gitea -- multiple vulnerabilities gitea 1.13.1

The Gitea Team reports for release 1.13.1:

  • Hide private participation in Orgs
  • Fix escaping issue in diff
https://github.com/go-gitea/gitea/releases/tag/v1.13.1 ports/252310 2020-12-15 2020-12-31
InspIRCd websocket module double free vulnerability inspircd 3.8.1

The InspIRCd development team reports:

The websocket module before v3.8.1 contains a double free vulnerability. When combined with a HTTP reverse proxy this vulnerability can be used by any user who is [GKZ]-lined to remotely crash an InspIRCd server.

https://docs.inspircd.org/security/2020-02/ 2020-02-01 2021-01-01
Intel CPU issues devcpu-data 1.31

Intel reports:

Intel CPUs suffer Special Register Buffer Data Sampling vulnerability

https://software.intel.com/security-software-guidance/insights/processors-affected-special-register-buffer-data-sampling CVE-2020-0543 2020-06-09 2020-12-28
asterisk -- Remote crash in res_pjsip_diversion asterisk13 13.38.1 asterisk16 16.15.1 asterisk18 18.1.1

The Asterisk project reports:

AST-2020-003: A crash can occur in Asterisk when a SIP message is received that has a History-Info header, which contains a tel-uri.

AST-2020-004: A crash can occur in Asterisk when a SIP 181 response is received that has a Diversion header, which contains a tel-uri.

https://downloads.asterisk.org/pub/security/AST-2020-003.html https://downloads.asterisk.org/pub/security/AST-2020-004.html 2020-12-02 2020-12-22
postsrsd -- Denial of service vulnerability postsrsd 1.10

postsrsd developer reports:

PostSRSd could be tricked into consuming a lot of CPU time with an SRS address that has an excessively long time stamp tag.

CVE-2020-35573 https://github.com/roehling/postsrsd/commit/4733fb11f6bec6524bb8518c5e1a699288c26bac https://github.com/roehling/postsrsd/releases/tag/1.10 2020-12-12 2020-12-21
powerdns -- Various issues in GSS-TSIG support powerdns 4.4.0

PowerDNS developers report:

A remote, unauthenticated attacker can trigger a race condition leading to a crash, or possibly arbitrary code execution, by sending crafted queries with a GSS-TSIG signature.

A remote, unauthenticated attacker can cause a denial of service by sending crafted queries with a GSS-TSIG signature.

A remote, unauthenticated attacker might be able to cause a double-free, leading to a crash or possibly arbitrary code execution by sending crafted queries with a GSS-TSIG signature.

CVE-2020-24696 CVE-2020-24697 CVE-2020-24698 https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-06.html 2020-08-27 2020-12-21
vault -- User Enumeration via LDAP auth vault 1.6.1

Vault developers report:

Vault allowed enumeration of users via the LDAP auth method. This vulnerability, was fixed in Vault 1.6.1 and 1.5.6.

An external party reported that they were able to enumerate LDAP users via error messages returned by Vault’s LDAP auth method

CVE-2020-35177 https://discuss.hashicorp.com/t/hcsec-2020-25-vault-s-ldap-auth-method-allows-user-enumeration/18984 2020-12-16 2020-12-17
jasper -- heap overflow vulnerability jasper 2.0.23

JasPer NEWS:

Fix CVE-2020-27828, heap-overflow in cp_create() in jpc_enc.c.

CVE-2020-27828 https://github.com/jasper-software/jasper/blob/master/NEWS https://github.com/jasper-software/jasper/issues/252 2020-12-08 2020-12-13
py-matrix-synapse -- DoS on Federation API py36-matrix-synapse py37-matrix-synapse py38-matrix-synapse py39-matrix-synapse 1.23.1

Matrix developers reports:

A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a /send_join, /send_leave, /invite or /exchange_third_party_invite request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers.

CVE-2020-26257 https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm ports/251768 2020-12-09 2020-12-13
p11-kit -- Multiple vulnerabilities p11-kit 0.23.22

The p11-glue project reports:

CVE-2020-29363: Out-of-bounds write in p11_rpc_buffer_get_byte_array_value function
A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value.

CVE-2020-29362: Out-of-bounds read in p11_rpc_buffer_get_byte_array function
A heap-based buffer over-read has been discovered in the RPC protocol used by thep11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.

CVE-2020-29361: Integer overflow when allocating memory for arrays of attributes and object identifiers
Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.

https://lists.freedesktop.org/archives/p11-glue/2020-December/000712.html CVE-2020-29361 CVE-2020-29362 CVE-2020-29363 2020-12-12 2020-12-12
Unbound/NSD -- Denial of service vulnerability unbound 1.13.0 nsd 4.3.4

NLNetLabs reports:

Unbound and NSD when writing the PID file would not check if an existing file was a symlink. This could allow for a local symlink \ attack if an attacker has access to the user Unbound/NSD runs as.

https://nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt CVE-2020-28935 2020-12-01 2020-12-12
LibreSSL -- NULL pointer dereference libressl 3.2.03.2.3 3.1.5 libressl-devel 3.3.1

The LibreSSL project reports:

Malformed ASN.1 in a certificate revocation list or a timestamp response token can lead to a NULL pointer dereference.

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.3-relnotes.txt 2020-12-08 2020-12-11 2020-12-12
glpi -- Public GLPIKEY can be used to decrypt any data glpi 9.4.6,1

MITRE Corporation reports:

GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. Problem is we can not know which columns or rows in the database are using that; espcially from plugins. Changing the key without updating data would lend in bad password sent from glpi; but storing them again from the UI will work.

https://github.com/glpi-project/glpi/security/advisories/GHSA-j222-j9mf-h6j9 https://github.com/glpi-project/glpi/commit/efd14468c92c4da43333aa9735e65fd20cbc7c6c CVE-2020-5248 2020-01-02 2020-01-02 2024-04-25
glpi -- Insecure Direct Object Reference on ajax/getDropdownValue.php glpi 9.5.3,1

MITRE Corporation reports:

In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).

https://github.com/glpi-project/glpi/security/advisories/GHSA-pqfv-4pvr-55r4 CVE-2020-27663 2020-10-22 2020-10-22 2024-04-25
glpi -- Insecure Direct Object Reference on ajax/comments.ph glpi 9.5.3,1

MITRE Corporation reports:

In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).

https://github.com/glpi-project/glpi/security/advisories/GHSA-wq38-gwxp-8p5p CVE-2020-27662 2020-10-22 2020-10-22 2024-04-25
glpi -- Any CalDAV calendars is read-only for every authenticated user glpi 9.5.0,19.5.3,1

MITRE Corporation reports:

In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. This issue is fixed in version 9.5.3. As a workaround, one can remove the caldav.php file to block access to CalDAV server.

https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7 https://github.com/glpi-project/glpi/releases/tag/9.5.3 CVE-2020-26212 2020-10-01 2020-10-01 2024-04-25
glpi -- SQL Injection in Search API glpi 9.1,19.5.2,1

MITRE Corporation reports:

In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory.

https://github.com/glpi-project/glpi/commit/3dc4475c56b241ad659cc5c7cb5fb65727409cf0 https://github.com/glpi-project/glpi/security/advisories/GHSA-jwpv-7m4h-5gvc CVE-2020-15226 2020-06-25 2020-06-25 2024-04-25
glpi -- leakage issue with knowledge base glpi 9.5.0,19.5.2,1

MITRE Corporation reports:

In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.

https://github.com/glpi-project/glpi/commit/39e25591efddc560e3679ab07e443ee6198705e2 https://github.com/glpi-project/glpi/security/advisories/GHSA-x9hg-j29f-wvvv CVE-2020-15217 2020-06-25 2020-06-25 2024-04-25
glpi -- Unauthenticated Stored XSS glpi 9.5.2,1

MITRE Corporation reports:

In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection Since authentication is not required to perform these changes,anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.

https://github.com/glpi-project/glpi/commit/a8109d4ee970a222faf48cf48fae2d2f06465796 https://github.com/glpi-project/glpi/security/advisories/GHSA-prvh-9m4h-4m79 CVE-2020-15177 2020-06-25 2020-06-25 2024-04-25
glpi -- Multiple SQL Injections Stemming From isNameQuoted() glpi 9.5.2,1

MITRE Corporation reports:

In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2

https://github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf32575 https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qw CVE-2020-15176 2020-06-25 2020-06-25 2024-04-25
glpi -- Unauthenticated File Deletion glpi 9.5.2,1

MITRE Corporation reports:

In GLPI before version 9.5.2, the pluginimage.send.php endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in /files/. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2.

https://github.com/glpi-project/glpi/security/advisories/GHSA-rm52-jx9h-rwcp https://github.com/glpi-project/glpi/commit/6ca9a0e77299a755c356d758344a23278df67f65 CVE-2020-15175 2020-06-25 2020-06-25 2024-04-25
glpi -- SQL injection for all usages of "Clone" feature glpi 9.5.0,19.5.1,1

MITRE Corporation reports:

In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1.

https://github.com/glpi-project/glpi/security/advisories/GHSA-qv6w-68gq-wx2v https://github.com/glpi-project/glpi/commit/a4baa64114eb92fd2adf6056a36e0582324414ba https://github.com/glpi-project/glpi/pull/6684 CVE-2020-15108 2020-06-25 2020-06-25 2024-04-25
glpi -- Reflexive XSS in Dropdown menus glpi 9.4.6,1

MITRE Corporation reports:

In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.

https://github.com/glpi-project/glpi/security/advisories/GHSA-3xxh-f5p2-jg3h https://github.com/glpi-project/glpi/commit/5e1c52c5e8a30ceb4e9572964da7ed89ddfb1aaf CVE-2020-11062 2020-03-30 2020-03-30 2024-04-25
glpi -- Remote Code Execution (RCE) via the backup functionality glpi 9.4.6,1

MITRE Corporation reports:

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320c CVE-2020-11060 2020-03-30 2020-03-30 2024-04-25
glpi -- multiple related stored XSS vulnerabilities glpi 9.4.6,1

MITRE Corporation reports:

In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "alert(1)" reproduces the attack. This can be exploited by a user with administrator privileges in the User-Agent field. It can also be exploited by an outside party through the following steps: 1. Create a user with the surname `" onmouseover="alert(document.cookie)` and an empty first name. 2. With this user, create a ticket 3. As an administrator (or other privileged user) open the created ticket 4. On the "last update" field, put your mouse on the name of the user 5. The XSS fires This is fixed in version 9.4.6.

https://github.com/glpi-project/glpi/security/advisories/GHSA-3g3h-rwhr-7385 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/ CVE-2020-11036 2020-03-30 2020-03-30 2024-04-25
glpi -- weak csrf tokens glpi 0.83.3,19.4.6,1

MITRE Corporation reports:

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.

https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/ CVE-2020-11035 2020-03-30 2020-03-30 2024-04-25
glpi -- bypass of the open redirect protection glpi 9.4.6,1

MITRE Corporation reports:

In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.

https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/ CVE-2020-11034 2020-03-30 2020-03-30 2024-04-25
glpi -- able to read any token through API user endpoint glpi 9.1,19.4.6,1

MITRE Corporation reports:

In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled, a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6.

https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/ CVE-2020-11033 2020-03-30 2020-03-30 2024-04-25
glpi -- SQL injection for all helpdesk instances glpi 9.4.6,1

MITRE Corporation reports:

In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. Exploiting this vulnerability requires a technician account. This is fixed in version 9.4.6.

https://github.com/glpi-project/glpi/security/advisories/GHSA-344w-34h9-wwhh CVE-2020-11032 2020-03-30 2020-03-30 2024-04-25
glpi -- Improve encryption algorithm glpi 9.5.0,1

MITRE Corporation reports:

In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium.

https://github.com/glpi-project/glpi/security/advisories/GHSA-7xwm-4vjr-jvqh https://github.com/glpi-project/glpi/commit/f1ae6c8481e5c19a6f1801a5548cada45702e01a#diff-b5d0ee8c97c7abd7e3fa29b9a27d1780 https://github.com/glpi-project/glpi/commit/f1ae6c8481e5c19a6f1801a5548cada45702e01a#diff-b5d0ee8c97c7abd7e3fa29b9a27d1780 CVE-2020-11031 2020-03-30 2020-03-30 2024-04-25
glpi -- Account takeover vulnerability glpi 9.4.4,1

MITRE Corporation reports:

GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of admin account. This vulnerability could be also abused to obtain other sensitive fields like API keys or password hashes.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14666 https://github.com/glpi-project/glpi/security/advisories/GHSA-47hq-pfrr-jh5q https://www.tarlogic.com/advisories/Tarlogic-2019-GPLI-Account-Takeover.txt CVE-2019-14666 2019-08-05 2019-08-05 2024-04-25
cURL -- Multiple vulnerabilities curl 4.07.74.0

The cURL project reports:

Trusting FTP PASV responses (CVE-2020-8284)

FTP wildcard stack overflow (CVE-2020-8285)

Inferior OCSP verification (CVE-2020-8286)

https://curl.se/docs/security.html CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 2020-12-09 2020-12-09
OpenSSL -- NULL pointer de-reference openssl 1.0.2,11.1.1i,1 FreeBSD 12.212.2_2 12.112.1_12 11.411.4_6

The OpenSSL project reports:

EDIPARTYNAME NULL pointer de-reference (High)

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.

https://www.openssl.org/news/secadv/20201208.txt CVE-2020-1971 SA-20:33.openssl 2020-12-08 2020-12-08 2020-12-15
Gitlab -- Multiple vulnerabilities gitlab-ce 13.6.013.6.2 13.5.013.5.5 12.213.4.9

Gitlab reports:

XSS in Zoom Meeting URL

Limited Information Disclosure in Private Profile

User email exposed via GraphQL endpoint

Group and project membership potentially exposed via GraphQL

Search terms logged in search parameter in rails logs

Un-authorised access to feature flag user list

A specific query on the explore page causes statement timeouts

Exposure of starred projects on private user profiles

Uncontrolled Resource Consumption in any Markdown field using Mermaid

Former group members able to view updates to confidential epics

Update GraphicsMagick dependency

Update GnuPG dependency

Update libxml dependency

https://about.gitlab.com/releases/2020/12/07/security-release-gitlab-13-6-2-released/ CVE-2020-26407 CVE-2020-26408 CVE-2020-13357 CVE-2020-26411 CVE-2020-26409 2020-12-07 2020-12-07
consul -- Fix Consul Connect CA private key configuration consul 1.9.0

Hashicorp reports:

Increase the permissions to read from the /connect/ca/configuration endpoint to operator:write. Previously Connect CA configuration, including the private key, set via this endpoint could be read back by an operator with operator:read privileges.

https://github.com/hashicorp/consul/blob/master/CHANGELOG.md CVE-2020-28053 2020-11-02 2020-12-06
chromium -- multiple vulnerabilities chromium 87.0.4280.88

Chrome Releases reports:

This release contains 8 security fixes, including:

  • [1142331] High CVE-2020-16037: Use after free in clipboard. Reported by Ryoya Tsukasaki on 2020-10-26
  • [1138683] High CVE-2020-16038: Use after free in media. Reported by Khalil Zhani on 2020-10-14
  • [1149177] High CVE-2020-16039: Use after free in extensions. Reported by Anonymous on 2020-11-15
  • [1150649] High CVE-2020-16040: Insufficient data validation in V8. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-11-19
  • [1151865] Medium CVE-2020-16041: Out of bounds read in networking. Reported by Sergei Glazunov and Mark Brand of Google Project Zero on 2020-11-23
  • [1151890] Medium CVE-2020-16042: Uninitialized Use in V8. Reported by André Bargull on 2020-11-2
CVE-2020-16037 CVE-2020-16038 CVE-2020-16039 CVE-2020-16040 CVE-2020-16041 CVE-2020-16042 https://chromereleases.googleblog.com/2020/12/stable-channel-update-for-desktop.html 2020-12-02 2020-12-05
gitea -- multiple vulnerabilities gitea 1.13.0

The Gitea Team reports for release 1.13.0:

  • Add Allow-/Block-List for Migrate and Mirrors
  • Prevent git operations for inactive users
  • Disallow urlencoded new lines in git protocol paths if there is a port
  • Mitigate Security vulnerability in the git hook feature
  • Disable DSA ssh keys by default
  • Set TLS minimum version to 1.2
  • Use argon as default password hash algorithm
  • Escape failed highlighted files
https://github.com/go-gitea/gitea/releases/tag/v1.13.0 ports/251577 2020-12-01 2020-12-04
FreeBSD -- Multiple vulnerabilities in rtsold FreeBSD 12.212.2_1 12.112.1_11 11.411.4_5

Problem Description:

Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling. First, rtsold(8) failed to perform sufficient bounds checking on the extent of the option. In particular, it does not verify that the option does not extend past the end of the received packet before processing its contents. The kernel currently ignores such malformed packets but still passes them to userspace programs.

Second, when processing a DNSSL option, rtsold(8) decodes domain name labels per an encoding specified in RFC 1035 in which the first octet of each label contains the label's length. rtsold(8) did not validate label lengths correctly and could overflow the destination buffer.

Impact:

It is believed that these bugs could be exploited to gain remote code execution within the rtsold(8) daemon, which runs as root. Note that rtsold(8) only processes messages received from hosts attached to the same physical link as the interface(s) on which rtsold(8) is listening.

In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the scope of a compromised rtsold(8) process.

CVE-2020-25577 SA-20:32.rtsold 2020-12-01 2020-12-02
FreeBSD -- ICMPv6 use-after-free in error message handling FreeBSD-kernel 12.212.2_1 12.112.1_11 11.411.4_5

Problem Description:

When an ICMPv6 error message is received, the FreeBSD ICMPv6 stack may extract information from the message to hand to upper-layer protocols. As a part of this operation, it may parse IPv6 header options from a packet embedded in the ICMPv6 message.

The handler for a routing option caches a pointer into the packet buffer holding the ICMPv6 message. However, when processing subsequent options the packet buffer may be freed, rendering the cached pointer invalid. The network stack may later dereference the pointer, potentially triggering a use-after-free.

Impact:

A remote host may be able to trigger a read of freed kernel memory. This may trigger a kernel panic if the address had been unmapped.

CVE-2020-7469 SA-20:31.icmp6 2020-12-01 2020-12-02
xorg-server -- Multiple input validation failures in X server XKB extension xorg-server 1.20.9_1,1 xephyr 1.20.9_1,1 xorg-vfbserver 1.20.9_1,1 xorg-nestserver 1.20.9_1,1 xwayland 1.20.9_2,1 xorg-dmx 1.20.9_1,1

The X.org project reports:

These issues can lead to privileges elevations for authorized clients on systems where the X server is running privileged.

Insufficient checks on the lengths of the XkbSetMap request can lead to out of bounds memory accesses in the X server.

Insufficient checks on input of the XkbSetDeviceInfo request can lead to a buffer overflow on the head in the X server.

https://lists.x.org/archives/xorg-announce/2020-December/003066.html CVE-2020-14360 CVE-2020-25712 2020-12-01 2020-12-01
nomad -- multiple vulnerabilities nomad 0.12.6

The HashiCorp team reports:

  • artifact: Fixed a bug where interpolation can be used in the artifact destination field to write artifact payloads outside the allocation directory.
  • template: Fixed a bug where interpolation can be used in the template source and destination fields to read or write files outside the allocation directory even when disable_file_sandbox was set to false (the default).
  • template: Fixed a bug where the disable_file_sandbox configuration was only respected for the template file function and not the template source and destination fields.
https://github.com/hashicorp/nomad/blob/master/CHANGELOG.md CVE-2020-27195 2020-10-21 2020-11-27
gitea -- multiple vulnerabilities gitea 1.12.6

The Gitea Team reports for release 1.12.6:

  • Prevent git operations for inactive users
  • Disallow urlencoded new lines in git protocol paths if there is a port
Disallow urlencoded new lines in git protocol paths if there is a port ports/251296 2020-11-16 2020-11-21
Node.js -- November 2020 Security Releases node 15.2.1 node14 14.15.1 node12 12.19.1

Node.js reports:

Updates are now available for v12.x, v14.x and v15.x Node.js release lines for the following issues.

Denial of Service through DNS request (CVE-2020-8277)

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of service by getting the application to resolve a DNS record with a larger number of responses.

https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/ CVE-2020-8277 2020-11-16 2020-11-21
mutt -- authentication credentials being sent over an unencrypted connection mutt 2.0.2

Kevin J. McCarthy reports:

Mutt had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS.

CVE-2020-28896 https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a 2020-11-20 2020-11-20
mozjpeg -- heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file mozjpeg 4.0.0

NIST reports:

  • Heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.
CVE-2020-13790 https://nvd.nist.gov/vuln/detail/CVE-2020-13790 2020-06-03 2020-10-10
libjpeg-turbo -- Issue in the PPM reader causing a buffer overrun in cjpeg, TJBench, or the tjLoadImage() function. libjpeg-turbo 2.0.4

libjpeg-turbo releases reports:

This release fixes the following security issue:

  • Heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.
CVE-2020-13790 https://nvd.nist.gov/vuln/detail/CVE-2020-13790 2020-06-03 2020-10-10
mantis -- multiple vulnerabilities mantis-php72 mantis-php73 mantis-php74 mantis-php80 2.24.3,1

Mantis 2.24.3 release reports:

This release fixes 3 security issues:

  • 0027039: CVE-2020-25781: Access to private bug note attachments
  • 0027275: CVE-2020-25288: HTML Injection on bug_update_page.php
  • 0027304: CVE-2020-25830: HTML Injection in bug_actiongroup_page.php
ports/251141 CVE-2020-25781 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25781 CVE-2020-25288 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25288 CVE-2020-25830 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25830 2020-09-13 2020-11-14 2020-11-15
go -- math/big: panic during recursive division of very large numbers; cmd/go: arbitrary code execution at build time through cgo go 1.15.5,1

The Go project reports:

A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat methods are similarly affected.

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by a malicious gcc flags specified via a #cgo directive.

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious unquoted symbol names.

CVE-2020-28362 https://github.com/golang/go/issues/42552 CVE-2020-28367 https://github.com/golang/go/issues/42556 CVE-2020-28366 https://github.com/golang/go/issues/42559 2020-11-09 2020-11-12
salt -- multiple vulnerabilities py36-salt py37-salt py38-salt 30023002.1

SaltStack reports multiple security vulnerabilities in Salt 3002:

  • CVE-2020-16846: Prevent shell injections in netapi ssh client.
  • CVE-2020-17490: Prevent creating world readable private keys with the tls execution module.
  • CVE-2020-25592: Properly validate eauth credentials and tokens along with their ACLs. Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api. Any value for 'eauth' or 'token' would allow a user to bypass authentication and make calls to Salt ssh.
https://docs.saltstack.com/en/latest/topics/releases/3002.1.html CVE-2020-16846 https://nvd.nist.gov/vuln/detail/CVE-2020-16846 CVE-2020-17490 https://nvd.nist.gov/vuln/detail/CVE-2020-17490 CVE-2020-25592 https://nvd.nist.gov/vuln/detail/CVE-2020-25592 2020-11-06 2020-11-12
Apache OpenOffice -- Unrestricted actions leads to arbitrary code execution in crafted documents apache-openoffice 4.1.8 apache-openoffice-devel 4.2.1602022694,4

The Apache Openofffice project reports:

CVE-2020-13958 Unrestricted actions leads to arbitrary code execution in crafted documents

Description

A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target users file system. These hyperlinks can be triggered unconditionally. In fixed versions no internal protocol may be called from the document event handler and other hyperlinks require a control-click.

Severity: Low

There are no known exploits of this vulnerability.
A proof-of-concept demonstration exists.

Thanks to the reporter for discovering this issue.

Acknowledgments

The Apache OpenOffice Security Team would like to thank Imre Rad for discovering and reporting this attack vector.

https://www.openoffice.org/security/cves/CVE-2020-13958.html CVE-2020-13958 2020-04-28 2020-11-10
raptor2 -- buffer overflow raptor2 2.0.15_16

CVE MITRE reports:

raptor_xml_writer_start_element_common in raptor_xml_writer.c in Raptor RDF Syntax Library 2.0.15 miscalculates the maximum nspace declarations for the XML writer, leading to heap-based buffer overflows (sometimes seen in raptor_qname_format_as_xml).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18926 https://github.com/LibreOffice/core/blob/master/external/redland/raptor/0001-Calcualte-max-nspace-declarations-correctly-for-XML-.patch.1 CVE-2017-18926 2017-04-16 2020-11-09
jupyter notebook -- open redirect vulnerability py37-notebook py38-notebook py39-notebook 6.1.5

Jupyter reports:

6.1.5 is a security release, fixing one vulnerability: Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned)

https://jupyter-notebook.readthedocs.io/en/stable/changelog.html#release-6-1-5 https://github.com/jupyter/notebook/blob/6.1.5/docs/source/changelog.rst 2020-10-15 2020-11-08
asterisk -- Outbound INVITE loop on challenge with different nonce asterisk13 13.37.1 asterisk16 16.14.1 asterisk18 18.0.1

The Asterisk project reports:

If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.

https://downloads.asterisk.org/pub/security/AST-2020-002.html 2020-11-05 2020-11-05
asterisk -- Remote crash in res_pjsip_session asterisk13 13.37.1 asterisk16 16.14.1 asterisk18 18.0.1

The Asterisk project reports:

Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the creation of the dialog object, and its next use by the thread that created it. Depending upon some off nominal circumstances, and timing it was possible for another thread to free said dialog in this gap. Asterisk could then crash when the dialog object, or any of its dependent objects were de-referenced, or accessed next by the initial creation thread.

https://downloads.asterisk.org/pub/security/AST-2020-001.html 2020-11-05 2020-11-05
chromium -- multiple vulnerabilities chromium 86.0.4240.183

Chrome Releases reports:

This release contains 10 security fixes, including:

  • [1138911] High CVE-2020-16004: Use after free in user interface. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-10-15
  • [1139398] High CVE-2020-16005: Insufficient policy enforcement in ANGLE. Reported by Jaehun Jeong (@n3sk) of Theori on 2020-10-16
  • [1133527] High CVE-2020-16006: Inappropriate implementation in V8. Reported by Bill Parks on 2020-09-29
  • [1125018] High CVE-2020-16007: Insufficient data validation in installer. Reported by Abdelhamid Naceri (halov) on 2020-09-04
  • [1134107] High CVE-2020-16008: Stack buffer overflow in WebRTC. Reported by Tolya Korniltsev on 2020-10-01
  • [1143772] High CVE-2020-16009: Inappropriate implementation in V8. Reported by Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of Google Project Zero on 2020-10-29
  • [1144489] High CVE-2020-16011: Heap buffer overflow in UI on Windows. Reported by Sergei Glazunov of Google Project Zero on 2020-11-01

There are reports that an exploit for CVE-2020-16009 exists in the wild.

CVE-2020-16004 CVE-2020-16005 CVE-2020-16006 CVE-2020-16007 CVE-2020-16008 CVE-2020-16009 CVE-2020-16011 https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html 2020-11-02 2020-11-03
Gitlab -- Multiple vulnerabilities gitlab-ce 13.5.013.5.2 13.4.013.4.5 8.8.913.3.9

Gitlab reports:

Path Traversal in LFS Upload

Path traversal allows saving packages in arbitrary location

Kubernetes agent API leaks private repos

Terraform state deletion API exposes object storage URL

Stored-XSS in error message of build-dependencies

Git credentials persisted on disk

Potential Denial of service via container registry

Info leak when group is transferred from private to public group

Limited File Disclosure Via Multipart Bypass

Unauthorized user is able to access scheduled pipeline variables and values

CSRF in runner administration page allows an attacker to pause/resume runners

Regex backtracking attack in path parsing of Advanced Search result

Bypass of required CODEOWNERS approval

SAST CiConfiguration information visible without permissions

https://about.gitlab.com/releases/2020/11/02/security-release-gitlab-13-5-2-released/ CVE-2020-13355 CVE-2020-26405 CVE-2020-13358 CVE-2020-13359 CVE-2020-13340 CVE-2020-13353 CVE-2020-13354 CVE-2020-13352 CVE-2020-13356 CVE-2020-13351 CVE-2020-13350 CVE-2020-13349 CVE-2020-13348 2020-11-02 2020-11-02
wordpress -- multiple issues wordpress fr-wordpress 5.5.2,1 de-wordpress zh_CN-wordpress zh_TW-wordpress ja-wordpress ru-wordpress 5.5.2

wordpress developers reports:

Ten security issues affect WordPress versions 5.5.1 and earlier. If you havent yet updated to 5.5, all WordPress versions since 3.7 have also been updated to fix the following security issues: -Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests. -Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network. -Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables. -Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC. -Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE. -Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs. -Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.

https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ 2020-10-29 2020-11-02
samba -- Multiple Vulnerabilities samba410 4.10.18 samba411 4.11.15 samba412 4.12.9 samba413 4.13.1

The Samba Team reports:

  • CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify
  • CVE-2020-14323: Unprivileged user can crash winbind
  • CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records
https://www.samba.org/samba/security/CVE-2020-14318.html https://www.samba.org/samba/security/CVE-2020-14323.html https://www.samba.org/samba/security/CVE-2020-14383.html CVE-2020-14318 CVE-2020-14323 CVE-2020-14383 2020-10-29 2020-10-30
tmux -- stack overflow in CSI parsing tmux 3.1c

Nicholas Marriott reports:

tmux has a stack overflow in CSI parsing.

https://groups.google.com/g/tmux-users/c/DGfmsD9CM00/m/Six6uZG0AQAJ https://marc.info/?l=openbsd-announce&m=160399126725142&w=2 2020-10-29 2020-10-30
motion -- Denial of Service motion 3.24.3.1

cxsecurity.com reports:

A Denial of Service condition in Motion-Project Motion 3.2 through 4.3.1 allows remote unauthenticated users to cause a webu.c segmentation fault and kill the main process via a crafted HTTP request

https://cve-search.iicrai.org/cve/CVE-2020-26566 2020-10-05 2020-10-28
freetype2 -- heap buffer overlfow freetype2 2.10.4

The freetype project reports:

A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6.

https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/ CVE-2020-15999 2020-10-20 2020-10-22
MySQL -- Multiple vulnerabilities mariadb103-server 10.3.26 mariadb104-server 10.4.16 mariadb105-server 10.5.7 mysql56-server 5.6.50 mysql57-server 5.7.32 mysql80-server 8.0.22

Oracle reports:

This Critical Patch Update contains 48 new security patches for Oracle MySQL.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 8.

NOTE: MariaDB only contains CVE-2020-14812 CVE-2020-14765 CVE-2020-14776 and CVE-2020-14789

https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixMSQL CVE-2020-14878 CVE-2020-14828 CVE-2020-14775 CVE-2020-14765 CVE-2020-14769 CVE-2020-14830 CVE-2020-14836 CVE-2020-14846 CVE-2020-14800 CVE-2020-14827 CVE-2020-14760 CVE-2020-14776 CVE-2020-14821 CVE-2020-14829 CVE-2020-14848 CVE-2020-14852 CVE-2020-14814 CVE-2020-14789 CVE-2020-14804 CVE-2020-14812 CVE-2020-14773 CVE-2020-14777 CVE-2020-14785 CVE-2020-14793 CVE-2020-14794 CVE-2020-14809 CVE-2020-14837 CVE-2020-14839 CVE-2020-14845 CVE-2020-14861 CVE-2020-14866 CVE-2020-14868 CVE-2020-14888 CVE-2020-14891 CVE-2020-14893 CVE-2020-14786 CVE-2020-14790 CVE-2020-14844 CVE-2020-14799 CVE-2020-14869 CVE-2020-14672 CVE-2020-14870 CVE-2020-14867 CVE-2020-14873 CVE-2020-14838 CVE-2020-14860 CVE-2020-14791 CVE-2020-14771 2020-10-20 2020-10-21 2020-11-07
chromium -- multiple vulnerabilities chromium 86.0.4240.111

Chrome Releases reports:

This release includes 5 security fixes:

  • [1125337] High CVE-2020-16000: Inappropriate implementation in Blink. Reported by amaebi_jp on 2020-09-06
  • [1135018] High CVE-2020-16001: Use after free in media. Reported by Khalil Zhani on 2020-10-05
  • [1137630] High CVE-2020-16002: Use after free in PDFium. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-10-13
  • [1139963] High CVE-2020-15999: Heap buffer overflow in Freetype. Reported by Sergei Glazunov of Google Project Zero on 2020-10-19
  • [1134960] Medium CVE-2020-16003: Use after free in printing. Reported by Khalil Zhani on 2020-10-04
CVE-2020-15999 CVE-2020-16000 CVE-2020-16001 CVE-2020-16002 CVE-2020-16003 https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html 2020-10-20 2020-10-21
powerdns-recursor -- cache pollution powerdns-recursor 4.3.04.3.5 4.2.04.2.5 4.1.04.1.18

PowerDNS Team reports:

CVE-2020-25829: An issue has been found in PowerDNS Recursor where a remote attacker can cause the cached records for a given name to be updated to the ‘Bogus’ DNSSEC validation state, instead of their actual DNSSEC ‘Secure’ state, via a DNS ANY query. This results in a denial of service for installations that always validate (dnssec=validate) and for clients requesting validation when on-demand validation is enabled (dnssec=process).

https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html CVE-2020-25829 2020-10-13 2020-10-14
MariaDB -- Undisclosed vulnerability mariadb103-client 10.3.25 mariadb103-server 10.3.25 mariadb104-client 10.4.15 mariadb104-server 10.4.15 mariadb105-client 10.5.6 mariadb105-server 10.5.6

The MariaDB project reports:

Details of this vulnerability have not yet been disclosed

https://mariadb.com/kb/en/mariadb-1056-release-notes/ https://mariadb.com/kb/en/mariadb-10415-release-notes/ https://mariadb.com/kb/en/mariadb-10325-release-notes/ CVE-2020-15180 2020-10-07 2020-10-18
py-matrix-synapse -- XSS vulnerability py36-matrix-synapse py37-matrix-synapse py38-matrix-synapse py39-matrix-synapse 1.21.0

Matrix developers reports:

The fallback authentication endpoint served via Synapse were vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.

CVE-2020-26891 https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq https://github.com/matrix-org/synapse/releases/tag/v1.21.2 ports/249948 2020-10-01 2020-10-17
drupal -- Multiple Vulnerabilities drupal7 7.72

Drupal Security Team reports:

The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.

https://www.drupal.org/sa-core-2020-007 2020-09-16 2020-10-17
Flash Player -- arbitrary code execution linux-flashplayer 32.0.0.445

Adobe reports:

  • This update resolves a NULL pointer dereference vulnerability that could lead to arbitrary code execution (CVE-2020-9746).
CVE-2020-9746 https://helpx.adobe.com/security/products/flash-player/apsb20-58.html 2020-10-13 2020-10-13
Rails -- Possible XSS vulnerability rubygem-actionpack60 6.0.3.4

Ruby on Rails blog:

Rails version 6.0.3.4 has been released! This version is a security release and addresses one possible XSS attack vector in Actionable Exceptions.

https://weblog.rubyonrails.org/2020/10/7/Rails-6-0-3-4-has-been-released/ CVE-2020-8264 2020-10-07 2020-10-10
Payara -- path trasversal flaw via either loc/con parameters in Eclipse Mojarra payara 5.201

Payara Releases reports:

The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:

  • CVE-2020-6950 Eclipse Mojarra vulnerable to path trasversal flaw via either loc/con parameters
CVE-2020-6950 https://docs.payara.fish/community/docs/5.2020.4/security/security-fix-list.html 2020-01-13 2020-10-06
Payara -- A Polymorphic Typing issue in FasterXML jackson-databind payara 5.193

Payara Releases reports:

The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:

  • CVE-2019-12086 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9
CVE-2019-12086 https://docs.payara.fish/community/docs/5.193/security/security-fix-list.html 2019-05-17 2020-10-06
payara -- multiple vulnerabilities payara 5.191

Payara Releases reports:

The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:

  • CVE-2018-14721 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks
  • CVE-2018-14720 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct external XML entity (XXE) attacks
  • CVE-2018-14719 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code
  • CVE-2018-14718 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code
  • CVE-2018-14371 Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter
CVE-2018-14721 CVE-2018-14720 CVE-2018-14719 CVE-2018-14718 CVE-2018-14371 https://docs.payara.fish/community/docs/5.191/security/security-fix-list.html 2019-02-01 2020-10-06
zeek -- Vulnerability due to memory leak zeek 3.0.11

Jon Siwek of Corelight reports:

This release fixes the following security issue:

  • A memory leak in multipart MIME code has potential for remote exploitation and cause for Denial of Service via resource exhaustion.
https://github.com/zeek/zeek/releases/tag/v3.0.11 2020-09-29 2020-10-07
chromium -- multiple vulnerabilities chromium 86.0.4240.75

Chrome releases reports:

This release contains 35 security fixes, including:

  • [1127322] Critical CVE-2020-15967: Use after free in payments. Reported by Man Yue Mo of GitHub Security Lab on 2020-09-11
  • [1126424] High CVE-2020-15968: Use after free in Blink. Reported by Anonymous on 2020-09-09
  • [1124659] High CVE-2020-15969: Use after free in WebRTC. Reported by Anonymous on 2020-09-03
  • [1108299] High CVE-2020-15970: Use after free in NFC. Reported by Man Yue Mo of GitHub Security Lab on 2020-07-22
  • [1114062] High CVE-2020-15971: Use after free in printing. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-08-07
  • [1115901] High CVE-2020-15972: Use after free in audio. Reported by Anonymous on 2020-08-13
  • [1133671] High CVE-2020-15990: Use after free in autofill. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on 2020-09-30
  • [1133688] High CVE-2020-15991: Use after free in password manager. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on 2020-09-30
  • [1106890] Medium CVE-2020-15973: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-07-17
  • [1104103] Medium CVE-2020-15974: Integer overflow in Blink. Reported by Juno Im (junorouse) of Theori on 2020-07-10
  • [1110800] Medium CVE-2020-15975: Integer overflow in SwiftShader. Reported by Anonymous on 2020-07-29
  • [1123522] Medium CVE-2020-15976: Use after free in WebXR. Reported by YoungJoo Lee (@ashuu_lee) of Raon Whitehat on 2020-08-31
  • [1083278] Medium CVE-2020-6557: Inappropriate implementation in networking. Reported by Matthias Gierlings and Marcus Brinkmann (NDS Ruhr-University Bochum) on 2020-05-15
  • [1097724] Medium CVE-2020-15977: Insufficient data validation in dialogs. Reported by Narendra Bhati (@imnarendrabhati) on 2020-06-22
  • [1116280] Medium CVE-2020-15978: Insufficient data validation in navigation. Reported by Luan Herrera (@lbherrera_) on 2020-08-14
  • [1127319] Medium CVE-2020-15979: Inappropriate implementation in V8. Reported by Avihay Cohen (@SeraphicAlgorithms) on 2020-09-11
  • [1092453] Medium CVE-2020-15980: Insufficient policy enforcement in Intents. Reported by Yongke Wang (@Rudykewang) and Aryb1n (@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-08
  • [1123023] Medium CVE-2020-15981: Out of bounds read in audio. Reported by Christoph Guttandin on 2020-08-28
  • [1039882] Medium CVE-2020-15982: Side-channel information leakage in cache. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
  • [1076786] Medium CVE-2020-15983: Insufficient data validation in webUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-04-30
  • [1080395] Medium CVE-2020-15984: Insufficient policy enforcement in Omnibox. Reported by Rayyan Bijoora on 2020-05-07
  • [1099276] Medium CVE-2020-15985: Inappropriate implementation in Blink. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2020-06-25
  • [1100247] Medium CVE-2020-15986: Integer overflow in media. Reported by Mark Brand of Google Project Zero on 2020-06-29
  • [1127774] Medium CVE-2020-15987: Use after free in WebRTC. Reported by Philipp Hancke on 2020-09-14
  • [1110195] Medium CVE-2020-15992: Insufficient policy enforcement in networking. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-28
  • [1092518] Low CVE-2020-15988: Insufficient policy enforcement in downloads. Reported by Samuel Attard on 2020-06-08
  • [1108351] Low CVE-2020-15989: Uninitialized Use in PDFium. Reported by Gareth Evans (Microsoft) on 2020-07-22
CVE-2020-6557 CVE-2020-15967 CVE-2020-15968 CVE-2020-15969 CVE-2020-15970 CVE-2020-15971 CVE-2020-15972 CVE-2020-15973 CVE-2020-15974 CVE-2020-15975 CVE-2020-15976 CVE-2020-15977 CVE-2020-15978 CVE-2020-15979 CVE-2020-15980 CVE-2020-15981 CVE-2020-15982 CVE-2020-15983 CVE-2020-15984 CVE-2020-15985 CVE-2020-15986 CVE-2020-15987 CVE-2020-15988 CVE-2020-15989 CVE-2020-15990 CVE-2020-15991 CVE-2020-15992 https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html 2020-10-06 2020-10-07
libexif -- multiple vulnerabilities libexif 0.6.22

Release notes:

Lots of fixes exposed by fuzzers like AFL, ClusterFuzz, OSSFuzz and others:

CVE-2016-6328: fixed integer overflow when parsing maker notes

CVE-2017-7544: fixed buffer overread

CVE-2018-20030: Fix for recursion DoS

CVE-2019-9278: replaced integer overflow checks the compiler could optimize away by safer constructs

CVE-2020-0093: read overflow

CVE-2020-12767: fixed division by zero

CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes

CVE-2020-13113: Potential use of uninitialized memory

CVE-2020-13114: Time consumption DoS when parsing canon array markers

https://github.com/libexif/libexif/blob/master/NEWS CVE-2016-6328 CVE-2017-7544 CVE-2018-20030 CVE-2019-9278 CVE-2020-0093 CVE-2020-12767 CVE-2020-13112 CVE-2020-13113 CVE-2020-13114 2020-05-18 2020-10-05
kdeconnect -- packet manipulation can be exploited in a Denial of Service attack kdeconnect-kde 20.08.1

Albert Astals Cid reports:

KDE Project Security Advisory

Title KDE Connect: packet manipulation can be exploited in a Denial of Service attack
Risk Rating Important
CVE CVE-2020-26164
Versions kdeconnect <= 20.08.1
Author Albert Vaca Cintora <albertvaka@gmail.com>
Date 2 October 2020

Overview

An attacker on your local network could send maliciously crafted packets to other hosts running kdeconnect on the network, causing them to use large amounts of CPU, memory or network connections, which could be used in a Denial of Service attack within the network.

Impact

Computers that run kdeconnect are susceptible to DoS attacks from the local network.

Workaround

We advise you to stop KDE Connect when on untrusted networks like those on airports or conferences.

Since kdeconnect is dbus activated it is relatively hard to make sure it stays stopped so the brute force approach is to uninstall the kdeconnect package from your system and then run

	      kquitapp5 kdeconnectd
	  

Just install the package again once you're back in a trusted network.

Solution

KDE Connect 20.08.2 patches several code paths that could result in a DoS.

You can apply these patches on top of 20.08.1:

  • https://invent.kde.org/network/kdeconnect-kde/-/commit/f183b5447bad47655c21af87214579f03bf3a163
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/b279c52101d3f7cc30a26086d58de0b5f1c547fa
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/d35b88c1b25fe13715f9170f18674d476ca9acdc
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/b496e66899e5bc9547b6537a7f44ab44dd0aaf38
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/5310eae85dbdf92fba30375238a2481f2e34943e
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/721ba9faafb79aac73973410ee1dd3624ded97a5
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/ae58b9dec49c809b85b5404cee17946116f8a706
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/66c768aa9e7fba30b119c8b801efd49ed1270b0a
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/85b691e40f525e22ca5cc4ebe79c361d71d7dc05
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/48180b46552d40729a36b7431e97bbe2b5379306

Credits

Thanks Matthias Gerstner and the openSUSE security team for reporting the issue.

Thanks to Aleix Pol, Nicolas Fella and Albert Vaca Cintora for the patches.

https://kde.org/info/security/advisory-20201002-1.txt CVE-2020-26164 2020-10-02 2020-10-04
upnp -- denial of service (crash) upnp 1.12.1_1,1

CVE mitre reports:

Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13848 https://nvd.nist.gov/vuln/detail/CVE-2020-13848 https://github.com/pupnp/pupnp/issues/177 https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0 CVE-2020-13848 2020-06-04 2020-10-03
Gitlab -- multiple vulnerabilities gitlab-ce 13.4.013.4.2 13.3.013.3.7 7.1213.2.10

Gitlab reports:

Potential Denial Of Service Via Update Release Links API

Insecure Storage of Session Key In Redis

Improper Access Expiration Date Validation

Cross-Site Scripting in Multiple Pages

Unauthorized Users Can View Custom Project Template

Cross-Site Scripting in SVG Image Preview

Incomplete Handling in Account Deletion

Insufficient Rate Limiting at Re-Sending Confirmation Email

Improper Type Check in GraphQL

To-dos Are Not Redacted When Membership Changes

Guest users can modify confidentiality attribute

Command injection on runner host

Insecure Runner Configuration in Kubernetes Environments

https://about.gitlab.com/releases/2020/10/01/security-release-13-4-2-release/ CVE-2020-13333 CVE-2020-13332 CVE-2020-13335 CVE-2020-13334 CVE-2020-13327 2020-10-01 2020-10-02
tt-rss -- multiple vulnerabilities tt-rss g20200919

tt-rss project reports:

The cached_url feature mishandles JavaScript inside an SVG document.

imgproxy in plugins/af_proxy_http/init.php mishandles $_REQUEST["url"] in an error message.

It does not validate all URLs before requesting them.

Allows remote attackers to execute arbitrary PHP code via a crafted plural forms header.

https://community.tt-rss.org/t/heads-up-several-vulnerabilities-fixed/3799 https://community.tt-rss.org/t/replace-php-gettext/2889 CVE-2020-25789 CVE-2020-25788 CVE-2020-25787 CVE-2016-6175 2020-09-15 2020-09-20
Apache Ant leaks sensitive information via the java.io.tmpdir apache-ant 1.11.10.8

Apache reports:

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.

https://issues.apache.org/jira/browse/RAT-269?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel CVE-2020-1945 2020-05-14 2020-09-28
powerdns -- Leaking uninitialised memory through crafted zone records powerdns 4.3.04.3.1 4.2.04.2.3 4.1.04.1.14

PowerDNS Team reports

CVE-2020-17482: An issue has been found in PowerDNS Authoritative Server before 4.3.1 where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. Such a user could be a customer inserting data via a control panel, or somebody with access to the REST API. Crafted records cannot be inserted via AXFR.

https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html CVE-2020-17482 2020-09-22 2020-09-24
chromium -- multiple vulnerabilities chromium 85.0.4183.121

Chrome Releases reports:

This release fixes 10 security issues, including:

  • [1100136] High CVE-2020-15960: Out of bounds read in storage. Reported by Anonymous on 2020-06-28
  • [1114636] High CVE-2020-15961: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-10
  • [1121836] High CVE-2020-15962: Insufficient policy enforcement in serial. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-08-26
  • [1113558] High CVE-2020-15963: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-06
  • [1126249] High CVE-2020-15965: Out of bounds write in V8. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-09-08
  • [1113565] Medium CVE-2020-15966: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-06
  • [1121414] Low CVE-2020-15964: Insufficient data validation in media. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2020-08-25
CVE-2020-15960 CVE-2020-15961 CVE-2020-15962 CVE-2020-15963 CVE-2020-15964 CVE-2020-15965 CVE-2020-15966 https://chromereleases.googleblog.com/2020/09/stable-channel-update-for-desktop_21.html 2020-09-21 2020-09-22
libxml -- multiple vulnerabilities libxml2 2.9.10_1

CVE mitre reports:

CVE-2019-20388

xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.

CVE-2020-7595

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

CVE-2020-24977

GNOME project libxml2 v2.9.10 and earlier have a global buffer over-read vulnerability in xmlEncodeEntitiesInternal

https://nvd.nist.gov/vuln/detail/CVE-2019-20388 https://nvd.nist.gov/vuln/detail/CVE-2020-7595 https://nvd.nist.gov/vuln/detail/CVE-2020-24977 2020-01-21 2020-09-22
py-matrix-synapse -- malformed events may prevent users from joining federated rooms py36-matrix-synapse py37-matrix-synapse py38-matrix-synapse 1.19.2

Problem Description:

Affected Synapse versions assume that all events have an "origin" field set. If an event without the "origin" field is sent into a federated room, servers not already joined to the room will be unable to do so due to failing to fetch the malformed event.

Impact:

An attacker could cause a denial of service by deliberately sending a malformed event into a room, thus preventing new servers (and thus their users) from joining the room.

https://github.com/matrix-org/synapse/issues/8319 https://github.com/matrix-org/synapse/pull/8324 https://github.com/matrix-org/synapse/blob/v1.19.3/CHANGES.md 2020-09-16 2020-09-21
Python -- multiple vulnerabilities python35 3.5.10

Python reports:

bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(…).

bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523).

bpo-41004: CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).

bpo-39073: Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.

bpo-38576: Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.

bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

bpo-38945: Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process.

bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar. Patch by Ben Caller.

bpo-39017: Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).

bpo-41183: Use 3072 RSA keys and SHA-256 signature for test certs and keys.

bpo-39503: AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge.

CVE-2020-15523 CVE-2020-14422 CVE-2019-18348 CVE-2020-8492 CVE-2019-20907 2020-08-19 2020-09-20
samba -- Unauthenticated domain takeover via netlogon samba410 4.10.18 samba411 4.11.13 samba412 4.12.7

The Samba Team reports:

An unauthenticated attacker on the network can gain administrator access by exploiting a netlogon protocol flaw.

https://www.samba.org/samba/security/CVE-2020-1472.html CVE-2020-1472 2020-01-01 2020-09-20
Nextcloud -- Password share by mail not hashed nextcloud 19.0.1

The Nextcloud project reports:

NC-SA-2020-026 (low): Password of share by mail is not hashed when given on the create share call
A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.

https://nextcloud.com/security/advisory/?id=NC-SA-2020-026 CVE-2020-8183 2020-06-04 2020-09-19
webkit2-gtk3 -- multible vulnerabilities webkit2-gtk3 2.28.3

The WebKitGTK project reports vulnerabilities:

  • CVE-2020-9802: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2020-9803: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2020-9805: Processing maliciously crafted web content may lead to universal cross site scripting.
  • CVE-2020-9806: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2020-9807: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2020-9843: Processing maliciously crafted web content may lead to a cross site scripting attack.
  • CVE-2020-9850: A remote attacker may be able to cause arbitrary code execution.
  • CVE-2020-13753: CLONE_NEWUSER could potentially be used to confuse xdg- desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal’s input buffer.
https://webkitgtk.org/security/WSA-2020-0006.html CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 CVE-2020-9806 CVE-2020-9807 CVE-2020-9843 CVE-2020-9850 CVE-2020-13753 2020-07-10 2020-07-10
Node.js -- September 2020 Security Releases node 14.11.0 node12 12.18.4 node10 10.22.1

Node.js reports:

Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues.

HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201)

Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.

Impacts:

  • All versions of the 14.x and 12.x releases line

Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251)

Node.js is vulnerable to HTTP denial of service (DOS) attacks based on delayed requests submission which can make the server unable to accept new connections. The fix a new http.Server option called requestTimeout with a default value of 0 which means it is disabled by default. This should be set when Node.js is used as an edge server, for more details refer to the documentation.

Impacts:

  • All versions of the 14.x release line

fs.realpath.native on may cause buffer overflow (Medium) (CVE-2020-8252)

libuv's realpath implementation incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.

Impacts:

  • All versions of the 10.x release line
  • All versions of the 12.x release line
  • All versions of the 14.x release line before 14.9.0
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/ CVE-2020-8201 CVE-2020-8251 CVE-2020-8252 2020-09-08 2020-09-16
FreeBSD -- ftpd privilege escalation via ftpchroot feature FreeBSD 12.112.1_10 11.411.4_4 11.311.3_14

Problem Description:

A ftpd(8) bug in the implementation of the file system sandbox, combined with capabilities available to an authenticated FTP user, can be used to escape the file system restriction configured in ftpchroot(5). Moreover, the bug allows a malicious client to gain root privileges.

Impact:

A malicious FTP user can gain privileged access to an affected system.

CVE-2020-7468 SA-20:30.ftpd 2020-09-15 2020-09-16
FreeBSD -- bhyve SVM guest escape FreeBSD-kernel 12.112.1_10 11.411.4_4 11.311.3_14

Problem Description:

A number of AMD virtualization instructions operate on host physical addresses, are not subject to nested page table translation, and guest use of these instructions was not trapped.

Impact:

From kernel mode a malicious guest can write to arbitrary host memory (with some constraints), affording the guest full control of the host.

CVE-2020-7467 SA-20:29.bhyve_svm 2020-09-15 2020-09-16
FreeBSD -- bhyve privilege escalation via VMCS access FreeBSD-kernel 12.112.1_10 11.411.4_4 11.311.3_14

Problem Description:

AMD and Intel CPUs support hardware virtualization using specialized data structures that control various aspects of guest operation. These are the Virtual Machine Control Structure (VMCS) on Intel CPUs, and the Virtual Machine Control Block (VMCB) on AMD CPUs. Insufficient access controls allow root users, including those running in a jail, to change these data structures.

Impact:

An attacker with host root access (including to a jailed bhyve instance) can use this vulnerability to achieve kernel code execution.

CVE-2020-24718 SA-20:28.bhyve_vmcs 2020-09-15 2020-09-16
FreeBSD -- ure device driver susceptible to packet-in-packet attack FreeBSD-kernel 12.112.1_10 11.411.4_4 11.311.3_14

Problem Description:

A programming error in the ure(4) device driver caused some Realtek USB Ethernet interfaces to incorrectly report packets with more than 2048 bytes in a single USB transfer as having a length of only 2048 bytes.

An adversary can exploit this to cause the driver to misinterpret part of the payload of a large packet as a separate packet, and thereby inject packets across security boundaries such as VLANs.

Impact:

An attacker that can send large frames (larger than 2048 bytes in size) to be received by the host (be it VLAN, or non-VLAN tagged packet), can inject arbitrary packets to be received and processed by the host. This includes spoofing packets from other hosts, or injecting packets to other VLANs than the host is on.

CVE-2020-7464 SA-20:27.ure 2020-09-15 2020-09-16
Rails -- Potential XSS vulnerability rubygem-actionview52 5.2.4.4 rubygem-actionview60 6.0.3.3

Ruby on Rails blog:

Rails 5.2.4.4 and 6.0.3.3 have been released! These releases contain an important security fix, so please upgrade when you can.

Both releases contain the following fix: [CVE-2020-15169] Potential XSS vulnerability in Action View

https://weblog.rubyonrails.org/2020/9/10/Rails-5-2-4-4-and-6-0-3-3-have-been-released/ https://groups.google.com/forum/#!topic/rubyonrails-security/b-C9kSGXYrc https://github.com/rails/rails/blob/5-2-stable/actionview/CHANGELOG.md https://github.com/rails/rails/blob/6-0-stable/actionview/CHANGELOG.md CVE-2020-15169 2020-09-09 2020-09-12
zeek -- Various vulnerabilities zeek 3.0.10

Jon Siwek of Corelight reports:

This release fixes the following security issue:

  • The AYIYA and GTPv1 parsing/decapsulation logic may leak memory -- These leaks have potential for remote exploitation to cause Denial of Service via resource exhaustion.
https://github.com/zeek/zeek/releases/tag/v3.0.10 2020-08-28 2020-09-09
chromium -- multiple vulnerabilities chromium 85.0.4183.102

Chrome Releases reports:

This release contains 5 security fixes:

  • [1116304] High CVE-2020-6573: Use after free in video. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-08-14
  • [1102196] High CVE-2020-6574: Insufficient policy enforcement in installer. Reported by CodeColorist of Ant-Financial LightYear Labs on 2020-07-05
  • [1081874] High CVE-2020-6575: Race in Mojo. Reported by Microsoft on 2020-05-12
  • [1111737] High CVE-2020-6576: Use after free in offscreen canvas. Reported by Looben Yang on 2020-07-31
  • [1122684] High CVE-2020-15959: Insufficient policy enforcement in networking. Reported by Eric Lawrence of Microsoft on 2020-08-27
CVE-2020-6573 CVE-2020-6574 CVE-2020-6575 CVE-2020-6576 CVE-2020-15969 https://chromereleases.googleblog.com/2020/09/stable-channel-update-for-desktop.html 2020-09-08 2020-09-09
Multi-link PPP protocol daemon MPD5 remotely exploitable crash mpd5 5.9

Version 5.9 contains security fix for L2TP clients and servers. Insufficient validation of incoming L2TP control packet specially crafted by unauthenticated user might lead to unexpected termination of the process. The problem affects mpd versions since 4.0 that brought in initial support for L2TP. Installations not using L2TP clients nor L2TP server configuration were not affected.

CVE-2020-7465 CVE-2020-7466 http://mpd.sourceforge.net/doc5/mpd4.html#4 2020-09-04 2020-09-06 2020-09-07
Mbed TLS -- Local side channel attack on RSA and static Diffie-Hellman mbedtls 2.16.8

Manuel Pégourié-Gonnard reports:

An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can recover the private keys used in RSA or static (finite-field) Diffie-Hellman operations.

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2 2020-09-01 2020-09-06
Mbed TLS -- Local side channel attack on classical CBC decryption in (D)TLS mbedtls 2.16.8

Manuel Pégourié-Gonnard reports:

When decrypting/authenticating (D)TLS record in a connection using a CBC ciphersuite without the Encrypt-then-Mac extension RFC 7366, Mbed TLS used dummy rounds of the compression function associated with the hash used for HMAC in order to hide the length of the padding to remote attackers, as recommended in the original Lucky Thirteen paper.

A local attacker who is able to observe the state of the cache could monitor the presence of mbedtls_md_process() in the cache in order to determine when the actual computation ends and when the dummy rounds start. This is a reliable target as it's always called at least once, in response to a previous attack. The attacker can then continue with one of many well-documented Lucky 13 variants.

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1 CVE-2020-16150 2020-09-01 2020-09-06
GnuTLS -- null pointer dereference gnutls 3.6.15

The GnuTLS project reports:

It was found by oss-fuzz that the server sending a "no_renegotiation" alert in an unexpected timing, followed by an invalid second handshake can cause a TLS 1.3 client to crash via a null-pointer dereference. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.

https://gnutls.org/security-new.html#GNUTLS-SA-2020-09-04 CVE-2020-24659 2020-09-04 2020-09-06
Django -- multiple vulnerabilities py35-django22 py36-django22 py37-django22 py38-django22 2.2.16 py36-django30 py37-django30 py38-django30 3.0.10 py36-django31 py37-django31 py38-django31 3.1.1

Django Release notes:

CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+

On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the collectstatic management command.

CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+

On Python 3.7+, the intermediate-level directories of the file system cache had the system's standard umask rather than 0o077 (no group or others permissions).

https://docs.djangoproject.com/en/2.2/releases/2.2.16/ https://docs.djangoproject.com/en/3.0/releases/3.0.10/ https://docs.djangoproject.com/en/3.1/releases/3.1.1/ CVE-2020-24583 CVE-2020-24584 2020-09-01 2020-09-05
gnupg -- AEAD key import overflow gnupg 2.2.212.2.23

Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour.

Importing an arbitrary key can often easily be triggered by an attacker and thus triggering this bug. Exploiting the bug aside from crashes is not trivial but likely possible for a dedicated attacker. The major hurdle for an attacker is that only every second byte is under their control with every first byte having a fixed value of 0x04.

CVE-2020-25125 https://dev.gnupg.org/T5050 2020-09-03 2020-09-03
FreeBSD -- dhclient heap overflow FreeBSD 12.112.1_9 11.411.4_3 11.311.3_13

Problem Description:

When parsing option 119 data, dhclient(8) computes the uncompressed domain list length so that it can allocate an appropriately sized buffer to store the uncompressed list. The code to compute the length failed to handle certain malformed input, resulting in a heap overflow when the uncompressed list is copied into in inadequately sized buffer.

Impact:

The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit. However, it is possible the bug could be combined with other vulnerabilities to escape the sandbox.

CVE-2020-7461 SA-20:26.dhclient 2020-09-02 2020-09-02
FreeBSD -- SCTP socket use-after-free bug FreeBSD-kernel 12.112.1_9 11.411.4_3 11.311.3_13

Problem Description:

Due to improper handling in the kernel, a use-after-free bug can be triggered by sending large user messages from multiple threads on the same socket.

Impact:

Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic.

CVE-2020-7463 SA-20:25.sctp 2020-09-02 2020-09-02
FreeBSD -- IPv6 Hop-by-Hop options use-after-free bug FreeBSD-kernel 11.311.3_13

Problem Description:

Due to improper mbuf handling in the kernel, a use-after-free bug might be triggered by sending IPv6 Hop-by-Hop options over the loopback interface.

Impact:

Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic.

CVE-2020-7462 SA-20:24.ipv6 2020-09-02 2020-09-02
Gitlab -- multiple vulnerabilities gitlab-ce 13.3.013.3.4 13.2.013.2.8 013.1.10

Gitlab reports:

Vendor Cross-Account Assume-Role Attack

Stored XSS on the Vulnerability Page

Outdated Job Token Can Be Reused to Access Unauthorized Resources

File Disclosure Via Workhorse File Upload Bypass

Unauthorized Maintainer Can Edit Group Badge

Denial of Service Within Wiki Functionality

Sign-in Vulnerable to Brute-force Attacks

Invalidated Session Allows Account Access With an Old Password

GitLab Omniauth Endpoint Renders User Controlled Messages

Blind SSRF Through Repository Mirroring

Information Disclosure Through Incorrect Group Permission Verifications

No Rate Limit on GitLab Webhook Feature

GitLab Session Revocation Feature Does Not Invalidate All Sessions

OAuth Authorization Scope for an External Application Can Be Changed Without User Consent

Unauthorized Maintainer Can Delete Repository

Improper Verification of Deploy-Key Leads to Access Restricted Repository

Disabled Repository Still Accessible With a Deploy-Token

Duplicated Secret Code Generated by 2 Factor Authentication Mechanism

Lack of Validation Within Project Invitation Flow

Current Sessions Not Invalidated Upon Enabling 2 Factor Authentication

Users Without 2 Factor Authentication Can Be Blocked Accessing GitLab

Lack of Upper Bound Check Leading to Possible Denial of Service

2 Factor Authentication for Groups Was Not Enforced Within API Endpoint

GitLab Runner Denial of Service via CI Jobs

Update jQuery Dependency

https://about.gitlab.com/releases/2020/09/02/security-release-gitlab-13-3-3-released/ CVE-2020-13318 CVE-2020-13301 CVE-2020-13284 CVE-2020-13298 CVE-2020-13313 CVE-2020-13311 CVE-2020-13289 CVE-2020-13302 CVE-2020-13314 CVE-2020-13309 CVE-2020-13287 CVE-2020-13306 CVE-2020-13299 CVE-2020-13300 CVE-2020-13317 CVE-2020-13303 CVE-2020-13316 CVE-2020-13304 CVE-2020-13305 CVE-2020-13307 CVE-2020-13308 CVE-2020-13315 CVE-2020-13297 CVE-2020-13310 CVE-2020-11022 2020-09-02 2020-09-02
go -- net/http/cgi, net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified go 1.14.8,1 1.15,11.15.1,1

The Go project reports:

When a Handler does not explicitly set the Content-Type header, both CGI implementations default to “text/html”. If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin. If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin.

CVE-2020-24553 https://github.com/golang/go/issues/40928 2020-08-20 2020-09-01
ark -- extraction outside of extraction directory ark 20.08.0_1

Albert Astals Cid reports:

Overview

A maliciously crafted TAR archive containing symlink entries would install files anywhere in the user's home directory upon extraction.

Proof of concept

For testing, an example of malicious archive can be found at dirsymlink.tar

Impact

Users can unwillingly install files like a modified .bashrc, or a malicious script placed in ~/.config/autostart.

Workaround

Before extracting a downloaded archive using the Ark GUI, users should inspect it to make sure it doesn't contain symlink entries pointing outside the extraction folder.

The 'Extract' context menu from the Dolphin file manager shouldn't be used.

Solution

Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.

Alternatively, 8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous releases.

Credits

Thanks to Fabian Vogt for reporting this issue and for fixing it.

https://kde.org/info/security/advisory-20200827-1.txt CVE-2020-24654 2020-08-27 2020-08-28
php72 -- use of freed hash key php72 7.2.33 php73 7.3.21 php74 7.4.9

grigoritchy at gmail dot com reports:

The phar_parse_zipfile function had use-after-free vulnerability because of mishandling of the actual_alias variable.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7068 CVE-2020-7068 2020-07-06 2020-08-27
chromium -- multiple vulnerabilities chromium 85.0.4183.83

Chrome Releases reports:

This update includes 20 security fixes, including:

  • [1109120] High CVE-2020-6558: Insufficient policy enforcement in iOS. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-24
  • [1116706] High CVE-2020-6559: Use after free in presentation API. Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu Lab on 2020-08-15
  • [1108181] Medium CVE-2020-6560: Insufficient policy enforcement in autofill. Reported by Nadja Ungethuem from www.unnex.de on 2020-07-22
  • [932892] Medium CVE-2020-6561: Inappropriate implementation in Content Security Policy. Reported by Rob Wu on 2019-02-16
  • [1086845] Medium CVE-2020-6562: Insufficient policy enforcement in Blink. Reported by Masato Kinugawa on 2020-05-27
  • [1104628] Medium CVE-2020-6563: Insufficient policy enforcement in intent handling. Reported by Pedro Oliveira on 2020-07-12
  • [841622] Medium CVE-2020-6564: Incorrect security UI in permissions. Reported by Khalil Zhani on 2018-05-10
  • [1029907] Medium CVE-2020-6565: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-12-02
  • [1065264] Medium CVE-2020-6566: Insufficient policy enforcement in media. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-03-27
  • [937179] Low CVE-2020-6567: Insufficient validation of untrusted input in command line handling. Reported by Joshua Graham of TSS on 2019-03-01
  • [1092451] Low CVE-2020-6568: Insufficient policy enforcement in intent handling. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-08
  • [995732] Low CVE-2020-6569: Integer overflow in WebUSB. Reported by guaixiaomei on 2019-08-20
  • [1084699] Low CVE-2020-6570: Side-channel information leakage in WebRTC. Reported by Signal/Tenable on 2020-05-19
  • [1085315] Low CVE-2020-6571: Incorrect security UI in Omnibox. Reported by Rayyan Bijoora on 2020-05-21
CVE-2020-6558 CVE-2020-6559 CVE-2020-6560 CVE-2020-6561 CVE-2020-6562 CVE-2020-6563 CVE-2020-6564 CVE-2020-6565 CVE-2020-6566 CVE-2020-6567 CVE-2020-6568 CVE-2020-6569 CVE-2020-6570 CVE-2020-6571 https://chromereleases.googleblog.com/2020/08/stable-channel-update-for-desktop_25.html 2020-08-25 2020-08-26
jasper -- multiple vulnerabilities jasper 2.0.20

JasPer NEWS:

- Fix CVE-2018-9154

- Fix CVE-2018-19541

- Fix CVE-2016-9399, CVE-2017-13751

- Fix CVE-2018-19540

- Fix CVE-2018-9055

- Fix CVE-2017-13748

- Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505

- Fix CVE-2018-9252

- Fix CVE-2018-19139

- Fix CVE-2018-19543, CVE-2017-9782

- Fix CVE-2018-20570

- Fix CVE-2018-20622

- Fix CVE-2016-9398

- Fix CVE-2017-14132

- Fix CVE-2017-5499

- Fix CVE-2018-18873

- Fix CVE-2017-13750

https://github.com/jasper-software/jasper/blob/master/NEWS CVE-2018-9154 CVE-2018-19541 CVE-2016-9399 CVE-2017-13751 CVE-2018-19540 CVE-2018-9055 CVE-2017-13748 CVE-2017-5503 CVE-2017-5504 CVE-2017-5505 CVE-2018-9252 CVE-2018-19139 CVE-2018-19543 CVE-2017-9782 CVE-2018-20570 CVE-2018-20622 CVE-2016-9398 CVE-2017-14132 CVE-2017-5499 CVE-2018-18873 CVE-2017-13750 2020-07-28 2020-08-25 2020-09-05
xorg-server -- Multiple input validation failures in X server extensions xorg-server 1.20.8_4,1 xephyr 1.20.8_4,1 xorg-vfbserver 1.20.8_4,1 xorg-nestserver 1.20.8_4,1 xwayland 1.20.8_4,1 xorg-dmx 1.20.8_4,1

The X.org project reports:

All theses issuses can lead to local privileges elevation on systems where the X server is running privileged.

The handler for the XkbSetNames request does not validate the request length before accessing its contents.

An integer underflow exists in the handler for the XIChangeHierarchy request.

An integer underflow exist in the handler for the XkbSelectEvents request.

An integer underflow exist in the handler for the CreateRegister request of the X record extension.

CVE-2020-14345 CVE-2020-14346 CVE-2020-14361 CVE-2020-14362 https://lists.x.org/archives/xorg-announce/2020-August/003058.html 2020-08-25 2020-08-25
libX11 -- Doublefree in locale handlng code libX11 1.6.12,1

The X.org project reports:

There is an integer overflow and a double free vulnerability in the way LibX11 handles locales. The integer overflow is a necessary precursor to the double free.

CVE-2020-14363 https://lists.x.org/archives/xorg-announce/2020-August/003056.html 2020-08-25 2020-08-25 2020-11-15
chrony <= 3.5.1 data corruption through symlink vulnerability writing the pidfile chrony 3.5.1

Miroslav Lichvar reports:

chrony-3.5.1 [...] fixes a security issue in writing of the pidfile.

When chronyd is configured to save the pidfile in a directory where the chrony user has write permissions (e.g. /var/run/chrony - the default since chrony-3.4), an attacker that compromised the chrony user account could create a symbolic link at the location of the pidfile to make chronyd starting with root privileges follow the symlink and write its process ID to a file for which the chrony user doesn't have write permissions, causing a denial of service, or data loss.

This issue was reported by Matthias Gerstner of SUSE.

https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2020/08/msg00000.html CVE-2020-14367 2020-08-06 2020-08-22
sysutils/openzfs-kmod -- critical permissions issues openzfs-kmod 2020081800

Andrew Walker reports:

Issue 1:

Users are always granted permissions to cd into a directory. The check for whether execute is present on directories is a de-facto no-op. This cannot be mitigated without upgrading. Even setting an explicit "deny - execute" NFSv4 ACE will be bypassed.

Issue 2:

All ACEs for the owner_group (group@) and regular groups (group:<foo>) are granted the current user. This means that POSIX mode 770 is de-facto 777, and the below ACL is also de-facto 777 because the groupmember check for builtin_administrators returns True.

root@TESTBOX[~]# getfacl testfile
# file: testfile
# owner: root
# group: wheel
group:builtin_administrators:rwxpDdaARWcCos:-------:allow
	  
ports/248787 https://github.com/openzfs/zfs/commit/716b53d0a14c72bda16c0872565dd1909757e73f https://reviews.freebsd.org/D26107 2020-08-13 2020-08-20
textproc/elasticsearch6 -- field disclosure flaw elasticsearch6 6.8.12

Elastic reports:

A field disclosure flaw was found in Elasticsearch when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.

CVE-2020-7019 https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456 https://github.com/elastic/elasticsearch/pull/39490 2020-08-19 2020-08-20
adns -- multiple vulnerabilities adns 1.5.2

Ian Jackson and the adns project reports:

Vulnerable applications: all adns callers. Exploitable by: the local recursive resolver. Likely worst case: Remote code execution.

Vulnerable applications: those that make SOA queries. Exploitable by: upstream DNS data sources. Likely worst case: DoS (crash of the adns-using application)

Vulnerable applications: those that use adns_qf_quoteok_query. Exploitable by: sources of query domain names. Likely worst case: DoS (crash of the adns-using application)

Vulnerable applications: adnshost. Exploitable by: code responsible for framing the input. Likely worst case: DoS (adnshost crashes at EOF).

https://www.chiark.greenend.org.uk/pipermail/adns-announce/2020/000004.html CVE-2017-9103 CVE-2017-9104 CVE-2017-9105 CVE-2017-9106 CVE-2017-9107 CVE-2017-9108 CVE-2017-9109 2017-05-21 2020-08-20
Icinga Web 2 -- directory traversal vulnerability icingaweb2 2.8.1

Icinga development team reports:

CVE-2020-24368

Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2.

https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/ CVE-2020-24368 2020-08-19 2020-08-19
curl -- expired pointer dereference vulnerability curl 7.29.07.72.0

curl security problems:

CVE-2020-8231: wrong connect-only connection

An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection - and instead pick another one the application has created since then.

CURLOPT_CONNECT_ONLY is the option to tell libcurl to not perform an actual transfer, only connect. When that operation is completed, libcurl remembers which connection it used for that transfer and "easy handle". It remembers the connection using a pointer to the internal connectdata struct in memory.

If more transfers are then done with the same multi handle before the connect-only connection is used, leading to the initial connect-only connection to get closed (for example due to idle time-out) while also new transfers (and connections) are setup, such a new connection might end up getting the exact same memory address as the now closed connect-only connection.

If after those operations, the application then wants to use the original transfer's connect-only setup to for example use curl_easy_send() to send raw data over that connection, libcurl could erroneously find an existing connection still being alive at the address it remembered since before even though this is now a new and different connection.

The application could then accidentally send data over that connection which wasn't at all intended for that recipient, entirely unknowingly.

https://curl.haxx.se/docs/security.html https://curl.haxx.se/docs/CVE-2020-8231.html CVE-2020-8231 2020-08-19 2020-08-19
Python -- multiple vulnerabilities python37 3.7.9 python36 3.6.12

Python reports:

bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523).

bpo-41004: CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).

bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(...).

https://docs.python.org/release/3.7.9/whatsnew/changelog.html#changelog https://docs.python.org/release/3.6.12/whatsnew/changelog.html#changelog CVE-2020-14422 CVE-2020-15523 2020-06-17 2020-08-19
security/trousers -- several vulnerabilities trousers 0.3.14_3

the TrouSerS project reports reports:

If the tcsd daemon is started with root privileges, it fails to drop the root gid after it is no longer needed.

If the tcsd daemon is started with root privileges, the tss user has read and write access to the /etc/tcsd.conf file.

If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks.

https://sourceforge.net/p/trousers/trousers/ci/e74dd1d96753b0538192143adf58d04fcd3b242b/ https://www.openwall.com/lists/oss-security/2020/05/20/3 CVE-2020-24330 CVE-2020-24331 CVE-2020-24332 2020-05-20 2020-08-18
chromium -- heap buffer overflow chromium 84.0.4147.135

Chrome Releases reports:

This release contains one security fix:

  • [1115345] High CVE-2020-6556: Heap buffer overflow in SwiftShader. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-08-12
CVE-2020-6556 https://chromereleases.googleblog.com/2020/08/stable-channel-update-for-desktop_18.html 2020-08-18 2020-08-18
ceph14 -- HTTP header injection via CORS ExposeHeader tag ceph14 14.2.11

Red Hat bugzilla reports:

A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10753 CVE-2020-10753 ports/248673 2020-05-27 2020-08-16
jenkins -- Buffer corruption in bundled Jetty jenkins 2.243 jenkins-lts 2.235.5

Jenkins Security Advisory:

Description

(Critical) SECURITY-1983 / CVE-2019-17638

Buffer corruption in bundled Jetty

CVE-2019-17638 https://www.jenkins.io/security/advisory/2020-08-17/ 2020-08-17 2020-08-17
net/rsync -- multiple zlib issues rsync 3.2.0

rsync developers reports:

Various zlib fixes, including security fixes for CVE-2016-9843, CVE-2016-9842, CVE-2016-9841, and CVE-2016-9840

https://download.samba.org/pub/rsync/NEWS#3.2.0 CVE-2016-9843 CVE-2016-9842 CVE-2016-9841 CVE-2016-9840 2020-06-19 2020-08-16
security/py-ecdsa -- multiple issues py27-ecdsa 0.13.3 py37-ecdsa 0.13.3

py-ecdsa developers report:

Fix CVE-2019-14853 - possible DoS caused by malformed signature decoding.

Fix CVE-2019-14859 - signature malleability caused by insufficient checks of DER encoding

https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3 CVE-2019-14853 CVE-2019-14859 2019-10-07 2020-08-16
snmptt -- malicious shell code snmptt 1.4.2

Snmptt reports:

Fixed a security issue with EXEC / PREXEC / unknown_trap_exec that could allow malicious shell code to be executed.

Fixed a bug with EXEC / PREXEC / unknown_trap_exec that caused commands to be run as root instead of the user defined in daemon_uid.

http://snmptt.sourceforge.net/changelog.shtml ports/248162 2020-07-23 2020-08-15
mail/dovecot -- multiple vulnerabilities dovecot 2.3.11

Aki Tuomi reports:

Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory..

Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash

lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash.

Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on.

https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html CVE-2020-12100 CVE-2020-12673 CVE-2020-10967 CVE-2020-12674 2020-04-23 2020-08-13
ilmbase, openexr -- v2.5.3 is a patch release with various bug/security fixes ilmbase 2.5.3 openexr 2.5.3

Cary Phillips reports:

v2.5.3 - Patch release with various bug/security fixes [...]:

  • Various sanitizer/fuzz-identified issues related to handling of invalid input
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.5.3 2020-07-13 2020-08-13
jenkins -- multiple vulnerabilities jenkins 2.252 jenkins-lts 2.235.4

Jenkins Security Advisory:

Description

(High) SECURITY-1955 / CVE-2020-2229

Stored XSS vulnerability in help icons

(High) SECURITY-1957 / CVE-2020-2230

Stored XSS vulnerability in project naming strategy

(High) SECURITY-1960 / CVE-2020-2231

Stored XSS vulnerability in 'Trigger builds remotely'

CVE-2020-2229 CVE-2020-2230 CVE-2020-2231 https://www.jenkins.io/security/advisory/2020-08-12/ 2020-08-12 2020-08-12
chromium -- multiple vulnerabilities chromium 84.0.4147.125

Chrome Releases reports:

This release contains 15 security fixes, including:

  • [1107433] High CVE-2020-6542: Use after free in ANGLE. Reported by Piotr Bania of Cisco Talos on 2020-07-20
  • [1104046] High CVE-2020-6543: Use after free in task scheduling. Reported by Looben Yang on 2020-07-10
  • [1108497] High CVE-2020-6544: Use after free in media. Reported by Tim Becker of Theori on 2020-07-22
  • [1095584] High CVE-2020-6545: Use after free in audio. Reported by Anonymous on 2020-06-16
  • [1100280] High CVE-2020-6546: Inappropriate implementation in installer. Reported by Andrew Hess (any1) on 2020-06-29
  • [1102153] High CVE-2020-6547: Incorrect security UI in media. Reported by David Albert on 2020-07-05
  • [1103827] High CVE-2020-6548: Heap buffer overflow in Skia. Reported by Choongwoo Han, Microsoft Browser Vulnerability Research on 2020-07-09
  • [1105426] High CVE-2020-6549: Use after free in media. Reported by Sergei Glazunov of Google Project Zero on 2020-07-14
  • [1106682] High CVE-2020-6550: Use after free in IndexedDB. Reported by Sergei Glazunov of Google Project Zero on 2020-07-17
  • [1107815] High CVE-2020-6551: Use after free in WebXR. Reported by Sergei Glazunov of Google Project Zero on 2020-07-21
  • [1108518] High CVE-2020-6552: Use after free in Blink. Reported by Tim Becker of Theori on 2020-07-22
  • [1111307] High CVE-2020-6553: Use after free in offline mode. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-30
  • [1094235] Medium CVE-2020-6554: Use after free in extensions. Reported by Anonymous on 2020-06-12
  • [1105202] Medium CVE-2020-6555: Out of bounds read in WebGL. Reported by Marcin Towalski of Cisco Talos on 2020-07-13
CVE-2020-6542 CVE-2020-6543 CVE-2020-6544 CVE-2020-6545 CVE-2020-6546 CVE-2020-6547 CVE-2020-6548 CVE-2020-6549 CVE-2020-6550 CVE-2020-6551 CVE-2020-6552 CVE-2020-6553 CVE-2020-6554 CVE-2020-6555 https://chromereleases.googleblog.com/2020/08/stable-channel-update-for-desktop.html 2020-08-10 2020-08-11
puppetdb -- Multiple vulnerabilities puppetdb5 5.2.18

Puppetlabs reports:

In June 2020, jackson-databind published security updates addressing several CVEs. Previous releases of PuppetDB contain a vulnerable version of jackson.core:jackson-databind. PuppetDB 5.2.18 contains an updated version of jackson-databind that has patched the vulnerabilities.

https://puppet.com/security/cve/jackson-july-2020-security-fixes/ CVE-2020-9548 CVE-2020-14062 CVE-2020-14060 CVE-2020-14061 CVE-2020-14195 2020-07-23 2020-08-11
bftpd -- Multiple vulnerabilities bftpd 5.6

Bftpd project reports:

Bftpd is vulnerable to out of bounds memory access, file descriptor leak and a potential buffer overflow.

http://bftpd.sourceforge.net/news.html 2020-04-16 2020-08-10
trafficserver -- resource consumption trafficserver 8.0.8

Bryan Call reports:

ATS is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9494 CVE-2020-9494 2020-06-24 2020-07-02
Apache httpd -- Multiple vulnerabilities apache24 2.4.46 mod_http2 1.15.14

The Apache httpd projec reports:

  • mod_http2: Important: Push Diary Crash on Specifically Crafted HTTP/2 Header (CVE-2020-9490)
    A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards.
  • mod_proxy_uwsgi: Moderate: mod_proxy_uwsgi buffer overflow (CVE-2020-11984)
    info disclosure and possible RCE
  • mod_http2: Moderate: Push Diary Crash on Specifically Crafted HTTP/2 Header (CVE-2020-11993)
    When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools.
https://downloads.apache.org/httpd/CHANGES_2.4.46 https://httpd.apache.org/security/vulnerabilities_24.html CVE-2020-9490 CVE-2020-11984 CVE-2020-11993 2020-08-07 2020-08-08 2020-08-08
go -- encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs go 1.14.7,1

The Go project reports:

Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This could lead to processing more input than expected when the caller is reading directly from the network and depends on ReadUvarint and ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.

CVE-2020-16845 https://github.com/golang/go/issues/40618 2020-08-06 2020-08-06
Gitlab -- Multiple Vulnerabilities gitlab-ce 13.3.0

Gitlab reports:

Arbitrary File Read when Moving an Issue

Memory Exhaustion via Excessive Logging of Invite Email Error

Denial of Service Through Project Import Feature

User Controlled Git Configuration Settings Resulting in SSRF

Stored XSS in Issue Reference Number Tooltip

Stored XSS in Issues List via Milestone Title

Improper Access Control After Group Transfer

Bypass Email Verification Required for OAuth Flow

Confusion When Using Hexadecimal Branch Names

Insufficient OAuth Revocation

Improper Access Control for Project Sharing

Stored XSS in Jobs Page

Improper Access Control of Applications Page

SSRF into Shared Runner

Update Kramdown Gem

https://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/ CVE-2020-10977 CVE-2020-13280 CVE-2020-13281 CVE-2020-14001 2020-08-05 2020-08-06 2020-08-25
FreeBSD -- sendmsg(2) privilege escalation FreeBSD-kernel 12.112.1_8 11.411.4_2 11.311.3_12

Problem Description:

When handling a 32-bit sendmsg(2) call, the compat32 subsystem copies the control message to be transmitted (if any) into kernel memory, and adjusts alignment of control message headers. The code which performs this work contained a time-of-check to time-of-use (TOCTOU) vulnerability which allows a malicious userspace program to modify control message headers after they were validated by the kernel.

Impact:

The TOCTOU bug can be exploited by an unprivileged malicious userspace program to trigger privilege escalation.

CVE-2020-7460 SA-20:23.sendmsg 2020-08-05 2020-08-06
FreeBSD -- Potential memory corruption in USB network device drivers FreeBSD-kernel 12.112.1_8 11.411.4_2 11.311.3_12

Problem Description:

A missing length validation code common to these three drivers means that a malicious USB device could write beyond the end of an allocated network packet buffer.

Impact:

An attacker with physical access to a USB port and the ability to bring a network interface up may be able to use a specially crafted USB device to gain kernel or user-space code execution.

CVE-2020-7459 SA-20:21.usb_net 2020-08-05 2020-08-06
typo3 -- multiple vulnerabilities typo3-9-php72 typo3-9-php73 typo3-9-php74 9.5.20 typo3-10-php72 typo3-10-php73 typo3-10-php74 10.4.6

Typo3 Team reports:

In case an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php which again contains the encryptionKey as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, this allows to completely retrieve, manipulate or delete database contents. This includes creating an administration user account - which can be used to trigger remote code execution by injecting custom extensions.

It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains as described below.

https://typo3.org/article/typo3-1046-and-9520-security-releases-published https://typo3.org/security/advisory/typo3-core-sa-2020-007 https://typo3.org/security/advisory/typo3-core-sa-2020-008 CVE-2020-15098 CVE-2020-15099 2020-07-28 2020-08-04
xorg-server -- Pixel Data Uninitialized Memory Information Disclosure xorg-server 1.20.8_3,1 xephyr 1.20.8_3,1 xorg-vfbserver 1.20.8_3,1 xorg-nestserver 1.20.8_3,1 xwayland 1.20.8_3,1 xorg-dmx 1.20.8_3,1

The X.org project reports:

Allocation for pixmap data in AllocatePixmap() does not initialize the memory in xserver, it leads to leak uninitialize heap memory to clients. When the X server runs with elevated privileges.

This flaw can lead to ASLR bypass, which when combined with other flaws (known/unknown) could lead to lead to privilege elevation in the client.

https://lists.x.org/archives/xorg-announce/2020-July/003051.html CVE-2020-14347 2020-07-31 2020-08-01
libX11 -- Heap corruption in the X input method client in libX11 libX11 1.6.9_3,1

The X.org project reports:

The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method.

https://lists.x.org/archives/xorg-announce/2020-July/003050.html CVE-2020-14344 2020-07-31 2020-08-01
Python -- multiple vulnerabilities python38 3.8.5

Python reports:

bpo-41304: Fixes python3x._pth being ignored on Windows, caused by the fix for bpo-29778 (CVE-2020-15801).

bpo-39603: Prevent http header injection by rejecting control characters in http.client.putreques().

https://docs.python.org/3/whatsnew/changelog.html#python-3-8-5-final CVE-2020-15801 2020-02-11 2020-07-31
ark -- directory traversal ark 20.04.2_1 20.04.3

KDE Project Security Advisory reports:

KDE Project Security Advisory

Title: Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-16116
Versions: ark <= 20.04.3
Author: Elvis Angelaccio <elvis.angelaccio@kde.org>
Date: 30 July 2020

Overview

A maliciously crafted archive with "../" in the file paths would install files anywhere in the user's home directory upon extraction.

Proof of concept

For testing, an example of malicious archive can be found at https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip

Impact

Users can unwillingly install files like a modified .bashrc, or a malicious script placed in ~/.config/autostart

Workaround

Users should not use the 'Extract' context menu from the Dolphin file manager. Before extracting a downloaded archive using the Ark GUI, users should inspect it to make sure it doesn't contain entries with "../" in the file path.

Solution

Ark 20.08.0 prevents loading of malicious archives and shows a warning message to the users.

Alternatively, https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f can be applied to previous releases.

Credits

Thanks to Dominik Penner for finding and reporting this issue and thanks to Elvis Angelaccio and Albert Astals Cid for fixing it.

CVE-2020-16116 https://kde.org/info/security/advisory-20200730-1.txt 2020-07-30 2020-07-30
chromium -- multiple vulnerabilities chromium 84.0.4147.105

Chrome Releases reports:

This update contains 8 security fixes, including:

  • [1105318] High CVE-2020-6537: Type Confusion in V8. Reported by Alphalaab on 2020-07-14
  • [1096677] High CVE-2020-6538: Inappropriate implementation in WebView. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-18
  • [1104061] High CVE-2020-6532: Use after free in SCTP. Reported by Anonymous on 2020-07-09
  • [1105635] High CVE-2020-6539: Use after free in CSS. Reported by Oriol Brufau on 2020-07-14
  • [1105720] High CVE-2020-6540: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-07-15
  • [1106773] High CVE-2020-6541: Use after free in WebUSB. Reported by Sergei Glazunov of Google Project Zero on 2020-07-17
CVE-2020-6532 CVE-2020-6537 CVE-2020-6538 CVE-2020-6539 CVE-2020-6540 CVE-2020-6541 https://chromereleases.googleblog.com/2020/07/stable-channel-update-for-desktop_27.html 2020-07-27 2020-07-28
libsndfile -- out-of-bounds read memory access libsndfile 1.0.29.p.20200620

RedHat reports:

It was discovered the fix for CVE-2018-19758 was not complete and still allows a read beyond the limits of a buffer in wav_write_header() function in wav.c. A local attacker may use this flaw to make the application crash.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3832 2019-02-14 2020-07-28
FreeRDP -- Integer overflow in RDPEGFX channel freerdp 2.2.0

Bernhard Miklautz reports:

  • Integer overflow due to missing input sanitation in rdpegfx channel
  • All FreeRDP clients are affected
  • The input rectangles from the server are not checked against local surface coordinates and blindly accepted. A malicious server can send data that will crash the client later on (invalid length arguments to a memcpy)
https://www.freerdp.com/2020/07/20/2_2_0-released https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15103 CVE-2020-15103 2020-06-25 2020-07-28
zeek -- Various vulnerabilities zeek 3.0.8

Jon Siwek of Corelight reports:

This release fixes the following security issues:

  • Fix potential DNS analyzer stack overflow
  • Fix potential NetbiosSSN analyzer stack overflow
https://github.com/zeek/zeek/releases/tag/v3.0.8 2020-07-28 2020-07-28
Cacti -- multiple vulnerabilities cacti 1.2.13

Cacti developers reports:

Multiple fixes for bundled jQuery to prevent code exec (CVE-2020-11022, CVE-2020-11023).

PHPMail contains a escaping bug (CVE-2020-13625).

SQL Injection via color.php in Cacti (CVE-2020-14295).

https://www.cacti.net/release_notes.php?version=1.2.13 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13625 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14295 CVE-2020-11022 CVE-2020-11023 CVE-2020-13625 CVE-2020-14295 2020-07-15 2020-07-27
Wagtail -- XSS vulnerability py36-wagtail py37-wagtail py38-wagtail 2.8.02.9.3 2.7.4

GitHub Advisory Database:

When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django's standard form rendering helpers such as form.as_p (as directed in the documentation), any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

https://github.com/advisories/GHSA-2473-9hgq-j7xw CVE-2020-15118 2020-07-20 2020-07-24
pango -- buffer overflow pango 1.42.4_5

Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010238 https://nvd.nist.gov/vuln/detail/CVE-2019-1010238 CVE-2019-1010238 2019-07-19 2020-07-23 2020-09-26
Apache Tomcat -- Multiple Vulnerabilities tomcat7 7.0.105 tomcat85 8.5.57 tomcat9 9.0.37 tomcat-devel 10.0.0.M7

The Apache Software Foundation reports:

An h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

https://tomcat.apache.org/security-7.html https://tomcat.apache.org/security-8.html https://tomcat.apache.org/security-9.html https://tomcat.apache.org/security-10.html CVE-2020-11996 CVE-2020-13934 CVE-2020-13935 2020-07-05 2020-07-23 2020-07-23
Python -- multiple vulnerabilities python38 3.8.4

Python reports:

bpo-41162:Audit hooks are now cleared later during finalization to avoid missing events.

bpo-29778:Ensure python3.dll is loaded from correct locations when Python is embedded.

https://docs.python.org/3/whatsnew/changelog.html#python-3-8-4-final CVE-2020-15523 2020-06-29 2020-07-20
VirtualBox -- Multiple vulnerabilities virtualbox-ose 5.25.2.44 6.06.0.24 6.16.1.12

Oracle reports:

Vulnerabilities in VirtualBox core can allow users with logon access to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of these vulnerabilities can result in unauthorized access to critical data, access to all Oracle VM VirtualBox accessible data, unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) or takeover of Oracle VM VirtualBox.

https://www.oracle.com/security-alerts/cpujul2020.html CVE-2020-14628 CVE-2020-14629 CVE-2020-14646 CVE-2020-14647 CVE-2020-14648 CVE-2020-14649 CVE-2020-14650 CVE-2020-14673 CVE-2020-14674 CVE-2020-14675 CVE-2020-14676 CVE-2020-14677 CVE-2020-14694 CVE-2020-14695 CVE-2020-14698 CVE-2020-14699 CVE-2020-14700 CVE-2020-14703 CVE-2020-14704 CVE-2020-14707 CVE-2020-14711 CVE-2020-14712 CVE-2020-14713 CVE-2020-14714 CVE-2020-14715 2020-07-14 2020-07-19
clamav -- multiple vulnerabilities clamav 0.102.4,1

Micah Snyder reports:

CVE-2020-3350
Fixed a vulnerability a malicious user could exploit to replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (such as a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan and clamonacc.
CVE-2020-3327
Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS) condition. Improper bounds checking resulted in an out-of-bounds read that could cause a crash. The previous fix for this CVE in version 0.102.3 was incomplete. This fix correctly resolves the issue.
CVE-2020-3481
Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that could cause a denial-of-service (DoS) condition. Improper error handling could cause a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in affected versions.
https://blog.clamav.net/2020/07/clamav-01024-security-patch-released.html CVE-2020-3350 CVE-2020-3327 CVE-2020-3481 2020-07-16 2020-07-16
OpenEXR/ilmbase 2.5.2 -- patch release with various bug/security fixes ilmbase 2.5.2 openexr 2.5.2

Cary Phillips reports:

openexr 2.5.2 [is a p]atch release with various bug/security and build/install fixes:

  • Invalid input could cause a heap-use-after-free error in DeepScanLineInputFile::DeepScanLineInputFile()
  • Invalid chunkCount attributes could cause heap buffer overflow in getChunkOffsetTableSize()
  • Invalid tiled input file could cause invalid memory access TiledInputFile::TiledInputFile()
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.5.2 2020-05-18 2020-07-16
chromium -- multiple vulnerabilities chromium 84.0.4147.89

Chrome Releases reports:

This update contains 38 security fixes, including:

  • [1103195] Critical CVE-2020-6510: Heap buffer overflow in background fetch. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-07-08
  • [1074317] High CVE-2020-6511: Side-channel information leakage in content security policy. Reported by Mikhail Oblozhikhin on 2020-04-24
  • [1084820] High CVE-2020-6512: Type Confusion in V8. Reported by nocma, leogan, cheneyxu of WeChat Open Platform Security Team on 2020-05-20
  • [1091404] High CVE-2020-6513: Heap buffer overflow in PDFium. Reported by Aleksandar Nikolic of Cisco Talos on 2020-06-04
  • [1076703] High CVE-2020-6514: Inappropriate implementation in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-04-30
  • [1082755] High CVE-2020-6515: Use after free in tab strip. Reported by DDV_UA on 2020-05-14
  • [1092449] High CVE-2020-6516: Policy bypass in CORS. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-08
  • [1095560] High CVE-2020-6517: Heap buffer overflow in history. Reported by ZeKai Wu (@hellowuzekai) of Tencent Security Xuanwu Lab on 2020-06-16
  • [986051] Medium CVE-2020-6518: Use after free in developer tools. Reported by David Erceg on 2019-07-20
  • [1064676] Medium CVE-2020-6519: Policy bypass in CSP. Reported by Gal Weizman (@WeizmanGal) of PerimeterX on 2020-03-25
  • [1092274] Medium CVE-2020-6520: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-08
  • [1075734] Medium CVE-2020-6521: Side-channel information leakage in autofill. Reported by Xu Lin (University of Illinois at Chicago), Panagiotis Ilia (University of Illinois at Chicago), Jason Polakis (University of Illinois at Chicago) on 2020-04-27
  • [1052093] Medium CVE-2020-6522: Inappropriate implementation in external protocol handlers. Reported by Eric Lawrence of Microsoft on 2020-02-13
  • [1080481] Medium CVE-2020-6523: Out of bounds write in Skia. Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu Lab on 2020-05-08
  • [1081722] Medium CVE-2020-6524: Heap buffer overflow in WebAudio. Reported by Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University on 2020-05-12
  • [1091670] Medium CVE-2020-6525: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-05
  • [1074340] Low CVE-2020-6526: Inappropriate implementation in iframe sandbox. Reported by Jonathan Kingston on 2020-04-24
  • [992698] Low CVE-2020-6527: Insufficient policy enforcement in CSP. Reported by Zhong Zhaochen of andsecurity.cn on 2019-08-10
  • [1063690] Low CVE-2020-6528: Incorrect security UI in basic auth. Reported by Rayyan Bijoora on 2020-03-22
  • [978779] Low CVE-2020-6529: Inappropriate implementation in WebRTC. Reported by kaustubhvats7 on 2019-06-26
  • [1016278] Low CVE-2020-6530: Out of bounds memory access in developer tools. Reported by myvyang on 2019-10-21
  • [1042986] Low CVE-2020-6531: Side-channel information leakage in scroll to text. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-01-17
  • [1069964] Low CVE-2020-6533: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2020-04-11
  • [1072412] Low CVE-2020-6534: Heap buffer overflow in WebRTC. Reported by Anonymous on 2020-04-20
  • [1073409] Low CVE-2020-6535: Insufficient data validation in WebUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-04-22
  • [1080934] Low CVE-2020-6536: Incorrect security UI in PWAs. Reported by Zhiyang Zeng of Tencent security platform department on 2020-05-09
CVE-2020-6510 CVE-2020-6511 CVE-2020-6512 CVE-2020-6513 CVE-2020-6514 CVE-2020-6515 CVE-2020-6516 CVE-2020-6517 CVE-2020-6518 CVE-2020-6519 CVE-2020-6520 CVE-2020-6521 CVE-2020-6522 CVE-2020-6523 CVE-2020-6524 CVE-2020-6525 CVE-2020-6526 CVE-2020-6527 CVE-2020-6528 CVE-2020-6529 CVE-2020-6530 CVE-2020-6531 CVE-2020-6533 CVE-2020-6534 CVE-2020-6535 CVE-2020-6536 https://chromereleases.googleblog.com/2020/07/stable-channel-update-for-desktop.html 2020-07-14 2020-07-15
jenkins -- multiple vulnerabilities jenkins 2.245 jenkins-lts 2.235.2

Jenkins Security Advisory:

Description

(High) SECURITY-1868 / CVE-2020-2220

Stored XSS vulnerability in job build time trend

(High) SECURITY-1901 / CVE-2020-2221

Stored XSS vulnerability in upstream cause

(High) SECURITY-1902 / CVE-2020-2222

Stored XSS vulnerability in 'keep forever' badge icons

(High) SECURITY-1945 / CVE-2020-2223

Stored XSS vulnerability in console links

CVE-2020-2220 CVE-2020-2221 CVE-2020-2222 CVE-2020-2223 https://www.jenkins.io/security/advisory/2020-07-15/ 2020-07-15 2020-07-15
MySQL -- Multiple vulnerabilities mysql56-client 5.6.49 mysql56-server 5.6.49 mysql57-client 5.7.31 mysql57-server 5.7.31 mysql80-client 8.0.21 mysql80-server 8.0.21

Oracle reports:

This Critical Patch Update contains 40 new security patches for Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8.

This Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for July 2020, which will be released on Tuesday, July 14, 2020.

https://www.oracle.com/security-alerts/cpujul2020.html 2020-07-07 2020-07-11
FreeBSD -- IPv6 socket option race condition and use after free FreeBSD-kernel 12.112.1_7 11.411.4_1 11.311.3_11

Problem Description:

The IPV6_2292PKTOPTIONS set handler was missing synchronization, so racing accesses could modify freed memory.

Impact:

A malicious user application could trigger memory corruption, leading to privilege escalation.

CVE-2020-7457 SA-20:20.ipv6 2020-07-09 2020-07-10
FreeBSD -- posix_spawnp(3) buffer overflow FreeBSD 11.411.4_1

Problem Description:

posix_spawnp spawns a new thread with a limited stack allocated on the heap before delegating to execvp for the final execution within that thread.

execvp would previously make unbounded allocations on the stack, directly proportional to the length of the user-controlled PATH environment variable.

Impact:

Long values in the user-controlled PATH environment variable cause posix_spawnp to write beyond the end of stack that was allocated, ultimately overflowing the heap-allocated stack with a direct copy of the value stored in PATH.

CVE-2020-7458 SA-20:18.posix_spawnp 2020-07-09 2020-07-10
mybb -- multible vulnerabilities mybb 1.8.22

mybb Team reports:

High risk: Installer RCE on settings file write

Medium risk: Arbitrary upload paths and Local File Inclusion RCE

Medium risk: XSS via insufficient HTML sanitization of Blog feed and Extend data

Low risk: Open redirect on login

Low risk: SCEditor reflected XSS

https://blog.mybb.com/2019/12/30/mybb-1-8-22-released-security-maintenance-release/ 2019-12-30 2020-07-09
kramdown -- template option vulnerability rubygem-kramdown 2.3.0

kramdown news:

CVE-2020-14001 is addressed to avoid problems when using the {::options /} extension together with the 'template' option.

https://kramdown.gettalong.org/news.html CVE-2020-14001 2020-06-28 2020-07-08
Mbed TLS -- Side-channel attack on ECC key import and validation mbedtls 2.16.7

Manuel Pégourié-Gonnard reports:

The scalar multiplication function in Mbed TLS accepts a random number generator (RNG) as an optional argument and, if provided, uses it to protect against some attacks.

It is the caller's responsibility to provide a RNG if protection against side-channel attacks is desired; however two groups of functions in Mbed TLS itself fail to pass a RNG:

  1. mbedtls_pk_parse_key() and mbedtls_pk_parse_keyfile()
  2. mbedtls_ecp_check_pub_priv() and mbedtls_pk_check_pair()

When those functions are called, scalar multiplication is computed without randomisation, a number of old and new attacks apply, allowing a powerful local attacker to fully recover the private key.

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07 2020-07-01 2020-07-07
Gitlab -- Multiple Vulnerabilities gitlab-ce 13.1.013.1.3 13.0.013.0.9 012.10.14

Gitlab reports:

Workhorse bypass allows files in /tmp to be read via Maven Repository APIs

https://about.gitlab.com/releases/2020/07/06/critical-security-release-gitlab-13-1-3-released/ CVE-2020-15525 2020-07-06 2020-07-07
Python -- multiple vulnerabilities python37 3.7.8

Python reports:

The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.

Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.

https://docs.python.org/3.7/whatsnew/changelog.html#changelog CVE-2019-18348 CVE-2020-8492 2019-10-24 2020-07-06
samba -- Multiple Vulnerabilities samba410 4.10.17 samba411 4.11.11 samba412 4.12.4

The Samba Team reports:

Four vulnerabilities were fixed in samba:

  • CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC LDAP Server with ASQ, VLV and paged_results
  • CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU in the AD DC (only)
  • CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with paged_results and VLV
  • CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd
https://www.samba.org/samba/security/CVE-2020-10730.html https://www.samba.org/samba/security/CVE-2020-10745.html https://www.samba.org/samba/security/CVE-2020-10760.html https://www.samba.org/samba/security/CVE-2020-14303.html CVE-2020-10730 CVE-2020-10745 CVE-2020-10760 CVE-2020-14303 2020-07-02 2020-07-02
Anydesk -- Multiple Vulnerabilities anydesk 5.5.5

Anydesk reports:

AnyDesk before 5.5.3 on Linux and FreeBSD has a format string vulnerability that can be exploited for remote code execution.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13160 CVE-2020-13160 2020-06-10 2020-07-04
py-matrix-synapse -- multiple vulnerabilities py36-matrix-synapse py37-matrix-synapse py38-matrix-synapse 1.15.2

Matrix developers report:

Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.

  • A malicious homeserver could force Synapse to reset the state in a room to a small subset of the correct state. This affects all Synapse deployments which federate with untrusted servers.
  • HTML pages served via Synapse were vulnerable to clickjacking attacks. This predominantly affects homeservers with single-sign-on enabled, but all server administrators are encouraged to upgrade.
https://github.com/matrix-org/synapse/releases/tag/v1.15.2 2020-07-02 2020-07-03
dbus file descriptor leak dbus 1.12.18

GitHub Security Lab reports:

D-Bus has a file descriptor leak, which can lead to denial of service when the dbus-daemon runs out of file descriptors. An unprivileged local attacker can use this to attack the system dbus-daemon, leading to denial of service for all users of the machine.

https://gitlab.freedesktop.org/dbus/dbus/-/issues/294 https://www.openwall.com/lists/oss-security/2020/06/04/3 CVE-2020-12049 2020-04-09 2020-07-03
Gitlab -- Multiple Vulnerabilities gitlab-ce 13.1.013.1.2 13.0.013.0.8 012.10.13

Gitlab reports:

Missing Permission Check on Time Tracking

Cross-Site Scripting in PyPi Files API

Insecure Authorization Check on Private Project Security Dashboard

Cross-Site Scripting in References

Cross-Site Scripting in Group Names

Cross-Site Scripting in Blob Viewer

Cross-Site Scripting in Error Tracking

Insecure Authorisation Check on Creation and Deletion of Deploy Tokens

User Name Format Restiction Bypass

Denial of Service in Issue Comments

Cross-Site Scripting in Wiki Pages

Private Merge Request Updates Leaked via Todos

Private User Activity Leaked via API

Cross-Site Scripting in Bitbucket Import Feature

Github Project Restriction Bypass

Update PCRE Dependency

Update Kaminari Gem

Cross-Site Scripting in User Profile

Update Xterm.js

https://about.gitlab.com/releases/2020/07/01/security-release-13-1-2-release/ CVE-2020-14155 CVE-2020-11082 CVE-2019-0542 2020-07-01 2020-07-02
coturn -- information leakage coturn 4.5.1.3

Felix Dörre reports:

The issue is that STUN/TURN response buffer is not initialized properly. (CWE 665) This is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client.

https://github.com/coturn/coturn/commit/fdf7065d0f8e676feaf6734e86370f6dadfb8eec CVE-2020-4067 2020-06-30 2020-07-02
powerdns-recursor -- access restriction bypass powerdns-recursor 4.3.04.3.2 4.2.04.2.3 4.1.04.1.17

PowerDNS Team reports:

CVE-2020-14196: An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction. In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected.

https://doc.powerdns.com/recursor/security-advisories/index.html CVE-2020-14196 2020-07-01 2020-07-02
drupal -- Multiple Vulnerabilities drupal7 7.72

Drupal Security Team reports:

The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

https://www.drupal.org/sa-core-2020-004 2020-06-17 2020-07-01
xrdp -- Local users can perform a buffer overflow attack against the xrdp-sesman service and then inpersonate it xrdp 0.9.13.1,1

Ashley Newson reports:

The xrdp-sesman service can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350.

https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4044 CVE-2020-4044 2020-06-02 2020-06-30
MongoDB -- Ensure RoleGraph can serialize authentication restrictions to BSON mongodb36 3.6.18 mongodb40 4.0.15 mongodb42 4.2.3

reports:

Improper serialization of MongoDB Server's internal authorization state permits a user with valid credentials to bypass IP source address protection mechanisms following administrative action.

Credit
Discovered by Tony Yesudas.

CVE-2020-7921 2020-01-10 2020-06-29
libvorbis -- two vulnerabilities libvorbis 1.3.6_1,3

Two vulnerabilities were fixed in the upstream repository:

https://www.openwall.com/lists/oss-security/2017/09/21/2 CVE-2017-14160 https://gitlab.xiph.org/xiph/vorbis/-/issues/2335 CVE-2018-10392 2017-09-21 2020-06-28
PuTTY -- Release 0.74 fixes two security vulnerabilities putty 0.74 putty-gtk2 0.74 putty-nogtk 0.74

Simon Tatham reports:

[Release 0.74] fixes the following security issues:

  • New configuration option to disable PuTTY's default policy of changing its host key algorithm preferences to prefer keys it already knows. (There is a theoretical information leak in this policy.) [CVE-2020-14002]
  • In some situations an SSH server could cause PuTTY to access freed mdmory by pretending to accept an SSH key and then refusing the actual signature. It can only happen if you're using an SSH agent.
https://lists.tartarus.org/pipermail/putty-announce/2020/000030.html https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-dynamic-hostkey-info-leak.html https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/ CVE-2020-14002 https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-keylist-used-after-free.html 2020-06-27 2020-06-28
chromium -- multiple vulnerabilities chromium 83.0.4103.116

Chrome Releases reports:

This update includes 2 security fixes, including:

  • [1092308] High CVE-2020-6509: Use after free in extensions. Reported by Anonymous on 2020-06-08
CVE-2020-6509 https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_22.html 2020-06-22 2020-06-24
Machine-in-the-middle response injection attack when using STARTTLS with IMAP, POP3, and SMTP mutt 1.14.3

mutt 1.14.4 updates:

CVE-2020-14954 - Machine-in-the-middle response injection attack when using STARTTLS with IMAP, POP3, and SMTP

CVE-2020-14954 https://gitlab.com/muttmua/mutt/-/commit/c547433cdf2e79191b15c6932c57f1472bfb5ff4 2020-06-16 2020-06-24
IMAP fcc/postpone machine-in-the-middle attack mutt 1.14.2

mutt 1.14.3 updates:

CVE-2020-14093 - IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response.

https://github.com/muttmua/mutt/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01 CVE-2020-14093 2020-06-14 2020-06-24
curl -- multiple vulnerabilities curl 7.20.07.71.0

curl security problems:

CVE-2020-8169: Partial password leak over DNS on HTTP redirect

libcurl can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s).

libcurl can be given a username and password for HTTP authentication when requesting an HTTP resource - used for HTTP Authentication such as Basic, Digest, NTLM and similar. The credentials are set, either together with CURLOPT_USERPWD or separately with CURLOPT_USERNAME and CURLOPT_PASSWORD. Important detail: these strings are given to libcurl as plain C strings and they are not supposed to be URL encoded.

In addition, libcurl also allows the credentials to be set in the URL, using the standard RFC 3986 format: http://user:password@host/path. In this case, the name and password are URL encoded as that's how they appear in URLs.

If the options are set, they override the credentials set in the URL.

Internally, this is handled by storing the credentials in the "URL object" so that there is only a single set of credentials stored associated with this single URL.

When libcurl handles a relative redirect (as opposed to an absolute URL redirect) for an HTTP transfer, the server is only sending a new path to the client and that path is applied on to the existing URL. That "applying" of the relative path on top of an absolute URL is done by libcurl first generating a full absolute URL out of all the components it has, then it applies the redirect and finally it deconstructs the URL again into its separate components.

This security vulnerability originates in the fact that curl did not correctly URL encode the credential data when set using one of the curl_easy_setopt options described above. This made curl generate a badly formatted full URL when it would do a redirect and the final re-parsing of the URL would then go bad and wrongly consider a part of the password field to belong to the host name.

The wrong host name would then be used in a name resolve lookup, potentially leaking the host name + partial password in clear text over the network (if plain DNS was used) and in particular to the used DNS server(s).

CVE-2020-8177: curl overwrite local file with -J

curl can be tricked by a malicious server to overwrite a local file when using -J (--remote-header-name) and -i (--include) in the same command line.

The command line tool offers the -J option that saves a remote file using the file name present in the Content-Disposition: response header. curl then refuses to overwrite an existing local file using the same name, if one already exists in the current directory.

The -J flag is designed to save a response body, and so it doesn't work together with -i and there's logic that forbids it. However, the check is flawed and doesn't properly check for when the options are used in the reversed order: first using -J and then -i were mistakenly accepted.

The result of this mistake was that incoming HTTP headers could overwrite a local file if one existed, as the check to avoid the local file was done first when body data was received, and due to the mistake mentioned above, it could already have received and saved headers by that time.

The saved file would only get response headers added to it, as it would abort the saving when the first body byte arrives. A malicious server could however still be made to send back virtually anything as headers and curl would save them like this, until the first CRLF-CRLF sequence appears.

(Also note that -J needs to be used in combination with -O to have any effect.)

https://curl.haxx.se/docs/security.html https://curl.haxx.se/docs/CVE-2020-8169.html https://curl.haxx.se/docs/CVE-2020-8177.html CVE-2020-8169 CVE-2020-8177 2020-06-24 2020-06-24
CUPS -- memory corruption cups 2.3.3_1

Apple reports:

  • CVE-2019-8842: The ippReadIO function may under-read an extension.
  • CVE-2020-3898: The ppdOpen function did not handle invalid UI constraint. ppdcSource::get_resolution function did not handle invalid resolution strings. An application may be able to gain elevated privileges.
https://github.com/apple/cups/releases/tag/v2.3.3 https://support.apple.com/en-us/HT211100 CVE-2019-8842 CVE-2020-3898 2020-04-28 2020-06-24
Rails -- permission vulnerability rubygem-actionpack60 6.0.3.2

Ruby on Rails blog:

Rails 6.0.3.2 has been released! This version of Rails contains an important security patch, and you should upgrade! The release contains only one patch that addresses CVE-2020-8185.

https://weblog.rubyonrails.org/2020/6/17/Rails-6-0-3-2-has-been-released/ https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md https://groups.google.com/forum/#!topic/rubyonrails-security/pAe9EV8gbM0 CVE-2020-8185 2020-06-17 2020-06-22
vlc heap-based buffer overflow vlc 3.0.11,4

Thomas Guillem reports:

A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file.

https://nvd.nist.gov/vuln/detail/CVE-2020-13428 CVE-2020-13428 2020-05-27 2020-06-17
Several issues in Lynis lynis 2.0.02.7.5

lynis update:

This release resolves two security issues

https://github.com/CISOfy/lynis/blob/master/CHANGELOG.md#security-issues 2020-06-18 2020-06-18
BIND -- Remote Denial of Service vulnerability bind911 9.11.149.11.20 bind916 9.16.09.16.4

ISC reports:

The asterisk character ("*") is allowed in DNS zone files, where it is most commonly present as a wildcard at a terminal node of the Domain Name System graph. However, the RFCs do not require and BIND does not enforce that an asterisk character be present only at a terminal node.

A problem can occur when an asterisk is present in an empty non-terminal location within the DNS graph. If such a node exists, after a series of queries, named can reach an inconsistent state that results in the failure of an assertion check in rbtdb.c, followed by the program exiting due to the assertion failure.

CVE-2020-8619 https://kb.isc.org/docs/cve-2020-8619 2020-06-17 2020-06-18
BIND -- Remote Denial of Service vulnerability bind916 9.16.09.16.4

ISC reports:

An assertion check in BIND (that is meant to prevent going beyond the end of a buffer when processing incoming data) can be incorrectly triggered by a large response during zone transfer.

CVE-2020-8618 https://kb.isc.org/docs/cve-2020-8618 2020-06-17 2020-06-18
LibreOffice Security Advisory libreoffice 6.4.4

LibreOffice reports:

Two flaws were found in LibreOffice:

  • CVE-2020-12802: remote graphics contained in docx format retrieved in 'stealth mode'
  • CVE-2020-12803: XForms submissions could overwrite local files
https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12802 https://www.libreoffice.org/about-us/security/advisories/cve-2020-12803 CVE-2020-12802 CVE-2020-12803 2020-06-08 2020-06-12
several security issues in sqlite3 sqlite3 3.32.2,1 FreeBSD 12.112.1_8 11.411.4_2 11.311.3_12

sqlite3 update:

Various security issues could be used by an attacker to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code.

https://nvd.nist.gov/vuln/detail/CVE-2020-11655 CVE-2020-11655 https://nvd.nist.gov/vuln/detail/CVE-2020-13434 CVE-2020-13434 https://nvd.nist.gov/vuln/detail/CVE-2020-13435 CVE-2020-13435 https://nvd.nist.gov/vuln/detail/CVE-2020-13630 CVE-2020-13630 https://nvd.nist.gov/vuln/detail/CVE-2020-13631 CVE-2020-13631 https://nvd.nist.gov/vuln/detail/CVE-2020-13632 CVE-2020-13632 SA-20:22.sqlite 2020-05-25 2020-06-10 2020-08-06
Node.js -- June 2020 Security Releases node 14.4.0 node12 12.18.0 node10 10.21.0

Node.js reports:

Updates are now available for all supported Node.js release lines for the following issues.

TLS session reuse can lead to host certificate verification bypass (High) (CVE-2020-8172)

The 'session' event could be emitted before the 'secureConnect' event. It should not be, because the connection may fail to be authorized. If it was saved an authorized connection could be established later with the session ticket. Note that the https agent caches sessions, so is vulnerable to this.

The 'session' event will now only be emitted after the 'secureConnect' event, and only for authorized connections.

HTTP/2 Large Settings Frame DoS (Low) (CVE-2020-11080)

Receiving unreasonably large HTTP/2 SETTINGS frames can consume 100% CPU to process all the settings, blocking all other activities until complete.

The HTTP/2 session frame is limited to 32 settings by default. This can be configured if necessary using the maxSettings option.

napi_get_value_string_*() allows various kinds of memory corruption (High) (CVE-2020-8174)

Calling napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16() with a non-NULL buf, and a bufsize of 0 will cause the entire string value to be written to buf, probably overrunning the length of the buffer.

A exploit has not been reported and it may be difficult but the following is suggested:

  • All users of LTS Node.js versions should update to the versions announced in this security post. This will address the issue for any non pre-built add-on.
  • Maintainers who support EOL Node.js versions and/or build against a version of Node.js that did not support N-API internally should update to use the new versions of node-addon-api 1.x and 2.x that will be released soon after this announcement.

ICU-20958 Prevent SEGV_MAPERR in append (High) (CVE-2020-10531)

An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.

Fix was applied to 10.x in an abundance of caution, even though there is no known way to trigger the overflow in 10.x.

https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/ CVE-2020-8174 CVE-2020-8172 CVE-2020-10531 CVE-2020-11080 2020-06-02 2020-06-12
tcpreplay -- Multiple vulnerabilities tcpreplay 4.3.2

fklassen on Github reports:

This release fixes the following security issues:

  • memory access in do_checksum()
  • NULL pointer dereference get_layer4_v6()
  • NULL pointer dereference get_ipv6_l4proto()
https://github.com/appneta/tcpreplay/releases/tag/v4.3.2 CVE-2019-8381 CVE-2019-8376 CVE-2019-8377 2019-03-12 2020-06-11
znc -- Authenticated users can trigger an application crash znc 1.8.01.8.1

Mitre reports:

ZNC 1.8.0 up to 1.8.1-rc1 allows attackers to trigger an application crash (with a NULL pointer dereference) if echo-message is not enabled and there is no network.

CVE-2020-13775 https://wiki.znc.in/ChangeLog/1.8.1 2020-06-02 2020-06-10
NPM -- Multiple vulnerabilities npm 6.13.4

NPM reports:

Global node_modules Binary Overwrite

Symlink reference outside of node_modules

Arbitrary File Write

https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/ CVE-2019-16775 CVE-2019-16776 CVE-2019-16777 2019-12-18 2020-06-10
libadplug -- Various vulnerabilities libadplug 2.3.3

Malvineous on Github reports:

This release fixes the following security issues:

  • buffer overflow in .bmf
  • buffer overflow in .dtm
  • buffer overflow in .mkj
  • buffer overflow in .a2m
  • buffer overflow in .rad
  • buffer overflow in .mtk
  • double free and OOB reads in .u6m
https://github.com/adplug/adplug/releases/tag/adplug-2.3.3 CVE-2019-14690 CVE-2019-14691 CVE-2019-14692 CVE-2019-14732 CVE-2019-14733 CVE-2019-14734 CVE-2019-15151 2020-06-08 2020-06-10
zeek -- Various vulnerabilities zeek 3.0.7

Jon Siwek of Corelight reports:

This release fixes the following security issues:

  • Fix potential stack overflow in NVT analyzer
  • Fix NVT analyzer memory leak from multiple telnet authn name options
  • Fix multiple content-transfer-encoding headers causing a memory leak
  • Fix potential leak of Analyzers added to tree during Analyzer::Done
  • Prevent IP fragment reassembly on packets without minimal IP header
https://raw.githubusercontent.com/zeek/zeek/v3.0.7/NEWS 2020-05-04 2020-06-10
Flash Player -- arbitrary code execution linux-flashplayer 32.0.0.387

Adobe reports:

  • This update resolves a use-after-free vulnerability that could lead to arbitrary code execution (CVE-2020-9633).
CVE-2020-9633 https://helpx.adobe.com/security/products/flash-player/apsb20-30.html 2020-06-09 2020-06-09
FreeBSD -- USB HID descriptor parsing error FreeBSD-kernel 12.112.1_6 11.311.3_10

Problem Description:

If the push/pop level of the USB HID state is not restored within the processing of the same HID item, an invalid memory location may be used for subsequent HID item processing.

Impact:

An attacker with physical access to a USB port may be able to use a specially crafted USB device to gain kernel or user-space code execution.

CVE-2020-7456 SA-20:17.usb 2020-06-03 2020-06-09
FreeRDP -- multiple vulnerabilities freerdp 2.1.1

The FreeRDP changelog reports 14 CVEs addressed after 2.0.0-rc4

https://github.com/FreeRDP/FreeRDP/blob/2.1.1/ChangeLog CVE-2020-11521 CVE-2020-11522 CVE-2020-11523 CVE-2020-11524 CVE-2020-11525 CVE-2020-11526 CVE-2020-11039 CVE-2020-11038 CVE-2020-11043 CVE-2020-11040 CVE-2020-11041 CVE-2020-11019 CVE-2020-11017 CVE-2020-11018 2020-04-10 2020-05-28
chromium -- multiple vulnerabilities chromium 83.0.4103.97

Chrome Releases reports:

This update includes 5 security fixes. Below, we highlight fixes that were contributed by external researchers.

  • [1082105] High CVE-2020-6493: Use after free in WebAuthentication. Reported by Anonymous on 2020-05-13
  • [1083972] High CVE-2020-6494: Incorrect security UI in payments. Reported by Juho Nurminen on 2020-05-18
  • [1072116] High CVE-2020-6495: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-04-18
  • [1085990] High CVE-2020-6496: Use after free in payments. Reported by Khalil Zhani on 2020-05-24
CVE-2020-6493 CVE-2020-6494 CVE-2020-6495 CVE-2020-6496 https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop.html 2020-06-03 2020-06-05
Gitlab -- Multiple Vulnerabilities gitlab-ce 13.0.013.0.4 12.10.012.10.9 10.6.012.9.9

Gitlab reports:

CI Token Access Control

https://about.gitlab.com/releases/2020/06/03/critical-security-release-13-0-4-released/ 2020-06-03 2020-06-04
Django -- multiple vulnerabilities py36-django22 py37-django22 py38-django22 2.2.13 py36-django30 py37-django30 py38-django30 3.0.7

Django security release reports:

CVE-2020-13254: Potential data leakage via malformed memcached keys

In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.

CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget

Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.

https://www.djangoproject.com/weblog/2020/jun/03/security-releases/ CVE-2020-13254 CVE-2020-13596 2020-06-01 2020-06-04
malicious URLs may present credentials to wrong server git 2.26.02.26.1 2.25.02.25.3 2.24.02.24.2 2.23.02.23.2 2.22.02.22.3 2.21.02.21.2 2.20.02.20.3 2.19.02.19.4 2.18.02.18.3 02.17.4 git-lite 2.26.02.26.1 2.25.02.25.3 2.24.02.24.2 2.23.02.23.2 2.22.02.22.3 2.21.02.21.2 2.20.02.20.3 2.19.02.19.4 2.18.02.18.3 02.17.4 git-gui 2.26.02.26.1 2.25.02.25.3 2.24.02.24.2 2.23.02.23.2 2.22.02.22.3 2.21.02.21.2 2.20.02.20.3 2.19.02.19.4 2.18.02.18.3 02.17.4

git security advisory reports:

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server for an HTTP request being made to another server, resulting in credentials for the former being sent to the latter.

https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q CVE-2020-5260 2020-04-14 2020-04-22
malicious URLs can cause git to send a stored credential to wrong server git 2.26.02.26.2 2.25.02.25.4 2.24.02.24.3 2.23.02.23.3 2.22.02.22.4 2.21.02.21.3 2.20.02.20.4 2.19.02.19.5 2.18.02.18.4 02.17.5 git-lite 2.26.02.26.2 2.25.02.25.4 2.24.02.24.3 2.23.02.23.3 2.22.02.22.4 2.21.02.21.3 2.20.02.20.4 2.19.02.19.5 2.18.02.18.4 02.17.5 git-gui 2.26.02.26.2 2.25.02.25.4 2.24.02.24.3 2.23.02.23.3 2.22.02.22.4 2.21.02.21.3 2.20.02.20.4 2.19.02.19.5 2.18.02.18.4 02.17.5

git security advisory reports:

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching any URL, and will return some unspecified stored password, leaking the password to an attacker's server.

https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7 CVE-2020-11008 2020-04-20 2020-04-22
GnuTLS -- flaw in TLS session ticket key construction gnutls 3.6.14

The GnuTLS project reports:

It was found that GnuTLS 3.6.4 introduced a regression in the TLS protocol implementation. This caused the TLS server to not securely construct a session ticket encryption key considering the application supplied secret, allowing a MitM attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2.

https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03 CVE-2020-13777 2020-06-03 2020-06-04
websocket-extensions -- ReDoS vulnerability rubygem-websocket-extensions 0.1.5

Changelog:

Remove a ReDoS vulnerability in the header parser (CVE-2020-7663)

https://github.com/faye/websocket-extensions-ruby/blob/master/CHANGELOG.md https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b CVE-2020-7663 2020-06-02 2020-06-03
nghttp2 -- DoS vulnerability nghttp2 libnghttp2 1.41.0

nghttp2 security advisories:

The overly large HTTP/2 SETTINGS frame payload causes denial of service.

The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr CVE-2020-11080 2020-06-02 2020-06-03
gitea -- multiple vulnerabilities gitea 1.11.6

The Gitea Team reports for release 1.11.6:

  • Fix missing authorization check on pull for public repos of private/limited org (#11656) (#11683)
  • Use session for retrieving org teams (#11438) (#11439)
https://github.com/go-gitea/gitea/releases/tag/v1.11.6 ports/246892 2020-03-01 2020-05-31
kaminari -- potential XSS vulnerability rubygem-kaminari-core 1.2.1

Kaminari Security Advisories:

There was a vulnerability in versions of Kaminari that would allow an attacker to inject arbitrary code into pages with pagination links.

The 1.2.1 gem including the patch has already been released.

All past released versions are affected by this vulnerability.

https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433 https://github.com/kaminari/kaminari/blob/master/CHANGELOG.md#121 https://github.com/kaminari/kaminari/pull/1020 CVE-2020-11082 2020-04-22 2020-05-28
Sane -- Multiple Vulnerabilities sane-backends 1.0.30

The Sane Project reports:

epson2: fixes CVE-2020-12867 (GHSL-2020-075) and several memory management issues found while addressing that CVE

epsonds: addresses out-of-bound memory access issues to fix CVE-2020-12862 (GHSL-2020-082) and CVE-2020-12863 (GHSL-2020-083), addresses a buffer overflow fixing CVE-2020-12865 (GHSL-2020-084) and disables network autodiscovery to mitigate CVE-2020-12866 (GHSL-2020-079), CVE-2020-12861 (GHSL-2020-080) and CVE-2020-12864 (GHSL-2020-081). Note that this backend does not support network scanners to begin with.

magicolor: fixes a floating point exception and uninitialized data read

fixes an overflow in sanei_tcp_read()

https://gitlab.com/sane-project/backends/-/releases/1.0.30 CVE-2020-12861 CVE-2020-12862 CVE-2020-12863 CVE-2020-12864 CVE-2020-12865 CVE-2020-12866 CVE-2020-12867 2020-05-17 2020-05-28
Gitlab -- Multiple Vulnerabilities gitlab-ce 13.0.013.0.1 12.10.012.10.7 12.9.012.9.8

Gitlab reports:

User Email Verification Bypass

OAuth Flow Missing Email Verification Checks

Notification Email Verification Bypass

Undisclosed Vulnerability on a Third-Party Rendering Engine

Group Sign-Up Restriction Bypass

Mirror Project Owner Impersonation

Missing Permission Check on Fork Relation Creation

Cross-Site Scripting in Repository Files API

Kubernetes Cluster Token Disclosure

Object Storage File Enumeration

Insecure Authorization Check on Project Deploy Keys

Cross-Site Scripting on Metrics Dashboard

Denial of Service on Custom Dashboards

Client-Side Code Injection through Mermaid Markup

Cross-Site Scripting on Static Site Editor

Disclosure of Amazon EKS Credentials

Denial of Service on Workhorse

https://about.gitlab.com/releases/2020/05/27/security-release-13-0-1-released/ 2020-05-27 2020-05-28
sympa -- Denial of service caused by malformed CSRF token sympa 6.2.54

Javier Moreno discovered a vulnerability in Sympa web interface that can cause denial of service (DoS) attack.

By submitting requests with malformed parameters, this flaw allows to create junk files in Sympa's directory for temporary files. And particularly by tampering token to prevent CSRF, it allows to originate exessive notification messages to listmasters.

CVE-2020-9369 https://sympa-community.github.io/security/2020-001.html 2020-02-24 2020-05-22
sympa - Security flaws in setuid wrappers sympa 6.2.56

A vulnerability has been discovered in Sympa web interface by which attacker can execute arbitrary code with root privileges. Sympa uses two sorts of setuid wrappers:

The FastCGI wrappers wwsympa-wrapper.fcgi and sympa_soap_server-wrapper.fcgi were used to make the web interface running under privileges of a dedicated user.

The newaliases wrapper (sympa_newaliases-wrapper) allows Sympa to update the alias database with root privileges.

Since these setuid wrappers did not clear environment variables, if environment variables like PERL5LIB were injected, forged code might be loaded and executed under privileges of setuid-ed users.

https://sympa-community.github.io/security/2020-002.html 2020-05-24 2020-05-26
powerdns-recursor -- multiple vulnerabilities powerdns-recursor 4.3.04.3.1 4.2.04.2.2 4.1.04.1.16

PowerDNS Team reports:

CVE-2020-10995: An issue in the DNS protocol has been found that allow malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack uses a crafted reply by an authoritative name server to amplify the resulting traffic between the recursive and other authoritative name servers. Both types of service can suffer degraded performance as an effect.

CVE-2020-12244: An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer. This would allow an attacker in position of man-in-the-middle to send a NXDOMAIN answer for a name that does exist, bypassing DNSSEC validation.

CVE-2020-10030: An issue has been found in PowerDNS Authoritative Server allowing an attacker with enough privileges to change the system's hostname to cause disclosure of uninitialized memory content via a stack-based out-of-bounds read. It only occurs on systems where gethostname() does not null-terminate the returned string if the hostname is larger than the supplied buffer. Linux systems are not affected because the buffer is always large enough. OpenBSD systems are not affected because the returned hostname is always null-terminated. Under some conditions this issue can lead to the writing of one null-byte out-of-bounds on the stack, causing a denial of service or possibly arbitrary code execution.

https://doc.powerdns.com/recursor/security-advisories/index.html CVE-2020-10995 CVE-2020-12244 CVE-2020-10030 2020-05-19 2020-05-26 2020-05-29
chromium -- multiple vulnerabilities chromium 83.0.4103.61

Google Chrome Releases reports:

This release includes 38 security fixes, including CVEs CVE-2020-6465 through CVE-2020-6491.

CVE-2020-6465 CVE-2020-6466 CVE-2020-6467 CVE-2020-6468 CVE-2020-6469 CVE-2020-6470 CVE-2020-6471 CVE-2020-6472 CVE-2020-6473 CVE-2020-6474 CVE-2020-6475 CVE-2020-6476 CVE-2020-6477 CVE-2020-6478 CVE-2020-6479 CVE-2020-6480 CVE-2020-6481 CVE-2020-6482 CVE-2020-6483 CVE-2020-6484 CVE-2020-6485 CVE-2020-6486 CVE-2020-6487 CVE-2020-6488 CVE-2020-6489 CVE-2020-6490 CVE-2020-6491 https://chromereleases.googleblog.com/2020/05/stable-channel-update-for-desktop_19.html 2020-05-19 2020-05-24
piwigo -- Multible Vulnerabilities piwigo 2.10.2

Piwigo reports:

Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-8089 CVE-2020-8089 2020-02-07 2020-05-23
Apache Tomcat Remote Code Execution via session persistence tomcat7 7.0.104 tomcat85 8.5.55 tomcat9 9.0.35 tomcat-devel 10.0.0.M5

The Apache Software Foundation reports:

Under certain circumstances an attacker will be able to trigger remote code execution via deserialization of the file under their control

http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-8.html http://tomcat.apache.org/security-9.html http://tomcat.apache.org/security-10.html CVE-2020-9484 2020-05-12 2020-05-22
unbound -- mutliple vulnerabilities unbound 1.10.1 FreeBSD 12.112.1_7 11.411.4_1 11.311.3_11

NLNetLabs reports:

This release fixes CVE-2020-12662 and CVE-2020-12663.

Bug Fixes:

  • CVE-2020-12662 Unbound can be tricked into amplifying an incoming query into a large number of queries directed to a target.
  • CVE-2020-12663 Malformed answers from upstream name servers can be used to make Unbound unresponsive.
https://lists.nlnetlabs.nl/pipermail/unbound-users/2020-May/006833.html CVE-2020-12662 CVE-2020-12663 SA-20:19.unbound 2020-05-19 2020-05-22 2020-07-10
drupal -- Multiple Vulnerabilities drupal7 7.70 drupal8 8.8.6

Drupal Security Team reports:

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are: ... Security issues in jQuerys DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub.

Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function.

https://www.drupal.org/sa-core-2020-002 https://www.drupal.org/sa-core-2020-003 2020-05-20 2020-05-22
Zabbix -- Remote code execution zabbix3-server zabbix3-proxy 3.0.31

Zabbix reports:

Fixed security vulnerability cve-2020-11800 (remote code execution). (ZBX-17600)

CVE-2020-11800 https://www.zabbix.com/rn/rn3.0.31 https://support.zabbix.com/browse/ZBX-17600 2020-04-15 2020-05-20
Rails -- multiple vulnerabilities rubygem-actionpack52 rubygem-actionview52 rubygem-activestorage52 rubygem-activesupport52 5.2.4.3 rubygem-actionpack60 rubygem-actionview60 rubygem-activestorage60 rubygem-activesupport60 6.0.3.1

Ruby on Rails blog:

Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.

Both releases contain the following fixes:

CVE-2020-8162: Circumvention of file size limits in ActiveStorage

CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack

CVE-2020-8165: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

CVE-2020-8166: Ability to forge per-form CSRF tokens given a global CSRF token

CVE-2020-8167: CSRF Vulnerability in rails-ujs

https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/ https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0 CVE-2020-8162 CVE-2020-8164 CVE-2020-8165 CVE-2020-8166 CVE-2020-8167 2020-05-18 2020-05-19
Dovecot -- Multiple vulnerabilities dovecot 2.3.10.1

Aki Tuomi reports:

Vulnerability Details: Sending malformed NOOP command causes crash in submission, submission-login or lmtp service. Risk: Remote attacker can keep submission-login service down, causing denial of service attack. For lmtp the risk is neglible, as lmtp is usually behind a trusted MTA. Steps to reproduce: Send ``NOOP EE"FY`` to submission port, or similarly malformed command.

Vulnerability Details: Sending command followed by sufficient number of newlines triggers a use-after-free bug that might crash submission-login, submission or lmtp service. Risk: Remote attacker can keep submission-login service down, causing denial of service attack. For lmtp the risk is neglible, as lmtp is usually behind a trusted MTA. Steps to reproduce: This can be currently reproduced with ASAN or Valgrind. Reliable way to crash has not yet been discovered.

Vulnerability Details: Sending mail with empty quoted localpart causes submission or lmtp component to crash. Risk: Malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad sender or recipient address. Steps to reproduce: Send mail with envelope sender or recipient as <""@example.org>. Workaround: For submission there is no workaround, but triggering the bug requires valid credentials. For lmtp, one can implement sufficient filtering on MTA level to prevent mails with such addresses from ending up in LMTP delivery.

https://dovecot.org/pipermail/dovecot-news/2020-May/000438.html CVE-2020-10957 CVE-2020-10958 CVE-2020-10967 2020-04-02 2020-05-18
clamav -- multiple vulnerabilities clamav 0.102.3,1

Micah Snyder reports:

CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.2 that could cause a denial-of-service condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ parsing vulnerability.

CVE-2020-3341: Fixed a vulnerability in the PDF-parsing module in ClamAV 0.101 - 0.102.2 that could cause a denial-of-service condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read, which may cause a crash. OSS-Fuzz discovered this vulnerability.

https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html CVE-2020-3327 CVE-2020-3341 2020-05-12 2020-05-14
Rails -- remote code execution vulnerability rubygem-actionview4 4.2.11.2

Ruby on Rails blog:

Due to an unfortunate oversight, Rails 4.2.11.2 has a missing constant error. To address this Rails 4.2.11.3 has been released.

The original announcement for CVE-2020-8163 has a follow-up message with an updated patch if you’re unable to use the gems.

https://weblog.rubyonrails.org/2020/5/16/rails-4-2-11-3-has-been-released/ https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0 CVE-2020-8163 2020-05-15 2020-05-16
salt -- multiple vulnerabilities in salt-master process py27-salt py32-salt py33-salt py34-salt py35-salt py36-salt py37-salt py38-salt 2019.2.4 30003000.2

F-Secure reports:

CVE-2020-11651 - Authentication bypass vulnerabilities

The ClearFuncs class processes unauthenticated requests and unintentionally exposes the _send_pub() method, which can be used to queue messages directly on the master publish server. Such messages can be used to trigger minions to run arbitrary commands as root.

The ClearFuncs class also exposes the method _prep_auth_info(), which returns the "root key" used to authenticate commands from the local root user on the master server. This "root key" can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master.

CVE-2020-11652 - Directory traversal vulnerabilities

The wheel module contains commands used to read and write files under specific directory paths. The inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction.

The get_token() method of the salt.tokens.localfs class (which is exposed to unauthenticated requests by the ClearFuncs class) fails to sanitize the token input parameter which is then used as a filename, allowing insertion of ".." path elements and thus reading of files outside of the intended directory. The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().

CVE-2020-11651 CVE-2020-11652 https://nvd.nist.gov/vuln/detail/CVE-2020-11651 https://nvd.nist.gov/vuln/detail/CVE-2020-11652 https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html https://labs.f-secure.com/advisories/saltstack-authorization-bypass https://blog.f-secure.com/new-vulnerabilities-make-exposed-salt-hosts-easy-targets/ https://www.tenable.com/blog/cve-2020-11651-cve-2020-11652-critical-salt-framework-vulnerabilities-exploited-in-the-wild 2020-04-30 2020-05-16
json-c -- integer overflow and out-of-bounds write via a large JSON file json-c 0.14

Tobias Stöckmann reports:

I have discovered a way to trigger an out of boundary write while parsing a huge json file through a malicious input source. It can be triggered if an attacker has control over the input stream or if a huge load during filesystem operations can be triggered.

https://github.com/json-c/json-c/pull/592 https://github.com/json-c/json-c/pull/599 CVE-2020-12762 2020-05-02 2020-05-14 2020-05-17
typo3 -- multiple vulnerabilities typo3-9-php72 typo3-9-php73 typo3-9-php74 9.5.17 typo3-10-php72 typo3-10-php73 typo3-10-php74 10.4.2

Typo3 News:

CVE-2020-11063: TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset

It has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to verify whether a backend user account with a given email address exists or not.

CVE-2020-11064: TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine

It has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.

CVE-2020-11065: TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling

It has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting - properties being assigned as HTML attributes have not been parsed correctly.

CVE-2020-11066: TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized

Calling unserialize() on malicious user-submitted content can result in the following scenarios:

- trigger deletion of arbitrary directory in file system (if writable for web server)

- trigger message submission via email using identity of web site (mail relay)

Another insecure deserialization vulnerability is required to actually exploit mentioned aspects.

CVE-2020-11067: TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings

It has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of 3rd party components this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability.

CVE-2020-11069: TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface

It has been discovered that the backend user interface and install tool are vulnerable to same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server - scripts are then executed with the privileges of the victims’ user session.

In a worst case scenario new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it’ actually a same-site request forgery (SSRF).

Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a 3rd party extension - e.g. file upload in a contact form with knowing the target location.

The attacked victim requires an active and valid backend or install tool user session at the time of the attack to be successful.

https://typo3.org/article/typo3-1042-and-9517-security-releases-published https://get.typo3.org/release-notes/9.5.17 https://get.typo3.org/release-notes/10.4.2 https://typo3.org/security/advisory/typo3-core-sa-2020-001 https://typo3.org/security/advisory/typo3-core-sa-2020-002 https://typo3.org/security/advisory/typo3-core-sa-2020-003 https://typo3.org/security/advisory/typo3-core-sa-2020-004 https://typo3.org/security/advisory/typo3-core-sa-2020-005 https://typo3.org/security/advisory/typo3-core-sa-2020-006 CVE-2020-11063 CVE-2020-11064 CVE-2020-11065 CVE-2020-11066 CVE-2020-11067 CVE-2020-11069 2020-05-12 2020-05-13
FreeBSD -- Insufficient cryptodev MAC key length check FreeBSD-kernel 12.112.1_5

Problem Description:

Requests to create cryptography sessions using a MAC did not validate the user-supplied MAC key length. The cryptodev module allocates a buffer whose size is this user-suppled length.

Impact:

An unprivileged process can trigger a kernel panic.

CVE-2019-15879 SA-20:15.cryptodev 2020-01-20 2020-05-12
FreeBSD -- Use after free in cryptodev module FreeBSD-kernel 12.112.1_5 11.311.3_9

Problem Description:

A race condition permitted a data structure in the kernel to be used after it was freed by the cryptodev module.

Impact:

An unprivileged process can overwrite arbitrary kernel memory.

CVE-2019-15879 SA-20:15.cryptodev 2020-01-20 2020-05-12
FreeBSD -- Improper checking in SCTP-AUTH shared key update FreeBSD-kernel 11.311.3_9

Problem Description:

The SCTP layer does improper checking when an application tries to update a shared key. Therefore an unprivileged local user can trigger a use-after- free situation, for example by specific sequences of updating shared keys and closing the SCTP association.

Impact:

Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic.

CVE-2019-15878 SA-20:14.sctp 2019-09-19 2020-05-12
FreeBSD -- Memory disclosure vulnerability in libalias FreeBSD-kernel 12.112.1_5 11.411.4_1 11.311.3_9

Problem Description:

The FTP packet handler in libalias incorrectly calculates some packet lengths. This may result in disclosing small amounts of memory from the kernel (for the in-kernel NAT implementation) or from the process space for natd (for the userspace implementation).

Impact:

A malicious attacker could send specially constructed packets that exploit the erroneous calculation allowing the attacker to disclose small amount of memory either from the kernel (for the in-kernel NAT implementation) or from the process space for natd (for the userspace implementation).

CVE-2020-7455 SA-20:13.libalias 2020-05-12 2020-05-12
FreeBSD -- Insufficient packet length validation in libalias FreeBSD-kernel 12.112.1_5 11.411.4_1 11.311.3_9

Problem Description:

libalias(3) packet handlers do not properly validate the packet length before accessing the protocol headers. As a result, if a libalias(3) module does not properly validate the packet length before accessing the protocol header, it is possible for an out of bound read or write condition to occur.

Impact:

A malicious attacker could send specially constructed packets that exploit the lack of validation allowing the attacker to read or write memory either from the kernel (for the in-kernel NAT implementation) or from the process space for natd (for the userspace implementation).

CVE-2020-7454 SA-20:12.libalias 2020-05-12 2020-05-12
qutebrowser -- Reloading page with certificate errors shows a green URL qutebrowser 1.11.1

Qutebrowser developers report:

After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false which is not recommended), this could still provide a false sense of security.

https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j https://github.com/qutebrowser/qutebrowser/issues/5403 CVE-2020-11054 2020-05-02 2020-05-09
Python -- CRLF injection via the host part of the url passed to urlopen() python27 2.7.18 python38 3.8.3 python37 3.7.7 python36 3.6.10 python35 3.5.9_4

Python reports:

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348 https://bugs.python.org/issue38576 CVE-2019-18348 2019-10-24 2020-05-09 2020-06-13
glpi -- stored XSS glpi 9.4.3,1

MITRE Corporation reports:

inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture.

https://github.com/glpi-project/glpi/commit/c2aa7a7cd6af28be3809acc7e7842d2d2008c0fb https://www.synacktiv.com/ressources/advisories/GLPI_9.4.0_stored_XSS.pdf https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13239 CVE-2019-13239 2019-02-25 2020-05-09 2024-04-25
zeek -- Various vulnerabilities zeek 3.0.6

Jon Siwek of Corelight reports:

This release fixes the following security issues:

  • Fix buffer over-read in Ident analyzer
  • Fix SSL scripting error leading to uninitialized field access and memory leak
  • Fix POP3 analyzer global buffer over-read
  • Fix potential stack overflows due to use of Variable-Length-Arrays
https://raw.githubusercontent.com/zeek/zeek/v3.0.6/NEWS 2020-05-06 2020-05-06
Wagtail -- potential timing attack vulnerability py35-wagtail py36-wagtail py37-wagtail py38-wagtail 2.7.3 2.82.8.2

Wagtail release notes:

CVE-2020-11037: Potential timing attack on password-protected private pages

This release addresses a potential timing attack on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. (This is understood to be feasible on a local network, but not on the public internet.)

https://docs.wagtail.io/en/latest/releases/2.8.2.html https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6 CVE-2020-11037 2020-05-04 2020-05-05
mailman -- arbitrary content injection vulnerability via options or private archive login pages mailman 2.1.30_4 2.1.312.1.33 mailman-with-htdig 2.1.30_4 2.1.312.1.33

Mark Sapiro reports:

A content injection vulnerability via the options login page has been discovered and reported by Vishal Singh.

An issue similar to CVE-2018-13796 exists at different endpoint & param. It can lead to a phishing attack.

(added 2020-05-07) This is essentially the same as https://bugs.launchpad.net/mailman/+bug/1873722 except the vector is the private archive login page and the attack only succeeds if the list's roster visibility (private_roster) setting is 'Anyone'.

https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1845/NEWS#L8 https://bugs.launchpad.net/mailman/+bug/1873722 https://bugs.launchpad.net/mailman/+bug/1877379 https://mail.python.org/archives/list/mailman-developers@python.org/thread/SYBIZ3MNSQZLKN6PVKO7ZKR7QMOBMS45/ CVE-2018-13796 2020-04-20 2020-05-07
cacti -- XSS exposure cacti 1.2.12

Cacti developer reports:

Lack of escaping of color items can lead to XSS exposure.

https://sourceforge.net/p/cacti/mailman/message/37000502/ https://github.com/Cacti/cacti/blob/release/1.2.12/CHANGELOG CVE-2020-7106 ports/246164 2020-04-16 2020-05-04
Squid -- multiple vulnerabilities squid 4.10

The Squid developers reports:

Improper Input Validation issues in HTTP Request processing (CVE-2020-8449, CVE-2020-8450).

Information Disclosure issue in FTP Gateway (CVE-2019-12528).

Buffer Overflow issue in ext_lm_group_acl helper (CVE-2020-8517).

http://lists.squid-cache.org/pipermail/squid-announce/2020-February/000107.html https://nvd.nist.gov/vuln/detail/CVE-2020-8449 https://nvd.nist.gov/vuln/detail/CVE-2020-8450 https://nvd.nist.gov/vuln/detail/CVE-2019-12528 https://nvd.nist.gov/vuln/detail/CVE-2020-8517 CVE-2020-8449 CVE-2020-8450 CVE-2019-12528 CVE-2020-8517 ports/244026 2020-02-10 2020-04-07
taglib -- heap-based buffer over-read via a crafted audio file taglib 1.12.b.1

Webin security lab - dbapp security Ltd reports:

The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file.

https://seclists.org/fulldisclosure/2018/May/49 CVE-2018-11439 2018-05-28 2020-05-03
Gitlab -- Multiple Vulnerabilities gitlab-ce 12.10.012.10.2 12.9.012.9.5 8.4.012.8.10

Gitlab reports:

Path Traversal in NuGet Package Registry

Workhorse Bypass Leads to File Disclosure

OAuth Application Client Secrets Revealed

Code Owners Approval Rules Are Not Updated for Existing Merge Requests When Source Branch Changes

Code Owners Protection Not Enforced from Web UI

Repository Mirror Passwords Exposed To Maintainers

Admin Audit Log Page Denial of Service

Private Project ID Revealed Through Group API

Elasticsearch Credentials Logged to ELK

GitHub Personal Access Token Exposed on Integrations Page

Update Nokogiri dependency

Update OpenSSL Dependency

Update git

https://about.gitlab.com/releases/2020/04/30/security-release-12-10-2-released/ CVE-2020-12448 CVE-2020-10187 CVE-2020-7595 CVE-2020-1967 CVE-2020-11008 2020-04-30 2020-05-01
vlc -- Multiple vulnerabilities fixed in VLC media player vlc 3.0.10,4

VideoLAN reports:

Details

A remote user could:

  • Create a specifically crafted image file that could trigger an out of bounds read
  • Send a specifically crafter request to the microdns service discovery, potentially triggering various memory management issues

Impact

If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.

While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed.

We have not seen exploits performing code execution through these vulnerabilities

CVE-2019-19721 affects VLC 3.0.8 and earlier, and only reads 1 byte out of bound

https://www.videolan.org/security/sb-vlc309.html 2020-04-01 2020-04-29
samba -- multiple vulnerabilities samba410 4.10.15 samba411 4.11.8 samba412 4.12.2

The Samba Team reports:

CVE-2020-10700

A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a use-after-free in Samba's AD DC LDAP server.

CVE-2020-10704

A deeply nested filter in an un-authenticated LDAP search can exhaust the LDAP server's stack memory causing a SIGSEGV.

https://www.samba.org/samba/history/samba-4.12.2.html CVE-2020-10700 CVE-2020-10704 2020-04-29 2020-04-29
ceph14 -- multiple security issues ceph14 14.1.114.2.9

RedHat reports:

ceph: secure mode of msgr2 breaks both confidentiality and integrity aspects for long-lived sessions.

ceph: header-splitting in RGW GetObject has a possible XSS.

CVE-2020-1759 https://www.openwall.com/lists/oss-security/2020/04/07/2 CVE-2020-1760 https://www.openwall.com/lists/oss-security/2020/04/07/1 2020-04-07 2020-04-14
nested filters leads to stack overflow openldap24-server 2.4.50

Howard Chu reports:

nested filters leads to stack overflow

https://bugs.openldap.org/show_bug.cgi?id=9202 CVE-2020-12243 2020-04-28 2020-04-28
py-yaml -- FullLoader (still) exploitable for arbitrary command execution py27-yaml py35-yaml py36-yaml py37-yaml py38-yaml 5.3.1

Riccardo Schirone (https://github.com/ret2libc) reports:

In FullLoader python/object/new constructor, implemented by construct_python_object_apply, has support for setting the state of a deserialized instance through the set_python_instance_state method. After setting the state, some operations are performed on the instance to complete its initialization, however it is possible for an attacker to set the instance' state in such a way that arbitrary code is executed by the FullLoader.

This patch tries to block such attacks in FullLoader by preventing set_python_instance_state from setting arbitrar properties. It implements a blacklist that includes extend method (called by construct_python_object_apply) and all special methods (e.g. __set__, __setitem__, etc.).

Users who need special attributes being set in the state of a deserialized object can still do it through the UnsafeLoader, which however should not be used on untrusted input. Additionally, they can subclass FullLoader and redefine state_blacklist_regexp to include the additional attributes they need, passing the subclassed loader to yaml.load.

https://bugzilla.redhat.com/show_bug.cgi?id=1807367 https://github.com/yaml/pyyaml/pull/386 CVE-2020-1747 ports/245937 2020-03-02 2020-04-27 2020-04-29
py-bleach -- regular expression denial-of-service py27-bleach py35-bleach py36-bleach py37-bleach py38-bleach 3.1.4

Bleach developers reports:

bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS).

Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).

https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm https://bugzilla.mozilla.org/show_bug.cgi?id=1623633 CVE-2020-6817 ports/245943 2019-03-09 2020-04-26
MySQL Server -- Multiple vulerabilities mariadb101-server 10.1.45 mariadb102-server 10.2.32 mariadb103-server 10.3.23 mariadb104-server 10.4.13 mysql56-server 5.6.48 mysql57-server 5.7.30 mysql80-server 8.0.20 percona55-server 5.5.68 percona56-server 5.6.48 percona57-server 5.7.30

Oracle reports:

This Critical Patch Update contains 45 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

MariaDB reports 4 of these vulnerabilities exist in their software

https://www.oracle.com/security-alerts/cpujan2020.html CVE-2019-5482 CVE-2019-15601 CVE-2020-2780 CVE-2020-2790 CVE-2020-2768 CVE-2020-2804 CVE-2020-2760 CVE-2020-2806 CVE-2020-2762 CVE-2020-2814 CVE-2020-2893 CVE-2020-2895 CVE-2020-2898 CVE-2020-2903 CVE-2020-2896 CVE-2020-2770 CVE-2020-2765 CVE-2020-2892 CVE-2020-2897 CVE-2020-2923 CVE-2020-2924 CVE-2020-2901 CVE-2020-2928 CVE-2020-2904 CVE-2020-2925 CVE-2020-2759 CVE-2020-2763 CVE-2020-2761 CVE-2020-2774 CVE-2020-2853 CVE-2020-2779 CVE-2020-2812 CVE-2019-1547 CVE-2020-2926 CVE-2020-2921 CVE-2020-2930 2020-04-14 2020-04-23 2020-05-16
MySQL Client -- Multiple vulerabilities mysql56-client 5.6.48 mysql57-client 5.7.30 mysql80-client 8.0.20 mysql-connector-c 8.0.20 mysql-connector-c++ 8.0.20 mysql-connector-java 8.0.20 percona55-client 5.5.68 percona56-client 5.6.48 percona57-client 5.7.30

Oracle reports:

This Critical Patch Update contains 45 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

https://www.oracle.com/security-alerts/cpujan2020.html CVE-2020-2752 CVE-2020-2934 CVE-2020-2875 CVE-2020-2922 CVE-2020-2933 2020-04-14 2020-04-23
Nextcloud -- multiple vulnerabilities nextcloud 18.0.4

Nextcloud reports:

XSS in Files PDF viewer (NC-SA-2020-019)

Missing ownership check on remote wipe endpoint (NC-SA-2020-018)

https://nextcloud.com/security/advisories/ https://nextcloud.com/security/advisory/?id=NC-SA-2020-018 https://nextcloud.com/security/advisory/?id=NC-SA-2020-019 2020-03-18 2020-04-23
Python -- Regular Expression DoS attack against client python38 3.8.3 python37 3.7.7 python36 3.6.10 python35 3.5.9_4 python27 2.7.18

Ben Caller and Matt Schwager reports:

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html https://bugs.python.org/issue39503 CVE-2020-8492 ports/245819 2019-11-17 2020-04-23 2020-06-13
Wagtail -- XSS vulnerability py35-wagtail py36-wagtail py37-wagtail py38-wagtail 2.7.2

Wagtail release notes:

CVE-2020-11001: Possible XSS attack via page revision comparison view

This release addresses a cross-site scripting (XSS) vulnerability on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

https://docs.wagtail.io/en/latest/releases/2.7.2.html https://github.com/advisories/GHSA-v2wc-pfq2-5cm6 CVE-2020-11001 2020-04-03 2020-04-22
libntlm -- buffer overflow vulnerability libntlm 1.6

NVD reports:

Libntlm through 1.5 relies on a fixed buffer size for tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse read and write operations, as demonstrated by a stack-based buffer over-read in buildSmbNtlmAuthRequest in smbutil.c for a crafted NTLM request.

https://gitlab.com/jas/libntlm/-/issues/2 https://nvd.nist.gov/vuln/detail/CVE-2019-17455 CVE-2019-17455 2019-10-08 2020-04-21
OpenSSL remote denial of service vulnerability FreeBSD 12.112.1_4 openssl 1.1.1,11.1.1g,1

Problem Description:

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognized signature algorithm is received from the peer.

Impact:

A malicious peer could exploit the NULL pointer dereference crash, causing a denial of service attack.

CVE-2020-1967 SA-20:11.openssl https://www.openssl.org/news/secadv/20200421.txt 2020-04-21 2020-04-21 2020-04-22
FreeBSD -- ipfw invalid mbuf handling FreeBSD-kernel 12.112.1_4 11.311.3_8

Problem Description:

Incomplete packet data validation may result in accessing out-of-bounds memory (CVE-2019-5614) or may access memory after it has been freed (CVE-2019-15874).

Impact:

Access to out of bounds or freed mbuf data can lead to a kernel panic or other unpredictable results.

CVE-2019-5614 CVE-2019-15874 SA-20:10.ipfw 2020-04-21 2020-04-21
py-twisted -- multiple vulnerabilities py27-twisted py35-twisted py36-twisted py37-twisted py38-twisted 20.3.0

Twisted developers reports:

All HTTP clients in twisted.web.client now raise a ValueError when called with a method and/or URL that contain invalid characters. This mitigates CVE-2019-12387. Thanks to Alex Brasetvik for reporting this vulnerability.

The HTTP/2 server implementation now enforces TCP flow control on control frame messages and times out clients that send invalid data without reading responses. This closes CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood). Thanks to Jonathan Looney and Piotr Sikora.

twisted.web.http was subject to several request smuggling attacks. Requests with multiple Content-Length headers were allowed (CVE-2020-10108, thanks to Jake Miller from Bishop Fox and ZeddYu Lu for reporting this) and now fail with a 400; requests with a Content-Length header and a Transfer-Encoding header honored the first header (CVE-2020-10109, thanks to Jake Miller from Bishop Fox for reporting this) and now fail with a 400; requests whose Transfer-Encoding header had a value other than "chunked" and "identity" (thanks to ZeddYu Lu) were allowed and now fail with a 400.

https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst CVE-2019-12387 CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 CVE-2020-10108 CVE-2020-10109 ports/245252 2019-03-01 2020-04-21
Client/server denial of service when handling AES-CTR ciphers libssh 0.8.00.8.9 0.9.00.9.4

The libssh team reports (originally reported by Yasheng Yang from Google):

A malicious client or server could crash the counterpart implemented with libssh AES-CTR ciphers are used and don't get fully initialized. It will crash when it tries to cleanup the AES-CTR ciphers when closing the connection.

https://www.libssh.org/security/advisories/CVE-2020-1730.txt" CVE-2020-1730 2020-01-25 2020-04-19
webkit2-gtk3 -- Denial of service webkit2-gtk3 2.28.1

The WebKitGTK project reports the following vulnerability.

Processing maliciously crafted web content may lead to arbitrary code execution or application crash (denial of service). Description: A memory corruption issue (use-after-free) was addressed with improved memory handling.

https://webkitgtk.org/security/WSA-2020-0004.html CVE-2020-11793 2020-04-16 2020-04-18
drupal -- Drupal Core - Moderately critical - Third-party library drupal8 8.8.4

Drupal Security Team reports:

The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.

Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can createor edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.

The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.

https://www.drupal.org/sa-core-2020-001 2020-03-18 2020-04-17
ansible - Vault password leak from temporary file ansible 2.8.9 ansible27 2.7.17 ansible26 2.7.17 ansible25 2.7.17 ansible24 2.7.17 ansible23 2.7.17

Borja Tarraso reports:

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740 https://github.com/ansible/ansible/issues/67798 CVE-2020-1740 2020-02-12 2020-04-17
ansible - subversion password leak from PID ansible 2.8.9 ansible27 2.7.17 ansible26 2.7.17 ansible25 2.7.17 ansible24 2.7.17 ansible23 2.7.17

Borja Tarraso reports:

A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739 https://github.com/ansible/ansible/issues/67797 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FWDK3QUVBULS3Q3PQTGEKUQYPSNOU5M3/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QT27K5ZRGDPCH7GT3DRI3LO4IVDVQUB7/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3IMV3XEIUXL6S4KPLYYM4TVJQ2VNEP2/ CVE-2020-1739 2020-02-12 2020-04-17
ansible - win_unzip path normalization ansible 2.8.9 ansible27 2.7.17 ansible26 2.7.17 ansible25 2.7.17 ansible24 2.7.17 ansible23 2.7.17

Borja Tarraso reports:

A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. This issue is fixed in 2.10.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1737 https://github.com/ansible/ansible/issues/67795 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FWDK3QUVBULS3Q3PQTGEKUQYPSNOU5M3/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QT27K5ZRGDPCH7GT3DRI3LO4IVDVQUB7/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3IMV3XEIUXL6S4KPLYYM4TVJQ2VNEP2/ CVE-2020-1737 2020-02-12 2020-04-17
chromium -- use after free chromium 81.0.4044.113

Google Chrome Releases reports:

[1067851] Critical CVE-2020-6457: Use after free in speech recognizer. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2020-04-04

https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_15.html CVE-2020-6457 2020-04-15 2020-04-16
openvpn -- illegal client float can break VPN session for other users openvpn 2.4.8_3 openvpn-mbedtls 2.4.8_3 openvpn-devel 202016

Lev Stipakov and Gert Doering report:

There is a time frame between allocating peer-id and initializing data channel key (which is performed on receiving push request or on async push-reply) in which the existing peer-id float checks do not work right.

If a "rogue" data channel packet arrives during that time frame from another address and with same peer-id, this would cause client to float to that new address.

The net effect of this behaviour is that the VPN session for the "victim client" is broken. Since the "attacker client" does not have suitable keys, it can not inject or steal VPN traffic from the other session. The time window is small and it can not be used to attack a specific client's session, unless some other way is found to make it disconnect and reconnect first.

https://github.com/OpenVPN/openvpn/commit/f7b318f811bb43c0d3aa7f337ec6242ed2c33881 https://sourceforge.net/p/openvpn/openvpn/ci/f7b318f811bb43c0d3aa7f337ec6242ed2c33881/ https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html https://community.openvpn.net/openvpn/ticket/1272 https://patchwork.openvpn.net/patch/1077/ CVE-2020-11810 2020-04-13 2020-04-16
Mbed TLS -- Side channel attack on ECDSA mbedtls 2.16.6

Manuel Pégourié-Gonnard reports:

An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can fully recover an ECDSA private key after observing a number of signature operations.

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04 CVE-2020-10932 2020-04-14 2020-04-15
Gitlab -- Multiple Vulnerabilities gitlab-ce 12.9.012.9.3 12.8.012.8.9 012.7.9

Gitlab reports:

NuGet Package and File Disclosure through GitLab Workhorse

Job Artifact Uploads and File Disclosure through GitLab Workhorse

Incorrect membership following group removal

Logging of Praefect tokens

Update Rack dependency

Update OpenSSL dependency

https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released/ CVE-2020-11505 CVE-2020-11506 CVE-2020-11649 CVE-2020-16782 2020-04-14 2020-04-15
zeek -- Remote crash vulnerability zeek 3.0.4

Jon Siwek of Corelight reports:

This release fixes the following security issue:

  • An attacker can crash Zeek remotely via crafted packet sequence.
https://raw.githubusercontent.com/zeek/zeek/e059d4ec2e689b3c8942f4aa08b272f24ed3f612/NEWS 2020-04-14 2020-04-14
chromium -- multiple vulnerabilities chromium 81.0.4044.92

Google Chrome Releases reports:

This updates includes 32 security fixes, including:

  • [1019161] High CVE-2020-6454: Use after free in extensions. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2019-10-29
  • [1043446] High CVE-2020-6423: Use after free in audio. Reported by Anonymous on 2020-01-18
  • [1059669] High CVE-2020-6455: Out of bounds read in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of Alpha Lab, Qihoo 360 on 2020-03-09
  • [1031479] Medium CVE-2020-6430: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2019-12-06
  • [1040755] Medium CVE-2020-6456: Insufficient validation of untrusted input in clipboard. Reported by Michał Bentkowski of Securitum on 2020-01-10
  • [852645] Medium CVE-2020-6431: Insufficient policy enforcement in full screen. Reported by Luan Herrera (@lbherrera_) on 2018-06-14
  • [965611] Medium CVE-2020-6432: Insufficient policy enforcement in navigations. Reported by David Erceg on 2019-05-21
  • [1043965] Medium CVE-2020-6433: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-01-21
  • [1048555] Medium CVE-2020-6434: Use after free in devtools. Reported by HyungSeok Han (DaramG) of Theori on 2020-02-04
  • [1032158] Medium CVE-2020-6435: Insufficient policy enforcement in extensions. Reported by Sergei Glazunov of Google Project Zero on 2019-12-09
  • [1034519] Medium CVE-2020-6436: Use after free in window management. Reported by Igor Bukanov from Vivaldi on 2019-12-16
  • [639173] Low CVE-2020-6437: Inappropriate implementation in WebView. Reported by Jann Horn on 2016-08-19
  • [714617] Low CVE-2020-6438: Insufficient policy enforcement in extensions. Reported by Ng Yik Phang on 2017-04-24
  • [868145] Low CVE-2020-6439: Insufficient policy enforcement in navigations. Reported by remkoboonstra on 2018-07-26
  • [894477] Low CVE-2020-6440: Inappropriate implementation in extensions. Reported by David Erceg on 2018-10-11
  • [959571] Low CVE-2020-6441: Insufficient policy enforcement in omnibox. Reported by David Erceg on 2019-05-04
  • [1013906] Low CVE-2020-6442: Inappropriate implementation in cache. Reported by B@rMey on 2019-10-12
  • [1040080] Low CVE-2020-6443: Insufficient data validation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-01-08
  • [922882] Low CVE-2020-6444: Uninitialized Use in WebRTC. Reported by mlfbrown on 2019-01-17
  • [933171] Low CVE-2020-6445: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
  • [933172] Low CVE-2020-6446: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
  • [991217] Low CVE-2020-6447: Inappropriate implementation in developer tools. Reported by David Erceg on 2019-08-06
  • [1037872] Low CVE-2020-6448: Use after free in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2019-12-26
CVE-2020-6423 CVE-2020-6430 CVE-2020-6431 CVE-2020-6432 CVE-2020-6433 CVE-2020-6434 CVE-2020-6435 CVE-2020-6436 CVE-2020-6437 CVE-2020-6438 CVE-2020-6439 CVE-2020-6440 CVE-2020-6441 CVE-2020-6442 CVE-2020-6443 CVE-2020-6444 CVE-2020-6445 CVE-2020-6446 CVE-2020-6447 CVE-2020-6448 CVE-2020-6454 CVE-2020-6455 CVE-2020-6456 https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html 2020-04-07 2020-04-12
chromium -- multiple vulnerabilities chromium 80.0.3987.162

Google Chrome Releases reports:

This update contains 8 security fixes.

  • [1062247] High CVE-2020-6450: Use after free in WebAudio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-17
  • [1061018] High CVE-2020-6451: Use after free in WebAudio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-12
  • [1059764] High CVE-2020-6452: Heap buffer overflow in media Reported by asnine on 2020-03-09
  • [1066247] Various fixes from internal audits, fuzzing and other initiatives.
https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_31.html CVE-2020-6450 CVE-2020-6451 CVE-2020-6452 2020-03-31 2020-04-02
HAproxy -- serious vulnerability affecting the HPACK decoder used for HTTP/2 haproxy 2.0.02.0.14 haproxy18 1.8.01.8.25 haproxy19 1.9.01.9.15 haproxy21 2.1.02.1.4

The HAproxy Project reports:

The main driver for this release is that it contains a fix for a serious vulnerability that was responsibly reported last week by Felix Wilhelm from Google Project Zero, affecting the HPACK decoder used for HTTP/2. CVE-2020-11100 was assigned to this issue.

CVE-2020-11100 https://www.mail-archive.com/haproxy@formilux.org/msg36876.html https://www.mail-archive.com/haproxy@formilux.org/msg36877.html https://www.mail-archive.com/haproxy@formilux.org/msg36878.html https://www.mail-archive.com/haproxy@formilux.org/msg36879.html 2020-04-02 2020-04-02
Apache -- Multiple vulnerabilities apache24 2.4.43

Apache Team reports:

SECURITY: CVE-2020-1934

mod_proxy_ftp: Use of uninitialized value with malicious backend FTP server.

SECURITY: CVE-2020-1927

rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break characters. The fix for CVE-2019-10098 was not effective.

https://downloads.apache.org/httpd/CHANGES_2.4.43 CVE-2020-1934 CVE-2020-1927 2020-04-01 2020-04-02
cacti -- multiple vulnerabilities cacti 1.2.10

The Cacti developers reports:

When guest users have access to realtime graphs, remote code could be executed (CVE-2020-8813).

Lack of escaping on some pages can lead to XSS exposure (CVE-2020-7106).

Remote Code Execution due to input validation failure in Performance Boost Debug Log (CVE-2020-7237).

https://github.com/Cacti/cacti/releases/tag/release%2F1.2.10 https://nvd.nist.gov/vuln/detail/CVE-2020-8813 https://nvd.nist.gov/vuln/detail/CVE-2020-7106 https://nvd.nist.gov/vuln/detail/CVE-2020-7237 CVE-2020-8813 CVE-2020-7106 CVE-2020-7237 ports/245198 2020-02-04 2020-04-02
GnuTLS -- flaw in DTLS protocol implementation gnutls 3.6.13

The GnuTLS project reports:

It was found that GnuTLS 3.6.3 introduced a regression in the DTLS protocol implementation. This caused the DTLS client to not contribute any randomness to the DTLS negotiation breaking the security guarantees of the DTLS protocol.

https://gnutls.org/security-new.html#GNUTLS-SA-2020-03-31 CVE-2020-11501 2020-03-31 2020-03-31
PostgresSQL -- ALTER ... DEPENDS ON EXTENSION is missing authorization checks postgresql12-server 12.2 postgresql11-server 11.7 postgresql10-server 10.12 postgresql96-server 9.6.17

The PostgreSQL project reports:

Versions Affected: 9.6 - 12

The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization checks, which can allow an unprivileged user to drop any function, procedure, materialized view, index, or trigger under certain conditions. This attack is possible if an administrator has installed an extension and an unprivileged user can CREATE, or an extension owner either executes DROP EXTENSION predictably or can be convinced to execute DROP EXTENSION.

https://www.postgresql.org/about/news/1960/ CVE-2020-1720 2020-02-13 2020-03-29
mediawiki -- multiple vulnerabilities mediawiki131 1.31.7 mediawiki133 1.33.3 mediawiki134 1.34.1

Mediawiki reports:

Security fixes: T246602:jquery.makeCollapsible allows applying event handler to any CSS selector.

https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-March/000247.html 2020-03-02 2020-03-27
Gitlab -- Multiple Vulnerabilities gitlab-ce 12.9.012.9.1 12.8.012.8.8 012.7.8

Gitlab reports:

Arbitrary File Read when Moving an Issue

Path Traversal in NPM Package Registry

SSRF on Project Import

External Users Can Create Personal Snippet

Triggers Decription Can be Updated by Other Maintainers in Project

Information Disclosure on Confidential Issues Moved to Private Programs

Potential DoS in Repository Archive Download

Blocked Users Can Still Pull/Push Docker Images

Repository Mirroring not Disabled when Feature not Activated

Vulnerability Feedback Page Was Leaking Information on Vulnerabilities

Stored XSS Vulnerability in Admin Feature

Upload Feature Allowed a User to Read Unauthorized Exported Files

Unauthorized Users Are Able to See CI Metrics

Last Pipeline Status of a Merge Request Leaked

Blind SSRF on FogBugz

Update Nokogiri dependency

https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10953 CVE-2020-10956 CVE-2020-10954 CVE-2020-10952 CVE-2020-10955 CVE-2020-9795 2020-03-26 2020-03-26
rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix) rubygem-json 2.3.0

When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.

This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(user_input), but didn’t address some other styles of JSON parsing including JSON(user_input) and JSON.parse(user_input, nil).

See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary bjects may cause severe security consequences depending upon the application code.

Please update the json gem to version 2.3.0 or later. You can use gem update json to update it. If you are using bundler, please add gem "json", ">= 2.3.0" to your Gemfile.

https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/ CVE-2020-10663 2020-03-19 2020-03-26 2020-04-02
jenkins -- multiple vulnerabilities jenkins 2.227 jenkins-lts 2.204.5

Jenkins Security Advisory:

Description

(High) SECURITY-1774 / CVE-2020-2160

CSRF protection for any URL could be bypassed

(Medium) SECURITY-1781 / CVE-2020-2161

Stored XSS vulnerability in label expression validation

(Medium) SECURITY-1793 / CVE-2020-2162

Stored XSS vulnerability in file parameters

(Medium) SECURITY-1796 / CVE-2020-2163

Stored XSS vulnerability in list view column headers

CVE-2020-2160 CVE-2020-2161 CVE-2020-2162 CVE-2020-2163 https://jenkins.io/security/advisory/2020-03-25/ 2020-03-25 2020-03-25
phpMyAdmin -- SQL injection phpMyAdmin phpMyAdmin-php72 phpMyAdmin-php73 phpMyAdmin-php74 phpMyAdmin5 phpMyAdmin5-php72 phpMyAdmin5-php73 phpMyAdmin5-php74 4.9.5 5.05.0.2

phpMyAdmin Team reports:

PMASA-2020-2 SQL injection vulnerability in the user accounts page, particularly when changing a password

PMASA-2020-3 SQL injection vulnerability relating to the search feature

PMASA-2020-4 SQL injection and XSS having to do with displaying results

Removing of the "options" field for the external transformation

https://www.phpmyadmin.net/news/2020/3/21/phpmyadmin-495-and-502-are-released/ 2020-03-21 2020-03-25
puppetserver and puppetdb -- Puppet Server and PuppetDB may leak sensitive information via metrics API puppetdb5 5.2.13 puppetdb6 6.9.1 puppetserver5 5.3.12 puppetserver6 6.9.2

Puppetlabs reports:

Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network.

PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default.

CVE-2020-7943 https://puppet.com/security/cve/CVE-2020-7943/ 2020-03-10 2020-03-23
puppet6 -- Arbitrary Catalog Retrieval puppet6 6.13.0

Puppetlabs reports:

Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master.

Puppet 6.13.0 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior.

CVE-2020-7942 https://puppet.com/security/cve/CVE-2020-7942/ 2020-02-18 2020-03-23
FreeBSD -- Kernel memory disclosure with nested jails FreeBSD-kernel 12.112.1_3 11.311.3_7

Problem Description:

A missing NUL-termination check for the jail_set(2) configration option "osrelease" may return more bytes when reading the jail configuration back with jail_get(2) than were originally set.

Impact:

For jails with a non-default setting of children.max > 0 ("nested jails") a superuser inside a jail can create a jail and may be able to read and take advantage of exposed kernel memory.

CVE-2020-7453 SA-20:08.jail 2020-03-19 2020-03-19
FreeBSD -- Incorrect user-controlled pointer use in epair FreeBSD-kernel 12.112.1_3 11.311.3_7

Problem Description:

Incorrect use of a potentially user-controlled pointer in the kernel allowed vnet jailed users to panic the system and potentially execute aribitrary code in the kernel.

Impact:

Users with root level access (or the PRIV_NET_IFCREATE privilege) can panic the system, or potentially escape the jail or execute arbitrary code with kernel priviliges.

CVE-2020-7452 SA-20:07.epair 2020-03-19 2020-03-19
FreeBSD -- Insufficient ixl(4) ioctl(2) privilege checking FreeBSD-kernel 12.112.1_3

Problem Description:

The driver-specific ioctl(2) command handlers in ixl(4) failed to check whether the caller has sufficient privileges to perform the corresponding operation.

Impact:

The ixl(4) handler permits unprivileged users to trigger updates to the device's non-volatile memory (NVM).

CVE-2019-15877 SA-20:06.if_ixl_ioctl 2020-03-19 2020-03-19
FreeBSD -- Insufficient oce(4) ioctl(2) privilege checking FreeBSD-kernel 12.112.1_3 11.311.3_7

Problem Description:

The driver-specific ioctl(2) command handlers in oce(4) failed to check whether the caller has sufficient privileges to perform the corresponding operation.

Impact:

The oce(4) handler permits unprivileged users to send passthrough commands to device firmware.

CVE-2019-15876 SA-20:05.if_oce_ioctl 2020-03-19 2020-03-19
FreeBSD -- TCP IPv6 SYN cache kernel information disclosure FreeBSD-kernel 12.112.1_3 11.311.3_7

Problem Description:

When a TCP server transmits or retransmits a TCP SYN-ACK segment over IPv6, the Traffic Class field is not initialized. This also applies to challenge ACK segments, which are sent in response to received RST segments during the TCP connection setup phase.

Impact:

For each TCP SYN-ACK (or challenge TCP-ACK) segment sent over IPv6, one byte of kernel memory is transmitted over the network.

CVE-2020-7451 SA-20:04.tcp 2020-03-19 2020-03-19
www/py-bleach -- multiple vulnerabilities py27-bleach py35-bleach py36-bleach py37-bleach py38-bleach 3.1.2

* ``bleach.clean`` behavior parsing embedded MathML and SVG content with RCDATA tags did not match browser behavior and could result in a mutation XSS.

Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or ``svg`` tags and one or more of the RCDATA tags ``script``, ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or ``xmp`` in the allowed tags whitelist were vulnerable to a mutation XSS.

* ``bleach.clean`` behavior parsing ``noscript`` tags did not match browser behavior.

Calls to ``bleach.clean`` allowing ``noscript`` and one or more of the raw text tags (``title``, ``textarea``, ``script``, ``style``, ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable to a mutation XSS.

https://bugzilla.mozilla.org/show_bug.cgi?id=1615315 https://bugzilla.mozilla.org/show_bug.cgi?id=1621692 2020-02-13 2020-03-18
zeek -- potential denial of service issues zeek 3.0.3

Jon Siwek of Corelight reports:

This release addresses the following security issues:

  • Potential Denial of Service due to memory leak in DNS TSIG message parsing.
  • Potential Denial of Service due to memory leak (or assertion when compiling with assertions enabled) when receiving a second SSH KEX message after a first.
  • Potential Denial of Service due to buffer read overflow and/or memory leaks in Kerberos analyzer. The buffer read overflow could occur when the Kerberos message indicates it contains an IPv6 address, but does not send enough data to parse out a full IPv6 address. A memory leak could occur when processing KRB_KDC_REQ KRB_KDC_REP messages for message types that do not match a known/expected type.
  • Potential Denial of Service when sending many zero-length SSL/TLS certificate data. Such messages underwent the full Zeek file analysis treatment which is expensive (and meaninguless here) compared to how cheaply one can "create" or otherwise indicate many zero-length contained in an SSL message.
  • Potential Denial of Service due to buffer read overflow in SMB transaction data string handling. The length of strings being parsed from SMB messages was trusted to be whatever the message claimed instead of the actual length of data found in the message.
  • Potential Denial of Service due to null pointer dereference in FTP ADAT Base64 decoding.
  • Potential Denial of Service due buffer read overflow in FTP analyzer word/whitespace handling. This typically won't be a problem in most default deployments of Zeek since the FTP analyzer receives data from a ContentLine (NVT) support analyzer which first null-terminates the buffer used for further FTP parsing.
https://github.com/zeek/zeek/blob/9dda3602a760f00d9532c6314ea79108106033fa/NEWS 2020-02-25 2020-03-15
Okular -- Local binary execution via action links okular 19.12.3_3

Albert Astals Cid:

Okular can be tricked into executing local binaries via specially crafted PDF files.

This binary execution can require almost no user interaction.

No parameters can be passed to those local binaries.

We have not been able to identify any binary that will cause actual damage, be it in the hardware or software level, when run without parameters.

We remain relatively confident that for this issue to do any actual damage, it has to run a binary specially crafted. That binary must have been deployed to the user system via another method, be it the user downloading it directly as an email attachment, webpage download, etc. or by the system being already compromised.

https://kde.org/info/security/advisory-20200312-1.txt 2020-03-12 2020-03-13
Gitlab -- Vulnerability gitlab-ce 12.8.012.8.6

Gitlab reports:

Email Confirmation not Required on Sign-up

https://about.gitlab.com/releases/2020/03/11/critical-security-release-gitlab-12-dot-8-dot-6-released/ 2020-03-11 2020-03-12
Django -- potential SQL injection vulnerability py27-django111 py35-django111 py36-django111 py37-django111 py38-django111 1.11.29 py35-django22 py36-django22 py37-django22 py38-django22 2.2.11 py36-django30 py37-django30 py38-django30 3.0.4

MITRE CVE reports:

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9402 https://www.djangoproject.com/weblog/2020/mar/04/security-releases/ CVE-2020-9402 2020-02-25 2020-03-12
py-matrix-synapse -- users of single-sign-on are vulnerable to phishing py35-matrix-synapse py36-matrix-synapse py37-matrix-synapse 1.11.1

Matrix developers report:

[The 1.11.1] release includes a security fix impacting installations using Single Sign-On (i.e. SAML2 or CAS) for authentication. Administrators of such installations are encouraged to upgrade as soon as possible.

https://github.com/matrix-org/synapse/releases/tag/v1.11.1 2020-03-03 2020-03-11
Node.js -- multiple vulnerabilities node 13.8.0 node12 12.15.0 node10 10.19.0

Node.js reports:

Updates are now available for all active Node.js release lines for the following issues.

HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)

Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system.

HTTP header values do not have trailing OWS trimmed (High) (CVE-2019-15606)

Optional whitespace should be trimmed from HTTP header values. Its presence may allow attackers to bypass security checks based on HTTP header values.

Remotely trigger an assertion on a TLS server with a malformed certificate string (High) (CVE-2019-15604)

Connecting to a NodeJS TLS server with a client certificate that has a type 19 string in its subjectAltName will crash the TLS server if it tries to read the peer certificate.

Strict HTTP header parsing (None)

Increase the strictness of HTTP header parsing. There are no known vulnerabilities addressed, but lax HTTP parsing has historically been a source of problems. Some commonly used sites are known to generate invalid HTTP headers, a --insecure-http-parser CLI option or insecureHTTPParser http option can be used if necessary for interoperability, but is not recommended.

https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/ CVE-2019-15605 CVE-2019-15606 CVE-2019-15604 2020-02-06 2020-03-09
gitea -- multiple vulnerabilities gitea 1.11.2

The Gitea Team reports for release 1.11.0:

  • Never allow an empty password to validate (#9682) (#9683)
  • Prevent redirect to Host (#9678) (#9679)
  • Swagger hide search field (#9554)
  • Add "search" to reserved usernames (#9063)
  • Switch to fomantic-ui (#9374)
  • Only serve attachments when linked to issue/release and if accessible by user (#9340)

The Gitea Team reports for release 1.11.2:

  • Ensure only own addresses are updated (#10397) (#10399)
  • Logout POST action (#10582) (#10585)
  • Org action fixes and form cleanup (#10512) (#10514)
  • Change action GETs to POST (#10462) (#10464)
  • Fix admin notices (#10480) (#10483)
  • Change admin dashboard to POST (#10465) (#10466)
  • Update markbates/goth (#10444) (#10445)
  • Update crypto vendors (#10385) (#10398)
https://blog.gitea.io/2020/02/gitea-1.11.0-is-released/ https://blog.gitea.io/2020/03/gitea-1.11.2-is-released/ ports/244025 2019-11-18 2020-03-07
salt -- salt-api vulnerability py27-salt py32-salt py33-salt py34-salt py35-salt py36-salt py37-salt py38-salt 2019.2.3

SaltStack reports:

With the Salt NetAPI enabled in addition to having a SSH roster defined, unauthenticated access is possible when specifying the client as SSH.

Additionally, when the raw_shell option is specified any arbitrary command may be run on the Salt master when specifying SSH options.

CVE-2019-17361 https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html https://nvd.nist.gov/vuln/detail/CVE-2019-17361 2020-01-15 2020-03-07
Gitlab -- Multiple Vulnerabilities gitlab-ce 12.8.012.8.2 12.7.012.7.7 012.6.8

Gitlab reports:

Directory Traversal to Arbitrary File Read

Account Takeover Through Expired Link

Server Side Request Forgery Through Deprecated Service

Group Two-Factor Authentication Requirement Bypass

Stored XSS in Merge Request Pages

Stored XSS in Merge Request Submission Form

Stored XSS in File View

Stored XSS in Grafana Integration

Contribution Analytics Exposed to Non-members

Incorrect Access Control in Docker Registry via Deploy Tokens

Denial of Service via Permission Checks

Denial of Service in Design For Public Issue

Incorrect Access Control via LFS Import

Unescaped HTML in Header

Private Merge Request Titles Leaked via Widget

Project Namespace Exposed via Vulnerability Feedback Endpoint

Denial of Service Through Recursive Requests

Project Authorization Not Being Updated

Incorrect Permission Level For Group Invites

Disclosure of Private Group Epic Information

User IP Address Exposed via Badge images

https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-8113 2020-03-04 2020-03-06
ntp -- Multiple vulnerabilities FreeBSD 11.311.3_7 12.112.1_3 ntp 4.2.8p14 ntp-devel 4.3.99_6

nwtime.org reports:

Three ntp vulnerabilities, Depending on configuration, may have little impact up to termination of the ntpd process.

NTP Bug 3610: Process_control() should exit earlier on short packets. On systems that override the default and enable ntpdc (mode 7) fuzz testing detected that a short packet will cause ntpd to read uninitialized data.

NTP Bug 3596: An unauthenticated unmonitored ntpd is vulnerable to attack on IPv4 with highly predictable transmit timestamps. An off-path attacker who can query time from the victim's ntp which receives time from an unauthenticated time source must be able to send from a spoofed IPv4 address of upstream ntp server and and the victim must be able to process a large number of packets with the spoofed IPv4 address of the upstream server. After eight or more successful attacks in a row the attacker can either modify the victim's clock by a small amount or cause ntpd to terminate. The attack is especially effective when unusually short poll intervals have been configured.

NTP Bug 3592: The fix for https://bugs.ntp.org/3445 introduced a bug such that a ntp can be prevented from initiating a time volley to its peer resulting in a DoS.

All three NTP bugs may result in DoS or terimation of the ntp daemon.

SA-20:09.ntp 2019-05-30 2020-03-03
librsvg2 -- multiple vulnerabilities librsvg2 2.40.21 librsvg2-rust 2.41.02.46.3

Librsvg2 developers reports:

Backport the following fixes from 2.46.x:

Librsvg now has limits on the number of loaded XML elements, and the number of referenced elements within an SVG document. This is to mitigate malicious SVGs which try to consume all memory, and those which try to consume an exponential amount of CPU time.

Fix stack exhaustion with circular references in <use> elements.

Fix a denial-of-service condition from exponential explosion of rendered elements, through nested use of SVG <use> elements in malicious SVGs. This is similar to the XML "billion laughs attack" but for SVG instancing.

https://mail.gnome.org/archives/ftp-release-list/2020-February/msg00133.html CVE-2019-20446 2020-02-26 2020-03-02
TiMidity++ -- Multiple vulnerabilities timidity++ 2.15.0 timidity++-emacs 2.15.0 timidity++-gtk 2.15.0 timidity++-motif 2.15.0 timidity++-slang 2.15.0 timidity++-tcltk 2.15.0 timidity++-xaw 2.15.0 timidity++-xskin 2.15.0

qflb.wu of DBAPPSecurity reports:

Ihe insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 can cause a denial of service(divide-by-zero error and application crash) via a crafted mid file.

The resample_gauss function in resample.c in TiMidity++ 2.14.0 can cause a denial of service(heap-buffer-overflow) via a crafted mid file.

The play_midi function in playmidi.c in TiMidity++ 2.14.0 can cause a denial of service(large loop and CPU consumption) via a crafted mid file.

https://seclists.org/fulldisclosure/2017/Jul/83 CVE-2017-11546 CVE-2017-11547 CVE-2017-11549 2017-07-31 2020-03-02
Solr -- multiple vulnerabilities apache-solr 8.3.1

Community reports:

8.1.1 and 8.2.0 users check ENABLE_REMOTE_JMX_OPTS setting

Apache Solr RCE vulnerability due to bad config default

Apache Solr RCE through VelocityResponseWriter

https://lucene.apache.org/solr/security.html CVE-2019-17558 2019-12-30 2020-02-29
OpenSMTPd -- LPE and RCE in OpenSMTPD's default install opensmtpd 6.6.4,1

OpenSMTPD developers reports:

An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

An unprivileged local attacker can read the first line of an arbitrary file (for example, root's password hash in /etc/master.passwd) or the entire contents of another user's file (if this file and /var/spool/smtpd/ are on the same filesystem).

CVE-2020-8793 https://www.openwall.com/lists/oss-security/2020/02/24/4 CVE-2020-8794 https://www.openwall.com/lists/oss-security/2020/02/24/5 2020-02-22 2020-02-24 2020-02-27
Mbed TLS -- Cache attack against RSA key import in SGX mbedtls 2.16.5

Janos Follath reports:

If Mbed TLS is running in an SGX enclave and the adversary has control of the main operating system, they can launch a side channel attack to recover the RSA private key when it is being imported.

The attack only requires access to fine grained measurements to cache usage. Therefore the attack might be applicable to a scenario where Mbed TLS is running in TrustZone secure world and the attacker controls the normal world or possibly when Mbed TLS is part of a hypervisor and the adversary has full control of a guest OS.

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02 2020-02-18 2020-02-24
Mbed TLS -- Side channel attack on ECDSA mbedtls 2.16.4

Janos Follath reports:

Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it (as it is smaller than RSA keys and not guaranteed to have only large prime factors), and then, by brute force, recover the key.

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12 CVE-2019-18222 2019-10-25 2020-02-24
WeeChat -- Multiple vulnerabilities weechat 2.7.1

The WeeChat project reports:

Buffer overflow when receiving a malformed IRC message 324 (channel mode). (CVE-2020-8955)

Buffer overflow when a new IRC message 005 is received with longer nick prefixes.

Crash when receiving a malformed IRC message 352 (WHO).

https://weechat.org/doc/security/ CVE-2020-8955 2020-02-20 2020-02-21
webkit-gtk3 -- Multiple vulnerabilities webkit2-gtk3 2.26.4

The WebKitGTK project reports multiple vulnerabilities.

https://webkitgtk.org/security/WSA-2020-0002.html CVE-2020-3862 CVE-2020-3864 CVE-2020-3865 CVE-2020-3867 CVE-2020-3868 2020-02-14 2020-02-19
FreeBSD -- kernel stack data disclosure FreeBSD-kernel 12.112.1_2 12.012.0_13 11.311.3_6

Problem Description:

Due to incorrect initialization of a stack data structure, up to 20 bytes of kernel data stored previously stored on the stack will be exposed to a crashing user process.

Impact:

Sensitive kernel data may be disclosed.

CVE-2019-15875 SA-20:03.thrmisc 2020-01-28 2020-01-29
FreeBSD -- Missing IPsec anti-replay window check FreeBSD-kernel 12.012.0_13

Problem Description:

A missing check means that an attacker can reinject an old packet and it will be accepted and processed by the IPsec endpoint.

Impact:

The impact depends on the higher-level protocols in use over IPsec. For example, an attacker who can capture and inject packets could cause an action that was intentionally performed once to be repeated.

CVE-2019-5613 SA-20:02.ipsec 2020-01-28 2020-01-29
FreeBSD -- libfetch buffer overflow FreeBSD 12.112.1_2 12.012.0_13 11.311.3_6

Problem Description:

A programming error allows an attacker who can specify a URL with a username and/or password components to overflow libfetch(3) buffers.

Impact:

An attacker in control of the URL to be fetched (possibly via HTTP redirect) may cause a heap buffer overflow, resulting in program misbehavior or malicious code execution.

CVE-2020-7450 SA-20:01.libfetch 2020-01-28 2020-01-29
Gitlab -- Vulnerability gitlab-ce 12.7.012.7.6 12.6.012.6.7 12.5.012.5.10

Gitlab reports:

Incorrect membership handling of group sharing feature

https://about.gitlab.com/releases/2020/02/13/critical-security-release-gitlab-12-dot-7-dot-6-released/ CVE-2020-8795 2020-02-13 2020-02-13
dovecot -- multiple vulnerabilities dovecot 2.3.9.3

Aki Tuomi reports:

lib-smtp doesn't handle truncated command parameters properly, resulting in infinite loop taking 100% CPU for the process. This happens for LMTP (where it doesn't matter so much) and also for submission-login where unauthenticated users can trigger it.

Aki also reports:

Snippet generation crashes if: message is large enough that message-parser returns multiple body blocks The first block(s) don't contain the full snippet (e.g. full of whitespace) input ends with '>'

https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html CVE-2020-7046 CVE-2020-7967 2020-01-14 2020-02-13
grub2-bhyve -- multiple privilege escalations grub2-bhyve 0.40_8

Reno Robert reports:

FreeBSD uses a two-process model for running a VM. For booting non-FreeBSD guests, a modified grub-emu is used (grub-bhyve). Grub-bhyve executes command from guest grub.cfg file. This is a security problem because grub was never written to handle inputs from OS as untrusted. In the current design, grub and guest OS works across trust boundaries. This exposes a grub to untrusted inputs from guest.

grub-bhyve (emu) is built without SDL graphics support which reduces lot of gfx attack surface, however font loading code is still accessible. Guest can provide arbitrary font file, which is parsed by grub-bhyve running as root.

In grub-core/font/font.c, read_section_as_string() allocates section->length + 1 bytes of memory. However, untrusted section->length is an unsigned 32-bit number, and the result can overflow to malloc(0). This can result in a controlled buffer overflow via the 'loadfont' command in a guest VM grub2.cfg, eventually leading to privilege escalation from guest to host.

Reno Robert also reports:

GRUB supports commands to read and write addresses of choice. In grub-bhyve, these commands provide a way to write to arbitrary virtual addresses within the grub-bhyve process. This is another way for a guest grub2.cfg, run by the host, to eventually escalate privileges.

These vulnerabilities are mitigated by disabling the 'loadfont', 'write_dword', 'read_dword', 'inl', 'outl', and other width variants of the same functionality in grub2-bhyve.

There is also work in progress to sandbox the grub-bhyve utility such that an escaped guest ends up with nobody:nobody in a Capsium sandbox. It is not included in 0.40_8.

https://www.voidsecurity.in/ 2019-12-09 2020-02-12
libexif -- privilege escalation libexif 0.6.21_5

Mitre reports:

In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation.

CVE-2019-9278 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9278 https://security-tracker.debian.org/tracker/CVE-2019-9278 https://seclists.org/bugtraq/2020/Feb/9 https://github.com/libexif/libexif/issues/26 2019-02-06 2020-02-11
Flash Player -- arbitrary code execution linux-flashplayer 32.0.0.330

Adobe reports:

  • This update resolves a type confusion vulnerability that could lead to arbitrary code execution (CVE-2020-3757).
CVE-2020-3757 https://helpx.adobe.com/security/products/flash-player/apsb20-06.html 2020-02-11 2020-02-11
NGINX -- HTTP request smuggling nginx 1.16.1_11,2 nginx-devel 1.17.7

NGINX Team reports:

NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372 CVE-2019-20372 2019-12-10 2020-02-09
ksh93 -- certain environment variables interpreted as arithmetic expressions on startup, leading to code injection ksh93 2020.0.02020.0.1_1,1 ksh93-devel 2020.02.07

Upstream ksh93 maintainer Siteshwar Vashisht reports:

A flaw was found in the way ksh evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.

https://bugzilla.redhat.com/show_bug.cgi?id=1757324 https://access.redhat.com/security/cve/CVE-2019-14868 https://access.redhat.com/errata/RHSA-2020:0431 2019-10-01 2020-02-07
clamav -- Denial-of-Service (DoS) vulnerability clamav 0.102.2,1

Micah Snyder reports:

A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature. Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.

https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html CVE-2020-3123 2020-02-05 2020-02-05
Django -- potential SQL injection vulnerability py27-django111 py35-django111 py36-django111 py37-django111 py38-django111 1.11.28 py35-django22 py36-django22 py37-django22 py38-django22 2.2.10 py36-django30 py37-django30 py38-django30 3.0.3

MITRE CVE reports:

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471 https://docs.djangoproject.com/en/1.11/releases/1.11.28/ https://docs.djangoproject.com/en/2.2/releases/2.2.10/ https://docs.djangoproject.com/en/3.0/releases/3.0.3/ CVE-2020-7471 2020-02-03 2020-02-04
MariaDB -- Vulnerability in C API mariadb55-client 5.5.67 mariadb55-server 5.5.67 mariadb101-client 10.1.44 mariadb101-server 10.1.44 mariadb102-client 10.2.31 mariadb102-server 10.2.31 mariadb103-client 10.3.22 mariadb103-server 10.3.22 mariadb104-client 10.4.12 mariadb104-server 10.4.12 mariadb-connector-c 3.1.7

MariaDB reports:

Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.

https://mariadb.com/kb/en/security/ https://mariadb.com/kb/en/mdb-5567-rn/ https://mariadb.com/kb/en/mdb-10412-rn/ https://mariadb.com/kb/en/mdb-10322-rn/ https://mariadb.com/kb/en/mdb-10231-rn/ https://mariadb.com/kb/en/mdb-10144-rn/ https://mariadb.com/kb/en/mariadb-connector-c-317-release-notes/ CVE-2020-2574 2020-01-28 2020-02-02
libssh -- Unsanitized location in scp could lead to unwanted command execution libssh 0.4.00.8.8 0.9.00.9.3

The libssh team reports:

In an environment where a user is only allowed to copy files and not to execute applications, it would be possible to pass a location which contains commands to be executed in additon.

When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of ssh_scp_new(), it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.

https://www.libssh.org/security/advisories/CVE-2019-14889.txt https://nvd.nist.gov/vuln/detail/CVE-2019-14889 CVE-2019-14889 2019-11-14 2020-02-02
spamassassin -- Nefarious rule configuration files can run system commands spamassassin 3.4.4

The Apache SpamAssassin project reports:

A nefarious rule configuration (.cf) files can be configured to run system commands. This issue is less stealthy and attempts to exploit the issue will throw warnings.

Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places.

https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3c0a91e67a-3190-36e5-41e9-d3553743bcd2@apache.org%3e https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202001.mbox/%3ccdae17ce-acde-6060-148a-6dc5f45ee728@apache.org%3e CVE-2020-1930 CVE-2020-1931 2020-01-28 2020-01-31
sudo -- Potential bypass of Runas user restrictions sudo 1.8.31

Todd C. Miller reports:

Sudo's pwfeedback option can be used to provide visual feedback when the user is inputting their password. For each key press, an asterisk is printed. This option was added in response to user confusion over how the standard Password: prompt disables the echoing of key presses. While pwfeedback is not enabled by default in the upstream version of sudo, some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.

Due to a bug, when the pwfeedback option is enabled in the sudoers file, a user may be able to trigger a stack-based buffer overflow. This bug can be triggered even by users not listed in the sudoers file. There is no impact unless pwfeedback has been enabled.

https://www.sudo.ws/alerts/pwfeedback.html CVE-2019-18634 2020-01-30 2020-01-30
Gitlab -- Multiple Vulnerabilities gitlab-ce 12.7.012.7.4 12.6.012.6.6 5.312.5.9

Gitlab reports:

Path Traversal to Arbitrary File Read

User Permissions Not Validated in ProjectExportWorker

XSS Vulnerability in File API

Package and File Disclosure through GitLab Workhorse

XSS Vulnerability in Create Groups

Issue and Merge Request Activity Counts Exposed

Email Confirmation Bypass Using AP

Disclosure of Forked Private Project Source Code

Private Project Names Exposed in GraphQL queries

Disclosure of Issues and Merge Requests via Todos

Denial of Service via AsciiDoc

Last Pipeline Status Exposed

Arbitrary Change of Pipeline Status

Grafana Token Displayed in Plaintext

Update excon gem

Update rdoc gem

Update rack-cors gem

Update rubyzip gem

https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-7966 CVE-2020-8114 CVE-2020-7973 CVE-2020-6833 CVE-2020-7971 CVE-2020-7967 CVE-2020-7972 CVE-2020-7968 CVE-2020-7979 CVE-2020-7969 CVE-2020-7978 CVE-2020-7974 CVE-2020-7977 CVE-2020-7976 CVE-2019-16779 CVE-2019-18978 CVE-2019-16892 2020-01-30 2020-01-31
OpenSMTPd -- critical LPE / RCE vulnerability opensmtpd 6.4.0,16.6.2,1

OpenSMTPD developers report:

An incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user

CVE-2020-7247 https://www.openwall.com/lists/oss-security/2020/01/28/3 2020-01-28 2020-01-29
jenkins -- multiple vulnerabilities jenkins 2.219 jenkins-lts 2.204.2

Jenkins Security Advisory:

Description

(High) SECURITY-1682 / CVE-2020-2099

Inbound TCP Agent Protocol/3 authentication bypass

(Medium) SECURITY-1641 / CVE-2020-2100

Jenkins vulnerable to UDP amplification reflection attack

(Medium) SECURITY-1659 / CVE-2020-2101

Non-constant time comparison of inbound TCP agent connection secret

(Medium) SECURITY-1660 / CVE-2020-2102

Non-constant time HMAC comparison

(Medium) SECURITY-1695 / CVE-2020-2103

Diagnostic page exposed session cookies

(Medium) SECURITY-1650 / CVE-2020-2104

Memory usage graphs accessible to anyone with Overall/Read

(Low) SECURITY-1704 / CVE-2020-2105

Jenkins REST APIs vulnerable to clickjacking

(Medium) SECURITY-1680 / CVE-2020-2106

Stored XSS vulnerability in Code Coverage API Plugin

(Medium) SECURITY-1565 / CVE-2020-2107

Fortify Plugin stored credentials in plain text

(High) SECURITY-1719 / CVE-2020-2108

XXE vulnerability in WebSphere Deployer Plugin

CVE-2020-2099 CVE-2020-2100 CVE-2020-2101 CVE-2020-2102 CVE-2020-2103 CVE-2020-2104 CVE-2020-2105 CVE-2020-2106 CVE-2020-2107 CVE-2020-2108 https://jenkins.io/security/advisory/2020-01-29/ 2020-01-29 2020-01-29
pkg -- vulnerability in libfetch pkg 1.12.0_1 pkg-devel 1.12.99_1

A programming error allows an attacker who can specify a URL with a username and/or password components to overflow libfetch(3) buffers.

SA-20:01.libfetch CVE-2020-7450 2020-01-28 2020-01-29
samba -- multiple vulnerabilities samba410 4.10.12 samba411 4.11.4

The Samba Team reports:

CVE-2019-14902

The implementation of ACL inheritance in the Samba AD DC was not complete, and so absent a 'full-sync' replication, ACLs could get out of sync between domain controllers.

CVE-2019-14907

When processing untrusted string input Samba can read past the end of the allocated buffer when printing a "Conversion error" message to the logs.

CVE-2019-19344

During DNS zone scavenging (of expired dynamic entries) there is a read of memory after it has been freed.

https://www.samba.org/samba/history/samba-4.10.12.html CVE-2019-14902 CVE-2019-14907 CVE-2019-19344 2020-01-14 2020-01-27
webkit-gtk3 -- Multiple vulnerabilities webkit2-gtk3 2.26.3

The WebKitGTK project reports multiple vulnerabilities.

https://webkitgtk.org/security/WSA-2020-0001.html CVE-2019-8835 CVE-2019-8844 CVE-2019-8846 2020-01-23 2020-01-26
Pillow -- Multiple vulnerabilities py27-pillow py35-pillow py36-pillow py37-pillow py38-pillow 6.2.2

Pillow developers report:

This release addresses several security problems, as well as addressing CVE-2019-19911.

CVE-2019-19911 is regarding FPX images. If an image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fixed by limiting the number of bands to those usable by Pillow.

Buffer overruns were found when processing an SGI, PCX or FLI image. Checks have been added to prevent this.

Overflow checks have been added when calculating the size of a memory block to be reallocated in the processing of a TIFF image.

https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html CVE-2019-19911 CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313 ports/243336 2019-12-19 2020-01-24
gitea -- multiple vulnerabilities gitea 1.10.3

The Gitea Team reports:

  • Hide credentials when submitting migration
  • Never allow an empty password to validate
  • Prevent redirect to Host
  • Hide public repos owned by private orgs
https://github.com/go-gitea/gitea/releases/tag/v1.10.3 ports/243437 2019-11-22 2020-01-18
MySQL -- Multiple vulerabilities mysql56-server 5.6.47 mysql57-server 5.7.29 mysql80-server 8.0.19 percona55-server 5.5.67 percona56-server 5.6.47 percona57-server 5.7.29

Oracle reports:

This Critical Patch Update contains 17 new security fixes for Oracle MySQL. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

https://www.oracle.com/security-alerts/cpujan2020.html CVE-2019-1547 CVE-2020-2579 CVE-2020-2686 CVE-2020-2627 CVE-2020-2570 CVE-2020-2573 CVE-2020-2574 CVE-2020-2577 CVE-2020-2589 CVE-2020-2580 CVE-2020-2588 CVE-2020-2660 CVE-2020-2679 CVE-2020-2584 CVE-2020-2694 CVE-2020-2572 CVE-2019-8457 2020-01-14 2020-01-15 2020-02-02
drm graphics drivers -- potential information disclusure via local access drm-fbsd11.2-kmod 4.11.g20200115 drm-fbsd12.0-kmod 4.16.g20200115 drm-current-kmod 4.16.g20200115 drm-devel-kmod 5.0.g20200115

Intel reports:

.A potential security vulnerability in Intel(R) Processor Graphics may allow information disclosure. Intel is releasing software updates to mitigate this potential vulnerability.

Description: Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.

This patch provides mitigation for Gen9 hardware only. Patches for Gen7 and Gen7.5 will be provided later. Note that Gen8 is not impacted due to a previously implemented workaround. The mitigation involves using an existing hardware feature to forcibly clear down all EU state at each context switch.

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00314.html CVE-2019-14615 2020-01-14 2020-01-15
Template::Toolkit -- Directory traversal on write p5-Template-Toolkit 3.004

Art Manion and Will Dormann report:

By using an older and less-secure form of open(), it is possible for untrusted template files to cause reads/writes outside of the template directories. This vulnerability is a component of the recent Citrix exploit.

https://www.kb.cert.org/vuls/id/619785/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781 CVE-2019-19781 2019-12-13 2020-01-14
Gitlab -- Private objects exposed through project import gitlab-ce 12.6.012.6.4 12.5.012.5.7 8.9.012.4.8

Gitlab reports:

Private objects exposed through project importi

https://about.gitlab.com/releases/2020/01/13/critical-security-release-gitlab-12-dot-6-dot-4-released/ CVE-2020-6832 2020-01-13 2020-01-14
e2fsprogs -- rehash.c/pass 3a mutate_name() code execution vulnerability e2fsprogs 1.45.5

Lilith of Cisco Talos reports:

A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Theodore Y. Ts'o reports:

E2fsprogs 1.45.5 [...:] Fix a potential out of bounds write when checking a maliciously corrupted file system. This is probably not exploitable on 64-bit platforms, but may be exploitable on 32-bit binaries depending on how the compiler lays out the stack variables. (Addresses CVE-2019-5188)

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973 http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.45.5 CVE-2019-5188 2019-12-18 2020-01-08
phpMyAdmin -- SQL injection phpMyAdmin phpMyAdmin-php72 phpMyAdmin-php73 phpMyAdmin-php74 phpMyAdmin5 phpMyAdmin5-php72 phpMyAdmin5-php73 phpMyAdmin5-php74 4.9.4 5.0.05.0.1

The phpMyAdmin development team reports:

A SQL injection flaw has been discovered in the user accounts page

https://www.phpmyadmin.net/security/PMASA-2020-1/ CVE-2020-5504 2020-01-05 2020-01-11
cacti -- multiple vulnerabilities cacti 1.2.8

The cacti developers reports:

When viewing graphs, some input variables are not properly checked (SQL injection possible).

Multiple instances of lib/functions.php are affected by unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module.

https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8 CVE-2019-17357 CVE-2019-17358 ports/242834 2019-10-12 2020-01-06
Gitlab -- Multiple Vulnerabilities gitlab-ce 12.6.012.6.2 12.5.012.5.6 5.1.012.4.7

SO-AND-SO reports:

Group Maintainers Can Update/Delete Group Runners Using API

GraphQL Queries Can Hang the Application

Unauthorized Users Have Access to Milestones of Releases

Private Group Name Revealed Through Protected Tags API

Users Can Publish Reviews on Locked Merge Requests

DoS in the Issue and Commit Comments Pages

Project Name Disclosed Through Unsubscribe Link

Private Project Name Disclosed Through Notification Settings

https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/ CVE-2019-20144 CVE-2019-20146 CVE-2019-20143 CVE-2019-20147 CVE-2019-20145 CVE-2019-20142 CVE-2019-20148 CVE-2020-5197 2020-01-02 2020-01-03