote cite="http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html">
11529	  <p>9 security fixes in this release, including:</p>
11530	  <ul>
11531	    <li>[574802] High CVE-2016-1660: Out-of-bounds write in Blink.
11532	     Credit to Atte Kettunen of OUSPG.</li>
11533	    <li>[601629] High CVE-2016-1661: Memory corruption in cross-process
11534	     frames. Credit to Wadih Matar.</li>
11535	    <li>[603732] High CVE-2016-1662: Use-after-free in extensions.
11536	     Credit to Rob Wu.</li>
11537	    <li>[603987] High CVE-2016-1663: Use-after-free in Blink's V8
11538	     bindings. Credit to anonymous.</li>
11539	    <li>[597322] Medium CVE-2016-1664: Address bar spoofing. Credit to
11540	     Wadih Matar.</li>
11541	    <li>[606181] Medium CVE-2016-1665: Information leak in V8. Credit
11542	     to HyungSeok Han.</li>
11543	    <li>[607652] CVE-2016-1666: Various fixes from internal audits,
11544	     fuzzing and other initiatives.</li>
11545	  </ul>
11546	</blockquote>
11547      </body>
11548    </description>
11549    <references>
11550      <cvename>CVE-2016-1660</cvename>
11551      <cvename>CVE-2016-1661</cvename>
11552      <cvename>CVE-2016-1662</cvename>
11553      <cvename>CVE-2016-1663</cvename>
11554      <cvename>CVE-2016-1664</cvename>
11555      <cvename>CVE-2016-1665</cvename>
11556      <cvename>CVE-2016-1666</cvename>
11557      <url>http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html</url>
11558    </references>
11559    <dates>
11560      <discovery>2016-04-28</discovery>
11561      <entry>2016-05-28</entry>
11562    </dates>
11563  </vuln>
11564
11565  <vuln vid="6b110175-246d-11e6-8dd3-002590263bf5">
11566    <topic>php -- multiple vulnerabilities</topic>
11567    <affects>
11568      <package>
11569	<name>php70-gd</name>
11570	<name>php70-intl</name>
11571	<range><lt>7.0.7</lt></range>
11572      </package>
11573      <package>
11574	<name>php56</name>
11575	<name>php56-gd</name>
11576	<range><lt>5.6.22</lt></range>
11577      </package>
11578      <package>
11579	<name>php55</name>
11580	<name>php55-gd</name>
11581	<name>php55-phar</name>
11582	<range><lt>5.5.36</lt></range>
11583      </package>
11584    </affects>
11585    <description>
11586      <body xmlns="http://www.w3.org/1999/xhtml">
11587	<p>The PHP Group reports:</p>
11588	<blockquote cite="http://php.net/ChangeLog-5.php#5.5.36">
11589	  <ul><li>Core:
11590	  <ul>
11591	    <li>Fixed bug #72114 (Integer underflow / arbitrary null write in
11592	      fread/gzread). (CVE-2016-5096) (PHP 5.5/5.6 only)</li>
11593	    <li>Fixed bug #72135 (Integer Overflow in php_html_entities).
11594	      (CVE-2016-5094) (PHP 5.5/5.6 only)</li>
11595	  </ul></li>
11596	  <li>GD:
11597	  <ul>
11598	    <li>Fixed bug #72227 (imagescale out-of-bounds read).
11599	      (CVE-2013-7456)</li>
11600	  </ul></li>
11601	  <li>Intl:
11602	  <ul>
11603	    <li>Fixed bug #72241 (get_icu_value_internal out-of-bounds read).
11604	      (CVE-2016-5093)</li>
11605	  </ul></li>
11606	  <li>Phar:
11607	  <ul>
11608	    <li>Fixed bug #71331 (Uninitialized pointer in
11609	      phar_make_dirstream()). (CVE-2016-4343) (PHP 5.5 only)</li>
11610	  </ul></li>
11611	  </ul>
11612	</blockquote>
11613      </body>
11614    </description>
11615    <references>
11616      <cvename>CVE-2016-5096</cvename>
11617      <cvename>CVE-2016-5094</cvename>
11618      <cvename>CVE-2013-7456</cvename>
11619      <cvename>CVE-2016-5093</cvename>
11620      <cvename>CVE-2016-4343</cvename>
11621      <freebsdpr>ports/209779</freebsdpr>
11622      <url>http://php.net/ChangeLog-7.php#7.0.7</url>
11623      <url>http://php.net/ChangeLog-5.php#5.6.22</url>
11624      <url>http://php.net/ChangeLog-5.php#5.5.36</url>
11625    </references>
11626    <dates>
11627      <discovery>2016-05-26</discovery>
11628      <entry>2016-05-28</entry>
11629    </dates>
11630  </vuln>
11631
11632  <vuln vid="00ec1be1-22bb-11e6-9ead-6805ca0b3d42">
11633    <topic>phpmyadmin -- XSS and sensitive data leakage</topic>
11634    <affects>
11635      <package>
11636	<name>phpmyadmin</name>
11637	<range><ge>4.6.0</ge><lt>4.6.2</lt></range>
11638      </package>
11639    </affects>
11640    <description>
11641      <body xmlns="http://www.w3.org/1999/xhtml">
11642	<p>The phpmyadmin development team reports:</p>
11643	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-14/">
11644	  <h2>Description</h2>
11645	  <p>Because user SQL queries are part of the URL, sensitive
11646	    information made as part of a user query can be exposed by
11647	    clicking on external links to attackers monitoring user GET
11648	    query parameters or included in the webserver logs.</p>
11649	  <h2>Severity</h2>
11650	  <p>We consider this to be non-critical.</p>
11651	</blockquote>
11652	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-16/">
11653	  <h2>Description</h2>
11654	  <p>A specially crafted attack could allow for special HTML
11655	    characters to be passed as URL encoded values and displayed
11656	    back as special characters in the page.</p>
11657	  <h2>Severity</h2>
11658	  <p>We consider this to be non-critical.</p>
11659	</blockquote>
11660      </body>
11661    </description>
11662    <references>
11663      <url>https://www.phpmyadmin.net/security/PMASA-2016-14/</url>
11664      <url>https://www.phpmyadmin.net/security/PMASA-2016-16/</url>
11665      <cvename>CVE-2016-5097</cvename>
11666      <cvename>CVE-2016-5099</cvename>
11667    </references>
11668    <dates>
11669      <discovery>2016-05-25</discovery>
11670      <entry>2016-05-25</entry>
11671      <modified>2016-05-26</modified>
11672    </dates>
11673  </vuln>
11674
11675  <vuln vid="b50f53ce-2151-11e6-8dd3-002590263bf5">
11676    <topic>mediawiki -- multiple vulnerabilities</topic>
11677    <affects>
11678      <package>
11679	<name>mediawiki123</name>
11680	<range><lt>1.23.14</lt></range>
11681      </package>
11682      <package>
11683	<name>mediawiki124</name>
11684	<range><le>1.24.6</le></range>
11685      </package>
11686      <package>
11687	<name>mediawiki125</name>
11688	<range><lt>1.25.6</lt></range>
11689      </package>
11690      <package>
11691	<name>mediawiki126</name>
11692	<range><lt>1.26.3</lt></range>
11693      </package>
11694    </affects>
11695    <description>
11696      <body xmlns="http://www.w3.org/1999/xhtml">
11697	<p>Mediawiki reports:</p>
11698	<blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html">
11699	  <p>Security fixes:</p>
11700	    <p>T122056: Old tokens are remaining valid within a new session</p>
11701	    <p>T127114: Login throttle can be tricked using non-canonicalized
11702	      usernames</p>
11703	    <p>T123653: Cross-domain policy regexp is too narrow</p>
11704	    <p>T123071: Incorrectly identifying http link in a's href
11705	      attributes, due to m modifier in regex</p>
11706	    <p>T129506: MediaWiki:Gadget-popups.js isn't renderable</p>
11707	    <p>T125283: Users occasionally logged in as different users after
11708	      SessionManager deployment</p>
11709	    <p>T103239: Patrol allows click catching and patrolling of any
11710	      page</p>
	    <p>T122807: [tracking] Check php crypto primitives</p>
11712	    <p>T98313: Graphs can leak tokens, leading to CSRF</p>
11713	    <p>T130947: Diff generation should use PoolCounter</p>
11714	    <p>T133507: Careless use of $wgExternalLinkTarget is insecure</p>
11715	    <p>T132874: API action=move is not rate limited</p>
11716	</blockquote>
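	<p>One item in the list above, T127114, is a login throttle keyed on the
	  raw username string, so every alternative spelling of the same account
	  gets its own counter. The Python below is an added example, not
	  MediaWiki code: it models a per-username failed-login throttle keyed
	  first on the raw string and then on a canonicalised form (NFKC,
	  underscore and whitespace normalisation, first letter upper-cased, an
	  approximation of title normalisation chosen for this example) and
	  counts how many guesses get through before the throttle fires. The
	  MAX_ATTEMPTS limit, the account name and the spellings are constructed
	  for the example.</p>
```python
import unicodedata
from collections import defaultdict

MAX_ATTEMPTS = 5  # constructed limit for this example, not MediaWiki's setting


def canonical_username(name):
    """Canonicalise a username before using it as a throttle key.

    Approximation of title normalisation chosen for this example: Unicode
    NFKC, underscores treated as spaces, surrounding whitespace stripped,
    runs of whitespace collapsed, first character upper-cased.
    """
    name = unicodedata.normalize("NFKC", name)
    name = " ".join(name.replace("_", " ").split())
    if name == "":
        return name
    return name[0].upper() + name[1:]


class LoginThrottle:
    """Counts failed logins per key; the key function is the whole point."""

    def __init__(self, key_function):
        self._key = key_function
        self._failures = defaultdict(int)

    def is_throttled(self, username):
        return self._failures[self._key(username)] >= MAX_ATTEMPTS

    def record_failure(self, username):
        self._failures[self._key(username)] += 1


def guesses_before_throttle(throttle, usernames):
    """Feed failed logins in order; return how many were accepted before
    the throttle refused one."""
    accepted = 0
    for username in usernames:
        if throttle.is_throttled(username):
            break
        throttle.record_failure(username)
        accepted += 1
    return accepted


def demo():
    """Constructed attack: the same account spelled six different ways,
    36 guesses cycling through the spellings. Returns the number of guesses
    let through with a raw-string key and with a canonicalised key."""
    target = "Alice Smith"
    spellings = [
        target,
        "alice Smith",          # first letter lower-cased
        "Alice_Smith",          # underscore for space
        "  Alice Smith  ",      # padding
        "Alice  Smith",         # doubled inner space
        "\uff21lice Smith",     # fullwidth 'A'; NFKC folds it to 'A'
    ]
    guesses = [spellings[i % len(spellings)] for i in range(36)]
    raw_keyed = guesses_before_throttle(LoginThrottle(lambda n: n), guesses)
    canonical_keyed = guesses_before_throttle(LoginThrottle(canonical_username), guesses)
    return raw_keyed, canonical_keyed


if __name__ == "__main__":
    print(demo())
```
	<p>With six spellings and a limit of five, the raw-keyed throttle lets
	  thirty guesses through before it first refuses one; the canonicalised
	  key stops the sixth. The canonicalisation has to be the same one the
	  login code uses to resolve the account, otherwise two spellings that
	  reach the same account can still reach different counters.</p>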
11717      </body>
11718    </description>
11719    <references>
11720      <url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html</url>
11721    </references>
11722    <dates>
11723      <discovery>2016-05-20</discovery>
11724      <entry>2016-05-24</entry>
11725    </dates>
11726  </vuln>
11727
11728  <vuln vid="967b852b-1e28-11e6-8dd3-002590263bf5">
11729    <topic>hostapd and wpa_supplicant -- psk configuration parameter update allowing arbitrary data to be written</topic>
11730    <affects>
11731      <package>
11732	<name>wpa_supplicant</name>
11733	<range><lt>2.5_2</lt></range>
11734      </package>
11735      <package>
11736	<name>hostapd</name>
11737	<range><lt>2.6</lt></range>
11738      </package>
11739    </affects>
11740    <description>
11741      <body xmlns="http://www.w3.org/1999/xhtml">
11742	<p>Jouni Malinen reports:</p>
11743	<blockquote cite="http://w1.fi/security/2016-1/psk-parameter-config-update.txt">
11744	  <p>psk configuration parameter update allowing arbitrary data to be
11745	    written (2016-1 - CVE-2016-4476/CVE-2016-4477).</p>
11746	</blockquote>
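	<p>The cited advisory describes the flaw as a passphrase update, arriving
	  through WPS or the local control interface, that is written into the
	  configuration file without checking it for control characters, so a
	  value containing a newline adds lines of the attacker's choosing to the
	  file. The Python below is an added example, not hostapd or
	  wpa_supplicant code: a simplified writer for one network block and a
	  minimal parser for it (both constructed for this example), an update
	  path that copies the value verbatim as the unfixed code did, and a
	  validating path that accepts only a 64-hex-digit raw PSK or an 8 to 63
	  character printable-ASCII passphrase with no control characters and no
	  double quote (the quote rule is specific to this example's quoted
	  format). The injected value and the bgscan line are constructed for the
	  example.</p>
```python
import re

HEX_PSK_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def write_network_block(ssid, psk):
    """Serialise one network block in a wpa_supplicant.conf-like layout
    (constructed for this example). The value is copied verbatim, which is
    the vulnerable behaviour: a newline in psk starts a new config line."""
    return 'network={\n\tssid="%s"\n\tpsk="%s"\n}\n' % (ssid, psk)


def parse_network_blocks(text):
    """Minimal line-oriented parser for the layout above (constructed for
    this example): one dict of key/value pairs per network={...} block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return blocks


def validate_psk(psk):
    """Accept a raw 64-hex-digit PSK, or an 8..63 character passphrase made
    only of printable ASCII (0x20..0x7e) with no double quote. Control
    characters, including newline, never pass, so nothing in the value can
    terminate the quoted field or start another line."""
    if HEX_PSK_RE.match(psk):
        return True
    if len(psk) not in range(8, 64):
        return False
    return all(ord(c) in range(0x20, 0x7f) and c != '"' for c in psk)


def update_psk(psk, ssid="corp-wifi", validate=True):
    """Config update path. With validate=False it behaves like the unfixed
    code; with validate=True a bad value is rejected before anything is
    written."""
    if validate and not validate_psk(psk):
        raise ValueError("psk rejected: control character, quote or bad length")
    return write_network_block(ssid, psk)


# Constructed attacker value: closes the quoted psk, then injects two
# further lines into the network block.
INJECTED_PSK = 'correct horse"\n\tpriority=99\n\tbgscan="simple:30:-70:300'


def demo():
    """Returns the sorted keys the parser sees in the block written by the
    unfixed path, and whether the validating path rejected the same value."""
    unchecked = parse_network_blocks(update_psk(INJECTED_PSK, validate=False))[0]
    try:
        update_psk(INJECTED_PSK)
        rejected = False
    except ValueError:
        rejected = True
    return sorted(unchecked), rejected


if __name__ == "__main__":
    print(demo())
```
	<p>The unfixed path turns one psk update into four settings in the
	  block; the validating path refuses the value before the file is
	  touched. Validating at the point where untrusted data enters (the
	  control interface or WPS handler) rather than at the writer is what
	  keeps a bad value out of memory as well as out of the file.</p>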
11747      </body>
11748    </description>
11749    <references>
11750      <cvename>CVE-2016-4476</cvename>
11751      <cvename>CVE-2016-4477</cvename>
11752      <freebsdpr>ports/209564</freebsdpr>
11753      <url>http://w1.fi/security/2016-1/psk-parameter-config-update.txt</url>
11754    </references>
11755    <dates>
11756      <discovery>2016-05-02</discovery>
11757      <entry>2016-05-20</entry>
11758      <modified>2017-03-22</modified>
11759    </dates>
11760  </vuln>
11761
11762  <vuln vid="57b3aba7-1e25-11e6-8dd3-002590263bf5">
11763    <topic>expat -- denial of service vulnerability on malformed input</topic>
11764    <affects>
11765      <package>
11766	<name>expat</name>
11767	<range><lt>2.1.1</lt></range>
11768      </package>
11769      <package>
11770	<name>linux-c6-expat</name>
11771	<range><lt>2.0.1_3</lt></range>
11772      </package>
11773      <package>
11774	<name>linux-c7-expat</name>
11775	<range><lt>2.1.0_1</lt></range>
11776      </package>
11777    </affects>
11778    <description>
11779      <body xmlns="http://www.w3.org/1999/xhtml">
11780	<p>Gustavo Grieco reports:</p>
11781	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/17/12">
11782	  <p>The Expat XML parser mishandles certain kinds of malformed input
11783	    documents, resulting in buffer overflows during processing and error
11784	    reporting. The overflows can manifest as a segmentation fault or as
11785	    memory corruption during a parse operation. The bugs allow for a
11786	    denial of service attack in many applications by an unauthenticated
11787	    attacker, and could conceivably result in remote code execution.</p>
11788	</blockquote>
11789      </body>
11790    </description>
11791    <references>
11792      <cvename>CVE-2016-0718</cvename>
11793      <freebsdpr>ports/209360</freebsdpr>
11794      <url>http://www.openwall.com/lists/oss-security/2016/05/17/12</url>
11795    </references>
11796    <dates>
11797      <discovery>2016-05-17</discovery>
11798      <entry>2016-05-20</entry>
11799      <modified>2016-11-30</modified>
11800    </dates>
11801  </vuln>
11802
11803  <vuln vid="036d6c38-1c5b-11e6-b9e0-20cf30e32f6d">
11804    <topic>Bugzilla security issues</topic>
11805    <affects>
11806      <package>
11807	<name>bugzilla44</name>
11808	<range><lt>4.4.12</lt></range>
11809      </package>
11810      <package>
11811	<name>bugzilla50</name>
11812	<range><lt>5.0.3</lt></range>
11813      </package>
11814    </affects>
11815    <description>
11816      <body xmlns="http://www.w3.org/1999/xhtml">
11817	<p>Bugzilla Security Advisory</p>
11818	<blockquote cite="https://www.bugzilla.org/security/4.4.11/">
	  <p>Due to an incorrect parsing of the image map generated by the dot
	    script, a specially crafted bug summary could trigger XSS in
	    dependency graphs.</p>
11822	</blockquote>
11823      </body>
11824    </description>
11825    <references>
11826      <cvename>CVE-2016-2803</cvename>
11827      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=1253263</url>
11828    </references>
11829    <dates>
11830      <discovery>2016-03-03</discovery>
11831      <entry>2016-05-17</entry>
11832    </dates>
11833  </vuln>
11834
11835  <vuln vid="0dc8be9e-19af-11e6-8de0-080027ef73ec">
11836    <topic>OpenVPN -- Buffer overflow in PAM authentication and DoS through port sharing</topic>
11837    <affects>
11838      <package>
11839	<name>openvpn</name>
11840	<range><lt>2.3.11</lt></range>
11841      </package>
11842      <package>
11843	<name>openvpn-polarssl</name>
11844	<range><lt>2.3.11</lt></range>
11845      </package>
11846    </affects>
11847    <description>
11848      <body xmlns="http://www.w3.org/1999/xhtml">
11849	<p>Samuli Seppänen reports:</p>
11850	<blockquote cite="https://sourceforge.net/p/openvpn/mailman/message/35076507/">
11851	  <p>OpenVPN 2.3.11 [...] fixes two vulnerabilities: a port-share bug
11852	    with DoS potential and a buffer overflow by user supplied data when
11853	    using pam authentication.[...]</p>
11854	</blockquote>
11855      </body>
11856    </description>
11857    <references>
11858      <url>https://sourceforge.net/p/openvpn/mailman/message/35076507/</url>
11859      <url>https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11</url>
11860    </references>
11861    <dates>
11862      <discovery>2016-03-03</discovery>
11863      <entry>2016-05-14</entry>
11864    </dates>
11865  </vuln>
11866
11867  <vuln vid="82b702e0-1907-11e6-857b-00221503d280">
11868    <topic>imagemagick -- buffer overflow</topic>
11869    <affects>
11870      <package>
11871	<name>ImageMagick</name>
11872	<name>ImageMagick-nox11</name>
11873	<range><lt>6.9.4.1,1</lt></range>
11874      </package>
11875      <package>
11876	<name>ImageMagick7</name>
11877	<name>ImageMagick7-nox11</name>
11878	<range><ge>7.0.0.0.b20150715</ge><lt>7.0.1.3</lt></range>
11879      </package>
11880    </affects>
11881    <description>
11882      <body xmlns="http://www.w3.org/1999/xhtml">
11883	<p>ImageMagick reports:</p>
11884	<blockquote cite="http://legacy.imagemagick.org/script/changelog.php">
11885	  <p>Fix a buffer overflow in magick/drag.c/DrawStrokePolygon().</p>
11886	</blockquote>
11887      </body>
11888    </description>
11889    <references>
11890      <url>http://legacy.imagemagick.org/script/changelog.php</url>
11891    </references>
11892    <dates>
11893      <discovery>2016-05-09</discovery>
11894      <entry>2016-05-13</entry>
11895    </dates>
11896  </vuln>
11897
11898  <vuln vid="e387834a-17ef-11e6-9947-7054d2909b71">
11899    <topic>jenkins -- multiple vulnerabilities</topic>
11900    <affects>
11901      <package>
11902	<name>jenkins</name>
11903	<range><le>2.2</le></range>
11904      </package>
11905      <package>
11906	<name>jenkins2</name>
11907	<range><le>2.2</le></range>
11908      </package>
11909      <package>
11910	<name>jenkins-lts</name>
11911	<range><le>1.651.1</le></range>
11912      </package>
11913    </affects>
11914    <description>
11915      <body xmlns="http://www.w3.org/1999/xhtml">
11916	<p>Jenkins Security Advisory:</p>
11917	<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11">
11918	  <h1>Description</h1>
11919	  <h5>SECURITY-170 / CVE-2016-3721</h5>
11920	  <p>Arbitrary build parameters are passed to build scripts as environment variables</p>
11921	  <h5>SECURITY-243 / CVE-2016-3722</h5>
11922	  <p>Malicious users with multiple user accounts can prevent other users from logging in</p>
11923	  <h5>SECURITY-250 / CVE-2016-3723</h5>
11924	  <p>Information on installed plugins exposed via API</p>
11925	  <h5>SECURITY-266 / CVE-2016-3724</h5>
11926	  <p>Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration</p>
11927	  <h5>SECURITY-273 / CVE-2016-3725</h5>
11928	  <p>Regular users can trigger download of update site metadata</p>
11929	  <h5>SECURITY-276 / CVE-2016-3726</h5>
11930	  <p>Open redirect to scheme-relative URLs</p>
11931	  <h5>SECURITY-281 / CVE-2016-3727</h5>
11932	  <p>Granting the permission to read node configurations allows access to overall system configuration</p>
11933	</blockquote>
11934      </body>
11935    </description>
11936    <references>
11937      <cvename>CVE-2016-3721</cvename>
11938      <cvename>CVE-2016-3722</cvename>
11939      <cvename>CVE-2016-3723</cvename>
11940      <cvename>CVE-2016-3724</cvename>
11941      <cvename>CVE-2016-3725</cvename>
11942      <cvename>CVE-2016-3726</cvename>
11943      <cvename>CVE-2016-3727</cvename>
11944      <url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11</url>
11945    </references>
11946    <dates>
11947      <discovery>2016-05-11</discovery>
11948      <entry>2016-05-12</entry>
11949    </dates>
11950  </vuln>
11951
11952  <vuln vid="d9f99491-1656-11e6-94fa-002590263bf5">
11953    <topic>perl5 -- taint mechanism bypass vulnerability</topic>
11954    <affects>
11955      <package>
11956	<name>perl5</name>
11957	<range><lt>5.18.4_21</lt></range>
11958	<range><ge>5.20.0</ge><lt>5.20.3_12</lt></range>
11959	<range><ge>5.22.0</ge><lt>5.22.1_8</lt></range>
11960      </package>
11961      <package>
11962	<name>perl5.18</name>
11963	<range><ge>5.18.0</ge><lt>5.18.4_21</lt></range>
11964      </package>
11965      <package>
11966	<name>perl5.20</name>
11967	<range><ge>5.20.0</ge><lt>5.20.3_12</lt></range>
11968      </package>
11969      <package>
11970	<name>perl5.22</name>
11971	<range><ge>5.22.0</ge><lt>5.22.1_8</lt></range>
11972      </package>
11973      <package>
11974	<name>perl</name>
11975	<range><ge>0</ge></range>
11976      </package>
11977    </affects>
11978    <description>
11979      <body xmlns="http://www.w3.org/1999/xhtml">
11980	<p>MITRE reports:</p>
11981	<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2381">
11982	  <p>Perl might allow context-dependent attackers to bypass the taint
11983	    protection mechanism in a child process via duplicate environment
11984	    variables in envp.</p>
11985	</blockquote>
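	<p>The bypass works because two consumers of the same environ disagree
	  when a name appears twice: a hash built by iterating environ and
	  storing each entry ends up with the last value, while getenv(3), and
	  therefore any child process using libc, returns the first match. The
	  Python below is an added example, not perl's code: it models both
	  views, a PATH taint rule simplified to "every element is absolute"
	  (the real rule also checks directory permissions), and the
	  de-duplication that makes both views agree, which is the approach the
	  perl fix took. The envp list is constructed for the example, and the
	  direction modelled for the hash view (last value wins) is this
	  example's assumption about the unfixed interpreter.</p>
```python
def hash_style_env(envp):
    """%ENV-style view: iterate envp and store each entry; a later duplicate
    overwrites an earlier one, so the last value wins."""
    env = {}
    for entry in envp:
        name, _, value = entry.partition("=")
        env[name] = value
    return env


def getenv_style_lookup(envp, name):
    """getenv(3)-style view: linear scan of envp, first match wins."""
    prefix = name + "="
    for entry in envp:
        if entry.startswith(prefix):
            return entry[len(prefix):]
    return None


def dedupe_envp(envp):
    """Keep only the first entry for each name (what a child would see
    anyway) so every later consumer agrees with getenv(3)."""
    seen, out = set(), []
    for entry in envp:
        name = entry.partition("=")[0]
        if name in seen:
            continue
        seen.add(name)
        out.append(entry)
    return out


def path_is_tainted(path):
    """Simplified taint rule for PATH: any empty or relative element is
    unsafe. (perl's real rule also rejects group/world-writable dirs.)"""
    return any(not element.startswith("/") for element in path.split(":"))


def run_check(envp):
    """Returns (tainted as seen by the check, tainted as used by a child)
    for PATH."""
    checked = path_is_tainted(hash_style_env(envp)["PATH"])
    used = path_is_tainted(getenv_style_lookup(envp, "PATH"))
    return checked, used


def demo():
    # Constructed envp: the attacker supplies a relative PATH first and a
    # clean one second. The hash view checks the clean one; the child
    # process resolves commands through ".".
    envp = ["HOME=/home/alice", "PATH=.", "PATH=/usr/bin:/bin"]
    return run_check(envp), run_check(dedupe_envp(envp))


if __name__ == "__main__":
    print(demo())
```
	<p>Before de-duplication the taint check passes while the child runs
	  with a relative PATH; after it, both views see the same value and the
	  check fails, which is the correct outcome. The same split applies to
	  any setuid or sandboxed program that validates one view of the
	  environment and then execs a child that reads another.</p>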
11986      </body>
11987    </description>
11988    <references>
11989      <cvename>CVE-2016-2381</cvename>
11990      <freebsdpr>ports/208879</freebsdpr>
11991    </references>
11992    <dates>
11993      <discovery>2016-04-08</discovery>
11994      <entry>2016-05-10</entry>
11995      <modified>2016-08-22</modified>
11996    </dates>
11997  </vuln>
11998
11999  <vuln vid="3686917b-164d-11e6-94fa-002590263bf5">
12000    <topic>wordpress -- multiple vulnerabilities</topic>
12001    <affects>
12002      <package>
12003	<name>wordpress</name>
12004	<range><lt>4.5.2,1</lt></range>
12005      </package>
12006      <package>
12007	<name>de-wordpress</name>
12008	<name>ja-wordpress</name>
12009	<name>ru-wordpress</name>
12010	<name>zh-wordpress-zh_CN</name>
12011	<name>zh-wordpress-zh_TW</name>
12012	<range><lt>4.5.2</lt></range>
12013      </package>
12014    </affects>
12015    <description>
12016      <body xmlns="http://www.w3.org/1999/xhtml">
12017	<p>Helen Hou-Sandi reports:</p>
12018	<blockquote cite="https://wordpress.org/news/2016/05/wordpress-4-5-2/">
12019	  <p>WordPress 4.5.2 is now available. This is a security release for
12020	    all previous versions and we strongly encourage you to update your
12021	    sites immediately.</p>
12022	  <p>WordPress versions 4.5.1 and earlier are affected by a SOME
12023	    vulnerability through Plupload, the third-party library WordPress
12024	    uses for uploading files. WordPress versions 4.2 through 4.5.1 are
12025	    vulnerable to reflected XSS using specially crafted URIs through
12026	    MediaElement.js, the third-party library used for media players.
12027	    MediaElement.js and Plupload have also released updates fixing
12028	    these issues.</p>
12029	</blockquote>
12030      </body>
12031    </description>
12032    <references>
12033      <cvename>CVE-2016-4566</cvename>
12034      <cvename>CVE-2016-4567</cvename>
12035      <url>https://wordpress.org/news/2016/05/wordpress-4-5-2/</url>
12036      <url>http://www.openwall.com/lists/oss-security/2016/05/07/7</url>
12037    </references>
12038    <dates>
12039      <discovery>2016-05-06</discovery>
12040      <entry>2016-05-10</entry>
12041    </dates>
12042  </vuln>
12043
12044  <vuln vid="2b4c8e1f-1609-11e6-b55e-b499baebfeaf">
12045    <topic>libarchive -- RCE vulnerability</topic>
12046    <affects>
12047      <package>
12048	<name>libarchive</name>
12049	<range><lt>3.2.0,1</lt></range>
12050      </package>
12051    </affects>
12052    <description>
12053      <body xmlns="http://www.w3.org/1999/xhtml">
12054	<p>The libarchive project reports:</p>
12055	<blockquote cite="https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7">
12056	  <p>Heap-based buffer overflow in the zip_read_mac_metadata function
12057	    in archive_read_support_format_zip.c in libarchive before 3.2.0
12058	    allows remote attackers to execute arbitrary code via crafted
12059	    entry-size values in a ZIP archive.</p>
12060	</blockquote>
12061      </body>
12062    </description>
12063    <references>
12064      <cvename>CVE-2016-1541</cvename>
12065      <url>https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7</url>
12066    </references>
12067    <dates>
12068      <discovery>2016-05-01</discovery>
12069      <entry>2016-05-09</entry>
12070      <modified>2016-05-10</modified>
12071    </dates>
12072  </vuln>
12073
12074  <vuln vid="25e5205b-1447-11e6-9ead-6805ca0b3d42">
12075    <topic>squid -- multiple vulnerabilities</topic>
12076    <affects>
12077      <package>
12078	<name>squid</name>
12079	<range><ge>3.0.0</ge><lt>3.5.18</lt></range>
12080      </package>
12081      <package>
12082	<name>squid-devel</name>
12083	<range><ge>4.0.0</ge><lt>4.0.10</lt></range>
12084      </package>
12085    </affects>
12086    <description>
12087      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The squid development team has published three advisories for these
	  issues; see the CVE entries and advisory URLs in the references below
	  for details.</p>
12090      </body>
12091    </description>
12092    <references>
12093      <cvename>CVE-2016-4553</cvename>
12094      <cvename>CVE-2016-4554</cvename>
12095      <cvename>CVE-2016-4555</cvename>
12096      <cvename>CVE-2016-4556</cvename>
12097      <url>http://www.squid-cache.org/Advisories/SQUID-2016_7.txt</url>
12098      <url>http://www.squid-cache.org/Advisories/SQUID-2016_8.txt</url>
12099      <url>http://www.squid-cache.org/Advisories/SQUID-2016_9.txt</url>
12100    </references>
12101    <dates>
12102      <discovery>2016-05-06</discovery>
12103      <entry>2016-05-07</entry>
12104      <modified>2016-05-09</modified>
12105    </dates>
12106  </vuln>
12107
12108  <vuln vid="0d724b05-687f-4527-9c03-af34d3b094ec">
12109    <topic>ImageMagick -- multiple vulnerabilities</topic>
12110    <affects>
12111      <package>
12112	<name>ImageMagick</name>
12113	<name>ImageMagick-nox11</name>
12114	<range><lt>6.9.3.9_1,1</lt></range>
12115      </package>
12116      <package>
12117	<name>ImageMagick7</name>
12118	<name>ImageMagick7-nox11</name>
12119	<range><ge>7.0.0.0.b20150715</ge><lt>7.0.1.0_1</lt></range>
12120      </package>
12121    </affects>
12122    <description>
12123      <body xmlns="http://www.w3.org/1999/xhtml">
12124	<p>Openwall reports:</p>
12125	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/03/18">
	  <p>Insufficient filtering of the filename passed to a delegate's
	    command allows remote code execution during conversion of several
	    file formats. Any service which uses ImageMagick to process user
	    supplied images and uses the default delegates.xml / policy.xml
	    may be vulnerable to this issue.</p>
	  <p>It is possible to make ImageMagick perform an HTTP GET or FTP
	    request.</p>
	  <p>It is possible to delete files by using ImageMagick's 'ephemeral'
	    pseudo protocol, which deletes files after reading.</p>
	  <p>It is possible to move image files to a file with any extension
	    in any folder by using ImageMagick's 'msl' pseudo protocol.
	    msl.txt and image.gif should exist in a known location (/tmp/
	    for the PoC; in real life it may be a web service written in PHP
	    which allows uploading raw txt files and processing images with
	    ImageMagick).</p>
	  <p>It is possible to get the content of files from the server
	    by using ImageMagick's 'label' pseudo protocol.</p>
12143	</blockquote>
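	<p>The policy.xml named above is the mitigation point: every issue in
	  the list is reached through a coder or pseudo protocol that the policy
	  can switch off. The fragment below is an added example written for this
	  entry, not ImageMagick's shipped file; it disables the coder set that
	  imagetragick.com recommends disabling and adds the path rule that blocks
	  the @filename indirection the 'label' file read relies on. Place the
	  policy elements inside the policymap of the policy.xml that your
	  ImageMagick build actually loads (the location is build dependent).</p>
<![CDATA[
```xml
<policymap>
  <!-- coders reachable from the delegate pipeline and the pseudo
       protocols described above; rights="none" refuses them entirely -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <!-- refuse "@/path" arguments, i.e. reading arbitrary local files
       through label:, caption: and friends -->
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
```
]]>
	<p>Confirm what is in effect with <code>convert -list policy</code>
	  rather than by inspecting the file, since a build may read a different
	  policy.xml than the one you edited. Because ImageMagick selects the
	  coder from the file's content rather than its extension, also check
	  the magic bytes of uploaded files against the formats you accept before
	  handing them to ImageMagick, as the advisory recommends.</p>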
12144      </body>
12145    </description>
12146    <references>
12147      <cvename>CVE-2016-3714</cvename>
12148      <cvename>CVE-2016-3715</cvename>
12149      <cvename>CVE-2016-3716</cvename>
12150      <cvename>CVE-2016-3717</cvename>
12151      <cvename>CVE-2016-3718</cvename>
12152      <url>http://www.openwall.com/lists/oss-security/2016/05/03/18</url>
12153      <url>https://imagetragick.com/</url>
12154    </references>
12155    <dates>
12156      <discovery>2016-05-03</discovery>
12157      <entry>2016-05-06</entry>
12158      <modified>2016-05-07</modified>
12159    </dates>
12160  </vuln>
12161
12162  <vuln vid="a6cd01fa-11bd-11e6-bb3c-9cb654ea3e1c">
12163    <topic>jansson -- local denial of service vulnerabilities</topic>
12164    <affects>
12165      <package>
12166	<name>jansson</name>
12167	<range><lt>2.7_2</lt></range>
12168      </package>
12169    </affects>
12170    <description>
12171      <body xmlns="http://www.w3.org/1999/xhtml">
12172	<p>QuickFuzz reports:</p>
12173	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/01/5">
	  <p>A crash caused by stack exhaustion while parsing a JSON document
	    was found.</p>
12175	</blockquote>
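	<p>Stack exhaustion in a JSON parser comes from recursion that follows
	  the input's nesting: every '[' or '{' costs a stack frame, so an
	  attacker-supplied document that is nothing but opening brackets
	  exhausts the stack. A cap on nesting depth is the standard defence.
	  The following is an added example, not jansson's code: a linear
	  pre-check that bounds nesting depth before the text reaches a recursive
	  parser. Function names and the 2048 limit are assumptions.</p>
<![CDATA[
```c
/* Added example, not jansson's code: a linear pre-check that bounds the
 * nesting depth of untrusted JSON before it reaches a recursive-descent
 * parser, whose stack use grows with every '[' or '{' it descends into.
 * Names and the depth limit are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the maximum nesting depth of text, or -1 as soon as the depth
 * exceeds limit (the scan stops there, so the cost is bounded too).
 * String contents are skipped, including escaped quotes, so brackets
 * inside strings do not count.  Unbalanced closers are ignored; rejecting
 * them is the parser's job. */
int json_nesting_depth(const char *text, int limit)
{
    int depth = 0, deepest = 0, in_string = 0;
    for (const char *p = text; *p; p++) {
        if (in_string) {
            if (*p == '\\' && p[1] != '\0')
                p++;                          /* skip the escaped character */
            else if (*p == '"')
                in_string = 0;
            continue;
        }
        switch (*p) {
        case '"':
            in_string = 1;
            break;
        case '[': case '{':
            if (++depth > limit)
                return -1;
            if (depth > deepest)
                deepest = depth;
            break;
        case ']': case '}':
            if (depth > 0)
                depth--;
            break;
        default:
            break;
        }
    }
    return deepest;
}

/* Constructed worst case: n opening brackets followed by n closers. */
int probe_deep_array(int n, int limit)
{
    size_t len = (size_t)n * 2;
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return -2;
    memset(buf, '[', (size_t)n);
    memset(buf + n, ']', (size_t)n);
    buf[len] = '\0';
    int depth = json_nesting_depth(buf, limit);
    free(buf);
    return depth;
}

int main(void)
{
    const int limit = 2048;   /* assumed cap; choose one your stack can take */
    printf("ordinary document : %d\n",
           json_nesting_depth("{\"a\": [1, [2, [3]]], \"s\": \"[[[\"}", limit));
    printf("100000-deep array : %d\n", probe_deep_array(100000, limit));
    return 0;
}
```
]]>
	<p>Run the check on the raw bytes and reject the document when it returns
	  -1; only then call the real parser. The scan is O(n) and uses no
	  recursion, so it cannot itself be exhausted by the input it guards.</p>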
12176      </body>
12177    </description>
12178    <references>
12179      <url>http://www.openwall.com/lists/oss-security/2016/05/01/5</url>
12180      <url>http://www.openwall.com/lists/oss-security/2016/05/02/1</url>
12181      <cvename>CVE-2016-4425</cvename>
12182    </references>
12183    <dates>
12184      <discovery>2016-05-01</discovery>
12185      <entry>2016-05-04</entry>
12186    </dates>
12187  </vuln>
12188
12189  <vuln vid="01d729ca-1143-11e6-b55e-b499baebfeaf">
12190    <topic>OpenSSL -- multiple vulnerabilities</topic>
12191    <affects>
12192      <package>
12193	<name>openssl</name>
12194	<range><lt>1.0.2_11</lt></range>
12195      </package>
12196      <package>
12197	<name>linux-c6-openssl</name>
12198	<range><lt>1.0.1e_8</lt></range>
12199      </package>
12200      <package>
12201	<name>libressl</name>
12202	<range><ge>2.3.0</ge><lt>2.3.4</lt></range>
12203	<range><lt>2.2.7</lt></range>
12204      </package>
12205      <package>
12206	<name>libressl-devel</name>
12207	<range><lt>2.3.4</lt></range>
12208      </package>
12209      <package>
12210	<name>FreeBSD</name>
12211	<range><ge>10.3</ge><lt>10.3_2</lt></range>
12212	<range><ge>10.2</ge><lt>10.2_16</lt></range>
12213	<range><ge>10.1</ge><lt>10.1_33</lt></range>
12214	<range><ge>9.3</ge><lt>9.3_41</lt></range>
12215      </package>
12216    </affects>
12217    <description>
12218      <body xmlns="http://www.w3.org/1999/xhtml">
12219	<p>OpenSSL reports:</p>
12220	<blockquote cite="https://www.openssl.org/news/secadv/20160503.txt">
12221	  <p>Memory corruption in the ASN.1 encoder</p>
12222	  <p>Padding oracle in AES-NI CBC MAC check</p>
12223	  <p>EVP_EncodeUpdate overflow</p>
12224	  <p>EVP_EncryptUpdate overflow</p>
12225	  <p>ASN.1 BIO excessive memory allocation</p>
12226	  <p>EBCDIC overread (OpenSSL only)</p>
12227	</blockquote>
12228      </body>
12229    </description>
12230    <references>
12231      <url>https://www.openssl.org/news/secadv/20160503.txt</url>
12232      <url>https://marc.info/?l=openbsd-tech&amp;m=146228598730414</url>
12233      <cvename>CVE-2016-2105</cvename>
12234      <cvename>CVE-2016-2106</cvename>
12235      <cvename>CVE-2016-2107</cvename>
12236      <cvename>CVE-2016-2108</cvename>
12237      <cvename>CVE-2016-2109</cvename>
12238      <cvename>CVE-2016-2176</cvename>
12239      <freebsdsa>SA-16:17.openssl</freebsdsa>
12240    </references>
12241    <dates>
12242      <discovery>2016-05-03</discovery>
12243      <entry>2016-05-03</entry>
12244      <modified>2016-08-09</modified>
12245    </dates>
12246  </vuln>
12247
12248  <vuln vid="95564990-1138-11e6-b55e-b499baebfeaf">
12249    <cancelled superseded="01d729ca-1143-11e6-b55e-b499baebfeaf"/>
12250  </vuln>
12251
12252  <vuln vid="be72e773-1131-11e6-94fa-002590263bf5">
12253    <topic>gitlab -- privilege escalation via "impersonate" feature</topic>
12254    <affects>
12255      <package>
12256	<name>gitlab</name>
12257	<range><ge>8.2.0</ge><lt>8.2.5</lt></range>
12258	<range><ge>8.3.0</ge><lt>8.3.9</lt></range>
12259	<range><ge>8.4.0</ge><lt>8.4.10</lt></range>
12260	<range><ge>8.5.0</ge><lt>8.5.12</lt></range>
12261	<range><ge>8.6.0</ge><lt>8.6.8</lt></range>
12262	<range><ge>8.7.0</ge><lt>8.7.1</lt></range>
12263      </package>
12264    </affects>
12265    <description>
12266      <body xmlns="http://www.w3.org/1999/xhtml">
12267	<p>GitLab reports:</p>
12268	<blockquote cite="https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/">
12269	  <p>During an internal code review, we discovered a critical security
12270	    flaw in the "impersonate" feature of GitLab. Added in GitLab 8.2,
12271	    this feature was intended to allow an administrator to simulate
12272	    being logged in as any other user.</p>
12273	  <p>A part of this feature was not properly secured and it was possible
12274	    for any authenticated user, administrator or not, to "log in" as any
12275	    other user, including administrators. Please see the issue for more
12276	    details.</p>
12277	</blockquote>
12278      </body>
12279    </description>
12280    <references>
12281      <cvename>CVE-2016-4340</cvename>
12282      <freebsdpr>ports/209225</freebsdpr>
12283      <url>https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/</url>
12284      <url>https://gitlab.com/gitlab-org/gitlab-ce/issues/15548</url>
12285    </references>
12286    <dates>
12287      <discovery>2016-05-02</discovery>
12288      <entry>2016-05-03</entry>
12289    </dates>
12290  </vuln>
12291
12292  <vuln vid="5764c634-10d2-11e6-94fa-002590263bf5">
12293    <topic>php -- multiple vulnerabilities</topic>
12294    <affects>
12295      <package>
12296	<name>php70</name>
12297	<name>php70-bcmath</name>
12298	<name>php70-exif</name>
12299	<name>php70-gd</name>
12300	<name>php70-xml</name>
12301	<range><lt>7.0.6</lt></range>
12302      </package>
12303      <package>
12304	<name>php56</name>
12305	<name>php56-bcmath</name>
12306	<name>php56-exif</name>
12307	<name>php56-gd</name>
12308	<name>php56-xml</name>
12309	<range><lt>5.6.21</lt></range>
12310      </package>
12311      <package>
12312	<name>php55</name>
12313	<name>php55-bcmath</name>
12314	<name>php55-exif</name>
12315	<name>php55-gd</name>
12316	<name>php55-xml</name>
12317	<range><lt>5.5.35</lt></range>
12318      </package>
12319    </affects>
12320    <description>
12321      <body xmlns="http://www.w3.org/1999/xhtml">
12322	<p>The PHP Group reports:</p>
12323	<blockquote cite="http://www.php.net/ChangeLog-5.php#5.5.35">
12324	  <ul><li>BCMath:
12325	  <ul>
12326	    <li>Fixed bug #72093 (bcpowmod accepts negative scale and corrupts
12327	      _one_ definition).</li>
12328	  </ul></li>
12329	  <li>Exif:
12330	  <ul>
12331	    <li>Fixed bug #72094 (Out of bounds heap read access in exif header
12332	      processing).</li>
12333	  </ul></li>
12334	  <li>GD:
12335	  <ul>
12336	    <li>Fixed bug #71912 (libgd: signedness vulnerability).
12337	      (CVE-2016-3074)</li>
12338	  </ul></li>
12339	  <li>Intl:
12340	  <ul>
12341	    <li>Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos
12342	      with negative offset).</li>
12343	  </ul></li>
12344	  <li>XML:
12345	  <ul>
12346	    <li>Fixed bug #72099 (xml_parse_into_struct segmentation fault).
12347	      </li>
12348	  </ul></li>
12349	  </ul>
12350	</blockquote>
12351      </body>
12352    </description>
12353    <references>
12354      <cvename>CVE-2016-3074</cvename>
12355      <freebsdpr>ports/209145</freebsdpr>
12356      <url>http://www.php.net/ChangeLog-7.php#7.0.6</url>
12357      <url>http://www.php.net/ChangeLog-5.php#5.6.21</url>
12358      <url>http://www.php.net/ChangeLog-5.php#5.5.35</url>
12359    </references>
12360    <dates>
12361      <discovery>2016-04-28</discovery>
12362      <entry>2016-05-03</entry>
12363    </dates>
12364  </vuln>
12365
12366  <vuln vid="a1134048-10c6-11e6-94fa-002590263bf5">
12367    <topic>libksba -- local denial of service vulnerabilities</topic>
12368    <affects>
12369      <package>
12370	<name>libksba</name>
12371	<range><lt>1.3.3</lt></range>
12372      </package>
12373    </affects>
12374    <description>
12375      <body xmlns="http://www.w3.org/1999/xhtml">
12376	<p>Martin Prpic, Red Hat Product Security Team, reports:</p>
12377	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/04/29/5">
12378	  <p>Denial of Service due to stack overflow in src/ber-decoder.c.</p>
12379	  <p>Integer overflow in the BER decoder src/ber-decoder.c.</p>
12380	  <p>Integer overflow in the DN decoder src/dn.c.</p>
12381	</blockquote>
12382      </body>
12383    </description>
12384    <references>
12385      <cvename>CVE-2016-4353</cvename>
12386      <cvename>CVE-2016-4354</cvename>
12387      <cvename>CVE-2016-4355</cvename>
12388      <cvename>CVE-2016-4356</cvename>
12389      <url>http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=07116a314f4dcd4d96990bbd74db95a03a9f650a</url>
12390      <url>http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887</url>
12391      <url>http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=243d12fdec66a4360fbb3e307a046b39b5b4ffc3</url>
12392      <url>https://security.gentoo.org/glsa/201604-04</url>
12393      <mlist>http://www.openwall.com/lists/oss-security/2016/04/29/5</mlist>
12394    </references>
12395    <dates>
12396      <discovery>2015-04-08</discovery>
12397      <entry>2016-05-03</entry>
12398    </dates>
12399  </vuln>
12400
12401  <vuln vid="7e36c369-10c0-11e6-94fa-002590263bf5">
12402    <topic>wireshark -- multiple vulnerabilities</topic>
12403    <affects>
12404      <package>
12405	<name>wireshark</name>
12406	<name>wireshark-lite</name>
12407	<name>wireshark-qt5</name>
12408	<name>tshark</name>
12409	<name>tshark-lite</name>
12410	<range><lt>2.0.3</lt></range>
12411      </package>
12412    </affects>
12413    <description>
12414      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The Wireshark development team reports:</p>
12416	<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.3.html">
12417	  <p>The following vulnerabilities have been fixed:</p>
12418	  <ul>
12419	    <li><p>wnpa-sec-2016-19</p>
12420	      <p>The NCP dissector could crash. (Bug 11591)</p></li>
12421	    <li><p>wnpa-sec-2016-20</p>
12422	      <p>TShark could crash due to a packet reassembly bug. (Bug 11799)
12423		</p></li>
12424	    <li><p>wnpa-sec-2016-21</p>
12425	      <p>The IEEE 802.11 dissector could crash. (Bug 11824, Bug 12187)
12426		</p></li>
12427	    <li><p>wnpa-sec-2016-22</p>
12428	      <p>The PKTC dissector could crash. (Bug 12206)</p></li>
12429	    <li><p>wnpa-sec-2016-23</p>
12430	      <p>The PKTC dissector could crash. (Bug 12242)</p></li>
12431	    <li><p>wnpa-sec-2016-24</p>
12432	      <p>The IAX2 dissector could go into an infinite loop. (Bug
12433		12260)</p></li>
12434	    <li><p>wnpa-sec-2016-25</p>
12435	      <p>Wireshark and TShark could exhaust the stack. (Bug 12268)</p>
12436		</li>
12437	    <li><p>wnpa-sec-2016-26</p>
12438	      <p>The GSM CBCH dissector could crash. (Bug 12278)</p></li>
12439	    <li><p>wnpa-sec-2016-27</p>
12440	      <p>MS-WSP dissector crash. (Bug 12341)</p></li>
12441	  </ul>
12442	</blockquote>
12443      </body>
12444    </description>
12445    <references>
12446      <cvename>CVE-2016-4076</cvename>
12447      <cvename>CVE-2016-4077</cvename>
12448      <cvename>CVE-2016-4078</cvename>
12449      <cvename>CVE-2016-4079</cvename>
12450      <cvename>CVE-2016-4080</cvename>
12451      <cvename>CVE-2016-4081</cvename>
12452      <cvename>CVE-2016-4006</cvename>
12453      <cvename>CVE-2016-4082</cvename>
12454      <cvename>CVE-2016-4083</cvename>
12455      <cvename>CVE-2016-4084</cvename>
12456      <url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.3.html</url>
12457      <url>http://www.openwall.com/lists/oss-security/2016/04/25/2</url>
12458    </references>
12459    <dates>
12460      <discovery>2016-04-22</discovery>
12461      <entry>2016-05-02</entry>
12462      <modified>2016-07-04</modified>
12463    </dates>
12464  </vuln>
12465
12466  <vuln vid="78abc022-0fee-11e6-9a1c-0014a5a57822">
12467    <topic>mercurial -- arbitrary code execution vulnerability</topic>
12468    <affects>
12469      <package>
12470	<name>mercurial</name>
12471	<range><lt>3.8.1</lt></range>
12472      </package>
12473    </affects>
12474    <description>
12475      <body xmlns="http://www.w3.org/1999/xhtml">
12476	<p>Mercurial reports:</p>
12477	<blockquote cite="https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.29">
12478	  <p>CVE-2016-3105: Arbitrary code execution when converting
12479	    Git repos</p>
12480	</blockquote>
12481      </body>
12482    </description>
12483    <references>
12484      <cvename>CVE-2016-3105</cvename>
12485      <url>https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.29</url>
12486    </references>
12487    <dates>
12488      <discovery>2016-05-01</discovery>
12489      <entry>2016-05-01</entry>
12490    </dates>
12491  </vuln>
12492
12493  <vuln vid="8c2b2f11-0ebe-11e6-b55e-b499baebfeaf">
12494    <topic>MySQL -- multiple vulnerabilities</topic>
12495    <affects>
12496      <package>
12497	<name>mariadb55-server</name>
12498	<range><lt>5.5.49</lt></range>
12499      </package>
12500      <package>
12501	<name>mariadb100-server</name>
12502	<range><lt>10.0.25</lt></range>
12503      </package>
12504      <package>
12505	<name>mariadb101-server</name>
12506	<range><lt>10.1.12</lt></range>
12507      </package>
12508      <package>
12509	<name>mysql55-server</name>
12510	<range><lt>5.5.49</lt></range>
12511      </package>
12512      <package>
12513	<name>mysql56-server</name>
12514	<range><lt>5.6.30</lt></range>
12515      </package>
12516      <package>
12517	<name>mysql57-server</name>
12518	<range><lt>5.7.12</lt></range>
12519      </package>
12520      <package>
12521	<name>percona55-server</name>
12522	<range><lt>5.5.49</lt></range>
12523      </package>
12524      <package>
12525	<name>percona-server</name>
12526	<range><lt>5.6.30</lt></range>
12527      </package>
12528    </affects>
12529    <description>
12530      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Oracle reports:</p>
12532	<blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html#AppendixMSQL">
12533	  <p>Critical Patch Update contains 31 new security fixes for Oracle MySQL
12534	     5.5.48, 5.6.29, 5.7.11 and earlier</p>
12535	</blockquote>
12536      </body>
12537    </description>
12538    <references>
12539      <url>http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html#AppendixMSQL</url>
12540      <url>https://mariadb.com/kb/en/mariadb/mariadb-5549-release-notes/</url>
12541      <url>https://mariadb.com/kb/en/mariadb/mariadb-10025-release-notes/</url>
12542      <url>https://mariadb.com/kb/en/mariadb/mariadb-10112-release-notes/</url>
12543      <cvename>CVE-2016-0705</cvename>
12544      <cvename>CVE-2016-0639</cvename>
12545      <cvename>CVE-2015-3194</cvename>
12546      <cvename>CVE-2016-0640</cvename>
12547      <cvename>CVE-2016-0641</cvename>
12548      <cvename>CVE-2016-3461</cvename>
12549      <cvename>CVE-2016-2047</cvename>
12550      <cvename>CVE-2016-0642</cvename>
12551      <cvename>CVE-2016-0643</cvename>
12552      <cvename>CVE-2016-0644</cvename>
12553      <cvename>CVE-2016-0646</cvename>
12554      <cvename>CVE-2016-0647</cvename>
12555      <cvename>CVE-2016-0648</cvename>
12556      <cvename>CVE-2016-0649</cvename>
12557      <cvename>CVE-2016-0650</cvename>
12558      <cvename>CVE-2016-0652</cvename>
12559      <cvename>CVE-2016-0653</cvename>
12560      <cvename>CVE-2016-0654</cvename>
12561      <cvename>CVE-2016-0655</cvename>
12562      <cvename>CVE-2016-0656</cvename>
12563      <cvename>CVE-2016-0657</cvename>
12564      <cvename>CVE-2016-0658</cvename>
12565      <cvename>CVE-2016-0651</cvename>
12566      <cvename>CVE-2016-0659</cvename>
12567      <cvename>CVE-2016-0661</cvename>
12568      <cvename>CVE-2016-0662</cvename>
12569      <cvename>CVE-2016-0663</cvename>
12570      <cvename>CVE-2016-0665</cvename>
12571      <cvename>CVE-2016-0666</cvename>
12572      <cvename>CVE-2016-0667</cvename>
12573      <cvename>CVE-2016-0668</cvename>
12574    </references>
12575    <dates>
12576      <discovery>2016-04-19</discovery>
12577      <entry>2016-04-30</entry>
12578    </dates>
12579  </vuln>
12580
12581  <vuln vid="f2d4f879-0d7c-11e6-925f-6805ca0b3d42">
12582    <topic>logstash -- password disclosure vulnerability</topic>
12583    <affects>
12584      <package>
12585	<name>logstash</name>
12586	<range><ge>2.1.0</ge><lt>2.3.2</lt></range>
12587      </package>
12588    </affects>
12589    <description>
12590      <body xmlns="http://www.w3.org/1999/xhtml">
12591	<p>Logstash developers report:</p>
12592	<blockquote cite="https://www.elastic.co/blog/logstash-2.3.1-and-2.2.4-released#Passwords_Printed_in_Log_Files_under_Some_Conditions_18">
12593	  <h2>Passwords Printed in Log Files under Some Conditions</h2>
12594	  <p>It was discovered that, in Logstash 2.1.0+, log messages
12595	    generated by a stalled pipeline during shutdown will print
12596	    plaintext contents of password fields. While investigating
12597	    this issue we also discovered that debug logging has
12598	    included this data for quite some time. Our latest releases
12599	    fix both leaks. You will want to scrub old log files if this
12600	    is of particular concern to you. This was fixed in issue
12601	    #4965</p>
12602	</blockquote>
12603      </body>
12604    </description>
12605    <references>
12606      <url>https://www.elastic.co/blog/logstash-2.3.1-and-2.2.4-released#Passwords_Printed_in_Log_Files_under_Some_Conditions_18</url>
12607      <url>https://github.com/elastic/logstash/pull/4965</url>
12608    </references>
12609    <dates>
12610      <discovery>2016-04-01</discovery>
12611      <entry>2016-04-28</entry>
12612    </dates>
12613  </vuln>
12614
12615  <vuln vid="c8174b63-0d3a-11e6-b06e-d43d7eed0ce2">
12616    <topic>subversion -- multiple vulnerabilities</topic>
12617    <affects>
12618      <package>
12619	<name>subversion</name>
12620	<range><ge>1.9.0</ge><lt>1.9.4</lt></range>
12621	<range><ge>1.0.0</ge><lt>1.8.15</lt></range>
12622      </package>
12623      <package>
12624	<name>subversion18</name>
12625	<range><ge>1.0.0</ge><lt>1.8.15</lt></range>
12626      </package>
12627    </affects>
12628    <description>
12629      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The Subversion project reports:</p>
12631	<blockquote cite="http://subversion.apache.org/security/CVE-2016-2167-advisory.txt">
12632	  <p>svnserve, the svn:// protocol server, can optionally use the Cyrus
12633	    SASL library for authentication, integrity protection, and encryption.
12634	    Due to a programming oversight, authentication against Cyrus SASL
12635	    would permit the remote user to specify a realm string which is
12636	    a prefix of the expected realm string.</p>
12637	</blockquote>
12638	<blockquote cite="http://subversion.apache.org/security/CVE-2016-2168-advisory.txt">
12639	  <p>Subversion's httpd servers are vulnerable to a remotely triggerable crash
12640	    in the mod_authz_svn module.  The crash can occur during an authorization
12641	    check for a COPY or MOVE request with a specially crafted header value.</p>
12642	  <p>This allows remote attackers to cause a denial of service.</p>
12643	</blockquote>
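	<p>The realm oversight is a comparison whose length bound comes from
	  the wrong side. The block below is an added example, not svnserve's
	  code: it puts the prefix-accepting shape the advisory describes next
	  to the equally wrong variant bounded by the server's length, and next
	  to the exact comparison the check should have been. Function names and
	  the realm strings are assumptions.</p>
<![CDATA[
```c
/* Added example, not Subversion's code: the prefix-comparison bug class
 * behind the realm check, beside the exact comparison it should have
 * been.  Function names and realm strings are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Bounded by the CLIENT's length: every prefix of the expected realm,
 * including the empty string, is accepted.  This is the shape of the
 * oversight the advisory describes. */
bool realm_matches_client_len(const char *expected, const char *client)
{
    return strncmp(expected, client, strlen(client)) == 0;
}

/* Bounded by the EXPECTED length: the obvious "fix" that is still wrong,
 * because any client string that merely starts with the expected realm
 * now passes. */
bool realm_matches_expected_len(const char *expected, const char *client)
{
    return strncmp(expected, client, strlen(expected)) == 0;
}

/* Correct: the strings must be identical, length included. */
bool realm_matches_exact(const char *expected, const char *client)
{
    return strcmp(expected, client) == 0;
}

int main(void)
{
    const char *expected = "svn.example.org";       /* assumed server realm */
    const char *probes[] = { "svn.example.org", "svn", "",
                             "svn.example.org.attacker" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-26s client_len=%d expected_len=%d exact=%d\n",
               probes[i][0] ? probes[i] : "(empty)",
               realm_matches_client_len(expected, probes[i]),
               realm_matches_expected_len(expected, probes[i]),
               realm_matches_exact(expected, probes[i]));
    return 0;
}
```
]]>
	<p>The empty client realm is the case to remember: with the
	  client-length bound it compares zero bytes and succeeds, so the check
	  is bypassed without guessing anything about the server's realm.</p>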
12644      </body>
12645    </description>
12646    <references>
12647      <cvename>CVE-2016-2167</cvename>
12648      <url>http://subversion.apache.org/security/CVE-2016-2167-advisory.txt</url>
12649      <cvename>CVE-2016-2168</cvename>
12650      <url>http://subversion.apache.org/security/CVE-2016-2168-advisory.txt</url>
12651    </references>
12652    <dates>
12653      <discovery>2016-04-21</discovery>
12654      <entry>2016-04-28</entry>
12655    </dates>
12656  </vuln>
12657
12658  <vuln vid="b2487d9a-0c30-11e6-acd0-d050996490d0">
12659    <topic>ntp -- multiple vulnerabilities</topic>
12660    <affects>
12661      <package>
12662	<name>ntp</name>
12663	<range><lt>4.2.8p7</lt></range>
12664      </package>
12665      <package>
12666	<name>ntp-devel</name>
12667	<range><lt>4.3.92</lt></range>
12668      </package>
12669      <package>
12670	<name>FreeBSD</name>
12671	<range><ge>10.3</ge><lt>10.3_1</lt></range>
12672	<range><ge>10.2</ge><lt>10.2_15</lt></range>
12673	<range><ge>10.1</ge><lt>10.1_32</lt></range>
12674	<range><ge>9.3</ge><lt>9.3_40</lt></range>
12675      </package>
12676    </affects>
12677    <description>
12678      <body xmlns="http://www.w3.org/1999/xhtml">
12679	<p>Network Time Foundation reports:</p>
12680	<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security">
12681	  <p>NTF's NTP Project has been notified of the following low-
12682	    and medium-severity vulnerabilities that are fixed in
12683	    ntp-4.2.8p7, released on Tuesday, 26 April 2016:</p>
12684	  <ul>
12685	    <li>Bug 3020 / CVE-2016-1551: Refclock impersonation
12686	      vulnerability, AKA: refclock-peering. Reported by
12687	      Matt Street and others of Cisco ASIG</li>
12688	    <li>Bug 3012 / CVE-2016-1549: Sybil vulnerability:
12689	      ephemeral association attack, AKA: ntp-sybil -
12690	      MITIGATION ONLY. Reported by Matthew Van Gundy
12691	      of Cisco ASIG</li>
12692	    <li>Bug 3011 / CVE-2016-2516: Duplicate IPs on
12693	      unconfig directives will cause an assertion botch.
12694	      Reported by Yihan Lian of the Cloud Security Team,
12695	      Qihoo 360</li>
12696	    <li>Bug 3010 / CVE-2016-2517: Remote configuration
12697	      trustedkey/requestkey values are not properly
12698	      validated. Reported by Yihan Lian of the Cloud
12699	      Security Team, Qihoo 360</li>
12700	    <li>Bug 3009 / CVE-2016-2518: Crafted addpeer with
12701	      hmode &gt; 7 causes array wraparound with MATCH_ASSOC.
12702	      Reported by Yihan Lian of the Cloud Security Team,
12703	      Qihoo 360</li>
12704	    <li>Bug 3008 / CVE-2016-2519: ctl_getitem() return
12705	      value not always checked. Reported by Yihan Lian
12706	      of the Cloud Security Team, Qihoo 360</li>
12707	    <li>Bug 3007 / CVE-2016-1547: Validate crypto-NAKs,
12708	      AKA: nak-dos. Reported by Stephen Gray and
12709	      Matthew Van Gundy of Cisco ASIG</li>
12710	    <li>Bug 2978 / CVE-2016-1548: Interleave-pivot -
12711	      MITIGATION ONLY. Reported by Miroslav Lichvar of
12712	      RedHat and separately by Jonathan Gardner of
12713	      Cisco ASIG.</li>
12714	    <li>Bug 2952 / CVE-2015-7704: KoD fix: peer
12715	      associations were broken by the fix for
12716	      NtpBug2901, AKA: Symmetric active/passive mode
12717	      is broken. Reported by Michael Tatarinov,
12718	      NTP Project Developer Volunteer</li>
12719	    <li>Bug 2945 / Bug 2901 / CVE-2015-8138: Zero
12720	      Origin Timestamp Bypass, AKA: Additional KoD Checks.
12721	      Reported by Jonathan Gardner of Cisco ASIG</li>
12722	    <li>Bug 2879 / CVE-2016-1550: Improve NTP security
12723	      against buffer comparison timing attacks,
12724	      authdecrypt-timing, AKA: authdecrypt-timing.
12725	      Reported independently by Loganaden Velvindron,
12726	      and Matthew Van Gundy and Stephen Gray of
12727	      Cisco ASIG.</li>
12728	  </ul>
12729	</blockquote>
12730      </body>
12731    </description>
12732    <references>
12733      <freebsdsa>SA-16:16.ntp</freebsdsa>
12734      <cvename>CVE-2015-7704</cvename>
12735      <cvename>CVE-2015-8138</cvename>
12736      <cvename>CVE-2016-1547</cvename>
12737      <cvename>CVE-2016-1548</cvename>
12738      <cvename>CVE-2016-1549</cvename>
12739      <cvename>CVE-2016-1550</cvename>
12740      <cvename>CVE-2016-1551</cvename>
12741      <cvename>CVE-2016-2516</cvename>
12742      <cvename>CVE-2016-2517</cvename>
12743      <cvename>CVE-2016-2518</cvename>
12744      <cvename>CVE-2016-2519</cvename>
12745      <url>http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security</url>
12746    </references>
12747    <dates>
12748      <discovery>2016-04-26</discovery>
12749      <entry>2016-04-27</entry>
12750      <modified>2016-08-09</modified>
12751    </dates>
12752  </vuln>
12753
12754  <vuln vid="92d44f83-a7bf-41cf-91ee-3d1b8ecf579f">
12755    <topic>mozilla -- multiple vulnerabilities</topic>
12756    <affects>
12757      <package>
12758	<name>firefox</name>
12759	<name>linux-firefox</name>
12760	<range><lt>46.0,1</lt></range>
12761      </package>
12762      <package>
12763	<name>seamonkey</name>
12764	<name>linux-seamonkey</name>
12765	<range><lt>2.43</lt></range>
12766      </package>
12767      <package>
12768	<name>firefox-esr</name>
12769	<range><ge>39.0,1</ge><lt>45.1.0,1</lt></range>
12770	<range><lt>38.8.0,1</lt></range>
12771      </package>
12772      <package>
12773	<name>libxul</name>
12774	<name>thunderbird</name>
12775	<name>linux-thunderbird</name>
12776	<range><ge>39.0</ge><lt>45.1.0</lt></range>
12777	<range><lt>38.8.0</lt></range>
12778      </package>
12779    </affects>
12780    <description>
12781      <body xmlns="http://www.w3.org/1999/xhtml">
12782	<p>Mozilla Foundation reports:</p>
12783	<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox46">
12784	<p>MFSA 2016-39 Miscellaneous memory safety hazards (rv:46.0 /
12785	  rv:45.1 / rv:38.8)</p>
12786	<p>MFSA 2016-42 Use-after-free and buffer overflow
12787	  in Service Workers</p>
12788	<p>MFSA 2016-44 Buffer overflow in libstagefright with
12789	  CENC offsets</p>
12790	<p>MFSA 2016-45 CSP not applied to pages sent with
12791	  multipart/x-mixed-replace</p>
12792	<p>MFSA 2016-46 Elevation of privilege with
12793	  chrome.tabs.update API in web extensions</p>
12794	<p>MFSA 2016-47 Write to invalid HashMap entry through
12795	  JavaScript.watch()</p>
12796	<p>MFSA 2016-48 Firefox Health Reports could accept events
12797	  from untrusted domains</p>
12798	</blockquote>
12799      </body>
12800    </description>
12801    <references>
12802      <cvename>CVE-2016-2804</cvename>
12803      <cvename>CVE-2016-2805</cvename>
12804      <cvename>CVE-2016-2806</cvename>
12805      <cvename>CVE-2016-2807</cvename>
12806      <cvename>CVE-2016-2808</cvename>
12807      <cvename>CVE-2016-2811</cvename>
12808      <cvename>CVE-2016-2812</cvename>
12809      <cvename>CVE-2016-2814</cvename>
12810      <cvename>CVE-2016-2816</cvename>
12811      <cvename>CVE-2016-2817</cvename>
12812      <cvename>CVE-2016-2820</cvename>
12813      <url>https://www.mozilla.org/security/advisories/mfsa2016-39/</url>
12814      <url>https://www.mozilla.org/security/advisories/mfsa2016-42/</url>
12815      <url>https://www.mozilla.org/security/advisories/mfsa2016-44/</url>
12816      <url>https://www.mozilla.org/security/advisories/mfsa2016-45/</url>
12817      <url>https://www.mozilla.org/security/advisories/mfsa2016-46/</url>
12818      <url>https://www.mozilla.org/security/advisories/mfsa2016-47/</url>
12819      <url>https://www.mozilla.org/security/advisories/mfsa2016-48/</url>
12820    </references>
12821    <dates>
12822      <discovery>2016-04-26</discovery>
12823      <entry>2016-04-26</entry>
12824    </dates>
12825  </vuln>
12826
12827  <vuln vid="f87a9376-0943-11e6-8fc4-00a0986f28c4">
12828    <topic>phpmyfaq -- cross-site request forgery vulnerability</topic>
12829    <affects>
12830      <package>
12831	<name>phpmyfaq</name>
12832	<range><lt>2.8.27</lt></range>
12833      </package>
12834    </affects>
12835    <description>
12836      <body xmlns="http://www.w3.org/1999/xhtml">
12837	<p>The phpMyFAQ team reports:</p>
12838	<blockquote cite="http://www.phpmyfaq.de/security/advisory-2016-04-11">
12839	  <p>The vulnerability exists because the application does not properly
12840	    verify the origin of HTTP requests in the "Interface Translation"
12841	    functionality. A remote unauthenticated attacker can create
12842	    a specially crafted malicious web page with a CSRF exploit, trick
12843	    a logged-in administrator into visiting the page, spoof the HTTP
12844	    request as if it were coming from the legitimate user, and inject
12845	    and execute arbitrary PHP code on the target system with the
12846	    privileges of the webserver.</p>
12847	</blockquote>
12848      </body>
12849    </description>
12850    <references>
12851      <url>http://www.phpmyfaq.de/security/advisory-2016-04-11</url>
12852      <url>https://www.htbridge.com/advisory/HTB23300</url>
12853    </references>
12854    <dates>
12855      <discovery>2016-04-11</discovery>
12856      <entry>2016-04-23</entry>
12857    </dates>
12858  </vuln>
12859
12860  <vuln vid="1b0d2938-0766-11e6-94fa-002590263bf5">
12861    <topic>libtasn1 -- denial of service parsing malicious DER certificates</topic>
12862    <affects>
12863      <package>
12864	<name>libtasn1</name>
12865	<range><lt>4.8</lt></range>
12866      </package>
12867    </affects>
12868    <description>
12869      <body xmlns="http://www.w3.org/1999/xhtml">
12870	<p>GNU Libtasn1 NEWS reports:</p>
12871	<blockquote cite="http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=blob_plain;f=NEWS;hb=e9bcdc86b920d72c9cffc2570d14eea2f6365b37">
12872	  <p>Fixes to avoid an infinite recursion when decoding without the
12873	    ASN1_DECODE_FLAG_STRICT_DER flag. Reported by Pascal Cuoq.</p>
12874	</blockquote>
12875      </body>
12876    </description>
12877    <references>
12878      <cvename>CVE-2016-4008</cvename>
12879      <url>http://www.openwall.com/lists/oss-security/2016/04/13/3</url>
12880      <url>http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=blob_plain;f=NEWS;hb=e9bcdc86b920d72c9cffc2570d14eea2f6365b37</url>
12881    </references>
12882    <dates>
12883      <discovery>2016-04-11</discovery>
12884      <entry>2016-04-21</entry>
12885    </dates>
12886  </vuln>
12887
12888  <vuln vid="e05bfc92-0763-11e6-94fa-002590263bf5">
12889    <topic>squid -- multiple vulnerabilities</topic>
12890    <affects>
12891      <package>
12892	<name>squid</name>
12893	<range><lt>3.5.17</lt></range>
12894      </package>
12895    </affects>
12896    <description>
12897      <body xmlns="http://www.w3.org/1999/xhtml">
12898	<p>Squid security advisory 2016:5 reports:</p>
12899	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_5.txt">
12900	  <p>Due to incorrect buffer management, the Squid cachemgr.cgi tool is
12901	    vulnerable to a buffer overflow when processing remotely supplied
12902	    inputs relayed to it from Squid.</p>
12903	  <p>This problem allows any client to seed the Squid manager reports
12904	    with data that will cause a buffer overflow when processed by the
12905	    cachemgr.cgi tool. However, this does require manual administrator
12906	    actions to take place, which greatly reduces the impact and
12907	    possible uses.</p>
12908	</blockquote>
12909	<p>Squid security advisory 2016:6 reports:</p>
12910	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_6.txt">
12911	  <p>Due to buffer overflow issues, Squid is vulnerable to a denial of
12912	    service attack when processing ESI responses. Due to incorrect input
12913	    validation, Squid is vulnerable to public information disclosure of
12914	    the server stack layout when processing ESI responses. Due to
12915	    incorrect input validation and buffer overflow, Squid is vulnerable
12916	    to remote code execution when processing ESI responses.</p>
12917	  <p>These problems allow ESI components to be used to perform a denial
12918	    of service attack on the Squid service and all other services on the
12919	    same machine. Under certain build conditions these problems allow
12920	    remote clients to view large sections of the server memory. However,
12921	    the bugs are exploitable only if you have built and configured the
12922	    ESI features to be used by a reverse-proxy and if the ESI components
12923	    being processed by Squid can be controlled by an attacker.</p>
12924	</blockquote>
12925      </body>
12926    </description>
12927    <references>
12928      <cvename>CVE-2016-4051</cvename>
12929      <cvename>CVE-2016-4052</cvename>
12930      <cvename>CVE-2016-4053</cvename>
12931      <cvename>CVE-2016-4054</cvename>
12932      <freebsdpr>ports/208939</freebsdpr>
12933      <url>http://www.squid-cache.org/Advisories/SQUID-2016_5.txt</url>
12934      <url>http://www.squid-cache.org/Advisories/SQUID-2016_6.txt</url>
12935    </references>
12936    <dates>
12937      <discovery>2016-04-20</discovery>
12938      <entry>2016-04-21</entry>
12939    </dates>
12940  </vuln>
12941
12942  <vuln vid="253c6889-06f0-11e6-925f-6805ca0b3d42">
12943    <topic>ansible -- use of predictable paths in lxc_container</topic>
12944    <affects>
12945      <package>
12946	<name>ansible</name>
12947	<range><ge>2.0.0.0</ge><lt>2.0.2.0</lt></range>
12948      </package>
12949      <package>
12950	<name>ansible1</name>
12951	<range><lt>1.9.6</lt></range>
12952      </package>
12953    </affects>
12954    <description>
12955      <body xmlns="http://www.w3.org/1999/xhtml">
12956	<p>Ansible developers report:</p>
12957	<blockquote cite="https://github.com/ansible/ansible-modules-extras/pull/1941/commits/8c6fe646ee79f5e55361b885b7efed5bec72d4a4">
12958	  <p>CVE-2016-3096: do not use predictable paths in lxc_container</p>
12959
12960	  <ul>
12961	    <li>do not use a predictable filename for the LXC attach
12962	      script</li>
12963	    <li>don't use predictable filenames for LXC attach script
12964	      logging</li>
12965	    <li>don't set a predictable archive_path</li>
12966	  </ul>
12967
12968	  <p>This should prevent symlink attacks which could result
12969	    in</p>
12970
12971	  <ul>
12972	    <li>data corruption</li>
12973	    <li>data leakage</li>
12974	    <li>privilege escalation</li>
12975	  </ul>
12976	</blockquote>
12977      </body>
12978    </description>
12979    <references>
12980      <cvename>CVE-2016-3096</cvename>
12981      <url>https://github.com/ansible/ansible-modules-extras/pull/1941/commits/8c6fe646ee79f5e55361b885b7efed5bec72d4a4</url>
12982      <url>https://bugzilla.redhat.com/show_bug.cgi?id=1322925</url>
12983    </references>
12984    <dates>
12985      <discovery>2016-04-02</discovery>
12986      <entry>2016-04-20</entry>
12987    </dates>
12988  </vuln>
12989
12990  <vuln vid="a733b5ca-06eb-11e6-817f-3085a9a4510d">
12991    <topic>proftpd -- vulnerability in mod_tls</topic>
12992    <affects>
12993      <package>
12994	<name>proftpd</name>
12995	<range><lt>1.3.5b</lt></range>
12996	<range><eq>1.3.6.r1</eq></range>
12997      </package>
12998    </affects>
12999    <description>
13000      <body xmlns="http://www.w3.org/1999/xhtml">
13001	<p>MITRE reports:</p>
13002	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3125">
13003	  <p>The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before
13004	   1.3.6rc2 does not properly handle the TLSDHParamFile directive, which
13005	   might cause a weaker than intended Diffie-Hellman (DH) key to be used
13006	   and consequently allow attackers to have unspecified impact via
13007	   unknown vectors.</p>
13008	</blockquote>
13009      </body>
13010    </description>
13011    <references>
13012      <cvename>CVE-2016-3125</cvename>
13013    </references>
13014    <dates>
13015      <discovery>2016-03-08</discovery>
13016      <entry>2016-04-20</entry>
13017    </dates>
13018  </vuln>
13019
13020  <vuln vid="6d8505f0-0614-11e6-b39c-00262d5ed8ee">
13021    <topic>chromium -- multiple vulnerabilities</topic>
13022    <affects>
13023      <package>
13024	<name>chromium</name>
13025	<name>chromium-npapi</name>
13026	<name>chromium-pulse</name>
13027	<range><lt>50.0.2661.75</lt></range>
13028      </package>
13029    </affects>
13030    <description>
13031      <body xmlns="http://www.w3.org/1999/xhtml">
13032	<p>Google Chrome Releases reports:</p>
13033	<blockquote cite="http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_13.html">
13034	  <p>20 security fixes in this release, including:</p>
13035	  <ul>
13036	    <li>[590275] High CVE-2016-1652: Universal XSS in extension
13037	      bindings. Credit to anonymous.</li>
13038	    <li>[589792] High CVE-2016-1653: Out-of-bounds write in V8. Credit
13039	      to Choongwoo Han.</li>
13040	    <li>[591785] Medium CVE-2016-1651: Out-of-bounds read in Pdfium
13041	      JPEG2000 decoding. Credit to kdot working with HP's Zero Day
13042	      Initiative.</li>
13043	    <li>[589512] Medium CVE-2016-1654: Uninitialized memory read in
13044	      media. Credit to Atte Kettunen of OUSPG.</li>
13045	    <li>[582008] Medium CVE-2016-1655: Use-after-free related to
13046	      extensions. Credit to Rob Wu.</li>
13047	    <li>[570750] Medium CVE-2016-1656: Android downloaded file path
13048	      restriction bypass. Credit to Dzmitry Lukyanenko.</li>
13049	    <li>[567445] Medium CVE-2016-1657: Address bar spoofing. Credit to
13050	      Luan Herrera.</li>
13051	    <li>[573317] Low CVE-2016-1658: Potential leak of sensitive
13052	      information to malicious extensions. Credit to Antonio Sanso
13053	      (@asanso) of Adobe.</li>
13054	    <li>[602697] CVE-2016-1659: Various fixes from internal audits,
13055	      fuzzing and other initiatives.</li>
13056	  </ul>
13057	</blockquote>
13058      </body>
13059    </description>
13060    <references>
13061      <cvename>CVE-2016-1651</cvename>
13062      <cvename>CVE-2016-1652</cvename>
13063      <cvename>CVE-2016-1653</cvename>
13064      <cvename>CVE-2016-1654</cvename>
13065      <cvename>CVE-2016-1655</cvename>
13066      <cvename>CVE-2016-1656</cvename>
13067      <cvename>CVE-2016-1657</cvename>
13068      <cvename>CVE-2016-1658</cvename>
13069      <cvename>CVE-2016-1659</cvename>
13070      <url>http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_13.html</url>
13071    </references>
13072    <dates>
13073      <discovery>2016-04-13</discovery>
13074      <entry>2016-04-19</entry>
13075    </dates>
13076  </vuln>
13077
13078  <vuln vid="976567f6-05c5-11e6-94fa-002590263bf5">
13079    <topic>hostapd and wpa_supplicant -- multiple vulnerabilities</topic>
13080    <affects>
13081      <package>
13082	<name>wpa_supplicant</name>
13083	<range><lt>2.5_1</lt></range>
13084      </package>
13085      <package>
13086	<name>hostapd</name>
13087	<range><lt>2.6</lt></range>
13088      </package>
13089    </affects>
13090    <description>
13091      <body xmlns="http://www.w3.org/1999/xhtml">
13092	<p>Jouni Malinen reports:</p>
13093	<blockquote cite="http://w1.fi/security/2015-6/wpa_supplicant-unauthorized-wnm-sleep-mode-gtk-control.txt">
13094	  <p>wpa_supplicant unauthorized WNM Sleep Mode GTK control. (2015-6 -
13095	    CVE-2015-5310)</p>
13096	</blockquote>
13097	<blockquote cite="http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt">
13098	  <p>EAP-pwd missing last fragment length validation. (2015-7 -
13099	    CVE-2015-5315)</p>
13100	</blockquote>
13101	<blockquote cite="http://w1.fi/security/2015-8/eap-pwd-unexpected-confirm.txt">
13102	  <p>EAP-pwd peer error path failure on unexpected Confirm message.
13103	    (2015-8 - CVE-2015-5316)</p>
13104	</blockquote>
13105      </body>
13106    </description>
13107    <references>
13108      <cvename>CVE-2015-5310</cvename>
13109      <cvename>CVE-2015-5315</cvename>
13110      <cvename>CVE-2015-5316</cvename>
13111      <freebsdpr>ports/208482</freebsdpr>
13112      <url>http://w1.fi/security/2015-6/wpa_supplicant-unauthorized-wnm-sleep-mode-gtk-control.txt</url>
13113      <url>http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt</url>
13114      <url>http://w1.fi/security/2015-8/eap-pwd-unexpected-confirm.txt</url>
13115    </references>
13116    <dates>
13117      <discovery>2015-11-10</discovery>
13118      <entry>2016-04-19</entry>
13119      <modified>2017-03-22</modified>
13120    </dates>
13121  </vuln>
13122
13123  <vuln vid="092156c9-04d7-11e6-b1ce-002590263bf5">
13124    <topic>dhcpcd -- remote code execution/denial of service</topic>
13125    <affects>
13126      <package>
13127	<name>dhcpcd</name>
13128	<range><lt>6.9.1</lt></range>
13129      </package>
13130    </affects>
13131    <description>
13132      <body xmlns="http://www.w3.org/1999/xhtml">
13133	<p>MITRE reports:</p>
13134	<blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7912">
13135	  <p>The get_option function in dhcp.c in dhcpcd before 6.2.0, as used
13136	    in dhcpcd 5.x in Android before 5.1 and other products, does not
13137	    validate the relationship between length fields and the amount of
13138	    data, which allows remote DHCP servers to execute arbitrary code or
13139	    cause a denial of service (memory corruption) via a large length
13140	    value of an option in a DHCPACK message.</p>
13141	</blockquote>
13142      </body>
13143    </description>
13144    <references>
13145      <cvename>CVE-2014-7912</cvename>
13146      <url>http://roy.marples.name/projects/dhcpcd/info/d71cfd8aa203bffe</url>
13147    </references>
13148    <dates>
13149      <discovery>2015-06-19</discovery>
13150      <entry>2016-04-17</entry>
13151    </dates>
13152  </vuln>
13153
13154  <vuln vid="6ec9f210-0404-11e6-9aee-bc5ff4fb5ea1">
13155    <topic>dhcpcd -- remote code execution/denial of service</topic>
13156    <affects>
13157      <package>
13158	<name>dhcpcd</name>
13159	<range><lt>6.10.2</lt></range>
13160      </package>
13161    </affects>
13162    <description>
13163      <body xmlns="http://www.w3.org/1999/xhtml">
13164	<p>MITRE reports:</p>
13165	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7913">
13166	  <p>The print_option function in dhcp-common.c in dhcpcd through 6.9.1,
13167	    as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other
13168	    products, misinterprets the return value of the snprintf function,
13169	    which allows remote DHCP servers to execute arbitrary code or cause
13170	    a denial of service (memory corruption) via a crafted message.</p>
13171	</blockquote>
13172      </body>
13173    </description>
13174    <references>
13175      <cvename>CVE-2014-7913</cvename>
13176      <freebsdpr>ports/208702</freebsdpr>
13177      <url>http://roy.marples.name/projects/dhcpcd/info/528541c4c619520e</url>
13178    </references>
13179    <dates>
13180      <discovery>2016-01-22</discovery>
13181      <entry>2016-04-17</entry>
13182    </dates>
13183  </vuln>
13184
13185  <vuln vid="e21474c6-031a-11e6-aa86-001999f8d30b">
13186    <topic>PJSIP -- TCP denial of service in PJProject</topic>
13187    <affects>
13188      <package>
13189	<name>pjsip</name>
13190	<range><le>2.4.5</le></range>
13191      </package>
13192      <package>
13193	<name>pjsip-extsrtp</name>
13194	<range><le>2.4.5</le></range>
13195      </package>
13196    </affects>
13197    <description>
13198      <body xmlns="http://www.w3.org/1999/xhtml">
13199	<p>The Asterisk project reports:</p>
13200	<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
13201	  <p>PJProject has a limit on the number of TCP connections
13202	  that it can accept. Furthermore, PJProject does not close
13203	  TCP connections it accepts. By default, this value is
13204	  approximately 60.</p>
13205	  <p>An attacker can deplete the number of allowed TCP
13206	  connections by opening TCP connections and sending no
13207	  data to Asterisk.</p>
13208	  <p>If PJProject has been compiled in debug mode, then
13209	  once the number of allowed TCP connections has been
13210	  depleted, the next attempted TCP connection to Asterisk
13211	  will crash due to an assertion in PJProject.</p>
13212	  <p>If PJProject has not been compiled in debug mode, then
13213	  any further TCP connection attempts will be rejected.
13214	  This makes Asterisk unable to process TCP SIP traffic.</p>
13215	  <p>Note that this only affects TCP/TLS, since UDP is
13216	  connectionless.</p>
13217	</blockquote>
13218      </body>
13219    </description>
13220    <references>
13221      <url>http://downloads.asterisk.org/pub/security/AST-2016-005.html</url>
13222    </references>
13223    <dates>
13224      <discovery>2016-02-15</discovery>
13225      <entry>2016-04-15</entry>
13226    </dates>
13227  </vuln>
13228
13229  <vuln vid="ee50726e-0319-11e6-aa86-001999f8d30b">
13230    <topic>asterisk -- Long Contact URIs in REGISTER requests can crash Asterisk</topic>
13231    <affects>
13232      <package>
13233	<name>asterisk13</name>
13234	<range><lt>13.8.1</lt></range>
13235      </package>
13236    </affects>
13237    <description>
13238      <body xmlns="http://www.w3.org/1999/xhtml">
13239	<p>The Asterisk project reports:</p>
13240	<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
13241	  <p>Asterisk may crash when processing an incoming REGISTER
13242	  request if that REGISTER contains a Contact header with
13243	  a lengthy URI.</p>
13244	  <p>This crash will only happen for requests that pass
13245	  authentication. Unauthenticated REGISTER requests will
13246	  not result in a crash occurring.</p>
13247	  <p>This vulnerability only affects Asterisk when using
13248	  PJSIP as its SIP stack. The chan_sip module does not have
13249	  this problem.</p>
13250	</blockquote>
13251      </body>
13252    </description>
13253    <references>
13254      <url>http://downloads.asterisk.org/pub/security/AST-2016-004.html</url>
13255    </references>
13256    <dates>
13257      <discovery>2016-01-19</discovery>
13258      <entry>2016-04-15</entry>
13259    </dates>
13260  </vuln>
13261
13262  <vuln vid="f2217cdf-01e4-11e6-b1ce-002590263bf5">
13263    <topic>go -- remote denial of service</topic>
13264    <affects>
13265      <package>
13266	<name>go</name>
13267	<range><lt>1.6.1,1</lt></range>
13268      </package>
13269    </affects>
13270    <description>
13271      <body xmlns="http://www.w3.org/1999/xhtml">
13272	<p>Jason Buberel reports:</p>
13273	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/04/05/2">
13274	  <p>Go has an infinite loop in several big integer routines that makes
13275	    Go programs vulnerable to remote denial of service attacks. Programs
13276	    using HTTPS client authentication or the Go ssh server libraries are
13277	    both exposed to this vulnerability.</p>
13278	</blockquote>
13279      </body>
13280    </description>
13281    <references>
13282      <cvename>CVE-2016-3959</cvename>
13283      <url>http://www.openwall.com/lists/oss-security/2016/04/05/2</url>
13284      <url>https://golang.org/cl/21533</url>
13285    </references>
13286    <dates>
13287      <discovery>2016-04-05</discovery>
13288      <entry>2016-04-14</entry>
13289    </dates>
13290  </vuln>
13291
13292  <vuln vid="a636fc26-00d9-11e6-b704-000c292e4fd8">
13293    <topic>samba -- multiple vulnerabilities</topic>
13294    <affects>
13295      <package>
13296	<name>samba36</name>
13297	<range><ge>3.6.0</ge><le>3.6.25_3</le></range>
13298      </package>
13299      <package>
13300	<name>samba4</name>
13301	<range><ge>4.0.0</ge><le>4.0.26</le></range>
13302      </package>
13303      <package>
13304	<name>samba41</name>
13305	<range><ge>4.1.0</ge><le>4.1.23</le></range>
13306      </package>
13307      <package>
13308	<name>samba42</name>
13309	<range><ge>4.2.0</ge><lt>4.2.11</lt></range>
13310      </package>
13311      <package>
13312	<name>samba43</name>
13313	<range><ge>4.3.0</ge><lt>4.3.8</lt></range>
13314      </package>
13315      <package>
13316	<name>samba44</name>
13317	<range><ge>4.4.0</ge><lt>4.4.2</lt></range>
13318      </package>
13319    </affects>
13320    <description>
13321      <body xmlns="http://www.w3.org/1999/xhtml">
13322	<p>Samba team reports:</p>
13323	<blockquote cite="https://www.samba.org/samba/latest_news.html#4.4.2">
13324	  <p>[CVE-2015-5370] Errors in Samba DCE-RPC code can lead to denial of service
13325	   (crashes and high CPU consumption) and man in the middle attacks.</p>
13326	  <p>[CVE-2016-2110] The feature negotiation of NTLMSSP is not downgrade protected.
13327	   A man in the middle is able to clear even required flags, especially
13328	   NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL.</p>
13329	  <p>[CVE-2016-2111] When Samba is configured as a Domain Controller, it allows remote
13330	   attackers to spoof the computer name of a secure channel's endpoints, and obtain
13331	   sensitive session information, by running a crafted application and leveraging
13332	   the ability to sniff network traffic.</p>
13333	  <p>[CVE-2016-2112] A man in the middle is able to downgrade LDAP connections
13334	   to no integrity protection.</p>
13335	  <p>[CVE-2016-2113] Man in the middle attacks are possible for client triggered LDAP
13336	   connections (with ldaps://) and ncacn_http connections (with https://).</p>
13337	  <p>[CVE-2016-2114] Due to a bug, Samba doesn't enforce required SMB signing, even if explicitly configured.</p>
13338	  <p>[CVE-2016-2115] The protection of DCERPC communication over ncacn_np (which is
13339	   the default for most of the file server related protocols) is inherited from the underlying SMB connection.</p>
13340	  <p>[CVE-2016-2118] a.k.a. BADLOCK. A man in the middle can intercept any DCERPC traffic
13341	   between a client and a server in order to impersonate the client and get the same privileges
13342	   as the authenticated user account. This is most problematic against Active Directory domain controllers.</p>
13343	</blockquote>
13344      </body>
13345    </description>
13346    <references>
13347      <cvename>CVE-2015-5370</cvename>
13348      <url>https://www.samba.org/samba/security/CVE-2015-5370.html</url>
13349      <cvename>CVE-2016-2110</cvename>
13350      <url>https://www.samba.org/samba/security/CVE-2016-2110.html</url>
13351      <cvename>CVE-2016-2111</cvename>
13352      <url>https://www.samba.org/samba/security/CVE-2016-2111.html</url>
13353      <cvename>CVE-2016-2112</cvename>
13354      <url>https://www.samba.org/samba/security/CVE-2016-2112.html</url>
13355      <cvename>CVE-2016-2113</cvename>
13356      <url>https://www.samba.org/samba/security/CVE-2016-2113.html</url>
13357      <cvename>CVE-2016-2114</cvename>
13358      <url>https://www.samba.org/samba/security/CVE-2016-2114.html</url>
13359      <cvename>CVE-2016-2115</cvename>
13360      <url>https://www.samba.org/samba/security/CVE-2016-2115.html</url>
13361      <cvename>CVE-2016-2118</cvename>
13362      <url>https://www.samba.org/samba/security/CVE-2016-2118.html</url>
13363    </references>
13364    <dates>
13365      <discovery>2016-04-12</discovery>
13366      <entry>2016-04-12</entry>
13367      <modified>2016-04-12</modified>
13368    </dates>
13369  </vuln>
13370
13371  <vuln vid="482d40cb-f9a3-11e5-92ce-002590263bf5">
13372    <topic>php -- multiple vulnerabilities</topic>
13373    <affects>
13374      <package>
13375	<name>php70</name>
13376	<name>php70-fileinfo</name>
13377	<name>php70-mbstring</name>
13378	<name>php70-phar</name>
13379	<name>php70-snmp</name>
13380	<range><lt>7.0.5</lt></range>
13381      </package>
13382      <package>
13383	<name>php56</name>
13384	<name>php56-fileinfo</name>
13385	<name>php56-mbstring</name>
13386	<name>php56-phar</name>
13387	<name>php56-snmp</name>
13388	<range><lt>5.6.20</lt></range>
13389      </package>
13390      <package>
13391	<name>php55</name>
13392	<name>php55-fileinfo</name>
13393	<name>php55-mbstring</name>
13394	<name>php55-phar</name>
13395	<name>php55-snmp</name>
13396	<range><lt>5.5.34</lt></range>
13397      </package>
13398    </affects>
13399    <description>
13400      <body xmlns="http://www.w3.org/1999/xhtml">
13401	<p>The PHP Group reports:</p>
13402	<blockquote cite="http://php.net/ChangeLog-7.php#7.0.5">
13403	  <ul><li>Fileinfo:
13404	  <ul>
13405	    <li>Fixed bug #71527 (Buffer over-write in finfo_open with
13406	      malformed magic file).</li>
13407	  </ul></li>
13408	  <li>mbstring:
13409	  <ul>
13410	    <li>Fixed bug #71906 (AddressSanitizer: negative-size-param (-1)
13411	      in mbfl_strcut).</li>
13412	  </ul></li>
13413	  <li>Phar:
13414	  <ul>
13415	    <li>Fixed bug #71860 (Invalid memory write in phar on filename with
13416	      \0 in name).</li>
13417	  </ul></li>
13418	  <li>SNMP:
13419	  <ul>
13420	    <li>Fixed bug #71704 (php_snmp_error() Format String Vulnerability).
13421	      </li>
13422	  </ul></li>
13423	  <li>Standard:
13424	  <ul>
13425	    <li>Fixed bug #71798 (Integer Overflow in php_raw_url_encode).</li>
13426	  </ul></li>
13427	  </ul>
13428	</blockquote>
13429      </body>
13430    </description>
13431    <references>
13432      <freebsdpr>ports/208465</freebsdpr>
13433      <url>http://php.net/ChangeLog-7.php#7.0.5</url>
13434      <url>http://php.net/ChangeLog-5.php#5.6.20</url>
13435      <url>http://php.net/ChangeLog-5.php#5.5.34</url>
13436    </references>
13437    <dates>
13438      <discovery>2016-03-31</discovery>
13439      <entry>2016-04-03</entry>
13440    </dates>
13441  </vuln>
13442
13443  <vuln vid="497b82e0-f9a0-11e5-92ce-002590263bf5">
13444    <topic>pcre -- heap overflow vulnerability</topic>
13445    <affects>
13446      <package>
13447	<name>pcre</name>
13448	<range><lt>8.38_1</lt></range>
13449      </package>
13450    </affects>
13451    <description>
13452      <body xmlns="http://www.w3.org/1999/xhtml">
13453	<p>Mitre reports:</p>
13454	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1283">
13455	  <p>The pcre_compile2 function in pcre_compile.c in PCRE 8.38
13456	    mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'&lt;((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/
13457	    pattern and related patterns with named subgroups, which allows
13458	    remote attackers to cause a denial of service (heap-based buffer
13459	    overflow) or possibly have unspecified other impact via a crafted
13460	    regular expression, as demonstrated by a JavaScript RegExp object
13461	    encountered by Konqueror.</p>
13462	</blockquote>
13463      </body>
13464    </description>
13465    <references>
13466      <cvename>CVE-2016-1283</cvename>
13467      <freebsdpr>ports/208260</freebsdpr>
13468      <url>https://bugs.exim.org/show_bug.cgi?id=1767</url>
13469    </references>
13470    <dates>
13471      <discovery>2016-02-27</discovery>
13472      <entry>2016-04-03</entry>
13473    </dates>
13474  </vuln>
13475
13476  <vuln vid="df328fac-f942-11e5-92ce-002590263bf5">
13477    <topic>py-djblets -- Self-XSS vulnerability</topic>
13478    <affects>
13479      <package>
13480	<name>py27-djblets</name>
13481	<name>py32-djblets</name>
13482	<name>py33-djblets</name>
13483	<name>py34-djblets</name>
13484	<name>py35-djblets</name>
13485	<range><lt>0.9.2</lt></range>
13486      </package>
13487    </affects>
13488    <description>
13489      <body xmlns="http://www.w3.org/1999/xhtml">
13490	<p>Djblets Release Notes reports:</p>
13491	<blockquote cite="https://www.reviewboard.org/docs/releasenotes/djblets/0.9.2/">
13492	  <p>A recently-discovered vulnerability in the datagrid templates allows an
13493	    attacker to generate a URL to any datagrid page containing malicious code
13494	    in a column sorting value. If the user visits that URL and then clicks
13495	    that column, the code will execute.</p>
13496	  <p>The cause of the vulnerability was due to a template not escaping
13497	    user-provided values.</p>
13498	</blockquote>
13499      </body>
13500    </description>
13501    <references>
13502      <url>https://www.reviewboard.org/docs/releasenotes/djblets/0.9.2/</url>
13503    </references>
13504    <dates>
13505      <discovery>2016-03-01</discovery>
13506      <entry>2016-04-03</entry>
13507    </dates>
13508  </vuln>
13509
13510  <vuln vid="a430e15d-f93f-11e5-92ce-002590263bf5">
13511    <topic>moodle -- multiple vulnerabilities</topic>
13512    <affects>
13513      <package>
13514	<name>moodle28</name>
13515	<range><lt>2.8.11</lt></range>
13516      </package>
13517      <package>
13518	<name>moodle29</name>
13519	<range><lt>2.9.5</lt></range>
13520      </package>
13521      <package>
13522	<name>moodle30</name>
13523	<range><lt>3.0.3</lt></range>
13524      </package>
13525    </affects>
13526    <description>
13527      <body xmlns="http://www.w3.org/1999/xhtml">
13528	<p>Marina Glancy reports:</p>
13529	<blockquote cite="https://moodle.org/security/">
13530	  <ul>
13531	    <li><p>MSA-16-0003: Incorrect capability check when displaying
13532	    users emails in Participants list</p></li>
13533	    <li><p>MSA-16-0004: XSS from profile fields from external db</p>
13534	    </li>
13535	    <li><p>MSA-16-0005: Reflected XSS in mod_data advanced search</p>
13536	    </li>
13537	    <li><p>MSA-16-0006: Hidden courses are shown to students in Event
13538	    Monitor</p></li>
13539	    <li><p>MSA-16-0007: Non-Editing Instructor role can edit exclude
13540	    checkbox in Single View</p></li>
13541	    <li><p>MSA-16-0008: External function get_calendar_events returns
13542	    events that pertain to hidden activities</p></li>
13543	    <li><p>MSA-16-0009: CSRF in Assignment plugin management page</p>
13544	    </li>
13545	    <li><p>MSA-16-0010: Enumeration of category details possible without
13546	    authentication</p></li>
13547	    <li><p>MSA-16-0011: Add no referrer to links with _blank target
13548	    attribute</p></li>
13549	    <li><p>MSA-16-0012: External function mod_assign_save_submission
13550	    does not check due dates</p></li>
13551	  </ul>
13552	</blockquote>
13553      </body>
13554    </description>
13555    <references>
13556      <cvename>CVE-2016-2151</cvename>
13557      <cvename>CVE-2016-2152</cvename>
13558      <cvename>CVE-2016-2153</cvename>
13559      <cvename>CVE-2016-2154</cvename>
13560      <cvename>CVE-2016-2155</cvename>
13561      <cvename>CVE-2016-2156</cvename>
13562      <cvename>CVE-2016-2157</cvename>
13563      <cvename>CVE-2016-2158</cvename>
13564      <cvename>CVE-2016-2190</cvename>
13565      <cvename>CVE-2016-2159</cvename>
13566      <url>https://moodle.org/security/</url>
13567    </references>
13568    <dates>
13569      <discovery>2016-03-21</discovery>
13570      <entry>2016-04-03</entry>
13571    </dates>
13572  </vuln>
13573
13574  <vuln vid="297117ba-f92d-11e5-92ce-002590263bf5">
13575    <topic>squid -- multiple vulnerabilities</topic>
13576    <affects>
13577      <package>
13578	<name>squid</name>
13579	<range><lt>3.5.16</lt></range>
13580      </package>
13581    </affects>
13582    <description>
13583      <body xmlns="http://www.w3.org/1999/xhtml">
13584	<p>Squid security advisory 2016:3 reports:</p>
13585	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_3.txt">
	  <p>Due to a buffer overrun, the Squid pinger binary is vulnerable to
	    a denial of service or information leak attack when processing
	    ICMPv6 packets.</p>
	  <p>This bug also permits the server response to manipulate the
	    processing of other ICMP and ICMPv6 queries to cause an information leak.</p>
13591	  <p>This bug allows any remote server to perform a denial of service
13592	    attack on the Squid service by crashing the pinger. This may
13593	    affect Squid HTTP routing decisions. In some configurations,
13594	    sub-optimal routing decisions may result in serious service
13595	    degradation or even transaction failures.</p>
	  <p>If the system does not contain buffer-overrun protection leading
	    to that crash, this bug will instead allow attackers to leak
	    arbitrary amounts of information from the heap into Squid log
	    files. This is of higher importance than usual because the pinger
	    process operates with root privileges.</p>
13601	</blockquote>
13602	<p>Squid security advisory 2016:4 reports:</p>
13603	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_4.txt">
13604	  <p>Due to incorrect bounds checking Squid is vulnerable to a denial
13605	    of service attack when processing HTTP responses.</p>
13606	  <p>This problem allows a malicious client script and remote server
13607	    delivering certain unusual HTTP response syntax to trigger a
13608	    denial of service for all clients accessing the Squid service.</p>
13609	</blockquote>
13610      </body>
13611    </description>
13612    <references>
13613      <cvename>CVE-2016-3947</cvename>
13614      <cvename>CVE-2016-3948</cvename>
13615      <freebsdpr>ports/208463</freebsdpr>
13616      <url>http://www.squid-cache.org/Advisories/SQUID-2016_3.txt</url>
13617      <url>http://www.squid-cache.org/Advisories/SQUID-2016_4.txt</url>
13618    </references>
13619    <dates>
13620      <discovery>2016-03-28</discovery>
13621      <entry>2016-04-02</entry>
13622    </dates>
13623  </vuln>
13624
13625  <vuln vid="97a24d2e-f74c-11e5-8458-6cc21735f730">
    <topic>PostgreSQL -- minor security problems</topic>
13627    <affects>
13628      <package>
13629	<name>postgresql95-server</name>
13630	<name>postgresql95-contrib</name>
13631	<range><ge>9.5.0</ge><lt>9.5.2</lt></range>
13632      </package>
13633    </affects>
13634    <description>
13635      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The PostgreSQL project reports:</p>
13637	<blockquote cite="http://www.postgresql.org/about/news/1656/">
13638	  <p>Security Fixes for RLS, BRIN</p>
	  <p>This release closes security hole CVE-2016-2193
	    (https://access.redhat.com/security/cve/CVE-2016-2193), where a query
	    plan might get reused for more than one ROLE in the same session.
	    This could cause the wrong set of Row Level Security (RLS) policies to
	    be used for the query.</p>
	  <p>The update also fixes CVE-2016-3065
	    (https://access.redhat.com/security/cve/CVE-2016-3065), a server crash
	    bug triggered by using `pageinspect` with BRIN index pages. Since an
	    attacker might be able to expose a few bytes of server memory, this
	    crash is being treated as a security issue.</p>
13651	</blockquote>
13652      </body>
13653    </description>
13654    <references>
13655      <cvename>CVE-2016-2193</cvename>
13656      <cvename>CVE-2016-3065</cvename>
13657    </references>
13658    <dates>
13659      <discovery>2016-03-01</discovery>
13660      <entry>2016-03-31</entry>
13661    </dates>
13662  </vuln>
13663
13664  <vuln vid="f7b3d1eb-f738-11e5-a710-0011d823eebd">
13665    <topic>flash -- multiple vulnerabilities</topic>
13666    <affects>
13667      <package>
13668	<name>linux-c6-flashplugin</name>
13669	<name>linux-f10-flashplugin</name>
13670	<name>linux-c6_64-flashplugin</name>
13671	<range><lt>11.2r202.577</lt></range>
13672      </package>
13673    </affects>
13674    <description>
13675      <body xmlns="http://www.w3.org/1999/xhtml">
13676	<p>Adobe reports:</p>
13677	<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-08.html">
13678	  <p>These updates resolve integer overflow vulnerabilities that
13679	    could lead to code execution (CVE-2016-0963, CVE-2016-0993,
13680	    CVE-2016-1010).</p>
13681	  <p>These updates resolve use-after-free vulnerabilities that could
13682	    lead to code execution (CVE-2016-0987, CVE-2016-0988,
13683	    CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995,
13684	    CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999,
13685	    CVE-2016-1000).</p>
13686	  <p>These updates resolve a heap overflow vulnerability that could
13687	    lead to code execution (CVE-2016-1001).</p>
13688	  <p>These updates resolve memory corruption vulnerabilities that
13689	    could lead to code execution (CVE-2016-0960, CVE-2016-0961,
13690	    CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992,
13691	    CVE-2016-1002, CVE-2016-1005).</p>
13692	</blockquote>
13693      </body>
13694    </description>
13695    <references>
13696      <cvename>CVE-2016-0960</cvename>
13697      <cvename>CVE-2016-0961</cvename>
13698      <cvename>CVE-2016-0962</cvename>
13699      <cvename>CVE-2016-0963</cvename>
13700      <cvename>CVE-2016-0986</cvename>
13701      <cvename>CVE-2016-0987</cvename>
13702      <cvename>CVE-2016-0988</cvename>
13703      <cvename>CVE-2016-0989</cvename>
13704      <cvename>CVE-2016-0990</cvename>
13705      <cvename>CVE-2016-0991</cvename>
13706      <cvename>CVE-2016-0992</cvename>
13707      <cvename>CVE-2016-0993</cvename>
13708      <cvename>CVE-2016-0994</cvename>
13709      <cvename>CVE-2016-0995</cvename>
13710      <cvename>CVE-2016-0996</cvename>
13711      <cvename>CVE-2016-0997</cvename>
13712      <cvename>CVE-2016-0998</cvename>
13713      <cvename>CVE-2016-0999</cvename>
13714      <cvename>CVE-2016-1000</cvename>
13715      <cvename>CVE-2016-1001</cvename>
13716      <cvename>CVE-2016-1002</cvename>
13717      <cvename>CVE-2016-1005</cvename>
13718      <cvename>CVE-2016-1010</cvename>
13719      <url>https://helpx.adobe.com/security/products/flash-player/apsb16-08.html</url>
13720    </references>
13721    <dates>
13722      <discovery>2016-03-10</discovery>
13723      <entry>2016-03-31</entry>
13724    </dates>
13725  </vuln>
13726
13727  <vuln vid="4cd9b19f-f66d-11e5-b94c-001999f8d30b">
13728    <topic>Multiple vulnerabilities in Botan</topic>
13729    <affects>
13730      <package>
13731	<name>botan110</name>
13732	<range><lt>1.10.11</lt></range>
13733      </package>
13734    </affects>
13735    <description>
13736      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The Botan developers report:</p>
13738	<blockquote cite="http://botan.randombit.net/security.html">
	  <p>Infinite loop in modular square root algorithm - The ressol function, which implements the Tonelli-Shanks algorithm for finding square roots, could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, as this algorithm is only defined for primes. This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression.</p>
13740	  <p>Heap overflow on invalid ECC point - The PointGFp constructor did not check that the affine coordinate arguments were less than the prime, but then in curve multiplication assumed that both arguments if multiplied would fit into an integer twice the size of the prime.</p>
13741	  <p>The bigint_mul and bigint_sqr functions received the size of the output buffer, but only used it to dispatch to a faster algorithm in cases where there was sufficient output space to call an unrolled multiplication function.</p>
13742	  <p>The result is a heap overflow accessible via ECC point decoding, which accepted untrusted inputs. This is likely exploitable for remote code execution.</p>
13743	  <p>On systems which use the mlock pool allocator, it would allow an attacker to overwrite memory held in secure_vector objects. After this point the write will hit the guard page at the end of the mmapped region so it probably could not be used for code execution directly, but would allow overwriting adjacent key material.</p>
13744	</blockquote>
13745      </body>
13746    </description>
13747    <references>
13748      <url>http://botan.randombit.net/security.html</url>
13749      <cvename>CVE-2016-2194</cvename>
13750      <cvename>CVE-2016-2195</cvename>
13751    </references>
13752    <dates>
13753      <discovery>2016-02-01</discovery>
13754      <entry>2016-03-31</entry>
13755    </dates>
13756  </vuln>
13757
13758  <vuln vid="2004616d-f66c-11e5-b94c-001999f8d30b">
13759    <topic>Botan BER Decoder vulnerabilities</topic>
13760    <affects>
13761      <package>
13762	<name>botan110</name>
13763	<range><lt>1.10.10</lt></range>
13764      </package>
13765    </affects>
13766    <description>
13767      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The Botan developers report:</p>
13769	<blockquote cite="http://botan.randombit.net/">
13770	  <p>Excess memory allocation in BER decoder - The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer.</p>
13771	  <p>Crash in BER decoder - The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be used to easily crash applications reading untrusted ASN.1 data, but does not seem exploitable for code execution.</p>
13772	</blockquote>
13773      </body>
13774    </description>
13775    <references>
13776      <url>http://botan.randombit.net/security.html</url>
13777      <cvename>CVE-2015-5726</cvename>
13778      <cvename>CVE-2015-5727</cvename>
13779    </references>
13780    <dates>
13781      <discovery>2015-08-03</discovery>
13782      <entry>2016-03-31</entry>
13783    </dates>
13784  </vuln>
13785
13786  <vuln vid="e1085b15-f609-11e5-a230-0014a5a57822">
13787    <topic>mercurial -- multiple vulnerabilities</topic>
13788    <affects>
13789      <package>
13790	<name>mercurial</name>
13791	<range><lt>2.7.3</lt></range>
13792      </package>
13793    </affects>
13794    <description>
13795      <body xmlns="http://www.w3.org/1999/xhtml">
13796	<p>Mercurial reports:</p>
13797	<blockquote cite="https://www.mercurial-scm.org/pipermail/mercurial/2016-March/049452.html">
13798	  <p>CVE-2016-3630: Remote code execution in binary delta decoding</p>
13799	  <p>CVE-2016-3068: Arbitrary code execution with Git subrepos</p>
13800	  <p>CVE-2016-3069: Arbitrary code execution when converting
13801	    Git repos</p>
13802	</blockquote>
13803      </body>
13804    </description>
13805    <references>
13806      <cvename>CVE-2016-3630</cvename>
13807      <cvename>CVE-2016-3068</cvename>
13808      <cvename>CVE-2016-3069</cvename>
13809      <url>https://www.mercurial-scm.org/pipermail/mercurial/2016-March/049452.html</url>
13810    </references>
13811    <dates>
13812      <discovery>2016-03-29</discovery>
13813      <entry>2016-03-29</entry>
13814    </dates>
13815  </vuln>
13816
13817  <vuln vid="8be8ca39-ae70-4422-bf1a-d8fae6911c5e">
13818    <topic>chromium -- multiple vulnerabilities</topic>
13819    <affects>
13820      <package>
13821	<name>chromium</name>
13822	<name>chromium-npapi</name>
13823	<name>chromium-pulse</name>
13824	<range><lt>49.0.2623.108</lt></range>
13825      </package>
13826    </affects>
13827    <description>
13828      <body xmlns="http://www.w3.org/1999/xhtml">
13829	<p>Google Chrome Releases reports:</p>
13830	<blockquote cite="http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_24.html">
13831	  <p>[594574] High CVE-2016-1646: Out-of-bounds read in V8.</p>
13832	  <p>[590284] High CVE-2016-1647: Use-after-free in Navigation.</p>
13833	  <p>[590455] High CVE-2016-1648: Use-after-free in Extensions.</p>
13834	  <p>[597518] CVE-2016-1650: Various fixes from internal audits,
13835	    fuzzing and other initiatives.</p>
13836	  <p>Multiple vulnerabilities in V8 fixed at the tip of the
13837	    4.9 branch</p>
13838	</blockquote>
13839      </body>
13840    </description>
13841    <references>
13842      <cvename>CVE-2016-1646</cvename>
13843      <cvename>CVE-2016-1647</cvename>
13844      <cvename>CVE-2016-1648</cvename>
13845      <cvename>CVE-2016-1649</cvename>
13846      <cvename>CVE-2016-1650</cvename>
13847      <url>http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_24.html</url>
13848    </references>
13849    <dates>
13850      <discovery>2016-03-24</discovery>
13851      <entry>2016-03-29</entry>
13852    </dates>
13853  </vuln>
13854
13855  <vuln vid="5c288f68-c7ca-4c0d-b7dc-1ec6295200b3">
13856    <topic>chromium -- multiple vulnerabilities</topic>
13857    <affects>
13858      <package>
13859	<name>chromium</name>
13860	<name>chromium-npapi</name>
13861	<name>chromium-pulse</name>
13862	<range><lt>49.0.2623.87</lt></range>
13863      </package>
13864    </affects>
13865    <description>
13866      <body xmlns="http://www.w3.org/1999/xhtml">
13867	<p>Google Chrome Releases reports:</p>
13868	<blockquote cite="http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_8.html">
13869	  <p>[589838] High CVE-2016-1643: Type confusion in Blink.</p>
13870	  <p>[590620] High CVE-2016-1644: Use-after-free in Blink.</p>
13871	  <p>[587227] High CVE-2016-1645: Out-of-bounds write in PDFium.</p>
13872	</blockquote>
13873      </body>
13874    </description>
13875    <references>
13876      <cvename>CVE-2016-1643</cvename>
13877      <cvename>CVE-2016-1644</cvename>
13878      <cvename>CVE-2016-1645</cvename>
13879      <url>http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_8.html</url>
13880    </references>
13881    <dates>
13882      <discovery>2016-03-08</discovery>
13883      <entry>2016-03-29</entry>
13884    </dates>
13885  </vuln>
13886
13887  <vuln vid="cd409df7-f483-11e5-92ce-002590263bf5">
13888    <topic>bind -- denial of service vulnerability</topic>
13889    <affects>
13890      <package>
13891	<name>bind910</name>
13892	<range><ge>9.10.0</ge><lt>9.10.3P4</lt></range>
13893      </package>
13894      <package>
13895	<name>bind9-devel</name>
13896	<range><lt>9.11.0.a20160309</lt></range>
13897      </package>
13898    </affects>
13899    <description>
13900      <body xmlns="http://www.w3.org/1999/xhtml">
13901	<p>ISC reports:</p>
13902	<blockquote cite="https://kb.isc.org/article/AA-01351">
13903	  <p>A response containing multiple DNS cookies causes servers with
13904	    cookie support enabled to exit with an assertion failure.</p>
13905	</blockquote>
13906      </body>
13907    </description>
13908    <references>
13909      <cvename>CVE-2016-2088</cvename>
13910      <url>https://kb.isc.org/article/AA-01351</url>
13911    </references>
13912    <dates>
13913      <discovery>2016-03-09</discovery>
13914      <entry>2016-03-28</entry>
13915    </dates>
13916  </vuln>
13917
13918  <vuln vid="cba246d2-f483-11e5-92ce-002590263bf5">
13919    <topic>bind -- denial of service vulnerability</topic>
13920    <affects>
13921      <package>
13922	<name>bind98</name>
13923	<range><le>9.8.8</le></range>
13924      </package>
13925      <package>
13926	<name>bind99</name>
13927	<range><ge>9.9.0</ge><lt>9.9.8P4</lt></range>
13928      </package>
13929      <package>
13930	<name>bind910</name>
13931	<range><ge>9.10.0</ge><lt>9.10.3P4</lt></range>
13932      </package>
13933      <package>
13934	<name>bind9-devel</name>
13935	<range><lt>9.11.0.a20160309</lt></range>
13936      </package>
13937      <package>
13938	<name>FreeBSD</name>
13939	<range><ge>9.3</ge><lt>9.3_38</lt></range>
13940      </package>
13941    </affects>
13942    <description>
13943      <body xmlns="http://www.w3.org/1999/xhtml">
13944	<p>ISC reports:</p>
13945	<blockquote cite="https://kb.isc.org/article/AA-01353">
	  <p>A problem parsing resource record signatures for DNAME resource
	    records can lead to an assertion failure in resolver.c or db.c.</p>
13948	</blockquote>
13949      </body>
13950    </description>
13951    <references>
13952      <cvename>CVE-2016-1286</cvename>
13953      <freebsdsa>SA-16:13.bind</freebsdsa>
13954      <url>https://kb.isc.org/article/AA-01353</url>
13955    </references>
13956    <dates>
13957      <discovery>2016-03-09</discovery>
13958      <entry>2016-03-28</entry>
13959      <modified>2016-08-09</modified>
13960    </dates>
13961  </vuln>
13962
13963  <vuln vid="c9075321-f483-11e5-92ce-002590263bf5">
13964    <topic>bind -- denial of service vulnerability</topic>
13965    <affects>
13966      <package>
13967	<name>bind98</name>
13968	<range><le>9.8.8</le></range>
13969      </package>
13970      <package>
13971	<name>bind99</name>
13972	<range><ge>9.9.0</ge><lt>9.9.8P4</lt></range>
13973      </package>
13974      <package>
13975	<name>bind910</name>
13976	<range><ge>9.10.0</ge><lt>9.10.3P4</lt></range>
13977      </package>
13978      <package>
13979	<name>bind9-devel</name>
13980	<range><lt>9.11.0.a20160309</lt></range>
13981      </package>
13982      <package>
13983	<name>FreeBSD</name>
13984	<range><ge>9.3</ge><lt>9.3_38</lt></range>
13985      </package>
13986    </affects>
13987    <description>
13988      <body xmlns="http://www.w3.org/1999/xhtml">
13989	<p>ISC reports:</p>
13990	<blockquote cite="https://kb.isc.org/article/AA-01352">
13991	  <p>An error parsing input received by the rndc control channel can
13992	    cause an assertion failure in sexpr.c or alist.c.</p>
13993	</blockquote>
13994      </body>
13995    </description>
13996    <references>
13997      <cvename>CVE-2016-1285</cvename>
13998      <freebsdsa>SA-16:13.bind</freebsdsa>
13999      <url>https://kb.isc.org/article/AA-01352</url>
14000    </references>
14001    <dates>
14002      <discovery>2016-03-09</discovery>
14003      <entry>2016-03-28</entry>
14004      <modified>2016-08-09</modified>
14005    </dates>
14006  </vuln>
14007
14008  <vuln vid="6d25c306-f3bb-11e5-92ce-002590263bf5">
14009    <topic>salt -- Insecure configuration of PAM external authentication service</topic>
14010    <affects>
14011      <package>
14012	<name>py27-salt</name>
14013	<name>py32-salt</name>
14014	<name>py33-salt</name>
14015	<name>py34-salt</name>
14016	<name>py35-salt</name>
14017	<range><lt>2015.5.10</lt></range>
14018	<range><ge>2015.8.0</ge><lt>2015.8.8</lt></range>
14019      </package>
14020    </affects>
14021    <description>
14022      <body xmlns="http://www.w3.org/1999/xhtml">
14023	<p>SaltStack reports:</p>
14024	<blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html">
14025	  <p>This issue affects all Salt versions prior to 2015.8.8/2015.5.10
14026	    when PAM external authentication is enabled. This issue involves
14027	    passing an alternative PAM authentication service with a command
14028	    that is sent to LocalClient, enabling the attacker to bypass the
14029	    configured authentication service.</p>
14030	</blockquote>
14031      </body>
14032    </description>
14033    <references>
14034      <cvename>CVE-2016-3176</cvename>
14035      <url>https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html</url>
14036    </references>
14037    <dates>
14038      <discovery>2016-03-17</discovery>
14039      <entry>2016-03-27</entry>
14040    </dates>
14041  </vuln>
14042
14043  <vuln vid="a258604d-f2aa-11e5-b4a9-ac220bdcec59">
14044    <topic>activemq -- Unsafe deserialization</topic>
14045    <affects>
14046      <package>
14047	<name>activemq</name>
14048	<range><lt>5.13.0</lt></range>
14049      </package>
14050    </affects>
14051    <description>
14052      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Alvaro Muñoz, Matthias Kaiser and Christian Schneider report:</p>
14054	<blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt">
	  <p>JMS Object messages depend on Java Serialization for
	    marshaling/unmarshaling of the message payload. There are a couple of places
	    inside the broker where deserialization can occur, like web console or stomp
	    object message transformation. As deserialization of untrusted data can lead to
	    security flaws as demonstrated in various reports, this leaves the broker
	    vulnerable to this attack vector. Additionally, applications that consume
	    ObjectMessage type of messages can be vulnerable as they deserialize objects on
	    ObjectMessage.getObject() calls.</p>
14063	</blockquote>
14064      </body>
14065    </description>
14066    <references>
14067      <url>http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt</url>
14068      <cvename>CVE-2015-5254</cvename>
14069    </references>
14070    <dates>
14071      <discovery>2016-01-08</discovery>
14072      <entry>2016-03-25</entry>
14073    </dates>
14074  </vuln>
14075
14076  <vuln vid="950b2d60-f2a9-11e5-b4a9-ac220bdcec59">
14077    <topic>activemq -- Web Console Clickjacking</topic>
14078    <affects>
14079      <package>
14080	<name>activemq</name>
14081	<range><lt>5.13.2</lt></range>
14082      </package>
14083    </affects>
14084    <description>
14085      <body xmlns="http://www.w3.org/1999/xhtml">
14086	<p>Michael Furman reports:</p>
14087	<blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt">
14088	  <p>The web based administration console does not set the
14089	    X-Frame-Options header in HTTP responses. This allows the console to be embedded
14090	    in a frame or iframe which could then be used to cause a user to perform an
14091	    unintended action in the console.</p>
14092	</blockquote>
14093      </body>
14094    </description>
14095    <references>
14096      <url>http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt</url>
14097      <cvename>CVE-2016-0734</cvename>
14098    </references>
14099    <dates>
14100      <discovery>2016-03-10</discovery>
14101      <entry>2016-03-25</entry>
14102    </dates>
14103  </vuln>
14104
14105  <vuln vid="a6cc5753-f29e-11e5-b4a9-ac220bdcec59">
14106    <topic>activemq -- Web Console Cross-Site Scripting</topic>
14107    <affects>
14108      <package>
14109	<name>activemq</name>
14110	<range><lt>5.13.1</lt></range>
14111      </package>
14112    </affects>
14113    <description>
14114      <body xmlns="http://www.w3.org/1999/xhtml">
14115	<p>Vladimir Ivanov (Positive Technologies) reports:</p>
14116	<blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt">
	  <p>Several instances of cross-site scripting vulnerabilities were
	    identified to be present in the web based administration console as well as the
	    ability to trigger a Java memory dump into an arbitrary folder. The root cause
	    of these issues is improper user data output validation and incorrect
	    permissions configured on Jolokia.</p>
14122	</blockquote>
14123      </body>
14124    </description>
14125    <references>
14126      <url>http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt</url>
14127      <cvename>CVE-2016-0782</cvename>
14128    </references>
14129    <dates>
14130      <discovery>2016-03-10</discovery>
14131      <entry>2016-03-25</entry>
14132    </dates>
14133  </vuln>
14134
14135  <vuln vid="7033b42d-ef09-11e5-b766-14dae9d210b8">
14136    <topic>pcre -- stack buffer overflow</topic>
14137    <affects>
14138      <package>
14139	<name>pcre</name>
14140	<range><lt>8.38</lt></range>
14141      </package>
14142      <package>
14143	<name>pcre2</name>
14144	<range><lt>10.20_1</lt></range>
14145      </package>
14146    </affects>
14147    <description>
14148      <body xmlns="http://www.w3.org/1999/xhtml">
14149	<p>Philip Hazel reports:</p>
14150	<blockquote cite="https://bugs.exim.org/show_bug.cgi?id=1791">
14151	  <p>PCRE does not validate that handling the (*ACCEPT) verb
14152	    will occur within the bounds of the cworkspace stack buffer, leading to
14153	    a stack buffer overflow.</p>
14154	</blockquote>
14155      </body>
14156    </description>
14157    <references>
14158      <url>https://bugs.exim.org/show_bug.cgi?id=1791</url>
14159      <cvename>CVE-2016-3191</cvename>
14160    </references>
14161    <dates>
14162      <discovery>2016-02-09</discovery>
14163      <entry>2016-03-21</entry>
14164      <modified>2016-03-21</modified>
14165    </dates>
14166  </vuln>
14167
14168  <vuln vid="c428de09-ed69-11e5-92ce-002590263bf5">
14169    <topic>kamailio -- SEAS Module Heap overflow</topic>
14170    <affects>
14171      <package>
14172	<name>kamailio</name>
14173	<range><lt>4.3.5</lt></range>
14174      </package>
14175    </affects>
14176    <description>
14177      <body xmlns="http://www.w3.org/1999/xhtml">
14178	<p>Stelios Tsampas reports:</p>
14179	<blockquote cite="http://seclists.org/oss-sec/2016/q1/338">
14180	  <p>A (remotely exploitable) heap overflow vulnerability was found in
14181	    Kamailio v4.3.4.</p>
14182	</blockquote>
14183      </body>
14184    </description>
14185    <references>
14186      <cvename>CVE-2016-2385</cvename>
14187      <url>https://github.com/kamailio/kamailio/commit/f50c9c853e7809810099c970780c30b0765b0643</url>
14188      <url>https://census-labs.com/news/2016/03/30/kamailio-seas-heap-overflow/</url>
14189      <url>http://seclists.org/oss-sec/2016/q1/338</url>
14190    </references>
14191    <dates>
14192      <discovery>2016-02-15</discovery>
14193      <entry>2016-03-19</entry>
14194      <modified>2016-04-03</modified>
14195    </dates>
14196  </vuln>
14197
14198  <vuln vid="5dd39f26-ed68-11e5-92ce-002590263bf5">
14199    <topic>hadoop2 -- unauthorized disclosure of data vulnerability</topic>
14200    <affects>
14201      <package>
14202	<name>hadoop2</name>
14203	<range><ge>2.6</ge><lt>2.7</lt></range>
14204      </package>
14205    </affects>
14206    <description>
14207      <body xmlns="http://www.w3.org/1999/xhtml">
14208	<p>Arun Suresh reports:</p>
14209	<blockquote cite="http://mail-archives.apache.org/mod_mbox/hadoop-general/201602.mbox/browser">
14210	  <p>RPC traffic from clients, potentially including authentication
14211	    credentials, may be intercepted by a malicious user with access to
14212	    run tasks or containers on a cluster.</p>
14213	</blockquote>
14214      </body>
14215    </description>
14216    <references>
14217      <cvename>CVE-2015-1776</cvename>
14218      <url>http://mail-archives.apache.org/mod_mbox/hadoop-general/201602.mbox/browser</url>
14219    </references>
14220    <dates>
14221      <discovery>2016-02-15</discovery>
14222      <entry>2016-03-19</entry>
14223    </dates>
14224  </vuln>
14225
14226  <vuln vid="d2a84feb-ebe0-11e5-92ce-002590263bf5">
14227    <topic>git -- integer overflow</topic>
14228    <affects>
14229      <package>
14230	<name>git</name>
14231	<range><lt>2.4.11</lt></range>
14232	<range><ge>2.5.0</ge><lt>2.5.5</lt></range>
14233	<range><ge>2.6.0</ge><lt>2.6.6</lt></range>
14234	<range><ge>2.7.0</ge><lt>2.7.4</lt></range>
14235      </package>
14236      <package>
14237	<name>git-gui</name>
14238	<range><lt>2.4.11</lt></range>
14239	<range><ge>2.5.0</ge><lt>2.5.5</lt></range>
14240	<range><ge>2.6.0</ge><lt>2.6.6</lt></range>
14241	<range><ge>2.7.0</ge><lt>2.7.4</lt></range>
14242      </package>
14243      <package>
14244	<name>git-lite</name>
14245	<range><lt>2.4.11</lt></range>
14246	<range><ge>2.5.0</ge><lt>2.5.5</lt></range>
14247	<range><ge>2.6.0</ge><lt>2.6.6</lt></range>
14248	<range><ge>2.7.0</ge><lt>2.7.4</lt></range>
14249      </package>
14250      <package>
14251	<name>git-subversion</name>
14252	<range><lt>2.4.11</lt></range>
14253	<range><ge>2.5.0</ge><lt>2.5.5</lt></range>
14254	<range><ge>2.6.0</ge><lt>2.6.6</lt></range>
14255	<range><ge>2.7.0</ge><lt>2.7.4</lt></range>
14256      </package>
14257    </affects>
14258    <description>
14259      <body xmlns="http://www.w3.org/1999/xhtml">
14260	<p>Debian reports:</p>
14261	<blockquote cite="https://security-tracker.debian.org/tracker/CVE-2016-2324">
14262	  <p>integer overflow due to a loop which adds more to "len".</p>
14263	</blockquote>
14264      </body>
14265    </description>
14266    <references>
14267      <cvename>CVE-2016-2324</cvename>
14268      <url>https://security-tracker.debian.org/tracker/CVE-2016-2324</url>
14269      <url>https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d</url>
14270    </references>
14271    <dates>
14272      <discovery>2016-02-24</discovery>
14273      <entry>2016-03-18</entry>
14274    </dates>
14275  </vuln>
14276
14277  <vuln vid="93ee802e-ebde-11e5-92ce-002590263bf5">
14278    <topic>git -- potential code execution</topic>
14279    <affects>
14280      <package>
14281	<name>git</name>
14282	<range><lt>2.7.0</lt></range>
14283      </package>
14284    </affects>
14285    <description>
14286      <body xmlns="http://www.w3.org/1999/xhtml">
14287	<p>Debian reports:</p>
14288	<blockquote cite="https://security-tracker.debian.org/tracker/CVE-2016-2315">
14289	  <p>"int" is the wrong data type for ... nlen assignment.</p>
14290	</blockquote>
14291      </body>
14292    </description>
14293    <references>
14294      <cvename>CVE-2016-2315</cvename>
14295      <url>http://www.openwall.com/lists/oss-security/2016/03/15/6</url>
14296      <url>https://marc.info/?l=oss-security&amp;m=145809217306686&amp;w=2</url>
14297      <url>https://github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305</url>
14298      <url>https://security-tracker.debian.org/tracker/CVE-2016-2315</url>
14299    </references>
14300    <dates>
14301      <discovery>2015-09-24</discovery>
14302      <entry>2016-03-17</entry>
14303    </dates>
14304  </vuln>
14305
14306  <vuln vid="6d33b3e5-ea03-11e5-85be-14dae9d210b8">
14307    <topic>node -- multiple vulnerabilities</topic>
14308    <affects>
14309      <package>
14310	<name>node</name>
14311	<range><lt>5.7.1</lt></range>
14312      </package>
14313    </affects>
14314    <description>
14315      <body xmlns="http://www.w3.org/1999/xhtml">
14316	<p>Jeremiah Senkpiel reports:</p>
14317	<blockquote cite="https://github.com/nodejs/node/commit/805f054cc7791c447dbb960fbf3b179ea05294ac">
14318	  <ul>
14319	  <li><p>Fix a double-free defect in parsing malformed DSA keys
14320	    that may potentially be used for DoS or memory corruption attacks.</p></li>
14321	  <li><p>Fix a defect that can cause memory corruption in
14322	    certain very rare cases</p></li>
14323	  <li><p>Fix a defect that makes the CacheBleed Attack possible</p></li>
14324	  </ul>
14325	</blockquote>
14326      </body>
14327    </description>
14328    <references>
14329      <url>https://github.com/nodejs/node/commit/805f054cc7791c447dbb960fbf3b179ea05294ac</url>
14330      <cvename>CVE-2016-0702</cvename>
14331      <cvename>CVE-2016-0705</cvename>
14332      <cvename>CVE-2016-0797</cvename>
14333    </references>
14334    <dates>
14335      <discovery>2016-03-02</discovery>
14336      <entry>2016-03-14</entry>
14337    </dates>
14338  </vuln>
14339
14340  <vuln vid="8eb78cdc-e9ec-11e5-85be-14dae9d210b8">
14341    <topic>dropbear -- authorized_keys command= bypass</topic>
14342    <affects>
14343      <package>
14344	<name>dropbear</name>
14345	<range><lt>2016.72</lt></range>
14346      </package>
14347    </affects>
14348    <description>
14349      <body xmlns="http://www.w3.org/1999/xhtml">
14350	<p>Matt Johnson reports:</p>
14351	<blockquote cite="https://matt.ucc.asn.au/dropbear/CHANGES">
14352	  <p>Validate X11 forwarding input. Could allow bypass of
14353	    authorized_keys command= restrictions</p>
14354	</blockquote>
14355      </body>
14356    </description>
14357    <references>
14358      <url>https://matt.ucc.asn.au/dropbear/CHANGES</url>
14359      <cvename>CVE-2016-3116</cvename>
14360    </references>
14361    <dates>
14362      <discovery>2016-03-11</discovery>
14363      <entry>2016-03-14</entry>
14364    </dates>
14365  </vuln>
14366
14367  <vuln vid="77b7ffb7-e937-11e5-8bed-5404a68ad561">
14368    <topic>jpgraph2 -- XSS vulnerability</topic>
14369    <affects>
14370      <package>
14371	<name>jpgraph2</name>
14372	<range><lt>3.0.7_1</lt></range>
14373      </package>
14374    </affects>
14375    <description>
14376      <body xmlns="http://www.w3.org/1999/xhtml">
14377	<p>Martin Barbella reports:</p>
14378	<blockquote cite="http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded">
	  <p>JpGraph is an object oriented library for PHP that can be used to create
	    various types of graphs which also contains support for client side
	    image maps.</p>
	  <p>The GetURLArguments function for the JpGraph's Graph class does not
	    properly sanitize the names of get and post variables, leading to a
	    cross site scripting vulnerability.</p>
14386	</blockquote>
14387      </body>
14388    </description>
14389    <references>
14390      <url>http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded</url>
14391    </references>
14392    <dates>
14393      <discovery>2009-12-22</discovery>
14394      <entry>2016-03-13</entry>
14395    </dates>
14396  </vuln>
14397
14398  <vuln vid="5af511e5-e928-11e5-92ce-002590263bf5">
14399    <topic>php7 -- multiple vulnerabilities</topic>
14400    <affects>
14401      <package>
14402	<name>php70</name>
14403	<name>php70-soap</name>
14404	<range><lt>7.0.4</lt></range>
14405      </package>
14406    </affects>
14407    <description>
14408      <body xmlns="http://www.w3.org/1999/xhtml">
14409	<p>The PHP Group reports:</p>
14410	<blockquote cite="http://php.net/ChangeLog-7.php#7.0.4">
14411	  <ul><li>Core:
14412	  <ul>
14413	    <li>Fixed bug #71637 (Multiple Heap Overflow due to integer
14414	      overflows in xml/filter_url/addcslashes).</li>
14415	  </ul></li>
14416	  <li>SOAP:
14417	  <ul>
14418	    <li>Fixed bug #71610 (Type Confusion Vulnerability - SOAP /
14419	      make_http_soap_request()).</li>
14420	  </ul></li>
14421	  </ul>
14422	</blockquote>
14423      </body>
14424    </description>
14425    <references>
14426      <url>http://php.net/ChangeLog-7.php#7.0.4</url>
14427    </references>
14428    <dates>
14429      <discovery>2016-03-03</discovery>
14430      <entry>2016-03-13</entry>
14431    </dates>
14432  </vuln>
14433
14434  <vuln vid="e991ef79-e920-11e5-92ce-002590263bf5">
14435    <topic>php5 -- multiple vulnerabilities</topic>
14436    <affects>
14437      <package>
14438	<name>php55-phar</name>
14439	<name>php55-wddx</name>
14440	<range><lt>5.5.33</lt></range>
14441      </package>
14442      <package>
14443	<name>php56-phar</name>
14444	<name>php56-wddx</name>
14445	<range><lt>5.6.19</lt></range>
14446      </package>
14447    </affects>
14448    <description>
14449      <body xmlns="http://www.w3.org/1999/xhtml">
14450	<p>The PHP Group reports:</p>
14451	<blockquote cite="http://php.net/ChangeLog-5.php#5.6.19">
14452	  <ul><li>Phar:
14453	  <ul>
14454	    <li>Fixed bug #71498 (Out-of-Bound Read in phar_parse_zipfile()).
14455	      </li>
14456	  </ul></li>
14457	  <li>WDDX:
14458	  <ul>
14459	    <li>Fixed bug #71587 (Use-After-Free / Double-Free in WDDX
14460	      Deserialize).</li>
14461	  </ul></li>
14462	  </ul>
14463	</blockquote>
14464      </body>
14465    </description>
14466    <references>
14467      <url>http://php.net/ChangeLog-5.php#5.6.19</url>
14468      <url>http://php.net/ChangeLog-5.php#5.5.33</url>
14469    </references>
14470    <dates>
14471      <discovery>2016-03-03</discovery>
14472      <entry>2016-03-13</entry>
14473    </dates>
14474  </vuln>
14475
14476  <vuln vid="e4644df8-e7da-11e5-829d-c80aa9043978">
14477    <topic>openssh -- command injection when X11Forwarding is enabled</topic>
14478    <affects>
14479      <package>
14480	<name>openssh-portable</name>
14481	<range><lt>7.2.p2,1</lt></range>
14482      </package>
14483      <package>
14484	<name>FreeBSD</name>
14485	<range><ge>10.2</ge><lt>10.2_14</lt></range>
14486	<range><ge>10.1</ge><lt>10.1_31</lt></range>
14487	<range><ge>9.3</ge><lt>9.3_39</lt></range>
14488      </package>
14489    </affects>
14490    <description>
14491      <body xmlns="http://www.w3.org/1999/xhtml">
14492	<p>The OpenSSH project reports:</p>
14493	<blockquote cite="http://www.openssh.com/txt/x11fwd.adv">
14494	  <p>Missing sanitisation of untrusted input allows an
14495	    authenticated user who is able to request X11 forwarding
14496	    to inject commands to xauth(1).
14497	  </p>
	  <p>Injection of xauth commands grants the ability to read
	    arbitrary files under the authenticated user's privilege.
	    Other xauth commands allow limited information leakage,
	    file overwrite, port probing and generally expose xauth(1),
	    which was not written with a hostile user in mind, as an
	    attack surface.
	  </p>
14505	  <p>Mitigation:</p>
14506	  <p>Set X11Forwarding=no in sshd_config. This is the default.</p>
14507	  <p>For authorized_keys that specify a "command" restriction,
14508	    also set the "restrict" (available in OpenSSH &gt;=7.2) or
14509	    "no-x11-forwarding" restrictions.
14510	  </p>
14511	</blockquote>
14512      </body>
14513    </description>
14514    <references>
14515      <url>http://www.openssh.com/txt/x11fwd.adv</url>
14516      <cvename>CVE-2016-3115</cvename>
14517      <freebsdsa>SA-16:14.openssh</freebsdsa>
14518    </references>
14519    <dates>
14520      <discovery>2016-03-11</discovery>
14521      <entry>2016-03-11</entry>
14522      <modified>2016-08-09</modified>
14523    </dates>
14524  </vuln>
14525
14526  <vuln vid="70c44cd0-e717-11e5-85be-14dae9d210b8">
14527    <topic>quagga -- stack based buffer overflow vulnerability</topic>
14528    <affects>
14529      <package>
14530	<name>quagga</name>
14531	<range><lt>1.0.20160309</lt></range>
14532      </package>
14533    </affects>
14534    <description>
14535      <body xmlns="http://www.w3.org/1999/xhtml">
14536	<p>Donald Sharp reports:</p>
14537	<blockquote cite="https://www.kb.cert.org/vuls/id/270232">
14538	  <p>A malicious BGP peer may execute arbitrary code in
14539	    particularly configured remote bgpd hosts.</p>
14540	</blockquote>
14541      </body>
14542    </description>
14543    <references>
14544      <url>https://www.kb.cert.org/vuls/id/270232</url>
14545      <url>http://savannah.nongnu.org/forum/forum.php?forum_id=8476</url>
14546      <cvename>CVE-2016-2342</cvename>
14547    </references>
14548    <dates>
14549      <discovery>2016-01-27</discovery>
14550      <entry>2016-03-10</entry>
14551    </dates>
14552  </vuln>
14553
14554  <vuln vid="d71831ef-e6f8-11e5-85be-14dae9d210b8">
14555    <topic>ricochet -- information disclosure</topic>
14556    <affects>
14557      <package>
14558	<name>ricochet</name>
14559	<range><lt>1.1.2</lt></range>
14560      </package>
14561    </affects>
14562    <description>
14563      <body xmlns="http://www.w3.org/1999/xhtml">
14564	<p>special reports:</p>
14565	<blockquote cite="https://github.com/ricochet-im/ricochet/releases/tag/v1.1.2">
14566	  <p>By sending a nickname with some HTML tags in a contact
14567	    request, an attacker could cause Ricochet to make network requests
14568	    without Tor after the request is accepted, which would reveal the user's
14569	    IP address.</p>
14570	</blockquote>
14571      </body>
14572    </description>
14573    <references>
14574      <url>https://github.com/ricochet-im/ricochet/releases/tag/v1.1.2</url>
14575    </references>
14576    <dates>
14577      <discovery>2016-02-15</discovery>
14578      <entry>2016-03-10</entry>
14579    </dates>
14580  </vuln>
14581
14582  <vuln vid="77e0b631-e6cf-11e5-85be-14dae9d210b8">
14583    <topic>pidgin-otr -- use after free</topic>
14584    <affects>
14585      <package>
14586	<name>pidgin-otr</name>
14587	<range><lt>4.0.2</lt></range>
14588      </package>
14589    </affects>
14590    <description>
14591      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Hanno Böck reports:</p>
14593	<blockquote cite="http://seclists.org/oss-sec/2016/q1/572">
14594	  <p>The pidgin-otr plugin version 4.0.2 fixes a heap use after
14595	    free error.
14596	    The bug is triggered when a user tries to authenticate a buddy and
14597	    happens in the function create_smp_dialog.</p>
14598	</blockquote>
14599      </body>
14600    </description>
14601    <references>
14602      <url>http://seclists.org/oss-sec/2016/q1/572</url>
14603      <url>https://bugs.otr.im/issues/88</url>
14604      <url>https://bugs.otr.im/issues/128</url>
14605      <cvename>CVE-2015-8833</cvename>
14606    </references>
14607    <dates>
14608      <discovery>2015-04-04</discovery>
14609      <entry>2016-03-10</entry>
14610    </dates>
14611  </vuln>
14612
14613  <vuln vid="c2b1652c-e647-11e5-85be-14dae9d210b8">
14614    <topic>libotr -- integer overflow</topic>
14615    <affects>
14616      <package>
14617	<name>libotr</name>
14618	<range><lt>4.1.1</lt></range>
14619      </package>
14620      <package>
14621	<name>libotr3</name>
14622	<range><ge>0</ge></range>
14623      </package>
14624    </affects>
14625    <description>
14626      <body xmlns="http://www.w3.org/1999/xhtml">
14627	<p>X41 D-Sec reports:</p>
14628	<blockquote cite="https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/">
14629	  <p>A remote attacker may crash or execute arbitrary code in
14630	    libotr by sending large OTR messages.</p>
14631	</blockquote>
14632      </body>
14633    </description>
14634    <references>
14635      <url>https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/</url>
14636      <cvename>CVE-2016-2851</cvename>
14637    </references>
14638    <dates>
14639      <discovery>2016-02-17</discovery>
14640      <entry>2016-03-09</entry>
14641      <modified>2016-03-09</modified>
14642    </dates>
14643  </vuln>
14644
14645  <vuln vid="1bcfd963-e483-41b8-ab8e-bad5c3ce49c9">
14646    <topic>brotli -- buffer overflow</topic>
14647    <affects>
14648      <package>
14649	<name>brotli</name>
14650	<range><ge>0.3.0</ge><lt>0.3.0_1</lt></range>
14651	<range><lt>0.2.0_2</lt></range>
14652      </package>
14653      <package>
14654	<name>libbrotli</name>
14655	<range><lt>0.3.0_3</lt></range>
14656      </package>
14657      <package>
14658	<name>chromium</name>
14659	<name>chromium-npapi</name>
14660	<name>chromium-pulse</name>
14661	<range><lt>48.0.2564.109</lt></range>
14662      </package>
14663      <package>
14664	<name>firefox</name>
14665	<name>linux-firefox</name>
14666	<range><lt>45.0,1</lt></range>
14667      </package>
14668      <package>
14669	<name>seamonkey</name>
14670	<name>linux-seamonkey</name>
14671	<range><lt>2.42</lt></range>
14672      </package>
14673      <package>
14674	<name>firefox-esr</name>
14675	<range><lt>38.7.0,1</lt></range>
14676      </package>
14677      <package>
14678	<name>libxul</name>
14679	<name>thunderbird</name>
14680	<name>linux-thunderbird</name>
14681	<range><lt>38.7.0</lt></range>
14682      </package>
14683    </affects>
14684    <description>
14685      <body xmlns="http://www.w3.org/1999/xhtml">
14686	<p>Google Chrome Releases reports:</p>
14687	<blockquote cite="http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_9.html">
14688	  <p>[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.</p>
14689	</blockquote>
14690	<p>Mozilla Foundation reports:</p>
14691	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/">
14692	  <p>Security researcher Luke Li reported a pointer underflow
14693	    bug in the Brotli library's decompression that leads to a
14694	    buffer overflow. This results in a potentially exploitable
14695	    crash when triggered.</p>
14696	</blockquote>
14697      </body>
14698    </description>
14699    <references>
14700      <cvename>CVE-2016-1624</cvename>
14701      <cvename>CVE-2016-1968</cvename>
14702      <url>https://github.com/google/brotli/commit/37a320dd81db8d546cd24a45b4c61d87b45dcade</url>
14703      <url>https://chromium.googlesource.com/chromium/src/+/7716418a27d561ee295a99f11fd3865580748de2%5E!/</url>
14704      <url>https://www.mozilla.org/security/advisories/mfsa2016-30/</url>
14705      <url>https://hg.mozilla.org/releases/mozilla-release/rev/4a5d8ade4e3e</url>
14706    </references>
14707    <dates>
14708      <discovery>2016-02-08</discovery>
14709      <entry>2016-03-08</entry>
14710      <modified>2016-03-08</modified>
14711    </dates>
14712  </vuln>
14713
14714  <vuln vid="2225c5b4-1e5a-44fc-9920-b3201c384a15">
14715    <topic>mozilla -- multiple vulnerabilities</topic>
14716    <affects>
14717      <package>
14718	<name>firefox</name>
14719	<name>linux-firefox</name>
14720	<range><lt>45.0,1</lt></range>
14721      </package>
14722      <package>
14723	<name>seamonkey</name>
14724	<name>linux-seamonkey</name>
14725	<range><lt>2.42</lt></range>
14726      </package>
14727      <package>
14728	<name>firefox-esr</name>
14729	<range><lt>38.7.0,1</lt></range>
14730      </package>
14731      <package>
14732	<name>libxul</name>
14733	<name>thunderbird</name>
14734	<name>linux-thunderbird</name>
14735	<range><lt>38.7.0</lt></range>
14736      </package>
14737    </affects>
14738    <description>
14739      <body xmlns="http://www.w3.org/1999/xhtml">
14740	<p>Mozilla Foundation reports:</p>
14741	<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45">
14742	  <p>MFSA 2016-16 Miscellaneous memory safety hazards (rv:45.0
14743	    / rv:38.7)</p>
14744	  <p>MFSA 2016-17 Local file overwriting and potential
14745	    privilege escalation through CSP reports</p>
14746	  <p>MFSA 2016-18 CSP reports fail to strip location
14747	    information for embedded iframe pages</p>
14748	  <p>MFSA 2016-19 Linux video memory DOS with Intel
14749	    drivers</p>
14750	  <p>MFSA 2016-20 Memory leak in libstagefright when deleting
14751	    an array during MP4 processing</p>
14752	  <p>MFSA 2016-21 Displayed page address can be overridden</p>
14753	  <p>MFSA 2016-22 Service Worker Manager out-of-bounds read in
14754	    Service Worker Manager</p>
14755	  <p>MFSA 2016-23 Use-after-free in HTML5 string parser</p>
14756	  <p>MFSA 2016-24 Use-after-free in SetBody</p>
14757	  <p>MFSA 2016-25 Use-after-free when using multiple WebRTC
14758	    data channels</p>
14759	  <p>MFSA 2016-26 Memory corruption when modifying a file
14760	    being read by FileReader</p>
14761	  <p>MFSA 2016-27 Use-after-free during XML
14762	    transformations</p>
	  <p>MFSA 2016-28 Addressbar spoofing through history
	    navigation and Location protocol property</p>
	  <p>MFSA 2016-29 Same-origin policy violation using
	    performance.getEntries and history navigation with session
	    restore</p>
14768	  <p>MFSA 2016-31 Memory corruption with malicious NPAPI
14769	    plugin</p>
14770	  <p>MFSA 2016-32 WebRTC and LibVPX vulnerabilities found
14771	    through code inspection</p>
14772	  <p>MFSA 2016-33 Use-after-free in GetStaticInstance in
14773	    WebRTC</p>
14774	  <p>MFSA 2016-34 Out-of-bounds read in HTML parser following
14775	    a failed allocation</p>
14776	</blockquote>
14777      </body>
14778    </description>
14779    <references>
14780      <cvename>CVE-2016-1952</cvename>
14781      <cvename>CVE-2016-1953</cvename>
14782      <cvename>CVE-2016-1954</cvename>
14783      <cvename>CVE-2016-1955</cvename>
14784      <cvename>CVE-2016-1956</cvename>
14785      <cvename>CVE-2016-1957</cvename>
14786      <cvename>CVE-2016-1958</cvename>
14787      <cvename>CVE-2016-1959</cvename>
14788      <cvename>CVE-2016-1960</cvename>
14789      <cvename>CVE-2016-1961</cvename>
14790      <cvename>CVE-2016-1962</cvename>
14791      <cvename>CVE-2016-1963</cvename>
14792      <cvename>CVE-2016-1964</cvename>
14793      <cvename>CVE-2016-1965</cvename>
14794      <cvename>CVE-2016-1966</cvename>
14795      <cvename>CVE-2016-1967</cvename>
14796      <cvename>CVE-2016-1970</cvename>
14797      <cvename>CVE-2016-1971</cvename>
14798      <cvename>CVE-2016-1972</cvename>
14799      <cvename>CVE-2016-1973</cvename>
14800      <cvename>CVE-2016-1974</cvename>
14801      <cvename>CVE-2016-1975</cvename>
14802      <cvename>CVE-2016-1976</cvename>
14803      <url>https://www.mozilla.org/security/advisories/mfsa2016-16/</url>
14804      <url>https://www.mozilla.org/security/advisories/mfsa2016-17/</url>
14805      <url>https://www.mozilla.org/security/advisories/mfsa2016-18/</url>
14806      <url>https://www.mozilla.org/security/advisories/mfsa2016-19/</url>
14807      <url>https://www.mozilla.org/security/advisories/mfsa2016-20/</url>
14808      <url>https://www.mozilla.org/security/advisories/mfsa2016-21/</url>
14809      <url>https://www.mozilla.org/security/advisories/mfsa2016-22/</url>
14810      <url>https://www.mozilla.org/security/advisories/mfsa2016-23/</url>
14811      <url>https://www.mozilla.org/security/advisories/mfsa2016-24/</url>
14812      <url>https://www.mozilla.org/security/advisories/mfsa2016-25/</url>
14813      <url>https://www.mozilla.org/security/advisories/mfsa2016-26/</url>
14814      <url>https://www.mozilla.org/security/advisories/mfsa2016-27/</url>
14815      <url>https://www.mozilla.org/security/advisories/mfsa2016-28/</url>
14816      <url>https://www.mozilla.org/security/advisories/mfsa2016-29/</url>
14817      <url>https://www.mozilla.org/security/advisories/mfsa2016-31/</url>
14818      <url>https://www.mozilla.org/security/advisories/mfsa2016-32/</url>
14819      <url>https://www.mozilla.org/security/advisories/mfsa2016-33/</url>
14820      <url>https://www.mozilla.org/security/advisories/mfsa2016-34/</url>
14821    </references>
14822    <dates>
14823      <discovery>2016-03-08</discovery>
14824      <entry>2016-03-08</entry>
14825      <modified>2016-03-08</modified>
14826    </dates>
14827  </vuln>
14828
14829  <vuln vid="adffe823-e692-4921-ae9c-0b825c218372">
14830    <topic>graphite2 -- multiple vulnerabilities</topic>
14831    <affects>
14832      <package>
14833	<name>graphite2</name>
14834	<range><lt>1.3.6</lt></range>
14835      </package>
14836      <package>
14837	<name>linux-firefox</name>
14838	<range><lt>45.0,1</lt></range>
14839      </package>
14840      <package>
14841	<name>linux-thunderbird</name>
14842	<range><lt>38.7.0</lt></range>
14843      </package>
14844      <package>
14845	<name>linux-seamonkey</name>
14846	<range><lt>2.42</lt></range>
14847      </package>
14848    </affects>
14849    <description>
14850      <body xmlns="http://www.w3.org/1999/xhtml">
14851	<p>Mozilla Foundation reports:</p>
14852	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/">
	  <p>Security researcher Holger Fuhrmannek and Mozilla
	    security engineer Tyson Smith reported a number of security
	    vulnerabilities in the Graphite 2 library affecting version
	    1.3.5.</p>
	  <p>The issue reported by Holger Fuhrmannek is a mechanism to
	    induce stack corruption with a malicious graphite font. This
	    leads to a potentially exploitable crash when the font is
	    loaded.</p>
	  <p>Tyson Smith used the Address Sanitizer tool in concert with
	    a custom software fuzzer to find a series of uninitialized
	    memory, out-of-bounds read, and out-of-bounds write errors
	    when working with fuzzed graphite fonts.</p>
14867	</blockquote>
14868	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-38/">
14869	  <p>Security researcher James Clawson used the Address
14870	    Sanitizer tool to discover an out-of-bounds write in the
14871	    Graphite 2 library when loading a crafted Graphite font
14872	    file. This results in a potentially exploitable crash.</p>
14873	</blockquote>
14874      </body>
14875    </description>
14876    <references>
14877      <url>https://www.mozilla.org/security/advisories/mfsa2016-37/</url>
14878      <url>https://www.mozilla.org/security/advisories/mfsa2016-38/</url>
14879      <cvename>CVE-2016-1969</cvename>
14880      <cvename>CVE-2016-1977</cvename>
14881      <cvename>CVE-2016-2790</cvename>
14882      <cvename>CVE-2016-2791</cvename>
14883      <cvename>CVE-2016-2792</cvename>
14884      <cvename>CVE-2016-2793</cvename>
14885      <cvename>CVE-2016-2794</cvename>
14886      <cvename>CVE-2016-2795</cvename>
14887      <cvename>CVE-2016-2796</cvename>
14888      <cvename>CVE-2016-2797</cvename>
14889      <cvename>CVE-2016-2798</cvename>
14890      <cvename>CVE-2016-2799</cvename>
14891      <cvename>CVE-2016-2800</cvename>
14892      <cvename>CVE-2016-2801</cvename>
14893      <cvename>CVE-2016-2802</cvename>
14894    </references>
14895    <dates>
14896      <discovery>2016-03-08</discovery>
14897      <entry>2016-03-08</entry>
14898      <modified>2016-03-14</modified>
14899    </dates>
14900  </vuln>
14901
14902  <vuln vid="c4292768-5273-4f17-a267-c5fe35125ce4">
14903    <topic>NSS -- multiple vulnerabilities</topic>
14904    <affects>
14905      <package>
14906	<name>nss</name>
14907	<range><ge>3.20</ge><lt>3.21.1</lt></range>
14908	<range><lt>3.19.2.3</lt></range>
14909      </package>
14910      <package>
14911	<name>linux-c6-nss</name>
14912	<range><ge>3.20</ge><lt>3.21.0_1</lt></range>
14913	<range><lt>3.19.2.3</lt></range>
14914      </package>
14915      <package>
14916	<name>linux-firefox</name>
14917	<range><lt>45.0,1</lt></range>
14918      </package>
14919      <package>
14920	<name>linux-thunderbird</name>
14921	<range><lt>38.7.0</lt></range>
14922      </package>
14923      <package>
14924	<name>linux-seamonkey</name>
14925	<range><lt>2.42</lt></range>
14926      </package>
14927    </affects>
14928    <description>
14929      <body xmlns="http://www.w3.org/1999/xhtml">
14930	<p>Mozilla Foundation reports:</p>
14931	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/">
14932	  <p>Security researcher Francis Gabriel reported a heap-based
14933	    buffer overflow in the way the Network Security Services
14934	    (NSS) libraries parsed certain ASN.1 structures. An attacker
14935	    could create a specially-crafted certificate which, when
14936	    parsed by NSS, would cause it to crash or execute arbitrary
14937	    code with the permissions of the user.</p>
14938	</blockquote>
14939	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-36/">
14940	  <p>Mozilla developer Tim Taubert used the Address Sanitizer
14941	    tool and software fuzzing to discover a use-after-free
14942	    vulnerability while processing DER encoded keys in the
14943	    Network Security Services (NSS) libraries. The vulnerability
14944	    overwrites the freed memory with zeroes.</p>
14945	</blockquote>
14946      </body>
14947    </description>
14948    <references>
14949      <cvename>CVE-2016-1950</cvename>
14950      <cvename>CVE-2016-1979</cvename>
14951      <url>https://www.mozilla.org/security/advisories/mfsa2016-35/</url>
14952      <url>https://www.mozilla.org/security/advisories/mfsa2016-36/</url>
14953      <url>https://hg.mozilla.org/projects/nss/rev/b9a31471759d</url>
14954      <url>https://hg.mozilla.org/projects/nss/rev/7033b1193c94</url>
14955    </references>
14956    <dates>
14957      <discovery>2016-03-08</discovery>
14958      <entry>2016-03-08</entry>
14959      <modified>2016-09-05</modified>
14960    </dates>
14961  </vuln>
14962
14963  <vuln vid="75091516-6f4b-4059-9884-6727023dc366">
14964    <topic>NSS -- multiple vulnerabilities</topic>
14965    <affects>
14966      <package>
14967	<name>nss</name>
14968	<name>linux-c6-nss</name>
14969	<range><lt>3.21</lt></range>
14970      </package>
14971      <package>
14972	<name>linux-firefox</name>
14973	<range><lt>44.0,1</lt></range>
14974      </package>
14975      <package>
14976	<name>linux-seamonkey</name>
14977	<range><lt>2.41</lt></range>
14978      </package>
14979    </affects>
14980    <description>
14981      <body xmlns="http://www.w3.org/1999/xhtml">
14982	<p>Mozilla Foundation reports:</p>
14983	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-07/">
14984	  <p>Security researcher Hanno Böck reported that calculations
14985	    with mp_div and mp_exptmod in Network Security Services
14986	    (NSS) can produce wrong results in some circumstances. These
14987	    functions are used within NSS for a variety of cryptographic
14988	    division functions, leading to potential cryptographic
14989	    weaknesses.</p>
14990	</blockquote>
14991	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-15/">
14992	  <p>Mozilla developer Eric Rescorla reported that a failed
14993	    allocation during DHE and ECDHE handshakes would lead to a
14994	    use-after-free vulnerability.</p>
14995	</blockquote>
14996      </body>
14997    </description>
14998    <references>
14999      <cvename>CVE-2016-1938</cvename>
15000      <cvename>CVE-2016-1978</cvename>
15001      <url>https://www.mozilla.org/security/advisories/mfsa2016-07/</url>
15002      <url>https://www.mozilla.org/security/advisories/mfsa2016-15/</url>
15003      <url>https://hg.mozilla.org/projects/nss/rev/a555bf0fc23a</url>
15004      <url>https://hg.mozilla.org/projects/nss/rev/a245a4ccd354</url>
15005    </references>
15006    <dates>
15007      <discovery>2016-01-26</discovery>
15008      <entry>2016-03-08</entry>
15009    </dates>
15010  </vuln>
15011
15012  <vuln vid="f9e6c0d1-e4cc-11e5-b2bd-002590263bf5">
15013    <topic>django -- multiple vulnerabilities</topic>
15014    <affects>
15015      <package>
15016	<name>py27-django</name>
15017	<name>py32-django</name>
15018	<name>py33-django</name>
15019	<name>py34-django</name>
15020	<name>py35-django</name>
15021	<range><lt>1.8.10</lt></range>
15022      </package>
15023      <package>
15024	<name>py27-django18</name>
15025	<name>py32-django18</name>
15026	<name>py33-django18</name>
15027	<name>py34-django18</name>
15028	<name>py35-django18</name>
15029	<range><lt>1.8.10</lt></range>
15030      </package>
15031      <package>
15032	<name>py27-django19</name>
15033	<name>py32-django19</name>
15034	<name>py33-django19</name>
15035	<name>py34-django19</name>
15036	<name>py35-django19</name>
15037	<range><lt>1.9.3</lt></range>
15038      </package>
15039      <package>
15040	<name>py27-django-devel</name>
15041	<name>py32-django-devel</name>
15042	<name>py33-django-devel</name>
15043	<name>py34-django-devel</name>
15044	<name>py35-django-devel</name>
15045	<range><le>20150709,1</le></range>
15046      </package>
15047    </affects>
15048    <description>
15049      <body xmlns="http://www.w3.org/1999/xhtml">
15050	<p>Tim Graham reports:</p>
15051	<blockquote cite="https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/">
15052	  <p>Malicious redirect and possible XSS attack via user-supplied
15053	    redirect URLs containing basic auth</p>
15054	  <p>User enumeration through timing difference on password hasher work
15055	    factor upgrade</p>
15056	</blockquote>
15057      </body>
15058    </description>
15059    <references>
15060      <cvename>CVE-2016-2512</cvename>
15061      <cvename>CVE-2016-2513</cvename>
15062      <url>https://www.djangoproject.com/weblog/2016/mar/01/security-releases/</url>
15063    </references>
15064    <dates>
15065      <discovery>2016-03-01</discovery>
15066      <entry>2016-03-08</entry>
15067    </dates>
15068  </vuln>
15069
15070  <vuln vid="fef03980-e4c6-11e5-b2bd-002590263bf5">
15071    <topic>wordpress -- multiple vulnerabilities</topic>
15072    <affects>
15073      <package>
15074	<name>wordpress</name>
15075	<range><lt>4.4.2,1</lt></range>
15076      </package>
15077      <package>
15078	<name>de-wordpress</name>
15079	<name>ja-wordpress</name>
15080	<name>ru-wordpress</name>
15081	<name>zh-wordpress-zh_CN</name>
15082	<name>zh-wordpress-zh_TW</name>
15083	<range><lt>4.4.2</lt></range>
15084      </package>
15085    </affects>
15086    <description>
15087      <body xmlns="http://www.w3.org/1999/xhtml">
15088	<p>Samuel Sidler reports:</p>
15089	<blockquote cite="https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/">
15090	  <p>WordPress 4.4.2 is now available. This is a security release for
15091	    all previous versions and we strongly encourage you to update your
15092	    sites immediately.</p>
15093	  <p>WordPress versions 4.4.1 and earlier are affected by two security
15094	    issues: a possible SSRF for certain local URIs, reported by Ronni
15095	    Skansing; and an open redirection attack, reported by Shailesh
15096	    Suthar.</p>
15097	</blockquote>
15098      </body>
15099    </description>
15100    <references>
15101      <cvename>CVE-2016-2221</cvename>
15102      <cvename>CVE-2016-2222</cvename>
15103      <url>http://www.openwall.com/lists/oss-security/2016/02/04/6</url>
15104      <url>https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/</url>
15105    </references>
15106    <dates>
15107      <discovery>2016-02-02</discovery>
15108      <entry>2016-03-08</entry>
15109    </dates>
15110  </vuln>
15111
15112  <vuln vid="7f0fbb30-e462-11e5-a3f3-080027ef73ec">
15113    <topic>PuTTY - old-style scp downloads may allow remote code execution</topic>
15114    <affects>
15115      <package>
15116	<name>putty</name>
15117	<range><lt>0.67</lt></range>
15118      </package>
15119    </affects>
15120    <description>
15121      <body xmlns="http://www.w3.org/1999/xhtml">
15122	<p>Simon G. Tatham reports:</p>
15123	<blockquote cite="http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html">
15124	  <p>Many versions of PSCP prior to 0.67 have a stack corruption
15125	    vulnerability in their treatment of the 'sink' direction (i.e.
15126	    downloading from server to client) of the old-style SCP protocol.
15127	    </p>
	  <p>In order for this vulnerability to be exploited, the user must
	    connect to a malicious server and attempt to download any file. [...]
	    you can work around it in a vulnerable PSCP by using the -sftp
	    option to force the use of the newer SFTP protocol, provided your
	    server supports that protocol.</p>
15133	</blockquote>
15134      </body>
15135    </description>
15136    <references>
15137      <url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html</url>
15138      <cvename>CVE-2016-2563</cvename>
15139      <url>https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563</url>
15140    </references>
15141    <dates>
15142      <discovery>2016-02-26</discovery>
15143      <entry>2016-03-07</entry>
15144    </dates>
15145  </vuln>
15146
15147  <vuln vid="12d1b5a6-e39d-11e5-9f77-5453ed2e2b49">
15148    <topic>websvn -- reflected cross-site scripting</topic>
15149    <affects>
15150      <package>
15151	<name>websvn</name>
15152	<range><lt>2.3.3_1</lt></range>
15153      </package>
15154    </affects>
15155    <description>
15156      <body xmlns="http://www.w3.org/1999/xhtml">
15157	<p>Sebastien Delafond reports:</p>
15158	<blockquote cite="https://lists.debian.org/debian-security-announce/2016/msg00060.html">
15159	  <p>Jakub Palaczynski discovered that websvn, a web viewer for
15160	  Subversion repositories, does not correctly sanitize user-supplied
15161	  input, which allows a remote user to run reflected cross-site
15162	  scripting attacks.</p>
15163	</blockquote>
15164      </body>
15165    </description>
15166    <references>
15167      <cvename>CVE-2016-2511</cvename>
15168      <url>https://lists.debian.org/debian-security-announce/2016/msg00060.html</url>
15169      <url>http://seclists.org/fulldisclosure/2016/Feb/99</url>
15170    </references>
15171    <dates>
15172      <discovery>2016-02-22</discovery>
15173      <entry>2016-03-06</entry>
15174    </dates>
15175  </vuln>
15176
15177  <vuln vid="f69e1f09-e39b-11e5-9f77-5453ed2e2b49">
15178    <topic>websvn -- information disclosure</topic>
15179    <affects>
15180      <package>
15181	<name>websvn</name>
15182	<range><lt>2.3.3_1</lt></range>
15183      </package>
15184    </affects>
15185    <description>
15186      <body xmlns="http://www.w3.org/1999/xhtml">
15187	<p>Thijs Kinkhorst reports:</p>
15188	<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682">
15189	  <p>James Clawson reported:</p>
15190	  <p>"Arbitrary files with a known path can be accessed in websvn by
15191	  committing a symlink to a repository and then downloading the file
15192	  (using the download link).</p>
15193	  <p>An attacker must have write access to the repo, and the download
15194	  option must have been enabled in the websvn config file."</p>
15195	</blockquote>
15196      </body>
15197    </description>
15198    <references>
15199      <cvename>CVE-2013-6892</cvename>
15200      <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6892</url>
15201      <url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682</url>
15202    </references>
15203    <dates>
15204      <discovery>2015-01-18</discovery>
15205      <entry>2016-03-06</entry>
15206    </dates>
15207  </vuln>
15208
15209  <vuln vid="5a016dd0-8aa8-490e-a596-55f4cc17e4ef">
15210    <topic>rails -- multiple vulnerabilities</topic>
15211    <affects>
15212      <package>
15213	<name>rubygem-actionpack</name>
15214	<range><lt>3.2.22.2</lt></range>
15215      </package>
15216      <package>
15217	<name>rubygem-actionpack4</name>
15218	<range><lt>4.2.5.2</lt></range>
15219      </package>
15220      <package>
15221	<name>rubygem-actionview</name>
15222	<range><lt>4.2.5.2</lt></range>
15223      </package>
15224      <package>
15225	<name>rubygem-rails</name>
15226	<range><lt>3.2.22.2</lt></range>
15227      </package>
15228      <package>
15229	<name>rubygem-rails4</name>
15230	<range><lt>4.2.5.2</lt></range>
15231      </package>
15232    </affects>
15233    <description>
15234      <body xmlns="http://www.w3.org/1999/xhtml">
15235	<p>Ruby on Rails blog:</p>
15236	<blockquote cite="http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/">
15237	  <p>Rails 4.2.5.2, 4.1.14.2, and 3.2.22.2 have been released! These
15238	    contain the following important security fixes, and it is
15239	    recommended that users upgrade as soon as possible.</p>
15240	</blockquote>
15241      </body>
15242    </description>
15243    <references>
15244      <cvename>CVE-2016-2097</cvename>
15245      <cvename>CVE-2016-2098</cvename>
15246      <url>https://groups.google.com/d/msg/rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ</url>
15247      <url>https://groups.google.com/d/msg/rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ</url>
15248      <url>http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/</url>
15249    </references>
15250    <dates>
15251      <discovery>2016-02-29</discovery>
15252      <entry>2016-03-06</entry>
15253    </dates>
15254  </vuln>
15255
15256  <vuln vid="f85fa236-e2a6-412e-b5c7-c42120892de5">
15257    <topic>chromium -- multiple vulnerabilities</topic>
15258    <affects>
15259      <package>
15260	<name>chromium</name>
15261	<name>chromium-npapi</name>
15262	<name>chromium-pulse</name>
15263	<range><lt>49.0.2623.75</lt></range>
15264      </package>
15265    </affects>
15266    <description>
15267      <body xmlns="http://www.w3.org/1999/xhtml">
15268	<p>Google Chrome Releases reports:</p>
15269	<blockquote cite="http://googlechromereleases.blogspot.de/2016/03/stable-channel-update.html">
15270	  <p>[560011] High CVE-2016-1630: Same-origin bypass in Blink.</p>
15271	  <p>[569496] High CVE-2016-1631: Same-origin bypass in Pepper Plugin.</p>
15272	  <p>[549986] High CVE-2016-1632: Bad cast in Extensions.</p>
15273	  <p>[572537] High CVE-2016-1633: Use-after-free in Blink.</p>
15274	  <p>[559292] High CVE-2016-1634: Use-after-free in Blink.</p>
15275	  <p>[585268] High CVE-2016-1635: Use-after-free in Blink.</p>
15276	  <p>[584155] High CVE-2016-1636: SRI Validation Bypass.</p>
15277	  <p>[555544] Medium CVE-2016-1637: Information Leak in Skia.</p>
15278	  <p>[585282] Medium CVE-2016-1638: WebAPI Bypass.</p>
15279	  <p>[572224] Medium CVE-2016-1639: Use-after-free in WebRTC.</p>
15280	  <p>[550047] Medium CVE-2016-1640: Origin confusion in Extensions UI.</p>
15281	  <p>[583718] Medium CVE-2016-1641: Use-after-free in Favicon.</p>
15282	  <p>[591402] CVE-2016-1642: Various fixes from internal audits, fuzzing and other initiatives.</p>
15283	  <p>Multiple vulnerabilities in V8 fixed.</p>
15284	</blockquote>
15285      </body>
15286    </description>
15287    <references>
15288      <cvename>CVE-2016-1630</cvename>
15289      <cvename>CVE-2016-1631</cvename>
15290      <cvename>CVE-2016-1632</cvename>
15291      <cvename>CVE-2016-1633</cvename>
15292      <cvename>CVE-2016-1634</cvename>
15293      <cvename>CVE-2016-1635</cvename>
15294      <cvename>CVE-2016-1636</cvename>
15295      <cvename>CVE-2016-1637</cvename>
15296      <cvename>CVE-2016-1638</cvename>
15297      <cvename>CVE-2016-1639</cvename>
15298      <cvename>CVE-2016-1640</cvename>
15299      <cvename>CVE-2016-1641</cvename>
15300      <cvename>CVE-2016-1642</cvename>
15301      <url>http://googlechromereleases.blogspot.de/2016/03/stable-channel-update.html</url>
15302    </references>
15303    <dates>
15304      <discovery>2016-03-02</discovery>
15305      <entry>2016-03-05</entry>
15306    </dates>
15307  </vuln>
15308
15309  <vuln vid="6b3591ea-e2d2-11e5-a6be-5453ed2e2b49">
15310    <topic>libssh -- weak Diffie-Hellman secret generation</topic>
15311    <affects>
15312      <package>
15313	<name>libssh</name>
15314	<range><lt>0.7.3</lt></range>
15315      </package>
15316    </affects>
15317    <description>
15318      <body xmlns="http://www.w3.org/1999/xhtml">
15319	<p>Andreas Schneider reports:</p>
15320	<blockquote cite="https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/">
15321	  <p>libssh versions 0.1 and above have a bits/bytes confusion bug and
15322	  generate an abnormally short ephemeral secret for the
15323	  diffie-hellman-group1 and diffie-hellman-group14 key exchange
15324	  methods. The resulting secret is 128 bits long, instead of the
15325	  recommended sizes of 1024 and 2048 bits respectively. There are
15326	  practical algorithms (Baby steps/Giant steps, Pollard’s rho) that can
15327	  solve this problem in O(2^63) operations.</p>
15328	  <p>Both client and server are vulnerable, pre-authentication.
15329	  This vulnerability could be exploited by an eavesdropper with enough
15330	  resources to decrypt or intercept SSH sessions. The bug was found
15331	  during an internal code review by Aris Adamantiadis of the libssh
15332	  team.</p>
15333	</blockquote>
15334      </body>
15335    </description>
15336    <references>
15337      <cvename>CVE-2016-0739</cvename>
15338      <url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739</url>
15339      <url>https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/</url>
15340    </references>
15341    <dates>
15342      <discovery>2016-02-23</discovery>
15343      <entry>2016-03-05</entry>
15344    </dates>
15345  </vuln>
15346
15347  <vuln vid="7d09b9ee-e0ba-11e5-abc4-6fb07af136d2">
15348    <topic>exim -- local privilege escalation</topic>
15349    <affects>
15350      <package>
15351	<name>exim</name>
15352	<range><lt>4.86.2</lt></range>
15353	<range><lt>4.85.2</lt></range>
15354	<range><lt>4.84.2</lt></range>
15355      </package>
15356    </affects>
15357    <description>
15358      <body xmlns="http://www.w3.org/1999/xhtml">
15359	<p>The Exim development team reports:</p>
15360	<blockquote cite="https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html">
15361	<p>All installations having Exim set-uid root and using 'perl_startup' are
15362	vulnerable to a local privilege escalation. Any user who can start an
15363	instance of Exim (and this is normally <strong>any</strong> user) can gain root
15364	privileges. If you do not use 'perl_startup' you <strong>should</strong> be safe.</p>
15365	</blockquote>
15366      </body>
15367    </description>
15368    <references>
15369      <cvename>CVE-2016-1531</cvename>
15370      <url>https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html</url>
15371    </references>
15372    <dates>
15373      <discovery>2016-02-26</discovery>
15374      <entry>2016-03-02</entry>
15375    </dates>
15376  </vuln>
15377
15378  <vuln vid="db3301be-e01c-11e5-b2bd-002590263bf5">
15379    <topic>cacti -- multiple vulnerabilities</topic>
15380    <affects>
15381      <package>
15382	<name>cacti</name>
15383	<range><lt>0.8.8g</lt></range>
15384      </package>
15385    </affects>
15386    <description>
15387      <body xmlns="http://www.w3.org/1999/xhtml">
15388	<p>The Cacti Group, Inc. reports:</p>
15389	<blockquote cite="http://www.cacti.net/release_notes_0_8_8g.php">
15390	  <p>Changelog</p>
15391	  <ul>
15392	    <li>bug:0002652: CVE-2015-8604: SQL injection in graphs_new.php</li>
15393	    <li>bug:0002655: CVE-2015-8377: SQL injection vulnerability in the
15394	       host_new_graphs_save function in graphs_new.php</li>
15395	    <li>bug:0002656: Authentication using web authentication as a user
15396	       not in the cacti database allows complete access</li>
15397	  </ul>
15398	</blockquote>
15399      </body>
15400    </description>
15401    <references>
15402      <cvename>CVE-2015-8377</cvename>
15403      <cvename>CVE-2015-8604</cvename>
15404      <cvename>CVE-2016-2313</cvename>
15405      <url>http://www.cacti.net/release_notes_0_8_8g.php</url>
15406      <url>http://bugs.cacti.net/view.php?id=2652</url>
15407      <url>http://bugs.cacti.net/view.php?id=2655</url>
15408      <url>http://bugs.cacti.net/view.php?id=2656</url>
15409      <url>http://www.openwall.com/lists/oss-security/2016/02/09/3</url>
15410    </references>
15411    <dates>
15412      <discovery>2016-02-21</discovery>
15413      <entry>2016-03-02</entry>
15414    </dates>
15415  </vuln>
15416
15417  <vuln vid="f682a506-df7c-11e5-81e4-6805ca0b3d42">
15418    <topic>phpmyadmin -- multiple XSS and a man-in-the-middle vulnerability</topic>
15419    <affects>
15420      <package>
15421	<name>phpmyadmin</name>
15422	<range><ge>4.5.0</ge><lt>4.5.5.1</lt></range>
15423      </package>
15424    </affects>
15425    <description>
15426      <body xmlns="http://www.w3.org/1999/xhtml">
15427	<p>The phpMyAdmin development team reports:</p>
15428	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-10/">
15429	  <p>XSS vulnerability in SQL parser.</p>
15430	  <p>Using a crafted SQL query, it is possible to trigger an XSS
15431	    attack through the SQL query page.</p>
15432	  <p>We consider this vulnerability to be non-critical.</p>
15433	</blockquote>
15434	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-11/">
15435	  <p>Multiple XSS vulnerabilities.</p>
15436	  <p>By sending a specially crafted URL as part of the HOST
15437	    header, it is possible to trigger an XSS attack.</p>
15438	  <p>A weakness was found that allows an XSS attack with Internet
15439	    Explorer versions older than 8 and Safari on Windows using a
15440	    specially crafted URL.</p>
15441	  <p>Using a crafted SQL query, it is possible to trigger an XSS
15442	    attack through the SQL query page.</p>
15443	  <p>Using a crafted parameter value, it is possible to trigger
15444	    an XSS attack in user accounts page.</p>
15445	  <p>Using a crafted parameter value, it is possible to trigger
15446	    an XSS attack in zoom search page.</p>
15447	  <p>We consider this vulnerability to be non-critical.</p>
15448	</blockquote>
15449	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-12/">
15450	  <p>Multiple XSS vulnerabilities.</p>
15451	  <p>With a crafted table/column name it is possible to trigger
15452	    an XSS attack in the database normalization page.</p>
15453	  <p>With a crafted parameter it is possible to trigger an XSS
15454	    attack in the database structure page.</p>
15455	  <p>With a crafted parameter it is possible to trigger an XSS
15456	    attack in central columns page.</p>
15457	  <p>We consider this vulnerability to be non-critical.</p>
15458	</blockquote>
15459	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-13/">
15460	  <p>Vulnerability allowing man-in-the-middle attack on API
15461	    call to GitHub.</p>
15462	  <p>A vulnerability in the API call to GitHub can be exploited
15463	    to perform a man-in-the-middle attack.</p>
15464	  <p>We consider this vulnerability to be serious.</p>
15465	</blockquote>
15466      </body>
15467    </description>
15468    <references>
15469      <url>https://www.phpmyadmin.net/security/PMASA-2016-10/</url>
15470      <url>https://www.phpmyadmin.net/security/PMASA-2016-11/</url>
15471      <url>https://www.phpmyadmin.net/security/PMASA-2016-12/</url>
15472      <url>https://www.phpmyadmin.net/security/PMASA-2016-13/</url>
15473      <cvename>CVE-2016-2559</cvename>
15474      <cvename>CVE-2016-2560</cvename>
15475      <cvename>CVE-2016-2561</cvename>
15476      <cvename>CVE-2016-2562</cvename>
15477    </references>
15478    <dates>
15479      <discovery>2016-02-29</discovery>
15480      <entry>2016-03-01</entry>
15481    </dates>
15482  </vuln>
15483
15484  <vuln vid="45117749-df55-11e5-b2bd-002590263bf5">
15485    <topic>wireshark -- multiple vulnerabilities</topic>
15486    <affects>
15487      <package>
15488	<name>wireshark</name>
15489	<name>wireshark-lite</name>
15490	<name>wireshark-qt5</name>
15491	<name>tshark</name>
15492	<name>tshark-lite</name>
15493	<range><lt>2.0.2</lt></range>
15494      </package>
15495    </affects>
15496    <description>
15497      <body xmlns="http://www.w3.org/1999/xhtml">
15498	<p>Wireshark development team reports:</p>
15499	<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.2.html">
15500	  <p>The following vulnerabilities have been fixed:</p>
15501	  <ul>
15502	    <li><p>wnpa-sec-2016-02</p>
15503	      <p>ASN.1 BER dissector crash. (Bug 11828) CVE-2016-2522</p></li>
15504	    <li><p>wnpa-sec-2016-03</p>
15505	      <p>DNP dissector infinite loop. (Bug 11938) CVE-2016-2523</p></li>
15506	    <li><p>wnpa-sec-2016-04</p>
15507	      <p>X.509AF dissector crash. (Bug 12002) CVE-2016-2524</p></li>
15508	    <li><p>wnpa-sec-2016-05</p>
15509	      <p>HTTP/2 dissector crash. (Bug 12077) CVE-2016-2525</p></li>
15510	    <li><p>wnpa-sec-2016-06</p>
15511	      <p>HiQnet dissector crash. (Bug 11983) CVE-2016-2526</p></li>
15512	    <li><p>wnpa-sec-2016-07</p>
15513	      <p>3GPP TS 32.423 Trace file parser crash. (Bug 11982)
15514		CVE-2016-2527</p></li>
15515	    <li><p>wnpa-sec-2016-08</p>
15516	      <p>LBMC dissector crash. (Bug 11984) CVE-2016-2528</p></li>
15517	    <li><p>wnpa-sec-2016-09</p>
15518	      <p>iSeries file parser crash. (Bug 11985) CVE-2016-2529</p></li>
15519	    <li><p>wnpa-sec-2016-10</p>
15520	      <p>RSL dissector crash. (Bug 11829) CVE-2016-2530
15521		CVE-2016-2531</p></li>
15522	    <li><p>wnpa-sec-2016-11</p>
15523	      <p>LLRP dissector crash. (Bug 12048) CVE-2016-2532</p></li>
15524	    <li><p>wnpa-sec-2016-12</p>
15525	      <p>Ixia IxVeriWave file parser crash. (Bug 11795)</p></li>
15526	    <li><p>wnpa-sec-2016-13</p>
15527	      <p>IEEE 802.11 dissector crash. (Bug 11818)</p></li>
15528	    <li><p>wnpa-sec-2016-14</p>
15529	      <p>GSM A-bis OML dissector crash. (Bug 11825)</p></li>
15530	    <li><p>wnpa-sec-2016-15</p>
15531	      <p>ASN.1 BER dissector crash. (Bug 12106)</p></li>
15532	    <li><p>wnpa-sec-2016-16</p>
15533	      <p>SPICE dissector large loop. (Bug 12151)</p></li>
15534	    <li><p>wnpa-sec-2016-17</p>
15535	      <p>NFS dissector crash.</p></li>
15536	    <li><p>wnpa-sec-2016-18</p>
15537	      <p>ASN.1 BER dissector crash. (Bug 11822)</p></li>
15538	  </ul>
15539	</blockquote>
15540      </body>
15541    </description>
15542    <references>
15543      <cvename>CVE-2016-2522</cvename>
15544      <cvename>CVE-2016-2523</cvename>
15545      <cvename>CVE-2016-2524</cvename>
15546      <cvename>CVE-2016-2525</cvename>
15547      <cvename>CVE-2016-2526</cvename>
15548      <cvename>CVE-2016-2527</cvename>
15549      <cvename>CVE-2016-2528</cvename>
15550      <cvename>CVE-2016-2529</cvename>
15551      <cvename>CVE-2016-2530</cvename>
15552      <cvename>CVE-2016-2531</cvename>
15553      <cvename>CVE-2016-2532</cvename>
15554      <cvename>CVE-2016-4415</cvename>
15555      <cvename>CVE-2016-4416</cvename>
15556      <cvename>CVE-2016-4417</cvename>
15557      <cvename>CVE-2016-4418</cvename>
15558      <cvename>CVE-2016-4419</cvename>
15559      <cvename>CVE-2016-4420</cvename>
15560      <cvename>CVE-2016-4421</cvename>
15561      <url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.2.html</url>
15562      <url>http://www.openwall.com/lists/oss-security/2016/05/01/1</url>
15563    </references>
15564    <dates>
15565      <discovery>2016-02-26</discovery>
15566      <entry>2016-03-01</entry>
15567      <modified>2016-07-04</modified>
15568    </dates>
15569  </vuln>
15570
15571  <vuln vid="42c2c422-df55-11e5-b2bd-002590263bf5">
15572    <topic>wireshark -- multiple vulnerabilities</topic>
15573    <affects>
15574      <package>
15575	<name>wireshark</name>
15576	<name>wireshark-lite</name>
15577	<name>wireshark-qt5</name>
15578	<name>tshark</name>
15579	<name>tshark-lite</name>
15580	<range><lt>2.0.1</lt></range>
15581      </package>
15582    </affects>
15583    <description>
15584      <body xmlns="http://www.w3.org/1999/xhtml">
15585	<p>Wireshark development team reports:</p>
15586	<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.1.html">
15587	  <p>The following vulnerabilities have been fixed:</p>
15588	  <ul>
15589	    <li><p>wnpa-sec-2015-31</p>
15590	      <p>NBAP dissector crashes. (Bug 11602, Bug 11835, Bug 11841)</p></li>
15592	    <li><p>wnpa-sec-2015-37</p>
15593	      <p>NLM dissector crash.</p></li>
15594	    <li><p>wnpa-sec-2015-39</p>
15595	      <p>BER dissector crash.</p></li>
15596	    <li><p>wnpa-sec-2015-40</p>
15597	      <p>Zlib decompression crash. (Bug 11548)</p></li>
15598	    <li><p>wnpa-sec-2015-41</p>
15599	      <p>SCTP dissector crash. (Bug 11767)</p></li>
15600	    <li><p>wnpa-sec-2015-42</p>
15601	      <p>802.11 decryption crash. (Bug 11790, Bug 11826)</p></li>
15602	    <li><p>wnpa-sec-2015-43</p>
15603	      <p>DIAMETER dissector crash. (Bug 11792)</p></li>
15604	    <li><p>wnpa-sec-2015-44</p>
15605	      <p>VeriWave file parser crashes. (Bug 11789, Bug 11791)</p></li>
15606	    <li><p>wnpa-sec-2015-45</p>
15607	      <p>RSVP dissector crash. (Bug 11793)</p></li>
15608	    <li><p>wnpa-sec-2015-46</p>
15609	      <p>ANSI A and GSM A dissector crashes. (Bug 11797)</p></li>
15610	    <li><p>wnpa-sec-2015-47</p>
15611	      <p>Ascend file parser crash. (Bug 11794)</p></li>
15612	    <li><p>wnpa-sec-2015-48</p>
15613	      <p>NBAP dissector crash. (Bug 11815)</p></li>
15614	    <li><p>wnpa-sec-2015-49</p>
15615	      <p>RSL dissector crash. (Bug 11829)</p></li>
15616	    <li><p>wnpa-sec-2015-50</p>
15617	      <p>ZigBee ZCL dissector crash. (Bug 11830)</p></li>
15618	    <li><p>wnpa-sec-2015-51</p>
15619	      <p>Sniffer file parser crash. (Bug 11827)</p></li>
15620	    <li><p>wnpa-sec-2015-52</p>
15621	      <p>NWP dissector crash. (Bug 11726)</p></li>
15622	    <li><p>wnpa-sec-2015-53</p>
15623	      <p>BT ATT dissector crash. (Bug 11817)</p></li>
15624	    <li><p>wnpa-sec-2015-54</p>
15625	      <p>MP2T file parser crash. (Bug 11820)</p></li>
15626	    <li><p>wnpa-sec-2015-55</p>
15627	      <p>MP2T file parser crash. (Bug 11821)</p></li>
15628	    <li><p>wnpa-sec-2015-56</p>
15629	      <p>S7COMM dissector crash. (Bug 11823)</p></li>
15630	    <li><p>wnpa-sec-2015-57</p>
15631	      <p>IPMI dissector crash. (Bug 11831)</p></li>
15632	    <li><p>wnpa-sec-2015-58</p>
15633	      <p>TDS dissector crash. (Bug 11846)</p></li>
15634	    <li><p>wnpa-sec-2015-59</p>
15635	      <p>PPI dissector crash. (Bug 11876)</p></li>
15636	    <li><p>wnpa-sec-2015-60</p>
15637	      <p>MS-WSP dissector crash. (Bug 11931)</p></li>
15638	  </ul>
15639	</blockquote>
15640      </body>
15641    </description>
15642    <references>
15643      <url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.1.html</url>
15644    </references>
15645    <dates>
15646      <discovery>2015-12-29</discovery>
15647      <entry>2016-03-01</entry>
15648    </dates>
15649  </vuln>
15650
15651  <vuln vid="7bbc3016-de63-11e5-8fa8-14dae9d210b8">
15652    <topic>tomcat -- multiple vulnerabilities</topic>
15653    <affects>
15654      <package>
15655	<name>tomcat7</name>
15656	<range><lt>7.0.68</lt></range>
15657      </package>
15658      <package>
15659	<name>tomcat8</name>
15660	<range><lt>8.0.30</lt></range>
15661      </package>
15662    </affects>
15663    <description>
15664      <body xmlns="http://www.w3.org/1999/xhtml">
15665	<p>Mark Thomas reports:</p>
15666	<blockquote cite="http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e">
15667	  <ul>
15668	  <li><p>CVE-2015-5346 Apache Tomcat Session fixation</p></li>
15669	  <li><p>CVE-2015-5351 Apache Tomcat CSRF token leak</p></li>
15670	  <li><p>CVE-2016-0763 Apache Tomcat Security Manager Bypass</p></li>
15671	  </ul>
15672	</blockquote>
15673      </body>
15674    </description>
15675    <references>
15676      <url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e</url>
15677      <url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF7B.1010901@apache.org%3e</url>
15678      <url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEFB2.9030605@apache.org%3e</url>
15679      <cvename>CVE-2015-5346</cvename>
15680      <cvename>CVE-2015-5351</cvename>
15681      <cvename>CVE-2016-0763</cvename>
15682    </references>
15683    <dates>
15684      <discovery>2016-02-22</discovery>
15685      <entry>2016-02-28</entry>
15686    </dates>
15687  </vuln>
15688
15689  <vuln vid="1f1124fe-de5c-11e5-8fa8-14dae9d210b8">
15690    <topic>tomcat -- multiple vulnerabilities</topic>
15691    <affects>
15692      <package>
15693	<name>tomcat</name>
15694	<range><lt>6.0.45</lt></range>
15695      </package>
15696      <package>
15697	<name>tomcat7</name>
15698	<range><lt>7.0.68</lt></range>
15699      </package>
15700      <package>
15701	<name>tomcat8</name>
15702	<range><lt>8.0.30</lt></range>
15703      </package>
15704    </affects>
15705    <description>
15706      <body xmlns="http://www.w3.org/1999/xhtml">
15707	<p>Mark Thomas reports:</p>
15708	<blockquote cite="http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e">
15709	  <ul>
15710	  <li><p>CVE-2015-5345 Apache Tomcat Directory disclosure</p></li>
15711	  <li><p>CVE-2016-0706 Apache Tomcat Security Manager bypass</p></li>
15712	  <li><p>CVE-2016-0714 Apache Tomcat Security Manager Bypass</p></li>
15713	  </ul>
15714	</blockquote>
15715      </body>
15716    </description>
15717    <references>
15718      <url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e</url>
15719      <url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF6A.70703@apache.org%3e</url>
15720      <url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF4F.5090003@apache.org%3e</url>
15721      <cvename>CVE-2015-5345</cvename>
15722      <cvename>CVE-2015-5346</cvename>
15723      <cvename>CVE-2016-0706</cvename>
15724      <cvename>CVE-2016-0714</cvename>
15725    </references>
15726    <dates>
15727      <discovery>2016-02-22</discovery>
15728      <entry>2016-02-28</entry>
15729      <modified>2017-03-18</modified>
15730    </dates>
15731  </vuln>
15732
15733  <vuln vid="a7f2e9c6-de20-11e5-8458-6cc21735f730">
15734    <topic>xerces-c3 -- Parser Crashes on Malformed Input</topic>
15735    <affects>
15736      <package>
15737	<name>xerces-c3</name>
15738	<range><lt>3.1.3</lt></range>
15739      </package>
15740    </affects>
15741    <description>
15742      <body xmlns="http://www.w3.org/1999/xhtml">
15743	<p>The Apache Software Foundation reports:</p>
15744	<blockquote cite="http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt">
15745	  <p>The Xerces-C XML parser mishandles certain kinds of malformed input
15746	  documents, resulting in buffer overflows during processing and error
15747	  reporting. The overflows can manifest as a segmentation fault or as
15748	  memory corruption during a parse operation.  The bugs allow for a
15749	  denial of service attack in many applications by an unauthenticated
15750	  attacker, and could conceivably result in remote code execution.</p>
15751	</blockquote>
15752      </body>
15753    </description>
15754    <references>
15755      <cvename>CVE-2016-0729</cvename>
15756      <url>http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt</url>
15757    </references>
15758    <dates>
15759      <discovery>2016-02-25</discovery>
15760      <entry>2016-02-28</entry>
15761    </dates>
15762  </vuln>
15763
15764  <vuln vid="6b1d8a39-ddb3-11e5-8fa8-14dae9d210b8">
15765    <topic>django -- regression in permissions model</topic>
15766    <affects>
15767      <package>
15768	<name>py27-django19</name>
15769	<name>py33-django19</name>
15770	<name>py34-django19</name>
15771	<name>py35-django19</name>
15772	<range><lt>1.9.2</lt></range>
15773      </package>
15774      <package>
15775	<name>py27-django-devel</name>
15776	<name>py33-django-devel</name>
15777	<name>py34-django-devel</name>
15778	<name>py35-django-devel</name>
15779	<range><le>20150709,1</le></range>
15780      </package>
15781    </affects>
15782    <description>
15783      <body xmlns="http://www.w3.org/1999/xhtml">
15784	<p>Tim Graham reports:</p>
15785	<blockquote cite="https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/">
15786	  <p>User with "change" but not "add" permission can create
15787	    objects for ModelAdmin’s with save_as=True</p>
15788	</blockquote>
15789      </body>
15790    </description>
15791    <references>
15792      <url>https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/</url>
15793      <cvename>CVE-2016-2048</cvename>
15794    </references>
15795    <dates>
15796      <discovery>2016-02-01</discovery>
15797      <entry>2016-02-28</entry>
15798    </dates>
15799  </vuln>
15800
15801  <vuln vid="81f9d6a4-ddaf-11e5-b2bd-002590263bf5">
15802    <topic>xen-kernel -- VMX: guest user mode may crash guest with non-canonical RIP</topic>
15803    <affects>
15804      <package>
15805	<name>xen-kernel</name>
15806	<range><lt>4.5.2_2</lt></range>
15807      </package>
15808    </affects>
15809    <description>
15810      <body xmlns="http://www.w3.org/1999/xhtml">
15811	<p>The Xen Project reports:</p>
15812	<blockquote cite="http://xenbits.xen.org/xsa/advisory-170.html">
15813	  <p>VMX refuses attempts to enter a guest with an instruction pointer
15814	    which doesn't satisfy certain requirements. In particular, the
15815	    instruction pointer needs to be canonical when entering a guest
15816	    currently in 64-bit mode. This is the case even if the VM entry
15817	    information specifies an exception to be injected immediately (in
15818	    which case the bad instruction pointer would possibly never get used
15819	    for other than pushing onto the exception handler's stack).
15820	    Provided the guest OS allows user mode to map the virtual memory
15821	    space immediately below the canonical/non-canonical address
15822	    boundary, a non-canonical instruction pointer can result even from
15823	    normal user mode execution. VM entry failure, however, is fatal to
15824	    the guest.</p>
15825	  <p>Malicious HVM guest user mode code may be able to crash the
15826	    guest.</p>
15827	</blockquote>
15828      </body>
15829    </description>
15830    <references>
15831      <cvename>CVE-2016-2271</cvename>
15832      <url>http://xenbits.xen.org/xsa/advisory-170.html</url>
15833    </references>
15834    <dates>
15835      <discovery>2016-02-17</discovery>
15836      <entry>2016-02-28</entry>
15837    </dates>
15838  </vuln>
15839
15840  <vuln vid="80adc394-ddaf-11e5-b2bd-002590263bf5">
15841    <topic>xen-kernel -- VMX: intercept issue with INVLPG on non-canonical address</topic>
15842    <affects>
15843      <package>
15844	<name>xen-kernel</name>
15845	<range><ge>3.3</ge><lt>4.5.2_2</lt></range>
15846      </package>
15847    </affects>
15848    <description>
15849      <body xmlns="http://www.w3.org/1999/xhtml">
15850	<p>The Xen Project reports:</p>
15851	<blockquote cite="http://xenbits.xen.org/xsa/advisory-168.html">
15852	  <p>While INVLPG does not cause a General Protection Fault when used on
15853	    a non-canonical address, INVVPID in its "individual address"
15854	    variant, which is used to back the intercepted INVLPG in certain
15855	    cases, fails in such cases. Failure of INVVPID results in a
15856	    hypervisor bug check.</p>
15857	  <p>A malicious guest can crash the host, leading to a Denial of
15858	    Service.</p>
15859	</blockquote>
15860      </body>
15861    </description>
15862    <references>
15863      <cvename>CVE-2016-1571</cvename>
15864      <url>http://xenbits.xen.org/xsa/advisory-168.html</url>
15865    </references>
15866    <dates>
15867      <discovery>2016-01-20</discovery>
15868      <entry>2016-02-28</entry>
15869    </dates>
15870  </vuln>
15871
15872  <vuln vid="7ed7c36f-ddaf-11e5-b2bd-002590263bf5">
15873    <topic>xen-kernel -- PV superpage functionality missing sanity checks</topic>
15874    <affects>
15875      <package>
15876	<name>xen-kernel</name>
15877	<range><eq>3.4.0</eq></range>
15878	<range><eq>3.4.1</eq></range>
15879	<range><ge>4.1</ge><lt>4.5.2_2</lt></range>
15880      </package>
15881    </affects>
15882    <description>
15883      <body xmlns="http://www.w3.org/1999/xhtml">
15884	<p>The Xen Project reports:</p>
15885	<blockquote cite="http://xenbits.xen.org/xsa/advisory-167.html">
15886	  <p>The PV superpage functionality lacks certain validity checks on
15887	    data being passed to the hypervisor by guests.  This is the case
15888	    for the page identifier (MFN) passed to MMUEXT_MARK_SUPER and
15889	    MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as
15890	    well as for various forms of page table updates.</p>
15891	  <p>Use of the feature, which is disabled by default, may have unknown
15892	    effects, ranging from information leaks through Denial of Service to
15893	    privilege escalation.</p>
15894	</blockquote>
15895      </body>
15896    </description>
15897    <references>
15898      <cvename>CVE-2016-1570</cvename>
15899      <url>http://xenbits.xen.org/xsa/advisory-167.html</url>
15900    </references>
15901    <dates>
15902      <discovery>2016-01-20</discovery>
15903      <entry>2016-02-28</entry>
15904    </dates>
15905  </vuln>
15906
15907  <vuln vid="2d299950-ddb0-11e5-8fa8-14dae9d210b8">
15908    <topic>moodle -- multiple vulnerabilities</topic>
15909    <affects>
15910      <package>
15911	<name>moodle28</name>
15912	<range><lt>2.8.10</lt></range>
15913      </package>
15914      <package>
15915	<name>moodle29</name>
15916	<range><lt>2.9.4</lt></range>
15917      </package>
15918      <package>
15919	<name>moodle30</name>
15920	<range><lt>3.0.2</lt></range>
15921      </package>
15922    </affects>
15923    <description>
15924      <body xmlns="http://www.w3.org/1999/xhtml">
15925	<p>Marina Glancy reports:</p>
15926	<blockquote cite="https://moodle.org/security/">
15927	  <ul>
15928	    <li><p>MSA-16-0001: Two enrolment-related web services don't
15929	    check course visibility</p></li>
15930	    <li><p>MSA-16-0002: XSS Vulnerability in course management
15931	    search</p></li>
15932	  </ul>
15933	</blockquote>
15934      </body>
15935    </description>
15936    <references>
15937      <url>https://moodle.org/security/</url>
15938      <cvename>CVE-2016-0724</cvename>
15939      <cvename>CVE-2016-0725</cvename>
15940    </references>
15941    <dates>
15942      <discovery>2016-01-18</discovery>
15943      <entry>2016-02-28</entry>
15944    </dates>
15945  </vuln>
15946
15947  <vuln vid="6540c8f0-dca3-11e5-8fa8-14dae9d210b8">
15948    <topic>pitivi -- code execution</topic>
15949    <affects>
15950      <package>
15951	<name>pitivi</name>
15952	<range><lt>0.95</lt></range>
15953      </package>
15954    </affects>
15955    <description>
15956      <body xmlns="http://www.w3.org/1999/xhtml">
15957	<p>Luke Farone reports:</p>
15958	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/23/8">
15959	  <p>Double-clicking a file in the user's media library with a
15960	    specially-crafted path or filename allows for arbitrary code execution
15961	    with the permissions of the user running Pitivi.</p>
15962	</blockquote>
15963      </body>
15964    </description>
15965    <references>
15966      <url>http://www.openwall.com/lists/oss-security/2015/12/23/8</url>
15967      <url>https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2</url>
15968      <cvename>CVE-2015-0855</cvename>
15969    </references>
15970    <dates>
15971      <discovery>2015-09-13</discovery>
15972      <entry>2016-02-26</entry>
15973    </dates>
15974  </vuln>
15975
15976  <vuln vid="90c8385a-dc9f-11e5-8fa8-14dae9d210b8">
15977    <topic>giflib -- heap overflow</topic>
15978    <affects>
15979      <package>
15980	<name>giflib</name>
15981	<range><lt>5.1.2</lt></range>
15982      </package>
15983    </affects>
15984    <description>
15985      <body xmlns="http://www.w3.org/1999/xhtml">
15986	<p>Hans Jerry Illikainen reports:</p>
15987	<blockquote cite="http://seclists.org/bugtraq/2015/Dec/114">
15988	  <p>A heap overflow may occur in the giffix utility included in
15989	    giflib-5.1.1 when processing records of the type
15990	    `IMAGE_DESC_RECORD_TYPE' due to the allocated size of `LineBuffer'
15991	    equaling the value of the logical screen width, `GifFileIn-&gt;SWidth',
15992	    while subsequently having `GifFileIn-&gt;Image.Width' bytes of data written
15993	    to it.</p>
15994	</blockquote>
15995      </body>
15996    </description>
15997    <references>
15998      <url>http://seclists.org/bugtraq/2015/Dec/114</url>
15999      <cvename>CVE-2015-7555</cvename>
16000    </references>
16001    <dates>
16002      <discovery>2015-12-21</discovery>
16003      <entry>2016-02-26</entry>
16004    </dates>
16005  </vuln>
16006
16007  <vuln vid="59a0af97-dbd4-11e5-8fa8-14dae9d210b8">
16008    <topic>drupal -- multiple vulnerabilities</topic>
16009    <affects>
16010      <package>
16011	<name>drupal6</name>
16012	<range><lt>6.38</lt></range>
16013      </package>
16014      <package>
16015	<name>drupal7</name>
16016	<range><lt>7.43</lt></range>
16017      </package>
16018      <package>
16019	<name>drupal8</name>
16020	<range><lt>8.0.4</lt></range>
16021      </package>
16022    </affects>
16023    <description>
16024      <body xmlns="http://www.w3.org/1999/xhtml">
16025	<p>Drupal Security Team reports:</p>
16026	<blockquote cite="https://www.drupal.org/SA-CORE-2016-001">
16027	  <ul>
16028	  <li><p>File upload access bypass and denial of service (File
16029	    module - Drupal 7 and 8 - Moderately Critical)</p></li>
16030	  <li><p>Brute force amplification attacks via XML-RPC (XML-RPC
16031	    server - Drupal 6 and 7 - Moderately Critical)</p></li>
16032	  <li><p>Open redirect via path manipulation (Base system -
16033	    Drupal 6, 7 and 8 - Moderately Critical)</p></li>
16034	  <li><p>Form API ignores access restrictions on submit buttons
16035	    (Form API - Drupal 6 - Critical)</p></li>
16036	  <li><p>HTTP header injection using line breaks (Base system -
16037	    Drupal 6 - Moderately Critical)</p></li>
16038	  <li><p>Open redirect via double-encoded 'destination'
16039	    parameter (Base system - Drupal 6 - Moderately Critical)</p></li>
16040	  <li><p>Reflected file download vulnerability (System module -
16041	    Drupal 6 and 7 - Moderately Critical)</p></li>
16042	  <li><p>Saving user accounts can sometimes grant the user all
16043	    roles (User module - Drupal 6 and 7 - Less Critical)</p></li>
16044	  <li><p>Email address can be matched to an account (User module
16045	    - Drupal 7 and 8 - Less Critical)</p></li>
16046	  <li><p>Session data truncation can lead to unserialization of
16047	    user provided data (Base system - Drupal 6 - Less Critical)</p></li>
16048	  </ul>
16049	</blockquote>
16050      </body>
16051    </description>
16052    <references>
16053      <url>https://www.drupal.org/SA-CORE-2016-001</url>
16054    </references>
16055    <dates>
16056      <discovery>2016-02-24</discovery>
16057      <entry>2016-02-25</entry>
16058    </dates>
16059  </vuln>
16060
16061  <vuln vid="7e01df39-db7e-11e5-b937-00e0814cab4e">
16062    <topic>jenkins -- multiple vulnerabilities</topic>
16063    <affects>
16064      <package>
16065	<name>jenkins</name>
16066	<range><le>1.650</le></range>
16067      </package>
16068      <package>
16069	<name>jenkins-lts</name>
16070	<range><le>1.642.2</le></range>
16071      </package>
16072    </affects>
16073    <description>
16074      <body xmlns="http://www.w3.org/1999/xhtml">
16075	<p>Jenkins Security Advisory:</p>
16076	<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Security+Advisory+2016-02-24">
16077	  <h1>Description</h1>
16078	  <h5>SECURITY-232 / CVE-2016-0788 (Remote code execution vulnerability in remoting module)</h5>
16079	  <p>A vulnerability in the Jenkins remoting module allowed
16080	    unauthenticated remote attackers to open a JRMP listener on the
16081	    server hosting the Jenkins master process, which allowed arbitrary
16082	    code execution.</p>
16083	  <h5>SECURITY-238 / CVE-2016-0789 (HTTP response splitting vulnerability)</h5>
16084	  <p>An HTTP response splitting vulnerability in the CLI command
16085	    documentation allowed attackers to craft Jenkins URLs that serve
16086	    malicious content.</p>
16087	  <h5>SECURITY-241 / CVE-2016-0790 (Non-constant time comparison of API token)</h5>
16088	  <p>The verification of user-provided API tokens with the expected
16089	    value did not use a constant-time comparison algorithm, potentially
16090	    allowing attackers to use statistical methods to determine valid
16091	    API tokens using brute-force methods.</p>
16092	  <h5>SECURITY-245 / CVE-2016-0791 (Non-constant time comparison of CSRF crumbs)</h5>
16093	  <p>The verification of user-provided CSRF crumbs with the expected
16094	    value did not use a constant-time comparison algorithm, potentially
16095	    allowing attackers to use statistical methods to determine valid
16096	    CSRF crumbs using brute-force methods.</p>
16097	  <h5>SECURITY-247 / CVE-2016-0792 (Remote code execution through remote API)</h5>
16098	  <p>Jenkins has several API endpoints that allow low-privilege users
16099	    to POST XML files that then get deserialized by Jenkins.
16100	    Maliciously crafted XML files sent to these API endpoints could
16101	    result in arbitrary code execution.</p>
16102	</blockquote>
16103      </body>
16104    </description>
16105    <references>
16106      <url>https://wiki.jenkins-ci.org/display/SECURITY/Security+Advisory+2016-02-24</url>
16107    </references>
16108    <dates>
16109      <discovery>2016-02-24</discovery>
16110      <entry>2016-02-25</entry>
16111    </dates>
16112  </vuln>
16113
16114  <vuln vid="660ebbf5-daeb-11e5-b2bd-002590263bf5">
16115    <topic>squid -- remote DoS in HTTP response processing</topic>
16116    <affects>
16117      <package>
16118	<name>squid</name>
16119	<range><lt>3.5.15</lt></range>
16120      </package>
16121    </affects>
16122    <description>
16123      <body xmlns="http://www.w3.org/1999/xhtml">
16124	<p>Squid security advisory 2016:2 reports:</p>
16125	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_2.txt">
16126	  <p>Due to incorrect bounds checking Squid is vulnerable to a denial
16127	    of service attack when processing HTTP responses.</p>
16128	  <p>These problems allow remote servers delivering certain unusual
16129	    HTTP response syntax to trigger a denial of service for all
16130	    clients accessing the Squid service.</p>
16131	  <p>HTTP responses containing malformed headers that trigger this
16132	    issue are becoming common. We are not certain at this time if
16133	    that is a sign of malware or just broken server scripting.</p>
16134	</blockquote>
16135      </body>
16136    </description>
16137    <references>
16138      <cvename>CVE-2016-2569</cvename>
16139      <cvename>CVE-2016-2570</cvename>
16140      <cvename>CVE-2016-2571</cvename>
16141      <freebsdpr>ports/207454</freebsdpr>
16142      <url>http://www.squid-cache.org/Advisories/SQUID-2016_2.txt</url>
16143      <url>http://www.openwall.com/lists/oss-security/2016/02/24/12</url>
16144    </references>
16145    <dates>
16146      <discovery>2016-02-24</discovery>
16147      <entry>2016-02-24</entry>
16148      <modified>2016-02-28</modified>
16149    </dates>
16150  </vuln>
16151
16152  <vuln vid="9e5bbffc-d8ac-11e5-b2bd-002590263bf5">
16153    <topic>bsh -- remote code execution vulnerability</topic>
16154    <affects>
16155      <package>
16156	<name>bsh</name>
16157	<range><lt>2.0.b6</lt></range>
16158      </package>
16159    </affects>
16160    <description>
16161      <body xmlns="http://www.w3.org/1999/xhtml">
16162	<p>Stian Soiland-Reyes reports:</p>
16163	<blockquote cite="https://github.com/beanshell/beanshell/releases/tag/2.0b6">
16164	  <p>This release fixes a remote code execution vulnerability that was
16165	    identified in BeanShell by Alvaro Muñoz and Christian Schneider.
16166	    The BeanShell team would like to thank them for their help and
16167	    contributions to this fix!</p>
16168	  <p>An application that includes BeanShell on the classpath may be
16169	    vulnerable if another part of the application uses Java
16170	    serialization or XStream to deserialize data from an untrusted
16171	    source.</p>
16172	  <p>A vulnerable application could be exploited for remote code
16173	    execution, including executing arbitrary shell commands.</p>
16174	  <p>This update fixes the vulnerability in BeanShell, but it is worth
16175	    noting that applications doing such deserialization might still be
16176	    insecure through other libraries. It is recommended that application
16177	    developers take further measures such as using a restricted class
16178	    loader when deserializing. See notes on Java serialization security,
16179	    XStream security, and How to secure deserialization from untrusted
16180	    input without using encryption or sealing.</p>
16181	</blockquote>
16182      </body>
16183    </description>
16184    <references>
16185      <cvename>CVE-2016-2510</cvename>
16186      <freebsdpr>ports/207334</freebsdpr>
16187      <url>https://github.com/beanshell/beanshell/releases/tag/2.0b6</url>
16188    </references>
16189    <dates>
16190      <discovery>2016-02-18</discovery>
16191      <entry>2016-02-21</entry>
16192    </dates>
16193  </vuln>
16194
16195  <vuln vid="6171eb07-d8a9-11e5-b2bd-002590263bf5">
16196    <topic>libsrtp -- DoS via crafted RTP header vulnerability</topic>
16197    <affects>
16198      <package>
16199	<name>libsrtp</name>
16200	<range><lt>1.5.3</lt></range>
16201      </package>
16202    </affects>
16203    <description>
16204      <body xmlns="http://www.w3.org/1999/xhtml">
16205	<p>libsrtp reports:</p>
16206	<blockquote cite="https://github.com/cisco/libsrtp/commit/704a31774db0dd941094fd2b47c21638b8dc3de2">
16207	  <p>Prevent potential DoS attack due to lack of bounds checking on RTP
16208	    header CSRC count and extension header length. Credit goes to
16209	    Randell Jesup and the Firefox team for reporting this issue.</p>
16210	</blockquote>
16211      </body>
16212    </description>
16213    <references>
16214      <cvename>CVE-2015-6360</cvename>
16215      <freebsdpr>ports/207003</freebsdpr>
16216      <url>https://github.com/cisco/libsrtp/releases/tag/v1.5.3</url>
16217      <url>https://github.com/cisco/libsrtp/commit/704a31774db0dd941094fd2b47c21638b8dc3de2</url>
16218      <url>https://github.com/cisco/libsrtp/commit/be95365fbb4788b688cab7af61c65b7989055fb4</url>
16219      <url>https://github.com/cisco/libsrtp/commit/be06686c8e98cc7bd934e10abb6f5e971d03f8ee</url>
16220      <url>https://github.com/cisco/libsrtp/commit/cdc69f2acde796a4152a250f869271298abc233f</url>
16221    </references>
16222    <dates>
16223      <discovery>2015-11-02</discovery>
16224      <entry>2016-02-21</entry>
16225    </dates>
16226  </vuln>
16227
16228  <vuln vid="006e3b7c-d7d7-11e5-b85f-0018fe623f2b">
16229    <topic>jasper -- multiple vulnerabilities</topic>
16230    <affects>
16231      <package>
16232	<name>jasper</name>
16233	<range><lt>1.900.1_16</lt></range>
16234      </package>
16235    </affects>
16236    <description>
16237      <body xmlns="http://www.w3.org/1999/xhtml">
16238	<p>oCERT reports:</p>
16239	<blockquote cite="http://www.ocert.org/advisories/ocert-2014-012.html">
16240	  <p>The library is affected by a double-free vulnerability in function
16241	    jas_iccattrval_destroy()
16242	    as well as a heap-based buffer overflow in function jp2_decode().
16243	    A specially crafted jp2 file can be used to trigger the vulnerabilities.</p>
16244	</blockquote>
16245	<p>oCERT reports:</p>
16246	<blockquote cite="http://www.ocert.org/advisories/ocert-2015-001.html">
16247	  <p>The library is affected by an off-by-one error in a buffer boundary check
16248	    in jpc_dec_process_sot(), leading to a heap based buffer overflow, as well
16249	    as multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to
16250	    stack overflow.
16251	    A specially crafted jp2 file can be used to trigger the vulnerabilities.</p>
16252	</blockquote>
16253	<p>oCERT reports:</p>
16254	<blockquote cite="http://www.ocert.org/advisories/ocert-2014-009.html">
16255	  <p>Multiple off-by-one flaws, leading to heap-based buffer overflows, were
16256	    found in the way JasPer decoded JPEG 2000 files. A specially crafted file
16257	    could cause an application using JasPer to crash or,
16258	    possibly, execute arbitrary code.</p>
16259	</blockquote>
16260	<p>limingxing reports:</p>
16261	<blockquote cite="http://seclists.org/oss-sec/2016/q1/233">
16262	  <p>A vulnerability was found in the way JasPer's jas_matrix_clip()
16263	    function parses certain JPEG 2000 image files. A specially crafted file
16264	    could cause an application using JasPer to crash.</p>
16265	</blockquote>
16266      </body>
16267    </description>
16268    <references>
16269      <url>http://www.ocert.org/advisories/ocert-2014-012.html</url>
16270      <url>https://bugzilla.redhat.com/show_bug.cgi?id=1173157</url>
16271      <url>https://bugzilla.redhat.com/show_bug.cgi?id=1173162</url>
16272      <url>http://www.ocert.org/advisories/ocert-2015-001.html</url>
16273      <url>https://bugzilla.redhat.com/show_bug.cgi?id=1179282</url>
16274      <url>http://www.ocert.org/advisories/ocert-2014-009.html</url>
16275      <url>https://bugzilla.redhat.com/show_bug.cgi?id=1167537</url>
16276      <url>http://seclists.org/oss-sec/2016/q1/233</url>
16277      <url>https://bugzilla.redhat.com/show_bug.cgi?id=1302636</url>
16278      <cvename>CVE-2014-8137</cvename>
16279      <cvename>CVE-2014-8138</cvename>
16280      <cvename>CVE-2014-8157</cvename>
16281      <cvename>CVE-2014-8158</cvename>
16282      <cvename>CVE-2014-9029</cvename>
16283      <cvename>CVE-2016-2089</cvename>
16284    </references>
16285    <dates>
16286      <discovery>2014-12-10</discovery>
16287      <entry>2016-02-20</entry>
16288      <modified>2016-02-24</modified>
16289    </dates>
16290  </vuln>
16291
16292  <vuln vid="368993bb-d685-11e5-8858-00262d5ed8ee">
16293    <topic>chromium -- same origin bypass</topic>
16294    <affects>
16295      <package>
16296	<name>chromium</name>
16297	<name>chromium-npapi</name>
16298	<name>chromium-pulse</name>
16299	<range><lt>48.0.2564.116</lt></range>
16300      </package>
16301    </affects>
16302    <description>
16303      <body xmlns="http://www.w3.org/1999/xhtml">
16304	<p>Google Chrome Releases reports:</p>
16305	<blockquote cite="http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_18.html">
16306	  <p>[583431] Critical CVE-2016-1629: Same-origin bypass in Blink
16307	    and Sandbox escape in Chrome. Credit to anonymous.</p>
16308	</blockquote>
16309      </body>
16310    </description>
16311    <references>
16312      <cvename>CVE-2016-1629</cvename>
16313      <url>http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_18.html</url>
16314    </references>
16315    <dates>
16316      <discovery>2016-02-18</discovery>
16317      <entry>2016-02-18</entry>
16318    </dates>
16319  </vuln>
16320
16321  <vuln vid="2dd7e97e-d5e8-11e5-bcbd-bc5ff45d0f28">
16322    <topic>glibc -- getaddrinfo stack-based buffer overflow</topic>
16323    <affects>
16324      <package>
16325	<name>linux_base-c6</name>
16326	<name>linux_base-c6_64</name>
16327	<range><lt>6.7_1</lt></range>
16328      </package>
16329      <package>
16330	<name>linux_base-f10</name>
16331	<range><ge>0</ge></range>
16332      </package>
16333    </affects>
16334    <description>
16335      <body xmlns="http://www.w3.org/1999/xhtml">
16336	<p>Fabio Olive Leite reports:</p>
16337	<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7547">
16338	  <p>A stack-based buffer overflow was found in libresolv when invoked
16339	    from nss_dns, allowing specially crafted DNS responses to seize
16340	    control of EIP in the DNS client. The buffer overflow occurs in the
16341	    functions send_dg (send datagram) and send_vc (send TCP) for the
16342	    NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
16343	    family, or in some cases AF_INET6 family. The use of AF_UNSPEC (or
16344	    AF_INET6 in some cases) triggers the low-level resolver code to
16345	    send out two parallel queries for A and AAAA. A mismanagement of
16346	    the buffers used for those queries could result in the response of
16347	    a query writing beyond the alloca allocated buffer created by
16348	    __res_nquery.</p>
16349	</blockquote>
16350      </body>
16351    </description>
16352    <references>
16353      <cvename>CVE-2015-7547</cvename>
16354      <freebsdpr>ports/207272</freebsdpr>
16355      <url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7547</url>
16356      <url>https://blog.des.no/2016/02/freebsd-and-cve-2015-7547/</url>
16357      <url>https://googleonlinesecurity.blogspot.no/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html</url>
16358      <url>https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html</url>
16359    </references>
16360    <dates>
16361      <discovery>2016-02-16</discovery>
16362      <entry>2016-02-18</entry>
16363    </dates>
16364  </vuln>
16365
16366  <vuln vid="56562efb-d5e4-11e5-b2bd-002590263bf5">
16367    <topic>squid -- SSL/TLS processing remote DoS</topic>
16368    <affects>
16369      <package>
16370	<name>squid</name>
16371	<range><ge>3.5.13</ge><lt>3.5.14</lt></range>
16372      </package>
16373    </affects>
16374    <description>
16375      <body xmlns="http://www.w3.org/1999/xhtml">
16376	<p>Squid security advisory 2016:1 reports:</p>
16377	<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_1.txt">
16378	  <p>Due to incorrectly handling server errors Squid is vulnerable to a
16379	    denial of service attack when connecting to TLS or SSL servers.</p>
16380	  <p>This problem allows any trusted client to perform a denial of
16381	    service attack on the Squid service regardless of whether TLS or
16382	    SSL is configured for use in the proxy.</p>
16383	  <p>Misconfigured client or server software may trigger this issue
16384	    to perform a denial of service unintentionally.</p>
16385	  <p>However, the bug is exploitable only if Squid is built using the
16386	    --with-openssl option.</p>
16387	</blockquote>
16388	<p>The FreeBSD port does not use SSL by default and is not vulnerable
16389	  in the default configuration.</p>
16390      </body>
16391    </description>
16392    <references>
16393      <cvename>CVE-2016-2390</cvename>
16394      <freebsdpr>ports/207294</freebsdpr>
16395      <url>http://www.squid-cache.org/Advisories/SQUID-2016_1.txt</url>
16396    </references>
16397    <dates>
16398      <discovery>2016-02-16</discovery>
16399      <entry>2016-02-18</entry>
16400    </dates>
16401  </vuln>
16402
16403  <vuln vid="dd563930-d59a-11e5-8fa8-14dae9d210b8">
16404    <topic>adminer -- remote code execution</topic>
16405    <affects>
16406      <package>
16407	<name>adminer</name>
16408	<range><lt>4.2.4</lt></range>
16409      </package>
16410    </affects>
16411    <description>
16412      <body xmlns="http://www.w3.org/1999/xhtml">
16413	<p>Jakub Vrana reports:</p>
16414	<blockquote cite="https://github.com/vrana/adminer/commit/e5352cc5acad21513bb02677e2021b80bf7e7b8b">
16415	  <p>Fix remote code execution in SQLite query</p>
16416	</blockquote>
16417      </body>
16418    </description>
16419    <references>
16420      <url>https://github.com/vrana/adminer/commit/e5352cc5acad21513bb02677e2021b80bf7e7b8b</url>
16421    </references>
16422    <dates>
16423      <discovery>2016-02-06</discovery>
16424      <entry>2016-02-17</entry>
16425    </dates>
16426  </vuln>
16427
16428  <vuln vid="18201a1c-d59a-11e5-8fa8-14dae9d210b8">
16429    <topic>adminer -- XSS vulnerability</topic>
16430    <affects>
16431      <package>
16432	<name>adminer</name>
16433	<range><lt>4.2.3</lt></range>
16434      </package>
16435    </affects>
16436    <description>
16437      <body xmlns="http://www.w3.org/1999/xhtml">
16438	<p>Jakub Vrana reports:</p>
16439	<blockquote cite="https://github.com/vrana/adminer/commit/4be0b6655e0bf415960659db2a6dd4e60eebbd66">
16440	  <p>Fix XSS in indexes (non-MySQL only)</p>
16441	</blockquote>
16442      </body>
16443    </description>
16444    <references>
16445      <url>https://github.com/vrana/adminer/commit/4be0b6655e0bf415960659db2a6dd4e60eebbd66</url>
16446    </references>
16447    <dates>
16448      <discovery>2015-11-08</discovery>
16449      <entry>2016-02-17</entry>
16450    </dates>
16451  </vuln>
16452
16453  <vuln vid="ad91ee9b-d599-11e5-8fa8-14dae9d210b8">
16454    <topic>adminer -- XSS vulnerability</topic>
16455    <affects>
16456      <package>
16457	<name>adminer</name>
16458	<range><lt>4.2.2</lt></range>
16459      </package>
16460    </affects>
16461    <description>
16462      <body xmlns="http://www.w3.org/1999/xhtml">
16463	<p>Jakub Vrana reports:</p>
16464	<blockquote cite="https://github.com/vrana/adminer/commit/596f8df373cd3efe5bcb6013858bd7a6bb5ecb2c">
16465	  <p>Fix XSS in alter table</p>
16466	</blockquote>
16467      </body>
16468    </description>
16469    <references>
16470      <url>https://github.com/vrana/adminer/commit/596f8df373cd3efe5bcb6013858bd7a6bb5ecb2c</url>
16471    </references>
16472    <dates>
16473      <discovery>2015-08-05</discovery>
16474      <entry>2016-02-17</entry>
16475    </dates>
16476  </vuln>
16477
16478  <vuln vid="8cf54d73-d591-11e5-8fa8-14dae9d210b8">
16479    <topic>adminer -- XSS vulnerability</topic>
16480    <affects>
16481      <package>
16482	<name>adminer</name>
16483	<range><lt>4.2.0</lt></range>
16484      </package>
16485    </affects>
16486    <description>
16487      <body xmlns="http://www.w3.org/1999/xhtml">
16488	<p>Jakub Vrana reports:</p>
16489	<blockquote cite="https://github.com/vrana/adminer/commit/c990de3b3ee1816afb130bd0e1570577bf54a8e5">
16490	  <p>Fix XSS in login form</p>
16491	</blockquote>
16492      </body>
16493    </description>
16494    <references>
16495      <url>https://github.com/vrana/adminer/commit/c990de3b3ee1816afb130bd0e1570577bf54a8e5</url>
16496      <url>https://sourceforge.net/p/adminer/bugs-and-features/436/</url>
16497    </references>
16498    <dates>
16499      <discovery>2015-01-30</discovery>
16500      <entry>2016-02-17</entry>
16501    </dates>
16502  </vuln>
16503
16504  <vuln vid="95b92e3b-d451-11e5-9794-e8e0b747a45a">
16505    <topic>libgcrypt -- side-channel attack on ECDH</topic>
16506    <affects>
16507      <package>
16508	<name>libgcrypt</name>
16509	<range><lt>1.6.5</lt></range>
16510      </package>
16511    </affects>
16512    <description>
16513      <body xmlns="http://www.w3.org/1999/xhtml">
16514	<p>GnuPG reports:</p>
16515	<blockquote cite="https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html">
16516	  <p>Mitigate side-channel attack on ECDH with Weierstrass curves.</p>
16517	</blockquote>
16518      </body>
16519    </description>
16520    <references>
16521      <cvename>CVE-2015-7511</cvename>
16522      <url>https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html</url>
16523    </references>
16524    <dates>
16525      <discovery>2016-02-09</discovery>
16526      <entry>2016-02-16</entry>
16527    </dates>
16528  </vuln>
16529
16530  <vuln vid="f1bf28c5-d447-11e5-b2bd-002590263bf5">
16531    <topic>xdelta3 -- buffer overflow vulnerability</topic>
16532    <affects>
16533      <package>
16534	<name>xdelta3</name>
16535	<range><lt>3.0.9,1</lt></range>
16536      </package>
16537    </affects>
16538    <description>
16539      <body xmlns="http://www.w3.org/1999/xhtml">
16540	<p>Stepan Golosunov reports:</p>
16541	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/02/08/1">
16542	  <p>A buffer overflow was found and fixed in the xdelta3 binary diff tool
16543	    that allows arbitrary code execution from input files at least on
16544	    some systems.</p>
16545	</blockquote>
16546      </body>
16547    </description>
16548    <references>
16549      <cvename>CVE-2014-9765</cvename>
16550      <url>http://www.openwall.com/lists/oss-security/2016/02/08/1</url>
16551      <url>https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2</url>
16552    </references>
16553    <dates>
16554      <discovery>2014-10-08</discovery>
16555      <entry>2016-02-16</entry>
16556    </dates>
16557  </vuln>
16558
16559  <vuln vid="172b22cb-d3f6-11e5-ac9e-485d605f4717">
16560    <topic>firefox -- Same-origin-policy violation using Service Workers with plugins</topic>
16561    <affects>
16562      <package>
16563	<name>firefox</name>
16564	<range><lt>44.0.2,1</lt></range>
16565      </package>
16566      <package>
16567	<name>linux-firefox</name>
16568	<range><lt>44.0.2,1</lt></range>
16569      </package>
16570    </affects>
16571    <description>
16572      <body xmlns="http://www.w3.org/1999/xhtml">
16573	<p>The Mozilla Foundation reports:</p>
16574	<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44.0.2">
16575	  <p>MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept
16576	    responses to plugin network requests made through the browser. Plugins which
16577	    make security decisions based on the content of network requests can have these
16578	    decisions subverted if a service worker forges responses to those requests. For
16579	    example, a forged crossdomain.xml could allow a malicious site to violate the
16580	    same-origin policy using the Flash plugin.</p>
16581	</blockquote>
16582      </body>
16583    </description>
16584    <references>
16585      <cvename>CVE-2016-1949</cvename>
16586      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-13/</url>
16587    </references>
16588    <dates>
16589      <discovery>2016-02-11</discovery>
16590      <entry>2016-02-15</entry>
16591    </dates>
16592  </vuln>
16593
16594  <vuln vid="07718e2b-d29d-11e5-a95f-b499baebfeaf">
16595    <topic>nghttp2 -- Out of memory in nghttpd, nghttp, and libnghttp2_asio</topic>
16596    <affects>
16597      <package>
16598	<name>nghttp2</name>
16599	<range><lt>1.7.1</lt></range>
16600      </package>
16601    </affects>
16602    <description>
16603      <body xmlns="http://www.w3.org/1999/xhtml">
16604	<p>Nghttp2 reports:</p>
16605	<blockquote cite="https://nghttp2.org/blog/2016/02/11/nghttp2-v1-7-1/">
16606	  <p>Out of memory in nghttpd, nghttp, and libnghttp2_asio applications
16607	   due to unlimited incoming HTTP header fields.</p>
16608	  <p>nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage
16609	   for the incoming HTTP header field. If a peer sends specially crafted HTTP/2
16610	   HEADERS frames and CONTINUATION frames, they will crash with an out-of-memory
16611	   error.</p>
16612	  <p>Note that libnghttp2 itself is not affected by this vulnerability.</p>
16613	</blockquote>
16614      </body>
16615    </description>
16616    <references>
16617      <url>http://nghttp2.org/blog/2016/02/11/nghttp2-v1-7-1/</url>
16618      <cvename>CVE-2016-1544</cvename>
16619    </references>
16620    <dates>
16621      <discovery>2016-02-03</discovery>
16622      <entry>2016-02-13</entry>
16623    </dates>
16624  </vuln>
16625
16626  <vuln vid="3aa8b781-d2c4-11e5-b2bd-002590263bf5">
16627    <topic>horde -- XSS vulnerabilities</topic>
16628    <affects>
16629      <package>
16630	<name>horde</name>
16631	<range><lt>5.2.9</lt></range>
16632      </package>
16633      <package>
16634	<name>pear-Horde_Core</name>
16635	<range><lt>2.22.6</lt></range>
16636      </package>
16637    </affects>
16638    <description>
16639      <body xmlns="http://www.w3.org/1999/xhtml">
16640	<p>The Horde Team reports:</p>
16641	<blockquote cite="http://lists.horde.org/archives/announce/2016/001149.html">
16642	  <p>Fixed XSS vulnerabilities in menu bar and form renderer.</p>
16643	</blockquote>
16644      </body>
16645    </description>
16646    <references>
16647      <cvename>CVE-2015-8807</cvename>
16648      <cvename>CVE-2016-2228</cvename>
16649      <url>https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253</url>
16650      <url>https://bugs.horde.org/ticket/14213</url>
16651      <url>https://github.com/horde/horde/commit/f03301cf6edcca57121a15e80014c4d0f29d99a0</url>
16652      <url>https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8</url>
16653      <url>http://www.openwall.com/lists/oss-security/2016/02/06/4</url>
16654      <url>http://lists.horde.org/archives/announce/2016/001149.html</url>
16655    </references>
16656    <dates>
16657      <discovery>2016-02-02</discovery>
16658      <entry>2016-02-14</entry>
16659    </dates>
16660  </vuln>
16661
16662  <vuln vid="e8b6605b-d29f-11e5-8458-6cc21735f730">
    <topic>PostgreSQL -- Security Fixes for Regular Expressions, PL/Java</topic>
16664    <affects>
16665      <package>
16666	<name>postgresql91-server</name>
16667	<range><ge>9.1.0</ge><lt>9.1.20</lt></range>
16668      </package>
16669      <package>
16670	<name>postgresql92-server</name>
16671	<range><ge>9.2.0</ge><lt>9.2.15</lt></range>
16672      </package>
16673      <package>
16674	<name>postgresql93-server</name>
16675	<range><ge>9.3.0</ge><lt>9.3.11</lt></range>
16676      </package>
16677      <package>
16678	<name>postgresql94-server</name>
16679	<range><ge>9.4.0</ge><lt>9.4.6</lt></range>
16680      </package>
16681      <package>
16682	<name>postgresql95-server</name>
16683	<range><ge>9.5.0</ge><lt>9.5.1</lt></range>
16684      </package>
16685    </affects>
16686    <description>
16687      <body xmlns="http://www.w3.org/1999/xhtml">
16688	<p>PostgreSQL project reports:</p>
16689	<blockquote cite="http://www.postgresql.org/about/news/1644/">
16690	  <p>
16691	  Security Fixes for Regular Expressions, PL/Java
16692	  </p>
16693	  <ul>
16694	    <li>CVE-2016-0773: This release closes security hole CVE-2016-0773,
16695	     an issue with regular expression (regex) parsing. Prior code allowed
16696	     users to pass in expressions which included out-of-range Unicode
16697	     characters, triggering a backend crash.  This issue is critical for
16698	     PostgreSQL systems with untrusted users or which generate regexes
16699	     based on user input.
16700	    </li>
	    <li>CVE-2016-0766: The update also fixes CVE-2016-0766, a privilege
	     escalation issue for users of PL/Java.  Certain custom configuration
	     settings (GUCS) for PL/Java will now be modifiable only by the
	     database superuser.
	    </li>
16706	  </ul>
16707	</blockquote>
16708      </body>
16709    </description>
16710    <references>
16711      <cvename>CVE-2016-0773</cvename>
16712      <cvename>CVE-2016-0766</cvename>
16713    </references>
16714    <dates>
16715      <discovery>2016-02-08</discovery>
16716      <entry>2016-02-12</entry>
16717    </dates>
16718  </vuln>
16719
16720  <vuln vid="5d8e56c3-9e67-4d5b-81c9-3a409dfd705f">
16721    <topic>flash -- multiple vulnerabilities</topic>
16722    <affects>
16723      <package>
16724	<name>linux-c6-flashplugin</name>
16725	<name>linux-f10-flashplugin</name>
16726	<name>linux-c6_64-flashplugin</name>
16727	<range><lt>11.2r202.569</lt></range>
16728      </package>
16729    </affects>
16730    <description>
16731      <body xmlns="http://www.w3.org/1999/xhtml">
16732	<p>Adobe reports:</p>
16733	<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-04.html">
16734	  <p>These updates resolve a type confusion vulnerability that
16735	    could lead to code execution (CVE-2016-0985).</p>
16736	  <p>These updates resolve use-after-free vulnerabilities that
16737	    could lead to code execution (CVE-2016-0973, CVE-2016-0974,
16738	    CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984).</p>
16739	  <p>These updates resolve a heap buffer overflow vulnerability
16740	    that could lead to code execution (CVE-2016-0971).</p>
16741	  <p>These updates resolve memory corruption vulnerabilities
16742	    that could lead to code execution (CVE-2016-0964,
16743	    CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968,
16744	    CVE-2016-0969, CVE-2016-0970, CVE-2016-0972, CVE-2016-0976,
16745	    CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980,
16746	    CVE-2016-0981).</p>
16747	</blockquote>
16748      </body>
16749    </description>
16750    <references>
16751      <cvename>CVE-2016-0964</cvename>
16752      <cvename>CVE-2016-0965</cvename>
16753      <cvename>CVE-2016-0966</cvename>
16754      <cvename>CVE-2016-0967</cvename>
16755      <cvename>CVE-2016-0968</cvename>
16756      <cvename>CVE-2016-0969</cvename>
16757      <cvename>CVE-2016-0970</cvename>
16758      <cvename>CVE-2016-0971</cvename>
16759      <cvename>CVE-2016-0972</cvename>
16760      <cvename>CVE-2016-0973</cvename>
16761      <cvename>CVE-2016-0974</cvename>
16762      <cvename>CVE-2016-0975</cvename>
16763      <cvename>CVE-2016-0976</cvename>
16764      <cvename>CVE-2016-0977</cvename>
16765      <cvename>CVE-2016-0978</cvename>
16766      <cvename>CVE-2016-0979</cvename>
16767      <cvename>CVE-2016-0980</cvename>
16768      <cvename>CVE-2016-0981</cvename>
16769      <cvename>CVE-2016-0982</cvename>
16770      <cvename>CVE-2016-0983</cvename>
16771      <cvename>CVE-2016-0984</cvename>
16772      <cvename>CVE-2016-0985</cvename>
16773      <url>https://helpx.adobe.com/security/products/flash-player/apsb16-04.html</url>
16774    </references>
16775    <dates>
16776      <discovery>2016-02-09</discovery>
16777      <entry>2016-02-10</entry>
16778    </dates>
16779  </vuln>
16780
16781  <vuln vid="515b4327-cf8a-11e5-96d6-14dae9d210b8">
16782    <topic>dnscrypt-proxy -- code execution</topic>
16783    <affects>
16784      <package>
16785	<name>dnscrypt-proxy</name>
16786	<range><ge>1.1.0</ge><lt>1.6.1</lt></range>
16787      </package>
16788    </affects>
16789    <description>
16790      <body xmlns="http://www.w3.org/1999/xhtml">
16791	<p>Frank Denis reports:</p>
16792	<blockquote cite="https://github.com/jedisct1/dnscrypt-proxy/blob/1d129f7d5f0d469308967cbe4eacb4a6919f1fa1/NEWS#L2-L8">
16793	  <p>Malformed packets could lead to denial of service or code
16794	    execution.</p>
16795	</blockquote>
16796      </body>
16797    </description>
16798    <references>
16799      <url>https://github.com/jedisct1/dnscrypt-proxy/blob/1d129f7d5f0d469308967cbe4eacb4a6919f1fa1/NEWS#L2-L8</url>
16800    </references>
16801    <dates>
16802      <discovery>2016-02-02</discovery>
16803      <entry>2016-02-10</entry>
16804      <modified>2016-02-14</modified>
16805    </dates>
16806  </vuln>
16807
16808  <vuln vid="36034227-cf81-11e5-9c2b-00262d5ed8ee">
16809    <topic>chromium -- multiple vulnerabilities</topic>
16810    <affects>
16811      <package>
16812	<name>chromium</name>
16813	<name>chromium-npapi</name>
16814	<name>chromium-pulse</name>
16815	<range><lt>48.0.2564.109</lt></range>
16816      </package>
16817    </affects>
16818    <description>
16819      <body xmlns="http://www.w3.org/1999/xhtml">
16820	<p>Google Chrome Releases reports:</p>
16821	<blockquote cite="http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_9.html">
16822	  <p>6 security fixes in this release, including:</p>
16823	  <ul>
16824	    <li>[546677] High CVE-2016-1622: Same-origin bypass in Extensions.
16825	      Credit to anonymous.</li>
16826	    <li>[577105] High CVE-2016-1623: Same-origin bypass in DOM. Credit
16827	      to Mariusz Mlynski.</li>
16828	    <li>[509313] Medium CVE-2016-1625: Navigation bypass in Chrome
16829	      Instant. Credit to Jann Horn.</li>
16830	    <li>[571480] Medium CVE-2016-1626: Out-of-bounds read in PDFium.
16831	      Credit to anonymous, working with HP's Zero Day Initiative.</li>
16832	    <li>[585517] CVE-2016-1627: Various fixes from internal audits,
16833	      fuzzing and other initiatives.</li>
16834	  </ul>
16835	</blockquote>
16836      </body>
16837    </description>
16838    <references>
16839      <cvename>CVE-2016-1622</cvename>
16840      <cvename>CVE-2016-1623</cvename>
16841      <cvename>CVE-2016-1625</cvename>
16842      <cvename>CVE-2016-1626</cvename>
16843      <cvename>CVE-2016-1627</cvename>
16844      <url>http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_9.html</url>
16845    </references>
16846    <dates>
16847      <discovery>2016-02-08</discovery>
16848      <entry>2016-02-09</entry>
16849      <modified>2016-03-08</modified>
16850    </dates>
16851  </vuln>
16852
16853  <vuln vid="8f10fa04-cf6a-11e5-96d6-14dae9d210b8">
16854    <topic>graphite2 -- code execution vulnerability</topic>
16855    <affects>
16856      <package>
16857	<name>graphite2</name>
16858	<range><lt>1.3.5</lt></range>
16859      </package>
16860      <package>
16861	<name>silgraphite</name>
16862	<range><lt>2.3.1_4</lt></range>
16863      </package>
16864      <package>
16865	<name>linux-thunderbird</name>
16866	<range><lt>38.6.0</lt></range>
16867      </package>
16868    </affects>
16869    <description>
16870      <body xmlns="http://www.w3.org/1999/xhtml">
16871	<p>Talos reports:</p>
16872	<blockquote cite="http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html">
16873	  <ul>
16874	  <li><p>An exploitable denial of service vulnerability exists
16875	    in the font handling of Libgraphite. A specially crafted font can cause
16876	    an out-of-bounds read potentially resulting in an information leak or
16877	    denial of service.</p></li>
16878	  <li><p>A specially crafted font can cause a buffer overflow
16879	    resulting in potential code execution.</p></li>
16880	  <li><p>An exploitable NULL pointer dereference exists in the
16881	    bidirectional font handling functionality of Libgraphite. A specially
16882	    crafted font can cause a NULL pointer dereference resulting in a
16883	    crash.</p></li>
16884	  </ul>
16885	</blockquote>
16886      </body>
16887    </description>
16888    <references>
16889      <url>http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html</url>
16890      <url>http://www.talosintel.com/reports/TALOS-2016-0061/</url>
16891      <url>https://www.mozilla.org/security/advisories/mfsa2016-14/</url>
16892      <cvename>CVE-2016-1521</cvename>
16893      <cvename>CVE-2016-1522</cvename>
16894      <cvename>CVE-2016-1523</cvename>
16895      <cvename>CVE-2016-1526</cvename>
16896    </references>
16897    <dates>
16898      <discovery>2016-02-05</discovery>
16899      <entry>2016-02-09</entry>
16900      <modified>2016-03-08</modified>
16901    </dates>
16902  </vuln>
16903
16904  <vuln vid="1cecd5e0-c372-11e5-96d6-14dae9d210b8">
16905    <topic>xymon-server -- multiple vulnerabilities</topic>
16906    <affects>
16907      <package>
16908	<name>xymon-server</name>
16909	<range><lt>4.3.25</lt></range>
16910      </package>
16911    </affects>
16912    <description>
16913      <body xmlns="http://www.w3.org/1999/xhtml">
16914	<p>J.C. Cleaver reports:</p>
16915	<blockquote cite="http://lists.xymon.com/pipermail/xymon/2016-February/042986.html">
16916	  <ul>
16917	  <li><p>CVE-2016-2054: Buffer overflow in xymond handling of
16918	    "config" command</p></li>
	  <li><p>CVE-2016-2055: Access to possibly confidential files
	    in the Xymon configuration directory</p></li>
16921	  <li><p>CVE-2016-2056: Shell command injection in the
16922	    "useradm" and "chpasswd" web applications</p></li>
16923	  <li><p>CVE-2016-2057: Incorrect permissions on IPC queues
16924	    used by the xymond daemon can bypass IP access filtering</p></li>
16925	  <li><p>CVE-2016-2058: Javascript injection in "detailed status
16926	    webpage" of monitoring items; XSS vulnerability via malformed
16927	    acknowledgment messages</p></li>
16928	  </ul>
16929	</blockquote>
16930      </body>
16931    </description>
16932    <references>
16933      <url>http://lists.xymon.com/pipermail/xymon/2016-February/042986.html</url>
16934      <cvename>CVE-2016-2054</cvename>
16935      <cvename>CVE-2016-2055</cvename>
16936      <cvename>CVE-2016-2056</cvename>
16937      <cvename>CVE-2016-2057</cvename>
16938      <cvename>CVE-2016-2058</cvename>
16939    </references>
16940    <dates>
16941      <discovery>2016-01-19</discovery>
16942      <entry>2016-02-09</entry>
16943    </dates>
16944  </vuln>
16945
16946  <vuln vid="85eb4e46-cf16-11e5-840f-485d605f4717">
16947    <topic>php -- multiple vulnerabilities</topic>
16948    <affects>
16949      <package>
16950	<name>php55</name>
16951	<name>php55-phar</name>
16952	<name>php55-wddx</name>
16953	<range><lt>5.5.32</lt></range>
16954      </package>
16955      <package>
16956	<name>php56</name>
16957	<name>php56-phar</name>
16958	<name>php56-wddx</name>
16959	<range><lt>5.6.18</lt></range>
16960      </package>
16961    </affects>
16962    <description>
16963      <body xmlns="http://www.w3.org/1999/xhtml">
16964	<p>PHP reports:</p>
16965	<blockquote cite="http://php.net/ChangeLog-5.php#5.6.18">
16966	  <ul><li>Core:
16967	  <ul>
16968	    <li>Fixed bug #71039 (exec functions ignore length but look for NULL
16969	      termination).</li>
16970	    <li>Fixed bug #71323 (Output of stream_get_meta_data can be
16971	      falsified by its input).</li>
16972	    <li>Fixed bug #71459 (Integer overflow in iptcembed()).</li>
16973	  </ul></li>
16974	  <li>PCRE:
16975	  <ul>
16976	    <li>Upgraded bundled PCRE library to 8.38.(CVE-2015-8383,
16977	      CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390,
16978	      CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)</li>
16979	  </ul></li>
16980	  <li>Phar:
16981	  <ul>
16982	    <li>Fixed bug #71354 (Heap corruption in tar/zip/phar parser).</li>
16983	    <li>Fixed bug #71391 (NULL Pointer Dereference in
16984	      phar_tar_setupmetadata()).</li>
16985	    <li>Fixed bug #71488 (Stack overflow when decompressing tar
16986	      archives). (CVE-2016-2554)</li>
16987	  </ul></li>
16988	  <li>WDDX:
16989	  <ul>
16990	    <li>Fixed bug #71335 (Type Confusion in WDDX Packet
16991	      Deserialization).</li>
16992	  </ul></li>
16993	  </ul>
16994	</blockquote>
16995      </body>
16996    </description>
16997    <references>
16998      <cvename>CVE-2015-8383</cvename>
16999      <cvename>CVE-2015-8386</cvename>
17000      <cvename>CVE-2015-8387</cvename>
17001      <cvename>CVE-2015-8389</cvename>
17002      <cvename>CVE-2015-8390</cvename>
17003      <cvename>CVE-2015-8391</cvename>
17004      <cvename>CVE-2015-8393</cvename>
17005      <cvename>CVE-2015-8394</cvename>
17006      <cvename>CVE-2016-2554</cvename>
17007      <url>http://php.net/ChangeLog-5.php#5.6.18</url>
17008      <url>http://php.net/ChangeLog-5.php#5.5.32</url>
17009    </references>
17010    <dates>
17011      <discovery>2016-02-04</discovery>
17012      <entry>2016-02-09</entry>
17013      <modified>2016-03-13</modified>
17014    </dates>
17015  </vuln>
17016
17017  <vuln vid="a8de962a-cf15-11e5-805c-5453ed2e2b49">
17018    <topic>py-imaging, py-pillow -- Buffer overflow in PCD decoder</topic>
17019    <affects>
17020      <package>
17021	<name>py27-pillow</name>
17022	<name>py33-pillow</name>
17023	<name>py34-pillow</name>
17024	<name>py35-pillow</name>
17025	<range><lt>2.9.0_1</lt></range>
17026      </package>
17027      <package>
17028	<name>py27-imaging</name>
17029	<range><lt>1.1.7_6</lt></range>
17030      </package>
17031    </affects>
17032    <description>
17033      <body xmlns="http://www.w3.org/1999/xhtml">
17034	<p>The Pillow maintainers report:</p>
17035	<blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html">
17036	  <p>In all versions of Pillow, dating back at least to the last PIL
17037	    1.1.7 release, PcdDecode.c has a buffer overflow error.</p>
17038	  <p>The state.buffer for PcdDecode.c is allocated based on a 3 bytes
17039	    per pixel sizing, where PcdDecode.c wrote into the buffer assuming
17040	    4 bytes per pixel. This writes 768 bytes beyond the end of the
17041	    buffer into other Python object storage. In some cases, this causes
17042	    a segfault, in others an internal Python malloc error.</p>
17043	</blockquote>
17044      </body>
17045    </description>
17046    <references>
17047      <mlist>http://openwall.com/lists/oss-security/2016/02/02/5</mlist>
17048      <url>https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4</url>
17049      <url>https://github.com/python-pillow/Pillow/issues/568</url>
17050    </references>
17051    <dates>
17052      <discovery>2016-02-02</discovery>
17053      <entry>2016-02-09</entry>
17054    </dates>
17055  </vuln>
17056
17057  <vuln vid="0519db18-cf15-11e5-805c-5453ed2e2b49">
17058    <topic>py-pillow -- Integer overflow in Resample.c</topic>
17059    <affects>
17060      <package>
17061	<name>py27-pillow</name>
17062	<name>py33-pillow</name>
17063	<name>py34-pillow</name>
17064	<name>py35-pillow</name>
17065	<range><lt>2.9.0_1</lt></range>
17066      </package>
17067    </affects>
17068    <description>
17069      <body xmlns="http://www.w3.org/1999/xhtml">
17070	<p>The Pillow maintainers report:</p>
17071	<blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html">
17072	  <p>If a large value was passed into the new size for an image, it is
17073	    possible to overflow an int32 value passed into malloc, leading the
17074	    malloc’d buffer to be undersized. These allocations are followed by
17075	    a loop that writes out of bounds. This can lead to corruption on
17076	    the heap of the Python process with attacker controlled float
17077	    data.</p>
17078	  <p>This issue was found by Ned Williamson.</p>
17079	</blockquote>
17080      </body>
17081    </description>
17082    <references>
17083      <url>https://github.com/python-pillow/Pillow/commit/41fae6d9e2da741d2c5464775c7f1a609ea03798</url>
17084      <url>https://github.com/python-pillow/Pillow/issues/1710</url>
17085    </references>
17086    <dates>
17087      <discovery>2016-02-05</discovery>
17088      <entry>2016-02-09</entry>
17089    </dates>
17090  </vuln>
17091
17092  <vuln vid="6ea60e00-cf13-11e5-805c-5453ed2e2b49">
17093    <topic>py-imaging, py-pillow -- Buffer overflow in FLI decoding code</topic>
17094    <affects>
17095      <package>
17096	<name>py27-pillow</name>
17097	<name>py33-pillow</name>
17098	<name>py34-pillow</name>
17099	<name>py35-pillow</name>
17100	<range><lt>2.9.0_1</lt></range>
17101      </package>
17102      <package>
17103	<name>py27-imaging</name>
17104	<range><lt>1.1.7_6</lt></range>
17105      </package>
17106    </affects>
17107    <description>
17108      <body xmlns="http://www.w3.org/1999/xhtml">
17109	<p>The Pillow maintainers report:</p>
17110	<blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html">
17111	  <p>In all versions of Pillow, dating back at least to the last PIL
17112	    1.1.7 release, FliDecode.c has a buffer overflow error.</p>
17113	  <p>There is a memcpy error where x is added to a target buffer
17114	    address. X is used in several internal temporary variable roles,
17115	    but can take a value up to the width of the image. Im-&gt;image[y]
17116	    is a set of row pointers to segments of memory that are the size of
17117	    the row. At the max y, this will write the contents of the line off
17118	    the end of the memory buffer, causing a segfault.</p>
17119	  <p>This issue was found by Alyssa Besseling at Atlassian.</p>
17120	</blockquote>
17121      </body>
17122    </description>
17123    <references>
17124      <cvename>CVE-2016-0775</cvename>
17125      <url>https://github.com/python-pillow/Pillow/commit/bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec</url>
17126    </references>
17127    <dates>
17128      <discovery>2016-02-05</discovery>
17129      <entry>2016-02-09</entry>
17130    </dates>
17131  </vuln>
17132
17133  <vuln vid="53252879-cf11-11e5-805c-5453ed2e2b49">
17134    <topic>py-pillow -- Buffer overflow in TIFF decoding code</topic>
17135    <affects>
17136      <package>
17137	<name>py27-pillow</name>
17138	<name>py33-pillow</name>
17139	<name>py34-pillow</name>
17140	<name>py35-pillow</name>
17141	<range><lt>2.9.0_1</lt></range>
17142      </package>
17143    </affects>
17144    <description>
17145      <body xmlns="http://www.w3.org/1999/xhtml">
17146	<p>The Pillow maintainers report:</p>
17147	<blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html">
17148	  <p>Pillow 3.1.0 and earlier when linked against libtiff &gt;= 4.0.0 on
17149	    x64 may overflow a buffer when reading a specially crafted tiff
17150	    file.</p>
17151	  <p>Specifically, libtiff &gt;= 4.0.0 changed the return type of
17152	    TIFFScanlineSize from int32 to machine dependent int32|64. If the
17153	    scanline is sized so that it overflows an int32, it may be
17154	    interpreted as a negative number, which will then pass the size check
17155	    in TiffDecode.c line 236. To do this, the logical scanline size has
17156	    to be &gt; 2gb, and for the test file, the allocated buffer size is 64k
17157	    against a roughly 4gb scan line size. Any image data over 64k is
17158	    written over the heap, causing a segfault.</p>
17159	  <p>This issue was found by security researcher FourOne.</p>
17160	</blockquote>
17161      </body>
17162    </description>
17163    <references>
17164      <cvename>CVE-2016-0740</cvename>
17165      <url>https://github.com/python-pillow/Pillow/commit/6dcbf5bd96b717c58d7b642949da8d323099928e</url>
17166    </references>
17167    <dates>
17168      <discovery>2016-02-04</discovery>
17169      <entry>2016-02-09</entry>
17170    </dates>
17171  </vuln>
17172
17173  <vuln vid="6ac79ed8-ccc2-11e5-932b-5404a68ad561">
17174    <topic>ffmpeg -- remote denial of service in JPEG2000 decoder</topic>
17175    <affects>
17176      <package>
17177	<name>ffmpeg</name>
17178	<range><lt>2.8.6,1</lt></range>
17179      </package>
17180      <package>
17181	<name>mplayer</name>
17182	<name>mencoder</name>
17183	<range>
17184	  <lt>1.2.r20151219_3</lt>
17185	</range>
17186      </package>
17187    </affects>
17188    <description>
17189      <body xmlns="http://www.w3.org/1999/xhtml">
17190	<p>FFmpeg security reports:</p>
17191	<blockquote cite="https://www.ffmpeg.org/security.html">
17192	  <p>FFmpeg 2.8.6 fixes the following vulnerabilities:
17193	    CVE-2016-2213</p>
17194	</blockquote>
17195      </body>
17196    </description>
17197    <references>
17198      <cvename>CVE-2016-2213</cvename>
17199      <url>https://www.ffmpeg.org/security.html</url>
17200    </references>
17201    <dates>
17202      <discovery>2016-01-27</discovery>
17203      <entry>2016-02-06</entry>
17204    </dates>
17205  </vuln>
17206
17207  <vuln vid="448047e9-030e-4ce4-910b-f21a3ad5d9a0">
17208    <topic>shotwell -- not verifying certificates</topic>
17209    <affects>
17210      <package>
17211	<name>shotwell</name>
17212	<range><lt>0.22.0.99</lt></range>
17213      </package>
17214    </affects>
17215    <description>
17216      <body xmlns="http://www.w3.org/1999/xhtml">
17217	<p>Michael Catanzaro reports:</p>
17218	<blockquote cite="https://mail.gnome.org/archives/distributor-list/2016-January/msg00000.html">
17219	  <p>Shotwell has a serious security issue ("Shotwell does not
17220	    verify TLS certificates").  Upstream is no longer active and
17221	    I do not expect any further upstream releases unless someone
17222	    from the community steps up to maintain it.</p>
17223
17224	  <p>What is the impact of the issue? If you ever used any of
17225	    the publish functionality (publish to Facebook, publish to
17226	    Flickr, etc.), your passwords may have been stolen; changing
17227	    them is not a bad idea.</p>
17228
17229	  <p>What is the risk of the update? Regressions. The easiest
17230	    way to validate TLS certificates was to upgrade WebKit; it
17231	    seems to work but I don't have accounts with the online
17232	    services it supports, so I don't know if photo publishing
17233	    still works properly on all the services.</p>
17234	</blockquote>
17235      </body>
17236    </description>
17237    <references>
17238      <url>https://mail.gnome.org/archives/distributor-list/2016-January/msg00000.html</url>
17239    </references>
17240    <dates>
17241      <discovery>2016-01-06</discovery>
17242      <entry>2016-02-05</entry>
17243    </dates>
17244  </vuln>
17245
17246  <vuln vid="1091d2d1-cb2e-11e5-b14b-bcaec565249c">
17247    <topic>webkit -- UI spoof</topic>
17248    <affects>
17249      <package>
17250	<name>webkit-gtk2</name>
17251	<name>webkit-gtk3</name>
17252	<range><lt>2.4.9_1</lt></range>
17253      </package>
17254    </affects>
17255    <description>
17256      <body xmlns="http://www.w3.org/1999/xhtml">
17257	<p>webkit reports:</p>
17258	<blockquote cite="http://webkitgtk.org/security/WSA-2015-0002.html">
17259	  <p>The ScrollView::paint function in platform/scroll/ScrollView.cpp
17260	    in Blink, as used in Google Chrome before 35.0.1916.114, allows
17261	    remote attackers to spoof the UI by extending scrollbar painting
17262	    into the parent frame.</p>
17263	</blockquote>
17264      </body>
17265    </description>
17266    <references>
17267      <cvename>CVE-2014-1748</cvename>
17268      <url>http://webkitgtk.org/security/WSA-2015-0002.html</url>
17269    </references>
17270    <dates>
17271      <discovery>2015-12-28</discovery>
17272      <entry>2016-02-04</entry>
17273    </dates>
17274  </vuln>
17275
17276  <vuln vid="e78bfc9d-cb1e-11e5-b251-0050562a4d7b">
17277    <topic>py-rsa -- Bleichenbacher'06 signature forgery vulnerability</topic>
17278    <affects>
17279      <package>
17280	<name>py27-rsa</name>
17281	<name>py32-rsa</name>
17282	<name>py33-rsa</name>
17283	<name>py34-rsa</name>
17284	<name>py35-rsa</name>
17285	<range><lt>3.3</lt></range>
17286      </package>
17287    </affects>
17288    <description>
17289      <body xmlns="http://www.w3.org/1999/xhtml">
17290	<p>Filippo Valsorda reports:</p>
17291	<blockquote cite="https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/">
17292	  <p>
17293	   python-rsa is vulnerable to a straightforward variant of the
17294	   Bleichenbacher'06 attack against RSA signature verification
17295	   with low public exponent.</p>
17296	</blockquote>
17297      </body>
17298    </description>
17299    <references>
17300      <cvename>CVE-2016-1494</cvename>
17301      <url>https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/</url>
17302      <url>https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by</url>
17303      <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1494</url>
17304      <url>http://www.openwall.com/lists/oss-security/2016/01/05/3</url>
17305      <url>http://www.openwall.com/lists/oss-security/2016/01/05/1</url>
17306    </references>
17307    <dates>
17308      <discovery>2016-01-05</discovery>
17309      <entry>2016-02-04</entry>
17310    </dates>
17311  </vuln>
17312
17313  <vuln vid="559f3d1b-cb1d-11e5-80a4-001999f8d30b">
17314    <topic>asterisk -- Multiple vulnerabilities</topic>
17315    <affects>
17316      <package>
17317	<name>asterisk</name>
17318	<range><lt>1.8.32.3_5</lt></range>
17319      </package>
17320      <package>
17321	<name>asterisk11</name>
17322	<range><lt>11.21.1</lt></range>
17323      </package>
17324      <package>
17325	<name>asterisk13</name>
17326	<range><lt>13.7.1</lt></range>
17327      </package>
17328    </affects>
17329    <description>
17330      <body xmlns="http://www.w3.org/1999/xhtml">
17331	<p>The Asterisk project reports:</p>
17332	<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
17333	  <p>AST-2016-001 - BEAST vulnerability in HTTP server</p>
17334	  <p>AST-2016-002 - File descriptor exhaustion in chan_sip</p>
17335	  <p>AST-2016-003 - Remote crash vulnerability when receiving UDPTL FAX data</p>
17336	</blockquote>
17337      </body>
17338    </description>
17339    <references>
17340      <url>http://downloads.asterisk.org/pub/security/AST-2016-001.html</url>
17341      <cvename>CVE-2011-3389</cvename>
17342      <url>http://downloads.asterisk.org/pub/security/AST-2016-002.html</url>
17343      <cvename>CVE-2016-2316</cvename>
17344      <url>http://downloads.asterisk.org/pub/security/AST-2016-003.html</url>
17345      <cvename>CVE-2016-2232</cvename>
17346    </references>
17347    <dates>
17348      <discovery>2016-02-03</discovery>
17349      <entry>2016-02-04</entry>
17350      <modified>2016-03-07</modified>
17351    </dates>
17352  </vuln>
17353
17354  <vuln vid="0652005e-ca96-11e5-96d6-14dae9d210b8">
17355    <topic>salt -- code execution</topic>
17356    <affects>
17357      <package>
17358	<name>py27-salt</name>
17359	<name>py32-salt</name>
17360	<name>py33-salt</name>
17361	<name>py34-salt</name>
17362	<name>py35-salt</name>
17363	<range><ge>2015.8.0</ge><lt>2015.8.4</lt></range>
17364      </package>
17365    </affects>
17366    <description>
17367      <body xmlns="http://www.w3.org/1999/xhtml">
17368	<p>SaltStack reports:</p>
17369	<blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2015.8.4.html">
17370	  <p>Improper handling of clear messages on the minion, which
17371	    could result in executing commands not sent by the master.</p>
17372	</blockquote>
17373      </body>
17374    </description>
17375    <references>
17376      <url>https://docs.saltstack.com/en/latest/topics/releases/2015.8.4.html</url>
17377      <url>https://github.com/saltstack/salt/pull/30613/files</url>
17378      <cvename>CVE-2016-1866</cvename>
17379    </references>
17380    <dates>
17381      <discovery>2016-01-25</discovery>
17382      <entry>2016-02-03</entry>
17383    </dates>
17384  </vuln>
17385
17386  <vuln vid="bb0ef21d-0e1b-461b-bc3d-9cba39948888">
17387    <topic>rails -- multiple vulnerabilities</topic>
17388    <affects>
17389      <package>
17390	<name>rubygem-actionpack</name>
17391	<range><lt>3.2.22.1</lt></range>
17392      </package>
17393      <package>
17394	<name>rubygem-actionpack4</name>
17395	<range><lt>4.2.5.1</lt></range>
17396      </package>
17397      <package>
17398	<name>rubygem-actionview</name>
17399	<range><lt>4.2.5.1</lt></range>
17400      </package>
17401      <package>
17402	<name>rubygem-activemodel4</name>
17403	<range><lt>4.2.5.1</lt></range>
17404      </package>
17405      <package>
17406	<name>rubygem-activerecord</name>
17407	<range><lt>3.2.22.1</lt></range>
17408      </package>
17409      <package>
17410	<name>rubygem-activerecord4</name>
17411	<range><lt>4.2.5.1</lt></range>
17412      </package>
17413      <package>
17414	<name>rubygem-rails</name>
17415	<range><lt>3.2.22.1</lt></range>
17416      </package>
17417      <package>
17418	<name>rubygem-rails-html-sanitizer</name>
17419	<range><lt>1.0.3</lt></range>
17420      </package>
17421      <package>
17422	<name>rubygem-rails4</name>
17423	<range><lt>4.2.5.1</lt></range>
17424      </package>
17425    </affects>
17426    <description>
17427      <body xmlns="http://www.w3.org/1999/xhtml">
17428	<p>Ruby on Rails blog:</p>
17429	<blockquote cite="http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/">
17430	  <p>Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been
17431	    released! These contain important security fixes, and it is
17432	    recommended that users upgrade as soon as possible.</p>
17433	</blockquote>
17434      </body>
17435    </description>
17436    <references>
17437      <cvename>CVE-2015-7576</cvename>
17438      <cvename>CVE-2015-7577</cvename>
17439      <cvename>CVE-2015-7581</cvename>
17440      <cvename>CVE-2016-0751</cvename>
17441      <cvename>CVE-2016-0752</cvename>
17442      <cvename>CVE-2016-0753</cvename>
17443      <url>https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ</url>
17444      <url>https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ</url>
17445      <url>https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ</url>
17446      <url>https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ</url>
17447      <url>https://groups.google.com/d/msg/rubyonrails-security/335P1DcLG00/OfB9_LhbFQAJ</url>
17448      <url>https://groups.google.com/d/msg/rubyonrails-security/6jQVC1geukQ/8oYETcxbFQAJ</url>
17449      <url>http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/</url>
17450    </references>
17451    <dates>
17452      <discovery>2016-01-25</discovery>
17453      <entry>2016-02-02</entry>
17454    </dates>
17455  </vuln>
17456
17457  <vuln vid="a52a7172-c92e-11e5-96d6-14dae9d210b8">
17458    <topic>socat -- diffie hellman parameter was not prime</topic>
17459    <affects>
17460      <package>
17461	<name>socat</name>
17462	<range><ge>1.7.2.5</ge><lt>1.7.3.1</lt></range>
17463      </package>
17464    </affects>
17465    <description>
17466      <body xmlns="http://www.w3.org/1999/xhtml">
17467	<p>socat reports:</p>
17468	<blockquote cite="http://www.dest-unreach.org/socat/contrib/socat-secadv7.html">
17469	  <p>In the OpenSSL address implementation the hard coded 1024
17470	    bit DH p parameter was not prime. The effective cryptographic strength
17471	    of a key exchange using these parameters was weaker than the one one
17472	    could get by using a prime p. Moreover, since there is no indication of
17473	    how these parameters were chosen, the existence of a trapdoor that makes
17474	    it possible for an eavesdropper to recover the shared secret from a key
17475	    exchange that uses them cannot be ruled out.</p>
17476	</blockquote>
17477      </body>
17478    </description>
17479    <references>
17480      <url>http://www.dest-unreach.org/socat/contrib/socat-secadv7.html</url>
17481    </references>
17482    <dates>
17483      <discovery>2016-02-01</discovery>
17484      <entry>2016-02-01</entry>
17485    </dates>
17486  </vuln>
17487
17488  <vuln vid="4f00dac0-1e18-4481-95af-7aaad63fd303">
17489    <topic>mozilla -- multiple vulnerabilities</topic>
17490    <affects>
17491      <package>
17492	<name>firefox</name>
17493	<name>linux-firefox</name>
17494	<range><lt>44.0,1</lt></range>
17495      </package>
17496      <package>
17497	<name>seamonkey</name>
17498	<name>linux-seamonkey</name>
17499	<range><lt>2.41</lt></range>
17500      </package>
17501      <package>
17502	<name>firefox-esr</name>
17503	<range><lt>38.6.0,1</lt></range>
17504      </package>
17505      <package>
17506	<name>libxul</name>
17507	<name>thunderbird</name>
17508	<name>linux-thunderbird</name>
17509	<range><lt>38.6.0</lt></range>
17510      </package>
17511    </affects>
17512    <description>
17513      <body xmlns="http://www.w3.org/1999/xhtml">
17514	<p>Mozilla Foundation reports:</p>
17515	<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44">
17516	  <p>MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0
17517	    / rv:38.6)</p>
17518	  <p>MFSA 2016-02 Out of Memory crash when parsing GIF format
17519	    images</p>
17520	  <p>MFSA 2016-03 Buffer overflow in WebGL after out of memory
17521	    allocation</p>
17522	  <p>MFSA 2016-04 Firefox allows for control characters to be
17523	    set in cookie names</p>
17524	  <p>MFSA 2016-06 Missing delay following user click events in
17525	    protocol handler dialog</p>
17526	  <p>MFSA 2016-09 Addressbar spoofing attacks</p>
17527	  <p>MFSA 2016-10 Unsafe memory manipulation found through
17528	    code inspection</p>
17529	  <p>MFSA 2016-11 Application Reputation service disabled in
17530	    Firefox 43</p>
17531	</blockquote>
17532      </body>
17533    </description>
17534    <references>
17535      <cvename>CVE-2015-7208</cvename>
17536      <cvename>CVE-2016-1930</cvename>
17537      <cvename>CVE-2016-1931</cvename>
17538      <cvename>CVE-2016-1933</cvename>
17539      <cvename>CVE-2016-1935</cvename>
17540      <cvename>CVE-2016-1937</cvename>
17541      <cvename>CVE-2016-1939</cvename>
17542      <cvename>CVE-2016-1942</cvename>
17543      <cvename>CVE-2016-1943</cvename>
17544      <cvename>CVE-2016-1944</cvename>
17545      <cvename>CVE-2016-1945</cvename>
17546      <cvename>CVE-2016-1946</cvename>
17547      <cvename>CVE-2016-1947</cvename>
17548      <url>https://www.mozilla.org/security/advisories/mfsa2016-01/</url>
17549      <url>https://www.mozilla.org/security/advisories/mfsa2016-02/</url>
17550      <url>https://www.mozilla.org/security/advisories/mfsa2016-03/</url>
17551      <url>https://www.mozilla.org/security/advisories/mfsa2016-04/</url>
17552      <url>https://www.mozilla.org/security/advisories/mfsa2016-06/</url>
17553      <url>https://www.mozilla.org/security/advisories/mfsa2016-09/</url>
17554      <url>https://www.mozilla.org/security/advisories/mfsa2016-10/</url>
17555      <url>https://www.mozilla.org/security/advisories/mfsa2016-11/</url>
17556    </references>
17557    <dates>
17558      <discovery>2016-01-26</discovery>
17559      <entry>2016-02-01</entry>
17560      <modified>2016-03-08</modified>
17561    </dates>
17562  </vuln>
17563
17564  <vuln vid="e00d8b94-c88a-11e5-b5fe-002590263bf5">
17565    <topic>gdcm -- multiple vulnerabilities</topic>
17566    <affects>
17567      <package>
17568	<name>gdcm</name>
17569	<range><lt>2.6.2</lt></range>
17570      </package>
17571    </affects>
17572    <description>
17573      <body xmlns="http://www.w3.org/1999/xhtml">
17574	<p>CENSUS S.A. reports:</p>
17575	<blockquote cite="http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/">
17576	  <p>GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are
17577	    prone to an integer overflow vulnerability which leads to a buffer
17578	    overflow and potentially to remote code execution.</p>
17579	</blockquote>
17580	<blockquote cite="http://census-labs.com/news/2016/01/11/gdcm-out-bounds-read-jpeglscodec-decodeextent/">
17581	  <p>GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are
17582	    prone to an out-of-bounds read vulnerability due to missing checks.</p>
17584	</blockquote>
17585      </body>
17586    </description>
17587    <references>
17588      <cvename>CVE-2015-8396</cvename>
17589      <cvename>CVE-2015-8397</cvename>
17590      <url>http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/</url>
17591      <url>http://census-labs.com/news/2016/01/11/gdcm-out-bounds-read-jpeglscodec-decodeextent/</url>
17592    </references>
17593    <dates>
17594      <discovery>2015-12-23</discovery>
17595      <entry>2016-02-01</entry>
17596    </dates>
17597  </vuln>
17598
17599  <vuln vid="c1c18ee1-c711-11e5-96d6-14dae9d210b8">
17600    <topic>nginx -- multiple vulnerabilities</topic>
17601    <affects>
17602      <package>
17603	<name>nginx</name>
17604	<range><lt>1.8.1,2</lt></range>
17605      </package>
17606      <package>
17607	<name>nginx-devel</name>
17608	<range><lt>1.9.10</lt></range>
17609      </package>
17610    </affects>
17611    <description>
17612      <body xmlns="http://www.w3.org/1999/xhtml">
17613	<p>Maxim Dounin reports:</p>
17614	<blockquote cite="http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html">
17615	  <p>Several problems in the nginx resolver were identified, which
17616	    might allow an attacker to cause a worker process crash, or might have
17617	    other potential impact if the "resolver" directive
17618	    is used in a configuration file.</p>
17619	</blockquote>
17620      </body>
17621    </description>
17622    <references>
17623      <url>http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html</url>
17624      <cvename>CVE-2016-0742</cvename>
17625      <cvename>CVE-2016-0746</cvename>
17626      <cvename>CVE-2016-0747</cvename>
17627    </references>
17628    <dates>
17629      <discovery>2016-01-26</discovery>
17630      <entry>2016-01-30</entry>
17631    </dates>
17632  </vuln>
17633
17634  <vuln vid="a0d77bc8-c6a7-11e5-96d6-14dae9d210b8">
17635    <topic>typo3 -- multiple vulnerabilities</topic>
17636    <affects>
17637      <package>
17638	<name>typo3</name>
17639	<range><lt>7.6.1</lt></range>
17640      </package>
17641      <package>
17642	<name>typo3-lts</name>
17643	<range><lt>6.2.16</lt></range>
17644      </package>
17645    </affects>
17646    <description>
17647      <body xmlns="http://www.w3.org/1999/xhtml">
17648	<p>TYPO3 Security Team reports:</p>
17649	<blockquote cite="http://lists.typo3.org/pipermail/typo3-announce/2015/000351.html">
17650	  <p>It has been discovered that TYPO3 CMS is susceptible to
17651	    Cross-Site Scripting and Cross-Site Flashing.</p>
17652	</blockquote>
17653      </body>
17654    </description>
17655    <references>
17656      <url>http://lists.typo3.org/pipermail/typo3-announce/2015/000351.html</url>
17657      <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-010/</url>
17658      <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-011/</url>
17659      <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-012/</url>
17660      <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/</url>
17661      <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-014/</url>
17662      <url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-015/</url>
17663    </references>
17664    <dates>
17665      <discovery>2015-12-15</discovery>
17666      <entry>2016-01-29</entry>
17667    </dates>
17668  </vuln>
17669
17670  <vuln vid="93eadedb-c6a6-11e5-96d6-14dae9d210b8">
17671    <topic>nghttp2 -- use after free</topic>
17672    <affects>
17673      <package>
17674	<name>nghttp2</name>
17675	<range><lt>1.6.0</lt></range>
17676      </package>
17677    </affects>
17678    <description>
17679      <body xmlns="http://www.w3.org/1999/xhtml">
17680	<p>nghttp2 reports:</p>
17681	<blockquote cite="https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/">
17682	  <p>This release fixes a heap-use-after-free bug in the idle stream
17683	    handling code. We strongly recommend upgrading older installations
17684	    to this latest version as soon as possible.</p>
17685	</blockquote>
17686      </body>
17687    </description>
17688    <references>
17689      <url>https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/</url>
17690      <cvename>CVE-2015-8659</cvename>
17691    </references>
17692    <dates>
17693      <discovery>2015-12-23</discovery>
17694      <entry>2016-01-29</entry>
17695    </dates>
17696  </vuln>
17697
17698  <vuln vid="3166222b-c6a4-11e5-96d6-14dae9d210b8">
17699    <topic>owncloud -- multiple vulnerabilities</topic>
17700    <affects>
17701      <package>
17702	<name>owncloud</name>
17703	<range><lt>8.2.2</lt></range>
17704      </package>
17705    </affects>
17706    <description>
17707      <body xmlns="http://www.w3.org/1999/xhtml">
17708	<p>Owncloud reports:</p>
17709	<blockquote cite="https://owncloud.org/blog/owncloud-8-2-2-8-1-5-8-0-10-and-7-0-12-here-with-sharing-ldap-fixes/">
17710	  <ul>
17711	    <li><p>Reflected XSS in OCS provider discovery
17712	      (oC-SA-2016-001)</p></li>
17713	    <li><p>Information Exposure Through Directory Listing in the
17714	      file scanner (oC-SA-2016-002)</p></li>
17715	    <li><p>Disclosure of files that begin with ".v" due to
17716	      unchecked return value (oC-SA-2016-003)</p></li>
17717	  </ul>
17718	</blockquote>
17719      </body>
17720    </description>
17721    <references>
17722      <url>https://owncloud.org/blog/owncloud-8-2-2-8-1-5-8-0-10-and-7-0-12-here-with-sharing-ldap-fixes/</url>
17723      <url>https://owncloud.org/security/advisory/?id=oc-sa-2016-001</url>
17724      <url>https://owncloud.org/security/advisory/?id=oc-sa-2016-002</url>
17725      <url>https://owncloud.org/security/advisory/?id=oc-sa-2016-003</url>
17726      <cvename>CVE-2016-1498</cvename>
17727      <cvename>CVE-2016-1499</cvename>
17728      <cvename>CVE-2016-1500</cvename>
17729    </references>
17730    <dates>
17731      <discovery>2015-12-23</discovery>
17732      <entry>2016-01-29</entry>
17733    </dates>
17734  </vuln>
17735
17736  <vuln vid="ff824eea-c69c-11e5-96d6-14dae9d210b8">
17737    <topic>radicale -- multiple vulnerabilities</topic>
17738    <affects>
17739      <package>
17740	<name>py27-radicale</name>
17741	<name>py32-radicale</name>
17742	<name>py33-radicale</name>
17743	<name>py34-radicale</name>
17744	<range><lt>1.1</lt></range>
17745      </package>
17746    </affects>
17747    <description>
17748      <body xmlns="http://www.w3.org/1999/xhtml">
17749	<p>Radicale reports:</p>
17750	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/06/4">
17751	  <p>The multifilesystem backend allows access to arbitrary
17752	    files on all platforms.</p>
17753	  <p>Prevent regex injection in rights management.</p>
17754	</blockquote>
17755      </body>
17756    </description>
17757    <references>
17758      <url>http://www.openwall.com/lists/oss-security/2016/01/06/4</url>
17759      <cvename>CVE-2015-8747</cvename>
17760      <cvename>CVE-2015-8748</cvename>
17761    </references>
17762    <dates>
17763      <discovery>2015-12-24</discovery>
17764      <entry>2016-01-29</entry>
17765    </dates>
17766  </vuln>
17767
17768  <vuln vid="7a59e283-c60b-11e5-bf36-6805ca0b3d42">
17769    <topic>phpmyadmin -- XSS vulnerability in SQL editor</topic>
17770    <affects>
17771      <package>
17772	<name>phpmyadmin</name>
17773	<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
17774      </package>
17775    </affects>
17776    <description>
17777      <body xmlns="http://www.w3.org/1999/xhtml">
17778	<p>The phpMyAdmin development team reports:</p>
17779	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-9/">
17780	  <p>With a crafted SQL query, it is possible to trigger an
17781	    XSS attack in the SQL editor.</p>
17782	  <p>We consider this vulnerability to be non-critical.</p>
17783	  <p>This vulnerability can be triggered only by someone who is
17784	    logged in to phpMyAdmin, as the usual token protection
17785	    prevents non-logged-in users from accessing the required
17786	    pages.</p>
17787	</blockquote>
17788      </body>
17789    </description>
17790    <references>
17791      <url>https://www.phpmyadmin.net/security/PMASA-2016-9/</url>
17792      <cvename>CVE-2016-2045</cvename>
17793    </references>
17794    <dates>
17795      <discovery>2016-01-28</discovery>
17796      <entry>2016-01-28</entry>
17797    </dates>
17798  </vuln>
17799
17800  <vuln vid="78b4ebfb-c60b-11e5-bf36-6805ca0b3d42">
17801    <topic>phpmyadmin -- Full path disclosure vulnerability in SQL parser</topic>
17802    <affects>
17803      <package>
17804	<name>phpmyadmin</name>
17805	<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
17806      </package>
17807    </affects>
17808    <description>
17809      <body xmlns="http://www.w3.org/1999/xhtml">
17810	<p>The phpMyAdmin development team reports:</p>
17811	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-8/">
17812	  <p>By calling a particular script that is part of phpMyAdmin
17813	    in an unexpected way, it is possible to trigger phpMyAdmin
17814	    to display a PHP error message which contains the full path
17815	    of the directory where phpMyAdmin is installed.</p>
17816	  <p>We consider this vulnerability to be non-critical.</p>
17817	  <p>This path disclosure is possible on servers where the
17818	    recommended setting of the PHP configuration directive
17819	    display_errors is set to on, which is against the
17820	    recommendations given in the PHP manual for a production
17821	    server.</p>
17822	</blockquote>
17823      </body>
17824    </description>
17825    <references>
17826      <url>https://www.phpmyadmin.net/security/PMASA-2016-8/</url>
17827      <cvename>CVE-2016-2044</cvename>
17828    </references>
17829    <dates>
17830      <discovery>2016-01-28</discovery>
17831      <entry>2016-01-28</entry>
17832    </dates>
17833  </vuln>
17834
17835  <vuln vid="7694927f-c60b-11e5-bf36-6805ca0b3d42">
17836    <topic>phpmyadmin -- XSS vulnerability in normalization page</topic>
17837    <affects>
17838      <package>
17839	<name>phpmyadmin</name>
17840	<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
17841      </package>
17842    </affects>
17843    <description>
17844      <body xmlns="http://www.w3.org/1999/xhtml">
17845	<p>The phpMyAdmin development team reports:</p>
17846	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-7/">
17847	  <p>With a crafted table name it is possible to trigger an
17848	    XSS attack in the database normalization page.</p>
17849	  <p>We consider this vulnerability to be non-critical.</p>
17850	  <p>This vulnerability can be triggered only by someone who is
17851	    logged in to phpMyAdmin, as the usual token protection
17852	    prevents non-logged-in users from accessing the required page.</p>
17853	</blockquote>
17854      </body>
17855    </description>
17856    <references>
17857      <url>https://www.phpmyadmin.net/security/PMASA-2016-7/</url>
17858      <cvename>CVE-2016-2043</cvename>
17859    </references>
17860    <dates>
17861      <discovery>2016-01-28</discovery>
17862      <entry>2016-01-28</entry>
17863    </dates>
17864  </vuln>
17865
17866  <vuln vid="740badcb-c60b-11e5-bf36-6805ca0b3d42">
17867    <topic>phpmyadmin -- Multiple full path disclosure vulnerabilities</topic>
17868    <affects>
17869      <package>
17870	<name>phpmyadmin</name>
17871	<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
17872      </package>
17873    </affects>
17874    <description>
17875      <body xmlns="http://www.w3.org/1999/xhtml">
17876	<p>The phpMyAdmin development team reports:</p>
17877	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-6/">
17878	  <p>By calling some scripts that are part of phpMyAdmin in an
17879	    unexpected way, it is possible to trigger phpMyAdmin to
17880	    display a PHP error message which contains the full path of
17881	    the directory where phpMyAdmin is installed.</p>
17882	  <p>We consider these vulnerabilities to be non-critical.</p>
17883	  <p>This path disclosure is possible on servers where the
17884	    recommended setting of the PHP configuration directive
17885	    display_errors is set to on, which is against the
17886	    recommendations given in the PHP manual for a production
17887	    server.</p>
17888	</blockquote>
17889      </body>
17890    </description>
17891    <references>
17892      <url>https://www.phpmyadmin.net/security/PMASA-2016-6/</url>
17893      <cvename>CVE-2016-2042</cvename>
17894    </references>
17895    <dates>
17896      <discovery>2016-01-28</discovery>
17897      <entry>2016-01-28</entry>
17898    </dates>
17899  </vuln>
17900
17901  <vuln vid="71b24d99-c60b-11e5-bf36-6805ca0b3d42">
17902    <topic>phpmyadmin -- Unsafe comparison of XSRF/CSRF token</topic>
17903    <affects>
17904      <package>
17905	<name>phpmyadmin</name>
17906	<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
17907      </package>
17908    </affects>
17909    <description>
17910      <body xmlns="http://www.w3.org/1999/xhtml">
17911	<p>The phpMyAdmin development team reports:</p>
17912	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-5/">
17913	  <p>The comparison of the XSRF/CSRF token parameter with the
17914	    value saved in the session is vulnerable to timing
17915	    attacks. Moreover, the comparison could be bypassed if the
17916	    XSRF/CSRF token matches a particular pattern.</p>
17917	  <p>We consider this vulnerability to be serious.</p>
17918	</blockquote>
17919      </body>
17920    </description>
17921    <references>
17922      <url>https://www.phpmyadmin.net/security/PMASA-2016-5/</url>
17923      <cvename>CVE-2016-2041</cvename>
17924    </references>
17925    <dates>
17926      <discovery>2016-01-28</discovery>
17927      <entry>2016-01-28</entry>
17928    </dates>
17929  </vuln>
17930
17931  <vuln vid="6f0c2d1b-c60b-11e5-bf36-6805ca0b3d42">
17932    <topic>phpmyadmin -- Insecure password generation in JavaScript</topic>
17933    <affects>
17934      <package>
17935	<name>phpmyadmin</name>
17936	<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
17937      </package>
17938    </affects>
17939    <description>
17940      <body xmlns="http://www.w3.org/1999/xhtml">
17941	<p>The phpMyAdmin development team reports:</p>
17942	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-4/">
17943	  <p>Password suggestion functionality uses Math.random()
17944	    which does not provide cryptographically secure random
17945	    numbers.</p>
17946	  <p>We consider this vulnerability to be non-critical.</p>
17947	</blockquote>
17948      </body>
17949    </description>
17950    <references>
17951      <url>https://www.phpmyadmin.net/security/PMASA-2016-4/</url>
17952      <cvename>CVE-2016-1927</cvename>
17953    </references>
17954    <dates>
17955      <discovery>2016-01-28</discovery>
17956      <entry>2016-01-28</entry>
17957    </dates>
17958  </vuln>
17959
17960  <vuln vid="6cc06eec-c60b-11e5-bf36-6805ca0b3d42">
17961    <topic>phpmyadmin -- Multiple XSS vulnerabilities</topic>
17962    <affects>
17963      <package>
17964	<name>phpmyadmin</name>
17965	<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
17966      </package>
17967    </affects>
17968    <description>
17969      <body xmlns="http://www.w3.org/1999/xhtml">
17970	<p>The phpMyAdmin development team reports:</p>
17971	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-3/">
17972	  <ul>
17973	    <li>With a crafted table name it is possible to trigger
17974	      an XSS attack in the database search page.</li>
17975	    <li>With a crafted SET value or a crafted search query, it
17976	      is possible to trigger an XSS attack in the zoom search
17977	      page.</li>
17978	    <li>With a crafted hostname header, it is possible to
17979	      trigger an XSS attack in the home page.</li>
17980	  </ul>
17981	  <p>We consider these vulnerabilities to be non-critical.</p>
17982	  <p>These vulnerabilities can be triggered only by someone
17983	    who is logged in to phpMyAdmin, as the usual token
17984	    protection prevents non-logged-in users from accessing the
17985	    required pages.</p>
17986	</blockquote>
17987      </body>
17988    </description>
17989    <references>
17990      <url>https://www.phpmyadmin.net/security/PMASA-2016-3/</url>
17991      <cvename>CVE-2016-2040</cvename>
17992    </references>
17993    <dates>
17994      <discovery>2016-01-28</discovery>
17995      <entry>2016-01-28</entry>
17996    </dates>
17997  </vuln>
17998
17999  <vuln vid="60ab0e93-c60b-11e5-bf36-6805ca0b3d42">
18000    <topic>phpmyadmin -- Unsafe generation of XSRF/CSRF token</topic>
18001    <affects>
18002      <package>
18003	<name>phpmyadmin</name>
18004	<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
18005      </package>
18006    </affects>
18007    <description>
18008      <body xmlns="http://www.w3.org/1999/xhtml">
18009	<p>The phpMyAdmin development team reports:</p>
18010	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-2/">
18011	  <p>The XSRF/CSRF token is generated with a weak algorithm
18012	    using functions that do not return cryptographically secure
18013	    values.</p>
18014	  <p>We consider this vulnerability to be non-critical.</p>
18015	</blockquote>
18016      </body>
18017    </description>
18018    <references>
18019      <url>https://www.phpmyadmin.net/security/PMASA-2016-2/</url>
18020      <cvename>CVE-2016-2039</cvename>
18021    </references>
18022    <dates>
18023      <discovery>2016-01-28</discovery>
18024      <entry>2016-01-28</entry>
18025    </dates>
18026  </vuln>
18027
18028  <vuln vid="5d6a204f-c60b-11e5-bf36-6805ca0b3d42">
18029    <topic>phpmyadmin -- Multiple full path disclosure vulnerabilities</topic>
18030    <affects>
18031      <package>
18032	<name>phpmyadmin</name>
18033	<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
18034      </package>
18035    </affects>
18036    <description>
18037      <body xmlns="http://www.w3.org/1999/xhtml">
18038	<p>The phpMyAdmin development team reports:</p>
18039	<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-1/">
18040	  <p>By calling some scripts that are part of phpMyAdmin in an
18041	    unexpected way, it is possible to trigger phpMyAdmin to
18042	    display a PHP error message which contains the full path of
18043	    the directory where phpMyAdmin is installed.</p>
18044	  <p>We consider these vulnerabilities to be non-critical.</p>
18045	  <p>This path disclosure is possible on servers where the
18046	    recommended setting of the PHP configuration directive
18047	    display_errors is set to on, which is against the
18048	    recommendations given in the PHP manual for a production
18049	    server.</p>
18050	</blockquote>
18051      </body>
18052    </description>
18053    <references>
18054      <url>https://www.phpmyadmin.net/security/PMASA-2016-1/</url>
18055      <cvename>CVE-2016-2038</cvename>
18056    </references>
18057    <dates>
18058      <discovery>2016-01-28</discovery>
18059      <entry>2016-01-28</entry>
18060    </dates>
18061  </vuln>
18062
18063  <vuln vid="50394bc9-c5fa-11e5-96a5-d93b343d1ff7">
18064    <topic>prosody -- user impersonation vulnerability</topic>
18065    <affects>
18066      <package>
18067	<name>prosody</name>
18068	<range><lt>0.9.10</lt></range>
18069      </package>
18070    </affects>
18071    <description>
18072      <body xmlns="http://www.w3.org/1999/xhtml">
18073	<p>The Prosody team reports:</p>
18074	<blockquote cite="https://prosody.im/security/advisory_20160127/">
18075	  <p>Adopt key generation algorithm from XEP-0185, to
18076	    prevent impersonation attacks (CVE-2016-0756)</p>
18077	</blockquote>
18078      </body>
18079    </description>
18080    <references>
18081      <freebsdpr>ports/206707</freebsdpr>
18082      <cvename>CVE-2016-0756</cvename>
18083      <url>https://prosody.im/security/advisory_20160127/</url>
18084    </references>
18085    <dates>
18086      <discovery>2016-01-27</discovery>
18087      <entry>2016-01-28</entry>
18088    </dates>
18089  </vuln>
18090
18091  <vuln vid="3679fd10-c5d1-11e5-b85f-0018fe623f2b">
18092    <topic>openssl -- multiple vulnerabilities</topic>
18093    <affects>
18094      <package>
18095	<name>openssl</name>
18096	<range><lt>1.0.2_7</lt></range>
18097      </package>
18098      <package>
18099	<name>mingw32-openssl</name>
18100	<range><ge>1.0.1</ge><lt>1.0.2f</lt></range>
18101      </package>
18102      <package>
18103	<name>FreeBSD</name>
18104	<range><ge>10.2</ge><lt>10.2_12</lt></range>
18105	<range><ge>10.1</ge><lt>10.1_29</lt></range>
18106	<range><ge>9.3</ge><lt>9.3_36</lt></range>
18107      </package>
18108    </affects>
18109    <description>
18110      <body xmlns="http://www.w3.org/1999/xhtml">
18111	<p>OpenSSL project reports:</p>
18112	<blockquote cite="https://www.openssl.org/news/secadv/20160128.txt">
18113	  <ol>
18114	    <li>Historically OpenSSL only ever generated DH parameters based on "safe"
18115	      primes. More recently (in version 1.0.2) support was provided for
18116	      generating X9.42 style parameter files such as those required for RFC 5114
18117	      support. The primes used in such files may not be "safe". Where an
18118	      application is using DH configured with parameters based on primes that are
18119	      not "safe" then an attacker could use this fact to find a peer's private
18120	      DH exponent. This attack requires that the attacker complete multiple
18121	      handshakes in which the peer uses the same private DH exponent. For example
18122	      this could be used to discover a TLS server's private DH exponent if it's
18123	      reusing the private DH exponent or it's using a static DH ciphersuite.
18124	      OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
18125	      TLS. It is not on by default. If the option is not set then the server
18126	      reuses the same private DH exponent for the life of the server process and
18127	      would be vulnerable to this attack. It is believed that many popular
18128	      applications do set this option and would therefore not be at risk.
18129	      (CVE-2016-0701)</li>
18130	    <li>A malicious client can negotiate SSLv2 ciphers that have been disabled on
18131	      the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
18132	      been disabled, provided that the SSLv2 protocol was not also disabled via
18133	      SSL_OP_NO_SSLv2.
18134	      (CVE-2015-3197)</li>
18135	  </ol>
18136	</blockquote>
18137      </body>
18138    </description>
18139    <references>
18140      <freebsdsa>SA-16:11.openssl</freebsdsa>
18141      <cvename>CVE-2016-0701</cvename>
18142      <cvename>CVE-2015-3197</cvename>
18143      <url>https://www.openssl.org/news/secadv/20160128.txt</url>
18144    </references>
18145    <dates>
18146      <discovery>2016-01-22</discovery>
18147      <entry>2016-01-28</entry>
18148      <modified>2016-08-09</modified>
18149    </dates>
18150  </vuln>
18151
18152  <vuln vid="8b27f1bc-c509-11e5-a95f-b499baebfeaf">
18153    <topic>curl -- Credentials not checked</topic>
18154    <affects>
18155      <package>
18156	<name>curl</name>
18157	<range><ge>7.10.0</ge><lt>7.47.0</lt></range>
18158      </package>
18159    </affects>
18160    <description>
18161      <body xmlns="http://www.w3.org/1999/xhtml">
18162	<p>The cURL project reports:</p>
18163	<blockquote cite="http://curl.haxx.se/docs/adv_20160127A.html">
18164	  <p>libcurl will reuse NTLM-authenticated proxy connections
18165	    without properly making sure that the connection was
18166	    authenticated with the same credentials as set for this
18167	    transfer.</p>
18168	</blockquote>
18169      </body>
18170    </description>
18171    <references>
18172      <url>http://curl.haxx.se/docs/adv_20160127A.html</url>
18173      <cvename>CVE-2016-0755</cvename>
18174    </references>
18175    <dates>
18176      <discovery>2016-01-27</discovery>
18177      <entry>2016-01-27</entry>
18178      <modified>2017-02-06</modified>
18179    </dates>
18180  </vuln>
18181
18182  <vuln vid="fb754341-c3e2-11e5-b5fe-002590263bf5">
18183    <topic>wordpress -- XSS vulnerability</topic>
18184    <affects>
18185      <package>
18186	<name>wordpress</name>
18187	<range><lt>4.4.1,1</lt></range>
18188      </package>
18189      <package>
18190	<name>de-wordpress</name>
18191	<name>ja-wordpress</name>
18192	<name>ru-wordpress</name>
18193	<name>zh-wordpress-zh_CN</name>
18194	<name>zh-wordpress-zh_TW</name>
18195	<range><lt>4.4.1</lt></range>
18196      </package>
18197    </affects>
18198    <description>
18199      <body xmlns="http://www.w3.org/1999/xhtml">
18200	<p>Aaron Jorbin reports:</p>
18201	<blockquote cite="https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/">
18202	  <p>WordPress 4.4.1 is now available. This is a security release for
18203	    all previous versions and we strongly encourage you to update your
18204	    sites immediately.</p>
18205	  <p>WordPress versions 4.4 and earlier are affected by a cross-site
18206	    scripting vulnerability that could allow a site to be compromised.
18207	    This was reported by Crtc4L.</p>
18208	</blockquote>
18209      </body>
18210    </description>
18211    <references>
18212      <cvename>CVE-2016-1564</cvename>
18213      <url>http://www.openwall.com/lists/oss-security/2016/01/08/3</url>
18214      <url>https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/</url>
18215    </references>
18216    <dates>
18217      <discovery>2016-01-06</discovery>
18218      <entry>2016-01-26</entry>
18219      <modified>2016-03-08</modified>
18220    </dates>
18221  </vuln>
18222
18223  <vuln vid="a763a0e7-c3d9-11e5-b5fe-002590263bf5">
18224    <topic>privoxy -- multiple vulnerabilities</topic>
18225    <affects>
18226      <package>
18227	<name>privoxy</name>
18228	<range><lt>3.0.24</lt></range>
18229      </package>
18230    </affects>
18231    <description>
18232      <body xmlns="http://www.w3.org/1999/xhtml">
18233	<p>Privoxy Developers reports:</p>
18234	<blockquote cite="http://www.privoxy.org/3.0.24/user-manual/whatsnew.html">
18235	  <p>Prevent invalid reads in case of corrupt chunk-encoded content.
18236	    CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer.
18237	    </p>
18238	  <p>Remove empty Host headers in client requests. Previously they
18239	    would result in invalid reads. CVE-2016-1983. Bug discovered with
18240	    afl-fuzz and AddressSanitizer.</p>
18241	</blockquote>
18242      </body>
18243    </description>
18244    <references>
18245      <cvename>CVE-2016-1982</cvename>
18246      <cvename>CVE-2016-1983</cvename>
18247      <freebsdpr>ports/206504</freebsdpr>
18248      <url>http://www.privoxy.org/3.0.24/user-manual/whatsnew.html</url>
18249      <url>http://www.openwall.com/lists/oss-security/2016/01/21/4</url>
18250    </references>
18251    <dates>
18252      <discovery>2016-01-22</discovery>
18253      <entry>2016-01-26</entry>
18254    </dates>
18255  </vuln>
18256
18257  <vuln vid="d9e1b569-c3d8-11e5-b5fe-002590263bf5">
18258    <topic>privoxy -- multiple vulnerabilities</topic>
18259    <affects>
18260      <package>
18261	<name>privoxy</name>
18262	<range><lt>3.0.23</lt></range>
18263      </package>
18264    </affects>
18265    <description>
18266      <body xmlns="http://www.w3.org/1999/xhtml">
18267	<p>Privoxy Developers reports:</p>
18268	<blockquote cite="http://www.privoxy.org/3.0.23/user-manual/whatsnew.html">
18269	  <p>Fixed a DoS issue in case of client requests with incorrect
18270	    chunk-encoded body. When compiled with assertions enabled (the
18271	    default) they could previously cause Privoxy to abort(). Reported
18272	    by Matthew Daley. CVE-2015-1380.</p>
18273	  <p>Fixed multiple segmentation faults and memory leaks in the pcrs
18274	    code. This fix also increases the chances that an invalid pcrs
18275	    command is rejected as such. Previously some invalid commands would
18276	    be loaded without error. Note that Privoxy's pcrs sources (action
18277	    and filter files) are considered trustworthy input and should not be
18278	    writable by untrusted third-parties. CVE-2015-1381.</p>
18279	  <p>Fixed an 'invalid read' bug which could at least theoretically
18280	    cause Privoxy to crash. So far, no crashes have been observed.
18281	    CVE-2015-1382.</p>
18282	</blockquote>
18283      </body>
18284    </description>
18285    <references>
18286      <cvename>CVE-2015-1380</cvename>
18287      <cvename>CVE-2015-1381</cvename>
18288      <cvename>CVE-2015-1382</cvename>
18289      <freebsdpr>ports/197089</freebsdpr>
18290      <url>http://www.privoxy.org/3.0.23/user-manual/whatsnew.html</url>
18291      <url>http://www.openwall.com/lists/oss-security/2015/01/26/4</url>
18292    </references>
18293    <dates>
18294      <discovery>2015-01-26</discovery>
18295      <entry>2016-01-26</entry>
18296    </dates>
18297  </vuln>
18298
18299  <vuln vid="89d4ed09-c3d7-11e5-b5fe-002590263bf5">
18300    <topic>privoxy -- multiple vulnerabilities</topic>
18301    <affects>
18302      <package>
18303	<name>privoxy</name>
18304	<range><lt>3.0.22</lt></range>
18305      </package>
18306    </affects>
18307    <description>
18308      <body xmlns="http://www.w3.org/1999/xhtml">
18309	<p>Privoxy Developers reports:</p>
18310	<blockquote cite="http://www.privoxy.org/3.0.22/user-manual/whatsnew.html">
18311	  <p>Fixed a memory leak when rejecting client connections due to the
18312	    socket limit being reached (CID 66382). This affected Privoxy 3.0.21
18313	    when compiled with IPv6 support (on most platforms this is the
18314	    default).</p>
18315	  <p>Fixed an immediate-use-after-free bug (CID 66394) and two
18316	    additional unconfirmed use-after-free complaints made by Coverity
18317	    scan (CID 66391, CID 66376).</p>
18318	</blockquote>
18319	<p>MITRE reports:</p>
18320	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1201">
18321	  <p>Privoxy before 3.0.22 allows remote attackers to cause a denial
18322	    of service (file descriptor consumption) via unspecified vectors.
18323	    </p>
18324	</blockquote>
18325      </body>
18326    </description>
18327    <references>
18328      <cvename>CVE-2015-1030</cvename>
18329      <cvename>CVE-2015-1031</cvename>
18330      <cvename>CVE-2015-1201</cvename>
18331      <freebsdpr>ports/195468</freebsdpr>
18332      <url>http://www.privoxy.org/3.0.22/user-manual/whatsnew.html</url>
18333      <url>http://www.openwall.com/lists/oss-security/2015/01/11/1</url>
18334    </references>
18335    <dates>
18336      <discovery>2015-01-10</discovery>
18337      <entry>2016-01-26</entry>
18338    </dates>
18339  </vuln>
18340
18341  <vuln vid="ad82b0e9-c3d6-11e5-b5fe-002590263bf5">
18342    <topic>privoxy -- malicious server spoofing as proxy vulnerability</topic>
18343    <affects>
18344      <package>
18345	<name>privoxy</name>
18346	<range><lt>3.0.21</lt></range>
18347      </package>
18348    </affects>
18349    <description>
18350      <body xmlns="http://www.w3.org/1999/xhtml">
18351	<p>Privoxy Developers reports:</p>
18352	<blockquote cite="http://www.privoxy.org/3.0.21/user-manual/whatsnew.html">
18353	  <p>Proxy authentication headers are removed unless the new directive
18354	    enable-proxy-authentication-forwarding is used. Forwarding the
18355	    headers potentially allows malicious sites to trick the user into
18356	    providing them with login information. Reported by Chris John Riley.
18357	    </p>
18358	</blockquote>
18359      </body>
18360    </description>
18361    <references>
18362      <cvename>CVE-2013-2503</cvename>
18363      <freebsdpr>ports/176813</freebsdpr>
18364      <url>http://www.privoxy.org/3.0.21/user-manual/whatsnew.html</url>
18365    </references>
18366    <dates>
18367      <discovery>2013-03-07</discovery>
18368      <entry>2016-01-26</entry>
18369    </dates>
18370  </vuln>
18371
18372  <vuln vid="2e8cdd36-c3cc-11e5-b5fe-002590263bf5">
18373    <topic>sudo -- potential privilege escalation via symlink misconfiguration</topic>
18374    <affects>
18375      <package>
18376	<name>sudo</name>
18377	<range><lt>1.8.15</lt></range>
18378      </package>
18379    </affects>
    <description>
18381      <body xmlns="http://www.w3.org/1999/xhtml">
18382	<p>MITRE reports:</p>
18383	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5602">
18384	  <p>sudoedit in Sudo before 1.8.15 allows local users to gain
18385	    privileges via a symlink attack on a file whose full path is defined
18386	    using multiple wildcards in /etc/sudoers, as demonstrated by
18387	    "/home/*/*/file.txt."</p>
18388	</blockquote>
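	<p>Added example, not part of the advisory or of the sudo project: an
	  audit that parses a sudoers file and flags every sudoedit command
	  whose path carries two or more wildcards, the pattern named above. The
	  sudoers text is constructed for the demo; the parser handles the
	  common user/host/runas/tag/command layout and is not a full sudoers
	  grammar.</p>

```python
import re

# Constructed sample sudoers (not from any real host). The alice and dave
# lines use more than one wildcard in a sudoedit path, which is the shape
# CVE-2015-5602 describes; bob and carol do not.
SUDOERS = """\
# /etc/sudoers - constructed example
Defaults env_reset
root  ALL=(ALL) ALL
alice ALL=(root) sudoedit /home/*/*/file.txt
bob   ALL=(root) sudoedit /etc/motd
carol ALL=(root) sudoedit /var/www/*/config.ini
dave  ALL=(root) NOPASSWD: sudoedit /srv/*/*/*.conf
"""

# user  host=(runas) [TAG:] command[, command...]
SPEC_RE = re.compile(r"(\S+)\s+\S+=(?:\([^)]*\)\s*)?(.*)$")


def sudoedit_paths(text):
    """Yield (user, path) for every path given to sudoedit in a sudoers text.
    Comments, blank lines and Defaults lines are skipped; tags such as
    NOPASSWD: are dropped before the command word is examined."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        match = SPEC_RE.match(line)
        if not match:
            continue
        user, commands = match.group(1), match.group(2)
        for command in commands.split(","):
            tokens = [t for t in command.split() if not t.endswith(":")]
            if tokens and tokens[0] == "sudoedit":
                for path in tokens[1:]:
                    yield user, path


def risky_sudoedit_specs(text):
    """Return the (user, path) pairs whose path has two or more '*'
    wildcards. One wildcard is left alone; the advisory's example needs the
    second wildcard so that a user-controlled directory sits on the path."""
    findings = []
    for user, path in sudoedit_paths(text):
        if path.count("*") not in (0, 1):   # two or more wildcards
            findings.append((user, path))
    return findings


if __name__ == "__main__":
    for user, path in risky_sudoedit_specs(SUDOERS):
        print("multi-wildcard sudoedit path for", user + ":", path)
```

	<p>Run it against a copy of the real file (for example the output of
	  visudo -c -f, or the file itself) rather than the sample; any hit
	  should be reviewed on hosts still running sudo before 1.8.15.</p>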
18389      </body>
18390    </description>
18391    <references>
18392      <cvename>CVE-2015-5602</cvename>
18393      <freebsdpr>ports/206590</freebsdpr>
18394      <url>https://www.exploit-db.com/exploits/37710/</url>
18395      <url>https://bugzilla.sudo.ws/show_bug.cgi?id=707</url>
18396      <url>http://www.sudo.ws/stable.html#1.8.15</url>
18397    </references>
18398    <dates>
18399      <discovery>2015-11-17</discovery>
18400      <entry>2016-01-26</entry>
18401    </dates>
18402  </vuln>
18403
18404  <vuln vid="99d3a8a5-c13c-11e5-96d6-14dae9d210b8">
18405    <topic>imlib2 -- denial of service vulnerabilities</topic>
18406    <affects>
18407      <package>
18408	<name>imlib2</name>
18409	<range><lt>1.4.7</lt></range>
18410      </package>
18411    </affects>
18412    <description>
18413      <body xmlns="http://www.w3.org/1999/xhtml">
18414	<p>Enlightenment reports:</p>
18415	<blockquote cite="https://git.enlightenment.org/legacy/imlib2.git/tree/ChangeLog">
18416	  <p>GIF loader: Fix segv on images without colormap</p>
18417	  <p>Prevent division-by-zero crashes.</p>
18418	  <p>Fix segfault when opening input/queue/id:000007,src:000000,op:flip1,pos:51 with feh</p>
18419	</blockquote>
18420      </body>
18421    </description>
18422    <references>
18423      <url>https://git.enlightenment.org/legacy/imlib2.git/tree/ChangeLog</url>
18424      <url>http://seclists.org/oss-sec/2016/q1/162</url>
18425      <cvename>CVE-2014-9762</cvename>
18426      <cvename>CVE-2014-9763</cvename>
18427      <cvename>CVE-2014-9764</cvename>
18428    </references>
18429    <dates>
18430      <discovery>2013-12-21</discovery>
18431      <entry>2016-01-22</entry>
18432    </dates>
18433  </vuln>
18434
18435  <vuln vid="b4578647-c12b-11e5-96d6-14dae9d210b8">
18436    <topic>bind -- denial of service vulnerability</topic>
18437    <affects>
18438      <package>
18439	<name>bind99</name>
18440	<range><lt>9.9.8P3</lt></range>
18441      </package>
18442      <package>
18443	<name>bind910</name>
18444	<range><lt>9.10.3P3</lt></range>
18445      </package>
18446      <package>
18447	<name>FreeBSD</name>
18448	<range><ge>9.3</ge><lt>9.3_35</lt></range>
18449      </package>
18450    </affects>
18451    <description>
18452      <body xmlns="http://www.w3.org/1999/xhtml">
18453	<p>ISC reports:</p>
18454	<blockquote cite="https://kb.isc.org/article/AA-01335">
18455	  <p>Specific APL data could trigger an INSIST in apl_42.c</p>
18456	</blockquote>
18457      </body>
18458    </description>
18459    <references>
18460      <url>https://kb.isc.org/article/AA-01335</url>
18461      <cvename>CVE-2015-8704</cvename>
18462      <freebsdsa>SA-16:08.bind</freebsdsa>
18463    </references>
18464    <dates>
18465      <discovery>2016-01-19</discovery>
18466      <entry>2016-01-22</entry>
18467      <modified>2016-08-09</modified>
18468    </dates>
18469  </vuln>
18470
18471  <vuln vid="371bbea9-3836-4832-9e70-e8e928727f8c">
18472    <topic>chromium -- multiple vulnerabilities</topic>
18473    <affects>
18474      <package>
18475	<name>chromium</name>
18476	<name>chromium-npapi</name>
18477	<name>chromium-pulse</name>
18478	<range><lt>48.0.2564.82</lt></range>
18479      </package>
18480    </affects>
18481    <description>
18482      <body xmlns="http://www.w3.org/1999/xhtml">
18483	<p>Google Chrome Releases reports:</p>
18484	<blockquote cite="http://googlechromereleases.blogspot.de/2016/01/stable-channel-update_20.html">
18485	  <p>This update includes 37 security fixes, including:</p>
18486	  <ul>
18487	    <li>[497632] High CVE-2016-1612: Bad cast in V8.</li>
18488	    <li>[572871] High CVE-2016-1613: Use-after-free in PDFium.</li>
18489	    <li>[544691] Medium CVE-2016-1614: Information leak in Blink.</li>
18490	    <li>[468179] Medium CVE-2016-1615: Origin confusion in Omnibox.</li>
18491	    <li>[541415] Medium CVE-2016-1616: URL Spoofing.</li>
18492	    <li>[544765] Medium CVE-2016-1617: History sniffing with HSTS and
18493	      CSP.</li>
18494	    <li>[552749] Medium CVE-2016-1618: Weak random number generator in
18495	      Blink.</li>
18496	    <li>[557223] Medium CVE-2016-1619: Out-of-bounds read in
18497	      PDFium.</li>
18498	    <li>[579625] CVE-2016-1620: Various fixes from internal audits,
18499	      fuzzing and other initiatives.</li>
18500	    <li>Multiple vulnerabilities in V8 fixed at the tip of the 4.8
18501	      branch.</li>
18502	  </ul>
18503	</blockquote>
18504      </body>
18505    </description>
18506    <references>
18507      <cvename>CVE-2016-1612</cvename>
18508      <cvename>CVE-2016-1613</cvename>
18509      <cvename>CVE-2016-1614</cvename>
18510      <cvename>CVE-2016-1615</cvename>
18511      <cvename>CVE-2016-1616</cvename>
18512      <cvename>CVE-2016-1617</cvename>
18513      <cvename>CVE-2016-1618</cvename>
18514      <cvename>CVE-2016-1619</cvename>
18515      <cvename>CVE-2016-1620</cvename>
18516      <url>http://googlechromereleases.blogspot.de/2016/01/stable-channel-update_20.html</url>
18517    </references>
18518    <dates>
18519      <discovery>2016-01-20</discovery>
18520      <entry>2016-01-21</entry>
18521    </dates>
18522  </vuln>
18523
18524  <vuln vid="5237f5d7-c020-11e5-b397-d050996490d0">
18525    <topic>ntp -- multiple vulnerabilities</topic>
18526    <affects>
18527      <package>
18528	<name>ntp</name>
18529	<range><lt>4.2.8p6</lt></range>
18530      </package>
18531      <package>
18532	<name>ntp-devel</name>
18533	<range><lt>4.3.90</lt></range>
18534      </package>
18535      <package>
18536	<name>FreeBSD</name>
18537	<range><ge>10.2</ge><lt>10.2_11</lt></range>
18538	<range><ge>10.1</ge><lt>10.1_28</lt></range>
18539	<range><ge>9.3</ge><lt>9.3_35</lt></range>
18540      </package>
18541    </affects>
18542    <description>
18543      <body xmlns="http://www.w3.org/1999/xhtml">
18544	<p>Network Time Foundation reports:</p>
18545	<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit">
18546	  <p>NTF's NTP Project has been notified of the following low-
18547	    and medium-severity vulnerabilities that are fixed in
18548	    ntp-4.2.8p6, released on Tuesday, 19 January 2016:</p>
18549	  <ul>
18550	    <li>Bug 2948 / CVE-2015-8158: Potential Infinite Loop
18551	      in ntpq.  Reported by Cisco ASIG.</li>
18552	    <li>Bug 2945 / CVE-2015-8138: origin: Zero Origin
18553	      Timestamp Bypass.  Reported by Cisco ASIG.</li>
18554	    <li>Bug 2942 / CVE-2015-7979: Off-path Denial of
18555	      Service (DoS) attack on authenticated broadcast
18556	      mode.  Reported by Cisco ASIG.</li>
18557	    <li>Bug 2940 / CVE-2015-7978: Stack exhaustion in
18558	      recursive traversal of restriction list.
18559	      Reported by Cisco ASIG.</li>
18560	    <li>Bug 2939 / CVE-2015-7977: reslist NULL pointer
18561	      dereference.  Reported by Cisco ASIG.</li>
18562	    <li>Bug 2938 / CVE-2015-7976: ntpq saveconfig command
18563	      allows dangerous characters in filenames.
18564	      Reported by Cisco ASIG.</li>
18565	    <li>Bug 2937 / CVE-2015-7975: nextvar() missing length
18566	      check.  Reported by Cisco ASIG.</li>
18567	    <li>Bug 2936 / CVE-2015-7974: Skeleton Key: Missing
18568	      key check allows impersonation between authenticated
18569	      peers.  Reported by Cisco ASIG.</li>
18570	    <li>Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on
18571	      authenticated broadcast mode.  Reported by Cisco ASIG.</li>
18572	  </ul>
18573	  <p>Additionally, mitigations are published for the following
18574	    two issues:</p>
18575	  <ul>
18576	    <li>Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay
18577	      attacks.  Reported by Cisco ASIG.</li>
18578	    <li>Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc,
18579	      disclose origin.  Reported by Cisco ASIG.</li>
18580	  </ul>
18581	</blockquote>
18582      </body>
18583    </description>
18584    <references>
18585      <freebsdsa>SA-16:09.ntp</freebsdsa>
18586      <cvename>CVE-2015-7973</cvename>
18587      <cvename>CVE-2015-7974</cvename>
18588      <cvename>CVE-2015-7975</cvename>
18589      <cvename>CVE-2015-7976</cvename>
18590      <cvename>CVE-2015-7977</cvename>
18591      <cvename>CVE-2015-7978</cvename>
18592      <cvename>CVE-2015-7979</cvename>
18593      <cvename>CVE-2015-8138</cvename>
18594      <cvename>CVE-2015-8139</cvename>
18595      <cvename>CVE-2015-8140</cvename>
18596      <cvename>CVE-2015-8158</cvename>
18597      <url>http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit</url>
18598    </references>
18599    <dates>
18600      <discovery>2016-01-20</discovery>
18601      <entry>2016-01-21</entry>
18602      <modified>2016-08-09</modified>
18603    </dates>
18604  </vuln>
18605
18606  <vuln vid="62c0dbbd-bfce-11e5-b5fe-002590263bf5">
18607    <topic>cgit -- multiple vulnerabilities</topic>
18608    <affects>
18609      <package>
18610	<name>cgit</name>
18611	<range><lt>0.12</lt></range>
18612      </package>
18613    </affects>
18614    <description>
18615      <body xmlns="http://www.w3.org/1999/xhtml">
18616	<p>Jason A. Donenfeld reports:</p>
18617	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/14/6">
18618	  <p>Reflected Cross Site Scripting and Header Injection in Mimetype
18619	    Query String.</p>
18620	  <p>Stored Cross Site Scripting and Header Injection in Filename
18621	    Parameter.</p>
18622	  <p>Integer Overflow resulting in Buffer Overflow.</p>
18623	</blockquote>
18624      </body>
18625    </description>
18626    <references>
18627      <cvename>CVE-2016-1899</cvename>
18628      <cvename>CVE-2016-1900</cvename>
18629      <cvename>CVE-2016-1901</cvename>
18630      <freebsdpr>ports/206417</freebsdpr>
18631      <url>http://lists.zx2c4.com/pipermail/cgit/2016-January/002817.html</url>
18632      <url>http://www.openwall.com/lists/oss-security/2016/01/14/6</url>
18633    </references>
18634    <dates>
18635      <discovery>2016-01-14</discovery>
18636      <entry>2016-01-20</entry>
18637    </dates>
18638  </vuln>
18639
18640  <vuln vid="314830d8-bf91-11e5-96d6-14dae9d210b8">
18641    <topic>bind -- denial of service vulnerability</topic>
18642    <affects>
18643      <package>
18644	<name>bind910</name>
18645	<range><lt>9.10.3P3</lt></range>
18646      </package>
18647    </affects>
18648    <description>
18649      <body xmlns="http://www.w3.org/1999/xhtml">
18650	<p>ISC reports:</p>
18651	<blockquote cite="https://kb.isc.org/article/AA-01336">
18652	  <p>Problems converting OPT resource records and ECS options to
18653	    text format can cause BIND to terminate</p>
18654	</blockquote>
18655      </body>
18656    </description>
18657    <references>
18658      <url>https://kb.isc.org/article/AA-01336</url>
18659      <cvename>CVE-2015-8705</cvename>
18660    </references>
18661    <dates>
18662      <discovery>2016-01-19</discovery>
18663      <entry>2016-01-20</entry>
18664      <modified>2016-01-22</modified>
18665    </dates>
18666  </vuln>
18667
18668  <vuln vid="51358314-bec8-11e5-82cd-bcaec524bf84">
18669    <topic>claws-mail -- no bounds checking on the output buffer in conv_jistoeuc, conv_euctojis, conv_sjistoeuc</topic>
18670    <affects>
18671      <package>
18672	<name>claws-mail</name>
18673	<range><lt>3.13.2</lt></range>
18674      </package>
18675    </affects>
18676    <description>
18677      <body xmlns="http://www.w3.org/1999/xhtml">
18678	<p>DrWhax reports:</p>
18679	<blockquote cite="http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557">
	  <p>So in codeconv.c there is a function for Japanese character set
	    conversion called conv_jistoeuc(). There is no bounds checking on
	    the output buffer, which is created on the stack with alloca().
	    Bug can be triggered by sending an email to TAILS_luser@riseup.net
	    or whatever.</p>
	  <p>Since my C is completely rusty, you might be able to make a better
	    judgment on the severity of this issue. Marking critical for now.</p>
18688	</blockquote>
18689      </body>
18690    </description>
18691    <references>
18692      <cvename>CVE-2015-8614</cvename>
18693      <url>https://security-tracker.debian.org/tracker/CVE-2015-8614</url>
18694    </references>
18695    <dates>
18696      <discovery>2015-11-04</discovery>
18697      <entry>2016-01-19</entry>
18698    </dates>
18699  </vuln>
18700
18701  <vuln vid="7c63775e-be31-11e5-b5fe-002590263bf5">
18702    <topic>libarchive -- multiple vulnerabilities</topic>
18703    <affects>
18704      <package>
18705	<name>libarchive</name>
18706	<range><lt>3.1.2_5,1</lt></range>
18707      </package>
18708      <package>
18709	<name>FreeBSD</name>
18710	<range><ge>10.3</ge><lt>10.3_4</lt></range>
18711	<range><ge>10.2</ge><lt>10.2_18</lt></range>
18712	<range><ge>10.1</ge><lt>10.1_35</lt></range>
18713	<range><ge>9.3</ge><lt>9.3_43</lt></range>
18714      </package>
18715    </affects>
18716    <description>
18717      <body xmlns="http://www.w3.org/1999/xhtml">
18718	<p>MITRE reports:</p>
18719	<blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0211">
18720	  <p>Integer signedness error in the archive_write_zip_data function in
18721	    archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when
18722	    running on 64-bit machines, allows context-dependent attackers to
18723	    cause a denial of service (crash) via unspecified vectors, which
18724	    triggers an improper conversion between unsigned and signed types,
18725	    leading to a buffer overflow.</p>
18726	</blockquote>
18727	<blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304">
18728	  <p>Absolute path traversal vulnerability in bsdcpio in libarchive
18729	    3.1.2 and earlier allows remote attackers to write to arbitrary
18730	    files via a full pathname in an archive.</p>
18731	</blockquote>
18732	<p>Libarchive issue tracker reports:</p>
18733	<blockquote cite="https://github.com/libarchive/libarchive/issues/502">
18734	  <p>Using a crafted tar file bsdtar can perform an out-of-bounds memory
18735	    read which will lead to a SEGFAULT. The issue exists when the
18736	    executable skips data in the archive. The amount of data to skip is
	    defined in byte offset [16-19]. If ASLR is disabled, the issue can
18738	    lead to an infinite loop.</p>
18739	</blockquote>
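	<p>Added example, not part of the advisory or of libarchive: a
	  pre-extraction check for the class of problem behind CVE-2015-2304,
	  members whose names would place files outside the extraction
	  directory. It uses Python's tarfile module and an in-memory tar built
	  for the demo as a stand-in for the cpio case (an assumption, since the
	  standard library has no cpio reader); the check itself, absolute
	  names, dot-dot components and links that escape the tree, is the same
	  for either format.</p>

```python
import io
import posixpath
import tarfile


def build_tar(files, symlinks):
    """Constructed archive for the demo. tarfile.addfile() stores member
    names verbatim, so absolute and '..' names survive the way a crafted
    archive from an attacker would carry them."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in symlinks:
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


def link_target_escapes(member):
    """True if a hard link or symlink resolves outside the archive root.
    Hard-link targets are archive-relative; symlink targets are relative to
    the link's own directory, so they are joined before normalising."""
    if member.islnk():
        target = member.linkname
    else:
        target = posixpath.join(posixpath.dirname(member.name), member.linkname)
    target = posixpath.normpath(target)
    return target.startswith("/") or target == ".." or target.startswith("../")


def unsafe_members(tar_bytes):
    """Return (name, reason) for every member that must not be extracted
    as-is. Run this before extraction; do not rely on the extractor to
    strip leading slashes for you."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.name.startswith("/"):
                findings.append((member.name, "absolute path"))
            elif ".." in parts:
                findings.append((member.name, "parent traversal"))
            elif (member.issym() or member.islnk()) and link_target_escapes(member):
                findings.append((member.name, "link escapes tree"))
    return findings


# Constructed sample: one benign file, one absolute name, one dot-dot name,
# one benign symlink and one symlink that climbs out of the tree.
SAMPLE_TAR = build_tar(
    files=[
        ("docs/readme.txt", b"hello\n"),
        ("/etc/cron.d/backdoor", b"* * * * * root /tmp/x\n"),
        ("../../.ssh/authorized_keys", b"ssh-ed25519 AAAA attacker\n"),
    ],
    symlinks=[
        ("docs/alias", "readme.txt"),
        ("docs/escape", "../../etc/shadow"),
    ],
)

if __name__ == "__main__":
    for name, reason in unsafe_members(SAMPLE_TAR):
        print(reason + ":", name)
```

	<p>The bsdtar crash in the third quoted report is a different bug (a
	  bad skip offset in the archive metadata) and is not caught by a name
	  check; for that, the fix is the updated library, and untrusted
	  archives should be opened in a process with nothing to lose.</p>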
18740      </body>
18741    </description>
18742    <references>
18743      <cvename>CVE-2013-0211</cvename>
18744      <cvename>CVE-2015-2304</cvename>
18745      <freebsdpr>ports/200176</freebsdpr>
18746      <freebsdsa>SA-16:22.libarchive</freebsdsa>
18747      <freebsdsa>SA-16:23.libarchive</freebsdsa>
18748      <url>https://github.com/libarchive/libarchive/pull/110</url>
18749      <url>https://github.com/libarchive/libarchive/commit/5935715</url>
18750      <url>https://github.com/libarchive/libarchive/commit/2253154</url>
18751      <url>https://github.com/libarchive/libarchive/issues/502</url>
18752      <url>https://github.com/libarchive/libarchive/commit/3865cf2</url>
18753      <url>https://github.com/libarchive/libarchive/commit/e6c9668</url>
18754      <url>https://github.com/libarchive/libarchive/commit/24f5de6</url>
18755    </references>
18756    <dates>
18757      <discovery>2012-12-06</discovery>
18758      <entry>2016-01-18</entry>
18759      <modified>2016-08-09</modified>
18760    </dates>
18761  </vuln>
18762
18763  <vuln vid="6809c6db-bdeb-11e5-b5fe-002590263bf5">
18764    <topic>go -- information disclosure vulnerability</topic>
18765    <affects>
18766      <package>
18767	<name>go</name>
18768	<range><ge>1.5,1</ge><lt>1.5.3,1</lt></range>
18769      </package>
18770    </affects>
18771    <description>
18772      <body xmlns="http://www.w3.org/1999/xhtml">
18773	<p>Jason Buberel reports:</p>
18774	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/13/7">
18775	  <p>A security-related issue has been reported in Go's math/big
18776	    package. The issue was introduced in Go 1.5. We recommend that all
18777	    users upgrade to Go 1.5.3, which fixes the issue. Go programs must
18778	    be recompiled with Go 1.5.3 in order to receive the fix.</p>
18779	  <p>The Go team would like to thank Nick Craig-Wood for identifying the
18780	    issue.</p>
18781	  <p>This issue can affect RSA computations in crypto/rsa, which is used
18782	    by crypto/tls. TLS servers on 32-bit systems could plausibly leak
18783	    their RSA private key due to this issue. Other protocol
18784	    implementations that create many RSA signatures could also be
18785	    impacted in the same way.</p>
18786	  <p>Specifically, incorrect results in one part of the RSA Chinese
18787	    Remainder computation can cause the result to be incorrect in such a
18788	    way that it leaks one of the primes. While RSA blinding should
18789	    prevent an attacker from crafting specific inputs that trigger the
18790	    bug, on 32-bit systems the bug can be expected to occur at random
18791	    around one in 2^26 times. Thus collecting around 64 million
18792	    signatures (of known data) from an affected server should be enough
18793	    to extract the private key used.</p>
18794	  <p>On 64-bit systems, the frequency of the bug is so low (less than
18795	    one in 2^50) that it would be very difficult to exploit.
18796	    Nonetheless, everyone is strongly encouraged to upgrade.</p>
18797	</blockquote>
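	<p>Added example, not part of the advisory or of the Go project: a
	  simulation of why a wrong result in one half of the RSA-CRT
	  computation gives away a prime, and why blinding does not save a
	  server that fails at random. The key below uses two small constructed
	  primes so the arithmetic stays readable (an assumption; a real key is
	  2048 bits, and the math/big fault was in the big-integer code, not
	  modelled here beyond "one half comes out wrong"). Recovery is the
	  classic gcd observation: a signature that is right modulo q but wrong
	  modulo p satisfies s^e - m == 0 (mod q) only, so gcd(s^e - m, N)
	  is q.</p>

```python
import math
import random

# Constructed toy key (assumption): two ~30-bit primes instead of a real
# 1024-bit pair. Nothing in the attack depends on the size.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# CRT parameters, as a real implementation precomputes them.
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)


def crt_sign(m, fault_half=None):
    """Textbook RSA-CRT signature of an already-padded message m (0 < m < N
    is the caller's job). fault_half="p" or "q" corrupts that half, standing
    in for the math/big miscomputation described in the advisory."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_half == "p":
        sp = (sp + 1) % P        # any wrong value modulo p will do
    elif fault_half == "q":
        sq = (sq + 1) % Q
    h = (QINV * (sp - sq)) % P   # Garner recombination
    return (sq + h * Q) % N


def verify(m, s):
    """Public-key check an attacker can run on every signature it sees."""
    return pow(s, E, N) == m % N


def prime_from_faulty_signature(m, s):
    """If s is correct modulo exactly one prime, s^e - m is divisible by
    that prime and not the other, so the gcd with N is a proper factor.
    Returns None for a valid signature (gcd == N) or one that is wrong
    modulo both primes (gcd == 1)."""
    g = math.gcd((pow(s, E, N) - m) % N, N)
    if g in (1, N):
        return None
    return g


def harvest(messages, fault_one_in, seed=0):
    """Model of the attacker's side. The server signs known messages and,
    once every fault_one_in signatures on average (the advisory puts the
    real rate near one in 2^26 on 32-bit builds), one CRT half comes out
    wrong. The attacker never chooses inputs, which is why blinding does
    not help: it only needs to test each (m, s) pair it collects. Returns
    the recovered prime, or None if no fault occurred."""
    rng = random.Random(seed)          # seeded so the demo is repeatable
    for m in messages:
        half = None
        if rng.randrange(fault_one_in) == 0:
            half = rng.choice(["p", "q"])
        s = crt_sign(m, half)
        factor = prime_from_faulty_signature(m, s)
        if factor is not None:
            return factor
    return None


if __name__ == "__main__":
    factor = harvest(range(1, 2001), fault_one_in=100, seed=1)
    print("recovered factor:", factor, "other factor:", N // factor)
```

	<p>The gcd step is the whole attack; with the real fault rate the cost
	  is the roughly 64 million signatures quoted above, which is why a TLS
	  server doing RSA key exchange or signing on a 32-bit build was the
	  realistic target and why the fix has to be recompiled in rather than
	  patched around.</p>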
18798      </body>
18799    </description>
18800    <references>
18801      <cvename>CVE-2015-8618</cvename>
18802      <url>http://www.openwall.com/lists/oss-security/2016/01/13/7</url>
18803      <url>https://go-review.googlesource.com/#/c/17672/</url>
18804      <url>https://go-review.googlesource.com/#/c/18491/</url>
18805    </references>
18806    <dates>
18807      <discovery>2016-01-13</discovery>
18808      <entry>2016-01-18</entry>
18809    </dates>
18810  </vuln>
18811
18812  <vuln vid="05eeb7e9-b987-11e5-83ef-14dae9d210b8">
18813    <topic>isc-dhcpd -- Denial of Service</topic>
18814    <affects>
18815      <package>
18816	<name>isc-dhcp41-server</name>
18817	<range><lt>4.1.e_10,2</lt></range>
18818      </package>
18819      <package>
18820	<name>isc-dhcp41-client</name>
18821	<range><lt>4.1.e_3,2</lt></range>
18822      </package>
18823      <package>
18824	<name>isc-dhcp41-relay</name>
18825	<range><lt>4.1.e_6,2</lt></range>
18826      </package>
18827      <package>
18828	<name>isc-dhcp42-client</name>
18829	<name>isc-dhcp42-server</name>
18830	<name>isc-dhcp42-relay</name>
18831	<range><ge>0</ge></range>
18832      </package>
18833      <package>
18834	<name>isc-dhcp43-client</name>
18835	<name>isc-dhcp43-server</name>
18836	<name>isc-dhcp43-relay</name>
18837	<range><lt>4.3.3.p1</lt></range>
18838      </package>
18839    </affects>
18840    <description>
18841      <body xmlns="http://www.w3.org/1999/xhtml">
18842	<p>ISC reports:</p>
18843	<blockquote cite="https://kb.isc.org/article/AA-01334">
18844	  <p>A badly formed packet with an invalid IPv4 UDP length field
18845	    can cause a DHCP server, client, or relay program to terminate
18846	    abnormally.</p>
18847	</blockquote>
18848      </body>
18849    </description>
18850    <references>
18851      <url>https://kb.isc.org/article/AA-01334</url>
18852      <cvename>CVE-2015-8605</cvename>
18853    </references>
18854    <dates>
18855      <discovery>2016-01-05</discovery>
18856      <entry>2016-01-12</entry>
18857    </dates>
18858  </vuln>
18859
18860  <vuln vid="3b5c2362-bd07-11e5-b7ef-5453ed2e2b49">
18861    <topic>libproxy -- stack-based buffer overflow</topic>
18862    <affects>
18863      <!-- libproxy-python is not affected. It only installs a .py file that
18864	   dlopen()s libproxy.so. -->
18865      <package>
18866	<name>libproxy</name>
18867	<range><ge>0.4.0</ge><lt>0.4.6_1</lt></range>
18868      </package>
18869      <package>
18870	<name>libproxy-gnome</name>
18871	<range><ge>0.4.0</ge><lt>0.4.6_2</lt></range>
18872      </package>
18873      <package>
18874	<name>libproxy-kde</name>
18875	<range><ge>0.4.0</ge><lt>0.4.6_6</lt></range>
18876      </package>
18877      <package>
18878	<name>libproxy-perl</name>
18879	<range><ge>0.4.0</ge><lt>0.4.6_3</lt></range>
18880      </package>
18881      <package>
18882	<name>libproxy-webkit</name>
18883	<range><ge>0.4.0</ge><lt>0.4.6_4</lt></range>
18884      </package>
18885    </affects>
18886    <description>
18887      <body xmlns="http://www.w3.org/1999/xhtml">
18888	<p>Tomas Hoger reports:</p>
18889	<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=864417#c0">
18890	  <p>A buffer overflow flaw was discovered in the libproxy's
18891	    url::get_pac() used to download proxy.pac proxy auto-configuration
18892	    file. A malicious host hosting proxy.pac, or a man in the middle
18893	    attacker, could use this flaw to trigger a stack-based buffer
18894	    overflow in an application using libproxy, if proxy configuration
18895	    instructed it to download proxy.pac file from a remote HTTP
18896	    server.</p>
18897	</blockquote>
18898      </body>
18899    </description>
18900    <references>
18901      <cvename>CVE-2012-4504</cvename>
18902      <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4504</url>
18903      <mlist>http://www.openwall.com/lists/oss-security/2012/10/12/1</mlist>
18904      <url>https://github.com/libproxy/libproxy/commit/c440553c12836664afd24a24fb3a4d10a2facd2c</url>
18905      <url>https://bugzilla.redhat.com/show_bug.cgi?id=864417</url>
18906      <mlist>https://groups.google.com/forum/?fromgroups=#!topic/libproxy/VxZ8No7mT0E</mlist>
18907    </references>
18908    <dates>
18909      <discovery>2012-10-10</discovery>
18910      <entry>2016-01-17</entry>
18911      <modified>2016-01-18</modified>
18912    </dates>
18913  </vuln>
18914
18915  <vuln vid="046fedd1-bd01-11e5-bbf4-5404a68ad561">
18916    <topic>ffmpeg -- remote attacker can access local files</topic>
18917    <affects>
18918      <package>
18919	<name>ffmpeg</name>
18920	<range>
18921	  <gt>2.0,1</gt>
18922	  <lt>2.8.5,1</lt>
18923	</range>
18924      </package>
18925      <package>
18926	<name>mplayer</name>
18927	<name>mencoder</name>
18928	<range>
18929	  <lt>1.2.r20151219_2</lt>
18930	</range>
18931      </package>
18932    </affects>
18933    <description>
18934      <body xmlns="http://www.w3.org/1999/xhtml">
18935	<p>Arch Linux reports:</p>
18936	<blockquote cite="https://bugs.archlinux.org/task/47738">
18937	  <p>ffmpeg has a vulnerability in the current version that allows the
18938	    attacker to create a specially crafted video file, downloading which
18939	    will send files from a user PC to a remote attacker server. The
18940	    attack does not even require the user to open that file — for
18941	    example, KDE Dolphin thumbnail generation is enough.</p>
18942	</blockquote>
18943      </body>
18944    </description>
18945    <references>
18946      <cvename>CVE-2016-1897</cvename>
18947      <cvename>CVE-2016-1898</cvename>
18948      <freebsdpr>ports/206282</freebsdpr>
18949      <url>https://www.ffmpeg.org/security.html</url>
18950    </references>
18951    <dates>
18952      <discovery>2016-01-13</discovery>
18953      <entry>2016-01-17</entry>
18954    </dates>
18955  </vuln>
18956
18957  <vuln vid="6c808811-bb9a-11e5-a65c-485d605f4717">
    <topic>h2o -- HTTP response header injection vulnerability</topic>
18959    <affects>
18960      <package>
18961	<name>h2o</name>
18962	<range><lt>1.6.2</lt></range>
18963      </package>
18964    </affects>
18965    <description>
18966      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Kazuho Oku reports:</p>
	<blockquote cite="http://h2o.examp1e.net/vulnerabilities.html">
	  <p>When redirect directive is used, this flaw allows a remote
	    attacker to inject response headers into an HTTP redirect response.</p>
18971	</blockquote>
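	<p>Added example, not part of either advisory and not code from h2o or
	  cgit: the header-injection pattern shared by the h2o redirect case
	  above and the cgit mimetype and filename cases (the cgit entry earlier
	  on this page). A header is assembled by concatenating a
	  request-controlled value; if that value carries an encoded CR LF, the
	  client sees extra headers. The request value and the tiny response
	  parser are constructed for the demo.</p>

```python
import urllib.parse


def raw_header_line(name, value):
    """The vulnerable shape: header built by concatenation, no check for
    line terminators in the value."""
    return name + ": " + value + "\r\n"


def safe_header_line(name, value):
    """Hardened shape: refuse CR or LF anywhere in the value. Bare LF is
    rejected too because lenient parsers treat it as a line end. Raising
    (rather than stripping) makes the caller notice the bad input."""
    if "\r" in value or "\n" in value:
        raise ValueError("line terminator in header value for " + name)
    return name + ": " + value + "\r\n"


def redirect_response(location, header_line):
    """A 302 whose Location comes from the request, built with whichever
    header builder the caller passes in."""
    return "HTTP/1.1 302 Found\r\n" + header_line("Location", location) + "\r\n"


def parse_response_headers(raw):
    """Minimal client-side parse so we can see what a browser would
    believe: returns (status line, dict of lower-cased header names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def injection_rejected(value):
    """True if the hardened builder refuses the value."""
    try:
        safe_header_line("Location", value)
    except ValueError:
        return True
    return False


# Constructed attacker input: the server percent-decodes the path before
# using it, so %0d%0a becomes a real CR LF inside the header value.
ATTACKER_PATH = urllib.parse.unquote("/login%0d%0aSet-Cookie:%20session=attacker")

if __name__ == "__main__":
    status, headers = parse_response_headers(redirect_response(ATTACKER_PATH, raw_header_line))
    print("vulnerable build, headers the client sees:", headers)
    print("hardened build rejects it:", injection_rejected(ATTACKER_PATH))
```

	<p>The same check belongs on any header assembled from a query string
	  or a file name, Content-Type and Content-Disposition included; the
	  cgit report lists both reflected (query string) and stored (file name
	  in the repository) variants of exactly this.</p>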
18972      </body>
18973    </description>
18974    <references>
18975      <cvename>CVE-2016-1133</cvename>
18976      <url>https://h2o.examp1e.net/vulnerabilities.html</url>
18977    </references>
18978    <dates>
18979      <discovery>2016-01-13</discovery>
18980      <entry>2016-01-15</entry>
18981    </dates>
18982  </vuln>
18983
18984  <vuln vid="dfe0cdc1-baf2-11e5-863a-b499baebfeaf">
18985    <topic>openssh -- information disclosure</topic>
18986    <affects>
18987      <package>
18988	<name>openssh-portable</name>
18989	<range>
18990	  <gt>5.4.p0,1</gt>
18991	  <lt>7.1.p2,1</lt>
18992	</range>
18993      </package>
18994      <package>
18995	<name>FreeBSD</name>
18996	<range><ge>10.2</ge><lt>10.2_10</lt></range>
18997	<range><ge>10.1</ge><lt>10.1_27</lt></range>
18998	<range><ge>9.3</ge><lt>9.3_34</lt></range>
18999      </package>
19000    </affects>
19001    <description>
19002      <body xmlns="http://www.w3.org/1999/xhtml">
19003	<p>OpenSSH reports:</p>
19004	<blockquote cite="http://www.openssh.com/security.html">
19005	  <p>OpenSSH clients between versions 5.4 and 7.1 are vulnerable to
19006	  information disclosure that may allow a malicious server to retrieve
19007	  information including, under some circumstances, users' private keys.</p>
19008	</blockquote>
19009      </body>
19010    </description>
19011    <references>
19012      <url>http://www.openssh.com/security.html</url>
19013      <cvename>CVE-2016-0777</cvename>
19014      <cvename>CVE-2016-0778</cvename>
19015      <freebsdsa>SA-16:07</freebsdsa>
19016    </references>
19017    <dates>
19018      <discovery>2016-01-14</discovery>
19019      <entry>2016-01-14</entry>
19020      <modified>2016-08-09</modified>
19021    </dates>
19022  </vuln>
19023
19024  <vuln vid="842cd117-ba54-11e5-9728-002590263bf5">
19025    <topic>prosody -- multiple vulnerabilities</topic>
19026    <affects>
19027      <package>
19028	<name>prosody</name>
19029	<range><lt>0.9.9</lt></range>
19030      </package>
19031    </affects>
19032    <description>
19033      <body xmlns="http://www.w3.org/1999/xhtml">
19034	<p>The Prosody Team reports:</p>
19035	<blockquote cite="http://blog.prosody.im/prosody-0-9-9-security-release/">
19036	  <p>Fix path traversal vulnerability in mod_http_files
19037	    (CVE-2016-1231)</p>
19038	  <p>Fix use of weak PRNG in generation of dialback secrets
19039	    (CVE-2016-1232)</p>
19040	</blockquote>
19041      </body>
19042    </description>
19043    <references>
19044      <cvename>CVE-2016-1231</cvename>
19045      <cvename>CVE-2016-1232</cvename>
19046      <freebsdpr>ports/206150</freebsdpr>
19047      <url>http://blog.prosody.im/prosody-0-9-9-security-release/</url>
19048    </references>
19049    <dates>
19050      <discovery>2016-01-08</discovery>
19051      <entry>2016-01-14</entry>
19052    </dates>
19053  </vuln>
19054
19055  <vuln vid="a7a4e96c-ba50-11e5-9728-002590263bf5">
19056    <topic>kibana4 -- XSS vulnerability</topic>
19057    <affects>
19058      <package>
19059	<name>kibana4</name>
19060	<name>kibana41</name>
19061	<range><lt>4.1.4</lt></range>
19062      </package>
19063      <package>
19064	<name>kibana42</name>
19065	<range><lt>4.2.2</lt></range>
19066      </package>
19067      <package>
19068	<name>kibana43</name>
19069	<range><lt>4.3.1</lt></range>
19070      </package>
19071    </affects>
19072    <description>
19073      <body xmlns="http://www.w3.org/1999/xhtml">
19074	<p>Elastic reports:</p>
19075	<blockquote cite="https://www.elastic.co/blog/kibana-4-3-1-and-4-2-2-and-4-1-4">
19076	  <p>Fixes XSS vulnerability (CVE pending) - Thanks to Vladimir Ivanov
19077	    for responsibly reporting.</p>
19078	</blockquote>
19079      </body>
19080    </description>
19081    <references>
19082      <freebsdpr>ports/205961</freebsdpr>
19083      <freebsdpr>ports/205962</freebsdpr>
19084      <freebsdpr>ports/205963</freebsdpr>
19085      <url>https://www.elastic.co/blog/kibana-4-3-1-and-4-2-2-and-4-1-4</url>
19086    </references>
19087    <dates>
19088      <discovery>2015-12-17</discovery>
19089      <entry>2016-01-13</entry>
19090    </dates>
19091  </vuln>
19092
19093  <vuln vid="333f655a-b93a-11e5-9efa-5453ed2e2b49">
19094    <topic>p5-PathTools -- File::Spec::canonpath loses taint</topic>
19095    <affects>
19096      <package>
19097	<name>p5-PathTools</name>
19098	<range>
19099	  <gt>3.4000</gt>
19100	  <lt>3.6200</lt>
19101	</range>
19102      </package>
19103      <package>
19104	<name>perl5</name>
19105	<name>perl5.20</name>
19106	<name>perl5.22</name>
19107	<name>perl5-devel</name>
19108	<range><ge>5.19.9</ge><lt>5.20.2</lt></range>
19109	<range><ge>5.21.0</ge><lt>5.22.2</lt></range>
19110	<range><ge>5.23.0</ge><lt>5.23.7</lt></range>
19111      </package>
19112    </affects>
19113    <description>
19114      <body xmlns="http://www.w3.org/1999/xhtml">
19115	<p>Ricardo Signes reports:</p>
19116	<blockquote>
19117	  <p>Beginning in PathTools 3.47 and/or perl 5.20.0, the
19118	    File::Spec::canonpath() routine returned untainted strings even if
19119	    passed tainted input. This defect undermines the guarantee of taint
19120	    propagation, which is sometimes used to ensure that unvalidated
19121	    user input does not reach sensitive code.</p>
19122	  <p>This defect was found and reported by David Golden of MongoDB.</p>
19123	</blockquote>
19124      </body>
19125    </description>
19126    <references>
19127      <cvename>CVE-2015-8607</cvename>
19128      <url>https://rt.perl.org/Public/Bug/Display.html?id=126862</url>
19129    </references>
19130    <dates>
19131      <discovery>2016-01-11</discovery>
19132      <entry>2016-01-12</entry>
19133      <modified>2016-08-22</modified>
19134    </dates>
19135  </vuln>
19136
19137  <vuln vid="6b771fe2-b84e-11e5-92f9-485d605f4717">
19138    <topic>php -- multiple vulnerabilities</topic>
19139    <affects>
19140      <package>
19141	<name>php55</name>
19142	<name>php55-gd</name>
19143	<name>php55-wddx</name>
19144	<name>php55-xmlrpc</name>
19145	<range><lt>5.5.31</lt></range>
19146      </package>
19147      <package>
19148	<name>php56</name>
19149	<name>php56-gd</name>
19150	<name>php56-soap</name>
19151	<name>php56-wddx</name>
19152	<name>php56-xmlrpc</name>
19153	<range><lt>5.6.17</lt></range>
19154      </package>
19155    </affects>
19156    <description>
19157      <body xmlns="http://www.w3.org/1999/xhtml">
19158	<p>PHP reports:</p>
19159	<blockquote cite="http://www.php.net/ChangeLog-5.php#5.5.31">
19160	  <ul><li>Core:
19161	  <ul>
19162	  <li>Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).</li>
19163	  </ul></li>
19164	  <li>GD:
19165	  <ul>
19166	  <li>Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array
19167	      Index Out of Bounds).</li>
19168	  </ul></li>
19169	  <li>SOAP:
19170	  <ul>
19171	  <li>Fixed bug #70900 (SoapClient systematic out of memory error).</li>
19172	  </ul></li>
19173	  <li>Wddx:
19174	  <ul>
19175	  <li>Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet
19176	      Deserialization).</li>
19177	  <li>Fixed bug #70741 (Session WDDX Packet Deserialization Type
19178	      Confusion Vulnerability).</li>
19179	  </ul></li>
19180	  <li>XMLRPC:
19181	  <ul>
19182	  <li>Fixed bug #70728 (Type Confusion Vulnerability in
19183	      PHP_to_XMLRPC_worker()).</li>
19184	  </ul></li>
19185	  </ul>
19186	</blockquote>
19187      </body>
19188    </description>
19189    <references>
19190      <url>http://www.php.net/ChangeLog-5.php#5.5.31</url>
19191      <url>http://www.php.net/ChangeLog-5.php#5.6.17</url>
19192    </references>
19193    <dates>
19194      <discovery>2016-01-07</discovery>
19195      <entry>2016-01-11</entry>
19196    </dates>
19197  </vuln>
19198
19199  <vuln vid="5f276780-b6ce-11e5-9731-5453ed2e2b49">
19200    <topic>pygments -- shell injection vulnerability</topic>
19201    <affects>
19202      <package>
19203	<name>py27-pygments</name>
19204	<name>py32-pygments</name>
19205	<name>py33-pygments</name>
19206	<name>py34-pygments</name>
19207	<name>py35-pygments</name>
19208	<range><lt>2.0.2_1</lt></range>
19209      </package>
19210    </affects>
19211    <description>
19212      <body xmlns="http://www.w3.org/1999/xhtml">
19213	<p>NVD reports:</p>
19214	<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557">
19215	  <p>The FontManager._get_nix_font_path function in formatters/img.py
19216	    in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute
19217	    arbitrary commands via shell metacharacters in a font name.</p>
19218	</blockquote>
19219      </body>
19220    </description>
19221    <references>
19222      <cvename>CVE-2015-8557</cvename>
19223      <mlist>http://seclists.org/fulldisclosure/2015/Oct/4</mlist>
19224      <url>https://bitbucket.org/birkenfeld/pygments-main/commits/0036ab1c99e256298094505e5e92fdacdfc5b0a8</url>
19225    </references>
19226    <dates>
19227      <discovery>2015-09-28</discovery>
19228      <entry>2016-01-09</entry>
19229    </dates>
19230  </vuln>
19231
19232  <vuln vid="631fc042-b636-11e5-83ef-14dae9d210b8">
19233    <topic>polkit -- multiple vulnerabilities</topic>
19234    <affects>
19235      <package>
19236	<name>polkit</name>
19237	<range><lt>0.113</lt></range>
19238      </package>
19239    </affects>
19240    <description>
19241      <body xmlns="http://www.w3.org/1999/xhtml">
19242	<p>Colin Walters reports:</p>
19243	<blockquote cite="http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html">
19244	  <ul>
19245	    <li><p>Integer overflow in the
19246	    authentication_agent_new_cookie function in PolicyKit (aka polkit)
19247	    before 0.113 allows local users to gain privileges by creating a large
19248	    number of connections, which triggers the issuance of a duplicate cookie
19249	    value.</p></li>
19250	    <li><p>The authentication_agent_new function in
19251	    polkitbackend/polkitbackendinteractiveauthority.c in PolicyKit (aka
19252	    polkit) before 0.113 allows local users to cause a denial of service
19253	    (NULL pointer dereference and polkitd daemon crash) by calling
19254	    RegisterAuthenticationAgent with an invalid object path.</p></li>
19255	    <li><p>The polkit_backend_action_pool_init function in
19256	    polkitbackend/polkitbackendactionpool.c in PolicyKit (aka polkit) before
19257	    0.113 might allow local users to gain privileges via duplicate action
19258	    IDs in action descriptions.</p></li>
19259	    <li><p>PolicyKit (aka polkit) before 0.113 allows local
19260	    users to cause a denial of service (memory corruption and polkitd daemon
19261	    crash) and possibly gain privileges via unspecified vectors, related to
19262	    "javascript rule evaluation."</p></li>
19263	  </ul>
19264	</blockquote>
19265      </body>
19266    </description>
19267    <references>
19268      <url>http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html</url>
19269      <cvename>CVE-2015-4625</cvename>
19270      <cvename>CVE-2015-3218</cvename>
19271      <cvename>CVE-2015-3255</cvename>
19272      <cvename>CVE-2015-3256</cvename>
19273    </references>
19274    <dates>
19275      <discovery>2015-06-03</discovery>
19276      <entry>2016-01-08</entry>
19277    </dates>
19278  </vuln>
19279
19280  <vuln vid="b22b016b-b633-11e5-83ef-14dae9d210b8">
19281    <topic>librsync -- collision vulnerability</topic>
19282    <affects>
19283      <package>
19284	<name>librsync</name>
19285	<range><lt>1.0.0</lt></range>
19286      </package>
19287    </affects>
19288    <description>
19289      <body xmlns="http://www.w3.org/1999/xhtml">
19290	<p>Michael Samuel reports:</p>
19291	<blockquote cite="http://www.openwall.com/lists/oss-security/2014/07/28/1">
19292	  <p>librsync before 1.0.0 uses a truncated MD4 checksum to
19293	    match blocks, which makes it easier for remote attackers to modify
19294	    transmitted data via a birthday attack.</p>
19295	</blockquote>
19296      </body>
19297    </description>
19298    <references>
19299      <url>http://www.openwall.com/lists/oss-security/2014/07/28/1</url>
19300      <cvename>CVE-2014-8242</cvename>
19301    </references>
19302    <dates>
19303      <discovery>2014-07-28</discovery>
19304      <entry>2016-01-08</entry>
19305    </dates>
19306  </vuln>
19307
19308  <vuln vid="4eae4f46-b5ce-11e5-8a2b-d050996490d0">
19309    <topic>ntp -- denial of service vulnerability</topic>
19310    <affects>
19311      <package>
19312	<name>ntp</name>
19313	<range><lt>4.2.8p5</lt></range>
19314      </package>
19315      <package>
19316	<name>ntp-devel</name>
19317	<range><lt>4.3.78</lt></range>
19318      </package>
19319      <package>
19320	<name>FreeBSD</name>
19321	<range><ge>10.2</ge><lt>10.2_9</lt></range>
19322	<range><ge>10.1</ge><lt>10.1_26</lt></range>
19323	<range><ge>9.3</ge><lt>9.3_33</lt></range>
19324      </package>
19325    </affects>
19326    <description>
19327      <body xmlns="http://www.w3.org/1999/xhtml">
19328	<p>Network Time Foundation reports:</p>
19329	<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p5_Securit">
19330	  <p>NTF's NTP Project has been notified of the following
19331	    1 medium-severity vulnerability that is fixed in
19332	    ntp-4.2.8p5, released on Thursday, 7 January 2016:</p>
19333	  <p>NtpBug2956: Small-step/Big-step CVE-2015-5300</p>
19334	</blockquote>
19335      </body>
19336    </description>
19337    <references>
19338      <freebsdsa>SA-16:02.ntp</freebsdsa>
19339      <cvename>CVE-2015-5300</cvename>
19340      <url>https://www.cs.bu.edu/~goldbe/NTPattack.html</url>
19341      <url>http://support.ntp.org/bin/view/Main/NtpBug2956</url>
19342      <url>http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p5_Securit</url>
19343    </references>
19344    <dates>
19345      <discovery>2015-10-21</discovery>
19346      <entry>2016-01-08</entry>
19347      <modified>2016-08-09</modified>
19348    </dates>
19349  </vuln>
19350
19351  <vuln vid="df587aa2-b5a5-11e5-9728-002590263bf5">
19352    <topic>dhcpcd -- multiple vulnerabilities</topic>
19353    <affects>
19354      <package>
19355	<name>dhcpcd</name>
19356	<range><lt>6.10.0</lt></range>
19357      </package>
19358    </affects>
19359    <description>
19360      <body xmlns="http://www.w3.org/1999/xhtml">
19361	<p>Nico Golde reports:</p>
19362	<blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/07/3">
19363	  <p>Heap overflow via malformed DHCP responses later in print_option
19364	    (via dhcp_envoption1) due to incorrect option length values.
19365	    Exploitation is non-trivial, but I'd love to be proven wrong.</p>
19366	  <p>Invalid read/crash via malformed DHCP responses. Not exploitable
19367	    beyond DoS as far as I can judge.</p>
19368	</blockquote>
19369      </body>
19370    </description>
19371    <references>
19372      <cvename>CVE-2016-1503</cvename>
19373      <cvename>CVE-2016-1504</cvename>
19374      <freebsdpr>ports/206015</freebsdpr>
19375      <url>http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9def1300d7ba990679571fa30</url>
19376      <url>http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d8fabf33059aa4689cca17403</url>
19377      <url>http://www.openwall.com/lists/oss-security/2016/01/07/3</url>
19378    </references>
19379    <dates>
19380      <discovery>2016-01-04</discovery>
19381      <entry>2016-01-08</entry>
19382    </dates>
19383  </vuln>
19384
19385  <vuln vid="4084168e-b531-11e5-a98c-0011d823eebd">
19386    <topic>mbedTLS/PolarSSL -- SLOTH attack on TLS 1.2 server authentication</topic>
19387    <affects>
19388      <package>
19389	<name>polarssl13</name>
19390	<range><lt>1.3.16</lt></range>
19391      </package>
19392      <package>
19393	<name>mbedtls</name>
19394	<range><lt>2.2.1</lt></range>
19395      </package>
19396    </affects>
19397    <description>
19398      <body xmlns="http://www.w3.org/1999/xhtml">
19399	<p>ARM Limited reports:</p>
19400	<blockquote cite="https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released">
19401	  <p>MD5 handshake signatures in TLS 1.2 are vulnerable to the SLOTH attack
19402	    on TLS 1.2 server authentication.  They have been disabled by default.
19403	    Other attacks from the SLOTH paper do not apply to any version of mbed
19404	    TLS or PolarSSL.</p>
19405	</blockquote>
19406      </body>
19407    </description>
19408    <references>
19409      <url>https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released</url>
19410    </references>
19411    <dates>
19412      <discovery>2016-01-04</discovery>
19413      <entry>2016-01-07</entry>
19414    </dates>
19415  </vuln>
19416
19417  <vuln vid="6aa2d135-b40e-11e5-9728-002590263bf5">
19418    <topic>xen-kernel -- ioreq handling possibly susceptible to multiple read issue</topic>
19419    <affects>
19420      <package>
19421	<name>xen-kernel</name>
19422	<range><lt>4.5.2_1</lt></range>
19423      </package>
19424    </affects>
19425    <description>
19426      <body xmlns="http://www.w3.org/1999/xhtml">
19427	<p>The Xen Project reports:</p>
19428	<blockquote cite="http://xenbits.xen.org/xsa/advisory-166.html">
19429	  <p>Single memory accesses in source code can be translated to multiple
19430	    ones in machine code by the compiler, requiring special caution when
19431	    accessing shared memory.  Such precaution was missing from the
19432	    hypervisor code inspecting the state of I/O requests sent to the
19433	    device model for assistance.</p>
19434	  <p>Due to the offending field being a bitfield, it is however believed
19435	    that there is no issue in practice, since compilers, at least when
19436	    optimizing (which is always the case for non-debug builds), should find
19437	    it more expensive to extract the bit field value twice than to keep the
19438	    calculated value in a register.</p>
19439	  <p>This vulnerability is exposed to malicious device models.  In
19440	    conventional Xen systems this means the qemu which services an HVM
19441	    domain.  On such systems this vulnerability can only be exploited if
19442	    the attacker has gained control of the device model qemu via another
19443	    vulnerability.</p>
19444	  <p>Privilege escalation, host crash (Denial of Service), and leaked
19445	    information all cannot be excluded.</p>
19446	</blockquote>
19447      </body>
19448    </description>
19449    <references>
19450      <freebsdpr>ports/205841</freebsdpr>
19451      <url>http://xenbits.xen.org/xsa/advisory-166.html</url>
19452    </references>
19453    <dates>
19454      <discovery>2015-12-17</discovery>
19455      <entry>2016-01-06</entry>
19456    </dates>
19457  </vuln>
19458
19459  <vuln vid="e839ca04-b40d-11e5-9728-002590263bf5">
19460    <topic>xen-kernel -- information leak in legacy x86 FPU/XMM initialization</topic>
19461    <affects>
19462      <package>
19463	<name>xen-kernel</name>
19464	<range><lt>4.5.2_1</lt></range>
19465      </package>
19466    </affects>
19467    <description>
19468      <body xmlns="http://www.w3.org/1999/xhtml">
19469	<p>The Xen Project reports:</p>
19470	<blockquote cite="http://xenbits.xen.org/xsa/advisory-165.html">
19471	  <p>When XSAVE/XRSTOR are not in use by Xen to manage guest extended
19472	    register state, the initial values in the FPU stack and XMM
19473	    registers seen by the guest upon first use are those left there by
19474	    the previous user of those registers.</p>
19475	  <p>A malicious domain may be able to leverage this to obtain sensitive
19476	    information such as cryptographic keys from another domain.</p>
19477	</blockquote>
19478      </body>
19479    </description>
19480    <references>
19481      <cvename>CVE-2015-8555</cvename>
19482      <freebsdpr>ports/205841</freebsdpr>
19483      <url>http://xenbits.xen.org/xsa/advisory-165.html</url>
19484    </references>
19485    <dates>
19486      <discovery>2015-12-17</discovery>
19487      <entry>2016-01-06</entry>
19488    </dates>
19489  </vuln>
19490
19491  <vuln vid="5d1d4473-b40d-11e5-9728-002590263bf5">
19492    <topic>xen-tools -- libxl leak of pv kernel and initrd on error</topic>
19493    <affects>
19494      <package>
19495	<name>xen-tools</name>
19496	<range><ge>4.1</ge><lt>4.5.2_1</lt></range>
19497      </package>
19498    </affects>
19499    <description>
19500      <body xmlns="http://www.w3.org/1999/xhtml">
19501	<p>The Xen Project reports:</p>
19502	<blockquote cite="http://xenbits.xen.org/xsa/advisory-160.html">
19503	  <p>When constructing a guest which is configured to use a PV
19504	    bootloader which runs as a userspace process in the toolstack domain
19505	    (e.g. pygrub) libxl creates a mapping of the files to be used as
19506	    kernel and initial ramdisk when building the guest domain.</p>
19507	  <p>However if building the domain subsequently fails these mappings
19508	    would not be released leading to a leak of virtual address space in
19509	    the calling process, as well as preventing the recovery of the
19510	    temporary disk files containing the kernel and initial ramdisk.</p>
19511	  <p>For toolstacks which manage multiple domains within the same
19512	    process, an attacker who is able to repeatedly start a suitable
19513	    domain (or many such domains) can cause an out-of-memory condition in the
19514	    toolstack process, leading to a denial of service.</p>
19515	  <p>Under the same circumstances an attacker can also cause files to
19516	    accumulate on the toolstack domain filesystem (usually under /var in
19517	    dom0) used to temporarily store the kernel and initial ramdisk,
19518	    perhaps leading to a denial of service against arbitrary other
19519	    services using that filesystem.</p>
19520	</blockquote>
19521      </body>
19522    </description>
19523    <references>
19524      <cvename>CVE-2015-8341</cvename>
19525      <freebsdpr>ports/205841</freebsdpr>
19526      <url>http://xenbits.xen.org/xsa/advisory-160.html</url>
19527    </references>
19528    <dates>
19529      <discovery>2015-12-08</discovery>
19530      <entry>2016-01-06</entry>
19531    </dates>
19532  </vuln>
19533
19534  <vuln vid="bcad3faa-b40c-11e5-9728-002590263bf5">
19535    <topic>xen-kernel -- XENMEM_exchange error handling issues</topic>
19536    <affects>
19537      <package>
19538	<name>xen-kernel</name>
19539	<range><lt>4.5.2_1</lt></range>
19540      </package>
19541    </affects>
19542    <description>
19543      <body xmlns="http://www.w3.org/1999/xhtml">
19544	<p>The Xen Project reports:</p>
19545	<blockquote cite="http://xenbits.xen.org/xsa/advisory-159.html">
19546	  <p>Error handling in the operation may involve handing back pages to
19547	    the domain. This operation may fail when in parallel the domain gets
19548	    torn down. So far this failure unconditionally resulted in the host
19549	    being brought down due to an internal error being assumed. This is
19550	    CVE-2015-8339.</p>
19551	  <p>Furthermore error handling so far wrongly included the release of a
19552	    lock. That lock, however, was either not acquired or already released
19553	    on all paths leading to the error handling sequence. This is
19554	    CVE-2015-8340.</p>
19555	  <p>A malicious guest administrator may be able to deny service by
19556	    crashing the host or causing a deadlock.</p>
19557	</blockquote>
19558      </body>
19559    </description>
19560    <references>
19561      <cvename>CVE-2015-8339</cvename>
19562      <cvename>CVE-2015-8340</cvename>
19563      <freebsdpr>ports/205841</freebsdpr>
19564      <url>http://xenbits.xen.org/xsa/advisory-159.html</url>
19565    </references>
19566    <dates>
19567      <discovery>2015-12-08</discovery>
19568      <entry>2016-01-06</entry>
19569    </dates>
19570  </vuln>
19571
19572  <vuln vid="b65e4914-b3bc-11e5-8255-5453ed2e2b49">
19573    <topic>tiff -- out-of-bounds read in CIE Lab image format</topic>
19574    <affects>
19575      <package>
19576	<name>tiff</name>
19577	<range><lt>4.0.6_1</lt></range>
19578      </package>
19579      <package>
19580	<name>linux-c6-tiff</name>
19581	<range><lt>3.9.4_2</lt></range>
19582      </package>
19583      <package>
19584	<name>linux-f10-tiff</name>
19585	<range><ge>*</ge></range>
19586      </package>
19587    </affects>
19588    <description>
19589      <body xmlns="http://www.w3.org/1999/xhtml">
19590	<p>zzf of Alibaba discovered an out-of-bounds vulnerability in the code
19591	  processing the LogLUV and CIE Lab image format files. An attacker
19592	  could create a specially-crafted TIFF file that could cause libtiff
19593	  to crash.</p>
19594      </body>
19595    </description>
19596    <references>
19597      <cvename>CVE-2015-8683</cvename>
19598      <mlist>http://www.openwall.com/lists/oss-security/2015/12/25/2</mlist>
19599    </references>
19600    <dates>
19601      <discovery>2015-12-25</discovery>
19602      <entry>2016-01-05</entry>
19603      <modified>2016-09-06</modified>
19604    </dates>
19605  </vuln>
19606
19607  <vuln vid="bd349f7a-b3b9-11e5-8255-5453ed2e2b49">
19608    <topic>tiff -- out-of-bounds read in tif_getimage.c</topic>
19609    <affects>
19610      <package>
19611	<name>tiff</name>
19612	<range><lt>4.0.6_1</lt></range>
19613      </package>
19614      <package>
19615	<name>linux-c6-tiff</name>
19616	<range><lt>3.9.4_2</lt></range>
19617      </package>
19618      <package>
19619	<name>linux-f10-tiff</name>
19620	<range><ge>*</ge></range>
19621      </package>
19622    </affects>
19623    <description>
19624      <body xmlns="http://www.w3.org/1999/xhtml">
19625	<p>LMX of Qihoo 360 Codesafe Team discovered an out-of-bounds read in
19626	  tif_getimage.c. An attacker could create a specially-crafted TIFF
19627	  file that could cause libtiff to crash.</p>
19628      </body>
19629    </description>
19630    <references>
19631      <cvename>CVE-2015-8665</cvename>
19632      <mlist>http://www.openwall.com/lists/oss-security/2015/12/24/2</mlist>
19633    </references>
19634    <dates>
19635      <discovery>2015-12-24</discovery>
19636      <entry>2016-01-05</entry>
19637      <modified>2016-09-06</modified>
19638    </dates>
19639  </vuln>
19640
19641  <vuln vid="86c3c66e-b2f5-11e5-863a-b499baebfeaf">
19642    <topic>unzip -- multiple vulnerabilities</topic>
19643    <affects>
19644      <package>
19645	<name>unzip</name>
19646	<range><lt>6.0_7</lt></range>
19647      </package>
19648    </affects>
19649    <description>
19650      <body xmlns="http://www.w3.org/1999/xhtml">
19651	<p>Gustavo Grieco reports:</p>
19652	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/07/4">
19653	 <p>Two issues were found in unzip 6.0:</p>
19654	 <p> * A heap overflow triggered by unzipping a file with password
19655	    (e.g. unzip -p -P x sigsegv.zip).</p>
19656	 <p> * A denial of service with a file that never finishes unzipping
19657	    (e.g. unzip sigxcpu.zip).</p>
19658	</blockquote>
19659      </body>
19660    </description>
19661    <references>
19662      <url>http://www.openwall.com/lists/oss-security/2015/09/07/4</url>
19663      <freebsdpr>ports/204413</freebsdpr>
19664      <cvename>CVE-2015-7696</cvename>
19665      <cvename>CVE-2015-7697</cvename>
19666    </references>
19667    <dates>
19668      <discovery>2015-09-26</discovery>
19669      <entry>2016-01-04</entry>
19670    </dates>
19671  </vuln>
19672
19673  <vuln vid="bb961ff3-b3a4-11e5-8255-5453ed2e2b49">
19674    <topic>cacti -- SQL injection vulnerabilities</topic>
19675    <affects>
19676      <package>
19677	<name>cacti</name>
19678	<range><le>0.8.8f_1</le></range>
19679      </package>
19680    </affects>
19681    <description>
19682      <body xmlns="http://www.w3.org/1999/xhtml">
19683	<p>NVD reports:</p>
19684	<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8369">
19685	  <p>SQL injection vulnerability in include/top_graph_header.php in
19686	    Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary
19687	    SQL commands via the rra_id parameter in a properties action to
19688	    graph.php.</p>
19689	</blockquote>
19690      </body>
19691    </description>
19692    <references>
19693      <cvename>CVE-2015-8369</cvename>
19694      <url>http://bugs.cacti.net/view.php?id=2646</url>
19695      <url>http://svn.cacti.net/viewvc?view=rev&amp;revision=7767</url>
19696      <mlist>http://seclists.org/fulldisclosure/2015/Dec/8</mlist>
19697    </references>
19698    <dates>
19699      <discovery>2015-12-05</discovery>
19700      <entry>2016-01-05</entry>
19701    </dates>
19702  </vuln>
19703
19704  <vuln vid="59e7eb28-b309-11e5-af83-80ee73b5dcf5">
19705    <topic>kea -- unexpected termination while handling a malformed packet</topic>
19706    <affects>
19707      <package>
19708	<name>kea</name>
19709	<range><ge>0.9.2</ge><lt>1.0.0</lt></range>
19710      </package>
19711    </affects>
19712    <description>
19713      <body xmlns="http://www.w3.org/1999/xhtml">
19714	<p>ISC Support reports:</p>
19715	<blockquote cite="https://kb.isc.org/article/AA-01318/0/CVE-2015-8373-ISC-Kea%3A-unexpected-termination-while-handling-a-malformed-packet.html">
19716	  <p>ISC Kea may terminate unexpectedly (crash) while handling
19717	    a malformed client packet.  Related defects in the kea-dhcp4
19718	    and kea-dhcp6 servers can cause the server to crash during
19719	    option processing if a client sends a malformed packet.
19720	    An attacker sending a crafted malformed packet can cause
19721	    an ISC Kea server providing DHCP services to IPv4 or IPv6
19722	    clients to exit unexpectedly.</p>
19723	  <ul>
19724	    <li><p>The kea-dhcp4 server is vulnerable only in versions
19725		  0.9.2 and 1.0.0-beta, and furthermore only when logging
19726		  at debug level 40 or higher.  Servers running kea-dhcp4
19727		  versions 0.9.1 or lower, and servers which are not
19728		  logging or are logging at debug level 39 or below are
19729		  not vulnerable.</p></li>
19730	    <li><p>The kea-dhcp6 server is vulnerable only in versions
19731		  0.9.2 and 1.0.0-beta, and furthermore only when
19732		  logging at debug level 45 or higher.  Servers running
19733		  kea-dhcp6 versions 0.9.1 or lower, and servers
19734		  which are not logging or are logging at debug level 44
19735		  or below are not vulnerable.</p></li>
19736	  </ul>
19737	</blockquote>
19738      </body>
19739    </description>
19740    <references>
19741      <cvename>CVE-2015-8373</cvename>
19742      <url>https://kb.isc.org/article/AA-01318/0/CVE-2015-8373-ISC-Kea%3A-unexpected-termination-while-handling-a-malformed-packet.html</url>
19743    </references>
19744    <dates>
19745      <discovery>2015-12-15</discovery>
19746      <entry>2016-01-04</entry>
19747      <modified>2016-01-05</modified>
19748    </dates>
19749  </vuln>
19750
19751  <vuln vid="84dc49b0-b267-11e5-8a5b-00262d5ed8ee">
19752    <topic>mini_httpd -- buffer overflow via snprintf</topic>
19753    <affects>
19754      <package>
19755	<name>mini_httpd</name>
19756	<range><lt>1.23</lt></range>
19757      </package>
19758    </affects>
19759    <description>
19760      <body xmlns="http://www.w3.org/1999/xhtml">
19761	<p>ACME Updates reports:</p>
19762	<blockquote cite="https://cxsecurity.com/acveshow/CVE-2015-1548">
19763	  <p>mini_httpd 1.21 and earlier allows remote attackers to obtain
19764	    sensitive information from process memory via an HTTP request with
19765	    a long protocol string, which triggers an incorrect response size
19766	    calculation and an out-of-bounds read.</p>
19767	  <p>(rene) ACME, the author, claims that the vulnerability is fixed
19768	    *after* version 1.22, released on 2015-12-28.</p>
19769	</blockquote>
19770      </body>
19771    </description>
19772    <references>
19773      <cvename>CVE-2015-1548</cvename>
19774      <url>https://cxsecurity.com/cveshow/CVE-2015-1548</url>
19775      <url>http://acme.com/updates/archive/192.html</url>
19776    </references>
19777    <dates>
19778      <discovery>2015-02-10</discovery>
19779      <entry>2016-01-03</entry>
19780    </dates>
19781  </vuln>
19782
19783  <vuln vid="1384f2fd-b1be-11e5-9728-002590263bf5">
19784    <topic>qemu -- denial of service vulnerability in Rocker switch emulation</topic>
19785    <affects>
19786      <package>
19787	<name>qemu</name>
19788	<name>qemu-devel</name>
19789	<range><lt>2.5.50</lt></range>
19790      </package>
19791      <package>
19792	<name>qemu-sbruno</name>
19793	<name>qemu-user-static</name>
19794	<range><lt>2.5.50.g20160213</lt></range>
19795      </package>
19796    </affects>
19797    <description>
19798      <body xmlns="http://www.w3.org/1999/xhtml">
19799	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
19800	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/28/6">
	  <p>Qemu emulator built with the Rocker switch emulation support is
	    vulnerable to an off-by-one error. It happens while processing
	    transmit (tx) descriptors in the 'tx_consume' routine, if a
	    descriptor were to have more than the allowed
	    (ROCKER_TX_FRAGS_MAX=16) fragments.</p>
	  <p>A privileged user inside the guest could use this flaw to cause
	    memory leakage on the host or crash the Qemu process instance,
	    resulting in a DoS issue.</p>
19809	</blockquote>
19810      </body>
19811    </description>
19812    <references>
19813      <cvename>CVE-2015-8701</cvename>
19814      <freebsdpr>ports/205813</freebsdpr>
19815      <freebsdpr>ports/205814</freebsdpr>
19816      <url>http://www.openwall.com/lists/oss-security/2015/12/28/6</url>
19817      <url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html</url>
19818      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=007cd223de527b5f41278f2d886c1a4beb3e67aa</url>
19819      <url>https://github.com/seanbruno/qemu-bsd-user/commit/007cd223de527b5f41278f2d886c1a4beb3e67aa</url>
19820    </references>
19821    <dates>
19822      <discovery>2015-12-28</discovery>
19823      <entry>2016-01-03</entry>
19824      <modified>2016-07-06</modified>
19825    </dates>
19826  </vuln>
19827
19828  <vuln vid="152acff3-b1bd-11e5-9728-002590263bf5">
19829    <topic>qemu -- denial of service vulnerability in Q35 chipset emulation</topic>
19830    <affects>
19831      <package>
19832	<name>qemu</name>
19833	<name>qemu-devel</name>
19834	<range><lt>2.5.50</lt></range>
19835      </package>
19836      <package>
19837	<name>qemu-sbruno</name>
19838	<name>qemu-user-static</name>
19839	<range><lt>2.5.50.g20151224</lt></range>
19840      </package>
19841    </affects>
19842    <description>
19843      <body xmlns="http://www.w3.org/1999/xhtml">
19844	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
19845	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/24/1">
	  <p>Qemu emulator built with the Q35 chipset based pc system emulator
	    is vulnerable to a heap based buffer overflow. It occurs during VM
	    guest migration, as more (16 bytes) data is moved into an allocated
	    (8 bytes) memory area.</p>
19850	  <p>A privileged guest user could use this issue to corrupt the VM
19851	    guest image, potentially leading to a DoS. This issue affects q35
19852	    machine types.</p>
19853	</blockquote>
19854      </body>
19855    </description>
19856    <references>
19857      <cvename>CVE-2015-8666</cvename>
19858      <url>http://www.openwall.com/lists/oss-security/2015/12/24/1</url>
19859      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=d9a3b33d2c9f996537b7f1d0246dee2d0120cefb</url>
19860      <url>https://github.com/seanbruno/qemu-bsd-user/commit/d9a3b33d2c9f996537b7f1d0246dee2d0120cefb</url>
19861    </references>
19862    <dates>
19863      <discovery>2015-11-19</discovery>
19864      <entry>2016-01-03</entry>
19865      <modified>2016-07-06</modified>
19866    </dates>
19867  </vuln>
19868
19869  <vuln vid="62ab8707-b1bc-11e5-9728-002590263bf5">
19870    <topic>qemu -- denial of service vulnerability in Human Monitor Interface support</topic>
19871    <affects>
19872      <package>
19873	<name>qemu</name>
19874	<name>qemu-devel</name>
19875	<range><lt>2.5.0</lt></range>
19876      </package>
19877      <package>
19878	<name>qemu-sbruno</name>
19879	<name>qemu-user-static</name>
19880	<range><lt>2.5.50.g20160213</lt></range>
19881      </package>
19882    </affects>
19883    <description>
19884      <body xmlns="http://www.w3.org/1999/xhtml">
19885	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
19886	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/22/8">
	  <p>Qemu emulator built with the Human Monitor Interface (HMP) support
	    is vulnerable to an OOB write issue. It occurs while processing the
	    'sendkey' command in the hmp_sendkey routine, if the command argument
	    is longer than the 'keyname_buf' buffer size.</p>
	  <p>A user/process could use this flaw to crash the Qemu process
	    instance, resulting in DoS.</p>
19893	</blockquote>
19894      </body>
19895    </description>
19896    <references>
19897      <cvename>CVE-2015-8619</cvename>
19898      <freebsdpr>ports/205813</freebsdpr>
19899      <freebsdpr>ports/205814</freebsdpr>
19900      <url>http://www.openwall.com/lists/oss-security/2015/12/22/8</url>
19901      <url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html</url>
19902      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=64ffbe04eaafebf4045a3ace52a360c14959d196</url>
19903      <url>https://github.com/seanbruno/qemu-bsd-user/commit/64ffbe04eaafebf4045a3ace52a360c14959d196</url>
19904    </references>
19905    <dates>
19906      <discovery>2015-12-23</discovery>
19907      <entry>2016-01-03</entry>
19908      <modified>2016-07-06</modified>
19909    </dates>
19910  </vuln>
19911
19912  <vuln vid="b3f9f8ef-b1bb-11e5-9728-002590263bf5">
19913    <topic>qemu -- denial of service vulnerability in MegaRAID SAS HBA emulation</topic>
19914    <affects>
19915      <package>
19916	<name>qemu</name>
19917	<name>qemu-devel</name>
19918	<range><lt>2.5.0</lt></range>
19919      </package>
19920      <package>
19921	<name>qemu-sbruno</name>
19922	<name>qemu-user-static</name>
19923	<range><lt>2.5.50.g20160213</lt></range>
19924      </package>
19925    </affects>
19926    <description>
19927      <body xmlns="http://www.w3.org/1999/xhtml">
19928	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
19929	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/21/7">
19930	  <p>Qemu emulator built with the SCSI MegaRAID SAS HBA emulation
19931	    support is vulnerable to a stack buffer overflow issue. It occurs
19932	    while processing the SCSI controller's CTRL_GET_INFO command. A
19933	    privileged guest user could use this flaw to crash the Qemu process
19934	    instance resulting in DoS.</p>
19935	</blockquote>
19936      </body>
19937    </description>
19938    <references>
19939      <cvename>CVE-2015-8613</cvename>
19940      <freebsdpr>ports/205813</freebsdpr>
19941      <freebsdpr>ports/205814</freebsdpr>
19942      <url>http://www.openwall.com/lists/oss-security/2015/12/21/7</url>
19943      <url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html</url>
19944      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=36fef36b91f7ec0435215860f1458b5342ce2811</url>
19945      <url>https://github.com/seanbruno/qemu-bsd-user/commit/36fef36b91f7ec0435215860f1458b5342ce2811</url>
19946    </references>
19947    <dates>
19948      <discovery>2015-12-21</discovery>
19949      <entry>2016-01-03</entry>
19950      <modified>2016-07-06</modified>
19951    </dates>
19952  </vuln>
19953
19954  <vuln vid="9ad8993e-b1ba-11e5-9728-002590263bf5">
19955    <topic>qemu -- denial of service vulnerability in VMWARE VMXNET3 NIC support</topic>
19956    <affects>
19957      <package>
19958	<name>qemu</name>
19959	<name>qemu-devel</name>
19960	<range><lt>2.5.0</lt></range>
19961      </package>
19962      <package>
19963	<name>qemu-sbruno</name>
19964	<name>qemu-user-static</name>
19965	<range><lt>2.5.50.g20160213</lt></range>
19966      </package>
19967    </affects>
19968    <description>
19969      <body xmlns="http://www.w3.org/1999/xhtml">
19970	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
19971	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/15/4">
	  <p>Qemu emulator built with the VMWARE VMXNET3 paravirtual NIC
	    emulator support is vulnerable to a memory leakage flaw. It occurs
	    when a guest repeatedly tries to activate the vmxnet3 device.</p>
19975	  <p>A privileged guest user could use this flaw to leak host memory,
19976	    resulting in DoS on the host.</p>
19977	</blockquote>
19978      </body>
19979    </description>
19980    <references>
19981      <cvename>CVE-2015-8567</cvename>
19982      <cvename>CVE-2015-8568</cvename>
19983      <freebsdpr>ports/205813</freebsdpr>
19984      <freebsdpr>ports/205814</freebsdpr>
19985      <url>http://www.openwall.com/lists/oss-security/2015/12/15/4</url>
19986      <url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html</url>
19987      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=aa4a3dce1c88ed51b616806b8214b7c8428b7470</url>
19988      <url>https://github.com/seanbruno/qemu-bsd-user/commit/aa4a3dce1c88ed51b616806b8214b7c8428b7470</url>
19989    </references>
19990    <dates>
19991      <discovery>2015-12-15</discovery>
19992      <entry>2016-01-03</entry>
19993      <modified>2016-07-06</modified>
19994    </dates>
19995  </vuln>
19996
19997  <vuln vid="60cb2055-b1b8-11e5-9728-002590263bf5">
19998    <topic>qemu -- denial of service vulnerability in USB EHCI emulation support</topic>
19999    <affects>
20000      <package>
20001	<name>qemu</name>
20002	<name>qemu-devel</name>
20003	<range><lt>2.5.0</lt></range>
20004      </package>
20005      <package>
20006	<name>qemu-sbruno</name>
20007	<name>qemu-user-static</name>
20008	<range><lt>2.5.50.g20151224</lt></range>
20009      </package>
20010    </affects>
20011    <description>
20012      <body xmlns="http://www.w3.org/1999/xhtml">
20013	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
20014	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/14/9">
	  <p>Qemu emulator built with the USB EHCI emulation support is
	    vulnerable to an infinite loop issue. It occurs during communication
	    between the host controller interface (EHCI) and a respective device
	    driver. These two communicate via an isochronous transfer descriptor
	    list (iTD), and an infinite loop unfolds if there is a closed loop in
	    this list.</p>
	  <p>A privileged user inside the guest could use this flaw to consume
	    excessive CPU cycles &amp; resources on the host.</p>
20023	</blockquote>
20024      </body>
20025    </description>
20026    <references>
20027      <cvename>CVE-2015-8558</cvename>
20028      <freebsdpr>ports/205814</freebsdpr>
20029      <url>http://www.openwall.com/lists/oss-security/2015/12/14/9</url>
20030      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254</url>
20031      <url>https://github.com/seanbruno/qemu-bsd-user/commit/156a2e4dbffa85997636a7a39ef12da6f1b40254</url>
20032    </references>
20033    <dates>
20034      <discovery>2015-12-14</discovery>
20035      <entry>2016-01-03</entry>
20036    </dates>
20037  </vuln>
20038
20039  <vuln vid="3fb06284-b1b7-11e5-9728-002590263bf5">
20040    <topic>qemu -- denial of service vulnerability in MSI-X support</topic>
20041    <affects>
20042      <package>
20043	<name>qemu</name>
20044	<name>qemu-devel</name>
20045	<range><lt>2.5.0</lt></range>
20046      </package>
20047      <package>
20048	<name>qemu-sbruno</name>
20049	<name>qemu-user-static</name>
20050	<range><lt>2.5.50.g20151224</lt></range>
20051      </package>
20052    </affects>
20053    <description>
20054      <body xmlns="http://www.w3.org/1999/xhtml">
20055	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
20056	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/14/2">
	  <p>Qemu emulator built with the PCI MSI-X support is vulnerable to a
	    null pointer dereference issue. It occurs when the controller
	    attempts to write to the pending bit array (PBA) memory region,
	    because the MSI-X MMIO support did not define the .write method.</p>
	  <p>A privileged user inside the guest could use this flaw to crash the
	    Qemu process, resulting in a DoS issue.</p>
20063	</blockquote>
20064      </body>
20065    </description>
20066    <references>
20067      <cvename>CVE-2015-7549</cvename>
20068      <url>http://www.openwall.com/lists/oss-security/2015/12/14/2</url>
20069      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=43b11a91dd861a946b231b89b7542856ade23d1b</url>
20070      <url>https://github.com/seanbruno/qemu-bsd-user/commit/43b11a91dd861a946b231b89b7542856ade23d1b</url>
20071    </references>
20072    <dates>
20073      <discovery>2015-06-26</discovery>
20074      <entry>2016-01-03</entry>
20075    </dates>
20076  </vuln>
20077
20078  <vuln vid="67feba97-b1b5-11e5-9728-002590263bf5">
20079    <topic>qemu -- denial of service vulnerability in VNC</topic>
20080    <affects>
20081      <package>
20082	<name>qemu</name>
20083	<name>qemu-devel</name>
20084	<range><lt>2.5.0</lt></range>
20085      </package>
20086      <package>
20087	<name>qemu-sbruno</name>
20088	<name>qemu-user-static</name>
20089	<range><lt>2.5.50.g20151224</lt></range>
20090      </package>
20091    </affects>
20092    <description>
20093      <body xmlns="http://www.w3.org/1999/xhtml">
20094	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
20095	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/08/4">
20096	  <p>Qemu emulator built with the VNC display driver support is
20097	    vulnerable to an arithmetic exception flaw. It occurs on the VNC
20098	    server side while processing the 'SetPixelFormat' messages from a
20099	    client.</p>
20100	  <p>A privileged remote client could use this flaw to crash the guest
20101	    resulting in DoS.</p>
20102	</blockquote>
20103      </body>
20104    </description>
20105    <references>
20106      <cvename>CVE-2015-8504</cvename>
20107      <url>http://www.openwall.com/lists/oss-security/2015/12/08/4</url>
20108      <url>http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3</url>
20109      <url>https://github.com/seanbruno/qemu-bsd-user/commit/4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3</url>
20110    </references>
20111    <dates>
20112      <discovery>2015-12-08</discovery>
20113      <entry>2016-01-03</entry>
20114    </dates>
20115  </vuln>
20116
20117  <vuln vid="405446f4-b1b3-11e5-9728-002590263bf5">
20118    <topic>qemu and xen-tools -- denial of service vulnerabilities in AMD PC-Net II NIC support</topic>
20119    <affects>
20120      <package>
20121	<name>qemu</name>
20122	<name>qemu-devel</name>
20123	<range><lt>2.5.0</lt></range>
20124      </package>
20125      <package>
20126	<name>qemu-sbruno</name>
20127	<name>qemu-user-static</name>
20128	<range><lt>2.5.50.g20151224</lt></range>
20129      </package>
20130      <package>
20131	<name>xen-tools</name>
20132	<range><lt>4.5.2_1</lt></range>
20133      </package>
20134    </affects>
20135    <description>
20136      <body xmlns="http://www.w3.org/1999/xhtml">
20137	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
20138	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/30/2">
	  <p>Qemu emulator built with the AMD PC-Net II Ethernet Controller
	    support is vulnerable to a heap buffer overflow flaw. While
	    receiving packets in the loopback mode, it appends CRC code to the
	    receive buffer. If the data size given is the same as the receive
	    buffer size, the appended CRC code overwrites 4 bytes beyond this
	    's-&gt;buffer' array.</p>
	  <p>A privileged (CAP_SYS_RAWIO) user inside the guest could use this
	    flaw to crash the Qemu instance, resulting in DoS, or potentially
	    execute arbitrary code with privileges of the Qemu process on the
	    host.</p>
20148	</blockquote>
20149	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/30/3">
	  <p>The AMD PC-Net II emulator (hw/net/pcnet.c), while receiving packets
	    from a remote host (non-loopback mode), fails to validate the
	    received data size, thus resulting in a buffer overflow issue. It
	    could potentially lead to arbitrary code execution on the host, with
	    privileges of the Qemu process. It requires the guest NIC to have a
	    larger MTU limit.</p>
20156	  <p>A remote user could use this flaw to crash the guest instance
20157	    resulting in DoS or potentially execute arbitrary code on a remote
20158	    host with privileges of the Qemu process.</p>
20159	</blockquote>
20160      </body>
20161    </description>
20162    <references>
20163      <cvename>CVE-2015-7504</cvename>
20164      <cvename>CVE-2015-7512</cvename>
20165      <url>http://www.openwall.com/lists/oss-security/2015/11/30/2</url>
20166      <url>http://www.openwall.com/lists/oss-security/2015/11/30/3</url>
20167      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7</url>
20168      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343</url>
20169      <url>https://github.com/seanbruno/qemu-bsd-user/commit/837f21aacf5a714c23ddaadbbc5212f9b661e3f7</url>
20170      <url>https://github.com/seanbruno/qemu-bsd-user/commit/8b98a2f07175d46c3f7217639bd5e03f2ec56343</url>
20171      <url>http://xenbits.xen.org/xsa/advisory-162.html</url>
20172    </references>
20173    <dates>
20174      <discovery>2015-11-30</discovery>
20175      <entry>2016-01-03</entry>
20176      <modified>2016-01-06</modified>
20177    </dates>
20178  </vuln>
20179
20180  <vuln vid="b56fe6bb-b1b1-11e5-9728-002590263bf5">
20181    <topic>qemu -- denial of service vulnerabilities in eepro100 NIC support</topic>
20182    <affects>
20183      <package>
20184	<name>qemu</name>
20185	<name>qemu-devel</name>
20186	<range><lt>2.5.50</lt></range>
20187      </package>
20188      <package>
20189	<name>qemu-sbruno</name>
20190	<name>qemu-user-static</name>
20191	<range><lt>2.5.50.g20160213</lt></range>
20192      </package>
20193    </affects>
20194    <description>
20195      <body xmlns="http://www.w3.org/1999/xhtml">
20196	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
20197	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/25/3">
20198	  <p>Qemu emulator built with the i8255x (PRO100) emulation support is
20199	    vulnerable to an infinite loop issue. It could occur while
20200	    processing a chain of commands located in the Command Block List
	    (CBL). Each Command Block (CB) points to the next command in the
	    list. An infinite loop unfolds if the link to the next CB points
	    to the same block or there is a closed loop in the chain.</p>
	  <p>A privileged (CAP_SYS_RAWIO) user inside the guest could use this
	    flaw to crash the Qemu instance, resulting in DoS.</p>
20206	</blockquote>
20207      </body>
20208    </description>
20209    <references>
20210      <cvename>CVE-2015-8345</cvename>
20211      <freebsdpr>ports/205813</freebsdpr>
20212      <freebsdpr>ports/205814</freebsdpr>
20213      <url>http://www.openwall.com/lists/oss-security/2015/11/25/3</url>
20214      <url>https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html</url>
20215      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=00837731d254908a841d69298a4f9f077babaf24</url>
20216      <url>https://github.com/seanbruno/qemu-bsd-user/commit/00837731d254908a841d69298a4f9f077babaf24</url>
20217    </references>
20218    <dates>
20219      <discovery>2015-10-16</discovery>
20220      <entry>2016-01-03</entry>
20221      <modified>2016-07-06</modified>
20222    </dates>
20223  </vuln>
20224
20225  <vuln vid="42cbd1e8-b152-11e5-9728-002590263bf5">
20226    <topic>qemu -- denial of service vulnerability in virtio-net support</topic>
20227    <affects>
20228      <package>
20229	<name>qemu</name>
20230	<name>qemu-devel</name>
20231	<range><lt>2.4.1</lt></range>
20232      </package>
20233      <package>
20234	<name>qemu-sbruno</name>
20235	<name>qemu-user-static</name>
20236	<range><lt>2.5.50.g20151224</lt></range>
20237      </package>
20238    </affects>
20239    <description>
20240      <body xmlns="http://www.w3.org/1999/xhtml">
20241	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
20242	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/18/5">
	  <p>Qemu emulator built with the Virtual Network Device (virtio-net)
	    support is vulnerable to a DoS issue. It could occur while receiving
	    large packets over the tuntap/macvtap interfaces and when the guest's
	    virtio-net driver did not support big/mergeable receive buffers.</p>
	  <p>An attacker on the local network could use this flaw to disable
	    the guest's networking by sending a large number of jumbo frames to
	    the guest, exhausting all receive buffers and thus leading to a DoS
	    situation.</p>
20251	</blockquote>
20252      </body>
20253    </description>
20254    <references>
20255      <cvename>CVE-2015-7295</cvename>
20256      <url>http://www.openwall.com/lists/oss-security/2015/09/18/5</url>
20257      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=696317f1895e836d53b670c7b77b7be93302ba08</url>
20258      <url>https://github.com/seanbruno/qemu-bsd-user/commit/0cf33fb6b49a19de32859e2cdc6021334f448fb3</url>
20259    </references>
20260    <dates>
20261      <discovery>2015-09-18</discovery>
20262      <entry>2016-01-02</entry>
20263    </dates>
20264  </vuln>
20265
20266  <vuln vid="6aa3322f-b150-11e5-9728-002590263bf5">
20267    <topic>qemu -- denial of service vulnerabilities in NE2000 NIC support</topic>
20268    <affects>
20269      <package>
20270	<name>qemu</name>
20271	<name>qemu-devel</name>
20272	<range><lt>2.4.0.1</lt></range>
20273      </package>
20274      <package>
20275	<name>qemu-sbruno</name>
20276	<name>qemu-user-static</name>
20277	<range><lt>2.5.50.g20151224</lt></range>
20278      </package>
20279    </affects>
20280    <description>
20281      <body xmlns="http://www.w3.org/1999/xhtml">
20282	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
20283	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/15/2">
20284	  <p>Qemu emulator built with the NE2000 NIC emulation support is
20285	    vulnerable to an infinite loop issue. It could occur when receiving
20286	    packets over the network.</p>
	  <p>A privileged user inside the guest could use this flaw to crash the
	    Qemu instance, resulting in DoS.</p>
20289	</blockquote>
20290	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/15/3">
20291	  <p>Qemu emulator built with the NE2000 NIC emulation support is
20292	    vulnerable to a heap buffer overflow issue. It could occur when
20293	    receiving packets over the network.</p>
	  <p>A privileged user inside the guest could use this flaw to crash the
	    Qemu instance or potentially execute arbitrary code on the host.</p>
20296	</blockquote>
20297      </body>
20298    </description>
20299    <references>
20300      <cvename>CVE-2015-5278</cvename>
20301      <cvename>CVE-2015-5279</cvename>
20302      <url>http://www.openwall.com/lists/oss-security/2015/09/15/2</url>
20303      <url>http://www.openwall.com/lists/oss-security/2015/09/15/3</url>
20304      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=5a1ccdfe44946e726b4c6fda8a4493b3931a68c1</url>
20305      <url>https://github.com/seanbruno/qemu-bsd-user/commit/737d2b3c41d59eb8f94ab7eb419b957938f24943</url>
20306      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755</url>
20307      <url>https://github.com/seanbruno/qemu-bsd-user/commit/9bbdbc66e5765068dce76e9269dce4547afd8ad4</url>
20308    </references>
20309    <dates>
20310      <discovery>2015-09-15</discovery>
20311      <entry>2016-01-02</entry>
20312    </dates>
20313  </vuln>
20314
20315  <vuln vid="bbc97005-b14e-11e5-9728-002590263bf5">
20316    <topic>qemu -- denial of service vulnerability in IDE disk/CD/DVD-ROM emulation</topic>
20317    <affects>
20318      <package>
20319	<name>qemu</name>
20320	<name>qemu-devel</name>
20321	<range><lt>2.4.1</lt></range>
20322      </package>
20323      <package>
20324	<name>qemu-sbruno</name>
20325	<name>qemu-user-static</name>
20326	<range><lt>2.5.50.g20151224</lt></range>
20327      </package>
20328    </affects>
20329    <description>
20330      <body xmlns="http://www.w3.org/1999/xhtml">
20331	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
20332	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/10/1">
	  <p>Qemu emulator built with the IDE disk and CD/DVD-ROM emulation
	    support is vulnerable to a divide by zero issue. It could occur
	    while executing the IDE command WIN_READ_NATIVE_MAX to determine
	    the maximum size of a drive.</p>
	  <p>A privileged user inside the guest could use this flaw to crash the
	    Qemu instance, resulting in DoS.</p>
20339	</blockquote>
20340      </body>
20341    </description>
20342    <references>
20343      <cvename>CVE-2015-6855</cvename>
20344      <url>http://www.openwall.com/lists/oss-security/2015/09/10/1</url>
20345      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=63d761388d6fea994ca498c6e7a210851a99ad93</url>
20346      <url>https://github.com/seanbruno/qemu-bsd-user/commit/d9033e1d3aa666c5071580617a57bd853c5d794a</url>
20347    </references>
20348    <dates>
20349      <discovery>2015-09-09</discovery>
20350      <entry>2016-01-02</entry>
20351    </dates>
20352  </vuln>
20353
20354  <vuln vid="10bf8eed-b14d-11e5-9728-002590263bf5">
20355    <topic>qemu -- denial of service vulnerability in e1000 NIC support</topic>
20356    <affects>
20357      <package>
20358	<name>qemu</name>
20359	<name>qemu-devel</name>
20360	<range><lt>2.4.0.1</lt></range>
20361      </package>
20362      <package>
20363	<name>qemu-sbruno</name>
20364	<name>qemu-user-static</name>
20365	<range><lt>2.5.50.g20151224</lt></range>
20366      </package>
20367    </affects>
20368    <description>
20369      <body xmlns="http://www.w3.org/1999/xhtml">
20370	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
20371	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/04/4">
	  <p>Qemu emulator built with the e1000 NIC emulation support is
	    vulnerable to an infinite loop issue. It could occur while
	    processing transmit descriptor data when sending a network
	    packet.</p>
	  <p>A privileged user inside the guest could use this flaw to crash the
	    Qemu instance, resulting in DoS.</p>
20378	</blockquote>
20379      </body>
20380    </description>
20381    <references>
20382      <cvename>CVE-2015-6815</cvename>
20383      <url>http://www.openwall.com/lists/oss-security/2015/09/04/4</url>
20384      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=3a56af1fbc17ff453f6e90fb08ce0c0e6fd0b61b</url>
20385      <url>https://github.com/seanbruno/qemu-bsd-user/commit/b947ac2bf26479e710489739c465c8af336599e7</url>
20386    </references>
20387    <dates>
20388      <discovery>2015-09-04</discovery>
20389      <entry>2016-01-02</entry>
20390    </dates>
20391  </vuln>
20392
20393  <vuln vid="8a560bcf-b14b-11e5-9728-002590263bf5">
20394    <topic>qemu -- denial of service vulnerability in VNC</topic>
20395    <affects>
20396      <package>
20397	<name>qemu</name>
20398	<name>qemu-devel</name>
20399	<range><lt>2.1.0</lt></range>
20400      </package>
20401      <package>
20402	<name>qemu-sbruno</name>
20403	<name>qemu-user-static</name>
20404	<range><lt>2.2.50.g20141230</lt></range>
20405      </package>
20406    </affects>
20407    <description>
20408      <body xmlns="http://www.w3.org/1999/xhtml">
20409	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
20410	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/02/7">
	  <p>Qemu emulator built with the VNC display driver is vulnerable to an
	    infinite loop issue. It could occur while processing a
	    CLIENT_CUT_TEXT message with a specially crafted payload.</p>
20414	  <p>A privileged guest user could use this flaw to crash the Qemu
20415	    process on the host, resulting in DoS.</p>
20416	</blockquote>
20417      </body>
20418    </description>
20419    <references>
20420      <cvename>CVE-2015-5239</cvename>
20421      <url>http://www.openwall.com/lists/oss-security/2015/09/02/7</url>
20422      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=f9a70e79391f6d7c2a912d785239ee8effc1922d</url>
20423      <url>https://github.com/seanbruno/qemu-bsd-user/commit/f9a70e79391f6d7c2a912d785239ee8effc1922d</url>
20424    </references>
20425    <dates>
20426      <discovery>2014-06-30</discovery>
20427      <entry>2016-01-02</entry>
20428    </dates>
20429  </vuln>
20430
20431  <vuln vid="2b3b4c27-b0c7-11e5-8d13-bc5ff45d0f28">
20432    <topic>qemu -- buffer overflow vulnerability in VNC</topic>
20433    <affects>
20434      <package>
20435	<name>qemu</name>
20436	<name>qemu-devel</name>
20437	<range><lt>2.4.0.1</lt></range>
20438      </package>
20439      <package>
20440	<name>qemu-sbruno</name>
20441	<name>qemu-user-static</name>
20442	<range><lt>2.4.50.g20151011</lt></range>
20443      </package>
20444    </affects>
20445    <description>
20446      <body xmlns="http://www.w3.org/1999/xhtml">
20447	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
20448	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/08/21/6">
20449	  <p>Qemu emulator built with the VNC display driver support is
20450	    vulnerable to a buffer overflow flaw leading to a heap memory
20451	    corruption issue. It could occur while refreshing the server
20452	    display surface via routine vnc_refresh_server_surface().</p>
20453	  <p>A privileged guest user could use this flaw to corrupt the heap
20454	    memory and crash the Qemu process instance OR potentially use it
20455	    to execute arbitrary code on the host.</p>
20456	</blockquote>
20457      </body>
20458    </description>
20459    <references>
20460      <cvename>CVE-2015-5225</cvename>
20461      <url>http://www.openwall.com/lists/oss-security/2015/08/21/6</url>
20462      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=efec4dcd2552e85ed57f276b58f09fc385727450</url>
20463      <url>https://github.com/seanbruno/qemu-bsd-user/commit/eb8934b0418b3b1d125edddc4fc334a54334a49b</url>
20464    </references>
20465    <dates>
20466      <discovery>2015-08-17</discovery>
20467      <entry>2016-01-01</entry>
20468    </dates>
20469  </vuln>
20470
20471  <vuln vid="21e5abe3-b0c6-11e5-8d13-bc5ff45d0f28">
20472    <topic>qemu -- buffer overflow vulnerability in virtio-serial message exchanges</topic>
20473    <affects>
20474      <package>
20475	<name>qemu</name>
20476	<name>qemu-devel</name>
20477	<range><lt>2.4.0</lt></range>
20478      </package>
20479      <package>
20480	<name>qemu-sbruno</name>
20481	<name>qemu-user-static</name>
20482	<range><lt>2.4.50.g20150814</lt></range>
20483      </package>
20484    </affects>
20485    <description>
20486      <body xmlns="http://www.w3.org/1999/xhtml">
20487	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
20488	<blockquote cite="http://www.openwall.com/lists/oss-security/2015/08/06/3">
20489	  <p>Qemu emulator built with the virtio-serial vmchannel support is
20490	    vulnerable to a buffer overflow issue. It could occur while
20491	    exchanging virtio control messages between guest and the host.</p>
	  <p>A malicious guest could use this flaw to corrupt a few bytes of the
	    Qemu memory area, potentially crashing the Qemu process.</p>
20494	</blockquote>
20495      </body>
20496    </description>
20497    <references>
20498      <cvename>CVE-2015-5745</cvename>
20499      <url>http://www.openwall.com/lists/oss-security/2015/08/06/5</url>
20500      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=7882080388be5088e72c425b02223c02e6cb4295</url>
20501      <url>https://github.com/seanbruno/qemu-bsd-user/commit/7882080388be5088e72c425b02223c02e6cb4295</url>
20502    </references>
20503    <dates>
20504      <discovery>2015-08-06</discovery>
20505      <entry>2016-01-01</entry>
20506    </dates>
20507  </vuln>
20508
20509  <vuln vid="a267cd6c-b0c4-11e5-8d13-bc5ff45d0f28">
20510    <topic>qemu -- stack buffer overflow while parsing SCSI commands</topic>
20511    <affects>
20512      <package>
20513	<name>qemu</name>
20514	<name>qemu-devel</name>
20515	<range><lt>2.4.0</lt></range>
20516      </package>
20517      <package>
20518	<name>qemu-sbruno</name>
20519	<name>qemu-user-static</name>
20520	<range><lt>2.4.50.g20150814</lt></range>
20521      </package>
20522    </affects>
20523    <description>
20524      <body xmlns="http://www.w3.org/1999/xhtml">
20525	<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
20526	<blockquote cite="http://openwall.com/lists/oss-security/2015/07/23/6">
20527	  <p>Qemu emulator built with the SCSI device emulation support is
20528	    vulnerable to a stack buffer overflow issue. It could occur while
20529	    parsing SCSI command descriptor block with an invalid operation
20530	    code.</p>
20531	  <p>A privileged (CAP_SYS_RAWIO) user inside the guest could use this flaw
20532	    to crash the Qemu instance resulting in DoS.</p>
20533	</blockquote>
20534      </body>
20535    </description>
20536    <references>
20537      <cvename>CVE-2015-5158</cvename>
20538      <url>http://openwall.com/lists/oss-security/2015/07/23/6</url>
20539      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=c170aad8b057223b1139d72e5ce7acceafab4fa9</url>
20540      <url>https://github.com/seanbruno/qemu-bsd-user/commit/c170aad8b057223b1139d72e5ce7acceafab4fa9</url>
20541    </references>
20542    <dates>
20543      <discovery>2015-07-23</discovery>
20544      <entry>2016-01-01</entry>
20545    </dates>
20546  </vuln>
20547
20548  <vuln vid="aea8d90e-b0c1-11e5-8d13-bc5ff45d0f28">
20549    <topic>qemu -- code execution on host machine</topic>
20550    <affects>
20551      <package>
20552	<name>qemu</name>
20553	<name>qemu-devel</name>
20554	<range><lt>2.4.0</lt></range>
20555      </package>
20556      <package>
20557	<name>qemu-sbruno</name>
20558	<name>qemu-user-static</name>
20559	<range><lt>2.4.50.g20150814</lt></range>
20560      </package>
20561    </affects>
20562    <description>
20563      <body xmlns="http://www.w3.org/1999/xhtml">
20564	<p>Petr Matousek of Red Hat Inc. reports:</p>
20565	<blockquote cite="http://openwall.com/lists/oss-security/2015/06/17/5">
20566	  <p>Due to converting PIO to the new memory read/write api we no longer
20567	    provide separate I/O region lengths for read and write operations.
20568	    As a result, reading from PIT Mode/Command register will end with
20569	    accessing pit-&gt;channels with invalid index and potentially cause
20570	    memory corruption and/or minor information leak.</p>
20571	  <p>A privileged guest user in a guest with QEMU PIT emulation enabled
20572	    could potentially (though unlikely) use this flaw to execute
20573	    arbitrary code on the host with the privileges of the hosting QEMU
20574	    process.</p>
20575	  <p>Please note that by default QEMU/KVM guests use in-kernel (KVM) PIT
20576	    emulation and are thus not vulnerable to this issue.</p>
20577	</blockquote>
20578      </body>
20579    </description>
20580    <references>
20581      <cvename>CVE-2015-3214</cvename>
20582      <url>http://openwall.com/lists/oss-security/2015/06/17/5</url>
20583      <url>http://git.qemu.org/?p=qemu.git;a=commit;h=d4862a87e31a51de9eb260f25c9e99a75efe3235</url>
20584      <url>https://github.com/seanbruno/qemu-bsd-user/commit/d4862a87e31a51de9eb260f25c9e99a75efe3235</url>
20585    </references>
20586    <dates>
20587      <discovery>2015-06-17</discovery>
20588      <entry>2016-01-01</entry>
20589    </dates>
20590  </vuln>
20591